- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
The SQL injection calls presume that the parameters are user input. You're absolutely right that there's no way to be sure of this.
It not being vulnerable to SQL injection presume that that homeId isn't a concatenated string of user fields where they fill in their address and, for god knows what reason, that ID is "221BBaker StreetLondon" and status isn't something like: "renting", "owned", "2nd home" or something like that. These all are huuuuge WTFs, but you can't assume they aren't, just because they would be, otherwise. (And that's one nice sentence!)
Admin
I refer you to my post with 9 WTFs outlined. Now that's 9 WTFs for every 15 lines of code. According to my calculator, he's fucking up at least 60% of the time. That's pretty bad, IMHO...
Also, SQL injection isn't the only WTF, but it is a biggie, and having a toxic "someone else will do it" attitude about security is why IT is in the state that it's currently in. I call it "security by passing the buck".
Have you ever heard of trust boundaries or canonicalization? Yes, I would parse and sanitize it every time. That's the whole point of stored procs or prepares statements. When the data from the UI passes to the DB, it should be sanitized, period. It's doesn't cost much and the ramifications of getting p0wned via SQL injection to shave off 6 miliseconds is just dumb. Sorry...
Admin
hey, well while we're having fun inventing flaws in this code simply because there is no proof that they don't exist, lets list some more which I've made up:
I'm sure there are many other bugs which people could imagine about this application.
Admin
Unlikely...
You're either a manager or a CS grad/student... Isn't it funny how it's hard to tell the difference?
Admin
You could do "Where Not Exists (<row with a higher value>)".
Were you looking for one of those? Either one has the advantage of letting you find a different value from the row than the one you checked was the max; that's a more useful test question than "pretend this feature doesn't exist."
Admin
Ok, if that's what you want to do... Personally, I like to base my observations on facts.
Admin
Admin
So, you prefer using your own sanitization code (or worse yet - sanitization code written by the same person who wrote this code) rather than the sanitization code written by the ADO.NET team?
There's a right way to do sanitization. It's at the layer that talks to the database. It's not hard to do. With tools like Enitiy Framework it's hard not to do sanitization!
If you want to add sanitization at higher levels too, be my guest. But there's a "first line of defense" that should exist at your DAL.
Just because your code isn't going to pass unsanitized data doesn't mean that someone else isn't going to. This is particularly true for ASP.NET services (Fiddler) as well as any program written in .NET (Reflector).
Admin
return i;
At first I read that as return 1;
If anything was going to make that code better it would have been THAT!
Besides we all know that the best way to do this would have been to pull the whole table back into a typed dataset then filter it and THEN do a foreach on it...
Admin
I think that will select the top record and then order the output. Maybe:
SELECT TOP 1 column FROM (SELECT column FROM table ORDER BY column DESC);
Admin
That's often the problem though. Just because you can't think of a way to pass bad data, doesn't mean someone malicious can't or won't. If you're doing some shite black-list implemenation looking for "javascript" tags in your impout, then I can simply avoid your filter by typing in java script or JavaSCRiPt, or whatever permutation of that. There is a lot to data sanitization, and people much smarter than us wrote and thoroughly tested code (ADO.NET team) so we wouldn't have to write our own half-baked implementation...
Admin
Yes, but what if there are more than 1 with the same largest value?
You should do a "SELECT DISTINCT TOP 1 FROM table ORDER BY column DESC;"
Or depending on the flavor of SQL, you might need "WHERE ROWNUM = 1" instead of TOP 1.
--Joe
Admin
I respect your other 8 points.. but when you and others say that this is vulnerable to sql injection, this is not based on fact. There is absolutely no evidence of this. The closest you can get is to say that you cannot determine whether it is vulnerable or not - which is hardly a compelling argument.
Admin
Sounds like Nov 10, 2007 in Dilberts conference room ...
Admin
Admin
no idea what this is based on, but whether an internet troll finds it unlikely or not, it is the case.
.. and for all the people offering solutions, you are all more or less coming up with the same answer, which is the one I had in mind. It always suprised me that others couldn't think of this, but maybe that is the pressure of an interview situation.
Admin
Admin
Your solution is indeed cleaner, but in reality it shouldn't matter. The example was looking for the largest value from a single column. If the full return set comes back as
12748 12748 12748 9486 3741 15 4
then TOP 1 will still return the value that I need.
Again, yours is indeed cleaner, but I'll still get the value I need.
EDIT: To clarify, it will return just the first instance of 12748 -- not all three.
Admin
You mipsselled "MROON! MROON! MROON!"
Admin
I think we can conclusively state that this function is vulnerable. The overall program, maybe not at the moment, but somebody adds a SQL keyword to the list of statuses, and the program breaks.
Admin
Oh man, I hope you're trolling.a
Admin
What's so difficult to understand? Is this piece of code vulerable to SQLi? Yes, absolutely it is. Is the consumer always going to pass trusted data? Who knows...
The trouble is that you're basing your views on an uncertanty, which is what you claim "everybody else" is doing wrong... Personally, I would rather not trust the caller and be sure that I can handle safe, malicious and garbage data.
