
Just want to reraise that "you're not invited to my birthday anymore" can be a powerful psychic attack if executed correctly.

Terrifying imagined warning sign 

@alexbuzzbee DANGER: RUN.

Alarming information about toxic materials 

To learn more about nondecaying toxin containment, look up the Giant Mine Remediation Project. 200,000+ tonnes of arsenic trioxide dust buried in the ground. It will never break down and will remain lethally dangerous indefinitely. The plan is for it to be frozen forever.


Terrifying imagined warning sign 


Full-pipeline reverse engineering: You start with an undocumented binary, and by the end you have the requirements it was intended to address.

US politics, Trump 

Of course, the hung jury analogy doesn't fully hold together, because you can't have a mistrial and dismiss and replace the Senate if it fails to return a conclusive result.


US politics, Trump 

I'd just like to point out that there is a considerable difference between an acquittal and a finding of innocence. 57 Senators voted to convict Trump, which is a considerable majority. The sense of the Senate is that he's guilty; they just didn't meet the supermajority needed to impose penalties, which means acquittal. Vaguely like a hung jury. It's still an unfortunate result, but not an unexpected one (in fact, 57 is better than the 54 or 55 I was expecting).

Oh good, SQLite changed the name of the metadata table to sqlite_schema.

Me, reading an article about how to write good code: Wait a minute.
Me: *pulls mask off of article*
[The article is just functional programming.]
Me: This article is just functional programming in disguise!

Examples (your client probably collapses multiple spaces so I replaced them with underscores):



POLL for programmers: When you comment out a line of code, do you...

Just fucking great! On a website they can use plaintext, but when they send me spam it's HTML.

SQL injection horror 

I think I've arrived at a solution for my particular case. With thanks to @yuki, it comes in two parts:

1. Use sqlite_master to verify table names, then SELECT * FROM table LIMIT 0; and the Python SQLite module's cursor.description (which gives (in a strange format) field names from the last query, even if it had zero rows) to verify field names.
2. Apply the quoting mechanism described above to mitigate against weird but non-malicious name choices.


SQL injection horror 

(I did check and the injection does work when quoted naively. If you remove the first double-quote, it works when unquoted.)


SQL injection horror 

I wrote a very small Python implementation of the same quoting technique from above (def quote_sql_name(name): return '"' + name.replace('"', '""') + '"') and used it to create a SQLite table called

sometable"(a TEXT);INSERT INTO things VALUES ('This thing was added through SQL injection');--"'\.,?!@#$%^&*()_-+=|\[]{};:`~--/*

with no ill effects (no syntax errors, table created, no record inserted in things). I'm still not sure it's enough. Tell me if you see a problem.

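The two-part solution from this thread (verify table names against sqlite_master and field names via cursor.description, then quote every identifier by doubling embedded double quotes) worked through end to end against an in-memory SQLite database. This is an added example, not code from the post; the hostile table name is the one quoted in the thread, used here as constructed test input, and build_demo_db, table_exists, column_names, safe_select and is_rejected are assumed helper names.

```python
import sqlite3

# Constructed test input: the hostile table name from the post, verbatim.
HOSTILE_NAME = r'''sometable"(a TEXT);INSERT INTO things VALUES ('This thing was added through SQL injection');--"'\.,?!@#$%^&*()_-+=|\[]{};:`~--/*'''


def quote_sql_name(name: str) -> str:
    """Quote an SQL identifier: wrap in double quotes, double any embedded
    double quotes (the technique from the post)."""
    return '"' + name.replace('"', '""') + '"'


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Part 1a: look the name up in sqlite_master with a bound parameter,
    so the untrusted value never becomes SQL text."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def column_names(conn: sqlite3.Connection, table: str) -> list:
    """Part 1b: SELECT * ... LIMIT 0 returns no rows, but cursor.description
    still holds one 7-tuple per column with the name in position 0.
    Only call this after table_exists() has confirmed the name."""
    cur = conn.execute(f"SELECT * FROM {quote_sql_name(table)} LIMIT 0")
    return [d[0] for d in cur.description]


def safe_select(conn: sqlite3.Connection, table: str, columns: list) -> list:
    """Build SELECT <columns> FROM <table> from verified, quoted names only."""
    if not table_exists(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    known = column_names(conn, table)
    unknown = [c for c in columns if c not in known]
    if unknown:
        # Rejecting unknown names also sidesteps SQLite's legacy behaviour of
        # reading an unmatched double-quoted name as a string literal.
        raise ValueError(f"unknown column(s) in {table!r}: {unknown}")
    cols = ", ".join(quote_sql_name(c) for c in columns)
    return conn.execute(f"SELECT {cols} FROM {quote_sql_name(table)}").fetchall()


def is_rejected(conn: sqlite3.Connection, table: str, columns: list) -> bool:
    """True when safe_select refuses the (table, columns) pair."""
    try:
        safe_select(conn, table, columns)
    except ValueError:
        return True
    return False


def build_demo_db() -> sqlite3.Connection:
    """Constructed fixture: a 'things' table (the injection payload's target)
    plus a table created under the hostile name through the quoting helper."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE things (note TEXT)")
    conn.execute("INSERT INTO things VALUES ('legitimate row')")
    conn.execute(f"CREATE TABLE {quote_sql_name(HOSTILE_NAME)} (a TEXT)")
    return conn


def things_row_count(conn: sqlite3.Connection) -> int:
    """Row count of 'things'; stays at 1 if the payload did not execute."""
    return conn.execute("SELECT COUNT(*) FROM things").fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    print("rows in things:", things_row_count(db))
    print("hostile table registered:", table_exists(db, HOSTILE_NAME))
    print("its columns:", column_names(db, HOSTILE_NAME))
    print("rejects unknown column:", is_rejected(db, "things", ["nope"]))
```

The sqlite_master lookup is parameterised, so the only place an identifier is ever interpolated into SQL text is after it has been confirmed to be an existing table or column, and even then it goes through quote_sql_name.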

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.