Overclock.net › Forums › Software, Programming and Coding › Operating Systems › Linux, Unix › Ubuntu forums hacked

Ubuntu forums hacked - Page 4

post #31 of 37
Quote:
Originally Posted by Plan9 View Post


Yes, but not with any of the solutions you've given:
To be fair, having client side validation is so stupid it doesn't even deserve mentioning.
I'm not really sure how many times I have to say this, but DON'T MANUALLY ESCAPE YOUR SQL!!! Use parametrized queries or ORMs.

Seriously guys, parametrized queries are actually EASIER to use than building your own SQL string:
Code:
$stmt = $pdo->prepare("SELECT * FROM users WHERE user_id = ?");
$stmt->execute([$user_id]); // the value is bound by the driver, never spliced into the SQL text

No need for escaping, no need to worry about table data types, no ugly procedural code intermixed with SQL. It's clean, easy to read and secure. There really isn't any excuse for anyone to be escaping their user inputs manually. In fact, I'd actually go as far as to say that anyone who does choose to manually escape over using parametrized queries or ORMs is demonstrating gross negligence. Harsh words, but given how easy parametrized queries are and how hard it is to securely escape SQL, there really is no excuse for manual escaping.

 

Yep. I hate going into scripts and seeing manually generated queries with escapes in them. It really isn't that hard in PHP either; it should be second nature, especially if you are doing OOP. I shudder at procedural code anymore lol... been working in OOP too long to go back now! If you can't be bothered with it, use one of the many frameworks out there that do this naturally!

Bazinga Punk (12 items)
CPU: Intel Xeon 3440 | Motherboard: AsRock P55 extreme | Graphics: Evga 8800 GT 512 MB | RAM: Gskill Ripjaws
Hard Drive: Western Digital Blue | Cooling: Antec Khuler 620 | OS: Ubuntu 11.10 | Monitor: Asus vw264H
Keyboard: GIGABYTE KM7600 | Power: CORSAIR TX 650 | Case: Cooler Master 590 | Mouse: GIGABYTE GM-M6800

ooh shiny! (6 items)
CPU: Intel Core I5 6500 | Motherboard: Gigabyte z170xp-SLI | Graphics: Nvidia 970gtx | RAM: Corsair 16gb ddr4 2666mhz
Hard Drive: 250gb Samsung Evo 850 | OS: Windows 10 & Ubuntu 15.10
post #32 of 37
Thread Starter 
Your own forum you say? Sounds like a good place for all of us sozo.gif
post #33 of 37
Quote:
Originally Posted by Shrak View Post

Your own forum you say? Sounds like a good place for all of us sozo.gif

If anyone can break it and find the bugs, it's us lot! biggrin.gif
Hexacore Whore (14 items)
CPU: 1055t 125w @ 3.5 | Motherboard: Gigabyte GA-890GPA UD3-H rev 1.0 F7c | Graphics: MSI R6950 PE OC Unlocked shaders | Graphics: MSI R6950 PE OC Locked shaders :(
RAM: G.Skill Ripjaw Blue 1.6v | Hard Drive: 500gb Sammy EVO 840, 1tbWDCavBlack SIII | Optical Drive: A Black One! :P | OS: Win7 Ultimate 64bit
Monitor: LG 37LH3000 37" 1080P | Keyboard: Logitech Comfort Laser | Power: XFX XXX 650W | Case: Cooler Master Storm Scout
Mouse: Logitech Comfort Cordless | Mouse Pad: Mahogany desk
post #34 of 37
@Plan9
Quote:
The forum I'm midway through developing at the moment. tongue.gif
If you want, I'll give you the URL and you can have a play. I'd be interested in hearing some reviews from some alpha testers

That'd be cool. biggrin.gif
Mythica (14 items)
CPU: Intel i3 530 | Motherboard: Gigabyte GA-H55M-D2H | Graphics: Palit nVidia GT430 | RAM: Corsair Dominator 4GB TW3X4G1333C9A
Hard Drive: Western Digital Scorpio Black | Hard Drive: Samsung HD204UI | OS: Linux Mint 17 | Monitor: HP L1800
Keyboard: Logitech Basic | Power: Thermaltake ToughPower 850W | Case: Lian-Li PC-A04B | Mouse: Logitech Trackman Wheel
post #35 of 37
Quote:
Originally Posted by Plan9 View Post

Yes, but not with any of the solutions you've given:
To be fair, having client side validation is so stupid it doesn't even deserve mentioning.
I'm not really sure how many times I have to say this, but DON'T MANUALLY ESCAPE YOUR SQL!!! Use parametrized queries or ORMs.

Seriously guys, parametrized queries are actually EASIER to use than building your own SQL string:
Code:
$stmt = $pdo->prepare("SELECT * FROM users WHERE user_id = ?");
$stmt->execute([$user_id]); // the value is bound by the driver, never spliced into the SQL text

No need for escaping, no need to worry about table data types, no ugly procedural code intermixed with SQL. It's clean, easy to read and secure. There really isn't any excuse for anyone to be escaping their user inputs manually. In fact, I'd actually go as far as to say that anyone who does choose to manually escape over using parametrized queries or ORMs is demonstrating gross negligence. Harsh words, but given how easy parametrized queries are and how hard it is to securely escape SQL, there really is no excuse for manual escaping.

My bad :-( I haven't been active in the web development industry since the early 2000s, i.e. circa the early PHP5 / late PHP4 days. Last I knew, the only way to do it was to do your own manual checking, since there wasn't an included method for it.
I need to brush up on things again :-P
    
CPUMotherboardGraphicsRAM
Core i7 920 D0 4.2ghz HT (1.3625v) Asus R3E 2xGTX 460 (non SLi, no overclock) 6x2gb G.skill @ 6-8-6-24-1T 
Hard DriveOptical DriveOSMonitor
WD-VR 300GBx1, 2xWD 1tb,2x60gb Agility Some crappy combo burner... Arch x64 3xDell U2410f rev A02 
KeyboardPowerCaseMouse
X-Armor U9BL TT Toughpower 1200w (NTB more efficient) Mountain Mods Pinnacle 24 CYO Roccat Kone (R.I.P. A4Tech x7) 
Mouse Pad
Steelpad Experience I-1 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Core i7 920 D0 4.2ghz HT (1.3625v) Asus R3E 2xGTX 460 (non SLi, no overclock) 6x2gb G.skill @ 6-8-6-24-1T 
Hard DriveOptical DriveOSMonitor
WD-VR 300GBx1, 2xWD 1tb,2x60gb Agility Some crappy combo burner... Arch x64 3xDell U2410f rev A02 
KeyboardPowerCaseMouse
X-Armor U9BL TT Toughpower 1200w (NTB more efficient) Mountain Mods Pinnacle 24 CYO Roccat Kone (R.I.P. A4Tech x7) 
Mouse Pad
Steelpad Experience I-1 
  hide details  
Reply
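The two forms Plan9 contrasts in the quote carried by posts #31 and #35, side by side, as an added example that is not code from the thread or from any poster. It is written in Python against an in-memory SQLite database with a constructed `users` table so it runs offline; the DB-API `?` placeholder plays the same role as PDO's in PHP. `lookup_concat` splices the value into the SQL string, `lookup_bound` passes it as a bound parameter, and `compare` runs both on the same input so the difference in what each statement means is visible.

```python
"""Added example (not from the thread): bound parameters versus string building.

Sample data and function names are constructed for this illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("1", "alice"), ("2", "bob"), ("3", "carol")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """The form the thread warns against: the value becomes part of the SQL text.

    Whatever the caller supplies is parsed as SQL, so the caller decides what
    the statement means. Manual escaping tries to patch this after the fact.
    """
    sql = "SELECT name FROM users WHERE user_id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, user_id: str) -> list:
    """The form the thread recommends: the SQL text is fixed, the value is bound.

    The driver hands the value to the engine separately from the statement,
    so it is only ever compared as data and never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def compare(user_id: str) -> dict:
    """Run both lookups on a fresh database with the same input."""
    conn = make_db()
    return {
        "concat": lookup_concat(conn, user_id),
        "bound": lookup_bound(conn, user_id),
    }


def concat_rejects_legitimate_quote(user_id: str = "o'brien") -> bool:
    """Concatenation also fails on honest data containing a quote.

    The spliced quote makes the statement unparseable, which is what pushed
    people toward hand-rolled escaping in the first place. The bound version
    needs no workaround: it simply finds no such user. Returns True when the
    concatenated form raises and the bound form returns an empty result.
    """
    conn = make_db()
    try:
        lookup_concat(conn, user_id)
    except sqlite3.OperationalError:
        return lookup_bound(conn, user_id) == []
    return False


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print(compare("2"))
    # A value containing a quote rewrites the WHERE clause in the concatenated
    # version, but is just a string that matches nothing in the bound version.
    print(compare("' OR '1'='1"))
    print(concat_rejects_legitimate_quote())
```

The point to take from `compare` is that the bound version never changes its result shape no matter what the input contains: one fixed statement, one comparison against data. Every database driver that supports placeholders (PDO, mysqli prepared statements, Python DB-API, JDBC) gives the same guarantee, which is why the thread's advice is to use them instead of escaping by hand.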
post #36 of 37
Quote:
Originally Posted by Shrak View Post

Your own forum you say? Sounds like a good place for all of us sozo.gif

Quote:
Originally Posted by Spacedinvader View Post

If anyone can break it and find the bugs, it's us lot! biggrin.gif

Quote:
Originally Posted by parityboy View Post

@Plan9
That'd be cool. biggrin.gif
I'll drop you guys a PM when I've gotten to a stage that I can let people on (at the moment I keep breaking things as quickly as I'm building them laugher.gif)
Quote:
Originally Posted by Xaero252 View Post

My bad :-( I haven't been active in the web development industry since the early 2000s, i.e. circa the early PHP5 / late PHP4 days. Last I knew, the only way to do it was to do your own manual checking, since there wasn't an included method for it.
I need to brush up on things again :-P
Yeah, the stuff I've mentioned has only really come about in the last 10 years (not sure when, as, like yourself, I stopped web developing around the early 2000s and only picked it up again in the last couple of years).
post #37 of 37
Thread Starter 
Sounds good to me thumb.gif