The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,224 other subscribers

Archive for March 20th, 2018

One of those “duh” moments: “go –version” says there is no “go -version”, but there is “go version”

Posted by jpluimers on 2018/03/20

One of those “duh” moments: go --version says there is no go -version, but there is go version as shown below.

It is even at [WayBack] Print Go version right in the middle of this 30 page [WayBackgo – The Go Programming Language.

On the hunt for that, I found this very interesting link for when you have binaries built with go and need the version: [WayBack] How to find out which Go version built your binary | Dave Cheney.

$ go --version
flag provided but not defined: -version
Go is a tool for managing Go source code.
Usage:
        go command [arguments]
The commands are:
        build       compile packages and dependencies
        clean       remove object files and cached files
        doc         show documentation for package or symbol
        env         print Go environment information
        bug         start a bug report
        fix         update packages to use new APIs
        fmt         gofmt (reformat) package sources
        generate    generate Go files by processing source
        get         download and install packages and dependencies
        install     compile and install packages and dependencies
        list        list packages
        run         compile and run Go program
        test        test packages
        tool        run specified go tool
        version     print Go version
        vet         report likely mistakes in packages
Use "go help [command]" for more information about a command.
Additional help topics:
        c           calling between Go and C
        buildmode   build modes
        cache       build and test caching
        filetype    file types
        gopath      GOPATH environment variable
        environment environment variables
        importpath  import path syntax
        packages    package lists
        testflag    testing flags
        testfunc    testing functions
Use "go help [topic]" for more information about that topic.

 

–jeroen

Posted in Development, Software Development | Leave a Comment »

Update for DprojNormalizer | The Art of Delphi Programming

Posted by jpluimers on 2018/03/20

Important small [WayBack] Update for DprojNormalizer | The Art of Delphi Programming: it fixes usage of SanitizedProjectName in all other properties.

It is now at [WayBack] Version 2.2.1.

via: [WayBack] Small update for DprojNormalizer available – Uwe Raabe – Google+

–jeroen

 

Posted in Delphi, Development, Software Development | Leave a Comment »

In this day and age, people still write SQL injection vulnerable code

Posted by jpluimers on 2018/03/20

I keep being amazed that new generations of people keep writing SQL injection vulnerable code, so further below is a repeat of  [WayBack] xkcd: Exploits of a Mom on Little Bobby Tables named Robert '; Drop TABLE Students;--

Take this recent question on G+ for instance: [WayBack] Hi can you help to write correct Query for Filter 3 Data fields for Example Data1 , Data2 , Data2 txt1 = Data1 txt2= data2 txt3 = data3… – Jude De Silva – Google+ with this code fragment:

Tables:

Data1 , Data2 , Data2

Text control contents:

txt1 = Data1
txt2= data2
txt3 = data3

Examples when text property is filled:

ex1: Data1  and Data 3
ex2: Data 3 and Data2
ex3: Data 1, Data 2 Data 3

Code:

Qury.Close;
Query.Sql.Clear;
Qury.Sql.Add (Select * From Table1);
If Not (txt1.text = ' ')then
   Begin
   Qury.Sql.Add(Format ('Where Data1= ' '%s' ' ',[txt1] ));
  end;
If not (txt3.text = ' ') then
   Begin
   Qury.Sql.Add(Format ('and Data3= ' '%s' ' ',[txt1] ));
  end;

This example is wrong on so many levels, to lets explain a few:

  • use name Qury and Query for queries: are they actually two variables?
  • inconsistent keyword capitalisation for both used languages
  • incinsistent indenting and unindenting
  • mixed use of quotes for strings
  • use of space for blank fields
  • getting embedded quotes wrong

The basic solution for solving the actual problem asked is like this (assuming all user input are strings):

  • use
    • where 1=1 for a starting point for and based queries
    • where 1=0 for a starting point of or based queries
  • add a method AddAndClause or AddOrClause taking with parameters Query,  FieldName, ParameterName and ParameterValuethen when ParameterValue is not empty:
    • adds this to the SQL Text:
      • for and based queries:Format('and %s = :%s', [FieldName, ParameterName]);
      • for or based queries:Format('or %s = :%s', [FieldName, ParameterName]);
    • adds a parameter Query.ParamByName(ParameterName).AsString := ParameterValue

