• 0 Posts
  • 20 Comments
Joined 1 year ago
Cake day: June 15th, 2023

  • SQL, where injection is still in the top 10 security risks

    This is absolutely true, but it’s not what it looks like on the surface, and if you dig into the OWASP entry for this, you’ll see they talk about mitigation.

    You can completely eliminate the possibility of injection attacks using well-understood technologies such as bind variables, which an ORM will usually use under the covers but which you can also use with your own queries. There are many, many database applications that have never once had a SQL injection vulnerability and never will.

    The reason SQL injection is a widespread security risk, to be blunt, is that there are astonishingly large numbers of inexperienced and/or low-skill developers out there who haven’t learned how to use the tools at their disposal. The techniques for avoiding injection vulnerability are simple and have been well-documented for literally decades but they can’t help if a lousy dev decides to ignore them.

    Now, a case could be made that it’d be better if instead, we were using a query language (maybe even a variant of SQL) that made injection attacks impossible. I agree in principle, but (a) I think this ends up being a lot harder than it looks if you want to maintain the same expressive power and flexibility SQL has, (b) given that SQL exists, “get bad devs to stop using SQL” doesn’t seem any more likely to succeed than “get bad devs to use bind variables,” and (c) I have too much faith in the ability of devs to introduce security vulnerabilities against all odds.
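The comment above contrasts string-built queries with bind variables. The following is an added example, not code from the commenter or from any project discussed in the thread, showing both forms side by side against a constructed in-memory SQLite table (the `users` rows, the function names and the lookup strings are all invented for the demonstration). The point it makes is the one in the comment: with a bind variable the SQL text is fixed, so whatever the caller supplies is compared as data, while the concatenated form lets quote characters in the input change the shape of the statement.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original thread.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the caller's string is spliced into the SQL text,
    so a quote character in it terminates the literal and the rest of the
    string becomes part of the statement."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_bound(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the value is passed as a bind variable. The SQL text
    never changes; the driver hands the string to the engine as a value,
    so it is only ever compared against the name column."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal name and on a string containing a quote,
    and return the four result sets so the difference can be inspected."""
    conn = make_db()
    # Hypothetical hostile input: a quote followed by an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "normal_concat": find_user_concatenated(conn, "alice"),
        "normal_bound": find_user_bound(conn, "alice"),
        "hostile_concat": find_user_concatenated(conn, hostile),
        "hostile_bound": find_user_bound(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

For the ordinary name both functions return the single matching row. For the quoted string the concatenated query returns every row in the table, because the input has rewritten the WHERE clause, while the bound query returns nothing, because no user is literally named `x' OR '1'='1`. The placeholder syntax differs between drivers (`?` for sqlite3, `%s` for psycopg2, named parameters elsewhere), but the mechanism is the same one an ORM uses underneath.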


  • it would be great to “just” have a DB with a binary protocol that makes it unnecessary to write an ORM.

    Other people have talked about other parts of the post so I want to focus on this one.

    The problem an ORM solves is not a problem of SQL being textual. Just switching to a binary representation will have little or no impact on the need for an ORM. The ORM is solving the problem that’s in its name: bridging the conceptual gap between an object-oriented data model and a relational data model. “A relational data model” isn’t about how queries are represented in a wire protocol; instead, it is about how data, and relationships between pieces of data, are organized.

    So, okay, what if you get rid of the relational data model and make your database store objects directly? You can! NoSQL databases had a surge in popularity not too long ago, and before that, there have been lots of object databases.

    What you’re likely to discover in an application of any real complexity, though, and the reason the industry has cooled somewhat on NoSQL databases after the initial hype cycle, is that the relational model turns out to be popular for a reason: it is extremely useful, and some of its useful properties are awkward to express in terms of operations on objects. True, you can ditch the ORM, but often you end up introducing complex queries to do things that are simple in SQL and the net result is more complex and harder to maintain than when you started. (Note “often” here; sometimes non-relational databases are the best tool for the job.)

    And even in an object database, you still have to know what you’re doing! Storing objects instead of relational tuples won’t magically cause all your previously-slow queries to become lightning-fast. You will still need to think about data access patterns and indexes and caching and the rest. If the problem you’re trying to solve is “my queries are inefficient,” fixing the queries is a much better first step than ditching the entire database and starting over.

  • I think this is a more subtle question than it appears on the surface, especially if you don’t think of it as a one-off.

    Whether or not Scientology deserves to be called a “religion,” it’s a safe bet there will be new religions with varying levels of legitimacy popping up in the future. And chances are some of them will have core beliefs that are related to the technology of the day, because it would be weird if that weren’t the case. “Swords” and “plowshares” are technological artifacts, after all.

    Leaving aside the specific case of Scientology, the question becomes, how do laws that apply to classes of technology interact with laws that treat religious practices as highly protected activities? We’ve seen this kind of question come up in the context of otherwise illegal drugs that are used in traditional rituals. But religious-tech questions seem like they could have a bunch of unique wrinkles.


  • The “developed or supplied outside the course of a commercial activity” condition is part of why people are up in arms about this. If I’m at work and I run into a bug and submit a patch, my patch was developed in the course of a commercial activity, and thus the project as a whole was partially developed in the course of a commercial activity.

    How many major open-source projects have zero contributions from companies?

    It also acts as a huge disincentive for companies to open their code at all. If I package up a useful library I wrote at work, and I release it, and some other person downloads it and exposes a vulnerability that is only exploitable if you use the library in a way that I wasn’t originally using it, boom, my company is penalized. My company’s lawyers would be insane to let me release any code given that risk.

  • ChatGPT is certainly no good at a lot of aspects of storytelling, but I wonder how much the author played with different prompts.

    For example, if I go to GPT-4 and say, “Write a short fantasy story about a group of adventurers who challenge a dragon,” it gives me a bog standard trope-ridden fantasy story. Standard adventuring party goes into cave, fights dragon, kills it, returns with gold.

    But then if I say, “Do it again, but avoid using fantasy tropes and cliches,” it generates a much more interesting story. Not sure about the etiquette of pasting big blocks of ChatGPT text into Lemmy comments, but the setting turned from generic medieval Europe into more of a weird steampunk-like environment, and the climax of the story was the characters convincing the dragon that it was hurting people and should stop.


  • GDPR protects things implicitly (albeit completely untested–perhaps even problematic)

    I will grab my popcorn the first time someone seriously tries to pursue a GDPR erasure request for their fediverse content. I don’t think it’s even possible to honor such a request in theory, let alone in practice, given that nodes can come and go from the network and when they go, they could easily keep their local copies of everything.


  • Wish people wouldn’t do this, though I do understand the motivation. IMO it ends up punishing other Internet users (who are the ones getting value from years-old comment threads) vastly more than it punishes the owners and employees of Reddit, Inc. (who get most of their value from people participating in active discussions and seeing ads along the way).

    The end result is that you search for “how to fix a broken curtain rod” on Google and the search results are full of comment threads like

    • Anyone know how to fix a broken curtain rod?
      • [deleted]
        • Oh, that’s a good idea. How do you unscrew the end if you do it that way?
          • Hello! I have removed my comment from reddit because I don’t like the way they’re running their company. You can find me on Lemmy.
            • Thanks! That worked.

    Reddit still gets the revenue from the ad at the top of the page, so the only person you’ve successfully stiffed is the person who was looking for an answer.