  • Locked thread
gonadic io
Feb 16, 2011

>>=

Jabor posted:

they don't fit neatly together if you're using them as a clustering key

What's so bad about auto increment primary keys as an opaque identifier?

NihilCredo
Jun 6, 2011

Suppress anger in every possible way:
that one thing will defame you more than many virtues will commend you

Jabor posted:

they don't fit neatly together if you're using them as a clustering key

it depends on your db if this is even an issue:

mysql: only clusters on the pkey. best you can do is set up an autoincrement fake pkey and then a unique index on your uuid column

mssql: clusters on the pkey by default. you can have the uuid as pkey, just remember to add a separate clustering index on any well-ordered column

postgres: doesn't cluster by default at all. you can just make uuid the pkey

NihilCredo
Jun 6, 2011

Suppress anger in every possible way:
that one thing will defame you more than many virtues will commend you

gonadic io posted:

What's so bad about auto increment primary keys as an opaque identifier?

- if you want to copy a record from a db to another
- if you want to delete a record and then make another, while references to the old one may still be around in the wild
- if you don't want people to guess pkeys
- if you're worried about accidentally joining the wrong table

all of these issues can be avoided with good practice and a bit of forethought (have a second 'origin' pkey column, always use ON DELETE CASCADE, never expose surrogate keys, don't accidentally join the wrong table)

however, with uuids, they don't arise at all

Carthag Tuek
Oct 15, 2005

Times shall come,
times shall pass away,
generation shall follow the course of generations



*exposes primary key*

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Powaqoatse posted:

*exposes primary key*

please there are children here

redleader
Aug 18, 2005

Engage according to operational parameters
guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

Rectus
Apr 27, 2008

Shinku ABOOKEN posted:

speaking of lua. anybody tried squirrel? the filename extension for it is .nut so it must be good🥜🐿

quoting this old post to say that squirrel is cool and good and fixes a lot of the idiosyncratic bullshit in lua. stuff like having actual OOP support, not assigning global variables by default, separating arrays and tables into different things and having built-in library functions for them that work like expected, C-like crap everyone takes for granted like ++, +=, the ternary operator, continue and break, assignments inside conditionals, AND actually throwing an error if you pass a null reference to something

tldr, lua can suck my .nut

Soricidus
Oct 21, 2010
freedom-hating statist shill

redleader posted:

guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

given that all programmers are poo poo, we should favor idioms that make the bugs they will inevitably write harder to exploit

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

Powaqoatse posted:

*exposes primary key*

:heysexy:

Janitor Prime
Jan 22, 2004

PC LOAD LETTER

What da fuck does that mean

Fun Shoe

redleader posted:

guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

your acls are a piece of poo poo!

redleader
Aug 18, 2005

Engage according to operational parameters

Soricidus posted:

given that all programmers are poo poo, we should favor idioms that make the bugs they will inevitably write harder to exploit

i agree that developers should not be allowed to design or develop a database

gonadic io
Feb 16, 2011

>>=
Just use an in mem hashmap and serialise it when your application closes

Workaday Wizard
Oct 23, 2009

by Pragmatica
i was once told that if data isn't sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

FamDav
Mar 29, 2008

Jabor posted:

they don't fit neatly together if you're using them as a clustering key

that's why you either use a datastore that wants you to distribute your data randomly as much as possible, or you use uuids that drop some randomness for better clustering properties.

using auto-incrementing primary keys gives you a false sense of security that you will always have a consistently ordered list of ids, which at some point in the future will no longer be true. better to disabuse yourself of that thinking now rather than later

redleader posted:

guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

yeah exactly. auto-incrementing keys should not be a security risk because you should be authenticating and authorizing every single incoming request against requested resources anyways.

FamDav fucked around with this message at 15:39 on Sep 9, 2017

FamDav
Mar 29, 2008

Shinku ABOOKEN posted:

i was once told that if data isn't sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

you can always reap logically deleted things later. keeping them around aids analysis/BI, and if you need to perform cleanup work asynchronously it lets you keep track of and reconcile incomplete work.

and if data is sensitive you should be encrypting it at rest and only distributing decryption materials to application hosts that have to decrypt it. then you can expose direct access to an isolated replica (you don't want an outage because BI took down your production replicas) of your data to everybody to poke at.

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

Powaqoatse posted:

*exposes primary key*
code:
id tinyint primary key

distortion park
Apr 25, 2011


Powerful Two-Hander posted:

lmao a system at work lets users define filters by letting them type in arbitrary SQL and I bet it's not remotely sanitised before insertion

hope they never need to filter on 'drop tables

we just give our users db access so that they don't need devs for every new requirement

my homie dhall
Dec 9, 2010

honey, oh please, it's just a machine

Jabor posted:

they don't fit neatly together if you're using them as a clustering key

the use case for clustered vs nonclustered index is just for getting ranges of IDs or fast lookup of neighbors? doesn't seem like that would make autoincrement ids worth being the default

Doom Mathematic
Sep 2, 2008
I guess exposing the primary key also indirectly exposes information like roughly how many rows are in the table, and if you do whatever activity creates a new row several times in a row, you can inspect the numbers generated to determine how fast new rows are being created overall. I don't know if that's sensitive information but it's information?

Sapozhnik
Jan 2, 2005

Nap Ghost
plenty of places don't want ppl to know that they're like customer number 7 or something

The MUMPSorceress
Jan 6, 2012


^SHTPSTS

Gary’s Answer

Shinku ABOOKEN posted:

i was once told that if data isn't sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

i know at epic you can't do anything but soft delete records without like ultra secret security that usually only the dba has and it has to be done manually. once there's enough interconnection between various records hard deleting poo poo is just a crap shoot.

tef
May 30, 2004

-> some l-system crap ->

Shinku ABOOKEN posted:

i was once told that if data isn't sensitive just mark it as deleted without actually deleting it and move on. is this good advice?

reasonable

also, if data is sensitive, you delete the key, because it's encrypted, right?

tef
May 30, 2004

-> some l-system crap ->

redleader posted:

guessing keys isn't a thing. either you have access controls in place to prevent someone from looking up record (n + 1) and it doesn't matter, or you don't and you're a clown and you have other, worse vulnerabilities to worry about

lol it's totally a thing

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

code:
private boolean getTagValues(StringBuffer buf) throws Exception {
		int start = buf.indexOf("<%");
		int stop = buf.indexOf("%>");
		if (stop < 0 || stop < 0)
			return false;

		String code = buf.substring(start + 2, stop);
		Object o = engine.eval(code);
		if (o == null)
			o = "";
		else if (o instanceof String)
			o = o.toString();
		else
			o = "";

		buf.replace(start, stop + 2, o.toString());
		if (start != 0 && buf.length() < start + 1) {
			if (buf.charAt(start) == '\n' && buf.charAt(start - 1) == '\n')
				buf.replace(start - 1, start + 1, "\n");
		}

		return true;
	}
:shepicide:

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder
i'm trying to fix database fanouts in our application and i found a section of code that fans out recursively over a list of records. :eyepop: I think I can obfuscate it enough to post

pokeyman
Nov 26, 2006

That elephant ate my entire platoon.

holy poo poo

redleader
Aug 18, 2005

Engage according to operational parameters

:eyepop:

redleader
Aug 18, 2005

Engage according to operational parameters

tef posted:

lol it's totally a thing

when?

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

pokeyman posted:

holy poo poo

It gets better!

code:
private ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
static BullshitHandler butts = new BullshitHandler();
engine.put("nash", this);
code:
<% "" + butts.emitBullshitAsList(); %>
code:
pubic class BullshitHandler {
	pubic String emitBullshitAsList() {
		String str = "";
		List<String> cowpats = new ArrayList<String>();
		for (BullshitItem p : Bullshit.wtf) {
			cowpats.add(p.turdName);
		}

		for (String s : cowpats) {
			String res = "<li 'id='" + s +
			"' class='list-group-item'><a onclick='pleaseKillMe();'>" +
			s +
			"<span lass='value'>" + s + "</span></a></a></li>";
			str += res + "\n";
		}
		return str;
	}
}

MononcQc posted:

I'm the stop < 0 || stop < 0

I didn't even notice that. Like a fart in a hurricane.

Ellie Crabcakes fucked around with this message at 21:52 on Sep 10, 2017

MononcQc
May 29, 2007

I'm the stop < 0 || stop < 0

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

Lots of times.

Luigi Thirty
Apr 30, 2006

Emergency confection port.

well friends I’m evacuated in a hurricane and extremely bored

So here’s the Jaguar GPU snippet I wrote that blits my lines while cooped up in this hotel room. next step: rotation

https://pastebin.com/xEeFKS0r

redleader
Aug 18, 2005

Engage according to operational parameters

doesn't this fall into the "have access controls in place" category? in the vast* majority of cases, correctly guessing that there is an object with id n isn't a risk if the attacker can't actually access/use that object

i think this is why owasp has a category for insecure (in contrast to all) direct object references

happy to be educated otherwise though :)

* and i know that there will be places this does matter
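The point redleader, Soricidus and FamDav are arguing over, written out as an added example (not code from anyone in this thread): a lookup keyed on a guessable sequential id alone, next to the same lookup scoped to the authenticated principal. The `invoices` table and its two rows are constructed for the demo; the scoped query answers "not found" identically whether the row is missing or belongs to someone else, so a guessed id confirms nothing.

```python
import sqlite3


def build_db():
    # Constructed sample data: two users, one invoice each, sequential ids 1 and 2.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "owner_id INTEGER NOT NULL, total INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO invoices (owner_id, total) VALUES (?, ?)",
        [(1, 120), (2, 999)],
    )
    return db


def get_invoice_insecure(db, invoice_id):
    """Insecure direct object reference: the id is the only input, so a caller
    who legitimately holds invoice n can read invoice n + 1 just by asking."""
    return db.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_scoped(db, current_user_id, invoice_id):
    """Authorize against the requested resource: the query itself is scoped to
    the principal, so forgetting a separate ownership check cannot leak a row.
    Returns None for 'missing' and 'not yours' alike (no existence oracle)."""
    return db.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


def http_status(row):
    # Same status for both failure cases, so the response does not reveal
    # whether a guessed id exists.
    return 200 if row is not None else 404


def demo():
    db = build_db()
    # User 1 requests invoice 2 (user 2's record) through both code paths,
    # then their own invoice 1 through the scoped path.
    leaked = get_invoice_insecure(db, 2)
    denied = get_invoice_scoped(db, 1, 2)
    own = get_invoice_scoped(db, 1, 1)
    return leaked, denied, own


if __name__ == "__main__":
    print(demo())
```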

kitten emergency
Jan 13, 2008

get meow this wack-ass crystal prison

John Big Booty posted:

code:
private boolean getTagValues(StringBuffer buf) throws Exception {
		int start = buf.indexOf("<%");
		int stop = buf.indexOf("%>");
		if (stop < 0 || stop < 0)
			return false;

		String code = buf.substring(start + 2, stop);
		Object o = engine.eval(code);
		if (o == null)
			o = "";
		else if (o instanceof String)
			o = o.toString();
		else
			o = "";

		buf.replace(start, stop + 2, o.toString());
		if (start != 0 && buf.length() < start + 1) {
			if (buf.charAt(start) == '\n' && buf.charAt(start - 1) == '\n')
				buf.replace(start - 1, start + 1, "\n");
		}

		return true;
	}
:shepicide:

this is violence

DONT THREAD ON ME
Oct 1, 2002

by Nyc_Tattoo
Floss Finder
i spent the last sprint focusing on the mongo -> postgres migration and suddenly our services have sprouted an outgrowth of node.

Doom Mathematic
Sep 2, 2008

John Big Booty posted:

code:
		else if (o instanceof String)
			o = o.toString();

Nice, nice.

Doom Mathematic fucked around with this message at 12:10 on Sep 11, 2017

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

It's the gift that keeps on giving.

simble
May 11, 2004

MALE SHOEGAZE posted:

i spent the last sprint focusing on the mongo -> postgres migration and suddenly our services have sprouted an outgrowth of node.

:sever:

LinYutang
Oct 12, 2016

NEOLIBERAL SHITPOSTER

:siren:
VOTE BLUE NO MATTER WHO!!!
:siren:
generating javascript through Java string concatenation is extremely my poo poo

Ellie Crabcakes
Feb 1, 2008

Stop emailing my boyfriend Gay Crungus

Well then, you're certainly in the right place.
