Search Results

Search found 5998 results on 240 pages for 'rise against'.


  • Is reliance on parametrized queries the only way to protect against SQL injection?

    - by Chris Walton
    All I have seen on SQL injection attacks seems to suggest that parametrized queries, particularly ones in stored procedures, are the only way to protect against such attacks. While I was working (back in the Dark Ages) stored procedures were viewed as poor practice, mainly because they were seen as less maintainable; less testable; highly coupled; and locked a system into one vendor (this question covers some other reasons). Although when I was working, projects were virtually unaware of the possibility of such attacks, various rules were adopted to secure the database against corruption of various sorts. These rules can be summarised as:

      - No client/application had direct access to the database tables.
      - All accesses to all tables were through views (and all the updates to the base tables were done through triggers).
      - All data items had a domain specified.
      - No data item was permitted to be nullable - this had implications that had the DBAs grinding their teeth on occasion; but was enforced.
      - Roles and permissions were set up appropriately - for instance, a restricted role to give only views the right to change the data.

    So is a set of (enforced) rules such as this (though not necessarily this particular set) an appropriate alternative to parametrized queries in preventing SQL injection attacks? If not, why not? Can a database be secured against such attacks by database (only) specific measures?

    EDIT: Emphasis of the question changed slightly, in the light of the initial responses received. Base question unchanged.

    EDIT2: The approach of relying on parameterized queries seems to be only a peripheral step in defense against attacks on systems. It seems to me that more fundamental defenses are both desirable, and may render reliance on such queries not necessary, or less critical, even to defend specifically against injection attacks. The approach implicit in my question was based on "armouring" the database and I had no idea whether it was a viable option.

    Further research has suggested that there are such approaches. I have found the following sources that provide some pointers to this type of approach:

      - http://database-programmer.blogspot.com
      - http://thehelsinkideclaration.blogspot.com

    The principal features I have taken from these sources are:

      - An extensive data dictionary, combined with an extensive security data dictionary
      - Generation of triggers, queries and constraints from the data dictionary
      - Minimize code and maximize data

    While the answers I have had so far are very useful and point out difficulties arising from disregarding parameterized queries, ultimately they do not answer my original question(s) (now emphasised in bold).


  • Does this PHP function protect against SQL injection?

    - by George Edison
    I have this function I'm using and I want to be sure that it fully protects against SQL injection attacks:

        function MakeSafeForQuery($string) {
            // replace all of the quote
            // chars by their escape sequence
            $ret = str_replace("\\", "\\\\", $string);
            $ret = str_replace("'", "\\'", $ret);
            $ret = str_replace("\"", "\\\"", $ret);
            return $ret;
        }

    Am I missing anything serious?


  • Access: strange results with queries against MDB file

    - by Craig Johnston
    I am running the following SQL against an MDB file, a copy of which is located here: http://hotfile.com/dl/40641614/2353dfc/test.mdb.html (perfectly clean file, no macros or viruses)

        SELECT datediff("d", MAX(invoice.date), Now) AS Date_Diff,
               MAX(invoice.date) AS max_invoice_date,
               customer.number AS customer_number
        FROM invoice
        INNER JOIN customer ON invoice.customer_number = customer.number
        GROUP BY customer.number

    If the following was added:

        HAVING datediff("d", MAX(invoice.date), Now) > 365

    would this simply exclude rows with Date_Diff <= 365? What should be the effect of the HAVING clause here?


  • The right way to develop against the PayPal platform

    - by zshamrock
    What is the right/recommended way to develop against the PayPal platform?

      - Use the new PayPal SDK (https://www.x.com/developers/paypal/documentation-tools/paypal-sdk-index)
      - Use the legacy PayPal SDK (which is quite old right now)
      - Just send raw HTTPS requests following the NVP protocol (in the end they are just a REST-like API), and do not depend on any official API (just depend on the official NVP protocol description)

    Which one is considered the right way to go?


  • Django: How can I protect against concurrent modification of data base entries

    - by Ber
    Is there a way to protect against concurrent modifications of the same database entry by two or more users? It would be acceptable to show an error message to the user performing the second commit/save operation, but data should not be silently overwritten. I think locking the entry is not an option, as a user might use the "Back" button or simply close his browser, leaving the lock forever.


  • Commitment to Zend Framework - any arguments against?

