How useful is the 5e ‘Wish’ spell (‘Basic Use’ version) for spell research?

The 5e Wish spell does, literally, whatever you wish, but for a price. The Basic Use version may be useful for instant spell research without the usual time / gold costs. Logically, one could use this Basic Wish to learn all the wizard spells lvl. 8 and lower. But what are the limits? To quote:

The basic use of this spell is to duplicate any other spell of 8th level or lower. You don’t need to meet any requirements in that spell, including costly Components. The spell simply takes effect.

Here are some possibilities:

  1. Casting ‘Wish’ may allow one to have a version of any existing / official spell (found in Player’s Handbook, Volo’s &/or Mordenkainen’s manuals). This exists as a memorized spell ‘slot’, uncast, in one’s mind. Wizards (class) could then write-scribe this spell, providing this was a wizard’s (spell-list) spell in the first place. This learning technique may also extend to some ritual spells, q.v.

  2. The Basic Use of a ‘Wish’ spell does NOT require material components. As such, the caster of this spell can automatically gain one (1) fully transcribed non-magical version in a book (or scroll / carved tablet / scribed on a skull / whatever suits your fancy). Should this be a ‘wizard’ spell, the caster could then use this written version as though they had transcribed this themselves. Other wizards would need to endure the usual transcription-study-cost process from this origin material, as normal.

  3. This Basic Version of the spell vetoes any and all requirements! As such, any spell imaginable (of less than 8th level value) can be instantly scribed into a book. If it were considered a ‘wizard’ type spell others of that class could make use / transcribe it as usual. If it were a spell for any other list, those of the appropriate class could use this written spell to re-establish a new relationship with their deity, patron or other spell-delivery creature.

Off the cuff, the first one seems reasonable. The second version seems to be pushing boundaries a little (not sure why). The last one, drafting out Brand New Spells every day, seems totally implausible for a mere Basic Wish (perhaps a FULL wish could do this?) – yet I have no known RAW defence on this. It just seems like a bad idea to let a CR 11 ‘arch-mage’ pump out 300+ spells (of any class / up to 8th lvl) in any given year, risk free. But… why not?

Gathered Exchangers of Stackings… what say ye?

Mysql injection with a single `USE` statement

I know you need prepared statements and such to avoid SQL injection, and I’ve seen that there are different questions about exploits for SELECT, INSERT, UPDATE injectable queries.

But I couldn’t come up with an exploit sample for USE statement. Suppose I have an injectable single statement that looks like this:

USE `data_from_attacker`; 

What data could the attacker use if they can put anything in place of the data_from_attacker, considering I’m looking for an exploit example that is not just selecting a DB (i.e. selecting the information_schema or mysql DB seems harmless, as the next queries won’t work because the tables won’t exist; and selecting a DB that does not exist also seems harmless).

Also, consider that mysql will only interpret the 1st query, so attacker cannot inject:

mysql`; SELECT * FROM `users 

Can you find such an exploit for MySQL? The USE syntax seems very “poor” for such injection…
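
A defensive sketch for the `USE` case above, added here as an example and not part of the original question: a database name is an identifier, which cannot be bound as a prepared-statement parameter, so the name is checked against an allow-list and any embedded backtick is doubled before it is placed between the backticks. The allow-list contents, function names and tenant names are hypothetical.

```python
import re

# MySQL limits database names to 64 characters; this pattern is a deliberately
# strict subset (assumption: application database names are plain ASCII).
_IDENT_RE = re.compile(r"[A-Za-z0-9_]{1,64}")


def quote_identifier(name: str) -> str:
    """Quote a MySQL identifier, doubling any embedded backtick."""
    if not name or len(name) > 64 or "\x00" in name:
        raise ValueError("invalid identifier")
    return "`" + name.replace("`", "``") + "`"


def build_use_statement(requested: str, allowed: frozenset) -> str:
    """Return a USE statement only for a database on the allow-list."""
    if not _IDENT_RE.fullmatch(requested):
        raise ValueError("database name has unexpected characters")
    if requested not in allowed:
        raise PermissionError("database not permitted for this caller")
    return "USE " + quote_identifier(requested) + ";"


# Constructed sample data: the allow-list and names are hypothetical.
ALLOWED_DATABASES = frozenset({"tenant_a", "tenant_b"})
PAGE_PAYLOAD = "mysql`; SELECT * FROM `users"  # the string from the question


def demo() -> dict:
    """Map each candidate name to the statement built or the error raised."""
    results = {}
    for candidate in ("tenant_a", "mysql", "information_schema", PAGE_PAYLOAD):
        try:
            results[candidate] = build_use_statement(candidate, ALLOWED_DATABASES)
        except (ValueError, PermissionError) as exc:
            results[candidate] = type(exc).__name__
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:40} -> {outcome}")
```

The allow-list also refuses syntactically valid names such as `mysql` and `information_schema`, so the caller can only ever switch to a schema the application expects.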

mitmproxy: Error starting proxy server: OSError(98, ‘Address already in use’)

I just installed mitmproxy tool. I want to run it. Once I type: sudo mitmproxy I get this error:

Error starting proxy server: OSError(98, ‘Address already in use’)

I searched and found some suggestions for changing the port by typing: sudo mitmproxy -p 99999 However, I think this may cause me problems as I want to do HTTPS traffic manipulation.

Can you please help me solve the error?

file_exists with ‘replace’ or ‘use existing’ not working when a variable is passed

Can somebody point out the fault in this snippet for downloading a file entity? I am trying to replace or use the existing file dynamically. When I give a variable it doesn’t seem to pass to the ‘download’ plugin. If I hard code the value to ‘replace’ or ‘use existing’ it works.

    file_config_keys:
      plugin: default_value
      default_value: "use existing"
    uri:
      plugin: download
      source:
        - '@source_image_url'
        - '@dest_image_uri'
      file_exists: '@file_config_keys'
    destination:
      plugin: 'entity:file'
    migration_dependencies: null

Aaand … who “should” *USE* crypto code? :)

This seems to be yet another logical follow-on in a now-mounting train of questions that I’ve seen here that seeks to set out and clarify the full extent of the parameters behind the oft-repeated advice “don’t roll your own crypto”! In particular:

  1. Why is it wrong to *implement* myself a known, published, widely believed to be secure crypto algorithm?
  2. Who SHOULD write crypto code?

For one, I think that it is really good that finally these questions were asked – they are things that were a LONG source of headpop and frustration for me and I wondered why nobody was asking “but what about this lesser scenario than the ‘main dish’ ‘offense’ under discussion to which the same logic seems like it should apply yet on which people are far more silent?”

And looking at the second question, I see that an answer posted thereto naturally lends itself to a third question in the series:

https://security.stackexchange.com/posts/209699/revisions

First, note that I’m talking about implementing actual cryptography functions, i.e. encryption, signatures etc. This is different from just using existing cryptography functions (much easier, but still many errors possible) and different from designing cryptographic algorithms (much harder).

(highlights mine)

If that is so, then it sounds that “don’t roll your own crypto” could be extended even further to “don’t even use others’ ‘rolled’ crypto!” And this also ties into my older question here:

How much security expertise does a general application programmer need to develop software ethically?

which got closed, regarding what sort of expertise and/or qualifications one needs in security simply to develop software in an ethically responsible manner, which is in a sense even broader. So then to ask this maybe third-rung question … how much do you need to know to be able to effectively use others’ cryptographic routines, even and especially widely trusted/vetted ones and, moreover, as a sort of “opinion” question, from whom would you trust a piece of software written thereby that uses such vetted routines?