Comment: Re:It's not that hard to do it right (Score 1) 53

by amicusNYCL (#48173173) Attached to: Drupal Fixes Highly Critical SQL Injection Flaw

Sure but in Java you have things like Spring Framework, Hibernate, Java EE standards that have been around for a decade and they are rock-solid foundations to build upon.

To be fair, the mysqli extension in PHP which supports prepared statements has also been around for over a decade. But you can still go and find any number of tutorials teaching people how to write vulnerable queries by concatenating strings and using the deprecated mysql extension, and you can go to any PHP forum and find people posting questions about code which uses the same. And when you try to teach those people how to do it the correct way, roughly 95% of the time their response is along the lines of "I just need to make it work, then I'll learn about prepared statements." It's a failure of the programmers and tutorials far more than it is a failure of the language. It would be fantastic if PHP outright removed the mysql extension and the mysqli_query function, but that would break a ton of existing applications. And, even so, even when you point people to tutorials about prepared statements they gloss over everything and come back with code like:

$mysqli->prepare('SELECT * FROM table WHERE id=' . $_GET['id']);

Look, I used a prepared statement!

Like I said, it's a failure of the programmers who want the quick and easy way instead of the correct way.

Comment: Get Off My Lawn (Score 1) 33

by Frosty Piss (#48172535) Attached to: High-Tech Walkers Could Help Japan's Elderly Stay Independent

I think this is terrific technology that has a great potential to help old people both now and in the future when you and I will be old.

It all seems a bit "hokey" now, kind of on the interesting side of lame, but remember, this is how ideas start out: A basic idea that has to be developed.

I'm 50 now, which makes me a decrepit old man by Slashdot standards, but I expect to have a "helper robot" when I retire in 15 years.

Comment: Re:Baby steps (Score 1) 348

Step 1: research on the ISS focused on biosphere components and food production.

Those aren't baby steps - your step 1 is no lower than about step 5 in any rational plan. We don't even know how to build a biosphere _on the ground_. Baby steps start with the basics, not three quarters of the way up the curve in the most expensive place to perform research.

At the same time, work on high efficiency, low reaction mass propulsion systems.

We already have those. The problem is, they absolutely suck because high efficiency and low reaction mass means absurdly low thrust. (F=MA after all.) Absent new physics, that's not going to change and such drives are going to be useless for manned expansion.

Comment: Re:Heh (Score 5, Informative) 53

by amicusNYCL (#48155095) Attached to: Drupal Fixes Highly Critical SQL Injection Flaw

It looks like a feature where you could supply one placeholder in a prepared statement, but give it an array of values, and it would expand the placeholders to fit the array. So if the query was like this:

SELECT * FROM table WHERE id IN (:idlist)

and you passed an array with 3 values for idlist, it would replace the query like this:

SELECT * FROM table WHERE id IN (:idlist_1, :idlist_2, :idlist_3)

... then use the values in the array as the three values for those placeholders. It looks like the old code was using the keys from the data array, so instead of appending something like "_1", it would append the actual key. So an attacker could put SQL code into the array keys and it would stick those (unchanged) into the query.

Here is the old code (without comments):

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // Vulnerable: $i is the caller-supplied array key, so whatever text
    // the key contains becomes part of the new placeholder name.
    foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    // The placeholder names (key text included) are pasted into the SQL.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

And the new code:

foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    // Fixed: array_values() re-indexes the array, so $i is always 0..n-1
    // and the caller's keys never reach the query text.
    foreach (array_values($data) as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
}

array_values will return an array with numeric indexes, which is what removes the vulnerability.
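Added example (not Drupal's code, and not from the comment above): a Python re-implementation of the PHP expansion loop, with a flag that selects the old key-based suffixes or the fixed position-based ones, plus a post-condition check a defender could apply to the expanded query. The query, argument arrays and the "x -- marker" key are constructed for illustration.

```python
import re

# Re-implementation of the placeholder-expansion loop quoted above:
# ":ids" bound to an array becomes ":ids_<suffix>, ..." and the array is
# flattened into one binding per suffix. Where the suffix comes from is
# the whole difference between the vulnerable and the fixed version.

def expand_arguments(query, args, use_keys):
    """Return (query, args) with array-valued placeholders expanded.

    use_keys=True  mirrors the old code: suffixes are the caller's array
                   keys, so key text is pasted verbatim into the SQL.
    use_keys=False mirrors the fix: array_values() drops the keys, so the
                   suffixes are always 0..n-1.
    """
    args = dict(args)
    for key in [k for k, v in args.items() if isinstance(v, dict)]:
        data = args.pop(key)
        items = data.items() if use_keys else enumerate(data.values())
        new_keys = {f"{key}_{i}": value for i, value in items}
        query = re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)
        args.update(new_keys)
    return query, args


PLACEHOLDER = re.compile(r":\w+")

def expanded_safely(query, args):
    """Post-condition: every binding name is a plain ':word' token and the
    query references exactly those names, nothing more."""
    names = PLACEHOLDER.findall(query)
    return all(re.fullmatch(r":\w+", k) for k in args) and set(names) == set(args)


# Constructed inputs. Values are harmless in both; only the key differs.
QUERY = "SELECT * FROM node WHERE nid IN (:ids)"
SAFE_ARGS = {":ids": {0: 5, 1: 7}}
TAINTED_ARGS = {":ids": {"x -- marker": 5, "y": 7}}

if __name__ == "__main__":
    for flag in (True, False):
        q, a = expand_arguments(QUERY, TAINTED_ARGS, use_keys=flag)
        print("old  " if flag else "fixed", q, a, expanded_safely(q, a))
```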

Comment: Re:German illegal? (Score 2) 323

by DerekLyons (#48142775) Attached to: How English Beat German As the Language of Science

And this isn't old news either - that a Presidential candidate (JFK) was Catholic was a divisive issue within living memory.

The problem with knowing the truth of US history is, starting in the 60's the black civil rights movement co-opted the idea of discrimination and painted it in simple black-and-white terms. Steadily since then, except for things like the internment of the Japanese that simply couldn't be overwritten, the story of discrimination and persecution in the US has been told solely in terms of antisemitism and Jim Crow.
