Comment: Re:SQL Injections SHOULD NEVER WORK (Score 1) 267

by mcalwell (#31283716) Attached to: Anatomy of a SQL Injection Attack

of database credentials or having different area, including duplicate pages, that handle the different database credentials.

Why would you have duplicate pages? You store the database connection credentials in a session, or even the database connection object. When they login, they change credentials and run with those.

Comment: Re:SQL Injections SHOULD NEVER WORK (Score 2, Informative) 267

by mcalwell (#31283704) Attached to: Anatomy of a SQL Injection Attack

The user can see the table structure, perhaps the view definition, but not the data they have no rights to.

You deny select on the table, and grant access to the view. The view contains a constraint that forces the view only to return the data the connecting user is allowed to see.

I have implemented this in Postgres/PHP.

You have a group role that has read access to the public tables (eg products). The webserver runs, by default, at this user level.

When a user logs in, they reconnect to the database. They are in two groups now, the same one the webserver runs in by default, and another, which gives them access to their view.

To CREATE users, you have an insert trigger in a users table to which the webserver user has INSERT rights, which then creates a new role with the required credentials.

Is it more work than a simple users table and single sign on? Yes. Is it a more sound methodology than SSO? Yes.

You wouldn't have SSO in a corporate environment, why should you have it in a web environment?

Comment: SQL Injections SHOULD NEVER WORK (Score 5, Insightful) 267

by mcalwell (#31283432) Attached to: Anatomy of a SQL Injection Attack

If your code is running at the correct privilege level, SQL injections should be completely irrelevant.

If your user is connecting with the correct credentials, they should only be able to see public data and their own records, nothing else.

This is implemented by using views in the database, and only allowing users rights to views, not tables.

If your website user is connecting with credentials that allow a crafted SQL query to see privileged data, you have set everything up wrong.

If you have set everything up correctly, even a successful SQL injection will only return data the user can see.
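The per-user view and role scheme described in the two comments above, written out as an added PostgreSQL example (not code from the commenter); the table, view, role and column names are assumptions, and the trigger is shown as a BEFORE trigger so the plaintext password is not persisted:

```sql
-- Added example: privilege-separated Postgres setup where web users
-- only ever reach their own rows through a view. Names are assumed.
CREATE TABLE products (id serial PRIMARY KEY, name text NOT NULL);  -- public data
CREATE TABLE orders (
    id     serial PRIMARY KEY,
    owner  text NOT NULL,   -- database role name of the owning user
    amount numeric NOT NULL
);

-- Group role the webserver connects as by default: public tables only.
CREATE ROLE web_public NOLOGIN;
GRANT SELECT ON products TO web_public;

-- Group role for logged-in users: rights on the view, never on the table.
CREATE ROLE web_user NOLOGIN;
REVOKE ALL ON orders FROM PUBLIC;

-- The view filters on the connecting role; security_barrier stops
-- user-supplied functions in a WHERE clause from being pushed below the filter.
CREATE VIEW my_orders WITH (security_barrier) AS
    SELECT id, amount FROM orders WHERE owner = current_user;
GRANT SELECT ON my_orders TO web_user;

-- Users table the default web role may INSERT into; a trigger running with
-- definer privileges creates the login role and clears the plaintext password.
CREATE TABLE users (username text PRIMARY KEY, password text);
GRANT INSERT ON users TO web_public;

CREATE FUNCTION create_user_role() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    EXECUTE format('CREATE ROLE %I LOGIN PASSWORD %L IN ROLE web_public, web_user',
                   NEW.username, NEW.password);
    NEW.password := NULL;   -- do not store the secret alongside the username
    RETURN NEW;
END $$;

CREATE TRIGGER users_create_role BEFORE INSERT ON users
    FOR EACH ROW EXECUTE FUNCTION create_user_role();

-- Check after a user reconnects with their own role (here via SET ROLE):
--   SET ROLE alice;
--   SELECT * FROM my_orders WHERE id = 1 OR 1=1;   -- only alice's rows
--   SELECT * FROM orders;                          -- permission denied
```

The check at the end is the point of the comment: an injected `OR 1=1` still runs, but the view's `current_user` filter bounds what it can return, and the base table is unreachable from the web role.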

Comment: No more night-time builds means agile is possible? (Score 1) 193

by mcalwell (#30122788) Attached to: Becoming Agile

I'm not too young to remember when a software change meant an overnight build before testing could be done the next day.

And then testing involved aspects of system performance which simply don't apply in many environments today - memory leaks, null pointer exceptions, DLL hell, and so on. There was a much stronger case for a more rigorous and pedestrian process, because the costs of change were higher. Being able to change and test code on the fly is something to be taken advantage of.

That doesn't mean methodology should be thrown out of the window. A solid, lean, clean, transparent, demarcated set of classes to describe the general system and initial problem will give you flexibility to change. Keep your business, data and presentation layers separate. Always maintain stable interfaces. It doesn't have to be dogmatic.

Comment: Thinkpad, Thinkpad, Thinkpad (Score 1) 672

by mcalwell (#29636079) Attached to: Best Developer's Laptop?

T Series - bulletproof, robust, great with Linux, go forever. Also IBM/Lenovo provide fantastic replacement manuals giving descriptions of how to disassemble the unit step by step. I repaired an old T23 the other day and it's fantastic. Also, Thinkpad Docks are great and cheap. I have a dock at home and at work and just shuffle the machine back and forth. Never looked back.

Comment: If hate isn't a crime, why is inciting hatred? (Score 1) 778

by mcalwell (#28668781) Attached to: British Men Jailed For Online Hate Crimes

If hate isn't a crime, why is inciting hatred a crime? This is one question the liberal fascists can't answer. Inciting violence is a crime, because violence is a crime, commissioning a crime is a crime. But hatred?

Liberals, not being people who like taking responsibility for their own actions, like the idea that nebulous things such as "speech" can be held responsible for events. Ergo, punish the speech.

The problem with "inciting hatred" is that it's such a nebulous term that anything can be interpreted in that way by even the most hypersensitive paranoiac and before you know it, you're not saying anything for fear of being arrested. For some people, saying that sodomy is grotesque is enough to merit a penalty.

Britain's Labour government are a sad, sad, desperate, miserable bunch of barrel scraping nation destroyers. We were owed an election years ago.
