• Bus Raker (cs)
    Bus Raker:

    Bad bad bad!

    First i think

    And where's the QA?  I wonder if it's standard protocal to test against such things

  • ax (unregistered)

    This is a classic wtf, well done.

  • Maurits (unregistered)

    What makes it worse is that arbitrary SQL can STILL be executed using the

    EXEC( CHAR(##) + CHAR(##) + ... + CHAR(##) )

    trick.  Combine this with xp_cmdshell and life starts to get a little dangerous.

    Oh, and Community Server must die.  Apologies to Cato.

  • GoatCheez (cs)

    Somehow, I'm not the least bit surprised.

    You get what you pay for ;-P

  • toddhilehoffer (cs)

    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!

  • Zic (unregistered)

    So I'm guessing it also didn't like the name Jenidatabasefer.

  • Kehvarl (unregistered) in reply to toddhilehoffer
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    it's PHP, however this still fails to excuse the WTF in question.
  • sinistral (cs) in reply to toddhilehoffer
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    preg_match is a PHP function.  The syntax here seems to be PHP.  I'm inclined to think so when the original description indicates it's a web app (not that you can't write a web app in C#).  In addition, the $varname[] = "new value" is a PHP shorthand way of adding a new element to the end of an arrya.
  • ClickHeRe (cs) in reply to toddhilehoffer

    Looks more like PHP to me, though it's a nice one!

  • joe bruin (unregistered) in reply to ax

    Spectacular problem solving skills.

    Here is an assertion: outsource-developers are neither better nor worse than local developers.  However, if the guy who wrote this code was local, you wouldn't let him touch the coffee maker, much less the source code (assuming your company isn't an internal WTF).  The remote developers don't care who writes the code as long as the project is complete.

    As such, I have no worries about outsourcing, and neither should any good developer.

  • TomCo (cs)
      function entireScrewedUpApplication($source) { 
        $result = veryNull;
        if($source eq "out") { $return = "to sender"; } /* Return Outsourced Work to Sender */
        else                 { $return = "file not found"; } /* We can't fix it either! */
        return $result;
      }
    
  • Zic (unregistered) in reply to toddhilehoffer
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.
  • John Bigboote (cs)

    ...and this, my friends, is why I come to this site.

  • Maurits (unregistered)

    What we have here is a failure of imagination.  See "Enumerating Badness:"
    http://www.ranum.com/security/computer_security/editorials/dumb/

  • Jonathan (unregistered)
    <font face="Arial">Very bad, it should have been spotted that the line </font>

    $badSqlCode[] = 'handler';

    <font face="Arial">is made redundant by the line</font>

    $badSqlCode[] = 'and';

    <font face="Arial">:-)</font>

  • Gnpatton (unregistered)

    How can these people understand perl regular expresion syntax but not escaping characters?

  • sinistral (cs) in reply to Gnpatton
    Anonymous:
    How can these people understand perl regular expresion syntax but not escaping characters?


    Especially when PHP makes that so easy.
  • Volmarias (cs) in reply to Gnpatton

    And lo, Internet Jesus wept.

  • Code Commando (unregistered)

    I am a HUGE fan of outsourcing. Especially OFFWORLD outsourcing!

    http://www.twonails.com/~jdieter/gudcodium.html



  • DJ Mike B (unregistered) in reply to Zic

    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    I think you should not rely on client side Javascript validation only, for it is possible to modify the post data or query string (which bypasses the javascript validation).

    You should always check server side (although not as posted of course).

  • --Tei (unregistered)
    //IMHO sould be something like that:

    $post["name"] = $_POST["name"];

    $sql["name"] = mysql_real_escape($post["name"]);
    $sql = 'SELECT IdUser FROM dat_users WHERE Name="'+ $sql["name"] + '"';

  • WTF Batman (unregistered) in reply to DJ Mike B
    Anonymous:

    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    I think you should not rely on client side Javascript validation only, for it is possible to modify the post data or query string (which bypasses the javascript validation).

    You should always check server side (although not as posted of course).



    Good catch, DJ Mike, but I think you may have missed the dripping sarcasm in the parent post.
  • eddiedatabaseboston (unregistered) in reply to Zic
    Anonymous:
    So I'm guessing it also didn't like the name Jenidatabasefer.


    Best. Reply. Ever.

  • WTF Batman (unregistered) in reply to --Tei
    Anonymous:
    //IMHO sould be something like that:

    $post["name"] = $_POST["name"];

    $sql["name"] = mysql_real_escape($post["name"]);
    $sql = 'SELECT IdUser FROM dat_users WHERE Name="'+ $sql["name"] + '"';




    Think mysqli_prepare().

    By the way, WTF is the "i" doing in there? I haven't done PHP since the early 4.x days, and I sure don't remember that.

  • eddieboston (cs) in reply to eddiedatabaseboston
    Anonymous:
    Anonymous:
    So I'm guessing it also didn't like the name Jenidatabasefer.


    Best. Reply. Ever.



