Admin
Am I blind, or did you just censor yourself on the word "crap"? That's....... wow. Words escape me.
There's a perfectly good reason for this: crap is a synonym for shit. Shit is "bad" word. At my enterprise we have to censor by proxy!
(The "quote" button apparently generated non-matching quote blocks. WTF?!)
Admin
I bet you're not allowed to say "Scunthorpe", either. I am, though.
SCUNTHORPE! SCUNTHORPE! SCUNTHORPE!
Can we have a funny place names thread now?
Simon
Admin
Ya, what kind of fucked up world are we living in when the word crap must be censored?
Admin
ok guys it seems the solution is as confusing as the puzzle so why not run the solution again i hear u ask well the answer to that one is i can't be bothered all i know is that revenger88 sucks cock also i should let you know this is from the infamous hacker who has also before now hacked a live on air show of the Simpsons on which he broadcast his own message on top of the program saying something along the lines of dave is a naughty boy and he will pay etc etc etc blah blah blah but as you may or may not have figured this is the hack code he used to get into the live broadcast systems and through the firewalls and past the encryptions so whoever found this code lives close to the hacker so anyway the solution is;

    function saveform()
    {
        var firstName = escapeSql(mainForm.elements.txtFirstName.value);
        var lastName  = escapeSql(mainForm.elements.txtLastName.value);
        /* ... */
        var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

        var code =
            ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
            '   or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
            ' $db = mssql_select_db($DB_NAME, $cn); ' +
            ' ' +
            ' if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\'' + ssn + '\'", $cn)) ' +
            ' { $ins = false; } ' +
            ' else ' +
            ' { $ins = true; } ' +
            ' ' +
            ' if ($ins) { ' +
            '   $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, ..., OFFERCD) VALUES ("; ' +
            '   $sql+= "\'' + firstName + '\',"; ' +
            '   $sql+= "\'' + lastName + '\',"; ' +
            '   $sql+= "\'' + offerCode + '\')"; ' +
            ' ' +
            '   /* ... */ ' +
            ' ' +
            '   mssql_query($sql, $cn); ' +
            '   mssql_close($cn); ';

