dependency injection – What are the disadvantages to using this form of pure DI in Python?

I want to perform dependency injection in my Python application without using reflection. My position on reflection is informed largely by the “don’t hide things” philosophy (I am unable to find a decent reference to this on google at the moment). What that basically means to me is that code ought to be easily discoverable by an incoming programmer (either your own code at some point in the future, or another programmer coming in to edit or extend your code).

It’s important for me to note here that my primary motivation for dependency injection is the ability to easily test individual services and dependencies without using Python’s patch, but instead to rely on an easily accumulated set of reusable mock dependencies.

Setting aside the reflection debate for the moment, here is one way I see that one can accomplish dependency injection without reflection.

The Container

The container houses my Python application’s dependencies. It could be a simple dictionary.

```python
# container.py

dependencies = {}
```

The Composition Root

The point of the composition root is to have a centralized location where all needed application dependencies are drawn together and configured in whatever way is necessary. Some classes, for example, might need to be instantiated with config-specific parameters. In Python, I have not seen something like this in the wild. It seems like the composition root needs to be imported specifically by an environment-specific, executed module.

The below illustrates an example where a hypothetical dependency TaskManager depends on a service ApiService. TaskManager, in turn, is a service used throughout the application.

```python
# run_prod.py - runs a production-configured instance of my application

from container import dependencies
from services import TaskManager, ApiService
import config
from app import create_app


api_service = ApiService(config.api_service_endpoint)
task_manager = TaskManager(api_service)
dependencies['task_manager'] = task_manager

app = create_app(dependencies)
app.run(host=config.host, port=config.port)
```

The App

The application itself at this point is more or less a shallow orchestrator of the services injected into it, since all chunks of code that need to be tested in isolation are defined outside of it, and injected into it in this scheme.

```python
# app.py

from flask import Flask


def create_app(dependencies):
    app = Flask(__name__)

    @app.route('/task/<task_id>', methods=['GET'])
    def get_task(task_id):
        task = dependencies.get('task_manager').find_task_by_id(task_id)
        return task

    return app
```

Another similar approach might be to import the dependency container, rather than inject it as an argument to the create_app function. In that case I don’t need the constructor function:

```python
# app.py

from flask import Flask

from container import dependencies

app = Flask(__name__)


@app.route('/task/<task_id>', methods=['GET'])
def get_task(task_id):
    task = dependencies.get('task_manager').find_task_by_id(task_id)
    return task
```

Testing as a primary motivation for dependency injection

We can create as many use-specific composition roots as we want. For example, if we create one for testing, instead of having a separate run_prod.py, we can just compose the dependencies in the same module as the test (or in a separate module, for re-use). Let’s go with module test_flask_endpoint.py.

For this example, let’s say we want to test the TaskManager together with the Flask layer, but don’t want to make outgoing HTTP calls. We mock out ApiService.

```python
# test_flask_endpoint.py
import pytest

from app import create_app
from container import dependencies


@pytest.fixture
def test_app():
    from services import TaskManager

    class MockApiService:
        def get_task_details(self, task_id):
            return {"task_id": task_id, "description": "does something special"}

    mock_api_service = MockApiService()
    task_manager = TaskManager(mock_api_service)
    dependencies['task_manager'] = task_manager

    app = create_app(dependencies)
    test_app = app.test_client()
    return test_app


def test_task_endpoint(test_app):
    assert test_app.get('/task/3').get_json()['description'] == 'does something special'
```

One disadvantage I see to doing DI this way is that the app is coupled to the injector, namely, the dependencies argument of create_app. Is there a way around this? It is not clear to me that this matters.

sql injection – Dumping a lot of data using SQLMap faster

What’s the best way to dump 10 million records from db using sqlmap?

Was trying to dump the whole database of a test website with 10KK+ entries in 1 table. Right now using the following commands:

```
sqlmap -u website.com/php?id=123 -D dbname --tables --dump-all --random-agent --threads 9 --time-sec 10 --technique=BEUS --dbms=mysql -o
```

Is there any other way to make the dumping process faster? Right now dumping columns as they are in the db and not reordering them to make it faster. Internet connection and response time is good. Just the processing part and any other techniques?

I’ve also used the option --dns-domain but still 4 days running now.

MySQL Injection Through Get Request via Cookie Parameter

Somebody closed this question as not having enough info. There is enough information here.

It is MySQL
It is a cookie parameter injection
I am using a proxy
I am getting the error I want
I am using ‘ select @@version;# in the appropriate cookie parameter to produce the error that I
It is a Get request

All the other details are below

I have a MySQL lab challenge where I send id=1‘ and select @@version;# then manage to trigger an error. But the part of the error response that has my version info looks like it comes back in binary (or Unicode?).
I have to send the GET in base64 then URI encode as it’s sent from a cookie parameter.
How do I make sure the response is in ASCII? Is that kind of response actually in Unicode, and browser/burp garbling the response to make it look like binary?

php – sqlmap SQL injection not injecting

Hi, I’m relatively new to sqlmap and trying to find an exploit in my project web. Here is how I run it:

```
python3 sqlmap.py -u "http://localhost/output3/members.php?valueToSearch=mira&search=Filter"
```

I have tried to use the various variables along with it as follows;

--dbs
--columns
--tables
--level=5
--risk=3

However it seems that sqlmap is unable to find any injection/exploit. Here is the output of sqlmap;

```
[21:15:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6c6e4118f5b...b74a20db38'). Do you want to use those [Y/n] y
[21:15:43] [INFO] testing if the target URL content is stable
[21:15:43] [INFO] target URL content is stable
[21:15:43] [INFO] testing if GET parameter 'valueToSearch' is dynamic
[21:15:43] [WARNING] GET parameter 'valueToSearch' does not appear to be dynamic
[21:15:43] [WARNING] heuristic (basic) test shows that GET parameter 'valueToSearch' might not be injectable
[21:15:43] [INFO] testing for SQL injection on GET parameter 'valueToSearch'
[21:15:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:43] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:43] [INFO] testing 'Generic inline queries'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:43] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[21:15:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:44] [WARNING] GET parameter 'valueToSearch' does not seem to be injectable
[21:15:44] [INFO] testing if GET parameter 'search' is dynamic
[21:15:44] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:15:44] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[21:15:44] [INFO] testing for SQL injection on GET parameter 'search'
[21:15:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:45] [INFO] testing 'Generic inline queries'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:45] [INFO] testing 'Oracle AND time-based blind'
[21:15:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:45] [WARNING] GET parameter 'search' does not seem to be injectable
[21:15:45] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 21:15:45 /2020-11-18/
```

I have attached my source code below for reference as well. In addition, I’m getting "do not access superglobal $_GET array directly" for my code. Any advice would be appreciated.

```php
<?php
if(isset($_GET['search']))
//if(filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT))
{
    $valueToSearch = $_GET['valueToSearch'];
    //$valueToSearch = filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT);

    $query = "SELECT * FROM `user1` WHERE `user` LIKE '%".$valueToSearch."%' OR `name` LIKE '%".$valueToSearch."%' OR `contact_numberH` LIKE '%".$valueToSearch."%' OR `contact_numberM` LIKE '%".$valueToSearch."%'";

    $search_result = filterTable($query);

}
 else {
    $query = "SELECT * FROM `user1`";
    $search_result = filterTable($query);
}

// function to connect and execute the query
function filterTable($query)
{
    $connect = mysqli_connect("localhost", "root", "", "fyp2");
    $filter_Result = mysqli_query($connect, $query) or die(mysqli_error($connect));
    return $filter_Result;
}
 ?>
         <form action="members.php" method="get">
            <input type="text" name="valueToSearch" placeholder="Value To Search"><br><br>
            <input type="submit" name="search" value="Filter"><br><br>
            <table>
                <tr>
                    <th>User</th>
                    <th>Name</th>
                    <th>Home Number</th>
                    <th>Mobile</th>
                </tr>

      <!-- populate table from mysql database -->
                <?php while($row = mysqli_fetch_array($search_result)):?>
                <tr>
                    <td><?php echo $row['user'];?></td>
                    <td><?php echo $row['name'];?></td>
                    <td><?php echo $row['contact_numberH'];?></td>
                    <td><?php echo $row['contact_numberM'];?></td>
                </tr>
                <?php endwhile;?>
            </table>
         </form>
```
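
A hardened form of the search in members.php, as an added example that is not the asker's code: the search term is bound as a parameter, LIKE wildcards in it are escaped, and each cell is HTML-encoded on output. PDO with in-memory SQLite stands in for the MySQL connection so the script runs offline (the same placeholder pattern applies to mysqli's `prepare()` and `bind_param()`); the sample rows, the `!` escape character and the function names are assumptions.

```php
<?php
// Added example, not the asker's code. PDO with in-memory SQLite stands in for
// the MySQL database so the script runs offline; all rows are constructed.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE `user1` (`user` TEXT, `name` TEXT,
                `contact_numberH` TEXT, `contact_numberM` TEXT)');
    $insert = $pdo->prepare('INSERT INTO `user1` VALUES (?, ?, ?, ?)');
    $rows = [
        ['mira',   'Mira Tan',        '0312345', '0123456'],
        ['obrien', "Pat O'Brien",     '0399999', '0198888'],
        ['bob',    '<b>Bob</b> 100%', '0377777', '0177777'],
    ];
    foreach ($rows as $row) {
        $insert->execute($row);
    }
    return $pdo;
}

// Escape LIKE metacharacters with '!' so user input is matched literally.
function escapeLike(string $value): string
{
    return strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// In members.php the value would come from
// filter_input(INPUT_GET, 'valueToSearch', FILTER_UNSAFE_RAW).
function searchMembers(PDO $pdo, string $valueToSearch): array
{
    $pattern = '%' . escapeLike($valueToSearch) . '%';
    // The SQL text is constant; the search term is sent only as a parameter.
    $stmt = $pdo->prepare(
        "SELECT `user`, `name`, `contact_numberH`, `contact_numberM` FROM `user1`
         WHERE `user` LIKE ? ESCAPE '!' OR `name` LIKE ? ESCAPE '!'
            OR `contact_numberH` LIKE ? ESCAPE '!' OR `contact_numberM` LIKE ? ESCAPE '!'"
    );
    $stmt->execute(array_fill(0, 4, $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode every cell for the HTML context before it is echoed into the table.
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html;
}

// Constructed inputs: a plain term, a term with a quote, and two with wildcards.
$pdo = openDemoDb();
foreach (['mira', "O'Brien", '%', '100%'] as $input) {
    printf("%-8s -> %d row(s)\n", $input, count(searchMembers($pdo, $input)));
}
echo renderRows(searchMembers($pdo, 'bob'));
```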

dependency injection – Simple constructor DI implementation in Rust

From my experience in C# programming I think that DI is important. But it’s not possible to do it the same way in Rust. There are some DI frameworks but I’ve come up with an idea on how it can be made and decided to implement it my way. My implementation uses only constructor injection, no container needed. I’m only learning Rust now so can you review my code, find possible pitfalls, suggest improvements or better approaches?

My goals in DI:

  1. Make stubs possible for testing.
  2. Systems shouldn’t know “sub-dependencies” of their dependencies. Separate construction and providing dependencies from actual usage. All dependencies are “wired” in one place.
  3. No global shared state.
  4. The design principle that higher level systems declare what they need and lower level systems implement it, not other way.
  5. Avoid God objects.
  6. All dependencies can be clearly determined by a constructor signature, no looking inside code needed. Therefore I don’t use Resource Locator pattern.

```rust
#[cfg(not(feature = "test"))]
mod Bindings {
    // real implementations binding

    // I assume only one implementor per each interface
    // this is not always the case but at least it's good for a simple scenario
    pub type Door = crate::Autocar::DoorMod::DoorImpl;
    pub type Engine = crate::Autocar::EngineMod::EngineImpl;
}

// how can I move these into actual tests files?
#[cfg(all(feature = "test", feature = "test1"))]
mod Bindings {
    // stubs for test1 can be bound here
    pub type Door = crate::Autocar::DoorMod::DoorImpl;
    pub type Engine = crate::Autocar::EngineMod::EngineImpl;
}

#[cfg(all(feature = "test", feature = "test2"))]
mod Bindings {
    // stubs for test2 can be bound here
    pub type Door = crate::Autocar::DoorMod::DoorImpl;
    pub type Engine = crate::Autocar::EngineMod::EngineImpl;
}

// prelude for internal use
mod Usings {
    pub use crate::Bindings::*;
    pub use std::cell::RefCell;
    pub use std::rc::Rc;
    pub type Mrc<T> = Rc<RefCell<T>>; // Mutable Reference Counter
    pub fn Mrc<T>(v: T) -> Mrc<T> {
        Rc::new(RefCell::new(v))
    }
}

fn main() {
    // this code performs constructor injection itself
    // all constructors are called here

    use Autocar::*;
    use Usings::*;

    let engine = Mrc(Engine::new());

    // also we can make factory methods
    let make_door = || -> Door { Door::new(engine.clone()) };

    let doors = vec![make_door(), make_door()];
    let mut car = Car::new(engine, doors);

    // all constructed, now run something
    car.doors[0].open();
}

// now application code
mod Autocar {
    use crate::Usings::*;

    // top-level struct so no interface
    pub struct Car {
        // Since same Engine is used also by a Door too, I have to use Mrc.
        // This may become an issue as once a dependency becomes
        // used by multiple structs I have to change it everywhere to Mrc
        // and insert borrow_mut() everywhere.
        // Which doesn't look like a good design. But no choice. Or?
        pub engine: Mrc<Engine>,

        pub doors: Vec<Door>,
    }

    impl Car {
        pub fn new(engine: Mrc<Engine>, doors: Vec<Door>) -> Car {
            Car { engine, doors }
        }
    }

    // declare Car dependencies:

    // we actually need IDoor so stubs can inherit it and reflect signature changes when refactoring
    pub trait IDoor {
        fn is_opened(&self) -> bool;
        fn open(&mut self);
    }

    pub trait IEngine {
        fn is_running(&self) -> bool;
        fn start(&mut self);
        fn stop(&mut self);
    }

    pub(crate) mod DoorMod {
        use super::*;
        use crate::Usings::*;

        pub struct DoorImpl {
            // I tried to design the code in a way so that DI doesn't prevent optimizations.
            // So I don't use IEngine here or otherwise it becomes dyn implicitly and then
            // no inlining and can't be placed on the stack.
            // But one issue with this approach is that IntelliSense can see
            // all EngineImpl functions even if it implements multiple traits, not just IEngine.
            // But a stub will contain only interface-declared functions
            // so it will be at least checked by the compiler.
            engine: Mrc<Engine>,
        }

        impl IDoor for DoorImpl {
            fn is_opened(&self) -> bool {
                unimplemented!()
            }

            fn open(&mut self) {
                if self.engine.borrow().is_running() {
                    self.engine.borrow_mut().stop();
                }
                println!("opening")
            }
        }

        impl DoorImpl {
            pub fn new(engine: Mrc<Engine>) -> Self {
                DoorImpl { engine }
            }
        }
    }

    pub(crate) mod EngineMod {
        use super::*;
        use crate::Usings::*;

        pub struct EngineImpl;

        impl IEngine for EngineImpl {
            fn is_running(&self) -> bool {
                true
            }

            fn start(&mut self) {
                println!("starting");
            }

            fn stop(&mut self) {
                println!("stopping");
            }
        }

        impl EngineImpl {
            pub fn new() -> Self {
                EngineImpl {}
            }
        }
    }
}
```

Understanding sqlmap’s payload for blind sql injection

I am fairly new to sql injections and tried to solve a little hackit to understand everything better. I wasn’t able to solve one of the levels so I ran sqlmap to see what it would do. The payloads that I got looked a bit like this

http://some-hackit.com/sqli/level4.php?id=0'+or+ascii(substring((select+smth+from+something+limit+0,1),1,1))=120+and+'1'+'1

I don’t really understand what and+'1'+'1 is doing. As soon as I add this part to all of my other injections they suddenly work and I am able to solve the hackit. I tried to search for explanations online, but didn’t find anything. I would really appreciate it if someone on here could maybe explain it to me.

code injection – How to define an object field type in graphql query?

So I’m currently testing an endpoint that takes graphql using the apollo framework as an argument for certain queries. Introspection is disabled so I have been bruteforcing field and variable names to some success. However, with the following request data:

```json
{"operationName":"page","variables":{"input":{"preview":true
    }},"query":"query page($input: PostItemInput)  {\n page(input: $input) {\n date\n}\n}"}
```

I get this error

"Variable "$input" got invalid value { preview: true }; Field identifier of required type ID! was not provided."

I know that the field names and variable names are correct. Searching around it seems the problem is that the value of the field “preview” within the object “input” does not have a type defined for it (unlike the object input itself which is type PostItemInput). I have searched and searched for how to specify an object field type in a graphql request but almost every solution seems to be talking about doing it on the dev side rather than the request side, and the official apollo documentation hasn’t been of much help either. Does anyone know how I can specify an object field type in a request like the one above? I’m a bit of a noob at graphql so sorry if it’s a dumb question. Any help would be greatly appreciated!

php – Is this code safe from SQL Injection and other exploits?

My question is this: is my code safe?

So I have two PHP files that execute SQL code in them. It’s simply a registration script and an account recover script.

1. registration system

a person goes to my url with specified data such as the following example.

http://localhost/registeruser.php?identity=438746285267827419&idnumber=2201

2. recovery account system

user goes to this url with this specified data passed through.

http://localhost/accountrecovery.php?secretcode=GU3DZ99S4D73D9G7H

Here is the code for my files

  • registeruser.php
  • accountrecovery.php

(registeruser.php)

```php
<?php
session_start();
if ($_COOKIE['timerValueHolder'] < 1)
{
    if (!isset($_SESSION)) session_start();
    $timeCurrently = round(microtime(true));
    $UserRegTime = (isset($_SESSION["timeLastAccessed"])) ? $_SESSION["timeLastAccessed"] : '0';
    if (($timeCurrently - $UserRegTime) > 3)
    {
        $_SESSION['timeLastAccessed'] = $timeCurrently;
    }
    else
    {
        header('refresh: 1');
        die("cannot continue because you must wait " . (3 - ($timeCurrently - $UserRegTime)) . " seconds.");
    }
}
$title = "User registration";
require_once ("header.php");
$passedInfo = $_GET['identity'];
$passedInfoTwo = $_GET['idnumber'];

if (strlen(trim($passedInfoTwo)) < 1)
{
    echo "Invalid identification number of your account.";
    setcookie('timerValueHolder', 0);
}

if (strlen(trim($passedInfo)) < 1)
{
    echo "Invalid identification number of your account.";
    setcookie('timerValueHolder', 0);
}

if ($_COOKIE['timerValueHolder'] >= 0)
{

    if (strlen(trim($passedInfo)) > 0)
    {
        if (!isset($_COOKIE['timerValueHolder']))
        {
            setcookie('timerValueHolder', 0);
        }
        if (isset($_COOKIE['timerValueHolder']) && $_COOKIE['timerValueHolder'] < 4)
        {
            $servername = "localhost";
            $username = "admin";
            $password = "abc123";
            $dbname = "databaseholder";
            $conn = new mysqli($servername, $username, $password, $dbname);
            if ($conn->connect_error)
            {
                die("Failed to Complete Connection: " . $conn->connect_error);
            }
            $usersIPAddress = $_SERVER['REMOTE_ADDR'];
            $checkAction = mysqli_real_escape_string($conn, "select * from userconfiguration where membersID='$passedInfo' and MemberName<>''");

            if ($checkAction > 0)
            {

                $checkActionRows = mysqli_num_rows($checkAction);
                if ($checkActionRows > 0)
                {
                    echo "please wait as web page refreshes until you see a successful message.";
                }
            }
            else
            {
                $secondaryCheck = mysqli_real_escape_string($conn, "select * from userconfiguration where ipaddress='$usersIPAddress' and membersID='$passedInfo'");
                if ($secondaryCheck > 0)
                {
                    $rowCheckTwo = mysqli_num_rows($secondaryCheck);
                    if ($rowCheckTwo > 0)
                    {
                        echo "please wait as web page refreshes until you see a successful message.";
                    }
                }
                else
                {
                    $sql = "INSERT INTO userconfiguration (ipaddress, membersID, TheirName)
VALUES ('$usersIPAddress', '$passedInfo', '$passedInfoTwo')";
                    if ($conn->query($sql) === true and $secondaryCheck > 0 and $rowCheckTwo > 0)
                    {
                        echo "please wait as web page refreshes until you see a successful message.";
                    }
                    else
                    {
                        echo "please wait as web page refreshes until you see a successful message.";
                    }
                }
            }
            $conn->close();
            $current_val = $_COOKIE['timerValueHolder'];
            $current_val++;
            setcookie('timerValueHolder', $current_val);
            echo $_COOKIE['timerValueHolder'];
            header('refresh: 4');
        }
        else
        {
            echo "success. go on to our application and finalize the registry by typing #finalizeregister ";
            echo $_GET['identity'];
            setcookie('timerValueHolder', 0);
        }
    }
}
?>
```

(accountrecovery.php)

```php
<?php
session_start();
if (!isset($_SESSION)) session_start();
$timeCurrently = round(microtime(true));
$UserRegTime = (isset($_SESSION["timeLastAccessed"])) ? $_SESSION["timeLastAccessed"] : '0';
if (($timeCurrently - $UserRegTime) > 3)
{
    $_SESSION['timeLastAccessed'] = $timeCurrently;
}
else
{
    header('refresh: 1');
    die("cannot continue because you must wait " . (3 - ($timeCurrently - $UserRegTime)) . " seconds.");
}
$title = "user recovery";
require_once ('header.php');
$servername = "localhost";
$username = "admin";
$password = "abc123";
$dbname = "databaseholder";

$conn = new mysqli($servername, $username, $password, $dbname);

if ($conn->connect_error)
{
    die("Failed to Complete Connectio: " . $conn->connect_error);
}

$passedData = $_GET['secretcode'];

$dataPassedTwo = mysqli_real_escape_string($conn, $passedData);

$actionCheck = mysqli_query($conn, "select * from userconfiguration where recoveryCode='$dataPassedTwo'");

$rowCheckAction = mysqli_num_rows($actionCheck);
$rowCount = mysqli_fetch_row($actionCheck);
if ($rowCheckAction > 0 and strlen(trim($passedData)) > 0)
{
    echo "account recover details are ";
    echo " your password: ", $rowCount[4];
    echo " your security pin: ", $rowCount[5];
    echo "to recover your account in the future you must do the following task.";
    echo "in our application type #finalizeregister to obtain a new recovery code.";

    $update = mysqli_query($conn, "UPDATE userconfiguration SET recoveryCode = '' WHERE recoveryCode = '$dataPassedTwo'");

    if (!$update)
    {
        echo "An issue has occured in the update task.";
    }
}

else
{
    echo "failed to recover account. try typing #finalizeregister in our application for a new code to generate.";
}
$conn->close();
?>
```
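
A bound-parameter version of the registration and recovery queries, as an added example that is not the asker's code: in registeruser.php, `mysqli_real_escape_string()` is applied to whole SQL strings that are never executed, and the INSERT concatenates the raw `$_GET` values. PDO with in-memory SQLite stands in for MySQL so the script runs offline; the table layout, the digit-only rule, the length limits, the function names and the sample values are assumptions.

```php
<?php
// Added example, not the asker's code. PDO with in-memory SQLite stands in for
// the MySQL connection; the column layout is assumed from the question's queries.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec(
        "CREATE TABLE userconfiguration (
            ipaddress TEXT, membersID TEXT, TheirName TEXT,
            MemberName TEXT DEFAULT '', recoveryCode TEXT DEFAULT '')"
    );
    return $pdo;
}

// Assumption: identity and idnumber are decimal digit strings, as in the
// sample URL. Anything else is rejected before it reaches the database.
function isDigits(string $value, int $maxLen): bool
{
    return $value !== '' && strlen($value) <= $maxLen && ctype_digit($value);
}

function registerUser(PDO $pdo, string $ip, string $identity, string $idNumber): string
{
    if (!isDigits($identity, 20) || !isDigits($idNumber, 10)) {
        return 'invalid';
    }
    // The statement text is fixed; values travel separately as parameters.
    $check = $pdo->prepare('SELECT COUNT(*) FROM userconfiguration WHERE membersID = ?');
    $check->execute([$identity]);
    if ((int) $check->fetchColumn() > 0) {
        return 'exists';
    }
    $insert = $pdo->prepare(
        'INSERT INTO userconfiguration (ipaddress, membersID, TheirName) VALUES (?, ?, ?)'
    );
    $insert->execute([$ip, $identity, $idNumber]);
    return 'created';
}

// Recovery: the code is bound as a parameter and cleared by the same UPDATE,
// so a second request with the same code matches no row.
function redeemRecoveryCode(PDO $pdo, string $code): bool
{
    if ($code === '') {
        return false; // an empty code would match every row whose code is already cleared
    }
    $clear = $pdo->prepare("UPDATE userconfiguration SET recoveryCode = '' WHERE recoveryCode = ?");
    $clear->execute([$code]);
    return $clear->rowCount() === 1;
}

// Constructed inputs: a valid pair, the same pair again, and an identity with a quote in it.
$pdo = openDemoDb();
$attempts = [
    ['438746285267827419', '2201'],
    ['438746285267827419', '2201'],
    ["12'34", '2201'],
];
foreach ($attempts as [$identity, $idNumber]) {
    echo registerUser($pdo, '203.0.113.7', $identity, $idNumber), "\n";
}

// Constructed recovery code, set here only so the lookup has something to find.
$pdo->prepare('UPDATE userconfiguration SET recoveryCode = ? WHERE membersID = ?')
    ->execute(['CONSTRUCTED-CODE-1', '438746285267827419']);
var_dump(redeemRecoveryCode($pdo, 'CONSTRUCTED-CODE-1')); // first use
var_dump(redeemRecoveryCode($pdo, 'CONSTRUCTED-CODE-1')); // replay of the same code
```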

magento2 – RequireJS module dependency injection in Magento 2

I am searching for a way to extend a JS file which is used as a dependency in other JS files for the whole project. The file in use is Magento_Ui/js/form/element/abstract and I need to replace it with a new file Custom_Ui/js/form/element/abstract and then force every other file to use my new file instead of the original one. Only other files, because my new file will extend the original abstract file. Is that possible? So in practice I need to replace abstract algorithms for the Magento form UI element and make it in the most portable and stable way.

set theory – Is having injection to hereditarily size sets equivalent with choice over ZF?

It’s known that ZF proves that for every set $x$ there exists a set $H_x$ of all sets that are hereditarily strictly subnumerous to $x$. [see here]. Now is the following principle equivalent with choice over the rest of axioms of ZF?

For every set $x$, there exists a set $y$ such that: $x$ is subnumerous to $H_y$.

By “subnumerous to” it’s meant, as usual, possessing an injection towards; and “strictly subnumerous” means, as usual, existence of subnumerousity without existence of a bijection.