m.roth at 5-cent.us
2016-Mar-24 14:48 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
<snip>
> Indeed. There are several flaws in how mysql handles data. This is why to

Ok, do you have a link or two to info about that?

> the best of my ability I am trying to avoid mysql, and use postgresql if
> whatever chunk of software I need is designed to work also with
> postgresql. And I recommend developers I work with/for the same (to use

We seem to be moving to postgresql. I find I do not like it - it's much
more of a pain to work with than mysql is. Do you have any opinions about
MariaDB? Are there improvements over the flaws you're aware of with
mysql?
<snip>

     mark
On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>> readline 5.1
> <snip>
>> Indeed. There are several flaws in how mysql handles data. This is why
>> to
>
> Ok, do you have a link or two to info about that?

Mark, you seemed to snip away the link to the presentation on youtube:

https://www.youtube.com/watch?v=1PoFIohBSM4

which I gave in my post. That, even though a bit old, was instructive for me.

>> the best of my ability I am trying to avoid mysql, and use postgresql if
>> whatever chunk of software I need is designed to work also with
>> postgresql. And I recommend developers I work with/for the same (to use
>
> We seem to be moving to postgresql.

Great!

> I find I do not like it - it's much
> more of a pain to work with than mysql is. Do you have any opinions about
> MariaDB? Are there improvements over the flaws you're aware of with
> mysql?

MariaDB, being a fork of mysql, likely inherited mysql's "inconsistencies".
Not that I would say mysql (and mariadb surely) folks are not working on
improvements. E.g., the default installation of the latest mysql does not have
any accounts with an empty password (I was weeding these away for years with
every new installation of mysql. Oh, well, maybe I'm wrong, as I just
saw this fixed on FreeBSD, so it is possible that the package maintainer did
this nice cleaning). I'm not the one who can have any opinion on something
(mariadb) which he doesn't use, still...

Valeri

> <snip>
>
>      mark
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
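The "weeding" Valeri describes, written out as an added example (not code from any post in this thread). It is the same clean-up `mysql_secure_installation` performs on a MySQL 5.0/5.1 install: list the accounts that have no password or no user name, remove the anonymous accounts and remote root logins, drop the world-readable `test` database, and set a root password. It assumes a 5.0-5.6 era `mysql.user` table, whose password hash column is named `Password` (5.7 and later renamed it to `authentication_string`, and 8.0 removed the `PASSWORD()` function), and the root password `change-me` is a placeholder.

```sql
-- Added example: audit and remove the accounts a stock MySQL 5.x install
-- ships with. Run as root in the mysql client on the server itself.

-- 1. What is there now? On a fresh 5.0/5.1 install this typically lists
--    root@localhost, root@127.0.0.1, root@<hostname> with an empty
--    Password, plus two anonymous accounts ''@localhost and ''@<hostname>.
SELECT User, Host, Password
  FROM mysql.user
 WHERE Password = '' OR User = '';

-- 2. Anonymous accounts: anyone who can reach the socket or port can log
--    in with no user name at all, so drop them outright.
DELETE FROM mysql.user WHERE User = '';

-- 3. Root should only ever log in locally; remove the host-specific
--    and wildcard root rows that allow it over the network.
DELETE FROM mysql.user
 WHERE User = 'root'
   AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 4. The demo database is writable by the anonymous accounts via
--    mysql.db, so remove it and its grants.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

-- 5. Give the remaining root accounts a real password (placeholder here).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('change-me');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('change-me');

-- 6. Direct edits to the grant tables are not live until reloaded.
FLUSH PRIVILEGES;

-- 7. Re-run the audit: the expected result is an empty set.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '' OR User = '';
```

Step 7 is the check worth keeping in a configuration-management run: if it ever returns rows again after an upgrade or a package reinstall, the packager has re-created the stock accounts.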
m.roth at 5-cent.us
2016-Mar-24 15:28 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>> readline 5.1
>> <snip>
>>> Indeed. There are several flaws in how mysql handles data. This is why
>>
>> Ok, do you have a link or two to info about that?
>
> Mark, you seemed to snip away the link to presentation on youtube :
>
> https://www.youtube.com/watch?v=1PoFIohBSM4
>

Oh. I really dislike videos of people explaining something I could read,
if they'd just typed it up.... (I mean the author, not you). But I suppose
I'll watch it.
<snip>
>> We seem to be moving to postgresql.
>
> Great!
>
>> I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
>> about MariaDB? Are there improvements over the flaws you're aware
>> of with mysql?
>
> Mariadb being a fork of mysql likely inherited mysql's "inconsistencies".
> Not that I would say mysql (and mariadb surely) folks are not working on
> improvements. E.g., the default installation of latest mysql does not have
> any accounts with empty password (I was weeding these away for years with
> every new installation of mysql. Oh, well, maybe I'm wrong, as this I just
> had seen fixed on FreeBSD, so it is possible that package maintainer did
> this nice cleaning). I'm not the one who can have any opinion on something
> (mariadb) which he doesn't use, still...

Well, remember that it was forked after the Evil Empire took over mysql. I
just wonder if Oracle is *not* fixing some security issues... because they
obviously want you to "fix" that problem by simply buying Oracle. With
that train of thought, that's why I'm wondering if the MariaDB team *is*
fixing the issues.

     mark
On 3/24/2016 7:48 AM, m.roth at 5-cent.us wrote:
> We seem to be moving to postgresql. I find I do not like it - it's much
> more of a pain to work with than mysql is. Do you have any opinions about
> MariaDB? Are there improvements over the flaws you're aware of with
> mysql?

And I find mysql a real pain to work with.

The biggest difference is, postgresql is much stricter about data types.
It will not, for example, allow you to store 2015-02-30 as a date. Also,
postgres is very strict about the atomicity of transactions, it's all or
nothing.

-- 
john r pierce, recycling bits in santa cruz
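The two differences John names, shown side by side as an added example (not code from anyone in the thread). It assumes a scratch database with a throwaway table `t`, an InnoDB table on the MySQL side so that transactions exist at all, and a plain psql session on the PostgreSQL side; the `sql_mode` values are MySQL's own. The date the thread uses, 2015-02-30, does not exist on the calendar, which is the point.

```sql
-- Added example: date strictness and transaction atomicity,
-- MySQL (5.x, InnoDB) versus PostgreSQL. Table t is a scratch table.

--------------------------------------------------------------------
-- Part 1: storing the non-existent date 2015-02-30
--------------------------------------------------------------------

-- MySQL, non-strict mode (the default on a 5.0.x server): the row is
-- accepted, the value is silently replaced by the zero date, and the
-- only sign of trouble is a warning the client has to ask for.
SET SESSION sql_mode = '';
CREATE TABLE t (id INT PRIMARY KEY, d DATE) ENGINE=InnoDB;
INSERT INTO t VALUES (1, '2015-02-30');     -- Query OK, 1 warning
SHOW WARNINGS;                               -- data truncated for column 'd'
SELECT * FROM t;                             -- 1 | 0000-00-00

-- MySQL, strict mode: the same INSERT is now an error, as it should be.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
INSERT INTO t VALUES (2, '2015-02-30');     -- ERROR 1292: Incorrect date value

-- MySQL, ALLOW_INVALID_DATES: only month 1-12 and day 1-31 are checked,
-- so February 30th is stored exactly as typed. Avoid this mode.
SET SESSION sql_mode = 'ALLOW_INVALID_DATES';
INSERT INTO t VALUES (3, '2015-02-30');     -- stored verbatim

-- PostgreSQL: there is no lax mode to configure; the value is rejected.
CREATE TABLE t (id INT PRIMARY KEY, d DATE);
INSERT INTO t VALUES (1, '2015-02-30');
-- ERROR:  date/time field value out of range: "2015-02-30"

--------------------------------------------------------------------
-- Part 2: a failing statement inside a transaction
--------------------------------------------------------------------

-- MySQL (InnoDB): a statement error rolls back only that statement.
-- The transaction stays open and COMMIT stores whatever else succeeded,
-- so an application that ignores the error commits a partial result.
SET SESSION sql_mode = 'STRICT_ALL_TABLES';
START TRANSACTION;
INSERT INTO t VALUES (10, '2016-03-24');    -- ok
INSERT INTO t VALUES (10, '2016-03-25');    -- ERROR 1062: Duplicate entry '10'
INSERT INTO t VALUES (11, '2016-03-26');    -- still accepted
COMMIT;
SELECT id FROM t WHERE id >= 10;            -- 10 and 11: partial work kept

-- PostgreSQL: the first error aborts the whole transaction block. Every
-- later statement is refused, and COMMIT is turned into a ROLLBACK.
BEGIN;
INSERT INTO t VALUES (10, '2016-03-24');    -- ok
INSERT INTO t VALUES (10, '2016-03-25');    -- ERROR: duplicate key value violates unique constraint "t_pkey"
INSERT INTO t VALUES (11, '2016-03-26');    -- ERROR: current transaction is aborted,
                                            --        commands ignored until end of transaction block
COMMIT;                                     -- reported as ROLLBACK
SELECT id FROM t WHERE id >= 10;            -- empty: all or nothing
```

The practical consequence for application code: on MySQL, every statement's result has to be checked and the transaction rolled back explicitly on error, and `STRICT_ALL_TABLES` (or at least `STRICT_TRANS_TABLES`) has to be set, to get the behaviour PostgreSQL gives unconditionally.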
m.roth at 5-cent.us
2016-Mar-24 18:15 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
John,

John R Pierce wrote:
> On 3/24/2016 7:48 AM, m.roth at 5-cent.us wrote:
>> We seem to be moving to postgresql. I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
>> about MariaDB? Are there improvements over the flaws you're aware
>> of with mysql?
>
> and I find mysql a real pain to work with.
>
> the biggest difference is, postgresql is much stricter about data
> types. it will not, for example, allow you to store 2015-02-30 as a
> date. also, postgres is very strict about the atomicity of
> transactions, its all or nothing.

And I have serious issues trying to figure out the structure of, say, the
barios d/b. But I did NOT ask for a comparison to postgresql, or care to
have any kind of argument about it at all. I was asking about MariaDB vs.
mysql.

Oh, and the link I posted, to MySQL gotchas, that was last updated in
'14? I tried emailing them, at the link they gave, and my email bounced.

     mark