ii_log | Announcement from my owner (grantc): #ingres planetingres | 01:49 |
---|---|---|
Vroomfondle | hrm | 02:06 |
Vroomfondle | has the Ingres driver always done prepared statements / placeholders, or is that a new thing? | 02:07 |
Vroomfondle | we're not using them, and I'd always assumed that that was because the driver didn't have that functionality, but I notice they seem to be in use in the demo code on the wiki | 02:07 |
grantc | placeholders have been around for some time, 2-3+ years | 02:09 |
grantc | prepare/execute is newer but uses ? as well | 02:10 |
grantc | assuming we are talking about PHP here... | 02:10 |
Vroomfondle | yeah | 02:10 |
grantc | with ingres 9.1.x and newer the driver will fetch the column types from the server so it will match the PHP types with the Ingres types... | 02:11 |
Vroomfondle | we're still on 2.6 | 02:11 |
grantc | ok then you might need to pass an additional parameter that describes the types | 02:11 |
grantc | http://es.php.net/ingres_query - see the types section | 02:12 |
grantc | and example #3 | 02:12 |
Vroomfondle | k | 02:14 |
* Vroomfondle tries to think of a way of explaining the benefits of this approach to a manager who doesn't seem to be able to get his head around the concept of injection attacks etc. | 02:15 |
pboro | it also helps in performance (in certain situations) | 02:16 |
grantc | google ilia php security | 02:16 |
Vroomfondle | (he's the lead developer for the web system so I'll need to get him to agree to any change) | 02:16 |
ii_log | http://ilia.ws/files/phptek2007_secpitfalls.pdf | 02:16 |
grantc | in fact all the presentations on http://ilia.ws are worth a read | 02:16 |
grantc | he has perf as well as security | 02:17 |
Vroomfondle | I shall forward that, thanks | 02:17 |
grantc | re-performance not sure there will be much if any performance improvement unless you move to a newer Ingres release | 02:17 |
grantc | prepared statements are not cached like repeated | 02:18 |
pboro | are repeated cached always or only when cache_dynamic is enabled? | 02:21 |
grantc | only with cache_dynamic | 02:22 |
grantc | which can be switched on in the session or at the server level i believe (not having used the feature myself) | 02:22 |
pboro | ok, so not that in 2.6 either | 02:22 |
pboro | I tried it a couple of months ago, it was pretty buggy :/ | 02:23 |
pboro | iirc Alex told me that they are aware of the problems and are trying to get it fixed | 02:23 |
grantc | withdefault could tell us more since he was one of the drivers for the feature | 02:24 |
pboro | which reminds me that I should try the latest 9.2 SPARC patch on my testbed | 02:29 |
pboro | damn... I thought I could create a "bugs fixed in patch x since patch y" web page automatically, but readmes in ESD require logins | 02:47 |
* Vroomfondle fires off a couple of politely-worded emails about security practices and placeholders, and prepares for a bit of a fight | 02:56 |
pboro | it's sad you have to fight to get things done right | 02:57 |
grantc | perhaps your bosses should google for sql injection | 02:57 |
grantc | @google sql injection | 02:57 |
ii_log | grantc: SQL injection - Wikipedia, the free encyclopedia: <http://en.wikipedia.org/wiki/SQL_injection>; SQL Injection Attacks by Example: <http://unixwiz.net/techtips/sql-injection.html>; SecuriTeam - SQL Injection Walkthrough: <http://www.securiteam.com/securityreviews/5DP0N1P76E.html>; YouTube - SQL Injection: <http://www.youtube.com/watch?v=MJNJjh4jORY>; SQL Injection: <http://msdn.microsoft.com/en- (1 more message) | 02:57 |
grantc | or the xkcd strip | 02:58 |
grantc | google bobby drop table | 02:58 |
ii_log | http://xkcd.com/327/ | 02:58 |
Vroomfondle | grantc: I have that pinned to my shelf | 02:59 |
Vroomfondle | my boss doesn't get it | 02:59 |
grantc | since ingres does not handle batch statements (at the moment) - statement 1; update pay set pay=.... won't work | 02:59 |
grantc | but adding clauses to the SQL will | 03:00 |
Vroomfondle | yeah | 03:00 |
