Comments

Drupal Fixes Highly Critical SQL Injection Flaw

amicusNYCL Re:It's not that hard to do it right (53 comments)

Sure but in Java you have things like Spring Framework, Hibernate, Java EE standards that have been around for a decade and they are rock-solid foundations to build upon.

To be fair, the mysqli extension in PHP which supports prepared statements has also been around for over a decade. But you can still go and find any number of tutorials teaching people how to write vulnerable queries by concatenating strings and using the deprecated mysql extension, and you can go to any PHP forum and find people posting questions about code which uses the same. And when you try to teach those people how to do it the correct way, roughly 95% of the time their response is along the lines of "I just need to make it work, then I'll learn about prepared statements." It's a failure of the programmers and tutorials far more than it is a failure of the language. It would be fantastic if PHP outright removed the mysql extension and the mysqli_query function, but that would break a ton of existing applications. And, even so, even when you point people to tutorials about prepared statements they gloss over everything and come back with code like:

$mysqli->prepare('SELECT * FROM table WHERE id=' . $_GET['id']);

Look, I used a prepared statement!

Like I said, it's a failure of the programmers who want the quick and easy way instead of the correct way.

3 days ago
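An added example (not from the comment above or from any project it mentions) showing why the one-liner quoted in the comment is not a prepared statement at all, next to the form that is. It uses PDO with an in-memory SQLite database and a constructed three-row table so it runs offline; the table and the hostile input value are assumptions made for the demonstration.

```php
<?php
// Added example: the "prepared" statement from the comment still pastes the
// request value into the SQL text, so the database driver never sees a
// parameter. Constructed sample data in an in-memory SQLite database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// The pattern from the comment: prepare() is called, but the user-controlled
// value is already part of the SQL string, so preparing it buys nothing.
function lookupConcatenated(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id=' . $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Correct use: the SQL text carries only a placeholder and the value travels
// separately, so the driver treats it as data no matter what it contains.
function lookupBound(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '2';          // a well-behaved request
$hostile = '2 OR 1=1';   // constructed: text a request could carry instead of an id

printf("concatenated, benign:  %d row(s)\n", count(lookupConcatenated($pdo, $benign)));
printf("concatenated, hostile: %d row(s)\n", count(lookupConcatenated($pdo, $hostile)));
printf("bound, benign:         %d row(s)\n", count(lookupBound($pdo, $benign)));
printf("bound, hostile:        %d row(s)\n", count(lookupBound($pdo, $hostile)));
```

With the concatenated form the hostile value changes the shape of the query and the whole table comes back; with the bound form the same value is compared as a literal against the integer column and matches nothing. The difference is entirely in where the value enters: the SQL string, or the parameter list passed to execute().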
Drupal Fixes Highly Critical SQL Injection Flaw

amicusNYCL Re:It's not that hard to do it right (53 comments)

SQL context aware eval() routines with safe default marshaling assumptions are relatively trivial to write.

Could you post a trivial example of one?

3 days ago
Drupal Fixes Highly Critical SQL Injection Flaw

amicusNYCL Re:Heh (53 comments)

It looks like a feature where you could supply one placeholder in a prepared statement, but give it an array of values, and it would expand the placeholders to fit the array. So if the query was like this:

SELECT * FROM table WHERE id IN (:idlist)

and you passed an array with 3 values for idlist, it would replace the query like this:

SELECT * FROM table WHERE id IN (:idlist_1, :idlist_2, :idlist_3)

... then use the values in the array as the three values for those placeholders. It looks like the old code was using the keys from the data array, so instead of appending something like "_1", it would append the actual key. So an attacker could put SQL code into the array keys and it would stick those (unchanged) into the query.

Here is the old code (without comments):

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

And the new code:

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

array_values will return an array with numeric indexes, which is what removes the vulnerability.

5 days ago
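An added example (my own reduced reconstruction, not Drupal's code or the commenter's) that runs the placeholder expansion described above in both its old and fixed forms on the same input, so the difference the comment describes is visible in the produced SQL text. The query, the argument arrays, the `$useValues` switch, and the `placeholdersAreClean()` check are assumptions made for the demonstration; the two lines that move the expanded values back into `$args` are my addition for completeness, not part of the excerpt quoted in the comment.

```php
<?php
// Added example, not Drupal's code: placeholder expansion for an array
// argument (:idlist => [7, 8] becomes :idlist_0, :idlist_1), with the
// pre-fix and post-fix behaviour selected by a flag.

/**
 * Expand each array-valued argument into one placeholder per element.
 * $useValues = true applies the fix: array_values() re-indexes the data so
 * the suffix appended to the placeholder name is always a small integer,
 * never whatever string the caller used as an array key.
 */
function expandArguments(string $query, array $args, bool $useValues): array
{
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = array();
        $source = $useValues ? array_values($data) : $data;   // the one-line fix
        foreach ($source as $i => $value) {
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        // Hand the per-element placeholders to the caller (my addition).
        unset($args[$key]);
        $args += $new_keys;
    }
    return array($query, $args);
}

/**
 * Defensive check a caller can run before executing: every placeholder name
 * produced by the expansion must be a plain identifier. Anything else means
 * caller-controlled text has reached the SQL string.
 */
function placeholdersAreClean(array $args): bool
{
    foreach (array_keys($args) as $name) {
        if (!preg_match('/^:[A-Za-z0-9_]+$/', $name)) {
            return false;
        }
    }
    return true;
}

$query = 'SELECT name FROM users WHERE id IN (:idlist)';

// Constructed input in the shape the comment describes: the caller let
// request data choose the array KEYS, not just the values. Under the old
// code the key text lands in the query verbatim.
$keyed = array(':idlist' => array('7 here goes' => 7, 'and here' => 8));

foreach (array('old' => false, 'fixed' => true) as $label => $fix) {
    list($q, $a) = expandArguments($query, $keyed, $fix);
    printf("%-5s query: %s\n", $label, $q);
    printf("%-5s args:  %s\n", $label, json_encode($a));
    printf("%-5s clean: %s\n\n", $label, placeholdersAreClean($a) ? 'yes' : 'NO');
}
```

The old branch produces `IN (:idlist_7 here goes, :idlist_and here)`, which is no longer a list of placeholders but arbitrary text inside the statement; the fixed branch produces `IN (:idlist_0, :idlist_1)` and the original keys are discarded. The `placeholdersAreClean()` check is the kind of guard a wrapper around such an expansion should keep even after the fix, since it catches any future path that lets non-identifier text into a placeholder name.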
Drupal Fixes Highly Critical SQL Injection Flaw

amicusNYCL Re:Is Drupal 6.x Affected? (53 comments)

Considering that the API is to help protect against SQL injection though, it's probably fair to say that version 6 is affected by other issues.

5 days ago
Secretive X-37B Military Space Plane Could Land On Tuesday

amicusNYCL Re:It must be running out of fuel (81 comments)

I don't see any claim that they "need" to bring it back, just that they "are" bringing it back. Considering that its stated mission is to test various technologies, maybe they want to change the payload out. Maybe the mission ended. Apparently the other two missions did not end because of a lack of fuel.

about a week ago
Snapchat Says Users Were Victimized By Their Use of Third-Party Apps

amicusNYCL Re:that's not a lot... (90 comments)

It's around 200,000 pictures, actually. No need to figure out how many pictures are in 13GB when they say, right there, how many pictures there are.

about two weeks ago
Ross Ulbricht's Lawyer Says FBI's Hack of Silk Road Was "Criminal"

amicusNYCL Re:when the president does it (208 comments)

Today on Slashdot I learned that the only purpose of the constitution is to allow sex slaves in South Carolina and make it possible to steal Ohio from the Indians.

Thanks for that valuable analysis. No, no, don't bother with any citations, they aren't even remotely necessary. I'll just assume that Article V is all about sex slaves in South Carolina. Or the Ohio thing, whatever. I'm sure it's one of the two, anyway. I'll teach this to any child I can find. Now, if you'll excuse me, I need to go educate Facebook.

about two weeks ago
Belkin Router Owners Suffering Massive Outages

amicusNYCL Re:Oh hey, consumers! (191 comments)

If I was bored, and wanted to do something for teh lulz, I would organize an ongoing campaign to run a DDoS against heartbeat.belkin.com. If I was that type of person, anyway.

about two weeks ago
Belkin Router Owners Suffering Massive Outages

amicusNYCL Re:Mod parent up. (191 comments)

I don't know how much traffic Microsoft really sees (I assume it's quite a bit), or BofA would put out (probably a fair bit as well), but if I was running a network and saw a range of IPs pinging me all day every day I would be pretty hard pressed to not block them. I mean, why is Microsoft paying for BofA's internet connectivity testing?

about two weeks ago
Lennart Poettering: Open Source Community "Quite a Sick Place To Be In"

amicusNYCL Re:Systemd (993 comments)

No one has been able to come up with a solution to have it create text logs?

about two weeks ago
Lennart Poettering: Open Source Community "Quite a Sick Place To Be In"

amicusNYCL Re:Systemd (993 comments)

I'm missing part (ok, the vast majority) of this story, but if his software is such shit, then why are so many distros, who presumably enjoy when their operating systems run correctly, using his software? Is there actually a consensus on his software being shit, and if so, why do people use it? If not, why do people act like it's a foregone conclusion that his software is shit? To an outside observer this kind of looks like a shouting match amongst a huge group of egotistical assholes.

about two weeks ago
Senators Threaten To Rescind NFL Antitrust Exemption

amicusNYCL Re:that's racist! (242 comments)

There are over 1000 teams named after natives, in the hs - college- majors.

The vast majority of those names are descriptive though, not offensive. For example, Seminoles - (anglicized) name of a tribe; Blackhawks - name of a chief; Indians, Braves, Chiefs - just describing an entire group or class (although "Indian" is a pretty stupid way to refer to them). A lot of high school or college teams use the names of tribes from the area (Chippewas, Choctaws, Apaches, Cherokees, Mohawks, etc). I don't think any of those are offensive. "Redskins" is completely different. If you think that term is not offensive, walk into a meeting of the National Congress of Native Americans and say "hey, how are you all you redskins doing today?" See how they react. It doesn't really matter if *you* find the name offensive or not. I wouldn't be offended if someone called me a redskin either, I would just sort of look at them kind of funny. It's clearly offensive to a large group of people, and they should change the name. Most colleges and high schools I think are fine using tribal names for their schools.

Although, maybe the Agawam High School Brownies might consider a name change. And the Aniak High School Halfbreeds might think about it also.

about two weeks ago
Online Creeps Inspire a Dating App That Hides Women's Pictures

amicusNYCL Re:Women in the drivers seat`? (482 comments)

I dated a girl for 6 years who I met while playing Doom and Descent on a BBS. Pretty cool story, I know.

about three weeks ago
Online Creeps Inspire a Dating App That Hides Women's Pictures

amicusNYCL Re:How about... (482 comments)

Gender equality means gender equality.

What exactly does gender equality have to do with dating? There is nothing remotely equal about the experiences of single men and women. Look at some of the statistics in the article - on one site the most attractive woman got 17 times as many messages as the most attractive man. There is nothing equal about the way that men and women approach each other when dating and, frankly, most women will not pay to date. They don't have to. OKCupid may send you an email saying that you are in the top 10% of attractive people on the site. If you're a man, this means that your picture is shown to more attractive people, and also that you'll see more attractive people. If you're a woman, you get those same perks plus you also are automatically on the "A-list", which gives you more searching options, lets you browse profiles undetected, and other things. Men have to pay for the A-list, attractive women do not, because the site knows that many men will pay for better access. This is the exact same idea behind "ladies' night" at a bar or nightclub. If the women are there (and they are more likely to be there if it's free), then the men will follow (and pay).

There is nothing equal about dating. The business model described above could definitely work, and in fact the women who use it would probably be thankful for the lack of crap messages that they get. Meet some women on dating sites and take them out some time, ask them about the messages they receive. Ask them about the number of messages and the content. Ask them to send you a few examples of what they get. It is nothing like the messages that men get from women. Any woman who has sent me a message has just asked a casual question (what's my favorite band, movie, etc), asked about something in my profile, went for light humor, etc, and they've done it with good grammar and spelling. Ask some girls to send you examples of some of the messages they receive and feel free to compare and contrast. Come back and tell everyone how equal it is out there.

Personally, I would be fine with something similar to the above (although seeing a person's message history to everyone would not be a feature I would add). I would feel confident that I could use that site, send the messages I want to send, that they would get delivered, and that women could look at my message acceptance levels and figure out that I'm a respectful person. If that makes it harder for the guys sending messages about tits and ass using some misspelled version of txt-speak, good.

about three weeks ago
Ebola Has Made It To the United States

amicusNYCL Re:Fristy Pawst! (475 comments)

That it's not a 'dark, dismal world', that it's a ''what you make of it'' world, depending on your attitude towards it.

The important question we need to ask is if we want to live in a world of single quotes or double quotes.

about three weeks ago
Ebola Has Made It To the United States

amicusNYCL Re:Fristy Pawst! (475 comments)

Science is cool and all, it has many answers, though not all of them, imo.

That's one of the best things about science, though. Not only does it not have all of the answers (in fact, not even a very small percentage of them), but this fact is ingrained into the entire scientific process with the knowledge that if we try hard enough, we can find the answers.

about three weeks ago
Ebola Has Made It To the United States

amicusNYCL Re:Fristy Pawst! (475 comments)

Why SHOULDN'T first world countries get to share the misery of their less fortunate brethren, anyway?

For one, because first world countries tend not to have mobs go after health workers and scientists based on belief in things like witchcraft and sorcery, and they also tend not to break people out of isolation in a hospital when the person has a deadly contagious disease. Sometimes a little epidemic is just what you need to get the population on board with modern medicine.

about three weeks ago
Grooveshark Found Guilty of Massive Copyright Infringement

amicusNYCL Re:Why? (171 comments)

The concept was a good one, but the major thing that kept bugging me was that I would log in after several weeks or months and my playlists kept shrinking. I don't even know which songs it was removing, but in a lot of cases it would remove some songs by an artist and leave others by the same one (or even the same album).

about three weeks ago
Analyzing Silk Road 2.0

amicusNYCL Re:MDMA Demand (68 comments)

It seems that this is pretty good proof that there is a demand for reputable MDMA.

The SR vendor you're looking for is Geoffrey Giraffe.

If the dosage was known steps could be taken to provide the most fun for the least amount of harm (it sure as hell isn't harmless).

The therapeutic dose is 125mg, with an optional 62.5mg an hour or so in. Note that the additional dose doesn't typically cause any increase in intensity, it just makes it last a little longer. The first dose usually determines the intensity.

about three weeks ago
