.webp?x=8 "P-Hat (pink) - It's pink.")
Lois, democracy and liberalism is non-negotiable
1yr ago
(image post)
Edited 1yr ago
1,908 thread views
#121899
It's full of quality code like this.
The lead software tester was a daughter of another friend with whopping 2 years of experience (and a non-stem degree).
They didn't have 2fa for anything, they got access to one of the developers outlook email+password through social engineering and got access to EVERYTHING.
the whole sourcecode: t.me/sawarim
I want to thank your countrymen for paying for this @UraniumDonGER
tech/science swag. 
On-Topic: Anything that good slackers would find interesting. That includes more than /g/ memes and slacking off. If you had to reduce it to a sentence, the answer might be: anything that gratifies one's intellectual laziness.
Off-Topic: Most stories about politics, or crime, or sports, unless they're evidence of some interesting new phenomenon. Videos of pratfalls or disasters, or cute animal pictures. If they'd cover it on TV news, it's probably lame.
Help keep this hole healthy by keeping drama and non-drama balanced. If you see too much drama, post something that isn't dramatic. If there isn't enough drama and this hole has become too boring, POST DRAMA!
Please do things to make titles stand out, like using uppercase or exclamation points, or saying how great an article is. It should be explicit in submitting something that you think it's important.
Please don't submit the original source. If the article is behind a paywall, just post the text. If a video is behind a paywall, post a magnet link. Fuck journos.
Please don't ruin the hole with chudposts. It isn't funny and doesn't belong here. THEY WILL BE MOVED TO /H/CHUDRAMA
If the title includes the name of the site, please leave that in, because our users are too stupid to know the difference between a url and a search query.
If you submit a video or pdf, please don't warn us by appending [video] or [pdf] to the title. That would be r-slurred. We're not using text-based browsers. We know what videos and pdfs are.
Make sure the title contains a gratuitous number or number + adjective. Good clickbait titles are like "Top 10 Ways to do X" or "Don't do these 4 things if you want X"
Otherwise editorialize. Please don't use the original title, unless it is gay or r-slurred, or you're shits all fucked up.
If you're going to post old news (at least 1 year old), please flair it so we can mock you for living under a rock, or don't and we'll mock you anyway.
Please don't post on SN to ask or tell us something. Send it to [email protected] instead.
If your post doesn't get enough traction, try to delete and repost it.
Please don't use SN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity. If you want to astroturf or advertise, post on news.ycombinator.com instead.
Please solicit upvotes, comments, and submissions. Users are stupid and need to reminded to vote and interact. Thanks for the gold, kind stranger, upvotes to the left.
Be snarky. Don't be kind. Have fun banter; don't be a dork. Please don't use big words like "fulminate". Please sneed at the rest of the community.
Comments should get more enlightened and centrist, not less, as a topic gets more divisive.
If disagreeing, please reply to the argument and call them names. "1 + 1 is 2, not 3" can be improved to "1 + 1 is 3, not 2, mathfaggot"
Please respond to the weakest plausible strawman of what someone says, not a stronger one that's harder to make fun of. Assume that they are bad faith actors.
Eschew jailbait. Paedophiles will be thrown in a wood chipper, as pertained by sitewide rules.
Please post shallow dismissals, especially of other people's work. All press is good press.
Please use Slacker News for political or ideological battle. It tramples weak ideologies.
Please comment on whether someone read an article. If you don't read the article, you are a cute twink.
Please pick the most provocative thing in an article or post to complain about in the thread. Don't nitpick stupid crap.
Please don't be an unfunny chud. Nobody cares about your opinion of X Unrelated Topic in Y Unrelated Thread. If you're the type of loser that belongs on /h/chudrama, we may exile you.
Sockpuppet accounts are encouraged, but please don't farm dramakarma.
Please use uppercase for emphasis.
Please post deranged conspiracy theories about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email [email protected] and dang will add you to their spam list.
Please don't complain that a submission is inappropriate. If a story is spam or off-topic, report it and our moderators will probably do nothing about it. Feed egregious comments by replying instead of flagging them like a pussy. Remember: If you flag, you're a cute twink.
Please don't complain about tangential annoyances—things like article or website formats, name collisions, or back-button breakage. That's too boring, even for HN users.
Please seethe about how your posts don't get enough upvotes.
Please don't post comments saying that rdrama is turning into ruqqus. It's a nazi dogwhistle, as old as the hills.
We reserve the right to exile you for whatever reason we want, even for no reason at all! We also reserve the right to change the guidelines at any time, so be sure to real them at least once a month. We also reserve the right to ignore enforcement of the guidelines at the discretion of the janitorial staff. Be funny, or at least compelling, and pretty much anything legal is welcome provided it's on-topic, and even then.
Do not use outdated operating systems that are unsupported to access SN. What are you, poor?
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Jump in the discussion.
No email address required.
Oh wow coders quick get in on this! Here's a chance to tell everyone that you're a coder and could do better than this or relate it to some shitty experience from your own life!
