<0> mysql_escape_string or addslashes for user data going into an sql query
<1> oh my god.
<1> ****ing java.
<0> your god is ****ing java?
<2> lol
<2> ahhh, tags are used to insert malicious code
<2> so stripping them is alright in most cases
<2> am i right?
<0> depends on where the output goes
<2> example?
<0> if the output is going in double quoted tag attribute.. aside from a valid malicious value of the attribute, a double quote is the first immediate risk
<0> since it allows you to CLOSE the attribute and add MORE attributes.
<0> after that, > becomes dangerous since that lets you exit the tag itself and add content directly to the markup
<1> i used public String getCatTitle() for an encapsulation for cattitle :(
<0> and then comes <, by which time you can inject any tags you want
<2> so combined with htmlspecialchars
<2> it should be alright
<0> htmlspecialchars takes care of all three
<2> removing those <>
<2> oh
<2> so i can just use that, and bang, no code can be executed
<0> of that nature, nope
<0> sql injection is another matter
<0> and valid/malicious values (a rarity)
<1> steps to avoiding sql injection:
<0> for example.. some people have a habit of putting paths and filenames into querystrings to be loaded either by php on the server or linked in the webpage. they could be altered
<1> step 1: check for magic_gpc_quotes or whatever that's called then strip slashes if necessary
<1> step 2: mysql_real_escape_quotes
<1> step 3: profit.
<2> yeah but if what is passed is stripped by, "htmlspecialchars" then it wont be malicious
<2> i am guessing
<2> it would have ruined any injection i am assuming
<1> i imagine my way is better
<1> uses less space, anyways
<2> i think a good beginning for me is to use htmlspecialchars($_GET['message']);
<2> on everything
<2> it seems that will eliminate a lot of my troubles
<3> un1x: depends on how you're using it
<3> really you only need to escape stuff when you're outputting it, into HTML or building SQL, for example
<4> Hello everyone. If I want to select all of the duplicate records in a database (based on being duplicates in one specific field), is there a way to do that? The closest that I can think of is: select name, count(name) from clients where count(*)>1 order by name; But that doesn't work.
<3> PackardOne: there is, in fact
<4> pizza_milkshake : Am I anywhere near close?
<3> PackardOne: one sec
<3> http://parseerror.com/sql/sql/find_dupes.txt
<0> that merely gives you the values that are duped, not the duped records themselves
<3> yes indeed
<4> Right. I need the actual duped records--which is why I tried moving the count(*)>1 to the where clause.
<3> you could use those keys to then fetch the duped records
<0> you can't without a subquery
<0> or multiple single queries
<3> uno momento
<0> i suppose a udf would be nice for that too
<4> Is there anyway to order by the count? ie. I could have the highest count sorted on top?
<0> i think so, yes
<3> PackardOne: yes
<3> count(*) AS c ... ORDER BY c DESC
<4> That errors out: "select name, count(name) as c from clients order by c"
<2> hey Two-Bits, i think i fixed it
<2> try that site now with a xss
<2> :)
<0> PackardOne: you MUST use a group by in order to use aggregate functions like count
<4> argh... thanks.
<3> PackardOne, Two-Bits: yes indeed, in my example it looks like you'll need a temporary table or a subquery
<2> its not responsive cuz it's looking at a massive database
<3> PackardOne: are you using mysql 4.1+?
<3> un1x: define massive
<2> 2gigabytes
<2> mysql
<5> that isn't massive
<5> its big
<2> yeah right ;]
<3> that's not all that massive
<5> but not massive
<3> probably just not indexed :-P
<2> its running on a 450mhz
<2> it is indexed
<3> and probably 90% wasted space :-P
<2> indeed
<2> no way, its all products
<5> yeah, lots of wasted space if its myisam
<2> it is myisam
<2> ;p
<6> what should it me?
<6> be*
<3> what's wrong with myisam?
<2> Two-Bits, have i fixed it?
<0> seems so
<2> awesome
<2> do you think at least in that instant xss is impossible?
<3> un1x: your website is almost certainly bulletproof
<5> myisam is terrible
<5> its quick, but lacks many features
<5> and it tends to bloat if not routinely cleansed
<3> Zenethian: lacking features == wasted space?
<2> i havent gone to secure other bits in there, so i'm not worried
<2> but that search engine bit
<5> pizza_milkshake: for example, varchar=char in myisam
<2> is it bullet proof from xss?
<3> Zenethian: what database does not require maintenance?
<3> un1x: i was joking when i said that
<3> Zenethian: does it?
<5> yeah
<3> i'd never tested that
<5> and all DBs of course need maintenance.
<5> but it just seems that myisam bloats faster.
<3> i try to use char() anyways where possible... much speedier
<5> innodb is a much better choice with mysql
<3> hmm i hadn't noticed, i'll test that varchar==char thingy
<3> yeah innodb is nice, last i used it it was slower though
<3> of course, more features... slower...
<5> yeah it's a bit slower
<5> hehe
<0> un1x: unless there's some whacky buffer overflow i dont know about, sure
<2> Thanx!
<2> my problems are over!
<2> I learn about XSS today :}
<2> <3
<5> I learned about XXX today!
<2> hehee
<0> only half of what we talked about was a small portion of xss
<7> Zenethian, wait until you start seeing girls. then it gets real exciting.
<8> you watch xxx every day, Zenethian.
<8> i think i'm getting wet.
<7> lol
<5> :O
<5> Mmm girls
<7> I guess it won't interest you as much as guys, but give it a shot, just to help us think more of you.
<5> hahah
<3> Zenethian:
<3> create table bloaty (v varchar(255));
<3> insert into bloaty values('A'),('B'),('C'),('D'),('E'),('F'),('G'),('H');
<3> -rw-rw---- 1 mysql mysql 160 Jan 26 15:09 bloaty.MYD
<5> which version of mysql?
<3> 4.1
<1> 7
<5> hmm
<5> maybe they fixed that then. :)
<3> it would make a big difference, indeed
<3> but next time test your claims ;-)
<5> I don't have time to install and load mysql just to prove something that I used to know as fact a year ago. :P
<3> you don't have it installed?!
<3> you a pgsql man?
<5> why the hell would I? I don't use it.
<5> hehe
<5> yeah, I use pgsql and firebird.
<3> i like pgsql... how is firebird?
<3> never tried it
<0> <@Zenethian> and it tends to bloat if not routinely cleansed -- usually because it needs compacting after numerous deleted records?
<3> most dbs are that way... postgres has vacuum...
<5> yeah
<0> usually you just schedule such operations