Admin
You won't see JCL here, as there's no room for a WTF. It either runs or it doesn't.
Admin
Also, your attitude is a prime reason why the developer who wrote this likely didn't ask anybody if there was a better way to protect against SQLi.
Admin
Or MUMPS.
Admin
--
So... The real question I have, which was reasonably called out as not clear, is: what would prevent a person who is familiar with coding within a particular paradigm from understanding (at least generally -- nuance notwithstanding, obviously) a piece of code from the same paradigm in a language with which they are not specifically familiar?
CAPTCHA: paratus "Mea argumentum non paratus."
Admin
http://en.wikipedia.org/wiki/SQL_Injection
Admin
Or Haskell... I'll just leave out the link, and direct anyone who wants to hurt themselves so badly to Google...
Admin
Lack of knowledge is always the root cause, which can happen because of a lack of training, of best practices like code reviews, of the use of code analysis tools, etc.
I'm not defending him, I'm just against that attitude which is a reason (not the only reason) why some developers do shit like this.
Admin
CAPTCHA: erat "QED"
Admin
But I do have an interesting anecdote about Haskell:
Admin
Sanitizing inputs is so '00s. Let's learn new things.
Admin
I can definitely say that I can't understand some Javascript that I've written myself.
Admin
Let's assume that Tim's QuoteStringForDatabase properly escapes single quotes, and all other magic characters that the db engine recognizes, if any.
Under what circumstances would this function not work but prepared statements would?
Admin
If user names and passwords are not allowed to have embedded spaces, as the first test is apparently enforcing, then all the tests for "or" with a space before or after are redundant. If names and passwords are allowed to have an embedded space and the first test isn't supposed to be there, then the "or" tests would prohibit, say, someone named "george orwell" from using his own name, but most names would pass. This would be rather mysterious to the poor user. It asks for his name, he types it in, and the system replies "SQL INJECTION ATTACK DETECTED! GO AWAY, BOBBY TABLES!"
Admin
Exactly why it's a wtf! It prevents what should be acceptable behavior, while not solving the root problem.
As for your previous question, input cleansing is not a completely reliable method and there are ways that people can still bypass those methods.
The flipside of your question is what is the harm in having prepared statements? There is not much harm in having your database components being aware of the architecture of the database they are connecting to, and if you need to replace the database system then you may likely have to replace your database component with it anyway. It's still a perfectly valid and modular solution, and much less pain than trying to construct the query (in my opinion) anyway.
I think I may have the best CAPTCHA of the day:
Mara: Japanese slang for pen0r.
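The two questions above (when would an escaping/blacklist function fail where prepared statements would not, and why "george orwell" gets rejected) can be seen side by side in a small runnable example. This is added code, not from the original post or from TDWTF; it uses Python's sqlite3 module as a stand-in for PDO prepared statements, and the `blacklist_rejects` function is a hypothetical reconstruction of the checks described in the thread (reject embedded spaces, reject "or" next to a space), not the article's actual code.

```python
import sqlite3

# Constructed sample user table; "OR'" is the username from the thread
# that a quote-hostile check would refuse but a real user might pick.
USERS = [("george orwell", "pw1"), ("OR'", "pw2"), ("alice", "pw3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def blacklist_rejects(value):
    """Hypothetical reconstruction of the thread's checks: no embedded
    spaces, and no 'or' with a space before or after it."""
    low = value.lower()
    return " " in value or " or" in low or "or " in low


def lookup_concat(conn, name):
    """The pattern the article mocks: user data spliced into the SQL text,
    so the data can change the statement's structure."""
    sql = "SELECT password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()


def lookup_prepared(conn, name):
    """Parameter binding: the driver sends name as a value; it is never
    parsed as SQL, so no blacklist or escaping step is needed."""
    return conn.execute(
        "SELECT password FROM users WHERE name = ?", (name,)
    ).fetchone()


def compare(name):
    """Run all three approaches against one username and report."""
    conn = make_db()
    result = {"blacklisted": blacklist_rejects(name)}
    try:
        result["concat"] = lookup_concat(conn, name)
    except sqlite3.Error as e:
        # The quote in the name broke the statement itself.
        result["concat"] = "error: " + type(e).__name__
    result["prepared"] = lookup_prepared(conn, name)
    return result
```

"george orwell" is refused by the blacklist although both queries handle it fine (the false positive from the thread), while "OR'" slips past the blacklist, breaks the concatenated statement, and is looked up correctly by the parameterised one.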
Admin
Yep, prepared statements and parameter binding all the way...
Admin
Is that the same as a parameterized query? I think that's what I did in my homebrew craptacular web 'site'. Hey, it works, and it's never suffered an injection yet.
Admin
More or less. (Maybe I should type more above the link?)
http://php.net/manual/en/pdo.prepared-statements.php
(Hello, Akismet! My CAPTCHA was verto.) (Hi again, verto sounds like green in Franglish.) (What more do you want from me?)
Admin
Or do you mean "it's never suffered an injection yet that was so serious it made the evening news and the hackers gloated all over twitter and stuff and I had to pay out $9 million to the victims of all the compromised records plus nobody trusts me any more."
Admin
Punks!
I can definitely say that I can't understand the Javascript written out by a Perl program I wrote myself, and I can't understand the Perl either. What's more, I'm fairly certain the Perl program was supposed to emit Haskell in the first place...
Admin
Every problem child, faced with self, says: "I know what to do. I'll use regular expressions!"
Then problem children have twins.
Admin
This is a humor site. It has jokes.
Admin
I know for a fact that in some countries, you cannot sign off on a building drawing before you have at least several years' experience as a junior engineer. A doctor usually spends years looking over the shoulder of a more experienced physician. Even if you want to drive a forklift, you need to have a certification before you are allowed anywhere near that thing. For almost any profession you care to name, a long track of apprenticeship and learning is considered normal. But when it comes to websites, apparently the attitude is "well, he should just be able to figure it out on his own and everyone should be kind and gentle when a mistake is made".
Maybe I do have a 'shitty, holier than thou' attitude. But if so, only because I too made this mistake, many years ago. I learned from that, but not before thousands of users lost their data. I know first-hand how dangerous it can be to work on something without understanding the fundamentals. Which is why, in my opinion, anyone working as a (web) developer should also pass some form of exam, demonstrating at least a basic understanding of things like input validation.
And input validation is not just limited to web development. I daresay it is even more important when working on system kernels, and it is downright essential for that man working on radiotherapy machines: just imagine a user is able to enter the intensity of radiation. The program expects a dot decimal separator, but the user enters a comma. The program ignores the comma and 5,10J becomes 510J and the patient is fried. So you blacklist? Great, any input containing a comma is rejected. Now a physician who used a different machine enters 5:10J, it is again interpreted as 510J and the patient is once again fried. You keep adding different characters to the blacklist, and people keep getting fried because the input is in some different format (someone used a different character encoding, or wrote in Chinese, etc.). If you really think that proper input validation is limited to web development, I fear you are the ignorant one here.
Bottom line: some principles are so fundamental that there is simply no excuse for not learning them. Sometimes that means listening to the experienced guys tell you how it works and what to do; no, nobody likes admitting ignorance, but a bruised ego heals much more easily than ten million leaked credit cards.
Admin
I read that last line as being sarcastic. I'm giving the author the benefit of the doubt; I'm sure they realised there are built-in PHP functions for escaping SQL strings.
Captcha: Tristique - sadly, sorrowfully (like the feeling you get after rewriting a library function)
Admin
I have to 2nd that. Javascript code has the magical ability to confuse even its writer, with comments in place (nested callbacks, anyone?)
On another note, that code just seems like the norm here, after surfing TDWTF for awhile.
Admin
' OR strpos LIKE 0 anyone? :)
Admin
A lot of the people who visit this site are WebDevelopers, not Programmers. They may think they are capable of reading the CodeSOD articles but need some explaining.
Admin
George Orwell is stored as GeorgeOrwell (with the space removed) and this is what is subsequently checked.....
Admin
The problem with old programmers who think they know more than web developers is usually evident on their first web site effort. The old programmers are the ones scrambling to find a teenager who understands Javascript and CSS.
Admin
You had me at the first code block. I guess idiots speak every language.
Admin
I can't believe so many people are advocating the use of stored procedures. What is it with you guys? If you're using them to validate your input, then you've got some serious issues. Perhaps they might be appropriate if you've never heard of frameworks, and blindly assume that you will never have to maintain your website after it's been built, but really they are far more pain than they are worth.
I've been dealing with a PHP project that uses stored procedures (hundreds and hundreds of them) for the last two years, which has proven to me that the concept is completely flawed for PHP programming. Not only do you have many issues with repeating yourself ad nauseam (which means that if you try to modify any part of the database you have to modify loads of stored procedures, and you invariably miss one, which breaks the client site when it goes live), but if you write the stored procedure to the website as the wrong user then you won't be able to dump the database later on as a different user.
In order of how problematic different approaches are, I would rate the types as follows:
As an indication, I can write a simple CRUD admin system for a database table in around 60 minutes if using stored procedures, and 1 minute if using my framework of choice. Also the framework one is more secure, and quicker to update later on.
Seriously, do yourself a favour and check out some different frameworks. I use CakePHP but there are loads of other ones out there. They will take your programming up a couple of levels, in way less time than you might think.
Admin
Stupid cunting troll who needs his nuts kicked out of his gob. If you come anywhere near any of the programs I'm responsible for I'll fucking kill you, you fucking shithead.
Admin
Beware of the clan!!! http://obrienclan.com/
Admin
Real WTF is that you're building a DB query using string concatenation in the first place. Why can't a username be "OR'"? You should be using stored procedures and parameter passing, not concatenating strings. -- I really hope you're validating against HTMLi/JSi as well... I'd guess you are not from the code snippet.
Admin
It's not about using sprocs to validate your input -- it's about them not being vulnerable to SQLi in the first place.
Admin
I have a good grounding in C-like languages, such as C++ and Java and I know a bit of other languages (lua, BASIC, etc.) but I stay the hell away from anything remotely webby, like PHP and even anything beyond simple HTML because it's not something I'm particularly interested in - so for me, this WTF wasn't completely obvious, although from the context I had an idea as to what the WTFer was trying to do and didn't - I just didn't know why.
I'm thankful to the people who have explained it, I've learned a little something and if 5 or 10 years down the line I happen to be asked to "take a look at" some PHP, there's a chance this little nugget will pop up and I'll have a vague idea where to look, rather than just going "hurrr, dunno anything about PHP". There is absolutely no shame in asking questions about something you don't understand, especially when the site in question revolves around the people who don't understand it in the first place.
It's for the same reason that quip about regex went over so many people's heads - if you just don't know PHP, you're sure as hell not going to know best practices in PHP.
Admin
Really? YOU have issues - PREPARED STATEMENTS are not STORED PROCEDURES. Prepared statements are completely different.
PHP Data Objects. Google it.
Admin
...actually, every time I see something like this, I wonder if I'm doing it wrong, or just people don't get how simple it can be... I run every user input through htmlspecialchars($blah, ENT_QUOTES), and I NEVER got any SQL injection by using this (I tried to attack one of my sites using this by all SQLi methods I know of, none worked).