On 03/06/15 16:15, Richard Barnes wrote:
> +1 to Eric's praise. Nice idea.
Thanks Richard. :-)
> Even better if you were to open-source the code ;)
That's a conversation I've yet to have with my employer.
I'll take a look. Thanks.
> I notice that % is your wildcard character. Hopefully this doesn't
> indicate a SQL injection risk!
What sort of SQL injection risk are you concerned about?
http://en.wikipedia.org/wiki/SQL_injection
"SQL injection is a code injection technique, used to attack data-driven
applications, in which malicious SQL statements are inserted into an
entry field for execution (e.g. to dump the database contents to the
attacker)"
"to dump the database" is kinda the point of crt.sh. :-)
All of the data is already public (in the CT logs). I would happily
permit searches for "?q=%25" if I had unlimited bandwidth and server
performance. (Currently any search that's still running after a minute
or two is automatically killed).
Also, the database used by https://crt.sh is a read-only slave, so even
if you could inject something like "DROP TABLE certificate", it would
fail to execute.
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
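The two points made in the reply above (that "%" is only a LIKE wildcard, and that a read-only replica stops "DROP TABLE" but not reads) can be seen in a small worked example. This is an added illustration, not crt.sh's own code or anything posted in this thread: the table names "certificate" and "internal_note", the column names, the sample rows and the SQLite PRAGMA used to stand in for a read-only replica are all assumptions made here for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

# Constructed sample data standing in for a crt.sh-style certificate table.
# The table and column names are assumptions for illustration; they are not
# crt.sh's real schema.
SAMPLE_CERTS = [
    (1, "www.example.com"),
    (2, "mail.example.com"),
    (3, "example.org"),
    (4, "evil.example.net"),
]
# A second, constructed table that a certificate search should never reach.
SAMPLE_NOTES = [(1, "replica-host: db2.internal (constructed)")]


def build_db(read_only=False):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certificate (id INTEGER PRIMARY KEY, common_name TEXT)")
    conn.executemany("INSERT INTO certificate VALUES (?, ?)", SAMPLE_CERTS)
    conn.execute("CREATE TABLE internal_note (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany("INSERT INTO internal_note VALUES (?, ?)", SAMPLE_NOTES)
    conn.commit()
    if read_only:
        # Stand-in for a read-only replica: with query_only set, SQLite
        # rejects any write on this connection with an OperationalError.
        conn.execute("PRAGMA query_only = ON")
    return conn


def search_unsafe(conn, q):
    """The injection-prone pattern: the URL-decoded search term is pasted
    straight into the SQL text, so quotes in it become SQL syntax."""
    sql = "SELECT id FROM certificate WHERE common_name LIKE '%s'" % unquote(q)
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, q):
    """Bind the decoded term as a parameter.  '%' still acts as a LIKE
    wildcard because LIKE interprets it inside the bound string; quotes and
    keywords in the term are just characters to match, never SQL."""
    sql = "SELECT id FROM certificate WHERE common_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (unquote(q),))]


def try_drop(conn):
    """Return True if the connection rejected DROP TABLE, False if it ran."""
    try:
        conn.execute("DROP TABLE certificate")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    ro = build_db(read_only=True)
    # "?q=%25" decodes to "%", which matches every row under either query.
    print("wildcard, safe    :", search_safe(ro, "%25.example.com"))
    print("injection, unsafe :", search_unsafe(ro, "' OR '1'='1"))
    print("injection, safe   :", search_safe(ro, "' OR '1'='1"))
    # On a read-only replica a UNION injection still reads other tables.
    print("union read, unsafe:", search_unsafe(ro, "' UNION SELECT note FROM internal_note --"))
    print("DROP blocked      :", try_drop(ro))
```

The read-only connection does block the DROP, as the reply says, but the concatenated query still lets a UNION pull rows from the second table; a replica limits the blast radius to reads (and, as the reply also notes, to server time), and only parameter binding keeps "%" a wildcard while stopping quotes from becoming syntax.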