SQL Injection: Little Bobby Tables

Back in 2007, SQL Injection was already a very well known vulnerability (they date back to at least 1998), so Randall Munroe published [WayBack] xkcd: Exploits of a Mom on Little Bobby Tables named Robert '; Drop TABLE Students;--


School: “Hi, this is your son’s school. We’re having some computer trouble.”
Mom: “Oh, dear — Did he break something?”
School: “In a way. Did you really name your son Robert'); DROP TABLE Students;-- ?
Mom: “Oh. Yes. Little Bobby Tables we call him.”
School: “Well, we’ve lost this year’s student records. I hope you’re happy.”
Mom: “And I hope you’ve learned to sanitize your database inputs.”
(Alt-text: “Her daughter is named Help I’m trapped in a driver’s license factory.”)

It did not just get explained at [WayBack] 327: Exploits of a Mom – explain xkcd (Explain xkcd is a wiki dedicated to explaining the webcomic xkcd. Go figure.), Little Bobby Tables got his own page there: [WayBack] Little Bobby Tables – explain xkcd.

Like people continuing writing SQL injection vulnerable code, XKCD posted another SQL injection in [WayBack] 1253: Exoplanet Names – explain xkcd by using e'); DROP TABLE PLANETS;-- as name for Planet e of Star Gliese 667.

Preventing SQL Injection

A few years later, around 2009, Bobby Tables inspired [WayBack] bobby-tables.com: A guide to preventing SQL injection explaining:

  • what not to do “Don’t try to escape invalid characters. Don’t try to do it yourself.”
  • what do to: “Learn how to use parameterized statements. Always, every single time.”
bobby-tables.com

bobby-tables.com

It goes on with many examples of parameterised queries in many environments and language, for instance in the language used above: Delphi.

You can contribute new environments and languages as the site has source code at [WayBack] GitHub – petdance/bobby-tables: bobby-tables.com, the site for preventing SQL injections.

Finally, it points to a few more resources:

WayBack bobby-tables.com: A guide to preventing SQL injection in Delphi

Delphi

To use a prepared statement, do something like this:

query.SQL.Text := 'update people set name=:Name where id=:ID';
query.Prepare;
query.ParamByName( 'Name' ).AsString := name;
query.ParamByName( 'ID' ).AsInteger := id;
query.ExecSQL;

–jeroen

Read the rest of this entry »

Posted in Development, Software Development, SQL | Leave a Comment »

Switching from net-tools to iproute2 or not? You probably have no choice, but the iproute2 cheat-sheet is 20+ pages…

Posted by jpluimers on 2018/03/20

Last year I came across this semi-humorous post: [WayBack] Bwahahaha, now that they took your init and replaced it with systemd, they are coming after your ifconfig. Next thing is that they will come after your… – Kristian Köhntopp – Google+

Underneath is a bigger problem: net-tools had been dormant for a long time, which means a lot of people rely on the predictable behaviour – especially by parsing the output for post processing.

Those days are definitely over: net-tools is in more active maintenance now breaking scripts like crazing. So since the foundation of networking on most distributions is now iproute2, it’s better to learn iproute2.

That’s not easy though, so here is some background reading to do:

I got this little translation table from the last link:

program obsoleted by
arp ip neigh
ifconfig ip addr
ipmaddr ip maddr
iptunnel ip tunnel
route ip route
nameif ifrename
mii-tool ethtool

–jeroen

 

 

Posted in Uncategorized | Leave a Comment »

Ben, blogging: Show the complete apache config file

Posted by jpluimers on 2018/03/20

Quite a while back, I got attended to Ben, blogging: Show the complete apache config file:

If you really want to see all the complete config settings, there is no existing tool for that. This Stack Overflow page  answered this question pretty well: You can use apachectl -S to see the settings of Virtual Host, or apachectl -M to see the loaded modules, but to see all settings, there is no such tool, you will have to go through all the files , starting from familiar yourself with the  general structure of the httpd config files.
… script …

The usage is simple: Run it as python  CombineApacheConfig.py . Since there is no additional parameters given, it will retrieve the default Ubuntu apache config file from  /etc/apache2/apache2.conf and generate the result complete config file in /tmp/apache2.combined.conf. If your config file is in different location, then give the input file and output file location.

