Terrifying imagined warning sign
@alexbuzzbee DANGER: RUN.
Alarming information about toxic materials
To learn more about nondecaying toxin containment, look up the Giant Mine Remediation Project. 200,000+ tonnes of arsenic trioxide dust buried in the ground. It will never break down and will remain lethally dangerous indefinitely. The plan is for it to be frozen forever.
US politics, Trump
Of course, the hung jury analogy doesn't fully hold together because you can't have a mistrial and dismiss and replace the Senate if it fails to return a conclusive result.
US politics, Trump
I'd just like to point out that there is a considerable difference between an acquittal and a finding of innocence. 57 Senators voted to convict Trump, which is a considerable majority. The sense of the Senate is that he's guilty; they just didn't meet the supermajority needed to impose penalties, which means acquittal. Vaguely like a hung jury. It's still an unfortunate result, but not an unexpected one (in fact, 57 is better than the 54 or 55 I was expecting).
Examples (your client probably collapses multiple spaces so I replaced them with underscores):
1)
//____something
2)
____//_something
3)
____//something
SQL injection horror
And here's the implementation: https://gitlab.com/alexbuzzbee/strukit/-/raw/sqlnames/src/lib/sqlnames.py
SQL injection horror
I think I've arrived at a solution for my particular case. With thanks to @yuki, it comes in two parts:
1. Use sqlite_master to verify table names, then SELECT * FROM table LIMIT 0; and the Python SQLite module's cursor.description (which gives (in a strange format) field names from the last query, even if it had zero rows) to verify field names.
2. Apply the quoting mechanism described above to mitigate against weird but non-malicious name choices.
SQL injection horror
(I did check and the injection does work when quoted naively. If you remove the first double-quote, it works when unquoted.)
SQL injection horror
I wrote a very small Python implementation of the same quoting technique from above (def quote_sql_name(name): return '"' + name.replace('"', '""') + '"') and used it to create a SQLite table called
sometable"(a TEXT);INSERT INTO things VALUES ('This thing was added through SQL injection');--"'\.,?!@#$%^&*()_-+=|\[]{};:`~--/*
with no ill effects (no syntax errors, table created, no record inserted in things). I'm still not sure it's enough. Tell me if you see a problem.
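Added example (not part of the original posts, and not the code at the linked repository): the two-part approach described in the posts above, using Python's sqlite3 module to check the table name against sqlite_master, read column names from cursor.description after a LIMIT 0 query, and quote every identifier. select_fields, demo and the sample table and column names are assumptions made up for this illustration.

```python
import sqlite3

def quote_sql_name(name):
    # Same rule as the one-liner in the post: wrap in double quotes, double any inside.
    return '"' + name.replace('"', '""') + '"'

def table_exists(conn, table):
    # The candidate name is a bound parameter here, so it is compared as data, never parsed.
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def column_names(conn, table):
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % (table,))
    cur = conn.execute("SELECT * FROM " + quote_sql_name(table) + " LIMIT 0")
    # description is filled in even for zero rows: one 7-tuple per column, with the
    # name at index 0 and None in the other six slots.
    return [col[0] for col in cur.description]

def select_fields(conn, table, fields):
    # Hypothetical helper: build a SELECT only from names the database itself reported.
    known = column_names(conn, table)
    unknown = [f for f in fields if f not in known]
    if unknown:
        raise ValueError("unknown fields: %r" % (unknown,))
    cols = ", ".join(quote_sql_name(f) for f in fields)
    return conn.execute("SELECT " + cols + " FROM " + quote_sql_name(table)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE things (label TEXT)")
    # Constructed awkward names, in the spirit of the test name in the post.
    odd = "sometable\"(a TEXT);INSERT INTO things VALUES ('injected');--"
    conn.execute("CREATE TABLE " + quote_sql_name(odd) + ' ("a b" TEXT, c TEXT)')
    conn.execute("INSERT INTO " + quote_sql_name(odd) + " VALUES ('x', 'y')")
    rows = select_fields(conn, odd, ["a b"])
    injected = conn.execute("SELECT COUNT(*) FROM things").fetchone()[0]
    return column_names(conn, odd), rows, injected

if __name__ == "__main__":
    print(demo())
```

The comparisons against sqlite_master and cursor.description are exact-match, so a name that differs only in case is rejected rather than passed through.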
I'm a computer programmer and #ComputerScience student with a moderate enthusiasm for #FOSS. I like computers, cool #tech, #space, and good #books.
Pronouns: https://pronoun.is/he/him/his/his/himself
Timezone: US Eastern Time
www: https://www.alm.website/
XMPP/Jabber (preferred IM): alexbuzzbee@nixnet.xyz
Matrix: @alexbuzzbee:matrix.org
Mail: mailto:public00083@alm.website