    - by Pekka
    I am refurbishing a big CMS that I have been working on for quite a number of years now. The product itself is great, but some components, the Database and translation classes for example, need urgent replacing - partly self-made as far back as 2002, grown into a bit of a chaos over time, and might have trouble surviving a security audit. So, I've been looking closely at a number of frameworks (or, more exactly, component libraries, as I do not intend to change the basic structure of the CMS) and ended up liking Zend Framework the best. They offer a solid MVC model but don't force you into it, and they offer a lot of professional components that have obviously received a lot of attention (Did you know there are multiple plurals in Russian, and you can't translate them using a simple ($number == 0) or ($number > 1) switch? I didn't, but Zend_Translate can handle it. Just to illustrate the level of thoroughness the library seems to have been built with.) I am now literally at the point of no return, starting to replace key components of the system by the Zend-made ones. I'm not really having second thoughts - and I am surely not looking to incite a flame war - but before going onward, I would like to step back for a moment and look whether there is anything speaking against tying a big system closely to Zend Framework.

    What I like about Zend:

      - As far as I can see, very high quality code
      - Extremely well documented, at least regarding introductions to how things work (Haven't had to use detailed API documentation yet)
      - Backed by a company that has an interest in seeing the framework prosper
      - Well received in the community, has a considerable user base
      - Employs coding standards I like
      - Comes with a full set of unit tests
      - Feels to me like the right choice to make - or at least, one of the right choices - in terms of modern, professional PHP development.

    I have been thinking about encapsulating and abstracting ZF's functionality into my own classes to be able to switch frameworks more easily, but have come to the conclusion that this would not be a good idea because:

      - it would be an unnecessary level of abstraction
      - it could cost performance
      - the big advantage of using a framework - the existence of a developer base that is familiar with its components - would partly be cancelled out

    Therefore, the commitment to ZF would be a deep one. Thus my question: Is there anything substantial speaking against committing to the Zend Framework? Do you have insider knowledge of plans of Zend Inc. to go evil in 2011, and make it a closed source library? Is Zend Inc. run by vampires? Are there conceptual flaws in the code base you start to notice when you've transitioned all your projects to it? Is the appearance of quality code an illusion? Does the code look good, but run terribly slow on anything below my quad-core workstation?


  • MongoDB query against geospatial index with maxDistance fails from node.js client

    - by user1735497
    I want to query against a geospatial index in mongo-db (designed after this tutorial http://www.mongodb.org/display/DOCS/Geospatial+Indexing). So when I execute this from the shell everything works fine:

        db.sellingpoints.find({ location: { $near: [48.190120, 16.270895], $maxDistance: 7 / 111.2 } });

    but the same query from my nodejs application (using mongoskin or mongoose) won't return any results until I set the distance value to a very high number (5690):

        db.collection('sellingpoints')
            .find({ location: { $near: [lat, lng], $maxDistance: distance / 111.2 } })
            .limit(limit)
            .toArray(callback);

    Does anyone have any idea how to fix that?


  • visual c++ 2010 link against older runtime?

    - by Kugel
    Sorry if this has been asked. Just like I can select in a C# project that I want it to build for the .NET 2.0 runtime, is it possible for a native C++ project to be built against an older CRT, let's say the one from Visual Studio 2005? I would like this because I have an external SDK that was built with VS2005, but I'd like to use the newer IDE.


  • Why did you decide "against" using Erlang?

    - by Zubair
    Have you actually "tried" (means programmed in, not just read an article on it) Erlang and decided against it for a project? If so, why? Also, if you have opted to go back to your old language, or to use another functional language like F#, Haskell, Clojure, Scala, or something else then this counts too, and state why.


  • MySQL MATCH AGAINST functionality....

    - by Webnet
    Currently I have the following query...

        SELECT id, LOWER(title) AS title, LOWER(sub_title) AS sub_title
        FROM ebay_archive_listing
        WHERE MATCH(title, sub_title) AGAINST ("key" IN BOOLEAN MODE)

    However it is not finding rows where the title contains the word "key". "key" is generated dynamically based on a set of keywords, so sometimes it contains + and - symbols.


  • MySQL function to compare values in a db table against the previous

    - by Stuart
    I am quite new to functions in SQL and I would like to create a function to compare values in a MySQL table against previous ones, and I am not sure how to do this. For example (iId is the input value):

        DECLARE pVal INT(20);
        DECLARE val INT(20);
        SELECT price INTO pVal FROM products WHERE Id = iId;
        SELECT price FROM products;
        IF price = pVal THEN
            SET val = price;
        END IF;

    Thanks


  • Authenticating against a web-service.

