Admin
YAY for SQL Injection.
Admin
Could it be frist?
Admin
I made this bullet-proof vest out of plain cotton, because everyone uses armour-piercing rounds nowadays plus it is easier this way.
Admin
So the idiot colleague thinks that an encrypted hashed hashed hashed encrypted password is more secure than one that is merely hashed. Wonderful.
Maybe someone should hash the colleague.
Admin
ftfy
Admin
I see what happened here. The developer is from Russia and took his ideas from the Matryoshka doll. Hence this pointless but funny crypt inside hash inside (blah,blah)...
Admin
I'm so confused! Second or third time now.. a story before noon! Did I get transported to another time zone or did Alex finally get a day job?
Admin
As we know, md5 has been broken and it is probably only a matter of time before sha1 and sha2 fall as well. So this code is future proof.
Now some would argue you shouldn't use md5 if you know it is borken, but that didn't stop us from using plaintext, did it?
Admin
Seriously. I was getting used to not getting an update until the afternoon. Maybe Alex got fired?
Admin
Not being bad idea to use multipal incription skemes. As haker, I am probable trying sha1 or md5 or base 64 decription skemes. Can it be finding ranebow tables for md5-sha1-sha2 hash?
I am thinking no.
Don't be a H8R.I undertake project in java, if you need help with homework, contact me.
Admin
It's a hash within a hash. Hashception.
Admin
Hint: if you didn't get the OR = reference and you call yourself a web developer, step away from the keyboard immediately and go get a job more suited to your knowledge and integrity, like maybe selling used cars.
Admin
I've heard people say this before. Can someone explain why this isn't more secure? I'm not arguing that it actually is. Security is not really my field, so I'd just like someone to give me the "For Dummies" overview of why this doesn't help.
My thought process (and clearly that of the guy who wrote it like this) would be that you'd have to brute force it multiple times AND know the exact order that the encryptions were applied.
I can't be the only one in the dark, so someone help the rest of us learn something new today.
Admin
Fail troll is fail, and your spelling is too atrocious even for Hinglish. Also the amusing (or sad?) part is that this Nagesh is copy/pasting that signature every time it posts.
To stay on topic: Developer is an idiot. 'Nuff said.
Admin
I don't 100% understand it, but I don't call myself a web developer either. But I feel like I only 52% understand it and would like to know more.
I get that you can do things like change the URL in your browser to tack something like OR 1=1 onto the end of a query to make a DB return all contents of a table (or in this case I guess it lets anyone in if this is entered in a password field?)
If you know of a good easy to read reference, can you share? Thanks.
Admin
No one care what you think neither if too lazy to evan read content.
Don't be a H8R.I undertake project in java, if you need help with homework, contact me.
Admin
For people whose browsers didn't wrap the code:
Admin
Performing multiple hashes can make it harder to brute force a password - because it adds a few milliseconds to your authentication process, but could add years to a brute force attack. Check out Key Stretching. Check out bcrypt as it has a built in mechanism to avoid the need for key stretching.
It's interesting because Moore's Law about computer speed doubling every so often means that an algorithm that is secure today may be brute forced in 10 years time when computers are faster.
Using different algorithms adds some strength in that if a vulnerability is discovered in one, it won't leave you open to attack.
Having a special hashing order like in this example gives you some security through obscurity - but you can't rely on that.
My PHP ain't great, but it looks like this guy has gone a little over the top. I reckon I'd "WTF" if I came across that - but it's not as shocking as people are making out.
Admin
Using several hashes is actually way more secure, but using crypt as final step can be a real problem, since it only considers the first 8 characters. If the md5 is hex-encoded, we just have to find a collision of the first 4 md5 bytes to login. (on the other hand the exact password can never be found)
Admin
Actually that's a common misconception people have. The concept of hashception is me planting the hash inside your hash without you knowing...
CAPTCHA: luctus - Dr House argued, "It's not luctus"
Admin
http://en.wikipedia.org/wiki/SQL_injection
The basics of it... to my understanding... is that the end product results in a query such as:
Replace the "userName" with something like 'or 1 = 1' ending up with something like:
Tack on a "robert'; drop table users; --" and you have http://xkcd.com/327/:
Admin
The concatenation operator in PHP is ".", not "+" (addition). Because of how the addition operator performs typecasting, that line is essentially equivalent to:
custom_step(123, $seed);
...except in cases where crypt returns a string that begins with "valid numeric data". Then it's the sum of the "valid numeric data" and 123 as the first argument. What counts as "valid numeric data"? Read this: http://sg.php.net/manual/en/language.types.string.php#language.types.string.conversion
Admin
Smart developers will just use parameterized queries and go home early.
Admin
giggity...
Admin
check = super_crypt (weak_crypt (user_input)) if check = super_crypted_password_in_database ...
Say weak_crypt only returns two bits, or a total of four possible values. Then it doesn't matter if super_crypt makes 16 passes and returns a 2048 byte string... there will still be only four possible values, and thus the hacker can pass the equals test in about 2 tries.
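The "two-bit weak_crypt" argument above, worked through as an added example (not code from the original thread): a constructed inner step that can only produce four values is wrapped in a strong outer step, and the number of distinct results the stacked function can ever return stays at four, however strong the outer layer. For contrast, the same candidate set is run through PBKDF2 (hashlib.pbkdf2_hmac, standard library), the kind of key stretching the earlier comment recommends, which adds work per guess without shrinking the output space.

```python
import hashlib
import itertools
import string


def weak_crypt(pw: str) -> bytes:
    """Constructed inner step with a 2-bit output (four possible values)."""
    digest = hashlib.sha256(pw.encode()).digest()
    return bytes([digest[0] & 0b11])


def super_crypt(data: bytes, passes: int = 16) -> str:
    """Strong outer step: 16 passes of SHA-512, hex-encoded (128 hex chars)."""
    for _ in range(passes):
        data = hashlib.sha512(data).digest()
    return data.hex()


def stacked(pw: str) -> str:
    """The stacked scheme from the comment: super_crypt(weak_crypt(pw))."""
    return super_crypt(weak_crypt(pw))


def stretched(pw: str, salt: bytes, iterations: int = 1_000) -> str:
    """Proper key stretching: iteration count raises cost, not collisions."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def candidate_passwords(n: int) -> list[str]:
    """Constructed candidate set: the first n three-letter lowercase strings."""
    gen = itertools.product(string.ascii_lowercase, repeat=3)
    return ["".join(t) for t in itertools.islice(gen, n)]


def distinct_stacked(passwords: list[str]) -> int:
    """How many different stored values the stacked scheme can produce."""
    return len({stacked(pw) for pw in passwords})


def distinct_stretched(passwords: list[str], salt: bytes) -> int:
    """How many different stored values PBKDF2 produces for the same inputs."""
    return len({stretched(pw, salt) for pw in passwords})


def guesses_to_pass_check(stored: str, candidates: list[str]) -> int:
    """Candidates tried until stacked(candidate) equals the stored value;
    the exact original password is irrelevant, any of its 'class' passes."""
    for i, pw in enumerate(candidates, start=1):
        if stacked(pw) == stored:
            return i
    return -1
```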
Admin
I am not even cliking link and already knew it was some cigarette linking XKCD.
**** off, you're not clever.
Admin
And now you know!
Admin
I won't keep you long... I'll keep you forever...
Admin
According to the article, in this particular case, you don't even have to add the SQL in the URL, you can just type it into the username field.
I don't know of an easy reference that explains everything you need to know about SQL injection. I do know the silver bullet, however: Never, ever ever use string concatenation to create SQL queries out of user input. Always, always use parameterized queries. And fire anyone who doesn't.
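The two login queries side by side, as an added example (not code from the thread, and using Python's sqlite3 rather than the PHP the article shows): a constructed users table, the concatenated query the thread criticises, and the parameterized form. The injected username is the `OR 1=1` case quoted earlier in the thread; the point is that the parameterized query treats it as a literal string and matches nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; password hashes are placeholder strings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alices-password"), ("bob", "hash-of-bobs-password")],
    )
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, pw_hash: str) -> int:
    """The vulnerable pattern: user input becomes part of the SQL text.
    Returns the number of matching rows; the app would treat >0 as 'logged in'."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone()[0]


def login_parameterized(conn: sqlite3.Connection, username: str, pw_hash: str) -> int:
    """The fix: placeholders keep the query shape fixed, input stays data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()[0]


# The username from the thread's example; the trailing '--' comments out
# the rest of the concatenated query so the password check disappears.
INJECTED_USERNAME = "' OR 1=1 --"


def compare(username: str, pw_hash: str) -> tuple[int, int]:
    """Run the same credentials through both versions and return both counts."""
    conn = make_db()
    return login_concatenated(conn, username, pw_hash), login_parameterized(conn, username, pw_hash)
```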
Admin
0,Vx2,Ax2 Now yer talkin'!
Admin
In addition to points already made, that $rand worries me. Is it going to be the same value every time? If so, WTF is it called $rand? If not, a user who gets his password right every time is still going to need luck to log in.
Admin
What is matryoshka doll? Is it like Barby?
Admin
Cargo Cult Programming!
Admin
Hey! C-Octo! Good to see ya!
I WANT TO FUCK YOUR BRAINS OUT!
Admin
The real smart developers don't even use SQL, they spin their own custom in-house database system, or use a slightly less obscure 3rd party database system.
The smart hackers will be put off when they realize the backend of the website is not even using SQL and will go off for an easier target.
It's not a popular view I know. But that's because the widespread belief that "industry standard" database systems using SQL should be chosen in development is pure dogma driven by a desire to not have to bother writing a DBS or to bother knowing how to write one.
Admin
:consfued:
Admin
Whoever's running Nagesh is really lonely today, isn't he?
Admin
Found it.
http://en.wikipedia.org/wiki/Matryoshka_doll
Admin
What makes you think it's one person?
Admin
Therein lies the security...
Admin
If only there were some kind of network where they could connect with each other and exchange pictures of their winkies or something.
Admin
Love me internet!