Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I am looking at my apache server logs and almost always when someone is scanning the server for vulnerabilities I always see this in their query strings...
+--+
like in the various examples below...
.
.
.
/includes/usercp_register.php?phpbb_root_path=1'+--+?
/includes/profilcp_constants.php?module_root_path=1'+--+?
/includes/functions_user_viewed_posts.php?phpbb_root_path=1'+--+?
/includes/orderSuccess.inc.php?&glob=1&cart_order_id=1&glob[rootDir]=1'+--+
.
.
.
I know they are scanning for popular vulnerabilities but what Im wondering is whats the purpose of +--+?
Im thinking of using that as something I can filter for using fail2ban
In query strings, the plus character is shorthand notation for a space. Remember that spaces are not allowed in URLs, so they must either be percent-encoded (%20) or, only in the query string portion of a URL, represented with a plus. (As a consequence, this means actual pluses must be percent-encoded in the query string but not elsewhere in a URL.)
In this case, the attacker is attempting simple SQL injection. The ' is a quote ('), and the + URL-decodes to a space. So ultimately this happens:
phpbb_root_path=1' --
(The -- is a SQL comment.)
Be careful banning requests with +--+ in the URL; that could be legitimate input -- ie, https://www.google.com/search?q=dash+--+separated
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 months ago.
Improve this question
I am currently studying SQL and am completing Hackerrank Questions (this is the question). The question involves concatenating strings. However when I use CONCAT according to convention, i.e:
SELECT
CONCAT(NAME, '(', LEFT(Occupation,1), ')')
FROM
OCCUPATIONS;
I receive the following error:
> SQL0440N No authorized routine named "CONCAT" of type "FUNCTION" having compatible arguments was found. SQLSTATE=42884
However, if I enter the following code:
SELECT
CONCAT(NAME, CONCAT(CONCAT('(', LEFT(Occupation,1)), ')'))
FROM
OCCUPATIONS;
The code runs correctly and I receive the following output:
Kristeen(S)
Maria(P)
Meera(P)
Naomi(P)
Priya(D)
I have tried to use escape characters to no avail. I am able to concatenate any of the two strings fine however when I attempt to join any more than that in the cone CONCAT function I am unable.
Is this an error with my code, or an error with the platform? I have reviewed other solutions online that is coded exactly like the first solution and they are able to submit.
The issue was that on Hackerrank I had not changed the language from DB2 to MySQL in the top right hand corner, the error I was receiving was because I was using MySQL syntax where it wasn't supported.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 2 years ago.
Improve this question
I'm watching a video on SQL and the guy is making a distinction between ' and ". In Python and R, I tend to use ' and " interchangeably while technically there is a minor difference or in certain situations one needs to be used. However for the most part in Python/R it doesn't matter.
Is this the same in SQL and the guy is just over analyzing or is there actually a big difference between ' and "? Unfortunately, I don't actually work with SQL so I can't really learn from experience - just have to watch vids.
Thanks
Yes, ' and " are very different in SQL.
' is used to indicate strings, such as 'Hello world!'; it is always required.
" is used to indicate identifiers, such as SELECT "name", "age" FROM "people"; it's optional when the name can't be confused with anything, but mandatory if you want unusual names (spaces, upper-case letters) or if you want a name that's reserved (such as "from"); for example SELECT "from", "to" FROM "time slots".
It's generally best to avoid names that have to be quoted, but the option is there if you need it. Many libraries that wrap SQL will habitually quote everything.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I have a problem writing regular expression. I want to write a regular expression that replaces all double consonants with a single consonant.
Please help me to write such a rule in only one line.
Thanks in advance.
Here's a .NET regex that'll find any group of exactly two non-vowels:
[^aeiou]{2}
The following will work for groups longer than 2:
[^aeiou]{2,}
For example, this will match "llst" in "allstar."
Slightly uglier, but will match groups of 2 consonants, case-insensitive:
[QqWwRrTtYyPpSsDdFfGgHhJjKkLlZzXxCcVvBbNnMM]{2}
The following will match two identical non-vowels:
([^aeiou])\1
For example, this would match the "ll" in "all."
Once you have your regex, just use your chosen language's Regex.Replace function.
Since you did not specify the language, I'm going to go ahead and assume Javascript.
This should get you started:
console.log('babble bubble http htttp www'.replace(/([^aeiou\.,\/=?:\d&\s!##$%^*();\\|<>"'_+-])\1{1}/gi, "$1"));
See more here:
http://regexr.com/3ee47
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 7 years ago.
Improve this question
How acceptable is to name a variable like that:
int Δt = 3;
and not:
int timeDuration = 3;
I love the Delta character.... However it is only acceptable if this becomes a maintainable standard in your code, so that you or your team knows exactly what it is - and you never mix up notation.
It's likely to work, but I absolutely would not recommend it in anything other than personal projects.
Things like varying encoding languages (UTF etc) can affect these kind of unicode characters. Also the fact it's confusing to reliably type and not really hugely semantic.
Languages such as PHP have these guidelines for vars:
Variable names follow the same rules as other labels in PHP. A valid
variable name starts with a letter or underscore, followed by any
number of letters, numbers, or underscores. As a regular expression,
it would be expressed thus: '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*'
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I need to complete cards numbers in sql. I have the prefix =11111 and the number of the card which is variable, therefore it could be '25' or '2130' but at the end I must have 14 numbers. So I need to fill spaces with zeros.
I've read about 'LPAD' but I don't understand very well this method.
You could use lpad, but if you're starting with a number you could use a 9-digit format model instead, and concatenate that onto your prefix:
select '11111' || to_char(25, 'FM000000000') from dual;
11111000000025
The FM format modifier stops Oracle adding a space for a potential +/- sign indicator.
SQL Fiddle demo
Use the ZEROFILL attribute.
But your database should only be responsible for saving data and not changing it before saving.
The best way would be to send the zerofilled data to the database server.