    - by Sash
    Did anyone try using a web service for authentication and at the same time use the web service as a provider model pattern? Basically, I want to use the provider model with authentication against a data source via a web service!!! Thanks, Sashidhar Kokku


  • Unserialize data and check it against an id in MySQL

    - by kylex
    I have a row of IDs in a database that has been serialized. What I'm trying to do is check those serialized IDs against a known ID to see if it should be excluded or not. For example:

        "SELECT * FROM mydb WHERE id = 4 AND checkID != 'an id in the serialized column' "

    What's the best way to go about this?


  • Checking array of censored words against user submitted content

    - by steve-o
    Hello, I have set up an array of censored words and I want to check that a user submitted comment doesn't contain any of these words. What is the most efficient way of doing this? All I've come up with so far is splitting the string into an array of words and checking it against the array of censored words, but I've a feeling there's a neater way of doing this.


  • Programmatically determining which node in an XML document caused validation against its XML Schema t

    - by jd1212
    My input is a well-formed XML document and a corresponding XML Schema document. What I would like to do is determine the location within the XML document that causes it to fail validation against the XML Schema document. I could not figure out how to do this using the standard validation approach in Java:

        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = schemaFactory.newSchema(... /* the .xsd source */);
        Validator validator = schema.newValidator();
        DocumentBuilderFactory ...
        DocumentBuilder ...
        Document document = DocumentBuilder.parse(... /* the .xml source */);
        try {
            validator.validate(new DOMSource(document));
            ...
        } catch (SAXParseException e) {
            ...
        }

    I have toyed with the idea of getting at least the line and column number from SAXParseException, but they're always set to -1, -1 on validation error.


  • Problem using SQLDMO/Vb6 against SQL2008

    - by E.J. Brennan
    I have a client that uses SQLDMO for a portion of a custom application that was written against SQL 2000, and they recently upgraded to SQL 2008. The majority of the app still runs fine (doesn't use SQLDMO), but the admin functions which rely on SQLDMO stopped working. I installed the SQL 2005 backward compatibility pack, and now SQLDMO partially works, i.e. I can run "select" type queries, but any "update" queries fail with the error message:

        to connect to the server you must use SQL Server management studio or sql server management objects (SMO)

    Any thoughts? Should the backward compatibility pack give me ALL the functionality back, or is this a known issue? BTW: I realize SQLDMO has been deprecated and will go away next release; nonetheless I need to do what I can to solve the problem at hand.


  • Strange error occurring when using wcf to run query against sql server

    - by vondip
    Hi all, I am building an asp.net application, using IIS 6 on Windows Server 2003 (VPS hosting). I am confronted with an error I didn't receive on my development machine (Windows 7, IIS 7.5, 64 bit). When my WCF service tries launching my query running against a local SQL Server, this is the error I receive:

        Memory gates checking failed because the free memory (43732992 bytes) is less than 5% of total memory. As a result, the service will not be available for incoming requests. To resolve this, either reduce the load on the machine or adjust the value of minFreeMemoryPercentageToActivateService on the serviceHostingEnvironment config element.

    Any ideas??


  • Metalanguage like BNF or XML-Schema to validate a tree-instance against a tree-model

    - by Stefan
    Hi! I'm implementing a new machine learning algorithm in Java that extracts a prototype data structure from a set of structured datasets (tree structure). As I'm developing a generic library for that purpose, I kept my design independent from concrete data representations like XML. My problem now is that I need a way to define a data model, which is basically a ruleset describing valid trees, against which a set of trees is being matched. I thought of using BNF or a similar dialect. Basically I need a way to iterate through the space of all valid TreeNodes defined by the ModelTree (like a search through the search space for algorithms like A*) so that I can compare my set of concrete trees with the model. I know that I'll have to deal with infinite spaces there but first things first. I know, it's rather tricky (and my sentences are pretty bumpy) but I would appreciate any clues. Thanks in advance, Stefan


  • Protecting against transaction concurrency (Transaction type; Transaction IsolationLevel)

    - by Vytas999
    A middle-tier component will execute the data access routines in the application. The component will call several SQL Server stored procedures to perform database updates. All of these procedure calls run under the control of a single transaction. The code for the middle tier will implement the following objects:

        SqlCommand comm = connection.CreateCommand();
        SqlTransaction trans;

    How must I add code to the component to specify the highest possible level of protection against such errors (two users try to update the same data concurrently)?

