And where's the QA? I wonder if it's standard protocol to test against such things
This is a classic wtf, well done.
What makes it worse is that arbitrary SQL can STILL be executed using the EXEC( CHAR(##) + CHAR(##) + ... + CHAR(##) ) trick. Combine this with xp_cmdshell and life starts to get a little dangerous. Oh, and Community Server must die. Apologies to Cato.
Somehow, I'm not the least bit surprised.
You get what you pay for ;-P
That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!
So I'm guessing it also didn't like the name Jenidatabasefer.
It's PHP; however, this still fails to excuse the WTF in question.
preg_match is a PHP function. The syntax here seems to be PHP. I'm inclined to think so when the original description indicates it's a web app (not that you can't write a web app in C#). In addition, the $varname[] = "new value" is a PHP shorthand way of adding a new element to the end of an array.
Looks more like PHP to me, though it's a nice one!
Spectacular problem solving skills.
Here is an assertion: outsourced developers are neither better nor worse than local developers. However, if the guy who wrote this code was local, you wouldn't let him touch the coffee maker, much less the source code (assuming your company isn't an internal WTF). The remote developers don't care who writes the code as long as the project is complete. As such, I have no worries about outsourcing, and neither should any good developer.
function entireScrewedUpApplication($source) {
Say hello to PHP. IMHO, this problem could have been solved better with Javascript. It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.
...and this, my friends, is why I come to this site.
What we have here is a failure of imagination. See "Enumerating Badness:"
http://www.ranum.com/security/computer_security/editorials/dumb/
Very bad, it should have been spotted that the line
How can these people understand Perl regular expression syntax but not escaping characters?

Especially when PHP makes that so easy.
And lo, Internet Jesus wept.
I am a HUGE fan of outsourcing. Especially OFFWORLD outsourcing!
http://www.twonails.com/~jdieter/gudcodium.html
I think you should not rely on client-side Javascript validation only, for it is possible to modify the post data or query string (which bypasses the Javascript validation). You should always check server side (although not as posted, of course).
//IMHO should be something like that:
Good catch, DJ Mike, but I think you may have missed the dripping sarcasm in the parent post.
Re: Injection Rejection, 2006-05-16 16:17, by eddiedatabaseboston
Best. Reply. Ever.
Think mysqli_prepare(). By the way, WTF is the "i" doing in there? I haven't done PHP since the early 4.x days, and I sure don't remember that.
On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button? (not to start the whole "the real WTF is the forum software" thing again...)
> Even for overseas programmers that is shameful.
You think so? It's indented and legible, which is more than we've gotten back from outsourced overseas programmers. Seriously. C/Java with no indenting whatsoever. Would that waste precious disk space?
OMG - Let's just leave the front door open, turn on the lights, and place signs leading them right to the data. I guess these guys must have thought SQL Injection was some kind of new inoculation against Bird Flu! Whatever happened to good ole N-tier solutions and stored procs? I know this won't stop all attacks but at least it will thwart a good many of them.
It says that for non-registered/non-signed-in users. On a different note, it won't let me log in. It doesn't complain, it just simply ignores my attempt, as if I don't have cookies enabled. Which I do, of course. CAPTCHA: broken
they could have at least checked for spaces before and after the words because "seth" wouldn't mean anything to the database, right?
//bad sql found -- hack attept! Abort
I love nested WTFs
The \s's mean they tried. There are multiple WTFs here. The biggest one is the design. The implementation contains a few gems though.
MySQLI is a new, OOP interface for PHP/MySQL. It requires PHP >= 5 and MySQL >= 4.1. And yes, it has features to make avoiding SQL injection easier. But even with the old-style MySQL interface, it's not *that* hard. I guess some people just shouldn't be programmers.
Awesome. Simply awesome.
First, I'll echo what's already been said:
- The managers got what they paid for.
- It's not outsourcing that's the problem, it's people who work for half the price of real programmers that's the problem. This is why outsourcing isn't a (significant) threat. Good developers cost roughly the same worldwide.

Some things that haven't been said: I must give a huge and hearty congratulations to the testing team, for having SQL injection checks in their test plan. It's scary how many web houses aren't even aware of the concept. I don't know how literal Alex's explanation of the WTF is (remember, he frequently changes some facts around to protect the guilty), but I would think that tracking down the problem was as easy as searching the code base for the text "Invalid text was entered. Please correct." Unless that exact text is used in multiple places (which I would believe).

Overall, though, a beautiful tale of the archetypal results of outsourcing to save money. The bugs, the handholding, the cost overrun... it covers everything.
I bet those programmers never heard of "Amanda", "Seth", or "George".
On another note, suddenly I can't log in.
The Real WTF Is The Forum Software™ 2.0 Yesterday I was allowed to sign in, but the "remember me" check box didn't do anything--I wouldn't be signed in when I came back. Today, I can't sign in at all. captcha is "broken". :)
Think they heard of "Paula"?
If they haven't logged in but only supplied a name, they will become 'anonymous'. Notice how my 'first' post which was deleted by Gene Wirchenko (sincerely I am sure) still has my login in my second and now first post.
Doubtful. "Parva," maybe.
Re: Injection Rejection, 2006-05-16 16:43, by Daniel Vandersluis
I don't know if it was via anonymizing or what, but the regex won't even work as advertised -- the implode() is wrapped in []+ which means that it's looking for one or more letters that exist in any of those words or the | character (ie [create|database|table...]+ ). That means that even names like 'Will' will fail too... ;) Of course, they could just be even worse than it appears, and mess up their regex themselves... ;)
And why is there no search for a ['] or a [;] ? 10 minutes on google with the keyword 'hack' would have led straight to that. Do they not use that in SQL 'overseas'?
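To make the character-class point above concrete, here is an added example (not code from the article or from the posters; the original is PHP, this uses Python's re module, whose semantics for [...] and (?:...|...) are the same as PCRE's here). The keyword list is an assumption reconstructed from words the thread mentions (create, database, table, and, or, set, in); the real list is not shown on this page. It builds both the regex as the thread describes it (implode() wrapped in []+) and the whole-word alternation the author presumably meant, and runs a few constructed inputs through each.

```python
import re

# Keyword list assumed from this thread's comments; the original code's
# list is not on the page, so treat this as illustrative only.
BAD_WORDS = ["create", "database", "table", "and", "or", "set", "in"]

# As the thread describes the original: join with "|" and wrap in []+ .
# That is a character class of the letters c r e a t d b s n o i and "|",
# repeated one or more times, not an alternation of words.
BROKEN_RE = re.compile(r"[" + "|".join(BAD_WORDS) + r"]+", re.IGNORECASE)

# What was presumably intended: any of the words, as whole words.
INTENDED_RE = re.compile(r"\b(?:" + "|".join(BAD_WORDS) + r")\b", re.IGNORECASE)


def rejected_by_broken(value: str) -> bool:
    """True if the character-class version flags the input as 'bad SQL'."""
    return BROKEN_RE.search(value) is not None


def rejected_by_intended(value: str) -> bool:
    """True if the whole-word alternation flags the input."""
    return INTENDED_RE.search(value) is not None


def compare(values):
    """Map each input to (rejected_by_broken, rejected_by_intended)."""
    return {v: (rejected_by_broken(v), rejected_by_intended(v)) for v in values}


if __name__ == "__main__":
    # Constructed sample inputs: two ordinary names, one name made of letters
    # outside the class, one classic injection, and one the keyword list misses.
    samples = ["Will", "Amanda", "Fuzz", "x' or 1=1", "' UNION ALL SELECT 1 --"]
    for text, (broken, intended) in compare(samples).items():
        print(f"{text!r:28} broken={broken!s:5} intended={intended}")
```

The broken pattern rejects "Will" and "Amanda" (any single letter from the class is enough) yet lets "Fuzz" through, because none of its letters are in the class. The intended pattern accepts the names and catches "x' or 1=1", but still passes "' UNION ALL SELECT 1 --", since neither UNION nor SELECT is in the list: a blacklist is wrong in both directions, which is why the thread keeps pointing at prepared statements instead.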
Wouldn't that still allow people to use an injection attack but just require them to create their own "page" to submit it?
Sure you ought to use some client-side validation, but you still need to defend against the attack on the server side. |
Diet pepsi out the nose hilarious.
Alex does not like the "First!" posts. Your second post was marginal. Sincerely, Gene Wirchenko
<Sarcasm>
Perhaps a different approach to stuff like security is warranted. Instead of constantly battling stupid developers and hackers in order to protect precious data from prying eyes, why not encrypt the whole thing using public algorithms (eg: RSL), and just expose everything with public read access - only those with the key can make use of it. </Sarcasm> Seriously though, when management teams with whom I've worked were considering outsourcing, I've tried to make them understand that it's not just the cost they must consider, but the relative experience of the developers/managers who will be doing/managing the actual work. A team of cheap rookies won't beat the quality (or even total costs) of a team of expensive (but experienced) veterans who have done it before.
Well 'Pauline' has an IN. And they decided that 'AND' and 'OR' were bad, but 'IN', 'JOIN', and 'UNION ALL' are OK? WTF?
You didn't quote who you're referring to... but PHP is server side.
This is hardly an international problem. I see this all the time with programmers in multiple languages. I think the biggest flaw with calling them "Prepared Statements" is that people immediately look up the tech and say, "My database doesn't support Prepared Statements". And so they don't use them. I've known so many PHP, Perl, and Java programmers who only use string concatenation for SQL statements. It's frightening.
Please, if you use PHP use the PEAR database abstraction classes, and please always use prepared statements.
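Several posts above (mysqli_prepare(), the MySQLI note, and the PEAR/prepared statements plea) make the same point: send the value separately from the SQL text instead of pasting it in. This is an added example, not code from the article or from any poster; it uses Python's built-in sqlite3 module rather than PHP/MySQL so it runs offline, and the users table and its rows are constructed for the demonstration. It shows the string-concatenation lookup beside the parameterized one and runs the same injected input through both.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, card TEXT)")
    con.executemany(
        "INSERT INTO users (name, card) VALUES (?, ?)",
        [("Amanda", "4111-0001"), ("Seth", "4111-0002"), ("George", "4111-0003")],
    )
    return con


def lookup_concat(con, name):
    """The vulnerable pattern: the user's text becomes part of the SQL itself.
    Any quote in `name` ends the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_param(con, name):
    """The fix: a placeholder in the statement, the value passed separately.
    The driver never lets the value be parsed as SQL, so no blacklist is needed
    and names like Amanda, Seth, or George need no special handling."""
    return [row[0] for row in con.execute("SELECT name FROM users WHERE name = ?", (name,))]


def demo():
    """Run a legitimate name and a classic injection through both lookups."""
    con = make_db()
    attack = "' OR '1'='1"
    return {
        "legit_concat": lookup_concat(con, "Amanda"),
        "legit_param": lookup_param(con, "Amanda"),
        "attack_concat": sorted(lookup_concat(con, attack)),
        "attack_param": lookup_param(con, attack),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:14} -> {rows}")
```

With the concatenated query the injected input returns every row in the table (the WHERE clause has become name = '' OR '1'='1'); with the placeholder it returns nothing, because the database looks for a user literally named "' OR '1'='1". The same idea is what mysqli_prepare() and PEAR's prepare()/execute() give you in PHP.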
For all you clever kids trying to deduce whether this is C# or not,
it's very similar to Java (in loathsomeness as well as syntax). The differences involve stuff that's probably over your heads (e.g. delegates). But just for starters, it's a statically type-checked language that doesn't have f*****g dollar signs in the f*****g identifiers. WTF...?
function checkForBadSql($sqlcode)
Let me clarify that: C# is very similar to Java in loathsomeness and syntax.
It's important to disambiguate the antecedent there, lest some shambling halfwit try to convince me that I meant to say the WTF PHP code was "very similar to Java".
Please say that's a joke :/