It wasn't every day at DroneDeliveries, as Antoine knew, that a user complained about having too much access to their e-commerce account.

"I swear, I'm not making this up!" she said over the phone. The user had logged in to check her recent order status. "My email address is best_mom@bestbox.net, but when I typed best.mom@bestbox.net, it logged me in!"

Antoine thought she might have added a second account by accident with the other address. He double-checked, but sure enough, there was only one account. "We'll get this sorted out," he told her.

In DroneDeliveries' giant cubicle farm, so many hands touch so many pieces of code that a warehouse of monkeys could make better code. A whole class definition written one week might be erased the next. But according to the commit log, no one had touched the log-in form in years. Whatever vulnerability lay inside, it had always been there.

Yet Antoine could guess what was wrong before he even opened the file.


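public virtual User LoadByEmail(string email) {
	// The address typed into the log-in form is pasted into the pattern as-is,
	// so regex metacharacters in it (such as '.') are interpreted, not matched literally.
	var query = Query.EQ(e => e.Email, new BsonRegularExpression(
		new Regex(string.Format("^{0}$", email), RegexOptions.IgnoreCase)));
	return col.FindOne(query);
}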

Who'd insert unsanitized text into a regular expression? Antoine thought. He wondered which nameless drone it was, imagining a Tomb of the Unknown Coder for that lost soul.

Antoine replaced the RegEx with a SQL-escaped regular string, then called the concerned customer back. "The glitch has been fixed. You'll have to enter your exact email address now to access your DroneDeliveries account."

"Wait, no, I want it back!" she said. "I make so many typos using that form, it was saving me so much time!"

"Then I suggest you make a second account," he said, "with an address you can actually type."
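
The lookup bug from the story, reproduced as an added example that is not code from the original page: the unescaped pattern is compared with a `Regex.Escape`d pattern and a plain case-insensitive comparison. The class name, the in-memory array standing in for the user collection and the second stored address are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class EmailLookupDemo
{
    // Constructed sample data standing in for the user collection (no MongoDB involved).
    static readonly string[] Stored = { "best_mom@bestbox.net", "bestXmom@bestbox.net" };

    // Same pattern construction as LoadByEmail: the input becomes regex syntax.
    static string[] FindUnescaped(string email)
    {
        var re = new Regex(string.Format("^{0}$", email), RegexOptions.IgnoreCase);
        return Stored.Where(s => re.IsMatch(s)).ToArray();
    }

    // Regex.Escape makes '.', '(', '+' and other metacharacters match literally.
    static string[] FindEscaped(string email)
    {
        var re = new Regex("^" + Regex.Escape(email) + "$", RegexOptions.IgnoreCase);
        return Stored.Where(s => re.IsMatch(s)).ToArray();
    }

    // No regex at all: case-insensitive exact comparison.
    static string[] FindExact(string email)
    {
        return Stored.Where(s => string.Equals(s, email, StringComparison.OrdinalIgnoreCase)).ToArray();
    }

    static string Run(Func<string, string[]> find, string email)
    {
        try { return "[" + string.Join(", ", find(email)) + "]"; }
        catch (ArgumentException ex) { return "error: " + ex.GetType().Name; } // invalid pattern
    }

    static void Main()
    {
        // The typo from the story, the real address in another case, and a typo
        // that is not a valid regular expression.
        foreach (var input in new[] { "best.mom@bestbox.net", "BEST_MOM@bestbox.net", "best(mom@bestbox.net" })
        {
            Console.WriteLine(input);
            Console.WriteLine("  unescaped: " + Run(FindUnescaped, input));
            Console.WriteLine("  escaped:   " + Run(FindEscaped, input));
            Console.WriteLine("  exact:     " + Run(FindExact, input));
        }
    }
}
```

With the unescaped pattern the typo matches both stored addresses, so a single-result lookup returns whichever record comes first, and the unbalanced parenthesis raises an exception instead of returning no match.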