Php magicians
-
I work on a system every day which is made of bugs. Today I realized how stupid a human being can be. If someone has to pay as a punishment, the system stores it with id 204. An idiot wrote into the code insert into ... punishment_reason=402. I looked for it and there is no 402 id in the punishment reason table. It is "the same" as 204, so I checked the function which should list these punishments. The function was this one:
[code]
function getLastPunishmentDate()
{
    if($date==null)
    {
        $date=date();
    }
    // $date is concatenated into the SQL text with no quotes around it
    $sql="select blablabla where date=".$date;
    return SQLObject::fetch($sql);
}
[/code]
The only problem was that it returned null every time, because $date was not surrounded by quotes. I've done a 5 minute task in 5 hours. Thank you guys! (Again..)
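To see why the unquoted $date makes the query come back empty, here is an added example (it is not code from the post): it runs the same pattern against an in-memory SQLite database, which stands in for the MySQL setup, and then the same lookup with a bound parameter. The punishments table, its columns and the sample row are constructed for the demo.

```php
<?php
// Added example, not code from the forum post. The punishments table, its columns and
// the sample row are constructed for the demo; in-memory SQLite stands in for MySQL.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE punishments (id INTEGER PRIMARY KEY, reason INTEGER, date TEXT)");
    $db->exec("INSERT INTO punishments (reason, date) VALUES (204, '2013-09-05')");
    return $db;
}

// Same pattern as the post: the value is glued into the SQL text with no quotes around it,
// so the database receives  WHERE date = 2013-09-05  and treats it as an expression.
function getPunishmentBuggy(PDO $db, string $date)
{
    $sql = "SELECT * FROM punishments WHERE date = " . $date;
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// What the unquoted text evaluates to on the database side.
function whatTheDatabaseCompares(PDO $db, string $date): int
{
    return (int) $db->query("SELECT " . $date)->fetchColumn();
}

// The fix: hand the value to the driver as a bound parameter. Quoting is no longer the
// caller's job, and the value can never alter the shape of the statement.
function getPunishmentSafe(PDO $db, string $date)
{
    $stmt = $db->prepare("SELECT * FROM punishments WHERE date = :date");
    $stmt->execute([':date' => $date]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db   = makeDb();
$date = '2013-09-05';

var_dump(getPunishmentBuggy($db, $date));
var_dump(whatTheDatabaseCompares($db, $date));
var_dump(getPunishmentSafe($db, $date));
```

Run it with a php build that has pdo_sqlite. Unquoted, the database parses `WHERE date = 2013-09-05` as the arithmetic expression 2013 minus 9 minus 5 and compares the column with 1999, so the buggy lookup finds nothing and fetch() returns false (the "null" of the post), while the bound version returns the row with reason 204. Binding also means the value cannot change the statement itself, which starts to matter the moment a function like this takes a caller-supplied date.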
-
I wish I could make a wise comment about 402 being the area code for Omaha and that it makes sense to think of it as punishment, but actually Omaha is quite a nice city with surprisingly modern buildings and a high-quality lifestyle (in most areas).
204 however is the area code for Manitoba, which is the Canadian twin of North Dakota... See what kind of punishment it is!
-
HTTP Error 402 - Payment Required
-
@szigya said:
I work on a system every day which is made of bugs. Today I realized how stupid can be a human being. If someone have to pay as a punishment, the system stores it with id 204. Az idiot wrote into the code insert into ... punishment_reason=402. I looked for it and there is no 402 id in the punishment reason table.
The real problem here seems to be a missing foreign key constraint.
@szigya said:
$sql="select blablabla where date=".$date;
The only problem was that it returned null every time, because $date had not rounded by quotes.
No, that's by no means the only problem. The biggest problem here is that an SQL query is being composed by appending strings rather than using proper parameter substitution.
-
It's not a problem here, because the date is valid data, and there is no $date input parameter (in the function), as you can see :))).
Actually 'only' was a little sarcasm; it originates from my mother tongue, maybe in English it's not so obvious. In this system there aren't any foreign keys, because it uses MyISAM. :(
-
It seems common, but I've never seen anything like this before. I could post two or three pieces like this a day. Another example:
There is a menu: Queries.
A function in connection with it is like this:
[code]
public function Query128()
{
    $sql = "...";
    // execute
    return $result;
}
[/code]
and the number of the query is (was) an autoincrement value in the database, and was static in the view. So if I wanted to create a new query, I had to rename it after migration, because queries can be created "online" by clicking on a button and writing in an SQL query.
-
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
-
@dhromed said:
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
Sure, danke. I'm just getting to know this forum engine.
As well as how to add new lines.
-
@anonymous235 said:
@szigya said:
punishment_reason=402
Kinky. Sounds like some kind of automated BDSM system.
[code]
enum PunishmentReason {
    // ...
    Naughty = 402,
    // ...
}
[/code]
-
@szigya said:
It's not a problem here, because date is a valid data, and there is no $date input parameter (in the function) as you can see :))).
Yes, it is. It's bugging about like this that gives PHP a bad name, in my opinion. Simply always parametrize your queries; if you have a good system in place for that, it becomes second nature and you automatically avoid bugs like this because those quotes would have been inserted automatically - which would have saved you five hours of work.
For example, a system I work with has a fairly simple query syntax, that is based on (and is essentially identical to) sprintf. It takes a variable number of arguments, of course, and each parameter goes through mysql_real_escape_string and has quotes added to it. Possibility of SQL injection: zero; at least, as long as you consistently enforce this structure. Is this some mysterious, newfangled enigma technique? Not exactly: it's been in place for almost a decade now (and in fact being deprecated in favor of the newer MySQLi methods). Heck, there's an example of how to do this in the manual.
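As an added illustration of the sprintf-style helper described in that post (this is not FragFrog's code; it is a small reimplementation on top of PDO::quote(), because mysql_real_escape_string() no longer exists in current PHP): every %s argument is escaped and quoted by the driver, every %d is forced to an integer literal, and a placeholder without an argument is rejected instead of silently producing broken SQL. The table and rows are constructed for the demo on an in-memory SQLite database.

```php
<?php
// Added example, not the poster's own code. Reimplements the sprintf-like query helper
// he describes using PDO::quote(); table, rows and the queries are constructed for the demo.

function buildQuery(PDO $db, string $template, ...$args): string
{
    $i = 0;
    return preg_replace_callback('/%([sd%])/', function (array $m) use ($db, &$i, $args) {
        if ($m[1] === '%') {
            return '%';                      // literal percent sign
        }
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("No argument supplied for placeholder #$i");
        }
        $value = $args[$i++];
        // %d becomes an integer literal; %s is escaped AND quoted by the driver,
        // so a caller can never forget the quotes the way the first post did.
        return $m[1] === 'd' ? (string) (int) $value : $db->quote((string) $value);
    }, $template);
}

function queryAll(PDO $db, string $template, ...$args): array
{
    return $db->query(buildQuery($db, $template, ...$args))->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE punishments (id INTEGER PRIMARY KEY, who TEXT, reason INTEGER, date TEXT)");
$db->exec("INSERT INTO punishments (who, reason, date) VALUES ('O''Brien', 204, '2013-09-05')");

// The date is quoted for us, so it is compared as text rather than evaluated as arithmetic.
echo buildQuery($db, "SELECT * FROM punishments WHERE date = %s AND reason = %d", '2013-09-05', 204), "\n";
// An embedded apostrophe is escaped instead of terminating the string literal.
echo buildQuery($db, "SELECT * FROM punishments WHERE who = %s", "O'Brien"), "\n";
print_r(queryAll($db, "SELECT who, reason FROM punishments WHERE who = %s AND date = %s", "O'Brien", '2013-09-05'));
```

The helper still assembles SQL text, so, exactly as the post says, the protection only holds for code that goes through it consistently; PDO::prepare() with bound parameters removes even that dependency and is the better default for anything written today.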
-
@FragFrog said:
@szigya said:
It's not a problem here, because date is a valid data, and there is no $date input parameter (in the function) as you can see :))).
Yes, it is. It's bugging about like this that gives PHP a bad name, in my opinion. Simply always parametrize your queries; if you have a good system in place for that, it becomes second nature and you automatically avoid bugs like this because those quotes would have been inserted automatically - which would have saved you five hours of work.
For example, a system I work with has a fairly simple query syntax, that is based on (and is essentially identical to) sprintf. It takes a variable number of arguments, of course, and each parameter goes through mysql_real_escape_string and has quotes added to it. Possibility of SQL injection: zero; at least, as long as you consistently enforce this structure. Is this some mysterious, newfangled enigma technique? Not exactly: it's been in place for almost a decade now (and in fact being deprecated in favor of the newer MySQLi methods). Heck, there's an example of how to do this in the manual.
Don't misunderstand me, this is not the technique I use when I write code. I've learnt ASP.NET as well, and prefer that kind of coding style, so I use a framework for my PHP projects. I said it's not a problem from a security aspect, and I don't think it would be better if it was a parameter.
-
@dhromed said:
...it looks like you're shouting randomly
To be fair, that is the way many of us roll.
-
@eViLegion said:
@dhromed said:
...it looks like you're shouting randomly
To be fair, that is the way many of us roll.
It's like long-form twitter.
-
@dhromed said:
It's like long-form twitter.
lornekates Tweets:
#ftfy #hashtaginsteadofthought
lornekates Tweets:
... up and presented in reverse chrono
lornekates Tweets:
... where long ideas are broken ...
lornekates Tweets:
... form @Twitter ...
lornekates Tweets:
It like long...
-
@szigya said:
@dhromed said:
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
Sure, danke. I'm just getting to know this forum engine.
As well as how to add new lines.
Oooh, you're going to have so much fun with this one.
-
@Maciejasjmj said:
@szigya said:
@dhromed said:
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
Sure, danke. I'm just getting to know this forum engine.
As well as how to add new lines.
Oooh, you're going to have so much fun with this one.
Filed under: XSS is strictly prohibited, well not quite
We should have a list of things you shouldn't do, so people know not to do them.
I'll start:
- Don't write <img src="/logout.aspx"> in your posts
- Don't close more tags than you open in your posts
- Don't post ginormous images [known as Ben L'ing*]
* Other practices known as Ben L'ing include talking about Chromebooks, Go advocacy, and feline sodomy
-
@joe.edwards said:
* Other practices known as Ben L'ing include talking about Chromebooks, Go advocacy, and feline sodomy
What about QR code abuse? Won't anyone think of the poor QR codes?
-
@joe.edwards said:
This public service message has been brought to you by The Ministry of No Fun At All.
- Don't write <img src="/logout.aspx"> in your posts
- Don't close more tags than you open in your posts
- Don't post ginormous images [known as Ben L'ing*]
* Other practices known as Ben L'ing include talking about Chromebooks, Go advocacy, and feline sodomy
-
@El_Heffe said:
@joe.edwards said:
Maybe I was too subtle.
This public service message has been brought to you by The Ministry of No Fun At All.
- Don't write <img src="/logout.aspx"> in your posts
- Don't close more tags than you open in your posts
- Don't post ginormous images [known as Ben L'ing*]
* Other practices known as Ben L'ing include talking about Chromebooks, Go advocacy, and feline sodomy
-
@joe.edwards said:
Don't write <img src="/logout.aspx"> in your posts
You just reminded me I still don't have a signature.
-
Filed under: The point was giving him ideas he might never have had otherwise.
<img src="http://static.tvtropes.org/pmwiki/pub/images/texplainthejoke.jpg" >
-
@Maciejasjmj said:
He's cross because somebody just explained a joke.
Filed under: The point was giving him ideas he might never have had otherwise.
-
@flabdablet said:
@Maciejasjmj said:
He's cross because somebody just explained a joke.
Filed under: The point was giving him ideas he might never have had otherwise.
Referral Denied
-
@Scribbler said:
What about QR code abuse?
-
@Ronald said:
@Scribbler said:
WHO IS THAT? HAVE YOU BEEN SEEING SOMEONE?
What about QR code abuse?
-
@dhromed said:
I told him he should have turned left at Albuquerque!
@szigya said:
Fuck, I see what you did here :D
Yo! When replying, you should include a bit of relevant quote, otherwise it looks like you're shouting randomly.
-
@DaveK said:
told him he should have turned left at Albuquerque
Albuquerque is more famous for something else these days.
-
php magicians v2
[code]
protected static function storeData($generatedSessionId, $value){
    $storeId = self::getStoreKey($generatedSessionId);
    $sql = "
        DELETE FROM dataStoreData WHERE store_id = " . (int)$storeId . ";
    ";
    self::$_dbConnection->execute($sql);
    foreach($value as $row){
        $sql = "
            INSERT INTO dataStoreData (store_id, row_id, data)
            VALUES (" . $storeId . ", " . current($row) . ", '" . self::$_dbConnection->quote(serialize($row)) . "')
        ";
        self::$_dbConnection->execute($sql);
    }
    return $storeId;
}
[/code]
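The double quoting on the INSERT is easy to read past, so here is an added example (not the code from the post) that prints what `'" . quote(...) . "'` actually produces, and then a storeData() with the same contract (wipe the store, insert one row per element of $value, return the store id) written with bound parameters and a transaction, so the DELETE and the INSERTs either all apply or none do. It takes the store id directly instead of deriving it from the session id through getStoreKey(), uses a plain PDO connection in place of self::$_dbConnection, keeps the dataStoreData layout from the post, and runs on in-memory SQLite with constructed rows.

```php
<?php
// Added example, not the code from the post. Store id is passed in directly; the
// dataStoreData table follows the post, the rows are constructed for the demo.

function setUp(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE dataStoreData (store_id INTEGER, row_id INTEGER, data TEXT)");
    return $db;
}

// What the original builds for the data column: quote() already returns a quoted,
// escaped literal, and the surrounding '...' wraps it in a second pair of quotes.
function originalDataLiteral(PDO $db, array $row): string
{
    return "'" . $db->quote(serialize($row)) . "'";
}

function storeData(PDO $db, int $storeId, array $value): int
{
    $db->beginTransaction();                   // DELETE and INSERTs succeed or fail together
    try {
        $del = $db->prepare("DELETE FROM dataStoreData WHERE store_id = :store");
        $del->execute([':store' => $storeId]);

        $ins = $db->prepare(
            "INSERT INTO dataStoreData (store_id, row_id, data) VALUES (:store, :row, :data)"
        );
        foreach ($value as $row) {
            $rowId = current($row);            // same choice of row id as the original
            if (!is_int($rowId) && !ctype_digit((string) $rowId)) {
                throw new InvalidArgumentException(
                    "row_id must be an integer, got " . var_export($rowId, true)
                );
            }
            // serialize() output travels as a bound value: no quote(), no manual quotes
            $ins->execute([':store' => $storeId, ':row' => (int) $rowId, ':data' => serialize($row)]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();                       // the previous rows survive if anything fails
        throw $e;
    }
    return $storeId;
}

$db = setUp();
echo originalDataLiteral($db, ['id' => 7, 'name' => "it's"]), "\n";

storeData($db, 42, [[1, 'first'], [2, "o'clock"]]);
storeData($db, 42, [[3, 'replaced']]);         // second call wipes the first two rows
foreach ($db->query("SELECT row_id, data FROM dataStoreData WHERE store_id = 42") as $r) {
    echo $r['row_id'], ' => ', $r['data'], "\n";
}
```

The original also casts $storeId to int in the DELETE but drops it uncast into the INSERT, and puts current($row) into the statement with no quoting at all; binding every value removes both inconsistencies, and the row_id check rejects a non-integer instead of letting the database coerce it quietly.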
-
@anonymous235 said:
indeed!
It's fixed-height padding so that syzzigy's posts fit exactly on my monitor.
-
@dhromed said:
@anonymous235 said:
indeed!
It's fixed-height padding so that syzzigy's posts fit exactly on my monitor.
You have really small monitor :(
-
@szigya said:
You have really small monitor :(
Sorry, I meant only your previous one, with the ton of white space.
-
@Zemm said:
@DaveK said:
Hot dogs? Jumping frogs?
told him he should have turned left at Albuquerque
Albuquerque is more famous for something else these days.
Filed Under: Can you think of something that talks, other than a person?
-
@dhromed said:
@szigya said:
You have really small monitor :(
Sorry, I meant only your previous one, with the ton of white space.
I know.
-
@DaveK said:
@Zemm said:
Lumberjacks?
Albuquerque is more famous for something else these days.
Hot dogs? Jumping frogs?
-
@dkf said:
@DaveK said:
Don't think there are an awful lot of lumberjacks in the deserts of New Mexico.
@Zemm said:
Lumberjacks?
Albuquerque is more famous for something else these days.
Hot dogs? Jumping frogs?
-
@DaveK said:
The only reason I can think of to live in the deserts of New Mexico is because either you are terrified of plants or you hate them with a burning passion. The latter could make you a non-professional lumberjack.
-
@locallunatic said:
Most lumberjacks aren't afraid of p***ts, they're simply disgusted by them.
@DaveK said:
The only reason I can think of to live in the deserts of New Mexico is because either you are terrified of plants or you hate them with a burning passion. The latter could make you a non-professional lumberjack.
-
@joe.edwards said:
@locallunatic said:
How do lumberjacks feel about f****ts?
@DaveK said:
Most lumberjacks aren't afraid of p***ts, they're simply disgusted by them.
@dkf said:
The only reason I can think of to live in the deserts of New Mexico is because either you are terrified of plants or you hate them with a burning passion. The latter could make you a non-professional lumberjack.
@DaveK said:
Don't think there are an awful lot of lumberjacks in the deserts of New Mexico.
@Zemm said:
Lumberjacks?
Albuquerque is more famous for something else these days.
Hot dogs? Jumping frogs?
-
@El_Heffe said:
Are they okay?
@joe.edwards said:
@locallunatic said:
How do lumberjacks feel about f****ts?
@DaveK said:
Most lumberjacks aren't afraid of p***ts, they're simply disgusted by them.
@dkf said:
The only reason I can think of to live in the deserts of New Mexico is because either you are terrified of plants or you hate them with a burning passion. The latter could make you a non-professional lumberjack.
@DaveK said:
Don't think there are an awful lot of lumberjacks in the deserts of New Mexico.
@Zemm said:
Lumberjacks?
Albuquerque is more famous for something else these days.
Hot dogs? Jumping frogs?
-
@El_Heffe said:
How do lumberjacks feel about f****ts?
Pretty much every single [url="http://en.wikipedia.org/wiki/Faggot_%28unit%29"]f****ts[/url] in the world was once in the hands of a lumberjack.
-
@Lorne Kates said:
@El_Heffe said:
How do lumberjacks feel about f****ts?
Pretty much every single f****t in the world was once in the hands of a lumberjack.
A f****t is either 21 or 31 pints, depending on what you had for lunch today.
-
@Ben L. said:
@Lorne Kates said:
I am of the opinion that even as little as 21 pints is a bit much for lunch.
A f****t is either 21 or 31 pints, depending on what you had for lunch today.
@El_Heffe said:
How do lumberjacks feel about f****ts?
Pretty much every single f****t in the world was once in the hands of a lumberjack.
-
@Lorne Kates said:
YHBT? I think El Heffe was asking how they feel about forests.
@El_Heffe said:
How do lumberjacks feel about f****ts?
Pretty much every single f****ts in the world was once in the hands of a lumberjack.
-
@locallunatic said:
The only reason I can think of to live in the deserts of New Mexico is because either you are terrified of plants or you hate them with a burning passion.
What if you like to watch cute chicks with sunglasses playing the slots?
Also it's hard to find a venue name that is cooler than Casino Apache.
-
@Ronald said:
Also it's hard to find a venue name that is cooler than Casino Apache.
How about Casino IIS?