The Bug Charmer: Programming

Friday, January 11, 2019

Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading The Go Programming Language. On page 141 of the book, there are a couple of code examples that explain scoping rules and how variables are bound to anonymous functions. This short post is just me making sure I grok what's in the book, and sharing it in case it's helpful to anyone else.

Tuesday, March 26, 2013

Basics: Avoiding SQL Injection

SQL injection is a pretty big deal.  The attack is easy to carry out, the vulnerabilities are prevalent and the payoff is potentially large.  Many of the password breaches reported over the last year or two are known or thought to have been carried out via SQL injection. 

SQL injection attacks allow attackers to execute arbitrary queries or commands against a database. Developers introduce the vulnerabilities into their code when they concatenate or substitute user input into the elements of a SQL query. In the following Python example, the program accepts any input as the "user_id" variable (returned as part of login_data) and tacks it onto the end of a string that is subsequently executed as a SQL query:

# Deliberately vulnerable: user_id is substituted directly into the query text.
login_data = web.input()
query_string = "SELECT * FROM USERS WHERE ID = '%s'" % login_data.user_id
cursor.execute(query_string)
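To see the difference between the post's string substitution and a parameterized query, here is an added example (not from the original post) that runs both against a constructed in-memory SQLite table named USERS, using a normal ID and a constructed input containing quote characters; the table contents and inputs are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's USERS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (ID TEXT, NAME TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")])
    return conn


def lookup_vulnerable(conn, user_id):
    """The post's pattern: input substituted straight into the query text."""
    query_string = "SELECT * FROM USERS WHERE ID = '%s'" % user_id
    return conn.execute(query_string).fetchall()


def lookup_parameterized(conn, user_id):
    """Fix: the driver binds the value, so quotes in user_id stay data."""
    query_string = "SELECT * FROM USERS WHERE ID = ?"
    return conn.execute(query_string, (user_id,)).fetchall()


def demo():
    """Row counts for each lookup on a normal and a constructed hostile ID."""
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"  # constructed input for the demo, not from the post
    return {
        # substitution turns the WHERE clause into a tautology: every row leaks
        "vuln_normal": len(lookup_vulnerable(conn, normal)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        # the bound parameter is compared as a literal string: no match
        "param_normal": len(lookup_parameterized(conn, normal)),
        "param_hostile": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```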

Thursday, July 26, 2012

Building PyCrypto on Amazon EC2

I set up a new AMI Linux instance in the EC2 cloud today, primarily for playing around with Python and possibly building some small web apps. Shortly after firing up the instance, I tried to build and install PyCrypto and ran into some problems. It was a bit of an adventure. Here's how I got it working:

Monday, July 2, 2012

How to fail at cryptography

In my last post, I discussed the number 2^128 and explained why it's not possible to brute-force 2^128 possible keys. Does this mean that we can use a 128-bit cipher like AES with confidence? Not quite. Brute force against AES with 128-bit or larger keys is impossible with any non-quantum computer we will build for the foreseeable future, but that's only one avenue of attack. In practice, cryptosystems are broken in a variety of ways. Sometimes the algorithm is flawed. Other times the algorithm is sound but the implementation is bad.

This post attempts to explain, at a high level, some of the technical vulnerabilities that exist in real-world cryptosystems. I hope that it will help developers, IT and security people gain a basic understanding of the difficulties that exist and give them some ideas of what to look for in code reviews, testing, or product selection. I also hope to make clear why writing your own implementation is usually a bad idea. For more information, check out the book Cryptography Engineering and Matthew Green's blog. For a look at management/business failures, check out Ross Anderson's Why Cryptosystems Fail.