Vroomfondle | and we're also bringing MSSQL and Oracle into the mix, so the Ingres driver isn't always the one that's being used | 03:00 |
grantc | from what i can gather SQL injection is the main attack vector for hacking websites | 03:02 |
Vroomfondle | thus far I've been using my own custom sanitation procedure (it's basically just a str_replace which wipes out any risky characters), and I've tried to encourage others to use it but that doesn't seem to have worked | 03:02 |
Vroomfondle | so I think I'm gonna just try to bring out the big guns | 03:02 |
grantc | pboro, re your blog post I have emailed one of the L2 engineers to see what the possibilities are | 04:53 |
pboro | oh, thanks :) | 04:53 |
pboro | it would make my life a bit easier (and hopefully a few others' too) | 04:54 |
grantc | I believe the bugs for a patch are selected in order for example: | 04:55 |
grantc | select bug_no from .... where patch_no = x | 04:55 |
grantc | and probably contain an order by to sort them... | 04:56 |
pboro | it would actually be pretty cool if the listing contained rows telling each release of a patch, but I guess that's asking too much | 04:56 |
pboro | I mean, the listing would be in chronological order + additional rows included for released patch numbers, then it would be really easy to start reading from right spot :) | 04:57 |
pboro | example: Bug 4343\nBug 5454\nPatch 13129 released\nBug 453\nBug 1294\nPatch 13159 released\n... :) | 04:58 |
grantc | I can only ask :) | 04:58 |
grantc | something more along the lines of a CHANGELOG | 04:58 |
pboro | I am not aware though if there's always a new patch number if a new fix is added | 04:58 |
pboro | yeah | 04:58 |
grantc | i don't believe that final patches (since they go through iterations) can have a new fix added later on. A new fix = new patch | 04:59 |
pboro | ok | 04:59 |
pboro | hmm yeah, makes sense | 04:59 |
pboro | interesting stuff: http://www.slideshare.net/rawwell/dropacidpycon2009 | 05:21 |
grantc | this is part of this noSQL movement | 05:24 |
grantc | ? | 05:24 |
pboro | hmm no I don't think so, at least not that I knew of | 05:25 |
grantc | there is a movement that is saying that relational is dead for large sets of data | 05:25 |
grantc | couchdb/bigtable etc are better for managing documents | 05:26 |
grantc | so the theory goes | 05:26 |
grantc | google noSQL | 05:26 |
ii_log | http://www.strozzi.it/cgi-bin/CSA/tw7/I/en_US/NoSQL | 05:26 |
pboro | yeah I have read about it | 05:26 |
pboro | this guy is simply comparing different options | 05:26 |
pboro | or... giving a short list of ideas what else there is | 05:27 |
grantc | fair enough, i just skimmed the presentation | 05:27 |
pboro | Ahh, weekend. Bye guys! :) -> | 05:35 |
atrofast | Have a good weekend pboro | 05:36 |
grantc | cya | 05:38 |
*** zxiiro has quit IRC | 05:55 |
*** zxiiro has joined #ingres | 05:55 |
*** zxiiro has quit IRC | 06:05 |
*** zxiiro has joined #ingres | 06:06 |
*** mull has joined #ingres | 06:47 |
*** Deyan has joined #ingres | 06:51 |
Deyan | hello | 06:51 |
grantc | lo | 07:09 |
*** zxiiro has quit IRC | 07:49 |
*** zxiiro has joined #ingres | 07:49 |
*** zxiiro has quit IRC | 08:17 |
*** zxiiro has joined #ingres | 08:18 |
*** thiagomz has quit IRC | 08:23 |
*** DarylM has joined #ingres | 08:33 |
*** Alex|off is now known as Alex| | 08:56 |
*** grantc has quit IRC | 09:31 |
*** rossand has joined #ingres | 09:50 |
*** ChanServ sets mode: +o rossand | 09:50 |
*** rossand has quit IRC | 09:50 |
*** rossand has joined #ingres | 11:30 |
*** ChanServ sets mode: +o rossand | 11:30 |
*** DerMeister has joined #ingres | 12:51 |
*** Alex| is now known as Alex|off | 13:09 |
*** mull has quit IRC | 13:20 |
*** DerMeister has quit IRC | 14:44 |
*** DarylM has quit IRC | 15:43 |
*** rossand has quit IRC | 17:54 |
*** rossand has joined #ingres | 19:49 |
*** ChanServ sets mode: +o rossand | 19:49 |
*** rossand has quit IRC | 19:49 |
*** zxiiro has quit IRC | 21:05 |
*** Alex|off is now known as Alex| | 23:56 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!