    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?
    (not to start the whole "the real WTF is the forum software" thing again...)
  • Sizer (unregistered) in reply to toddhilehoffer

    > Even for overseas programmers that is shameful.

    You think so? It's indented and legible, which is more than we've gotten back from outsourced overseas programmers.

    Seriously. C/Java with no indenting whatsoever. Would that waste precious disk space?

  • Kodi (cs)

    <FONT face=Tahoma size=2>OMG - Let's just leave the front door open, turn on the lights, and place signs leading them right to the data.  I guess these guys must of thought SQL Injection was some kind of new innoculation against Bird Flu ! </FONT>

    <FONT face=Tahoma size=2>What ever happend to good ole N-tier solutions, and stored procs. I know this won't stop all attacks but at least it will thwart a good many of them.</FONT>

     

     

  • WTF Batman (unregistered) in reply to eddieboston
    eddieboston:
    Anonymous:
    Anonymous:
    So I'm guessing it also didn't like the name Jenidatabasefer.


    Best. Reply. Ever.



    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?
    (not to start the whole "the real WTF is the forum software" thing again...)


    It says that for non-registered/non-signed-in users. On a different note, it won't let me log in. It doesn't complain, it just simply ignores my attempt, as if I don't have cookies enabled. Which I do, of course.

    CAPTCHA: broken
  • xrT (cs)

    <FONT face=Tahoma size=2>they could have at least checked for spaces before and after the words because "seth" wouldn't mean anything to the database, right?


    <FONT face="Times New Roman" size=3>

    GoatCheez:
    Somehow, I'm not the least bit surprised.

    You get what you pay for ;-P


    </FONT>
    i think it's not just about the cost, somehow, another factor is the management of the deliverable...
    unless the deliverables are managed off-site too...in that case i'll certainly agree...
    </FONT>

  • kmerkle (cs)

    //bad sql found -- hack attept! Abort

     

    I love nested WTFs

  • Maurits (unregistered) in reply to xrT
    xrT:
    They could have at least checked for spaces before and after the words


    The \s's mean they tried.

    There are multiple WTFs here.  The biggest one is the design.  The implementation contains a few gems though.
  • bcat (unregistered) in reply to WTF Batman
    Anonymous:
    Anonymous:
    //IMHO sould be something like that:

    $post["name"] = $_POST["name"];

    $sql["name"] = mysql_real_escape($post["name"]);
    $sql = 'SELECT IdUser FROM dat_users WHERE Name="'+ $sql["name"] + '"';




    Think mysqli_prepare().

    By the way, WTF is the "i" doing in there? I haven't done PHP since the early 4.x days, and I sure don't remember that.



    MySQLI is a new, OOP interface for PHP/MySQL. It requires PHP >= 5 and MySQL >= 4.1. And yes, it has features to make avoiding SQL injection easier. But even with the old-style MySQL interface, it's not *that* hard. I guess some people just shouldn't be programmers.
  • VGR (cs)

    Awesome.  Simply awesome.

    First, I'll echo what's already been said:

    • The managers got what they paid for.

    - It's not outsourcing that's the problem, it's people who work for half the price of real programmers that's the problem.  This is why outsourcing isn't a (significant) threat.  Good developers cost roughly the same worldwide.

    Some things that haven't been said:

    I must give a huge and hearty congratulations to the testing team, for having SQL injection checks in their test plan.  It's scary how many web houses aren't even aware of the concept.

    I don't know how literal Alex's explanation of the WTF is (remember, he frequently changes some facts around to protect the guilty), but I would think that tracking down the problem was as easy as searching the code base for the text "Invalid text was entered.  Please correct."  Unless that exact text is used in multiple places (which I would believe).

    Overall, though, a beautiful tale of the archetypal results of outsourcing to save money.  The bugs, the handholding, the cost overrun... it covers everything.
  • frosty (unregistered) in reply to Maurits

    I bet those programmers never heard of "Amanda", "Seth", or "George".

    On another note, suddenly I can't log in.

  • kipthegreat (unregistered) in reply to WTF Batman
    Anonymous:
    eddieboston:
    Anonymous:
    Anonymous:
    So I'm guessing it also didn't like the name Jenidatabasefer.


    Best. Reply. Ever.



    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?
    (not to start the whole "the real WTF is the forum software" thing again...)


    It says that for non-registered/non-signed-in users. On a different note, it won't let me log in. It doesn't complain, it just simply ignores my attempt, as if I don't have cookies enabled. Which I do, of course.

    CAPTCHA: broken


    <font size="4">The Real WTF Is The Forum Software™ 2.0</font>
    Yesterday I was allowed to sign in, but the "remember me" check box didn't do anything--I wouldn't be signed in when I came back.  Today, I can't sign in at all.

    captcha is "broken".  :)
  • WeatherGod (unregistered) in reply to frosty
    Anonymous:
    I bet those programmers never heard of "Amanda", "Seth", or "George".


    Think they heard of "Paula"?

  • Bus Raker (cs) in reply to eddieboston

    eddieboston:
    Anonymous:
    Anonymous:
    So I'm guessing it also didn't like the name Jenidatabasefer.


