Archive for the ‘Programming’ Category
So I’ve been looking at and using Python recently. I thought I’d share some of my thoughts for those who haven’t had a chance to play with the language yet. I’ll try to avoid a preachy OMG-I’ve-just-discovered-the-best-thing-ever post, or to simply write another Python tutorial. I’ll look at the good and bad points of the language.

I first looked at Python a month or two ago. The guys and girls over at programming.reddit.com push it as the language to end all languages, so I decided to grab a copy of the (free!) Dive Into Python book. I started putting together a smallish personal project, but with no external pressure it petered out. When a discussion came up at work (a PHP shop) on how to quickly write a reliable server daemon I pushed the idea of Python. It took a little convincing, but the results speak for themselves.
SQL injection is a well-trodden topic so I won’t go into too much detail.

For those who don’t know, the problem occurs when you fail to properly escape variables being placed into your strings. For example, the SQL statement "SELECT * FROM users WHERE name = '$name'" will not do what you intended if $name is set to ' or '1' = '1. The string will be expanded to produce SELECT * FROM users WHERE name = '' or '1' = '1'. This is obviously not what you wanted, since the WHERE clause is now true for every row, and it could lead to very bad results when coupled with DELETE or UPDATE queries.
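The expansion above, run against a small constructed SQLite table, with the interpolated query beside a parameterised one. This is an added example and not code from the original post; the table, its rows and the function names are assumptions.

```python
import sqlite3


def make_db():
    # Constructed sample data; not from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Same mistake as the post's "$name" example: the value is pasted
    # straight into the SQL text, so quotes in it rewrite the statement.
    sql = "SELECT * FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so a quote inside it stays part of the data being compared.
    sql = "SELECT * FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1' = '1"
    print(find_user_vulnerable(conn, payload))  # every row comes back
    print(find_user_safe(conn, payload))        # [] - no user has that name
```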
When protecting your server environment you’ll want to ensure that two things happen. Firstly, you’ll want to keep your scripts away from prying eyes and make sure that you don’t accept input that will break your code. Secondly, and most importantly, you want to stop anyone from executing their own code on your servers.
Today I’m going to start a three-part series looking at security issues affecting web developers. The specifics apply to PHP developers, but the general concepts carry across all technologies.
To most of you the term "rainbow table" is probably familiar. You are probably aware that they are used to aid the reversing of one-way hashes, usually when trying to crack a password. I personally think that they are a nifty little hack, and so I’d like to explain a little about how they are implemented.