<0> it was pretty disgusting
<1> falieson: You have to run the amd64 in 32-bit compat. mode
<1> falieson: At least, I run a very large segment of software on an opteron using everything from the 32-bit side and it all works just fine.
<1> I can't make any promises about gentoo, though.
<2> why do people even buy amd/intel 64bit computers?
<2> seriously....
<3> JeeHoover: all intel cpus are 64 bit now sir.
<2> if you want a 64bit computer, there are plenty of properly supported 64 bit platforms to choose from
<1> JeeHoover: What makes you think AMD64 isn't "properly supported"?
<4> i made a nice little username/password form. i have it method=post and action=process.php. i need to make a process.php. i want to send the inputted username / password to either a mysql db or my email. can someone help me generate this THANKS!
<1> And who are the "properly supported 64 bit platforms", for that matter.
<1> I can't think of one that's more "properly supported" than the AMD64 chipset. I mean I can think of a number of 64 bit chips (IBM, Sparc64, SGI, and Alphas), but all of them have their own problems.
<3> thisbullet: $query = "SELECT COUNT(username) FROM userdb WHERE username = '". $_POST['username'] . "' AND password = '". $_POST['password'] ."'";
<3> run the query, check the num of rows returned.
<3> though i suppose drop that count() :P
<3> and add a limit 1



<0> TML: yah, but if I ran it in 32bit mode, what'd be the point of having a screaming 64bit? (I got my proc like two years ago when 64bit first got main stream)
<5> Myconid: that's a scary query
<5> Myconid: and extremely open for SQL
<4> will this suffice?
<5> injection
<3> tek: eh.. figured he was running mysql
<3> tek: which means, a. it's not my fault, and b. there isn't a whole lot of injection possible
<5> Myconid: Okay.
<6> *cough* BS *cough*
<3> jonez: ok.. what are you going to inject?
<1> falieson: *shrug* a 64bit main with a 32bit chroot works just fine for me
<4> Myconid, it's just a little personal test thing
<0> tml yah that'd work fine
<4> i couldn't give a hoot in hell what happens to it
<6> if I set $_POST['password'] to "\"; delete * from userdb"; kiss your db goodbye
<3> jonez: not with mysql sir.
<2> TML, all the people complaining they have to run in '32bit' mode, or run a 32bit os
<5> Myconid: since when?
<6> oh *really*
<3> jonez: yep.
<0> TML :-D But I was 16, wtf am I going to use the computer for chrooted? At most a counter-strike server!
<3> mysql only runs a single query
<3> now if we were running postgres,oracle,mssql i'd be done.
<3> also gpc_quote_whatever would escape your string
<0> tek: can I just throw the nutch directory into the home dir of my user on cygwin?
<0> I have never used cygwin before... laggy it is!
<5> falieson: I don't want to recommend it and not help you through it but, I haven't used it in a long time and I think I used an older release
<6> Myconid, which version of "mysql" does all this magic?
<4> Myconid, can you help me plug in the values
<5> sorry man, but I'm pretty sure they explicitly tell you where to place them, and I think it's in the Tomcat /home dir
<4> Myconid, what do i replace
<0> tek: Unpack the release and connect to its top-level directory
<1> Myconid: Simple injection: " OR 1=1 "
<7> tek; any idea what part of the manual?
<0> tek: it's been over a year since I used *nix. top-level directory, ~/ or / do they mean?
<1> Myconid: If I pass something like that as $_POST['password'], you might have problems. :)
<3> jonez: mysql always had.
<3> had=has
<1> Myconid: Actually, a little birdie told me that the mysqlclient API has changed and no longer enforces that.
<3> one sec.. I'm setting it up to test
<1> Myconid: But that's not a problem in "mysql", I don't think, just in "mysqli".
<5> jsoft: http://www.free2code.net/plugins/articles/read.php?id=84
<5> jsoft: http://us2.php.net/manual/en/ref.filesystem.php
<0> god ol vim...
<7> thanks.
<5> yup
<8> Can someone please help me with my pagination? I am trying to use the code from: http://www.programmingtalk.com/archive/index.php/t-19364.html , applying it myself looks like this: http://www.rafb.net/paste/results/Nyk0aX56.html , but I keep getting a sql syntax error. Please help, thank you.
<1> DAaaMan64: What is the error?
<8> Thanks for responding: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0,10' at line 1"
<1> DAaaMan64: And where are you adding the "LIMIT" code?
<8> 10 is the value of $pagelenth, and 0 is the value of $lowerbound. provided that this is going to work, my issue is with my line 71. currently
<8> that would be line 66
<1> DAaaMan64: You can't just put "SELECT * FROM foo 0,10". You need to use the keyword "LIMIT". See your database documentation for details.