Note: Apache server-info page http://127.0.0.1/server-info also provide similar information, but not in the config file format. It is in human readable format. The page works only when it is open from the same computer.

Since I could not find how to post comments there, and it works better for me having a repo, I put it into a gist with attribution to hist post: https://gist.github.com/jpluimers/fd300f3a500cbc78cd862d2a248e7b03
I need to adapt it for OpenSuSE; until then run it as this:
python CombineApacheConfig.py /etc/apache2/httpd.conf /tmp/apache2.combined.conf

–jeroen

 


#!/usr/bin/python2.7
# CombineApacheConfig.py
__author__ = 'ben'
import sys, os, os.path, logging, fnmatch
def Help():
print("Usage: python CombineApacheConfig.py inputfile[default:/etc/apache2/apache2.conf] outputfile[default:/tmp/apache2.combined.conf")
def InputParameter():
if len(sys.argv) <> 3:
Help()
return "/etc/apache2/apache2.conf", "/tmp/apache2.combined.conf"
return sys.argv[1], sys.argv[2]
def ProcessMultipleFiles(InputFiles):
Content = ''
LocalFolder = os.path.dirname(InputFiles)
basenamePattern = os.path.basename(InputFiles)
for root, dirs, files in os.walk(LocalFolder):
for filename in fnmatch.filter(files, basenamePattern):
Content += ProcessInput(os.path.join(root, filename))
return Content
def RemoveExcessiveLinebreak(s):
Length = len(s)
s = s.replace(os.linesep + os.linesep + os.linesep, os.linesep + os.linesep)
NewLength = len(s)
if NewLength < Length:
s = RemoveExcessiveLinebreak(s)
return s
def ProcessInput(InputFile):
Content = ''
if logging.root.isEnabledFor(logging.DEBUG):
Content = '# Start of ' + InputFile + os.linesep
with open(InputFile, 'r') as infile:
for line in infile:
stripline = line.strip(' \t')
if stripline.startswith('#'):
continue
if stripline.lower().startswith('include'):
match = stripline.split()
if len(match) == 2:
IncludeFiles = match[1]
IncludeFiles = IncludeFiles.strip('"') #Inserted according to V's comment.
if not IncludeFiles.startswith('/'):
LocalFolder = os.path.dirname(InputFile)
IncludeFiles = os.path.join(LocalFolder, IncludeFiles)
Content += ProcessMultipleFiles(IncludeFiles) + os.linesep
else:
Content += line # if it is not pattern of 'include(optional) path', then continue.
else:
Content += line
Content = RemoveExcessiveLinebreak(Content)
if logging.root.isEnabledFor(logging.DEBUG):
Content += '# End of ' + InputFile + os.linesep + os.linesep
return Content
if __name__ == "__main__":
logging.basicConfig(level=logging.DEBUG, format='[%(asctime)s][%(levelname)s]:%(message)s')
InputFile, OutputFile = InputParameter()
try:
Content = ProcessInput(InputFile)
except Exception as e:
logging.error("Failed to process " + InputFile, exc_info=True)
exit(1)
try:
with open(OutputFile, 'w') as outfile:
outfile.write(Content)
except Exception as e:
logging.error("Failed to write to " + outfile, exc_info=True)
exit(1)
logging.info("Done writing " + OutputFile)

view raw

CombineApacheConfig.py

hosted with ❤ by GitHub

Posted in *nix, *nix-tools, Apache2, Development, Linux, openSuSE, Power User, Python, Scripting, Software Development, SuSE Linux | Leave a Comment »

 
%d bloggers like this: