Wikipedia:Reference desk/Archives/Computing/2011 September 25
September 25
SQL injection
Could someone explain SQL injection in more simplistic terms, layman's terms even, than the article? So far, I get that an attacker puts an SQL command into a text entry field, but I'm not sure where that field is and how this helps them break into user data. I'm not looking to do this myself, but I'd like to better understand it. Thanks, Dismas|(talk) 01:30, 25 September 2011 (UTC)
- Here's a shot.
- So I have a website that lets you search for people by their last name. There is a text input field for the last name, and it stores that input in the variable $search.
- The search code works by making an SQL query for my name database, and generates queries that look like this: SELECT * FROM mytable WHERE name = '$search';
- With me so far? OK. Now what happens if $search contains a value like this: "'; DROP TABLE mytable;"?
- Because I used a single quote to delineate where $search started and ended in my SQL query, if $search contains a single quote, my SQL engine will interpret that initial single quote in $search as meaning, "OK, the search variable is done". So then I am injecting raw SQL into the rest of the query with the rest of my text input. The result is that instead of saying, "get all the names that are like $search," it now says, "get all the names that are like $search, and then delete the table."
- So you can see the nature of the attack — fool the SQL into thinking the query is complete, then put in your own malicious SQL code. That's the essence of it. It's easy enough to prevent — just make sure that $search doesn't contain a delimiting character, or sanitize it (e.g. turn the ' into /') — but it's also easy to forget to do that, which opens a huge hole in the database. It doesn't have to be a DROP TABLE command, it can be a command that instead returns all passwords, or lists all the tables, or anything. You've basically exposed any tables in your database to whatever the attacker wants to do with them.
- Well, I don't know if that's clearer. --Mr.98 (talk) 01:56, 25 September 2011 (UTC)
Suppose you have a login page. When you press the submit button, your user name and password are passed to the following script running on the server, which creates a SQL statement from them:
sSql = "SELECT * FROM tblCustomers WHERE cust_name ='" & sUserName & "' AND cust_password='" & sPassword & "';"
So, if you entered Joe as your user name and 1234 as the password, the following SQL would be generated and then used to look up the user in a database:
SELECT * FROM tblCustomers WHERE cust_name = 'Joe' AND cust_password = '1234';
In other words, select all entries (i.e., *) in the customer table (tblCustomers) that have a customer name of Joe and a password of 1234. But what would happen if you put this for your user name instead: ' or 1=1--. Since 1 does equal 1, the database would return a result of all the users in the user table. In other words, you'd be telling the database to return everything from the customer table when 1 is equal to 1. The result would be that you would log into the site as the first user in the table. The two minuses terminate the SQL statement, preventing the check for a password. Therefore, you could leave the password field empty.--Best Dog Ever (talk) 02:10, 25 September 2011 (UTC)
- Thanks! Both of your answers were quite helpful. I now understand this XKCD even more. (though that wasn't the only reason for my curiosity) So, when these tables are "returned" where/how are they returned? Does the web site simply display them all on the web page? Dismas|(talk) 03:12, 25 September 2011 (UTC)
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open sSql, cnn, 3, 3      ' run the query built above over the open connection cnn
If rs.BOF Or rs.EOF Then     ' empty recordset: no row matched that name and password
    Response.Write "Access Denied"
Else
    Response.Write "Welcome"
End If
In other words, if the record set is empty, the SQL query returns no results given that user name and password. If it is not empty, the script assumes that it has a valid user and password. So, it's a very simple script.
On a related note, you could also output a table to a web page as you asked using a user name like this: '; exec sp_makewebtask "C:\Inetpub\wwwroot\output.html", "select * from tblCustomers";--. Although such commands return an access-denied error, they're still completing successfully, meaning, in this case, you could point your browser to output.html like this: http://www.somesite.com/output.html to view a table of customers. But sp_makewebtask is specific to Microsoft SQL Server, so these sorts of attacks are often vendor-specific.—Best Dog Ever (talk) 04:07, 25 September 2011 (UTC)
- I see. Thanks! Dismas|(talk) 09:06, 25 September 2011 (UTC)
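As an added example (not code from the thread), here is the login check from the ASP snippet above rewritten in Python against an in-memory SQLite table, with a parameterized version beside it; the customer rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows for the tblCustomers table discussed above.
CUSTOMERS = [("Alice", "s3cret"), ("Joe", "1234")]


def fresh_db():
    """In-memory SQLite database holding the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblCustomers (cust_name TEXT, cust_password TEXT)")
    conn.executemany("INSERT INTO tblCustomers VALUES (?, ?)", CUSTOMERS)
    return conn


def login_concatenated(conn, user, password):
    """The ASP snippet's approach: splice the form fields into the SQL text.
    Whatever the user types, quotes and comment markers included, becomes
    part of the statement the engine parses."""
    sql = ("SELECT cust_name FROM tblCustomers WHERE cust_name ='" + user
           + "' AND cust_password='" + password + "';")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, user, password):
    """Fix: the statement text never changes; the values travel as bound
    parameters, so a quote in the input is compared as data, never parsed."""
    sql = ("SELECT cust_name FROM tblCustomers "
           "WHERE cust_name = ? AND cust_password = ?")
    return sorted(row[0] for row in conn.execute(sql, (user, password)))


if __name__ == "__main__":
    conn = fresh_db()
    # A real login matches exactly one row either way.
    print(login_concatenated(conn, "Joe", "1234"))       # ['Joe']
    print(login_parameterized(conn, "Joe", "1234"))      # ['Joe']
    # The thread's user name "' or 1=1--" with an empty password.
    # Concatenation produces:  ... WHERE cust_name ='' or 1=1--' AND ...
    # Everything after -- is a comment, so every customer "matches".
    print(login_concatenated(conn, "' or 1=1--", ""))    # ['Alice', 'Joe']
    # The parameterized query looks for a customer literally named "' or 1=1--".
    print(login_parameterized(conn, "' or 1=1--", ""))   # []
```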
How does one set UTF-8 as the default encoding in Notepad (in Windows 7)?
In the "Save as..." dialog box in Notepad (under 64-bit Windows 7 Home Premium) the default text encoding is ANSI.
But one may click it and choose between:
ANSI, Unicode, Unicode big endian, or UTF-8.
If one wants to set the default to UTF-8 instead of ANSI:
How does one do it?
Esocul (talk) 02:42, 25 September 2011 (UTC)
- Here is one explanation. I have not tried it myself. In my experience, an easier solution on Windows is to open the Control Panel, go to Regional and Language Options, select the Advanced tab, and change the "Language for non-Unicode programs" setting; after this, you don't need to bother saving Notepad documents in UTF-8. rʨanaɢ (talk) 04:08, 25 September 2011 (UTC)
- There are Notepad replacements that retain Notepad's only useful feature (quick startup time) while adding a lot of other features, including the ability to change the default document encoding. Personally I use Notepad++. If you don't like the visual clutter of tabbed editing, line numbers, etc., it can all be disabled. -- BenRG (talk) 19:00, 25 September 2011 (UTC)
Thank you both! :-)
--Esocul (talk) 21:11, 29 September 2011 (UTC)
Something's wrong: Deleting texts doesn't free up memory?
On my Android phone, an Xperia Play, I deleted all my texts, including some with multimedia. They were backed up to Gmail. This was to free internal memory, of which I only had 25 MB left.
When I checked the memory again, it still said 25 MB remaining. Like I said, some of the texts had multimedia (picture attachments).
I was told that texts get saved to the internal memory by default. Therefore, why wouldn't the difference in megabytes available register? --70.179.163.168 (talk) 04:00, 25 September 2011 (UTC)
- Android typically divides the internal storage space into two sections: the "Phone Storage", where you can save music, photos, and other things (this is the same as the space on a removable SD card), and the "Application Storage", where programs that you install save themselves by default (with third-party software or newer versions of Android, you can move them to other storage areas). My guess is that you are looking at the free space for one of these, and the text messages were in the other. gnfnrf (talk) 03:21, 26 September 2011 (UTC)
Learning Web design.
I want to learn web design. What computer languages will be essential to be a web designer? — Preceding unsigned comment added by 220.225.96.217 (talk) 06:34, 25 September 2011 (UTC)
- This is a big can of worms with a lot of options in it. Forgive me for excessive linking of acronyms, which is what most of these are known by.
- The basic web trio that control how things look are HTML, CSS, and Javascript. These are sort of mandatory and essential no matter what you do, working in the "real world" of design. (Only Javascript is a programming language; HTML is a markup language, CSS is a style sheet language.)
- Those three manage the front end, managing how the browser renders things. On the back end, managing what is actually sent to the browser in the first place, are a variety of server-side scripting languages. The most popular at the moment seem to be PHP, ASP, Perl, and JSP, but there is a lot of variety there. You don't have to learn all of those, of course.
- Separate from this are technologies like Adobe Flash, which relies heavily on ActionScript.
- Depending on what you mean by "web design", the above may or may not be important. If you only care about being a graphics designer who works on the web, you can get away with knowing only HTML, CSS, maybe Flash. More important than these is likely to be familiarity with Photoshop. If by "web design" you mean "web developer," then HTML, Javascript, and a server-side scripting language or two are more important, along with an understanding of databases (e.g. MySQL). If you want to be sort of a jack-of-all-trades type, you'll need to know a few things in concert. These look like a lot, but it's a lot less than it appears. HTML and CSS are the sorts of things you can learn the basics of in an afternoon. The programming languages all use similar-enough syntax and reasoning that learning one of them puts you in a good position to adapt to the others if you need to. Flash is its own thing, maybe the hardest of the above, because it combines a lot of things simultaneously (scripting, vector graphics, animation, what have you). --Mr.98 (talk) 13:38, 25 September 2011 (UTC)
- Just to make sure it is clear: Mr. 98 is absolutely correct in that the essentials are HTML, CSS, and Javascript. -- kainaw™ 17:08, 25 September 2011 (UTC)
How to view folder directory of my Android phone on PC without rooting it?
I'm getting nowhere on how to do this. (It's so I can figure out what files other than apps I would need to delete from the phone's internal memory, and it's better viewed from a PC.)
When I tried the USB cable connection, as soon as I turn that USB storage thing on, it "forgets" that an SD card is in the phone for some reason, and when I click "removable device," I can't get in. It keeps asking me to insert something. So I need to find another way, please. Thanks. --70.179.163.168 (talk) 07:23, 25 September 2011 (UTC)
- IS ANYBODY THERE??????????????????????????? --70.179.163.168 (talk) 21:37, 26 September 2011 (UTC)
- Yes - but nobody who knows the answer to your question, apparently. This is a help desk run by volunteers, and we can't be expected to answer every possible query. Have you tried the phone supplier's website? AndyTheGrump (talk) 21:45, 26 September 2011 (UTC)
- You could try removing your SD card and connecting it via a card reader. Dbfirs 23:32, 26 September 2011 (UTC)
Computing
I frequently get an error when I try to connect my PC to the internet. Mine is a dial-up connection; the error is error 711.
Can anyone help me? — Preceding unsigned comment added by Shriram105 (talk • contribs) 16:56, 25 September 2011 (UTC)
- Does this link help? If not, please give us a lot more information - what version of Windows, what sort of modem, and a screenshot of the error message if possible. Comet Tuttle (talk) 21:23, 25 September 2011 (UTC)
Question Resolved - Webcam video quality
I have recently got myself a Hercules HD Webcam. It is supposed to be a fairly high-range model, and I expected anyone watching my webcam to get smooth, quality video. But they are getting a succession of stills rather than true video. I am also getting that quality from their webcam when we chat. I have seen videos taken from webcams, and some have been good quality. Can you tell me what the factors are that control getting or broadcasting reasonable-quality video from a webcam? Oh, a final question . . . my Hercules is advertised as having a capture/transmission rate of "up to" 30fps. What controls the actual fps achieved? Thanks. Gurumaister (talk) 17:17, 25 September 2011 (UTC)
I have since been given an answer to the above - thanks anyway. Gurumaister (talk) 18:15, 25 September 2011 (UTC)
Add comments to pictures
How can you add comments to pictures, in a flickr-like fashion, but off-line? (I'm looking for something unobtrusive that points to a specific spot and shows a comment when someone hovers the mouse pointer over an element.) Quest09 (talk) 21:12, 25 September 2011 (UTC)
- The comment isn't added to the picture. It is being associated with the picture by the photo viewing program. There are many programs that you can put on your computer to show pictures with comments, such as Picasa by Google. -- kainaw™ 21:14, 25 September 2011 (UTC)
- Windows Vista and Windows 7 let you add comments to pictures in this way, too. As Kainaw wrote, comments are metadata that are not added to the picture itself. Comet Tuttle (talk) 21:20, 25 September 2011 (UTC)
- Of course, you can add text directly to a picture, too. This is often done to prevent others from taking credit for your work (the catch is, you need to write it over something important, or they will trim it off). You can also extend the image and add the text to the extension. This can be done with just about any picture editor, like MS Paint. This doesn't do the hover trick, though. StuRat (talk) 01:48, 26 September 2011 (UTC)
MBR, fdisk, and other types of boot sectors
I was reading this page ([1]) on OSDev, and I noticed the part where it states that MS-DOS's fdisk was the first program to use the MBR format. Was it Microsoft that helped to develop the MBR scheme? Also, I have a few other questions associated with master boot records:
- All pages I read state the MBR is loaded into address 0x7C00 of the memory. I've also seen it written as 0x0000:7C00. What does the "0x0000:" in front of "7C00" mean, and aren't 4 or 8 hexadecimal places too few to address today's RAM?
- Why isn't the boot sector loaded into the very beginning of the RAM instead of 0x7C00/0x0000:7C00?
- In the section of the page I linked to, it says the MBR fdisk made was loaded into 0x0000:6000, instead of 0x7C00. What I gather from this is that this MBR could load itself anywhere, although it does mention 0x7C00. What gives?
- Some distributions of BSD use something called disklabel instead of an MBR. Does this require special firmware?
- Can more than one sector be loaded by the BIOS during the start up process?
--Melab±1 ☎ 21:35, 25 September 2011 (UTC)
- The BIOS boots in 16 bit real mode, where far pointers (which is what 0000:7c00 is) mean something weirder than you think - see x86 memory segmentation for lots of pain.
- In the real mode memory map, page 0 is the interrupt vector table (by fiat of the processor), so you can't put general stuff there.
- pass
- See BSD disklabel. On a BIOS PC, the BSD disklabel is subordinate to the MBR.
- I answered this the last time you asked: no.
- -- 2.122.75.122 (talk) 11:43, 26 September 2011 (UTC) (Finlay McWalter, out of the office)
Chess Word Processing
I frequently copy and paste chess games from online to Microsoft Word 2010. For the most part everything works perfectly, but there is a curious exception: the program does not appear to like castling. For both castlings in the game, it breaks the 0-0(-0) over two lines; this occurs no matter what font or page orientation I use. This does not happen if I type the entire game manually, but that is quite time-consuming, and I am frequently in a hurry when I copy the games. How can I prevent this? Interchangeable|talk to me 21:36, 25 September 2011 (UTC)
- Perhaps using Paste Special > Paste without formatting? I'd test it, but don't have a copy of MS Office handy. Then again, if you only copy one game at a time, that method is probably no more efficient than simply backspacing the unwanted newline, unless you assign a shortcut to it. AJCham 23:48, 25 September 2011 (UTC)
- Paste without formatting worked! Thanks! Interchangeable|talk to me 16:14, 26 September 2011 (UTC)