The trojan Emoji (poststatus.com)
17 points by krogsgard on May 8, 2015 | hide | past | favorite | 5 comments



It's sad to see this mistake being made repeatedly. It kind of works like this

  1) Small project started, MySQL is used because that's all the developer knows or it's convenient
  2) Strict mode is never turned on; developer has no idea it exists
  3) App gets popular
  4) Too late to enable Strict

It's really the main reason why I don't recommend MySQL. There's so many mistakes waiting to be made.
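The "strict mode was never turned on" step above is the root of the truncation problem the linked article describes: with a permissive `sql_mode` and the 3-byte `utf8` charset, MySQL downgrades an "incorrect string value" from an error to a warning and stores the string cut off at the first 4-byte character. The session below is an added illustration, not code from the thread or from the linked article; the table and column names are made up, and it assumes a MySQL client with a `utf8mb4` connection charset so the emoji literal reaches the server intact.

```sql
-- Added example: the permissive setup beside the corrected one.
-- Assumes the client sends the literal below as utf8mb4 (SET NAMES does that).
SET NAMES utf8mb4;

-- Weak setting: no strict mode, legacy 3-byte "utf8" (utf8mb3) column.
SET SESSION sql_mode = '';
CREATE TABLE demo_weak (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  body VARCHAR(255)
) CHARACTER SET utf8;

-- U+1F4A9 needs 4 bytes, which utf8mb3 cannot hold. Without strict mode
-- the INSERT "succeeds" with warning 1366 and the stored value is truncated
-- at the emoji, silently dropping everything after it.
INSERT INTO demo_weak (body) VALUES ('hello 💩 this tail is lost');
SHOW WARNINGS;                 -- Warning 1366: Incorrect string value: '\xF0\x9F\x92\xA9 ...'
SELECT body FROM demo_weak;    -- 'hello '

-- Corrected setting: strict mode on, utf8mb4 column.
SET SESSION sql_mode = 'STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION';
CREATE TABLE demo_strict (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  body VARCHAR(255)
) CHARACTER SET utf8mb4;

-- Stored in full: utf8mb4 holds all 4-byte code points.
INSERT INTO demo_strict (body) VALUES ('hello 💩 this tail is kept');
SELECT body FROM demo_strict;  -- 'hello 💩 this tail is kept'

-- With strict mode on, a leftover utf8mb3 column fails loudly instead of
-- truncating: this statement is rejected with ERROR 1366, nothing is stored.
INSERT INTO demo_weak (body) VALUES ('hello 💩 rejected, not truncated');

-- Quick audit of what a session and database are actually running with.
SELECT @@sql_mode, @@character_set_database, @@collation_database;
```

Two settings, two failure classes: `sql_mode` decides whether a bad value is an error or a silent truncation, and the column charset decides whether a 4-byte character is bad at all. Fixing only the charset leaves the silent-truncation behaviour in place for every other conversion failure, so both belong in the migration. The `SELECT @@sql_mode, ...` line is the check to run before assuming either is already in effect (MySQL 5.7 and later ship with `STRICT_TRANS_TABLES` in the default `sql_mode`, but an explicit server or session setting can still override it).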


> 2) Strict mode is never turned on; developer has no idea it exists

MySQL has been my hair-tearing problem for many years - https://reddragdiva.dreamwidth.org/593924.html - and I had no idea it existed.

There's a secret "don't suck as much" switch? TURN IT ON!!


Wait until the developer learns they need to support unicode.


Why why why did MySQL have to win the damn race. It's the PHP of databases: it more or less works, but you're relying on a cardboard skyscraper built on a foundation of poop. And this will come back to bite you.

Why MySQL Is Not My Favourite Database: https://reddragdiva.dreamwidth.org/593924.html


For anyone interested in knowing how the UTF8 attack works, Mathias Bynens has a fantastic presentation which describes the technical details: https://www.youtube.com/watch?v=qFfjJ8pOrWY

Here's the slide deck: https://speakerdeck.com/mathiasbynens/hacking-with-unicode

Interesting anecdote from the talk: This isn't just unique to WordPress. Spotify was vulnerable to this at one point.



