Comment On Top-grade, SHA1 Encryption

Paul B always thought of himself as a moderately-paid consultant. With no real overhead, a policy against ties when meeting with prospective clients, and a general pickiness about the projects he'll take on, his rates tend to be pretty low. One company that looked right up his alley was a mid-sized manufacturing company that wanted a custom webshop. They went to the highly-paid consultants in town, but weren't too happy with the six-figure price tag. Paul's quote was in the five-figure range, which he felt was pretty moderate given that it was a several-month project. Of course, the company wasn't too happy with his quote either, so they searched high and low for a three- or four-figure price. They eventually found one overseas.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:19 • by Marine
First! Sounds a blast - how on earth did this company even get a project if they are this bad? I'd hate to see the rest of the code!

Re: Top-grade, SHA1 Encryption

2011-08-15 09:23 • by GettinSadda
At least it will make SQL injection just a tiny bit harder, as an extra bracket is required that the hacker would not expect.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:33 • by MiffTheFox
68a6a81ff9352dad1909c2907451fb726886328b

0323094163a8ecd15bf19efe081cf793ec345376

Re: Top-grade, SHA1 Encryption

2011-08-15 09:35 • by ted (unregistered)
Clearly the WTF is SHA1 encryption. This would've been far better:

$result = mysql_query(
"SELECT * FROM users " .
" WHERE SHA1(ROT13(username)) = SHA1(ROT13('" . $_REQUEST["username"] . "')) " .
" AND SHA1(ROT13(password)) = SHA1(ROT13('" . $_REQUEST["password"] . "'))");

Re: Top-grade, SHA1 Encryption

2011-08-15 09:36 • by Dani (unregistered)
356998 in reply to 356993
GettinSadda:
At least it will make SQL injection just a tiny bit harder, as an extra bracket is required that the hacker would not expect.

"Check your sql syntax near `SHA1('1' OR 1=1 --`"
So much harder

CAPTCHA: damnum, a damn number?

Re: Top-grade, SHA1 Encryption

2011-08-15 09:36 • by RealUlli (unregistered)
356999 in reply to 356991
There are more than enough low-paid devs out there turning out code this bad. Unfortunately, there's a market for them, too...

At a guess, it was either some beginner who'd read the basic examples for SQL programming or someone similar from some offshore company...

Captcha: damnum (kinda fitting... ;-)

Re: Top-grade, SHA1 Encryption

2011-08-15 09:38 • by My Name Is Missing (unregistered)
You get what you pay for (are you listening Verizon?)

Re: Top-grade, SHA1 Encryption

2011-08-15 09:40 • by octo (unregistered)
357001 in reply to 356997
ted:
Clearly the WTF is SHA1 encryption. This would've been far better:

$result = mysql_query(
"SELECT * FROM users " .
" WHERE SHA1(ROT13(username)) = SHA1(ROT13('" . $_REQUEST["username"] . "')) " .
" AND SHA1(ROT13(password)) = SHA1(ROT13('" . $_REQUEST["password"] . "'))");


Sssh, Nagesh might actually do this

Re: Top-grade, SHA1 Encryption

2011-08-15 09:42 • by Stev (unregistered)
And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:44 • by I don't get it (unregistered)
Why did Paul turn down the offer to have him rewrite the system? It's not like he'd have to keep the SQL injection holes open.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:45 • by Craig (unregistered)
357005 in reply to 357002
They are storing it in plaintext. They are only encrypting it after they pull it out of the database in plain text.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:50 • by Obvious joe (unregistered)
357006 in reply to 357002
You do know that query implies that the username and password are plain text...

Re: Top-grade, SHA1 Encryption

2011-08-15 09:52 • by Dani (unregistered)
357007 in reply to 357005
Craig:
They are storing it in plaintext. They are only encrypting it after they pull it out of the database in plain text.


They are not pulling it out of the database in plain text... they are sending the plaintext password to the database, then encrypting both (the one they sent and the one present in the database) and then comparing the encryptions.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:56 • by Some Dude (unregistered)
357009 in reply to 357007
Dani:
Craig:
They are storing it in plaintext. They are only encrypting it after they pull it out of the database in plain text.


They are not pulling it out of the database in plain text... they are sending the plaintext password to the database, then encrypting both (the one they sent and the one present in the database) and then comparing the encryptions.


That still means they are in the DB in plain text though.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:57 • by ') OR 1=1 -- (unregistered)
Why can't I login with my username? It's just "') OR 1=1 -- ".
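The two faults the thread keeps circling (passwords stored as plaintext and merely hashed inside the WHERE clause, and a username of `') OR 1=1 -- ` that matches every row because the query is built by string concatenation) can be shown side by side with a hardened version. The block below is an added example and is not code from the article, from Paul, or from any commenter; it assumes a login query of the shape the commenters describe and uses SQLite with a registered SHA1() function so the query runs unchanged, with constructed sample users and PBKDF2 as the stand-in password hash (bcrypt or Argon2 would be the usual production choices).

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; these are not real credentials.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]
# The "username" a commenter above tries to log in with.
INJECTION_USERNAME = "') OR 1=1 -- "


def _sha1_hex(value):
    # Stand-in for MySQL's SHA1() so the thread's query shape runs on SQLite.
    return hashlib.sha1(str(value).encode()).hexdigest()


def build_legacy_db():
    """The thread's schema: usernames and passwords stored as plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SHA1", 1, _sha1_hex)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def legacy_login(conn, username, password):
    """The pattern under discussion: concatenated SQL, hashing done in the WHERE clause.

    Returns the usernames the query matches (more than one means injection worked)."""
    sql = ("SELECT username FROM users WHERE SHA1(username) = SHA1('" + username + "') "
           "AND SHA1(password) = SHA1('" + password + "')")
    return [row[0] for row in conn.execute(sql)]


def hash_password(password, salt=None):
    """Salted, slow hash stored in place of the plaintext (assumed format: salthex$digesthex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


# Verified against when the username is unknown, so timing does not reveal which usernames exist.
DUMMY_HASH = hash_password("")


def build_hardened_db():
    """Same accounts, but only the salted hash is at rest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, hash_password(p)) for u, p in SAMPLE_USERS])
    return conn


def hardened_login(conn, username, password):
    """Parameterized lookup, hash comparison done in application code; returns the username or None."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row is not None else DUMMY_HASH
    ok = verify_password(password, stored)
    return username if (row is not None and ok) else None


def stored_credential(conn, username):
    """What the database actually holds for a user (second column of either schema)."""
    row = conn.execute("SELECT * FROM users WHERE username = ?", (username,)).fetchone()
    return row[1] if row is not None else None


if __name__ == "__main__":
    legacy, hard = build_legacy_db(), build_hardened_db()
    print("legacy, injected username matches:", legacy_login(legacy, INJECTION_USERNAME, "x"))
    print("legacy, at rest:", stored_credential(legacy, "alice"))
    print("hardened, injected username matches:", hardened_login(hard, INJECTION_USERNAME, "x"))
    print("hardened, at rest:", stored_credential(hard, "alice"))
```

The SHA1() in the original WHERE clause buys nothing: the database column still holds the plaintext, and the hash is recomputed from it on every login. The two changes that matter are moving the password from the query text into a bound parameter and storing a salted slow hash so a dump of the table does not yield passwords.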

Re: Top-grade, SHA1 Encryption

2011-08-15 09:58 • by C-Octothorpe
Nagesh strikes again...

Re: Top-grade, SHA1 Encryption

2011-08-15 09:59 • by frits
Congratulations, you've discovered an application of SHA-1 as a two-way hashing algorithm.

Re: Top-grade, SHA1 Encryption

2011-08-15 09:59 • by Your Name (unregistered)
357013 in reply to 357001
octo:
ted:
Clearly the WTF is SHA1 encryption. This would've been far better:

$result = mysql_query(
"SELECT * FROM users " .
" WHERE SHA1(ROT13(username)) = SHA1(ROT13('" . $_REQUEST["username"] . "')) " .
" AND SHA1(ROT13(password)) = SHA1(ROT13('" . $_REQUEST["password"] . "'))");


Sssh, Nagesh might actually do this


What is Sssh? Secure SSH?

Re: Top-grade, SHA1 Encryption

2011-08-15 10:00 • by Bobby Tables (unregistered)
Hey there, my name is "Robert'); DROP TABLE Students;-- "

Re: Top-grade, SHA1 Encryption

2011-08-15 10:02 • by Nagesh (unregistered)
357018 in reply to 357001
octo:
ted:
Clearly the WTF is SHA1 encryption. This would've been far better:

$result = mysql_query(
"SELECT * FROM users " .
" WHERE SHA1(ROT13(username)) = SHA1(ROT13('" . $_REQUEST["username"] . "')) " .
" AND SHA1(ROT13(password)) = SHA1(ROT13('" . $_REQUEST["password"] . "'))");


Sssh, Nagesh might actually do this

Not being to understand the problem with this system. Thinking to be SHA1 (standard security algorithm being successor to MD5 hash) perfect solution for scenario??? Hackers must be to using the back door common for implementations in such system where necessary.

Re: Top-grade, SHA1 Encryption

2011-08-15 10:10 • by Those who live in glass houses... (unregistered)
I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obfuscation. Now STFU.

And this is for all you pathetic jackwagons posting in SHA1:

68a6a81ff9352dfd1910c2907451fb726886328b

Re: Top-grade, SHA1 Encryption

2011-08-15 10:13 • by dohpaz42
357023 in reply to 357003
I don't get it:
Why did Paul turn down the offer to have him rewrite the system? It's not like he'd have to keep the SQL injection holes open.


I agree; Paul could have just ditched the existing code and rewritten it as if it were a fresh contract. TRWTF is Paul turning the job down.

Re: Top-grade, SHA1 Encryption

2011-08-15 10:15 • by Bobby's mom (unregistered)
357025 in reply to 357016
Bobby Tables:
Hey there, my name is "Robert'); DROP TABLE Students;-- "

Hiya, Bobby Tables!

Re: Top-grade, SHA1 Encryption

2011-08-15 10:21 • by Phil (unregistered)
I think this was done entirely on purpose by a programmer who knows what he needs. One does not need encryption, the database is probably protected by a password already!

But why the SHA1 encryption before comparison, you might ask? Well, it's quite obvious: backwards compatibility! Some user might have found a SHA1 collision and now has the habit of being able to use two passwords on the sites that don't salt the password before hashing. We don't want to break that user's expectations, right?

Don't be too fast to judge someone, always give the benefit of doubt. ;)

Re: Top-grade, SHA1 Encryption

2011-08-15 10:24 • by Adam Parker (unregistered)
These SHA1 jokes don't work as well as the Base64 jokes.

Re: Top-grade, SHA1 Encryption

2011-08-15 10:34 • by QJo (unregistered)
So, metaphorically speaking: they have a fully-security-approved multi-lock front door, but neglected to use any cement in the brickwork. Shouldn't be a problem, of course; criminals are first and foremost gentlemen and would not dream of using an alternative means of entry into a dwelling but the conventional one.

Re: Top-grade, SHA1 Encryption

2011-08-15 10:36 • by hoodaticus
357035 in reply to 357033
So the little piggies were penny-wise and hired outsourced labor to build a straw house, and then the big bad wolf came and huffed and puffed and blew their house in.

Re: Top-grade, SHA1 Encryption

2011-08-15 10:57 • by A Gould (unregistered)
357038 in reply to 356999
RealUlli:
There are more than enough low-paid devs out there turning out code this bad. Unfortunately, there's a market for them, too...


And there always will be, as long as there are companies that think they can go two orders of magnitude cheaper and think they'll get similar quality.

In contrast, people will spend six-figures for a really nice car, and five-figures for a decent car. If you're only spending four-figures you automatically wonder what's wrong with it.

Re: Top-grade, SHA1 Encryption

2011-08-15 11:00 • by C-Octothorpe
357043 in reply to 357038
A Gould:
RealUlli:
There are more than enough low-paid devs out there turning out code this bad. Unfortunately, there's a market for them, too...


And there always will be, as long as there are companies that think they can go two orders of magnitude cheaper and think they'll get similar quality.

In contrast, people will spend six-figures for a really nice car, and five-figures for a decent car. If you're only spending four-figures you automatically wonder what's wrong with it.
Reminds me of the saying: Fast, Cheap, and Good. Pick two...

Re: Top-grade, SHA1 Encryption

2011-08-15 11:29 • by Some damn Yank (unregistered)
So, if I join this site do I get the option to hide all posts from zunesis? Or should I just erase The Daily WTF from my bookmarks and get back to work?

No, really - if I can't block his posts, I'll simply stop coming here.

captcha: plaga. zunesis is a plaga upon this site.

Re: Top-grade, SHA1 Encryption

2011-08-15 11:43 • by Patrick Magee (unregistered)
PHP and mysql... and an overseas dev/sweatshop too...

What a surprise.

Re: Top-grade, SHA1 Encryption

2011-08-15 11:53 • by QJo (unregistered)
357069 in reply to 357038
A Gould:
RealUlli:
There are more than enough low-paid devs out there turning out code this bad. Unfortunately, there's a market for them, too...


And there always will be, as long as there are companies that think they can go two orders of magnitude cheaper and think they'll get similar quality.

In contrast, people will spend six-figures for a really nice car, and five-figures for a decent car. If you're only spending four-figures you automatically wonder what's wrong with it.



You can of course get a decent car in Britain for four figures. Our workmanship is so much better. (Let's ignore the fact that the currencies are such that "4 figures" in the UK may be considerably more than 4 figures in the US.)

Re: Top-grade, SHA1 Encryption

2011-08-15 11:56 • by QJo (unregistered)
357071 in reply to 357057
Some damn Yank:
So, if I join this site do I get the option to hide all posts from zunesis? Or should I just erase The Daily WTF from my bookmarks and get back to work?

No, really - if I can't block his posts, I'll simply stop coming here.

captcha: plaga. zunesis is a plaga upon this site.


I agree. (Goodness gracious, cranky Brit agrees with damn Yank. Must be a first.)

Re: Top-grade, SHA1 Encryption

2011-08-15 11:57 • by redblacktree (unregistered)
I once heard a story about the quality of Indian developers that explained a lot. A consultant that we worked with at my current employer told me of his experience working directly with software engineers in India (that is, in-country, not over the phone).

He was trying to get some of his teammates to read some software engineering texts like Code Complete, and no one would do it. Eventually, one of them broke down in frustration from being nagged and said, "Look, Bob. In this company's culture, you aim for management. If three years have passed, and you're still a developer, you failed."

So there seems to be a company (if not broader) culture that does not reward engineers. Many companies in the US (including mine) are implementing dual-track career ladders, so that purely technical people can achieve the same rate of pay and benefits as upper-level management. I highly doubt that a similar thing is happening at any Indian developer sweatshops.

So, yeah, I'm not surprised that working with continually neophyte engineers produces crappy projects. Noobs are noobs wherever you go. It's just that in the states, noobs eventually become the experienced engineers. In India, they become managers.

Perhaps these Indian managers could learn something from Herbert Hoover:
"Engineering ... it is a great profession. There is the fascination of watching a figment of the imagination emerge through the aid of science to a plan on paper. Then it moves to realization in stone or metal or energy. Then it brings jobs and homes to men. Then it elevates the standards of living and adds to the comforts of life. That is the engineer's high privilege.

The great liability of the engineer compared to men of other professions is that his works are out in the open where all can see them. His acts, step by step, are in hard substance. He cannot bury his mistakes in the grave like the doctors. He cannot argue them into thin air or blame the judge like the lawyers. He cannot, like the architects, cover his failures with trees and vines. He cannot, like the politicians, screen his shortcomings by blaming his opponents and hope the people will forget. The engineer simply cannot deny he did it. If his works do not work, he is damned....

On the other hand, unlike the doctor his is not a life among the weak. Unlike the soldier, destruction is not his purpose. Unlike the lawyer, quarrels are not his daily bread. To the engineer falls the job of clothing the bare bones of science with life, comfort, and hope. No doubt as years go by the people forget which engineer did it, even if they ever knew. Or some politician puts his name on it. Or they credit it to some promoter who used other people's money ... but the engineer himself looks back at the unending stream of goodness which flows from his successes with satisfactions that few professionals may know. And the verdict of his fellow professionals is all the accolade he wants."

Re: Top-grade, SHA1 Encryption

2011-08-15 12:17 • by derby (unregistered)
357076 in reply to 357002
Stev:
And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.


is my sarcasm detector broken ... because it's still plaintext in the db.

Re: Top-grade, SHA1 Encryption

2011-08-15 12:21 • by Childish (unregistered)
357078 in reply to 357002
Stev:
And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.


You do realize that the WHERE clause has a temporary SHA1 encoding? It's the plaintext passwords that are permanent in the database.

Re: Top-grade, SHA1 Encryption

2011-08-15 12:43 • by Jack (unregistered)
357084 in reply to 357033
QJo:
So, metaphorically speaking: they have a fully-security-approved multi-lock front door, but neglected to use any cement in the brickwork. Shouldn't be a problem, of course; criminals are first and foremost gentlemen and would not dream of using an alternative means of entry into a dwelling but the conventional one.
Car analogy fail.

Re: Top-grade, SHA1 Encryption

2011-08-15 12:47 • by TechNeilogy (unregistered)
This reminds me of a *hypothetical* security fail we came up with one time. Imagine a marginal coder deciding it would be a good idea to error check *each character* on a password field as the user typed it in.

Re: Top-grade, SHA1 Encryption

2011-08-15 12:47 • by Lee (unregistered)
357088 in reply to 357057
Some damn Yank:
So, if I join this site do I get the option to hide all posts from zunesis?
grep -v

Oh, you're not using Lynx? Sucks to be you...

Re: Top-grade, SHA1 Encryption

2011-08-15 12:52 • by Carl (unregistered)
357090 in reply to 357072
redblacktree:
in the states, noobs eventually become the experienced engineers. In India, they become managers.
Oh goodie, does that mean we can outsource our managers to India? That would fix a lot!

Re: Top-grade, SHA1 Encryption

2011-08-15 13:03 • by [anti-ipod]sis (unregistered)
357094 in reply to 357088
Lee:
Some damn Yank:
So, if I join this site do I get the option to hide all posts from zunesis?
grep -v

Oh, you're not using Lynx? Sucks to be you...

How well does that work?

And yes, being him does involve a form of sucking...

Re: Top-grade, SHA1 Encryption

2011-08-15 13:29 • by airdrik (unregistered)
357106 in reply to 357084
Jack:
QJo:
So, metaphorically speaking: they have a fully-security-approved multi-lock front door, but neglected to use any cement in the brickwork. Shouldn't be a problem, of course; criminals are first and foremost gentlemen and would not dream of using an alternative means of entry into a dwelling but the conventional one.
Car analogy fail.

A: not all analogies are about cars.
B: Actually it isn't really that bad of a car analogy: a car that has a security-approved multi-lock front door, made with bricks but lacking cement...

Re: Top-grade, SHA1 Encryption

2011-08-15 13:44 • by Beta (unregistered)
357117 in reply to 357003
I don't get it:
Why did Paul turn down the offer to have him rewrite the system?


Perhaps because once he saw just how technically inept and tight-fisted management was, he didn't want to spend the next few months fighting them over dimes and explaining that he couldn't just "fix the bugs" in a day.

Re: Top-grade, SHA1 Encryption

2011-08-15 13:49 • by Beta (unregistered)
357120 in reply to 357090
Carl:
redblacktree:
in the states, noobs eventually become the experienced engineers. In India, they become managers.
Oh goodie, does that mean we can outsource our managers to India? That would fix a lot!


How could an overseas manager lose at golf to a vice-president? I've had managers I could have replaced with a very small shell script, if only I could have gotten past that hurdle.

Re: Top-grade, SHA1 Encryption

2011-08-15 14:12 • by Matt Westwood
357130 in reply to 357087
TechNeilogy:
This reminds me of a *hypothetical* security fail we came up with one time. Imagine a marginal coder deciding it would be a good idea to error check *each character* on a password field as the user typed it in.


PML. "A", nope, doesn't start with "A". "B", nope, "C", aha. "CA", nope, "CB", nope, ...

I remember once pointing out to my boss that the login process, as programmed by a contractor, which went something like "The username was correct but the password was not" (or words to that effect), was less than optimal, but he didn't understand what I was trying to point out. Comms fail.
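The per-character check TechNeilogy imagines and the "username correct but password not" message Matt Westwood describes are both partial-answer leaks, and the damage can be counted. The block below is an added example, not code from the article or from either commenter: it assumes a constructed three-letter password over a 26-letter alphabet to keep the numbers readable, and models the two login styles as plain functions so the guess counts can be compared.

```python
import hmac
import itertools
import string

ALPHABET = string.ascii_uppercase   # constructed: small alphabet, readable counts
SECRET = "CAB"                      # constructed sample password, not a real credential
USERS = {"alice": SECRET}           # constructed account table


def per_character_oracle(secret, attempt):
    """The 'hypothetical' check: tells the caller how many leading characters are right."""
    matched = 0
    for a, b in zip(attempt, secret):
        if a != b:
            break
        matched += 1
    return matched, (len(attempt) == len(secret) and matched == len(secret))


def whole_password_check(secret, attempt):
    """The sane check: one yes/no answer for the whole password, compared in constant time."""
    return hmac.compare_digest(secret.encode(), attempt.encode())


def guesses_with_prefix_oracle(secret, alphabet=ALPHABET):
    """Guesses needed when each character is confirmed as typed: at most len * |alphabet|.

    Returns (guess_count, recovered_password)."""
    prefix, guesses = "", 0
    while len(prefix) < len(secret):
        for ch in alphabet:
            guesses += 1
            matched, _ = per_character_oracle(secret, prefix + ch)
            if matched > len(prefix):
                prefix += ch
                break
    return guesses, prefix


def guesses_with_whole_compare(secret, alphabet=ALPHABET):
    """Guesses needed when only the whole password is judged: up to |alphabet| ** len."""
    for guesses, candidate in enumerate(itertools.product(alphabet, repeat=len(secret)), start=1):
        if whole_password_check(secret, "".join(candidate)):
            return guesses
    return None


def leaky_failure_message(username, password):
    """The contractor's style: a different message for each failing half."""
    if username not in USERS:
        return "unknown username"
    if not whole_password_check(USERS[username], password):
        return "username correct but password was not"
    return "ok"


def uniform_failure_message(username, password):
    """Hardened style: every failure reads the same, and a dummy compare runs for unknown users."""
    ok = whole_password_check(USERS.get(username, ""), password) and username in USERS
    return "ok" if ok else "invalid username or password"


if __name__ == "__main__":
    print("prefix oracle:", guesses_with_prefix_oracle(SECRET))
    print("whole compare:", guesses_with_whole_compare(SECRET))
    print(leaky_failure_message("alice", "X"), "|", leaky_failure_message("mallory", "X"))
    print(uniform_failure_message("alice", "X"), "|", uniform_failure_message("mallory", "X"))
```

With the per-character oracle the worst case is 3 x 26 = 78 guesses; with a whole-password answer it is 26^3 = 17576, and the gap widens exponentially with length. The message pair shows the same principle one level up: confirming that the username was right halves the attacker's problem.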

Re: Top-grade, SHA1 Encryption

2011-08-15 15:33 • by Coyne
Why? Why do so many programmers even bother to pretend they know anything about security? They might just as well be honest about it:


$result = mysql_query(
"SELECT * FROM users " .
" WHERE SECURITY_PRETENSE(username) = SECURITY_PRETENSE('" . $_REQUEST["username"] . "') " .
" AND SECURITY_PRETENSE(password) = SECURITY_PRETENSE('" . $_REQUEST["password"] . "')");

Re: Top-grade, SHA1 Encryption

2011-08-15 15:50 • by C-Octothorpe
357157 in reply to 357155
Coyne:
Why? Why do so many programmers even bother to pretend they know anything about security? They might just as well be honest about it:


$result = mysql_query(
"SELECT * FROM users " .
" WHERE SECURITY_PRETENSE(username) = SECURITY_PRETENSE('" . $_REQUEST["username"] . "') " .
" AND SECURITY_PRETENSE(password) = SECURITY_PRETENSE('" . $_REQUEST["password"] . "')");
Because when you're BSing someone, you really only need to know 1% more than the other person to impress them. And because this 1% impresses manager/PM types who have heard the words SHA, encryption, SQL, etc., but don't know how the pieces fit together.

Re: Top-grade, SHA1 Encryption

2011-08-15 16:06 • by Arthur de Jong (unregistered)
357161 in reply to 357003
Why did Paul turn down the offer to have him rewrite the system?

The core of the problem is the customer. They tried to find the cheapest company and apparently didn't care about quality. Those are not the most ideal customers.

Re: Top-grade, SHA1 Encryption

2011-08-15 16:08 • by PedanticCurmudgeon
The Law of the Internet (Troll or be trolled) appears to be in full force today.

Re: Top-grade, SHA1 Encryption

2011-08-15 16:10 • by [anti-ipod]sis - above and beyond the call of duty! (unregistered)
357163 in reply to 357162
PedanticCurmudgeon:
The Law of the Internet (Troll or be trolled) appears to be in full force today.
Shove it up your ass, you self-promoting fag.
