Using % in NSString

It probably says this somewhere, but I missed it. I’m writing results to the screen and to a file and it works fine with this code for my table headers:


tableHeader = @"<table width='100%' border='1'><tr><th colspan='2'>Presentations</th></tr>";

I wanted to adjust the colspan depending on the number of presentations for different conditions. So I put the code into an NSString like so:


NSInteger numColumns = 6;
tableHeader = [NSString stringWithFormat:@"<table width='100%' border='1'><tr><th colspan='%d'>Presentations</th></tr>", numColumns];

The table no longer took up the whole page. I tried escaping the 100% the way you normally escape things, \%, but that did nothing. The correct way to escape a percent sign in a format string is to double it: %%. Two related points worth knowing: on 64-bit, NSInteger is a long, so the matching conversion is %ld with a (long) cast rather than %d; and the format argument should always be a literal string, since a format string assembled from outside input is an injection bug in its own right.

So now you know.

MySQL injection attempts

I recently started getting lots of error statements in my error logs for a site I manage. And by lots I mean thousands each week. Since the site works fine and I haven’t changed anything recently, I was puzzled as to why they were happening.

So I expanded the MySQL error logging to give me more information on which file was the problem and what the MySQL statement was that failed, i.e. filename, query, and error message.


if (!$result) {
    error_log("product.php");        // which script ran the query
    error_log($query);               // the failing SQL, attacker input included
    error_log(mysqli_error($dbLF));  // MySQL's own error text
    die();
}

Here is a common one:


[18-Jun-2012 05:34:52 UTC] SELECT * FROM product_table
           WHERE productNum = \\\'1
           ORDER BY display_seq, name
[18-Jun-2012 05:34:52 UTC] You have an error in your SQL syntax; 

And they get more complicated:


SELECT * FROM product_table
           WHERE productNum = 38/product.php?id=381\\\'
           ORDER BY display_seq, name
[19-Jun-2012 07:47:01 UTC] You have an error in your SQL syntax;

I went through all my code and I can’t find anywhere that I could possibly have produced such a malformed query.

What clinched it for me are these queries:


WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x52656D696E64657273/**/and/**/table_name=0x7573657273),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
         WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,count(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x446F776E6C6F616473/**/and/**/table_name=0x507572636861736573),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
         WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x446F776E6C6F616473/**/and/**/table_name=0x507572636861736573),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

There’s absolutely no way I miscoded my query to get that garbage.

Since all my product numbers are integers, I changed the code to only run the query if productNum is numeric. It seems to work. Note that is_numeric() also accepts decimals, exponents and leading whitespace ('1.5', '1e3', ' 7'), so an (int) cast or a ctype_digit() check is stricter, and a prepared statement with the value bound as an integer removes the problem entirely.


// Attempts have been made to exploit the database with long strings.
// Product numbers are always integers, so anything non-numeric is replaced
// before it reaches the query; this stops the attacks without filling up the
// error log. Escaping alone cannot: the value is interpolated bare, so an
// escaped quote only yields a syntax error. (mysqli_ escape matches $dbLF.)
$productNum = isset($_GET['num']) ? mysqli_real_escape_string($dbLF, $_GET['num']) : '';
if (!is_numeric($productNum)) {
    $productNum = '1';
}
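The logged payloads above are worth more than a syntax error: the 0x... literals are how the attacker names schemas and tables without typing a quote, and MySQL reads 0x52656D696E64657273 as the string 'Reminders'. The following is an added example, not code from the original post, that runs over the queries from the log excerpts above (embedded as constructed sample input, with the long run of repeated 0x31303235343830303536 fillers shortened to one) and a benign query for contrast. It flags the obfuscation patterns visible in those payloads and decodes the hex literals to show which tables were being enumerated.

```python
"""Triage MySQL error-log queries for SQL-injection indicators.

Added example, not code from the original post. It works on the query text
that the post's error_log() calls write out, flags the obfuscation patterns
visible in the logged payloads above, and decodes the 0x... hex literals
attackers use so they never have to type a quote character.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: the queries from the log excerpts above, with the
# repeated 0x31303235343830303536 column fillers shortened to one, plus one
# benign query for contrast.
SAMPLE_QUERIES = [
    "SELECT * FROM product_table WHERE productNum = \\'1 ORDER BY display_seq, name",
    "SELECT * FROM product_table WHERE productNum = 38/product.php?id=381\\' ORDER BY display_seq, name",
    "SELECT * FROM product_table WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/"
    "(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/"
    "`information_schema`.columns/**/where/**/table_schema=0x52656D696E64657273/**/and/**/"
    "table_name=0x7573657273),0x31303235343830303536*/--",
    "SELECT * FROM product_table WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/"
    "(select/**/concat(0x7e,0x27,count(column_name),0x27,0x7e)/**/from/**/"
    "`information_schema`.columns/**/where/**/table_schema=0x446F776E6C6F616473/**/and/**/"
    "table_name=0x507572636861736573),0x31303235343830303536*/--",
    "SELECT * FROM product_table WHERE productNum = 42 ORDER BY display_seq, name",
]

# Each pattern names the technique it catches.
INDICATORS = {
    # The escape function turned ' into \' but the value was pasted in bare,
    # so the backslash lands outside any string literal: a syntax error, not
    # a neutralised quote.
    "escaped_quote": re.compile(r"\\'"),
    "comment_as_whitespace": re.compile(r"/\*\*/"),   # /**/ in place of spaces
    "version_comment": re.compile(r"/\*!\d{5}"),      # /*!30000 ... */ runs on MySQL only
    "union_select": re.compile(r"union\W+(?:all\W+)?select", re.I),
    "information_schema": re.compile(r"information_schema", re.I),
}
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)\b")
SCHEMA_TABLE = re.compile(
    r"table_schema\s*=\s*0x([0-9A-Fa-f]+)\W+and\W+table_name\s*=\s*0x([0-9A-Fa-f]+)", re.I)


def decode_hex_literal(digits):
    """Decode one hex literal to text, or None if it is not printable ASCII."""
    if len(digits) % 2:
        return None
    raw = bytes.fromhex(digits)
    if not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def decode_hex_literals(query):
    """All printable strings hidden in 0x... literals, in order of appearance."""
    decoded = (decode_hex_literal(m.group(1)) for m in HEX_LITERAL.finditer(query))
    return [s for s in decoded if s is not None]


def targeted_tables(query):
    """'schema.table' pairs the payload enumerates via information_schema."""
    pairs = []
    for schema_hex, table_hex in SCHEMA_TABLE.findall(query):
        schema, table = decode_hex_literal(schema_hex), decode_hex_literal(table_hex)
        if schema and table:
            pairs.append(f"{schema}.{table}")
    return pairs


@dataclass
class Finding:
    query: str
    indicators: list = field(default_factory=list)
    decoded: list = field(default_factory=list)
    tables: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.indicators)


def triage(query):
    """Score one logged query and, if it looks hostile, decode what it targets."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(query)]
    if not hits:
        return Finding(query=query)
    return Finding(query, hits, decode_hex_literals(query), targeted_tables(query))


def triage_all(queries):
    return [triage(q) for q in queries]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_QUERIES):
        verdict = "SUSPICIOUS" if f.suspicious else "ok"
        names = ",".join(f.indicators) or "-"
        print(f"{verdict:10} {names:70} {f.tables}")
```

Run as a script it prints one line per query; the two union payloads decode to Reminders.users and Downloads.Purchases, which tells you the attacker was working from a list of guessed table names rather than anything specific to this site. Feeding it the real log instead of the sample list is a matter of splitting the file on the timestamp prefix.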

OSX difference from Linux

If you want to rename a file from the command line you use the mv command. Characters the shell treats specially (spaces, asterisks, quotes, etc.) are escaped with a backslash, and the backslash itself is escaped with a backslash. So, for example, ‘girl w/ hoop’ would be typed as ‘girl\ w\/\ hoop’ (the slash is not special to the shell, so \/ is simply /, but it does no harm).

I tried running this command


mv GIRL\ W\/HOOP.jpg GIRL\ WITH\ HOOP.jpg

and got back this error message


usage: mv [-f | -i | -n] [-v] source target
       mv [-f | -i | -n] [-v] source ... directory

You can also put the file name in quotes like so


mv 'GIRL W/HOOP.jpg' 'GIRL WITH HOOP.jpg'

And you don’t need to worry about spaces and special characters.

Except that OSX doesn’t store a / in a file name as a slash. It converts it to a colon.

To see this, drag a file with a forward slash from the desktop to the terminal. Note what happens.


/Desktop/GIRL\ W:\ HOOP.jpg

Spaces are escaped, but the forward slash is converted to a colon.

So to get my move command to work I need to do this.


mv GIRL\ W:HOOP.jpg GIRL\ WITH\ HOOP.jpg

And it’s happy.

My new favorite word—ausperity

Rob Knopf recently had a blog post where he noted that “…observatory facilities are being eviscerated on the altar of ausperity.”

It’s a word that perfectly sums up the Republican attitude towards eviscerating state and local government, science programs, and just about everything not related to defense. Austerity is good for you. It builds character—unless you are a job creator, in which case we don’t dare hurt your precious feelings or you might just take your jobs and go home. And of course, the result of all this austerity is prosperity! Hence, ausperity. It makes perfect sense.