lol @ p-langs still having sql injection possibilities.

# ? Jan 9, 2013 19:40

Cross-site scripting (XSS) vulnerability in the SQL Server Report Manager in Microsoft SQL Server 2000 Reporting Services SP2 and SQL Server 2005 SP4, 2008 SP2 and SP3, 2008 R2 SP1, and 2012 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "Reflected XSS Vulnerability."

Buffer overflow in the SQLVDIRLib.SQLVDirControl ActiveX control in Tools\Binn\sqlvdir.dll in Microsoft SQL Server 2000 (aka SQL Server 8.0) allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long URL in the second argument to the Connect method. NOTE: this issue is not a vulnerability in many environments, since the control is not marked as safe for scripting and would not execute with default Internet Explorer settings.

Buffer overflow in the convert function in Microsoft SQL Server 2000 SP4, 2000 Desktop Engine (MSDE 2000) SP4, and 2000 Desktop Engine (WMSDE) allows remote authenticated users to execute arbitrary code via a crafted SQL expression.

Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.

Heap-based buffer overflow in Microsoft SQL Server 2000 SP4, 8.00.2050, 8.00.2039, and earlier; SQL Server 2000 Desktop Engine (MSDE 2000) SP4; SQL Server 2005 SP2 and 9.00.1399.06; SQL Server 2000 Desktop Engine (WMSDE) on Windows Server 2003 SP1 and SP2; and Windows Internal Database (WYukon) SP2 allows remote authenticated users to cause a denial of service (access violation exception) or execute arbitrary code by calling the sp_replwritetovarbin extended stored procedure with a set of invalid parameters that trigger memory overwrite, aka "SQL Server sp_replwritetovarbin Limited Memory Overwrite Vulnerability."

# ? Jan 9, 2013 19:41

Shaggar posted: lol @ p-langs still having sql injection possibilities.

It's really the application, not the language, that has the vulnerability. Isn't it?

# ? Jan 9, 2013 19:43

WHOIS John Galt posted: Cross-site scripting (XSS) vulnerability in the SQL Server Report Manager in Microsoft SQL Server 2000 Reporting Services SP2 and SQL Server 2005 SP4, 2008 SP2 and SP3, 2008 R2 SP1, and 2012 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "Reflected XSS Vulnerability."

sql server 2000 is pretty old but still better than a non-mssql

# ? Jan 9, 2013 19:44

prefect posted: It's really the application, not the language, that has the vulnerability. Isn't it?

you must be new here

# ? Jan 9, 2013 19:44

Werthog 95 posted: you must be new here

Kinda, yeah.

# ? Jan 9, 2013 19:44

stop capitalizing, dont you know how to be ironic

# ? Jan 9, 2013 19:45

prefect posted:It's really the application, not the language, that has the vulnerability. Isn't it? the language conventions and frameworks are the problems since they consider parameterized sql way too effort and enterprise to be worth it. in a real job w/ a real language (java/c#) you'd be fired if you did what p-langs do on a regular basis.
|
# ? Jan 9, 2013 19:45 |
any language that lets a retard build a string and send it to the db has that vulnerability

hey at least perl dbix is okay

# ? Jan 9, 2013 19:46

ok click the little question mark next to shaggar's av and study up a bit then you'll get it

# ? Jan 9, 2013 19:46

hey shaggar i took ur advice on dbs a while ago and it's working gr8. ty m8

# ? Jan 9, 2013 19:47

cool!

# ? Jan 9, 2013 19:48

also im not saying its not possible to do things the right way in a plang, but the general attitude in those communities is that the right way is effort and waaaay too verbose!!

# ? Jan 9, 2013 19:49

that is to say, to do things as right as possible in a plang. you're still better off using java/c#

# ? Jan 9, 2013 19:50

i don't really know any terrible idiots who literally send a raw string to the db but that's prob cos my company/peers know what they doing

# ? Jan 9, 2013 19:51

has anyone here used kivy?

# ? Jan 9, 2013 20:02

WHOIS John Galt posted: tef i remember you talking about baking web security into types, like having explicit type conversions from unsafe strings to safe strings, and etc. did you elaborate on that anywhere? is there particular research you were looking at?

there's something about that here: Tainting checker

# ? Jan 9, 2013 20:12

Shaggar posted: the language conventions and frameworks are the problems since they consider parameterized sql way too effort and enterprise to be worth it. in a real job w/ a real language (java/c#) you'd be fired if you did what p-langs do on a regular basis.

what popular p-lang web frameworks don't use parameterized queries

# ? Jan 9, 2013 20:24

WHOIS John Galt posted: tef i remember you talking about baking web security into types, like having explicit type conversions from unsafe strings to safe strings, and etc. did you elaborate on that anywhere? is there particular research you were looking at?

yesod enforces string safety in this way in templates to mitigate XSS attacks http://www.yesodweb.com/book/shakespearean-templates

# ? Jan 9, 2013 20:25
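A small Python sketch of the unsafe-string/safe-string split tef and the Yesod templates are getting at, added here as an example rather than taken from the thread or from Yesod; the Html class, escape() and trusted() are assumed names, not any library's API.

```python
"""Added example (not from the thread or Yesod): a minimal 'safe string' type.
Raw str is untrusted; Html is reachable only via escape() for data or trusted()
for the programmer's own markup, and Html refuses to join with a raw str, so a
forgotten escape fails at the join instead of shipping as XSS."""
import html


class Html:
    """Text that is already safe to emit into an HTML document."""

    def __init__(self, markup: str, *, _vouched: bool = False):
        if not _vouched:
            raise TypeError("construct Html via escape() or trusted()")
        self._s = markup

    def __add__(self, other: object) -> "Html":
        # Html + str is rejected here; str + Html already fails in str.__add__.
        if not isinstance(other, Html):
            raise TypeError("refusing to join Html with an unescaped str")
        return Html(self._s + other._s, _vouched=True)

    def __str__(self) -> str:
        return self._s


def escape(untrusted: str) -> Html:
    """The single conversion from untrusted str to Html (escapes & < > and quotes)."""
    return Html(html.escape(untrusted, quote=True), _vouched=True)


def trusted(markup: str) -> Html:
    """For literal markup the programmer vouches for, never for user input."""
    return Html(markup, _vouched=True)


def render_greeting(user_name: str) -> str:
    """Template-style assembly: the user value can only enter via escape()."""
    page = trusted("<p>Hello, ") + escape(user_name) + trusted("</p>")
    return str(page)


def join_is_rejected(raw: str) -> bool:
    """True if the type refuses to splice a raw str into markup."""
    try:
        trusted("<p>") + raw
    except TypeError:
        return True
    return False
```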

php internals drama

# ? Jan 9, 2013 23:35

3. "PHP Should Be Implementation Neutral, and Support All Paradigms Poorly".

# ? Jan 9, 2013 23:37

Shaggar posted: also im not saying its not possible to do things the right way in a plang, but the general attitude in those communities is that the right way is effort and waaaay too verbose!!

mega-laffo if you pay any attention at all to the 'language communities'

# ? Jan 10, 2013 00:49

yeah man i'm part of the ruby /scene/ go to the meetups, get my free food, scope some chicks you know, /the scene/

# ? Jan 10, 2013 01:09

WHOIS John Galt posted: yeah man i'm part of the ruby /scene/

unironically this, except for the scoping chicks part

# ? Jan 10, 2013 01:12

board of reading language discussion
the arguments cycle every 50 pages
how can talk of programming be so limited
i feel hollow and unrequited

# ? Jan 10, 2013 01:41

MeruFM posted: board of reading language discussion

everything is recursion and repetition

# ? Jan 10, 2013 01:42

MeruFM posted: board of reading language discussion

still better than hn

# ? Jan 10, 2013 01:43

MeruFM posted: board of reading language discussion

because this is a general audience thread and any time somebody talks about something interesting dumb people will call it "ivory tower"

# ? Jan 10, 2013 01:45

biject johnynek onto ulrich drepper

# ? Jan 10, 2013 01:54

Shaggar posted: sql server 2000 is pretty old but still better than a non-mssql

sql server 2000 doesn't have mvcc so no, it isn't even as good as postgres 7

# ? Jan 10, 2013 02:06

sql server 2000 also had bad management tools

ms sql didn't stop being a joke until 2005. now it owns some bones

# ? Jan 10, 2013 02:07

MeruFM posted: board of reading language discussion

# ? Jan 10, 2013 02:07

Shaggar posted: the language conventions and frameworks are the problems since they consider parameterized sql way too effort and enterprise to be worth it. in a real job w/ a real language (java/c#) you'd be fired if you did what p-langs do on a regular basis.

php is the only language community in which parameterized queries are not the norm/default. perl dbi, python mysqldb etc all expect parameterized queries. php is special only because 90% of the php userbase is on a 5+ year old version

then again pdo probably has bugs in its parameterized query support because no one has ever used it

# ? Jan 10, 2013 02:11
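The difference the posts above keep circling (building the SQL as a string versus handing the driver parameters), shown as an added example that is not the thread's own code, using Python's stdlib sqlite3 DB-API driver; the users table and the hostile input are constructed for the demo.

```python
"""Added example (not the thread's code): the same user lookup written two
ways against an in-memory SQLite database via Python's DB-API driver.
The users table and the hostile input are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_concat(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is pasted into the SQL text, so a quote in it
    is parsed as SQL and changes the structure of the query."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


def lookup_param(con: sqlite3.Connection, name: str) -> list:
    """Hardened: the driver ships the value separately from the SQL text,
    so it is only ever compared as data, quotes included."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def demo() -> dict:
    """Run both lookups with a normal name and with a quote-closing input."""
    con = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quote
    return {
        "concat_normal": lookup_concat(con, "alice"),
        "concat_hostile": lookup_concat(con, hostile),  # every row comes back
        "param_normal": lookup_param(con, "alice"),
        "param_hostile": lookup_param(con, hostile),    # no such name: []
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```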

Notorious b.s.d. posted: php is the only language community in which parameterized queries are not the norm/default. perl dbi, python mysqldb etc all expect parameterized queries.

I'm currently stuck with PHP 5.3 (two versions old, right), because the mssql stuff has been removed (in favor of parameterized stuff I really want to use), but I can't convince the bosses that rewriting would be worth the time.

# ? Jan 10, 2013 02:21

Notorious b.s.d. posted: php is the only language community in which parameterized queries are not the norm/default. perl dbi, python mysqldb etc all expect parameterized queries.

# ? Jan 10, 2013 02:42

Deus Rex posted: yesod enforces string safety in this way in templates to mitigate XSS attacks

cool imma czech it out

# ? Jan 10, 2013 04:40

Cocoa Crispies posted: because this is a general audience thread and any time somebody talks about something interesting dumb people will call it "ivory tower"

quote: As a member of the knitting community, I find the use of String here both confusing and inaccurate. Am I to understand that this library gives scala the power to materialize abstract concepts like Int into physical fiber?

# ? Jan 10, 2013 04:44

welp https://twitter.com/Fayettevillains

# ? Jan 10, 2013 07:56

quote: how can talk of programming be so limited

these two are more related than you think

# ? Jan 10, 2013 08:03

prefect posted: I'm currently stuck with PHP 5.3 (two versions old, right), because the mssql stuff has been removed (in favor of parameterized stuff I really want to use), but I can't convince the bosses that rewriting would be worth the time.

let's be fair here: php 5.5 is not that big a deal. 5.5 is probably less different from 5.3 than 5.3 was from 5.2. 5.3 introduced a ton of important stuff like late static binding and closures; the most useful thing in later versions is probably short array syntax

# ? Jan 10, 2013 08:07