Feed aggregator

CodeSOD: The Database Gazes Also Into You

The Daily WTF - Wed, 08/27/2014 - 12:15

When Simon asked us to consider this code from his predecessor's custom-built PHP CMS, we weren't terribly impressed:

$rs = new RecordSet("SELECT * FROM moduleData WHERE moduleID = '".$moduleID."' ORDER BY displayOrder ASC");

Since that code just selects a single record by its primary key, the only thing wrong with it is the redundant ORDER BY clause. But that wasn't all. Simon leaned forward across the table, his face made sinister by the single, flickering light bulb we make every would-be submitter sit under (TDWTF policy), and he whispered, "Wouldn't you like to know about the field in moduleData called SQLCode?"

We should have known better, Dear Reader. You would have known better. You would have known not to ask, not to take Simon's hand and follow him down the rickety, rusty spiral staircase into madness.

"SELECT * FROM ( SELECT * FROM ( SELECT 1 as active, modulePR.*, DATE_FORMAT(createDate, '%M %Y') as groupBy FROM modulePR WHERE ".is_published($moduleID, 'modulePR', SITE_ID)." AND archiveStatus ".(ARCHIVE_MODE ? " =1" : " <>1")." UNION SELECT 0 as active, modulePR_old.*, DATE_FORMAT(createDate, '%M %Y') as groupBy FROM modulePR_old WHERE ".is_published($moduleID, 'modulePR_old', SITE_ID)." AND archiveStatus ".(ARCHIVE_MODE ? " =1" : " <>1")." GROUP BY linkUID ORDER BY active DESC, lastEditedDate desc ) as pr1 GROUP BY linkUID ) as prSorted ORDER BY DATE_FORMAT(createDate,'%Y%m') DESC, itemTitle

Yes, that is a SQL string with PHP embedded in it, being stored in a database table. And, as Simon was quick to point out, that is_published() function returns even more SQL that makes up the first part of the WHERE clause. At this point, we'd learned our lesson. The lightbulb had flickered out while Simon described the monstrosity, and now his face was lost in shadow. He seemed to be chuckling to himself, quietly. He seemed to know, as we knew, that we were duty-bound to hear the fate of the SQL string. Praying it would just be fed to a simple eval() call, we kept recording—for you, Dear Reader. We did this for you...

while(!$rs->EOF()) {
    $moduleData['sql'] = !@eval("return ".$rs->field("SQLCode").";")
        ? !@eval("return \"".$rs->field("SQLCode")."\";")
            ? false
            : @eval("return \"".$rs->field("SQLCode")."\";")
        : @eval("return ".$rs->field("SQLCode").";");
    // ...snip a dozen or so more fields to build the $moduleData array,
    // several of which contain similar things to the above
    $rs2 = new RecordSet($moduleData['sql']);
    while(!$rs2->EOF()) {
        // ...
    }
    $rs->next();
}

Simon was laughing openly now, the atonal cackle of the truly lost. With the last of our sanity we heard him say, "The SQL/PHP blob from the DB is eval()ed to determine whether it's valid PHP code. In this example it isn't, so the eval fails, so it's eval()ed again with quotes around it to determine whether it's a valid PHP string-with-embedded-PHP-code. If either of these tests succeeds, the successful eval() is run one more time to get a value to put into the $moduleData[] array."

He went on, as though unable to stop, "If neither eval() works, or if they just return a falsey value like zero or the empty string, moduleData['sql'] gets set to false. False isn't a valid SQL string, so you'd think passing it into a new RecordSet without any further error checks might be a problem, but, no! The RecordSet class fails silently on SQL errors, and just sets EOF to true."

That's all we got out of Simon, who would do nothing further but mutter "GROUP BY with no aggregate" over and over. Weep for him, Dear Reader, for he has surely glimpsed an abyss. And shed a tear for yourself, for now you have, too.
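As an added example (not code from the article or from Simon's CMS), the eval cascade re-implemented as a function so its three outcomes can be run on constructed SQLCode values, beside a hardened replacement that stores a placeholder template instead of PHP and binds values as parameters. evalCascade(), renderStoredQuery(), the {{name}} placeholder syntax and the sample templates are assumptions; on PHP 7 and later eval() throws ParseError rather than returning false, which the re-implementation handles with try/catch.

```php
<?php
// Added example for this CodeSOD; not code from the article or Simon's CMS.
// evalCascade(), renderStoredQuery(), the {{name}} placeholder syntax and the
// sample templates are all assumptions made for this illustration.
define('SITE_ID', 3);          // constructed stand-ins for the CMS constants
define('ARCHIVE_MODE', false);

// The article's cascade: try the stored blob as a PHP expression, then as the
// body of a double-quoted string; keep the first truthy result, else false.
// On PHP 7+ eval() throws ParseError instead of returning false, so the same
// order is reproduced with try/catch rather than the original's @eval.
function evalCascade(string $blob)
{
    foreach (['return ' . $blob . ';', 'return "' . $blob . '";'] as $src) {
        try {
            $value = eval($src);
        } catch (ParseError $e) {
            $value = false;
        }
        if ($value) {          // any truthy result wins, as in the original
            return $value;
        }
    }
    return false;              // neither form produced a truthy value
}

// Constructed SQLCode rows, one per outcome the article describes.
foreach ([
    '"SELECT * FROM modulePR WHERE siteID = " . SITE_ID', // PHP: evaluated as code
    'SELECT * FROM modulePR_old',                         // plain SQL: taken as a string
    '0',                                                  // valid, but "0" is falsy
] as $blob) {
    var_dump(evalCascade($blob));
}

// Hardened replacement: rows hold a query TEMPLATE with named placeholders,
// never PHP. A placeholder is filled only from an allowlist of server-side
// values, and those values travel as bound parameters, so database content is
// neither evaluated as code nor concatenated into the SQL text.
const ALLOWED_PLACEHOLDERS = ['moduleID', 'siteID', 'archiveStatus'];
function renderStoredQuery(string $template, array $values): array
{
    $params = [];
    $sql = preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        function (array $m) use ($values, &$params): string {
            $name = $m[1];
            if (!in_array($name, ALLOWED_PLACEHOLDERS, true)
                || !array_key_exists($name, $values)) {
                throw new InvalidArgumentException("unknown placeholder: {$name}");
            }
            $params[] = $values[$name];
            return '?';        // positional marker for PDOStatement::execute()
        },
        $template
    );
    return [$sql, $params];
}

$template = 'SELECT * FROM modulePR WHERE moduleID = {{moduleID}} AND siteID = {{siteID}}'
          . ' AND archiveStatus = {{archiveStatus}} ORDER BY createDate DESC';
[$sql, $params] = renderStoredQuery($template, [
    'moduleID' => 42, 'siteID' => SITE_ID, 'archiveStatus' => ARCHIVE_MODE ? 1 : 0,
]);
var_dump($sql, $params);      // then: $pdo->prepare($sql)->execute($params);
```

A template naming a placeholder outside the allowlist (or one the caller did not supply) is rejected with an exception instead of being silently passed through, which replaces the RecordSet class's fail-silently behaviour the article describes.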

Categories: Fun/Other

HP Recalls 6 Million Power Cables Over Fire Hazard

Slashdot - Wed, 08/27/2014 - 11:07
Via the Consumerist comes news that HP is recalling power cables after about 30 reports that they were melting from regular use. From the article: Hewlett-Packard received 29 reports of the melting or charring power cords, two that included claims of minor burns and 13 claims of minor property damage. The black power cords were distributed with HP and Compaq notebook and mini notebook computers and with AC adapter-powered accessories such as docking stations and have an "LS-15" molded mark on the AC adapter. About 5.6 million power cords were sold in the United States, while 446,700 were sold in Canada from September 2010 to June 2012 at electronic stores and hp.com.

Read more of this story at Slashdot.

Categories: Tech/Science News

Brown Dwarf With Water Clouds Tentatively Detected Just 7 Light-Years From Earth

Slashdot - Wed, 08/27/2014 - 09:01
sciencehabit (1205606) writes Astronomers have found signs of water ice clouds on an object just 7.3 light-years from Earth — less than twice the distance of Alpha Centauri. If confirmed, the discovery is the first sighting of water clouds beyond our solar system. The clouds shroud a Jupiter-sized object known as a brown dwarf and should yield insight into the nature of cool giant planets orbiting other suns.

Read more of this story at Slashdot.

Categories: Tech/Science News

UK Prisons Ministry Fined For Lack of Encryption At Prisons

Slashdot - Wed, 08/27/2014 - 06:06
Bruce66423 (1678196) writes The Guardian reports that the UK Information Commissioner has levied a fine of £180,000 on the Ministry of Justice for their failure to encrypt data held on external hard drives at prisons. The fine is nominal — one part of government fining another is rather pointless, but it does show that there's a little bit of accountability. Of course it's interesting to consider the dangers of this hopefully old way of storing backups; but the question of whether we do a lot better now is quite pointed. To make matters worse, one of the unencrypted backup hard drives walked away.

Read more of this story at Slashdot.

Categories: Tech/Science News

Seagate Ships First 8 Terabyte Hard Drive

Slashdot - Wed, 08/27/2014 - 04:01
MojoKid (1002251) writes Seagate announced today that it has begun shipping the world's first 8 Terabyte hard drive. The 8TB hard drive comes only five months after Western Digital released the first ever 6TB HDD. Up until then, Seagate's high capacity HDDs had been shipping only to select enterprise clients. The 8TB HDD comes in the 3.5-inch form factor and, according to the manufacturer, features a SATA 6Gbps interface and multi-drive RV tolerance which makes it suitable for data centers. It's unclear what technology the drive is based on, or if PMR (Perpendicular Magnetic Recording) or low-resistance helium technology was employed.

Read more of this story at Slashdot.

Categories: Tech/Science News

Comcast Tells Government That Its Data Caps Aren't Actually "Data Caps"

Slashdot - Wed, 08/27/2014 - 02:08
mpicpp (3454017) writes with this excerpt from Ars Technica about Comcast's data caps that aren't data caps: Customers must pay more if they exceed limits — but it's not a cap, Comcast says. For the past couple of years, Comcast has been trying to convince journalists and the general public that it doesn't impose any "data caps" on its Internet service. ... That's despite the fact that Comcast in some cities enforces limits on the amount of data customers can use and issues financial penalties for using more than the allotment. Comcast has said this type of billing will probably roll out to its entire national footprint within five years, perhaps alongside a pricier option to buy unlimited data. ... Comcast's then-new approach was touted to "effectively offer unlimited usage of our services because customers will have the ability to buy as much data as they want."

Read more of this story at Slashdot.

Categories: Tech/Science News

Project Zero Exploits 'Unexploitable' Glibc Bug

Slashdot - Wed, 08/27/2014 - 01:29
NotInHere (3654617) writes with news that Google's Project Zero has been busy at work. A month ago they reported an off-by-one error in glibc that would overwrite a word on the heap with NUL and were met with skepticism at its ability to be used in an attack. Google's 'Project Zero' devised an exploit of the out-of-bounds NUL write in glibc to gain root access using the setuid binary pkexec in order to convince skeptical glibc developers. 44 days after being reported, the bug has been fixed. They even managed to defeat address space randomization on 32-bit platforms by tweaking ulimits. 64-bit systems should remain safe if they are using address space randomization.

Read more of this story at Slashdot.

Categories: Tech/Science News

Exomoon Detection Technique Could Greatly Expand Potential Habitable Systems

Slashdot - Wed, 08/27/2014 - 00:48
Luminary Crush (109477) writes Most of the detected exoplanets thus far have been gas giants which aren't great candidates for life as we know it. However, many of those planets are in fact in the star's habitable zone and could have moons with conditions more favorable. Until now, methods to detect the moons of such gas giants have been elusive, but researchers at the University of Texas, Arlington have discovered a way to detect the interaction of a moon's ionosphere with the parent gas giant from studies of Jupiter's moon Io. The search for 'Pandora' has begun.

Read more of this story at Slashdot.

Categories: Tech/Science News

Free Law Casebook Project Starts With IP Coursebook

Slashdot - Wed, 08/27/2014 - 00:08
An anonymous reader writes Duke Law School's James Boyle and Jennifer Jenkins just published a CC licensed, freely downloadable textbook called "Intellectual Property Law and the Information Society." (Which includes a discussion of whether and when the term "intellectual property" is a dangerous misnomer). The book is apparently part of an attempt to lower what the authors describe as the "obscene cost" of legal textbooks. "This is the first in a series of free digital/low cost print legal educational materials to be published by Duke's Center for the Study of the Public Domain—starting with statutory supplements aimed at the basic classes. The goal of this project... is to improve the pricing and access norms of the world of legal textbook publishing, while offering the flexibility and possibility for customization that unfettered digital access provides. We hope it will provide a pleasant, restorative, competitive pressure on the commercial publishers to lower their prices and improve their digital access norms." The book's "problems range from a video of the Napster oral argument to counseling clients about search engines and trademarks, applying the First Amendment to digital rights management and copyright or commenting on the Supreme Court's new rulings on gene patents... [The book] includes discussions of such issues as the Redskins trademark cancelations, the Google Books case and the America Invents Act."

Read more of this story at Slashdot.

Categories: Tech/Science News

Uber Has a Playbook For Sabotaging Lyft, Says Report

Slashdot - Tue, 08/26/2014 - 23:26
Nerval's Lobster (2598977) writes "The folks over at The Verge claim that 'Uber is arming teams of independent contractors with burner phones and credit cards as part of its sophisticated effort to undermine Lyft and other competitors.' Interviews and documents apparently show Uber reps ordering and canceling Lyft rides by the thousands, following a playbook with advice designed to prevent Lyft from flagging their accounts. 'Uber appears to be replicating its program across the country. One email obtained by The Verge links to an online form for requesting burner phones, credit cards, and driver kits — everything an Uber driver needs to get started, which recruiters often carry with them.' Is this an example of legal-but-hard-hitting business tactics, or is Uber overstepping its bounds? The so-called sharing economy seems just as cutthroat — if not more so — than any other industry out there."

Read more of this story at Slashdot.

Categories: Tech/Science News

The Grumpy Programmer has Advice for Young Computer Workers (Video)

Slashdot - Tue, 08/26/2014 - 22:45
Bob Pendleton calls his blog "The Grumpy Programmer" because he's both grumpy and a programmer. He's also over 60 years old and has been programming since he was in his teens. This pair of videos is a break from our recent spate of conference panels and corporate people. It's an old programmer sharing his career experiences with younger programmers so they (you?) can avoid making his mistakes and possibly avoid becoming as grumpy as he is -- which is kind of a joke, since Bob is not nearly as grumpy as he is light-hearted. (Transcript covers both videos. Alternate Video Link One; Alternate Video Link Two)

Read more of this story at Slashdot.

Categories: Tech/Science News

MediaGoblin 0.7.0 "Time Traveler's Delight" Released

Slashdot - Tue, 08/26/2014 - 22:01
paroneayea (642895) writes "The GNU MediaGoblin folks have put out another release of their free software media hosting platform, dubbed 0.7.0: Time Traveler's Delight. The new release moves closer to federation by including a new upload API based on the Pump API, a new theme labeled "Sandy 70s Speedboat", metadata features, bulk upload, a more responsive design, and many other fixes and improvements. This is the first release since the recent crowdfunding campaign run with the FSF which was used to bring on a full time developer to focus on federation, among other things."

Read more of this story at Slashdot.

Categories: Tech/Science News

How the Ancient Egyptians (Should Have) Built the Pyramids

Slashdot - Tue, 08/26/2014 - 21:20
KentuckyFC writes The Great Pyramid of Giza in Egypt is constructed from 2.4 million limestone blocks, most about 2.5 tonnes but some weighing in at up to 80 tonnes, mostly sourced from local limestone quarries. That raises a famous question. How did the ancient Egyptians move these huge blocks into place? There is no shortage of theories but now a team of physicists has come up with another that is remarkably simple--convert the square cross section of the blocks into dodecahedrons, making them easy to roll. The team has tested the idea on a 30 kg scaled block the shape of a square prism. They modified the square cross-section by strapping three wooden rods to each long face, creating a dodecahedral profile. Finally, they attached a rope to the top of the block and measured the force necessary to set it rolling. The team say a full-sized block could be modified with poles the size of ships' masts and that a work crew of around 50 men could move a block with a mass of 2.5 tonnes at the speed of 0.5 metres per second. The result suggests that this kind of block modification is a serious contender for the method the Egyptians actually used to construct the pyramids, say the researchers.

Read more of this story at Slashdot.

Categories: Tech/Science News

VMware Unveils Workplace Suite and NVIDIA Partnership For Chromebooks

Slashdot - Tue, 08/26/2014 - 20:38
Gamoid writes At VMworld today, VMware introduced the Workplace Suite, a platform for securely delivering applications and content across desktops and mobile devices from the cloud. The really cool part, though, is a partnership with Google and NVIDIA to deliver even graphics-intensive Windows applications on a Chromebook. From the article: "The new VMware Workplace Suite takes advantage of three existing VMware products: Tools for application, device, and content management as well as secure cloud file storage that comes from the January acquisition of enterprise mobile management company AirWatch; VMware Horizon for desktop-as-a-service; and brand-new acquisition CloudVolumes for app delivery. "

Read more of this story at Slashdot.

Categories: Tech/Science News

Climate Scientist Pioneer Talks About the Future of Geoengineering

Slashdot - Tue, 08/26/2014 - 19:56
First time accepted submitter merbs writes At the first major climate engineering conference, Stanford climatologist Ken Caldeira explains how and why we might come to live on a geoengineered planet, how the field is rapidly growing (and why that's dangerous), and what the odds are that humans will try to hijack the Earth's thermostat. From the article: "For years, Dr. Ken Caldeira's interest in planet hacking made him a curious outlier in his field. A highly respected atmospheric scientist, he also describes himself as a 'reluctant advocate' of researching solar geoengineering—that is, large-scale efforts to artificially manage the amount of sunlight entering the atmosphere, in order to cool off the globe."

Read more of this story at Slashdot.

Categories: Tech/Science News

California DMV Told Google Cars Still Need Steering Wheels

Slashdot - Tue, 08/26/2014 - 19:12
cartechboy writes Google showed us what it feels is the car of the future. It drives itself, it doesn't have a gas or brake pedal, and there's no steering wheel. But that last one might be an issue. Back in May California's Department of Motor Vehicles published safety guidelines aimed at manufacturers of self-driving vehicles. After seeing Google's self-driving car vision, the California DMV has told the company it needs to add all those things back to their traditional locations so that occupants can take "immediate physical control" of the vehicle if necessary. Don't for a second think this is a major setback for Google, as the prototypes unveiled weren't even close to production ready. While the DMV may loosen some of these restrictions in the future as we all become more comfortable with the idea of self-driving vehicles, there's no question when it comes down to the safety of those on the road.

Read more of this story at Slashdot.

Categories: Tech/Science News

TechCentral Scams Call Center Scammers

Slashdot - Tue, 08/26/2014 - 18:31
An anonymous reader writes "At TechCentral, we get on average called at least once a week — sometimes far more often — by a friendly sounding Indian national warning us that our Windows computer is infected with a virus. The call, which originates from a call centre, follows exactly the same script every time. Usually we shrug them off and put the phone down, but this week we thought we'd humour them to find out how they operate. As this week's call came in, the first thing the "operator" at the other end of the line tried to establish was who was owner of the Windows computer in the household. I'd taken the call. It was time to have some fun. I told the scammer that I was the PC owner. He proceeded to introduce himself as "John Connor." I laughed quietly as I imagined Arnold Schwarzenegger's Terminator hunting down this scamster in the streets of Calcutta. Perhaps he should have come up with a more convincing name."

Read more of this story at Slashdot.

Categories: Tech/Science News

IBM Gearing Up Mega Power 8 Servers For October Launch

Slashdot - Tue, 08/26/2014 - 17:49
darthcamaro (735685) writes "Now that IBM has sold off its x86 server business to Lenovo, it's full steam ahead for IBM's Power business. While Intel is ramping up its next generation of server silicon for a September launch, IBM has its next lineup of Power 8 servers set to be announced in October. "There is a larger than 4U, 2 socket system coming out," Doug Balog, General Manager of Power Systems within IBM's System and Technology Group said. Can IBM Power 8 actually take on x86? Or has that ship already sailed?" At last weekend's Linux Con in Chicago, IBM talked up the availability of the Power systems, and that they are working with several Linux vendors, including recently-added Ubuntu; watch for a video interview with Balog on how he's helping spend the billion dollars that IBM pledged last year on open source development.

Read more of this story at Slashdot.

Categories: Tech/Science News

A Horrifying Interactive Map of Global Internet Censorship

Slashdot - Tue, 08/26/2014 - 17:03
An anonymous reader writes "Imagine a world where the book burners had won. A world where information is filtered and must be approved by governments before it can be accessed by their citizens. A world where people are held down and kept in line by oppressive regimes that restrict the free flow of information and bombard citizens with government-approved messages. Now stop imagining, because this horrifying world already exists..."

Read more of this story at Slashdot.

Categories: Tech/Science News