    Best. Reply. Ever.



    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?
    (not to start the whole "the real WTF is the forum software" thing again...)

    If they haven't logged in but only supplied a name, they will become 'anonymous'.  Notice how my 'first' post which was deleted by Gene Wirchenko (sincerely I am sure) still has my login in my second and now first post. 

  • John Bigboote (cs) in reply to WeatherGod
    Anonymous:
    Anonymous:
    I bet those programmers never heard of "Amanda", "Seth", or "George".


    Think they heard of "Paula"?



    Doubtful. "Parva," maybe.
  • Daniel Vandersluis (cs) in reply to Bus Raker

    I don't know if it was via anonymizing or what, but the regex won't even work as advertised -- the implode() is wrapped in []+ which means that it's looking for one or more letters that exist in any of those words or the | character (ie [create|database|table...]+ ). That means that even names like 'Will' will fail too... ;)

    Of course, they could just be even worse than it appears, and mess up their regex themselves... ;)

  • Bus Raker (cs)

    Alex Papadimoulis:

      if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
      {
        //bad sql found -- hack attept! Abort
        $ERROR_TEXT = "Invalid text was entered. Please correct.";
        return 0;
      }

    And why is there no search for a ['] or a [;]   ?  10 minutes on google with the keyword 'hack' would have led straight to that.  Do they not use that in SQL 'overseas'?

  • 604 (unregistered) in reply to Zic

    Wouldn't that still allow people to use an injection attack but just require them to create their own "page" to submit it?  

    Sure you ought to use some client-side validation,  but you still need to defend against the attack on the server side.

  • Bob (unregistered) in reply to eddiedatabaseboston

    Diet pepsi out the nose hilarious.

  • Gene Wirchenko (cs) in reply to Bus Raker
    Bus Raker:
    eddieboston:
    On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?

    (not to start the whole "the real WTF is the forum software" thing again...)

    If they haven't logged in but only supplied a name, they will become 'anonymous'.  Notice how my 'first' post which was deleted by Gene Wirchenko (sincerely I am sure) still has my login in my second and now first post.


    Alex does not like the "First!" posts.  Your second post was marginal.

    Sincerely,

    Gene Wirchenko

  • codeman (cs)

    <Sarcasm>

    Perhaps a different approach to stuff like security is warranted.

    Instead of constantly battling stupid developers and hackers in order to protect precious data from prying eyes, why not encrypt the whole thing using public algorithms (eg: RSL), and just expose everything with public read access - only those with the key can make use of it.

    </Sarcasm>

    Seriously though, when management teams with whom I've worked were considering outsourcing, I've tried to make them understand that it's not just the cost they must consider, but the relative experience of the developers/managers who will be doing/managing the actual work. A team of cheap rookies won't beat the quality (or even total costs) of a team of expensive (but experienced) veterans who have done it before.

  • Bus Raker (cs) in reply to WeatherGod

    Anonymous:
    Anonymous:
    I bet those programmers never heard of "Amanda", "Seth", or "George".


    Think they heard of "Paula"?

    Well 'Pauline' has an IN.

    And they decided that 'AND' and 'OR' were bad, but 'IN', 'JOIN', and 'UNION ALL' are OK?

    WTF?

  • kipthegreat (unregistered) in reply to 604
    Anonymous:
    Wouldn't that still allow people to use an injection attack but just require them to create their own "page" to submit it?  

    Sure you ought to use some client-side validation,  but you still need to defend against the attack on the server side.


    You didn't quote who you're referring to... but PHP is server side.
  • Tim (unregistered)

    This is hardly an international problem. I see this all the time with programmers in multiple languages. I think the biggest flaw with calling them "Prepared Statements" is that people immediately look up the tech and say, "My database doesn't support Prepared Statements". And so they don't use them. I've known so many php, perl, and java programmers who only use string concatentation for SQL statements. It's freightening.
    Please, if you use php use the PEAR database abstraction classes, and please always use prepared statements.

  • Ram's Bladder Cup (unregistered)

    For all you clever kids trying to deduce whether this is C# or not, it's very similar to Java (in loathsomeness as well as syntax). The differences involve stuff that's probably over your heads (e.g. delegates).

    But just for starters, it's a statically type-checked language that doesn't have f****g dollar signs in the f****g identifers. WTF...?

    function checkForBadSql($sqlcode)
    {
    global $CONTEXT, $ERROR_TEXT;



  • Ram's Bladder Cup (unregistered) in reply to Ram's Bladder Cup

    Let me clarify that: <font size="5">C#</font> is very similar to Java in loathsomeness and syntax.

    It's important to disambiguate the antecedent there, lest some shambling halfwit try to convince me that I meant to say the WTF PHP code was "very similar to Java".

  • Will (unregistered) in reply to Zic
    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressing but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    Please say that's a joke :/

Leave a comment on “Injection Rejection”

Log In or post as a guest

Replying to comment #:

« Return to Article