Category Archives: infosec

Why not MySQL

I’ve been a happy PostgreSQL user for some years now. Just a quick reminder why I prefer the PostgreSQL way of doing things (the proper way):

$ psql -c "select ''::text - ''::text"
ERROR:  operator is not unique: text - text
LINE 1: select '' - ''
                  ^
HINT:  Could not choose a best candidate operator. You might need to add explicit type casts.

Sounds about right: the minus operator isn’t defined for two strings in general. I was horrified when, going through my RSS reader, I stumbled upon “Abusing MySQL string arithmetic for tiny SQL injections” by Krzysztof Kotowicz:

mysql> select ''-'';
+-------+
| ''-'' |
+-------+
|     0 |
+-------+

The above works because, when faced with the minus operator, MySQL assumes that you are mistakenly passing it two doubles as strings, and that an empty string defaults to zero.

PostgreSQL’s solution for the above is superior, as it lets you know: hey, this is undefined. MySQL’s approach, thinking it can/should fix this for you, leads to security problems (or at least lingering, hard-to-find bugs), as shown in the article.
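Since MySQL evaluates this silently, the check has to live somewhere else. As an added example (not from the original post or the linked article), here is a small Python lint that flags arithmetic between two string literals in a SQL statement, the construct PostgreSQL rejects above. The function names and sample statements are constructed for illustration, and only single-quoted literals with doubled-quote escapes are handled.

```python
# Arithmetic operators that MySQL applies to strings by coercing them to doubles.
ARITH_OPS = set("+-*/%")

def tokenize(sql):
    """Split a statement into ('str', text), ('op', char) and ('other', text) tokens.

    Assumption: only single-quoted literals with '' escapes are recognised;
    backslash escapes, double-quoted strings and comments are out of scope.
    """
    tokens, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "'":
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2      # doubled quote stays inside the literal
                        continue
                    break           # closing quote
                j += 1
            tokens.append(("str", sql[i:j + 1]))
            i = j + 1
        elif c in ARITH_OPS:
            tokens.append(("op", c))
            i += 1
        else:
            j = i
            while j < n and not sql[j].isspace() and sql[j] != "'" and sql[j] not in ARITH_OPS:
                j += 1
            tokens.append(("other", sql[i:j]))
            i = j
    return tokens

def string_arithmetic(sql):
    """Return every 'literal operator literal' triple found in the statement."""
    t = tokenize(sql)
    return [
        t[k][1] + t[k + 1][1] + t[k + 2][1]
        for k in range(len(t) - 2)
        if (t[k][0], t[k + 1][0], t[k + 2][0]) == ("str", "op", "str")
    ]

# Constructed sample: the expression from the post is flagged.
FLAGGED = string_arithmetic("select ''-''")   # ["''-''"]
```

Run it over query logs or in code review; operators that appear inside a literal, or between columns and numbers, are not reported.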


t2’12

Just a quickpress on my t2’12 experience. It was the first infosec conference I’ve ever attended, and I’m still in awe of the actual contents.

Basically there was everything I would have hoped for, from current-ish events (Huawei, Flame) and interesting targets (EMV payment devices, USB, browsers) to actual enterprise protection tips. At least these are the topics on top of my mind right now.

Almost surprisingly, there was a talk by Rick Falkvinge, the founder of Piratpartiet (of Sweden). His keynote was very inspiring and thought-provoking. Looking at the conference schedule as a whole, it was a great kickoff for the talks to come. (Mentioning this in its own paragraph as Rick requested mentioning his unique name near the end of his talk. :)

I’ll most likely be writing much more on this topic.