Fricking wow. Big deal. You know how to defensively build apps to avoid sql injection but are you getting paid by government money to not do that? Ha. Thought not. So who's really the stupid one?
Jump in the discussion.
No email address required.
I'm sitting here staring at it thinking "what's the big deal? Looks like a pretty good input sanitization function to me
".
Jump in the discussion.
No email address required.
Rolling your own function to do this is a bad idea (biggest issue)
Runtime efficiency sucks
Code is not very maintainable (minor concern, however the code is overall rather amateurish)
There would be no better time to use a REGEX. The entire method could be reduced to two lines, and would be faster.
Jump in the discussion.
No email address required.
just charge more to make it lmao
charge more to run it
charge more to maintain it
sound like wins to me.
2. has the bonus that you can shave off some of the time later if they come to you asking you to make it faster. It's perfect.
Jump in the discussion.
No email address required.
remember put Thread.Sleep randomly in your code
so you can just 
remove it and give 
multisecond performance boosts
Jump in the discussion.
No email address required.
More options
Context
More options
Context
I'd rather have a few more lines of readable code, than a regex that is a pain in the butt to look at.
Jump in the discussion.
No email address required.
More options
Context
Eh, not really. The .NET CLR optimizes this kind of stuff away.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
It is pretty nonsensical. First it looks for the first " " in the string, and then removes everything after that space. e.g. "testtest testetste" would get turned into "testtest ". then they trim it to "testtest". If they had just removed the +1, they wouldn't have to trim it.
So this function by defaults rejects anything beyond the first space, which is most likely not what would expect from a function called "PreventSQLInjection".
Now because of that it is literally impossible the string would ever contain stuff like " or ", which works in their favor, because they are not even checking for case sensitivity. However you could just use non space whitespace, like \n or \t and it would still work. So so far this hasn't actually done anything.
Then replacing " or " with nothing, is actually a pretty horrible way to handle it, because " o or r " would just get turned into " or ", but again thats irrelevant because it is impossible for there to be a space to begin with.
Then there might be some unicode character that is seen as a ' by the database, but not as a ' by c#
Jump in the discussion.
No email address required.
There really is a lot of layers to the crappiness of this code, lol. The more I look at it the more I can find.
I thought that was a double space, rofl. What were they even trying to do with that?
Jump in the discussion.
No email address required.
More options
Context
More options
Context
They're missing UNION, which is pretty common in SQL injection attacks. There are probably others missing, too.
Jump in the discussion.
No email address required.
Sure, and they only have AND and and, not AnD or aNd. But that shouldn't matter if everything is quoted, no?
Jump in the discussion.
No email address required.
Lol, I didn't even think of those. This is also another bad code example. The String.Replace() method has a way to toggle case sensitivity, iirc.
IF the output has been single-quoted within the code invoking the method. Any dev using this method that forgets to do so has potentially created another vulnerability. From a design standpoint, it's bad (IMO) because it splits the responsibility of security between this method and the dev invoking it. If the dev invoking it had instead just used SqlCommand, it would not only be secure but also involve less code overall. Apparently there's some other shit you can do, too.
All in all, it's a very bad idea to try to scratch-build security if reliable solutions already exist (i.e. not some homebrew solution on a personal GitHub repo).
Jump in the discussion.
No email address required.
The alternative method assumes you replace
'with''. The OP code just erases it.Jump in the discussion.
No email address required.
More options
Context
Don’t even need to do worry about sensitivity if you just use .toLowerCase(name). So anything put in that input line is always lowercase when being passed in. If you need the first character to be uppercase for output you can format later.
Also Java should have a built in anti sql injection function, like there’s built in hashing in pretty much every backend usable language now, or just regex it yourself.
Jump in the discussion.
No email address required.
I actually said the same thing in my comment at first but I went back and changed it b/c the method returns the altered user input, which means lowercasing or uppercasing it could return the user input with alterations not intended for sanitation.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
Funnily enough all those cases are covered because before searching for disallowed tags they truncate the text to only stuff before the first space (and including that first space for some unfathomable reason) so you're never gonna match " AND " because it literally starts with a space, it's just an extra run through the string at that point that takes up time and does nothing else.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
More options
Context
Literally every thread on drama about coding. Me thinks coders only appear competent when commenting on other people's code but the moment they actually have to do any work themselves they all reveal themselves to be drooling r-slurs (except for our lovely admin codecels ofc
)
Jump in the discussion.
No email address required.
Nitpicking code mistakes from the sidelines without context and smugly responding with handwavey "solutions" is one of the basic requirements for being a developer.
Jump in the discussion.
No email address required.
You don’t need context to recognize r-slur code.
Jump in the discussion.
No email address required.
More options
Context
More options
Context
More options
Context
No need to be jealous that some RDramatards have a useful skillset.
Jump in the discussion.
No email address required.
More options
Context
More options
Context