I guess you're far more trusting than myself and everybody else, including security experts, are...
You're also failing to think about the junior devs who will maintain this code several years down the road. Do they know about sqli? Probably not. But at least you can be sure you're piece of code is written safely and can handle it.
Admin
Admin
The program is also broken if someone adds ""+(1/0) to the list of statuses.
Admin
Admin
Admin
I realize I may be lambasted for making assumptions, however based on this code, the values likely come from down-downs in the UI. And if this is web based, then you can easily toss in any value for the drop down using a simple proxy tool (I think someone already mentioned) like fiddler or paros. So a safe value like 'ACTIVE' for myStatus could easily be replaced with '-- drop table whatever', and it'll happily do as you request.
Admin
When you ask such narrowly focused questions on an interview, all you accomplish is that you determine whether the person can figure out the solution of which you are thinking. Any idiot can google the best algorithm for doing something.
A better approach is to figure out how the person goes about solving a problem with which they're not familiar. If they can think through a problem with a reasonable approach (and don't penalize for missing some subtle detail on a 30 second analysis), and they are personable, they'll probably make a good addition to your team.
Admin
I think I'm being trolled. My TrollMeter(tm) is pegged.
Nevertheless, in the event that my database experience is that rusty . . .
Why the hell does it matter? I'm looking for a single value returned from a single column. I'm not looking for its associated key value. If I get 12748 from a row that has a keyID of 3748 and then run the same query and get 12748 from a row with a keyID of 159938 what does it matter? It's still the maximum value in the column.
But I'm pretty sure I'm being trolled here . . . so I don't really know why I'm even answering.
Admin
Everyone knows about SQLi. There was an xkcd about it, so yes, even juniors.
Let's imagine you go ahead and put SQL sanitization at every level of this program, including internal functions like the one shown.
Years later, someone looks at it and thinks "What's with all the redundancy? I'm posting this to TDWTF!"
Perhaps it's more the program's structure that is in question? If you're re-sanitizing several times, I think something is wrong.
Admin
Hmm, that one was pretty dull. Yes, of couse he should have used count(*) and guarded against SQL injection. It's bad code, but it just doesn't rise to the level of mind-boggling stupid code that would make it funny.
Alex must be getting short on submissions.
Hey, I just came across a line of Java where the programmer wrote "x=x+1;" Ha ha! What a jerk! Didn't he know he could have just written "x++;"? Isn't that hysterical?
Admin
Admin
Yes, and that would be a problem if this code was used for that purpose.
And SQL-injection is always something to keep in mind.
But we have no idea if it applies or not.
I don't know, man... Sometimes I wonder what the point of this is.
Admin
SELECT -MIN(-theColumn) FROM theTable;
Admin
While we're unsure if the code needs to do sql injection prevention, how sure are we that this isn't the best way to count the rows? There could be some context-specific issue that resulted in this being necessary.
And the unused string reference: It may have been necessary in order to trigger some obscure side-effect, who knows?
Admin
simple test of response time of dbreader
Admin
Admin
And while we're at it, we can check a make sure the incoming string doesn't contain any arithmetic problems like "1/0". Or that the incoming table name isn't misspelled, 'cause later devs (damn juniors!) might misspell a table name and then everything's fucked!
Admin
Righteous indignation? Raucous indigestion? WTF?
Captcha: tego - for here to tego?
Admin
I'll have to say: websites like this are fairly popular amongst students. If you've seen the problem on here, there's a good chance they've heard of it.
Admin
Admin
No he does ot...becuse is usage is completely wrong.
First you do not need Close and Dispose. Second the implementation does not ensure that Dispose (or Close) is called in the event of an exception.
Using something WRONG is typically worse than not using it at all from a "grading/points" perspective.
Admin
So fuckin' predicable...
sQL injection! sql InJectiOn! sql 'n' jerkoFf!
Oh really, "SQL injection", what's that? No one else here has ever heard of it before! How smart you are for being aware of that!
pat on the head
Have a cookie, geniuses.
Admin
Clearly this is because embedded databases don't implement the Count function.
Captcha ideo ...where the code shows was clearly written by a richeos ideot
Admin
As others pointed out, the METHOD itself if vulerable. A caller of the method can subvert the functionallity.
This is what defense in depth is all about. You code based on the presumption that the parameters to each method can be "anything" from correct, to silly to downright attacks.
Admin
In every method/function on every level? For every type of parameter? Does anyone actually do that?
Admin
This guy deserve a MCM from Microsoft. Genius!
Admin
I don't see it as a narrow question. There are presumably many different methods of getting the correct result. This also does challenge problem solving skills. Anyone who could break it down into a few easier questions such as "how can I sort", "how can I select just 1 element", "how do I get the correct column" etc would get just about full marks as far as I would be concerned, giving the actual syntax is the icing on the cake.
Admin
yes, far too many assumptions. Such as the one where this application has a UI.
Admin
I have one thing to say to this: TDWTF.