<3> http://vtwireless.com/php/ <- someone SQL inject something here
<3> the source as well as the schema is posted
<1> Myconid: You think simply because no one here feels motivated to show you the problem means you don't have a problem?
<9> WOOT I LOGGED IN
<3> THOM HAXORED MY DB
<0> lmao
<3> btw.. whoever asked.. there's a simple database based login
<3> and it would be very smart to check the parameters that are passed.



<3> About to run query: 'SELECT * FROM users WHERE user = 'joe' AND password = ''; delete * from users ' LIMIT 1'
<3> DB Error: syntax error
<3> spiffy.. i tried the in () statement
<3> I don't think you're allowed to use deletes in subselects.
<10> how do i make all font-size to be the same in my style sheet?
<1> !tell deadcat about g8
<2> $selectboxes = $selectboxes.'\t<option value="'.$years[$i].'">'.$years[$i].'</option>\n';
<3> !tell me about g8
<4> Myconid, can you help me with the stuff you pasted me
<4> what do i modify
<4> please
<2> but the \t and \n end up in the html... how do I change this? would putting it outside the quotes work?
<3> thisbullet: i strongly discourage you from using what I posted.
<3> thisbullet: at least without understanding it and sanitizing input.
<4> what would you encourage me to use
<4> Myconid, it's not for a website or anything
<11> anyone have any opinions on ecommerce systems?
<1> Myconid: password='+OR+user+in+(SELECT user FROM users)+or+user='
<3> albercomp: oscommerce is pretty horrid, but it works for the basics.
<3> tml: checking
<3> tml: jerk
<11> why is OSC so bad?
<3> albercomp: no standards
<1> Myconid: Why am I a jerk?
<3> TML: just joking..
<6> thank you tml
<1> jonez: For?
<1> Demonstrating SQL injection?
<6> yes
<1> It was a pretty trivial one.
<6> my initial "delete * from userdb" thing does not work, but the code *is* vulnerable to an attack, which is why *all* input should be sanitized before use.
<11> so what would you recommend then?
<3> TML: that wouldn't work if I had magic_quotes_gpc on
<1> Myconid: Are you suggesting that it's impossible to inject if you have magic_quotes_gpc turned on?
<3> TML: look now.
<5> Myconid: are you missing the entire point?
<3> tek: no.. i am well aware of the point..
<3> TML: Care to prove me wrong (once again)?
<3> tek: i learn quite a bit from TML..
<1> Myconid: Not really. It'd take more time than I care to spend right now.
<12> how to check if a file is an image type?
<1> Myconid: The former one was trivial. Getting around magic_quotes_gpc, while not IMPOSSIBLE, is a bit more time consuming.
<1> stedios: getimagesize
<5> Myconid: I know, just saying... just filter data correctly before any SQL is processed and you'll be okay
<3> TML: how might I do it?
<7> what do I use to trim a string, and then turn it into a number?
<3> tek: I am *well* aware :)
<1> stedios: Or use the replacement extension to mime
<12> k
<1> stedios: fileinfo it's called, IIRC
<5> Myconid: I see that. I'm just saying for new comers like thebullet that aren't sure about security...just trying to make the web a safer place. One website at a time. -Microsoft
<3> tek: I clearly said, multiple times for him to NOT use my code :)
<12> so if getimagesize($file) == true its an image, if == false, its not an image?
<5> Myconid: I saw that :)
<3> TML: A coworker is of the mind that gpc_magic_quotes is the cureall.
<5> Myconid: but you explicitly wrote the first SQL query that I mentioned was scary :)
<13> anyone from Jakarta, ID ?
<3> TML: if you could provide an example around them.. I would be most gracious
<1> Myconid: I forget offhand, which is why it would take so long to do it. It involves using an extremely large number of ASCII escapes.
<3> TML: wouldnt that be a php bug?
<5> Myconid: only if the programmer doesn't use PHP's protective measures properly then it becomes a code bug
<5> not a PHP bug
<5> PHP offers plenty of functionality to correct those "vulnerabilities"
<3> From the manual, "Magic Quotes is a process that automagically escapes incoming data to the PHP script."
<1> Myconid: Yes, but it only escapes certain values.
<3> From that description, one might assume that with magic quotes on, you are protected.
<5> yes, but assuming anything is never a favored thing to do
<7> how do I ensure a string is a number?
<1> Myconid: magic_quotes_gpc is specifically NOT intended to provide security
<14> !+strings
<15> [STRINGS] Please read http://php.net/types.string for a basic understanding of how strings work in PHP, as well as http://php.net/strings for functions to manipulate strings. Be sure to read 'user comments' as well.
<1> jsoft: is_numeric
<12> hmm