<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article10_02_26_0542206</id>
	<title>Anatomy of a SQL Injection Attack</title>
	<author>timothy</author>
	<datestamp>1267178580000</datestamp>
	<htmltext>Trailrunner7 writes <i>"SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process <a href="http://threatpost.com/en_us/blogs/anatomy-sql-injection-attack-022510">found that the site had already been hacked</a> and was serving the Zeus Trojan to visitors."</i>

<a href="http://www.communities.hp.com/securitysoftware/blogs/rafal/archive/2010/02/25/a-big-case-of-oops.aspx">Los's original blog post</a> has more and better illustrations, too.</htmltext>
<tokenext>Trailrunner7 writes " SQL injection has become perhaps the most widely used technique for compromising Web applications , thanks to both its relative simplicity and high success rate .
It 's not often that outsiders get a look at the way these attacks work , but a well-known researcher is providing just that .
Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection , and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors .
" Los 's original blog post has more and better illustrations , too .</tokentext>
<sentencetext>Trailrunner7 writes "SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate.
It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that.
Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors.
"

Los's original blog post has more and better illustrations, too.</sentencetext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284732</id>
	<title>The author should be more careful...</title>
	<author>joshuao3</author>
	<datestamp>1267198200000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>Simply searching on google for the tail end of the URL shows exactly which sites are vulnerable and the provider of the sites... Now the entire database of restaurants is open to attack.  If the author was trying to teach their client a lesson or two (or 50)--well, good job...</htmltext>
<tokenext>Simply searching on google for the tail end of the URL shows exactly which sites are vulnerable and the provider of the sites... Now the entire database of restaurants is open to attack .
If the author was trying to teach their client a lesson or two ( or 50 ) --well , good job.. .</tokentext>
<sentencetext>Simply searching on google for the tail end of the URL shows exactly which sites are vulnerable and the provider of the sites... Now the entire database of restaurants is open to attack.
If the author was trying to teach their client a lesson or two (or 50)--well, good job...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284306</id>
	<title>Re:Slash Dot Virus Sequel Injected in You</title>
	<author>jDeepbeep</author>
	<datestamp>1267195980000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>you will need to reformat your brain.</p></div><p>Does this mean I have to download the internet again?</p></htmltext>
<tokenext>you will need to reformat your brain.Does this mean I have to download the internet again ?</tokentext>
<sentencetext>you will need to reformat your brain.Does this mean I have to download the internet again?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283760</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283982</id>
	<title>Re:PHP security object</title>
	<author>ArwynH</author>
	<datestamp>1267194000000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Quick answer: A lot.</p><p>Long answer:</p><p>You are mistaking escaping for sanitising. These are two very different things.</p><p>Sanitising should occur as soon as possible, before the values are used. It involves validating and optionally filtering _each_ field, so that you know the data you are getting is exactly what you are expecting it to be. This is a lot of work, which is why a lot of people skip it, hence the large number of vulnerabilities in the wild. I suggest looking into libraries like Zend_Form to help with this.</p><p>Escaping, on the other hand, is done just before the variable is used. This is because different output formats have different escape sequences. E.g. for SQL you would use named variables and let the engine handle the escaping for you, but for HTML you would use something like htmlspecialchars().</p><p>Both sanitising and escaping are required for a secure application.</p></htmltext>
<tokenext>Quick answer : A lot.Long answer : You are mistaking escaping with sanitising .
These are two very different things.Sanitising should occur as soon as possible , before the values are used .
It involves validating and optionally filtering \ _each \ _ field , so that you know the data you are getting is exactly what you are expecting it to be .
This is a lot of work , which is why a lot of people skip it , hence the large number of vulnerabilities in the wild .
I suggest looking into libraries like Zend \ _Form to help with this.Escaping on the other hand , is done just before the variable is used .
This is because different output formats have different escape sequences .
E.G for SQL you would use named variables and let the engine handle the escaping for you , but for HTML you would use something like htmlspecialchars ( ) .Both sanitising and escaping are required for a secure application .</tokentext>
<sentencetext>Quick answer: A lot.Long answer:You are mistaking escaping with sanitising.
These are two very different things.Sanitising should occur as soon as possible, before the values are used.
It involves validating and optionally filtering _each_ field, so that you know the data you are getting is exactly what you are expecting it to be.
This is a lot of work, which is why a lot of people skip it, hence the large number of vulnerabilities in the wild.
I suggest looking into libraries like Zend_Form to help with this.Escaping on the other hand, is done just before the variable is used.
This is because different output formats have different escape sequences.
E.g. for SQL you would use named variables and let the engine handle the escaping for you, but for HTML you would use something like htmlspecialchars().Both sanitising and escaping are required for a secure application.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283534</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285704</id>
	<title>Re:Use a persistence library</title>
	<author>MemoryDragon</author>
	<datestamp>1267203240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Exactly, no persistence layer will help you against SQL injections by default. That simply by switching to an ORM layer you are safe from them is a common myth; instead you just shift the problem from SQL to HQL or JPQL. Only parametrized queries really help you to avoid that.</p></htmltext>
<tokenext>Exactly , no persistence layer will help you against sql injections per default , simply by switching to an orm layer you are safe from them is a common myth instead you just shift the problem from sql to hql or jpql , only parametrized queries really help you to avoid that .</tokentext>
<sentencetext>Exactly, no persistence layer will help you against sql injections per default, simply by switching to an orm layer you are safe from them is a common myth instead you just shift the problem from sql to hql or jpql, only parametrized queries really help you to avoid that.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152</parent>
</comment>
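ArwynH's point (sanitise each field as soon as it arrives, let the SQL engine bind the value, escape for HTML only at output) and MemoryDragon's point (only parametrised queries actually stop the injection) shown together as an added example; this is not code from the thread or from any project it mentions, and the sqlite3 table, its three rows and the 32-character username limit are constructed for the demo.

```python
"""Validate at the boundary, bind SQL parameters, escape at output (sqlite3 demo)."""
import html
import re
import sqlite3

# Constructed sample rows for this demo; the table and the names are invented.
SAMPLE_USERS = [
    ("alice", "Alice Liddell"),
    ("obrien", "Conor O'Brien"),
    ("mallory", "<script>alert(1)</script>"),
]

# Whitelist for the *username* field: same idea as the Perl s/[^0-9a-zA-Z]//g
# later in the thread, but here the value is rejected rather than silently stripped.
USERNAME_RE = re.compile(r"[0-9a-zA-Z]{1,32}")


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def validate_username(value):
    """Sanitising step, run as soon as the value arrives.

    Returns the value if it is exactly what a username may look like,
    otherwise None. This is independent of any later escaping.
    """
    return value if USERNAME_RE.fullmatch(value) else None


def lookup_concat(conn, username):
    """Vulnerable form: the value is spliced into the SQL text itself."""
    sql = ("SELECT username, display_name FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    """Safe form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT username, display_name FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_display_name(display_name):
    """Escaping step: HTML-escape at the point of output, for this output format."""
    return "<span>" + html.escape(display_name, quote=True) + "</span>"


def compare(conn, value):
    """Push one input through validation and both query styles, and report."""
    try:
        concat_rows = lookup_concat(conn, value)
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe breaks the concatenated query just as an
        # attack string does; the bound query below is unaffected by either.
        concat_rows = "SQL error: " + str(exc)
    return {
        "validated": validate_username(value),
        "concat_rows": concat_rows,
        "bound_rows": lookup_bound(conn, value),
    }


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(probe), "->", compare(db, probe))
    for _, name in SAMPLE_USERS:
        print(render_display_name(name))
```

The concatenated lookup returns every row for the tautology and fails outright on a real name containing an apostrophe, while the bound lookup treats both as ordinary strings; the HTML escaping happens in the renderer, not in the validator, because it belongs to the output format.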
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286442</id>
	<title>Re:Lemme be the first to say</title>
	<author>kill-1</author>
	<datestamp>1267206060000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Use perl, but do it because it has a plethora of usable ORMs.</p></htmltext>
<tokenext>Use perl , but do it because it has a plethora of usable ORMs .</tokentext>
<sentencetext>Use perl, but do it because it has a plethora of usable ORMs.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036</id>
	<title>Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267182180000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>One should definitely use a persistence library instead of concatenating strings to help mitigate the possibilities of being victim of SQL injections. They are pretty good at it. Hibernate is a widely used one.</p></htmltext>
<tokenext>One should definitely use a persistence library instead of concatenating strings to help mitigate the possibilities of being victim of SQL injections .
They are pretty good at it .
Hibernate is a widely used one .
 </tokentext>
<sentencetext>One should definitely use a persistence library instead of concatenating strings to help mitigate the possibilities of being victim of SQL injections.
They are pretty good at it.
Hibernate is a widely used one.
 </sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31288018</id>
	<title>And sometimes...</title>
	<author>ratboy666</author>
	<datestamp>1267211160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>A client wanted me to size a migration job. VMS, running Oracle, very old. A lot of the application was running in DCL scripts. With embedded SQL.</p><p>In my report I noted the possibility of SQL injection attacks. The client chose not to bother "Yes, we know about that already". This was a government branch. Nearly made me cry.</p><p>Mostly because I am too ethical to exploit it to make money.</p></htmltext>
<tokenext>A client wanted me to size a migration job .
VMS , running Oracle , very old .
A lot of the application was running in DCL scripts .
With embedded SQL.In my report I noted the possibility of SQL injection attacks .
The client chose not to bother " Yes , we know about that already " .
This was a government branch .
Nearly made me cry.Mostly because I am too ethical to exploit it to make money .</tokentext>
<sentencetext>A client wanted me to size a migration job.
VMS, running Oracle, very old.
A lot of the application was running in DCL scripts.
With embedded SQL.In my report I noted the possibility of SQL injection attacks.
The client chose not to bother "Yes, we know about that already".
This was a government branch.
Nearly made me cry.Mostly because I am too ethical to exploit it to make money.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284356</id>
	<title>Re:It is a sad world we live in.</title>
	<author>Anonymous</author>
	<datestamp>1267196280000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>1</modscore>
	<htmltext><p>Your post is quite good. In fact, I'm sitting in the corner, thinking that (1) enhances the user experience, but does not by any means decrease any chance of SQL injection. Anyone with Firebug can overcome client side validation. (4) Is the essential point where the data is actually persisted. You can perform as many contortions as you want with your data, but only what is stored there will be retrieved. So it makes sense to start with making sure (4) is correct, because any manipulation on the data has the ultimate objective of being persisted in the database.</p><p>Let's hear from a grown-up then what is the role of (2) and (3), please, please. I've not yet made myself a strong opinion on protecting these layers, but seems to me that they are much less important than (4). And from a security perspective, (1) is completely irrelevant.</p></htmltext>
<tokenext>Your post is quite good .
In fact , I 'm sitting in the corner , thinking that ( 1 ) enhances the user experience , but does not by any means decrease any chance of SQL injection .
Anyone with Firebug can overcome client side validation .
( 4 ) Is the essential point where the data is actually persisted .
You can perform as many contortions as you want with your data , but only what is stored there will be retrieved .
So it makes sense to start with making sure ( 4 ) is correct , because any manipulation on the data has the ultimate objective of being persisted in the database.Let 's hear from a grown-up then what is the role of ( 2 ) and ( 3 ) , please , please .
I 've not yet made myself a strong opinion on protecting these layers , but seems to me that they are much less important than ( 4 ) .
And from a security perspective , ( 1 ) is completely irrelevant .</tokentext>
<sentencetext>Your post is quite good.
In fact, I'm sitting in the corner, thinking that (1)  enhances the user experience, but does not by any means decrease any chance of SQL injection.
Anyone with Firebug can overcome client side validation.
(4) Is the essential point where the data is actually persisted.
You can perform as many contortions as you want with your data, but only what is stored there will be retrieved.
So it makes sense to start with making sure (4) is correct, because any manipulation on the data has the ultimate objective of being persisted in the database.Let's hear from a grown-up then what is the role of (2) and (3), please, please.
I've not yet made myself a strong opinion on protecting these layers, but seems to me that they are much less important than (4).
And from a security perspective, (1) is completely irrelevant.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283760</id>
	<title>Slash Dot Virus Sequel Injected in You</title>
	<author>Anonymous</author>
	<datestamp>1267191900000</datestamp>
	<modclass>Funny</modclass>
	<modscore>4</modscore>
	<htmltext>You can't stop reading slashdot.  Full of nonsensical arguments, but you read on, your brain oozes, your eyes are red, dry and hurt. Still, you read on, and participate in the debate.  You don't recognize your odd behavior.  There's a sequel reply injected into your brain. It's a slash dot sequel brain virus injection. There's no cleaning utility, you will need to reformat your brain.</htmltext>
<tokenext>You ca n't stop reading slashdot .
Full of nonsensical arguments , but you read on , your brain oozes , your eyes are red , dry and hurt .
Still , you read on , and participate in the debate .
You do n't recognize your odd behavior .
There 's a sequel reply injected into your brain .
It 's a slash dot sequel brain virus injection .
There 's no cleaning utility , you will need to reformat your brain .</tokentext>
<sentencetext>You can't stop reading slashdot.
Full of nonsensical arguments, but you read on, your brain oozes, your eyes are red, dry and hurt.
Still, you read on, and participate in the debate.
You don't recognize your odd behavior.
There's a sequel reply injected into your brain.
It's a slash dot sequel brain virus injection.
There's no cleaning utility, you will need to reformat your brain.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31289130</id>
	<title>First post!</title>
	<author>Anonymous</author>
	<datestamp>1267214940000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>'; update comments set date='2010-02-26 05:02:00' where id=(select max(id) from comments where user_id is null and sid=1563946); /*</p></htmltext>
<tokenext>' ; update comments set date = '2010-02-26 05 : 02 : 00 ' where id = ( select max ( id ) from comments where user \ _id is null and sid = 1563946 ) ; / *</tokentext>
<sentencetext>'; update comments set date='2010-02-26 05:02:00' where id=(select max(id) from comments where user_id is null and sid=1563946); /*</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283768</id>
	<title>Re:Use a persistence library</title>
	<author>DrXym</author>
	<datestamp>1267192020000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>Persistence is just a bad idea, it hides the real performance issues of how databases work, and limits how you can easily manipulate the data. </i>
<p>
That assumes performance is somebody's number 1 priority. An app might use something like OpenJPA or Hibernate because code correctness, scalability, time to market or portability are more important than performance. Besides, I bet for typical database queries, the performance boost from handwriting SQL vs Hibernate (hql) / OpenJPA (jpql) generating it would be negligible. If you absolutely had to hand tune some SQL you could even slap it in a stored proc or function which is probably a good idea anyway for some actions.
</p><p>
If performance or a legacy database was a concern all over the place then iBatis or its ilk might be a better fit. Then you can handwrite every SQL call but at least it sits in an XML file so it doesn't pollute the application code. It's still harder to code than using a persistence API though.</p></htmltext>
<tokenext>Persistence is just a bad idea , it hides the real performance issues of how databases work , and limits how you can easily manipulate the data .
That assumes performance is somebody 's number 1 priority .
An app might use something like OpenJPA or Hibernate because code correctness , scalability , time to market or portability are more important than performance .
Besides , I bet for typical database queries , the performance boost from handwriting SQL vs Hibernate ( hql ) / OpenJPA ( jpql ) generating it would be negligible .
If you absolutely had to hand tune some SQL you could even slap it in a stored proc or function which is probably a good idea anyway for some actions .
If performance or a legacy database was a concern all over the place then iBatis or its ilk might be a better fit .
Then you can handwrite every SQL call but at least it sits in an XML file so it does n't pollute the application code .
It 's still harder to code than using a persistence API though .</tokentext>
<sentencetext>Persistence is just a bad idea, it hides the real performance issues of how databases work, and limits how you can easily manipulate the data.
That assumes performance is somebody's number 1 priority.
An app might use something like OpenJPA or Hibernate because code correctness, scalability, time to market or portability are more important than performance.
Besides, I bet for typical database queries, the performance boost from handwriting SQL vs Hibernate (hql) / OpenJPA (jpql) generating it would be negligible.
If you absolutely had to hand tune some SQL you could even slap it in a stored proc or function which is probably a good idea anyway for some actions.
If performance or a legacy database was a concern all over the place then iBatis or its ilk might be a better fit.
Then you can handwrite every SQL call but at least it sits in an XML file so it doesn't pollute the application code.
It's still harder to code than using a persistence API though.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31288872</id>
	<title>Just a matter of the right way of programming...</title>
	<author>Anonymous</author>
	<datestamp>1267214160000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I've got in touch with a few programmers during the time of my ICT period as manager and have noticed a few interesting things:</p><ul> <li>There are not a lot of guys in the PHP world not thinking about the implications of lax security. They program their code in a few hours/days and consider it done; time is money, so why care about security anyway? These guys create a hell for shared hosting, since their projects tend to be the bridge towards a new security hell for other customers on the same server. It's easy to find all the domains attached to an IP for someone with malicious purposes. A sysadmin can prevent this by sandboxing/chrooting as much as possible, but cannot prevent an account (or more) from being hacked if the code is programmed badly.</li><li>There are a few who really think of security as a necessity; these applications are mostly hardened towards the latest exploits. Their projects won't bring any clients into danger at a later stage, unless the server isn't properly updated, which is a duty for the sysadmin.</li><li>Then you have some managers not thinking about security at all, not motivating their programmers enough to think about the implications of bad code, even when told about it, which does add a big deal to the equation. Such projects have a short lifespan till they get discovered and abused/defaced to some 3l1ghT s1t3.</li></ul><p>I've been on both sides of the camp, sysadmin and programmer, and have seen a few zombie corpses on the servers I've managed, ready to be hacked if not fixed.</p><p>I've read some replies in this thread where people say everything which is considered harmful should be denied. I think a better approach is sanitizing input towards a harmless string. Removing all harmful characters instead of denying input is a real charm for the user and still a safety for the programmer. If special strings are used, encode. Instead of using raw SQL, use functions that sanitize input at all times.</p><p>When these actions are common, it's nothing but normal that security is taken into consideration; anyone creating value in their applications should be prepared against the unknown; the Internet is a warzone and it's not getting better.</p><p>It's all a matter of routine; create the good routine and most problems will already be solved in advance.</p></htmltext>
<tokenext>I 've got in touch with a few programmers during the time of my ICT period as manager and have noticed a few interesting things : There are not a lot of guys in the PHP world not thinking about the implications of lax security .
They program their code in a few hours/days and consider it done ; time is money so why care about security anyways ?
These guys create a hell for shared hosting ; since their projects tend to be the bridge towards a new security hell of other customers on the same server .
It 's easy to find all the domains attached to an IP for someone with malicious purposes .
A sysadmin can prevent by sandboxing/chrooting as much as possible ; but can not prevent an account ( or more ) to be hacked if the code is programmed bad.There are a few who really think security as necessity ; these applications are mostly hardened towards the latest exploits .
Their projects wo n't bring any clients in danger in a later stage ; unless the server is n't properly updated ; which is a duty for the sysadmin.Then you got some managers not thinking about security at all ; not motivating their programmers enough to think about the implications of bad code , even when told about it ; which does add a big deal to the equation .
Such projects got a short lifespan till they get discovered and abused/defaced to some 3l1ghT s1t3.I 've been in both sides of the camp , sysadmin and programmer and have seen a few zombie corpses on the servers I 've managed ; ready to be hacked if not fixed.I 've read some replies in this thread where people tell everything which is considered harming should be denied .
I think a better approach is sanitizing input towards a harmless string .
Remove all harming characters instead of denying input is a real charm for the user and still a safety for the programmer .
If special strings are used , encode .
Instead of using raw SQL ; use functions sanitizing input all the times.When these actions are common , it 's nothing but normal security is taken into consideration ; anyone creating value in their applications should be prepared against the unknown ; the Internet is a warzone and it 's not getting better.It 's all a matter of routine ; create the good routine and most problems will already be solved in advance .</tokentext>
<sentencetext>I've got in touch with a few programmers during the time of my ICT period as manager and have noticed a few interesting things: There are not a lot of guys in the PHP world not thinking about the implications of lax security.
They program their code in a few hours/days and consider it done; time is money so why care about security anyways?
These guys create a hell for shared hosting; since their projects tend to be the bridge towards a new security hell of other customers on the same server.
It's easy to find all the domains attached to an IP for someone with malicious purposes.
A sysadmin can prevent by sandboxing/chrooting as much as possible; but cannot prevent an account (or more) to be hacked if the code is programmed bad.There are a few who really think security as necessity; these applications are mostly hardened towards the latest exploits.
Their projects won't bring any clients in danger in a later stage; unless the server isn't properly updated; which is a duty for the sysadmin.Then you got some managers not thinking about security at all; not motivating their programmers enough to think about the implications of bad code, even when told about it; which does add a big deal to the equation.
Such projects got a short lifespan till they get discovered and abused/defaced to some 3l1ghT s1t3.I've been in both sides of the camp, sysadmin and programmer and have seen a few zombie corpses on the servers I've managed; ready to be hacked if not fixed.I've read some replies in this thread where people tell everything which is considered harming should be denied.
I think a better approach is sanitizing input towards a harmless string.
Remove all harming characters instead of denying input is a real charm for the user and still a safety for the programmer.
If special strings are used, encode.
Instead of using raw SQL; use functions sanitizing input all the times.When these actions are common, it's nothing but normal security is taken into consideration; anyone creating value in their applications should be prepared against the unknown; the Internet is a warzone and it's not getting better.It's all a matter of routine; create the good routine and most problems will already be solved in advance.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31313792</id>
	<title>Re:PHP security object</title>
	<author>DeanLearner</author>
	<datestamp>1267444140000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Thanks for the response.

By the sounds of it I am sanitising as well (though not good at explaining it!).

I've made my own framework that expects an email address for a field marked as email, a date for a date field and so on.</htmltext>
<tokenext>Thanks for the response .
By the sounds of it I am sanitising as well ( though not good at explaining it ! ) .
I 've made my own framework that expects an email address for a field marked as email , a date for a date field and so on .</tokentext>
<sentencetext>Thanks for the response.
By the sounds of it I am sanitising as well (though not good at explaining it!).
I've made my own framework that expects an email address for a field marked as email, a date for a date field and so on.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283982</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285736</id>
	<title>Re:It is a sad world we live in.</title>
	<author>DarkOx</author>
	<datestamp>1267203420000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>I am with you on thee through 4, and you probably should or are doing 1 because you want to be able to help the user put the right information in fields, check onblur and give some useful feedback, but spending a lot of time on careful input validation at the client level with web is pretty pointless.  Anyone doing something malicious does not have to use your interface at all.</p></htmltext>
<tokenext>I am with you on thee through 4 , and you probably should or are doing 1 because you want to be able to help the user put the right information in fields , check onblur and give some useful feedback but spending a lot of time on careful input validation at the client level with web is pretty pointless .
Anyone doing something malicious does not have to use your interface at all .</tokentext>
<sentencetext>I am with you on thee through 4, and you probably should or are doing 1 because you want to be able to help the user put the right information in fields, check onblur and give some useful feedback but spending a lot of time on careful input validation at the client level with web is pretty pointless.
Anyone doing something malicious does not have to use your interface at all.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283670</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267190880000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>Note: I even admit in my profile I'm a bad web developer.</p><p>I have JFGI, but most of the stuff I've found leads me to articles I don't fully understand how to implement. I mostly code simple websites for my school and friends that have little db interaction, but I'd rather learn to do it right from the beginning, so if anyone has some links to good articles for beginners to understand how to properly secure their SQL code, I'd be happy for the help.</p></htmltext>
<tokenext>Note : I even admit in my profile I 'm a bad web developer.I have JFGI , but most of the stuff I 've found leads me to articles I do n't fully understand how to implement .
I mostly code simple websites for my school and friends that have little db interaction , but I 'd rather learn to do it right from the beginning , so if anyone has some links to good articles for beginners to understand how to properly secure their SQL code , I 'd be happy for the help .</tokentext>
<sentencetext>Note: I even admit in my profile I'm a bad web developer. I have JFGI, but most of the stuff I've found leads me to articles I don't fully understand how to implement.
I mostly code simple websites for my school and friends that have little db interaction, but I'd rather learn to do it right from the beginning, so if anyone has some links to good articles for beginners to understand how to properly secure their SQL code, I'd be happy for the help.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284022</id>
	<title>Just bind!</title>
	<author>Angvaw</author>
	<datestamp>1267194240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><a href="http://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:23863706595353#68977084133974" title="oracle.com" rel="nofollow">Just bind!</a> [oracle.com]</p></htmltext>
<tokenext>Just bind !
[ oracle.com ]</tokentext>
<sentencetext>Just bind!
[oracle.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572</id>
	<title>limit the length and content of what you accept</title>
	<author>bl8n8r</author>
	<datestamp>1267189800000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>This isn't a new concept, just one that people have been removed from.</p><p>my $MAX_QUERY = 1024;&nbsp; &nbsp; # longest query string accepted (example limit)<br>my $QUERY_STRING = $ENV{QUERY_STRING} || '';&nbsp; &nbsp; # raw CGI query string<br>if (length($QUERY_STRING) &gt; $MAX_QUERY)<br>{<br>
&nbsp; &nbsp; print "*Boom* Check server for smoke!";<br>
&nbsp; &nbsp; exit;<br>}</p><p># only allow characters 0 through 9 and upper/lowercase a-z<br>my $Input = $QUERY_STRING;<br>$Input =~ s/[^0-9a-zA-Z]//g;</p></htmltext>
<tokenext>This is n't a new concept , just one that people have been removed from .
my $ MAX_QUERY = 1024 ; # longest query string accepted ( example limit ) my $ QUERY_STRING = $ ENV { QUERY_STRING } || '' ; # raw CGI query string if ( length ( $ QUERY_STRING ) &gt; $ MAX_QUERY ) { print " * Boom * Check server for smoke ! " ; exit ; } # only allow characters 0 through 9 and upper/lowercase a-z my $ Input = $ QUERY_STRING ; $ Input = ~ s/ [ ^ 0-9a-zA-Z ] //g ;</tokentext>
<sentencetext>This isn't a new concept, just one that people have been removed from.
my $MAX_QUERY = 1024;    # longest query string accepted (example limit)
my $QUERY_STRING = $ENV{QUERY_STRING} || '';    # raw CGI query string
if (length($QUERY_STRING) &gt; $MAX_QUERY) {
    print "*Boom* Check server for smoke!";
    exit;
}
# only allow characters 0 through 9 and upper/lowercase a-z
my $Input = $QUERY_STRING;
$Input =~ s/[^0-9a-zA-Z]//g;</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284832</id>
	<title>Huh</title>
	<author>tthomas48</author>
	<datestamp>1267198740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>No one's pointing out the smaller half of the problem. If you are displaying errors you're doing most of the hackers' work for them.</p></htmltext>
<tokenext>No one 's pointing out the smaller half of the problem .
If you are displaying errors you 're doing most of the hackers ' work for them .</tokentext>
<sentencetext>No one's pointing out the smaller half of the problem.
If you are displaying errors you're doing most of the hackers' work for them.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338</id>
	<title>Lemme be the first to say</title>
	<author>bytesex</author>
	<datestamp>1267186260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Use perl.  Because the support both in java and php for applying regexes and preparing SQL statements has been late, convoluted and lacking.</p></htmltext>
<tokenext>Use perl .
Because the support both in java and php for applying regexes and preparing SQL statements has been late , convoluted and lacking .</tokentext>
<sentencetext>Use perl.
Because the support both in java and php for applying regexes and preparing SQL statements has been late, convoluted and lacking.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284060</id>
	<title>I produced a video on SQL injections -</title>
	<author>JRHelgeson</author>
	<datestamp>1267194480000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>I wanted it to be short, easy for management to understand (even non-technical). Definitely worth watching, IMHO.</p><p><a href="http://www.youtube.com/watch?v=jMQ2wdOmMIA" title="youtube.com">http://www.youtube.com/watch?v=jMQ2wdOmMIA</a> [youtube.com]</p></htmltext>
<tokenext>I wanted it to be short , easy for management to understand ( even non-technical ) .
Definitely worth watching , IMHO . http : //www.youtube.com/watch ? v = jMQ2wdOmMIA [ youtube.com ]</tokentext>
<sentencetext>I wanted it to be short, easy for management to understand (even non-technical).
Definitely worth watching, IMHO. http://www.youtube.com/watch?v=jMQ2wdOmMIA [youtube.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284428</id>
	<title>RCOMX is the problem</title>
	<author>Anonymous</author>
	<datestamp>1267196580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>A quick google finds that the problem actually exists on hundreds of websites, all driven by RCOMX - http://www.linusinc.com/</p><p>Doubtful this will be fixed anytime soon!</p></htmltext>
<tokenext>A quick google finds that the problem actually exists on hundreds of websites , all driven by RCOMX - http : //www.linusinc.com/ Doubtful this will be fixed anytime soon !</tokentext>
<sentencetext>A quick google finds that the problem actually exists on hundreds of websites, all driven by RCOMX - http://www.linusinc.com/ Doubtful this will be fixed anytime soon!</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283822</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267192620000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>How is persistence a bad idea?  Persistence libraries make it easy to manipulate the data in an object oriented way and with sensible caching most performance issues become non-issues.</p><p>Having said that, Hibernate (for example) uses parameterized statements under the hood, so sql injection is also a non-issue. Lots of problems solved :)</p></htmltext>
<tokenext>How is persistence a bad idea ?
Persistence libraries make it easy to manipulate the data in an object oriented way and with sensible caching most performance issues become non-issues . Having said that , Hibernate ( for example ) uses parameterized statements under the hood , so sql injection is also a non-issue .
Lots of problems solved : )</tokentext>
<sentencetext>How is persistence a bad idea?
Persistence libraries make it easy to manipulate the data in an object oriented way and with sensible caching most performance issues become non-issues. Having said that, Hibernate (for example) uses parameterized statements under the hood, so sql injection is also a non-issue.
Lots of problems solved :)</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284716</id>
	<title>Use access control</title>
	<author>Anonymous</author>
	<datestamp>1267198140000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>When setting up a system I always set up both a readwrite and readonly database user, granting only SELECT for the readonly user.  Many web apps are "SELECT-only" that grab info out of a database and display it.  Requiring these apps to use the readonly user adds another layer of protection should the web programmer code unsafely.  Note that a hacker can still get info out of the database using injection, but can't put stuff in, or delete your data.</p></htmltext>
<tokenext>When setting up a system I always set up both a readwrite and readonly database user , granting only SELECT for the readonly user .
Many web apps are " SELECT-only " that grab info out of a database and display it .
Requiring these apps to use the readonly user adds another layer of protection should the web programmer code unsafely .
Note that a hacker can still get info out of the database using injection , but ca n't put stuff in , or delete your data .</tokentext>
<sentencetext>When setting up a system I always set up both a readwrite and readonly database user, granting only SELECT for the readonly user.
Many web apps are "SELECT-only" that grab info out of a database and display it.
Requiring these apps to use the readonly user adds another layer of protection should the web programmer code unsafely.
Note that a hacker can still get info out of the database using injection, but can't put stuff in, or delete your data.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284240</id>
	<title>Vulnerable Sites</title>
	<author>Anonymous</author>
	<datestamp>1267195500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Thanks for leading us to a list of vulnerable sites!</p><p><a href="http://www.google.com/search?hl=en&amp;q=inurl:menu.asp+inurl:locationid+restaurant" title="google.com" rel="nofollow">List of vulnerable sites</a> [google.com]</p></htmltext>
<tokenext>Thanks for leading us to a list of vulnerable sites ! List of vulnerable sites [ google.com ]</tokentext>
<sentencetext>Thanks for leading us to a list of vulnerable sites! List of vulnerable sites [google.com]</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283836</id>
	<title>Re:Lemme be the first to say</title>
	<author>ArsenneLupin</author>
	<datestamp>1267192800000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Although there might be lots of reasons to use Perl rather than Java (and vice-versa), security against SQL injections is not one of them. Java JDBC has been supporting <a href="http://java.sun.com/j2se/1.4.2/docs/api/java/sql/PreparedStatement.html" title="sun.com">wildcards (parameters)</a> [sun.com] (using <tt>statement.setObject(pos,value);</tt>) since day one.</htmltext>
<tokenext>Although there might be lots of reasons to use Perl rather than Java ( and vice-versa ) , security against SQL injections is not one of them .
Java JDBC has been supporting wildcards ( parameters ) [ sun.com ] ( using statement.setObject ( pos,value ) ; ) since day one .</tokentext>
<sentencetext>Although there might be lots of reasons to use Perl rather than Java (and vice-versa), security against SQL injections is not one of them.
Java JDBC has been supporting wildcards (parameters) [sun.com] (using statement.setObject(pos,value);) since day one.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285624</id>
	<title>Re:It is a sad world we live in.</title>
	<author>Anonymous</author>
	<datestamp>1267202880000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>In the early days of the Internet there was a mantra along the lines of "be strict in what you send, and liberal in what you receive".</p><p>The general idea is that you should expect all kinds of input. It's up to you to ensure that data is fit for purpose inside your program.</p><p>There's a whole new generation with little respect for the history of computing and the mistakes endured: data validation, software patents and licensing, open standards and compatibility, etc. But then there's a whole generation of businessmen who will employ the cheapest "developer" to deliver something that appears functional and brings in money - what incentive have they for fault tolerance, for allowing the fringe that use text browsers to access their site, for preventing distribution of exploits?</p></htmltext>
<tokenext>In the early days of the Internet there was a mantra along the lines of " be strict in what you send , and liberal in what you receive " .
The general idea is that you should expect all kinds of input .
It 's up to you to ensure that data is fit for purpose inside your program .
There 's a whole new generation with little respect for the history of computing and the mistakes endured : data validation , software patents and licensing , open standards and compatibility , etc .
But then there 's a whole generation of businessmen who will employ the cheapest " developer " to deliver something that appears functional and brings in money - what incentive have they for fault tolerance , for allowing the fringe that use text browsers to access their site , for preventing distribution of exploits ?</tokentext>
<sentencetext>In the early days of the Internet there was a mantra along the lines of "be strict in what you send, and liberal in what you receive".
The general idea is that you should expect all kinds of input.
It's up to you to ensure that data is fit for purpose inside your program.
There's a whole new generation with little respect for the history of computing and the mistakes endured: data validation, software patents and licensing, open standards and compatibility, etc.
But then there's a whole generation of businessmen who will employ the cheapest "developer" to deliver something that appears functional and brings in money - what incentive have they for fault tolerance, for allowing the fringe that use text browsers to access their site, for preventing distribution of exploits?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283862</id>
	<title>Re:limit the length and content of what you accept</title>
	<author>Anonymous</author>
	<datestamp>1267193040000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>So, no names with accents? No emails with "-" or "." or "+" or whatever freaking character is legal? In many *Western* countries " ' " is a valid character in names/surnames (O'Neill -&gt; http://en.wikipedia.org/wiki/O%27Neill_%28surname%29). And let's not start to mention countries with non-Latin alphabets, which are where the majority of people in the world live.</p></htmltext>
<tokenext>So , no names with accents ?
No emails with " - " or " . " or " + " or whatever freaking character is legal ?
In many * Western * countries " ' " is a valid character in names/surnames ( O'Neill - &gt; http : //en.wikipedia.org/wiki/O%27Neill_%28surname%29 ) .
And let 's not start to mention countries with non-Latin alphabets , which are where the majority of people in the world live .</tokentext>
<sentencetext>So, no names with accents?
No emails with "-" or "." or "+" or whatever freaking character is legal?
In many *Western* countries " ' " is a valid character in names/surnames (O'Neill -&gt; http://en.wikipedia.org/wiki/O%27Neill_%28surname%29).
And let's not start to mention countries with non-Latin alphabets, which are where the majority of people in the world live.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283534</id>
	<title>PHP security object</title>
	<author>Anonymous</author>
	<datestamp>1267189200000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>I create a security object that stores $_GET and $_POST as arrays and escapes all the contained details, once this is done I blitz both $_GET and $_POST so they can't accidentally be called within the programme.<br> <br>
From this point to call a get variable you need to call $security-&gt;get('name');<br> <br>
This object also checks for dodgy content like scripts and the like and further down the line, each input is checked for proper formatting.<br> <br>
I'm wondering though, what else should I be doing?</htmltext>
<tokenext>I create a security object that stores $ _GET and $ _POST as arrays and escapes all the contained details , once this is done I blitz both $ _GET and $ _POST so they ca n't accidentally be called within the programme .
From this point to call a get variable you need to call $ security- &gt; get ( 'name ' ) ;
This object also checks for dodgy content like scripts and the like and further down the line , each input is checked for proper formatting .
I 'm wondering though , what else should I be doing ?</tokentext>
<sentencetext>I create a security object that stores $_GET and $_POST as arrays and escapes all the contained details, once this is done I blitz both $_GET and $_POST so they can't accidentally be called within the programme.
From this point to call a get variable you need to call $security-&gt;get('name');
This object also checks for dodgy content like scripts and the like and further down the line, each input is checked for proper formatting.
I'm wondering though, what else should I be doing?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284526</id>
	<title>Re:Use a persistence library</title>
	<author>digitalaudiorock</author>
	<datestamp>1267197120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>For those using php, ADOdb is a great way of doing this, and also adds a lot of great functions similar to the perl DBI:

<a href="http://adodb.sourceforge.net/" title="sourceforge.net" rel="nofollow">http://adodb.sourceforge.net/</a> [sourceforge.net]</htmltext>
<tokenext>For those using php , ADOdb is a great way of doing this , and also adds a lot of great functions similar to the perl DBI : http : //adodb.sourceforge.net/ [ sourceforge.net ]</tokentext>
<sentencetext>For those using php, ADOdb is a great way of doing this, and also adds a lot of great functions similar to the perl DBI:

http://adodb.sourceforge.net/ [sourceforge.net]</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283754</id>
	<title>USDA likes to put SQL strings in their URLS</title>
	<author>RaigetheFury</author>
	<datestamp>1267191780000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>2</modscore>
	<htmltext><p>If you look for a while you'll find them. The developers replied to me with "It's perfectly fine". While it seems they do parse this information isn't that screaming "Exploit me!"</p></htmltext>
<tokenext>If you look for a while you 'll find them .
The developers replied to me with " It 's perfectly fine " .
While it seems they do parse this information is n't that screaming " Exploit me ! "</tokentext>
<sentencetext>If you look for a while you'll find them.
The developers replied to me with "It's perfectly fine".
While it seems they do parse this information isn't that screaming "Exploit me!"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31316288</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>hesaigo999ca</author>
	<datestamp>1267459560000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Thank you for that, I had not even thought of that, but I guess a greatly designed db, could also have a view per user for most info. Being that a terabyte now is 100$ at bestbuy, it would be cheap to make your db bigger, and use more views for users, which forces the record lines to be exactly their records none else. So instead of passing in any sort of parameter like ids etc...then you use the name of the view as per user name plus table, and voila, instant security, plus super speed for being precompiled to exactly what the user needs nothing more or less. Going to have to try that sometime...!!!</p></htmltext>
<tokenext>Thank you for that , I had not even thought of that , but I guess a greatly designed db , could also have a view per user for most info .
Being that a terabyte now is 100 $ at bestbuy , it would be cheap to make your db bigger , and use more views for users , which forces the record lines to be exactly their records none else .
So instead of passing in any sort of parameter like ids etc...then you use the name of the view as per user name plus table , and voila , instant security , plus super speed for being precompiled to exactly what the user needs nothing more or less .
Going to have to try that sometime... ! ! !</tokentext>
<sentencetext>Thank you for that, I had not even thought of that, but I guess a greatly designed db, could also have a view per user for most info.
Being that a terabyte now is 100$ at bestbuy, it would be cheap to make your db bigger, and use more views for users, which forces the record lines to be exactly their records none else.
So instead of passing in any sort of parameter like ids etc...then you use the name of the view as per user name plus table, and voila, instant security, plus super speed for being precompiled to exactly what the user needs nothing more or less.
Going to have to try that sometime...!!!</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283832</id>
	<title>Re:limit the length and content of what you accept</title>
	<author>Dunbal</author>
	<datestamp>1267192800000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>2</modscore>
	<htmltext><p>I agree. Just like any regular program, input must be reduced to an EXPECTED set of values. Bounds checking must be performed. Anything outside that strict set of values must be rejected offhand and an error message provided. This is programming 101.</p><p>Unfortunately when HTML, PHP and SQL went "mainstream", these core programming concepts didn't get passed along. Frankly I say let "evolution" take care of/teach sloppy web developers - the smarter ones will have backups and be able to fix their problems. What really gets me is when you see large, allegedly professional sites taken down by something as silly as this.</p></htmltext>
<tokenext>I agree .
Just like any regular program , input must be reduced to an EXPECTED set of values .
Bounds checking must be performed .
Anything outside that strict set of values must be rejected offhand and an error message provided .
This is programming 101 .
Unfortunately when HTML , PHP and SQL went " mainstream " , these core programming concepts did n't get passed along .
Frankly I say let " evolution " take care of/teach sloppy web developers - the smarter ones will have backups and be able to fix their problems .
What really gets me is when you see large , allegedly professional sites taken down by something as silly as this .</tokentext>
<sentencetext>I agree.
Just like any regular program, input must be reduced to an EXPECTED set of values.
Bounds checking must be performed.
Anything outside that strict set of values must be rejected offhand and an error message provided.
This is programming 101.
Unfortunately when HTML, PHP and SQL went "mainstream", these core programming concepts didn't get passed along.
Frankly I say let "evolution" take care of/teach sloppy web developers - the smarter ones will have backups and be able to fix their problems.
What really gets me is when you see large, allegedly professional sites taken down by something as silly as this.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284204</id>
	<title>Re:Use a persistence library</title>
	<author>moreati</author>
	<datestamp>1267195260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Sure you're aware of this, but to make it clear for everyone. Python, Perl and other languages don't require extra libraries to do parameterized queries either. In Python the pattern is</p><p>import db_module<br>conn = db_module.connect('user/pass@host')<br>curs = conn.cursor()<br>curs.execute('select field1, field2 from table1 where field3 = ? and field4 = ?', ('foo', 7.6))<br>curs.fetchall()</p><p>Exactly the same number of lines as doing it with string munging, but type safe and zero chance of sql injection.</p></htmltext>
<tokenext>Sure you 're aware of this , but to make it clear for everyone .
Python , Perl and other languages do n't require extra libraries to do parameterized queries either .
In Python the pattern is
import db_module
conn = db_module.connect ( 'user/pass @ host ' )
curs = conn.cursor ( )
curs.execute ( 'select field1 , field2 from table1 where field3 = ? and field4 = ? ' , ( 'foo ' , 7.6 ) )
curs.fetchall ( )
Exactly the same number of lines as doing it with string munging , but type safe and zero chance of sql injection .</tokentext>
<sentencetext>Sure you're aware of this, but to make it clear for everyone.
Python, Perl and other languages don't require extra libraries to do parameterized queries either.
In Python the pattern is
import db_module
conn = db_module.connect('user/pass@host')
curs = conn.cursor()
curs.execute('select field1, field2 from table1 where field3 = ? and field4 = ?', ('foo', 7.6))
curs.fetchall()
Exactly the same number of lines as doing it with string munging, but type safe and zero chance of sql injection.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285248</id>
	<title>List of vulnerable sites</title>
	<author>Anonymous</author>
	<datestamp>1267201140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><a href="http://www.google.com/search?hl=en&amp;q=inurl:menu.asp+inurl:locationid+restaurant" title="google.com" rel="nofollow">Thanks</a> [google.com]. For giving us a list of targets.</p><p>I am not sure if the author meant to give away this information, but I would be a little upset.</p><p>It isn't too far off to find this exact site, knowing the images and basic layout of the site.</p></htmltext>
<tokenext>Thanks [ google.com ] .
For giving us a list of targets . I am not sure if the author meant to give away this information , but I would be a little upset . It is n't too far off to find this exact site , knowing the images and basic layout of the site .</tokentext>
<sentencetext>Thanks [google.com].
For giving us a list of targets. I am not sure if the author meant to give away this information, but I would be a little upset. It isn't too far off to find this exact site, knowing the images and basic layout of the site.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284118</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>Qzukk</author>
	<datestamp>1267194900000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The idea is that instead of creating a "users" table and filling it with your users, the user is created as a database user, and their username and password is handed straight to the database during the connection process.  If it connects, the user had a valid username/password.  If it doesn't connect, the user didn't.  If you have a million users, then your database server would need to be able to handle having a million different users each with different levels of access on different tables/rows/columns/etc.</p><p>Aside from the problem of having the database wade through a million users to decide if you have permission to perform every last query, the process of finding out whether a user has permission to perform a query in advance is usually a hairy system-level (possibly db-version-specific, new system catalog next version) query, but if you don't do that, then you get users raging at you because they spent their time filling out a form and it threw an error at them when they hit save and now it's all gone and they want that 30 minutes of their life back.</p><p>The other problem is that for most database servers, db accounts are server/cluster-wide, meaning that on any kind of shared hosting, everyone's usernames have to be distinct across people you don't even know about.</p></htmltext>
<tokenext>The idea is that instead of creating a " users " table and filling it with your users , the user is created as a database user , and their username and password is handed straight to the database during the connection process .
If it connects , the user had a valid username/password .
If it does n't connect , the user did n't .
If you have a million users , then your database server would need to be able to handle having a million different users each with different levels of access on different tables/rows/columns/etc . Aside from the problem of having the database wade through a million users to decide if you have permission to perform every last query , the process of finding out whether a user has permission to perform a query in advance is usually a hairy system-level ( possibly db-version-specific , new system catalog next version ) query , but if you do n't do that , then you get users raging at you because they spent their time filling out a form and it threw an error at them when they hit save and now it 's all gone and they want that 30 minutes of their life back . The other problem is that for most database servers , db accounts are server/cluster-wide , meaning that on any kind of shared hosting , everyone 's usernames have to be distinct across people you do n't even know about .</tokentext>
<sentencetext>The idea is that instead of creating a "users" table and filling it with your users, the user is created as a database user, and their username and password is handed straight to the database during the connection process.
If it connects, the user had a valid username/password.
If it doesn't connect, the user didn't.
If you have a million users, then your database server would need to be able to handle having a million different users each with different levels of access on different tables/rows/columns/etc. Aside from the problem of having the database wade through a million users to decide if you have permission to perform every last query, the process of finding out whether a user has permission to perform a query in advance is usually a hairy system-level (possibly db-version-specific, new system catalog next version) query, but if you don't do that, then you get users raging at you because they spent their time filling out a form and it threw an error at them when they hit save and now it's all gone and they want that 30 minutes of their life back. The other problem is that for most database servers, db accounts are server/cluster-wide, meaning that on any kind of shared hosting, everyone's usernames have to be distinct across people you don't even know about.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283698</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31292978</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>Jaime2</author>
	<datestamp>1267191780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>What about three-tier applications?  For connection pooling to work properly, the middle tier should always connect to the database as the same application user.  Having the middle tier connect as the actual user running the application makes connections non-shareable.  So, the application user needs access to everything that any user could potentially need access to.  Also, the database isn't even aware of who the request is sent on behalf of.<br>
<br>
Database-level permission also prohibits caching in the middle tier.  Since the middle tier can't be trusted to make security determinations, it would always have to re-fetch data to ensure that proper security is applied.  Caching is the single most powerful performance enhancement tool.</htmltext>
<tokenext>What about three tier applications ?
For connection pooling to work properly , the middle tier should always connect to the database as the same application user .
Having the middle tier connect as the actual user running the application makes connections non-shareable .
So , the application user needs access to everything that any user could potentially need access to .
Also , the database is n't even aware of who the request is sent on behalf of .
Database-level permission also prohibits caching in the middle tier .
Since the middle tier ca n't be trusted to make security determinations , it would always have to re-fetch data to ensure that proper security is applied .
Caching is the single most powerful performance enhancement tool .</tokentext>
<sentencetext>What about three tier applications?
For connection pooling to work properly, the middle tier should always connect to the database as the same application user.
Having the middle tier connect as the actual user running the application makes connections non-shareable.
So, the application user needs access to everything that any user could potentially need access to.
Also, the database isn't even aware of who the request is sent on behalf of.
Database-level permission also prohibits caching in the middle tier.
Since the middle tier can't be trusted to make security determinations, it would always have to re-fetch data to ensure that proper security is applied.
Caching is the single most powerful performance enhancement tool.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293286</id>
	<title>Re:limit the length and content of what you accept</title>
	<author>shutdown -p now</author>
	<datestamp>1267193760000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p><div class="quote"><p>I agree. Just like any regular program, input must be reduced to an EXPECTED set of values.</p> </div><p>This is good advice, but not when applied to this example. You do not want to restrict what users type for their name in any way (as a bunch of replies already point out, GP has missed a few obvious things... and then, what if I'm Russian or Japanese, and want to use my original alphabet?). All that needs to be done is properly <em>escaping</em> any unsafe chars (and for those, the set is known and well-defined); leave everything else be.</p></div>
	</htmltext>
<tokenext>I agree .
Just like any regular program , input must be reduced to an EXPECTED set of values .
This is good advice , but not when applied to this example .
You do not want to restrict what users type for their name in any way ( as a bunch of replies already point out , GP has missed a few obvious things... and then , what if I 'm Russian or Japanese , and want to use my original alphabet ? ) .
All that needs to be done is properly escaping any unsafe chars ( and for those , the set is known and well-defined ) ; leave everything else be .</tokentext>
<sentencetext>I agree.
Just like any regular program, input must be reduced to an EXPECTED set of values.
This is good advice, but not when applied to this example.
You do not want  to restrict what users type for their name in any way (as a bunch of replies already point out, GP has missed a few obvious things... and then, what if I'm Russian or Japanese, and want to use my original alphabet?).
All that needs to be done is properly escaping any unsafe chars (and for those, the set is known and well-defined); leave everything else be.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283832</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286906</id>
	<title>Re:It is a sad world we live in.</title>
	<author>FoolishOwl</author>
	<datestamp>1267207380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>I found this post a relief, as it makes perfect sense to me.</p><p>I am, relatively late in life, studying for certification in system administration and LAMP administration. When some of the posts in here complain about the "pointy-clicky types" who ignorantly create security holes, I was afraid I'm setting myself up to be that sort of person.</p><p>But, I get the general concept of input validation. In fact, it's such a fundamental concept that I'm astonished that professional developers don't always get it. A few years ago, I decided I should go back to school and into IT when I used a shiny, new program developed in-house by my employers, that would crash if you pressed a letter key at a menu.</p><p>In fact, I thought the point of using Perl for Web development was the excellence of its regexp features, facilitating input validation and manipulation.</p></htmltext>
<tokenext>I found this post a relief , as it makes perfect sense to me. I am , relatively late in life , studying for certification in system administration and LAMP administration .
When some of the posts in here complain about the " pointy-clicky types " who ignorantly create security holes , I was afraid I 'm setting myself up to be that sort of person. But , I get the general concept of input validation .
In fact , it 's such a fundamental concept that I 'm astonished that professional developers do n't always get it .
A few years ago , I decided I should go back to school and into IT when I used a shiny , new program developed in-house by my employers , that would crash if you pressed a letter key at a menu. In fact , I thought the point of using Perl for Web development was the excellence of its regexp features , facilitating input validation and manipulation .</tokentext>
<sentencetext>I found this post a relief, as it makes perfect sense to me. I am, relatively late in life, studying for certification in system administration and LAMP administration.
When some of the posts in here complain about the "pointy-clicky types" who ignorantly create security holes, I was afraid I'm setting myself up to be that sort of person. But, I get the general concept of input validation.
In fact, it's such a fundamental concept that I'm astonished that professional developers don't always get it.
A few years ago, I decided I should go back to school and into IT when I used a shiny, new program developed in-house by my employers, that would crash if you pressed a letter key at a menu. In fact, I thought the point of using Perl for Web development was the excellence of its regexp features, facilitating input validation and manipulation.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267183620000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>A simpler way is to use a <a href="http://en.wikipedia.org/wiki/SQL\_injection#Parameterized\_statements" title="wikipedia.org" rel="nofollow">parametrized statement</a> [wikipedia.org]. No extra libraries if you are using Java, .NET, or PHP5.</p></htmltext>
<tokenext>A simpler way is to use a parametrized statement [ wikipedia.org ] .
No extra libraries if you are using Java , .NET , or PHP5 .</tokentext>
<sentencetext>A simpler way is to use a parametrized statement [wikipedia.org].
No extra libraries if you are using Java, .NET, or PHP5.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293262</id>
	<title>Re:Lemme be the first to say</title>
	<author>shutdown -p now</author>
	<datestamp>1267193580000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>Use perl. Because the support both in java and php for applying regexes and preparing SQL statements has been late, convoluted and lacking.</p></div><p>If you're using regexes to prepare SQL statements, you're part of the problem.</p><p>If you're not, then please kindly explain what your comment was all about.</p></div>
	</htmltext>
<tokenext>Use perl .
Because the support both in java and php for applying regexes and preparing SQL statements has been late , convoluted and lacking. If you 're using regexes to prepare SQL statements , you 're part of the problem. If you 're not , then please kindly explain what your comment was all about .</tokentext>
<sentencetext>Use perl.
Because the support both in java and php for applying regexes and preparing SQL statements has been late, convoluted and lacking. If you're using regexes to prepare SQL statements, you're part of the problem. If you're not, then please kindly explain what your comment was all about.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284660</id>
	<title>Ouch - This just hit home</title>
	<author>Anonymous</author>
	<datestamp>1267197840000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext>Posting anon as I wouldn't want to expose our website.


We had our company website designed and hosted by an outside company. I always assumed it would be secure; I check the sites I produce for this kind of thing. Parameterising, sanity checking, etc.


I looked over our company website for a similar avenue of attack and added the tick. SQL Error! Added " or 1=1" and, bingo, a whole load of pages scrunched onto the one browser page.


I had an interesting conversation with the producing company...</htmltext>
<tokenext>Posting anon as I would n't want to expose our website .
We had our company website designed and hosted by an outside company .
I always assumed it would be secure ; I check the sites I produce for this kind of thing .
Parameterising , sanity checking , etc .
I looked over our company website for a similar avenue of attack and added the tick .
SQL Error !
Added " or 1 = 1 " and bingo a whole load of pages scrunched onto the one browser page .
I had an interesting conversation with the producing company.. .</tokentext>
<sentencetext>Posting anon as I wouldn't want to expose our website.
We had our company website designed and hosted by an outside company.
I always assumed it would be secure; I check the sites I produce for this kind of thing.
Parameterising, sanity checking, etc.
I looked over our company website for a similar avenue of attack and added the tick.
SQL Error!
Added " or 1=1" and bingo a whole load of pages scrunched onto the one browser page.
I had an interesting conversation with the producing company...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267183200000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Persistence is just a bad idea: it hides the real performance issues of how databases work, and limits how you can easily manipulate the data.  A better idea is just to always use bind variables.  Problem solved.</p></htmltext>
<tokenext>Persistence is just a bad idea : it hides the real performance issues of how databases work , and limits how you can easily manipulate the data .
A better idea is just to always use bind variables .
Problem solved .</tokentext>
<sentencetext>Persistence is just a bad idea: it hides the real performance issues of how databases work, and limits how you can easily manipulate the data.
A better idea is just to always use bind variables.
Problem solved.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036</parent>
</comment>
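The two replies above recommend parametrized statements and bind variables without showing what they change. The following is an added example, not code from the thread or from any project it mentions: it builds a constructed students table in SQLite and contrasts pasting a request value into the SQL text with binding it as a parameter, then adds the strict-typing layer other replies in this thread ask for. All table and function names are assumptions for the demonstration.

```python
"""Added example, not code from the thread or from any project it mentions.
It shows the difference between pasting a querystring value into SQL text
and binding it as a parameter, using SQLite from the standard library."""
import sqlite3

# Constructed sample data standing in for the students table of an ASP site.
SAMPLE_ROWS = [
    (1, "Alice", "public"),
    (2, "Bob", "private"),
    (3, "Carol", "private"),
    (4, "O'Brien", "public"),   # a legitimate name containing a quote
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO students VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_student_concat(conn, raw_id):
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so the database parses it as SQL rather than treating it as data."""
    sql = "SELECT id, name FROM students WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def find_student_bound(conn, raw_id):
    """Bind-variable pattern: the SQL text is fixed and the value travels
    separately, so it can only ever be compared against the id column."""
    sql = "SELECT id, name FROM students WHERE id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def find_by_name_bound(conn, name):
    """Binding also handles legitimate quotes in names with no escaping code."""
    sql = "SELECT id, name FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def parse_student_id(raw_id):
    """Strict typing at the application layer: accept only a decimal integer."""
    if not raw_id.isdigit():
        raise ValueError("student id must be a positive integer")
    return int(raw_id)


def lookup_student(conn, raw_id):
    """Validate first, then bind: the layered approach the thread recommends."""
    return find_student_bound(conn, parse_student_id(raw_id))


if __name__ == "__main__":
    db = make_db()
    print(find_student_concat(db, "1 or 1=1"))   # every row comes back
    print(find_student_bound(db, "1 or 1=1"))    # no row matches
    print(lookup_student(db, "2"))               # [(2, 'Bob')]
```

The bound query treats the whole string "1 or 1=1" as one value to compare against the integer column, so nothing matches, while the typed lookup rejects it before any query is issued.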
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283652</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267190700000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Fun</p></htmltext>
<tokenext>Fun</tokentext>
<sentencetext>Fun</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284028</id>
	<title>Re:Lemme be the first to say</title>
	<author>pooh666</author>
	<datestamp>1267194300000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Support for binding params in PHP has been there a LONG LONG time (5 years, maybe more?); it is the culture that tends not to use it. I discovered it as a kind of odd hack sort of thing, not commonly documented when it first came out. One reason is it had to be adopted; it wasn't a part of PHP to begin with. WHY PHP didn't have it to BEGIN with, that is my issue with PHP. To hold true to its credo, I would think that binding params would be seamless and transparent with no need for a developer to make a choice. That didn't happen for some reason.

I found the same to be true not too long ago with Ruby; it blew my mind when I read about its MySQL interface and "oh, that is coming soon". This was some time ago, but I dropped it right there. Rails could go stuff itself if basics like that were not in place.

So I like Perl too, but you are not accurate in your statement or focus of blame.</htmltext>
<tokenext>Support for binding params in PHP has been there a LONG LONG time ( 5 years , maybe more ? ) ; it is the culture that tends not to use it .
I discovered it as a kind of odd hack sort of thing , not commonly documented when it first came out .
One reason is it had to be adopted , it was n't a part of PHP to begin with .
WHY PHP did n't have it to BEGIN with , that is my issue with PHP .
To hold true to its credo , I would think that binding params would be seamless and transparent with no need for a developer to make a choice .
That did n't happen for some reason .
I found the same to be true not too long ago with Ruby , it blew my mind when I read about its MySQL interface and oh that is coming soon .
This was some time ago , but I dropped it right there .
Rails could go stuff itself if basics like that were not in place .
So I like Perl too , but you are not accurate in your statement or focus of blame .</tokentext>
<sentencetext>Support for binding params in PHP has been there a LONG LONG time (5 years, maybe more?); it is the culture that tends not to use it.
I discovered it as a kind of odd hack sort of thing, not commonly documented when it first came out.
One reason is it had to be adopted, it wasn't a part of PHP to begin with.
WHY PHP didn't have it to BEGIN with, that is my issue with PHP.
To hold true to its credo, I would think that binding params would be seamless and transparent with no need for a developer to make a choice.
That didn't happen for some reason.
I found the same to be true not too long ago with Ruby, it blew my mind when I read about its MySQL interface and oh that is coming soon.
This was some time ago, but I dropped it right there.
Rails could go stuff itself if basics like that were not in place.
So I like Perl too, but you are not accurate in your statement or focus of blame.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</id>
	<title>SQL Injections SHOULD NEVER WORK</title>
	<author>mcalwell</author>
	<datestamp>1267187580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><p>If your code is running at the correct privilege level, SQL injections should be completely irrelevant.</p><p>If your user is connecting with the correct credentials, they should only be able to see public data and their own records, nothing else.</p><p>This is implemented by using views in the database, and only allowing users rights to views, not tables.</p><p>If your website user is connecting with credentials that allow a crafted SQL query to see privileged data, you have set everything up wrong.</p><p>If you have set everything up correctly, even a successful SQL injection will only return data the user can see.</p></htmltext>
<tokenext>If your code is running at the correct privilege level , SQL injections should be completely irrelevant. If your user is connecting with the correct credentials , they should only be able to see public data and their own records , nothing else. This is implemented by using views in the database , and only allowing users rights to views , not tables. If your website user is connecting with credentials that allow a crafted SQL query to see privileged data , you have set everything up wrong. If you have set everything up correctly , even a successful SQL injection will only return data the user can see .</tokentext>
<sentencetext>If your code is running at the correct privilege level, SQL injections should be completely irrelevant. If your user is connecting with the correct credentials, they should only be able to see public data and their own records, nothing else. This is implemented by using views in the database, and only allowing users rights to views, not tables. If your website user is connecting with credentials that allow a crafted SQL query to see privileged data, you have set everything up wrong. If you have set everything up correctly, even a successful SQL injection will only return data the user can see.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31326144</id>
	<title>An ASP site with a querystring for id? C'mon</title>
	<author>shivamib</author>
	<datestamp>1267462260000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Hmm I wonder how one could prevent this kind of mischief? Let's see... using Rails, you could:</p><p>In your Controller:</p><blockquote><div><p> <tt>Student.find(:first, :conditions =&gt; params[:student])</tt></p></div> </blockquote><p>In your View:</p><blockquote><div><p> <tt>&lt;%= h @student.html_summary %&gt;</tt></p></div> </blockquote><p>TFA shows an ASP site with some clear querystring id tied to a WHERE clause? <b>Ack! You lost experience!</b> </p></div>
	</htmltext>
<tokenext>Hmm I wonder how one could prevent this kind of mischief ?
Let 's see... using Rails , you could : In your Controller : Student.find ( : first , : conditions = &gt; params [ : student ] ) In your View : TFA shows an ASP site with some clear querystring id tied to a WHERE clause ?
Ack ! You lost experience !</tokentext>
<sentencetext>Hmm I wonder how one could prevent this kind of mischief?
Let's see... using Rails, you could:In your Controller: Student.find(:first, :conditions =&gt; params[:student]) In your View:  TFA shows an ASP site with some clear querystring id tied to a WHERE clause?
Ack! You lost experience! 
	</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283116</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267183140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Or directly use an ODBMS like Versant with the JDO persistence API. That is nearly unbreakable.</p></htmltext>
<tokenext>Or directly use an ODBMS like Versant with the JDO persistence API .
That is nearly unbreakable .</tokentext>
<sentencetext>Or directly use an ODBMS like Versant with the JDO persistence API.
That is nearly unbreakable.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283698</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>Eivind</author>
	<datestamp>1267191120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Uhm. No.</p><p>Well, yes, but it doesn't help much. True, the web-sql-user should only have access to information it needs to see. But that doesn't help you at all against the fact that a single web-user shouldn't necessarily be able to see everything and do everything the web-server as such can see and do.</p><p>To make a concrete example, if you're making an internet-bank, then the web-frontend needs to be able to see the account-balance and movements of everyone who has internet-banking; it also needs to be able to put in new transactions.</p><p>But it doesn't follow that Joe should be able to see Jane's balance, or to transfer Jane's balance to himself.</p><p>No web-frontend I know of creates and uses one sql-connection, with the appropriate rights, for every user of the web-application. I suspect that'd be very unwieldy to do anyway.</p></htmltext>
<tokenext>Uhm .
No. Well , yes , but it does n't help much .
True , the web-sql-user should only have access to information it needs to see .
But that does n't help you at all against the fact that a single web-user should n't necessarily be able to see everything and do everything the web-server as such can see and do. To make a concrete example , if you 're making an internet-bank , then the web-frontend needs to be able to see the account-balance and movements of everyone who has internet-banking ; it also needs to be able to put in new transactions. But it does n't follow that Joe should be able to see Jane 's balance , or to transfer Jane 's balance to himself. No web-frontend I know of creates and uses one sql-connection , with the appropriate rights , for every user of the web-application .
I suspect that 'd be very unwieldy to do anyway .</tokentext>
<sentencetext>Uhm.
No. Well, yes, but it doesn't help much.
True, the web-sql-user should only have access to information it needs to see.
But that doesn't help you at all against the fact that a single web-user shouldn't necessarily be able to see everything and do everything the web-server as such can see and do. To make a concrete example, if you're making an internet-bank, then the web-frontend needs to be able to see the account-balance and movements of everyone who has internet-banking; it also needs to be able to put in new transactions. But it doesn't follow that Joe should be able to see Jane's balance, or to transfer Jane's balance to himself. No web-frontend I know of creates and uses one sql-connection, with the appropriate rights, for every user of the web-application.
I suspect that'd be very unwieldy to do anyway.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283300</id>
	<title>Re:Use a persistence library</title>
	<author>Anonymous</author>
	<datestamp>1267185660000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Yeah, until someone comes at it with a cross-site scripting attack. ^^</p></htmltext>
<tokenext>Yeah , until someone comes at it with a cross-site scripting attack .
^ ^</tokentext>
<sentencetext>Yeah, until someone comes at it with a cross-site scripting attack.
^^</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283750</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>ArsenneLupin</author>
	<datestamp>1267191780000</datestamp>
	<modclass>Interestin</modclass>
	<modscore>3</modscore>
	<htmltext><p><div class="quote"><p>If your code is running at the correct privilege level, SQL injections should be completely irrelevant.</p></div><p>True, if you run your web app at the correct privilege level, there is no way an SQL injection can be used to root the machine.</p><p>
But it can still be used to corrupt the application itself, which is often more valuable than the system.</p><p>
Example: a gaming application that wants to store a score per user. Even if the app uses a separate DB user per game user, and even if the DB only allows the user himself to update his score, this would not be good enough, because SQL injection might allow a player to assign himself an arbitrary score of his choosing.</p></div>
	</htmltext>
<tokenext>If your code is running at the correct privilege level , SQL injections should be completely irrelevant. True , if you run your web app at the correct privilege level , there is no way an SQL injection can be used to root the machine .
But it can still be used to corrupt the application itself , which is often more valuable than the system .
Example : a gaming application that wants to store a score per user .
Even if the app uses a separate DB user per game user , and even if the DB only allows the user himself to update his score , this would not be good enough , because SQL injection might allow a player to assign himself an arbitrary score of his choosing .</tokentext>
<sentencetext>If your code is running at the correct privilege level, SQL injections should be completely irrelevant. True, if you run your web app at the correct privilege level, there is no way an SQL injection can be used to root the machine.
But it can still be used to corrupt the application itself, which is often more valuable than the system.
Example: a gaming application that wants to store a score per user.
Even if the app uses a separate DB user per game user, and even if the DB only allows the user himself to update his score, this would not be good enough, because SQL injection might allow a player to assign himself an arbitrary score of his choosing.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828</id>
	<title>It is a sad world we live in.</title>
	<author>TaggartAleslayer</author>
	<datestamp>1267192680000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>5</modscore>
	<htmltext><p>I go through this all of the time. Though I call it laziness, it is actually a combination of ignorance, indignation, and laziness.</p><p>Here is a very, very, very simple and very, very, very standard way of keeping SQL injections out. Validate everything at every level. There you go. Done.</p><p>1) Client side matters. Check input, validate it and pass it through to the application layer.<br>2) Application layer matters. Check variable, strictly type it, validate it and pass it through to your data layer.<br>3) Data layer matters. Check argument against strict type, validate it, parameterize it, and pass it off to the database.<br>4) Database matters. Check parameter against strict type, validate it, and run it.</p><p>You run into problems when someone only follows any one of the steps above. You could handle it with a medium level of confidence in areas 2 and 3 (and if you're asking why not 1 and 4, go sit in the corner while the grown-ups talk), but good practice for keeping it clean is validate it at every layer. That doesn't mean every time you touch the information you have to recheck the input, but every time it moves from one core area of the platform to another or hits an area it could be compromised, you do.</p><p>As I said above, the only reason for not following 1-4 is laziness, ignorance, or indignation. SQL injections aren't hard to keep out.</p><p>We're in an age where web development IS enterprise level programming and developers need to treat it as such.</p><p>There, I just saved your organization millions of dollars. Go get a raise on my behalf or something.</p></htmltext>
<tokenext>I go through this all of the time .
Though I call it laziness , it is actually a combination of ignorance , indignation , and laziness. Here is a very , very , very simple and very , very , very standard way of keeping SQL injections out .
Validate everything at every level .
There you go .
Done. 1 ) Client side matters .
Check input , validate it and pass it through to the application layer. 2 ) Application layer matters .
Check variable , strictly type it , validate it and pass it through to your data layer. 3 ) Data layer matters .
Check argument against strict type , validate it , parameterize it , and pass it off to the database. 4 ) Database matters .
Check parameter against strict type , validate it , and run it. You run into problems when someone only follows any one of the steps above .
You could handle it with a medium level of confidence in areas 2 and 3 ( and if you 're asking why not 1 and 4 , go sit in the corner while the grown-ups talk ) , but good practice for keeping it clean is validate it at every layer .
That does n't mean every time you touch the information you have to recheck the input , but every time it moves from one core area of the platform to another or hits an area it could be compromised , you do. As I said above , the only reason for not following 1-4 is laziness , ignorance , or indignation .
SQL injections are n't hard to keep out. We 're in an age where web development IS enterprise level programming and developers need to treat it as such. There , I just saved your organization millions of dollars .
Go get a raise on my behalf or something .</tokentext>
<sentencetext>I go through this all of the time.
Though I call it laziness, it is actually a combination of ignorance, indignation, and laziness.Here is a very, very, very simple and very, very, very standard way of keeping SQL injections out.
Validate everything at every level.
There you go.
Done.1) Client side matters.
Check input, validate it and pass it through to the application layer.2) Application layer matters.
Check variable, strictly type it, validate it and pass it through to your data layer.3) Data layer matters.
Check argument against strict type, validate it, parameterize it, and pass it off to the database.4) Database matters.
Check parameter against strict type, validate it, and run it.You run into problems when someone only follows any one of the steps above.
You could handle it with a medium level of confidence in areas 2 and 3 (and if you're asking why not 1 and 4, go sit in the corner while the grown-ups talk), but good practice for keeping it clean is validate it at every layer.
That doesn't mean every time you touch the information you have to recheck the input, but every time it moves from one core area of the platform to another or hits an area it could be compromised, you do.As I said above, the only reason for not following 1-4 is laziness, ignorance, or indignation.
SQL injections aren't hard to keep out.We're in an age where web development IS enterprise level programming and developers need to treat it as such.There, I just saved your organization millions of dollars.
Go get a raise on my behalf or something.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283440</id>
	<title>Independent Programmers' No-Win Scenario</title>
	<author>Anonymous</author>
	<datestamp>1267187880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Yesterday we read about the problems of individual developers who can't get a foothold in the industry due to a shift towards accountability for software bugs. Today we read about SQL injection vulnerabilities affecting many web sites. Can anybody else see how one is the cause of the other? It is very obvious that a lot of people who should not come anywhere close to a text editor are writing public-facing code. Is there a way to remove these people from the pool other than by making programmers responsible for failing to prevent at least well known attacks? How are serious programmers, who take the time to get it right, supposed to compete when any hack can get away with abysmal code quality?</p></htmltext>
<tokenext>Yesterday we read about the problems of individual developers who ca n't get a foothold in the industry due to a shift towards accountability for software bugs .
Today we read about SQL injection vulnerabilities affecting many web sites .
Can anybody else see how one is the cause of the other ?
It is very obvious that a lot of people who should not come anywhere close to a text editor are writing public-facing code .
Is there a way to remove these people from the pool other than by making programmers responsible for failing to prevent at least well known attacks ?
How are serious programmers , who take the time to get it right , supposed to compete when any hack can get away with abysmal code quality ?</tokentext>
<sentencetext>Yesterday we read about the problems of individual developers who can't get a foothold in the industry due to a shift towards accountability for software bugs.
Today we read about SQL injection vulnerabilities affecting many web sites.
Can anybody else see how one is the cause of the other?
It is very obvious that a lot of people who should not come anywhere close to a text editor are writing public-facing code.
Is there a way to remove these people from the pool other than by making programmers responsible for failing to prevent at least well known attacks?
How are serious programmers, who take the time to get it right, supposed to compete when any hack can get away with abysmal code quality?</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31299824</id>
	<title>Re:I produced a video on SQL injections -</title>
	<author>Anonymous</author>
	<datestamp>1267267140000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Every time I view that video, I can hear email arriving... and then when I check, I haven't got any new emails.</p><p>Does that mean the video guy is hacking me?</p></htmltext>
<tokenext>Every time I view that video , I can hear email arriving... and then when I check , I have n't got any new emails.Does that mean the video guy is hacking me ?</tokentext>
<sentencetext>Every time I view that video, I can hear email arriving... and then when I check, I haven't got any new emails.Does that mean the video guy is hacking me?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284060</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31288210</id>
	<title>Re:Use a persistence library</title>
	<author>IICV</author>
	<datestamp>1267211640000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>Just do one thing: whenever you get any sort of input that the user might have ever possibly touched, name it something like _untrusted. Once you've sanitized the contents of the variable (using whatever method's appropriate for what you're doing) only then put it into .</p></htmltext>
<tokenext>Just do one thing : whenever you get any sort of input that the user might have ever possibly touched , name it something like \ _untrusted .
Once you 've sanitized the contents of the variable ( using whatever method 's appropriate for what you 're doing ) only then put it into .</tokentext>
<sentencetext>Just do one thing: whenever you get any sort of input that the user might have ever possibly touched, name it something like _untrusted.
Once you've sanitized the contents of the variable (using whatever method's appropriate for what you're doing) only then put it into .</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283670</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284336</id>
	<title>Re:SQL Injections SHOULD NEVER WORK</title>
	<author>Anonymous</author>
	<datestamp>1267196160000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><p>That is assuming that each web user has their own database account, and more importantly, their own set of views; this introduces a couple of problems.</p><p>1. No SQL database engine I'm aware of supports "generic views" taking the user as a parameter in a reasonable way. If they did, you might have a case, but the<br>2. One db-user per web-user? If your web-application has more than a few hundred users, your DBA will kill you for this.<br>3. Most web app servers use connection pooling; some DB engines support "switching user" on an open connection, but there are security implications there too. Without user-switching, you screw up performance as establishing a connection is very slow.</p><p>Since you DO have to prevent SQL injections anyway, the price for this strategy is generally too high for the bonuses it brings.</p></htmltext>
<tokenext>That is assuming that each web user has their own database account , and more importantly , their own set of views ; this introduces a couple of problems.1 .
No SQL database engine I 'm aware of supports " generic views " taking the user as a parameter in a reasonable way .
If they did , you might have a case , but the2 .
One db-user per web-user ?
If your web-application has more than a few hundred users , your DBA will kill you for this.3 .
Most web app servers use connection pooling ; some DB engines support " switching user " on an open connection , but there are security implications there too .
Without user-switching , you screw up performance as establishing a connection is very slow.Since you DO have to prevent SQL injections anyway , the price for this strategy is generally too high for the bonuses it brings .</tokentext>
<sentencetext>That is assuming that each web user has their own database account, and more importantly, their own set of views; this introduces a couple of problems.1.
No SQL database engine I'm aware of supports "generic views" taking the user as a parameter in a reasonable way.
If they did, you might have a case, but the2.
One db-user per web-user?
If your web-application has more than a few hundred users, your DBA will kill you for this.3.
Most web app servers use connection pooling; some DB engines support "switching user" on an open connection, but there are security implications there too.
Without user-switching, you screw up performance as establishing a connection is very slow.Since you DO have to prevent SQL injections anyway, the price for this strategy is generally too high for the bonuses it brings.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285150</id>
	<title>This lovely programmer has sold his code around</title>
	<author>Trailer Trash</author>
	<datestamp>1267200540000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext><p>Took me 2 minutes with Google to find other sites that are apparently using the same crappy code with the same vulnerabilities.  "inurl:" does wonders.</p></htmltext>
<tokenext>Took me 2 minutes with Google to find other sites that are apparently using the same crappy code with the same vulnerabilities .
" inurl : " does wonders .</tokentext>
<sentencetext>Took me 2 minutes with Google to find other sites that are apparently using the same crappy code with the same vulnerabilities.
"inurl:" does wonders.</sentencetext>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_20</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283300
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31316288
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_24</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285624
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285736
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284204
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_21</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283836
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284336
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283768
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_25</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293286
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283832
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284306
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283760
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_19</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284356
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283750
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285704
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283822
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286442
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283862
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284526
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31313792
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283982
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283534
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283652
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284028
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_22</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293262
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31288210
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283670
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283116
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_26</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284118
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283698
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286906
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_23</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31299824
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284060
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_10_02_26_0542206_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31292978
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283338
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284028
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293262
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286442
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283836
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283572
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283862
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283832
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31293286
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283828
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285624
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284356
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31286906
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285736
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284716
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283432
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284336
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31316288
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31292978
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283698
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284118
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283750
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284732
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283534
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283982
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31313792
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284060
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31299824
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283760
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284306
</commentlist>
</conversation>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation10_02_26_0542206.2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283036
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283152
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284526
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31285704
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31284204
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283116
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283120
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283652
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283670
---http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31288210
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283768
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283300
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment10_02_26_0542206.31283822
</commentlist>
</conversation>