        execPhp(code);
    }

see i told you anyway for further info get into a game called the universal and when in space type ?sechat ariya when you do this if anyone is online a list of names should appear if one of these names is smithy953 then you can talk to me ok have fun and run the solution if you wish
Admin
Can..everyone...stop..flaming..PHP..? (this is said in an exhaling way, thus the dots.)
PHP does require an effin virtual machine to run, it doesn't cost money and it runs on *NIX very well.
I.. am le tired.
Admin
Define "very well." What are you measuring? What are you comparing to? You're going to have to do a little better than that to convince me. Saying PHP runs "very well" is as valid as saying PHP is very pretty.
Which it isn't, by the way. PHP is ugly. Acne. Nose hair. Scrawny. I could go on...
sincerely,
Richard Milhouse Nixon
Admin
err... what you're describing there suggests that you should be using another language that HAS a security model like java - use a servlet for scalability and take advantage of the permissions model and the declarative security whereby the web domain roles can be mapped to a single (and therefore easier to control/manage) role that can perform the SQL. Injecting SQL (or any other code for that matter) is subject to not DoS attacks at the v.least. In java's trust model code must be signed (and accepted to run) if you want to 'inject' in this way and regardless, the developer would have to comply with this model and code it in from the start and developers would have to inject on the server and NOT from the client. Although I think Beanshell perhaps would negate this somehow? Not sure about that one.
Another problem with injecting code in this way is that it's prone to error - no matter how much security you put around ensuring legitimate use you can't account/protect for idiocy/mistakes. If you want to parameterise code in some way and have it customized by a client then cool - i think.
Yet another point (since this is a snippet) is that the execPhp() isn't listed. I know you can hide .js from a user which would presumably stop exposing insight into how the server is modelled - in this case table details.
Overall I feel that this guy has just played with something (as we all do) and rather myopically decided to roll it out in a client-exposed form. It says much about his employer (assuming he is employed) and their seemingly scant regard for peer-review.
-m.
Admin
Post protection...
Just leave the front door open and shoot the trespassers. :)
Admin
The first thing I would think of if I located such a kind of script on the web would be something like:
Who do I wanna flood with emails, or what IP needs to be packed?
Maybe get a directory structure and check the write permissions on those and, if there's enough space, make it into another warez page.
Admin
maldrich, you are a genius.
Admin
A little question to my fellow co-posters on TDWTF about morale issues:
If you noticed your (experienced and normally rather clever) coworkers create a similar system, would you
- warn them about the stupidity of this approach
or
- wait till it's done, then send it to Alex?
Admin
All of the above? [;)]
Admin
Along with pwning their development box and changing its startup sounds to something by Pete and Dud
Something from the end of this, for example (NOT safe for office browsing) http://stabbers.truth.posiweb.net/stabbers/audio/derek_and_clive/Peter_Cook_%2B_Derek_&_Clive_%2B_Worst_Job_He_Ever_Had_%2B_wwwDOTstabbersORG.mp3
Simon
Admin
Oh, yes, an assumption that devs/users are 'smart enough' has already become a trend in the LAMP/Web 2.0 land. Alas, this assumption is not always true, as you know.
As for Wordpress, its whole codebase together with plugins is just a 'Big Ball of Mud'. Almost every 10th line deserves to be posted on WTF frontpage.
Admin
Why?
Looks like they had better keep me very happy ;)
Admin
Every place you allow untrusted code to execute you create a new environment for security holes. Even if the user's privileges for modifying the data in the database are strictly limited, being able to execute PHP on the server gives them a much greater opportunity for launching attacks on other subsystems, other user accounts (especially since all the PHP scripts are running as the same user ID), and if you can combine it with a cross-zone attack in the browser you can put the blame on someone else.
Admin
running as a normal user, ...) you couldn't run Office, you couldn't print, you couldn't do anything, not even adjust your screen!
So I wouldn't be surprised at anything Windows programmers do if Microsoft themselves are so incompetent.
Admin
MSSQL has to run on Windows; the webserver could be on any OS that can run a webserver/CGI.
Admin
I did once run into a web site (some quite big HW manufacturer in Korea or something) that did SQL queries through Javascript. They took the values of some select lists and sent the query via POST.
Naturally you could also do a DELETE through it and it didn't take long before the company had no products available on their website...
Admin
Here's the server-side code:
Admin
mathematical functions perhaps? Eval("3x^2+2x+1") ??
Admin
STFU NUB STAIN
Admin
Why, oh why...my brains...they are melting...oh this insanity of mankind...will they ever learn .............. (8=X
Admin
That shit is seriously atrocious. He probably thought he was being damn clever too... how very very sad.
Admin
wow that's bad, note that execPhp(code); is a javascript function that sends the code to a php script to be executed, but perhaps the script removes out crap and only pulls out the query. It's still a stupid idea and a bad way to do this, but still it may not be as horrible as it looks like.
I'm going to pretend that this is fake, because I don't want to believe anyone would be that stupid.
Admin
Yeah, I agree with you.
Admin
I've seen some terrible code in my time but this really is stupid code! Like you I hope this isn't a live website, but if it is - I'm sure it won't be for long!
Admin
Perhaps >>stupid<< is too harsh a word, remember php and javascript are often the first and only programming languages that beginning and otherwise untrained programmers learn.
Maybe we should just call them Ignorant Fools instead.
Ignorant -- because they lack the knowledge to know any better.
Fools -- because they seem unwilling to learn...
On second thought, I guess Ignorant Fool is a synonym for Stupid. ;-o
Astonishingly enough, as FDR and others illustrate far too clearly, there are certainly plenty of people who qualify. I just want to know one thing FDR, what is the url of your site?? Do you have anything juicy for us to steal??? maybe some credit cards? Given your strident defense of this WTF code it should be pretty easy to break into your web site. ;-)
Some people seem to not understand the difference between script code and compiled code. A Thick Client App is going to be deployed as compiled code. It would be very hard to modify without access to the source. But script code on the other hand ~is~ the source and thus trivial to modify. VB is compiled code, so is C. You certainly could extract any embedded passwords that aren't encrypted from the compiled code, but doing anything else is several orders of magnitude more difficult.
Some people also seem to not appreciate the difference between running in a TRUSTED environment (well, mostly trusted anyway), which is where you will find a Thick Client. Versus running in the Wild and Woolly Internet where deliberate attacks are a constant occurrence which -- on the public servers that I maintain -- happens hundreds of times per day.
Even so, thick clients without a security layer between them and the data, is still not a real good idea... just because you can get away with it does not mean that you should do it. You better have a very reliable network connection when running your Thick Client with direct access to the db.
In spite of anything M$ marketing might try to con-vince you into believing, Running ODBC is never a good idea... at least not if you value performance and data integrity. ODBC is a big fat really slow elephant pig (IMHO). On top of that installing an app that requires ODBC is a royal pain to get it to work due to version dependencies and registry garbage. Also data corruption is far more likely to occur. The only thing ODBC ought to be used for is >>converting<< between different database systems and it does do a superb job of that, but at a price of complexity and speed.
As for using Access for a Web App, don't make me laugh... nothing screams rank (putrid) amateur more than an app written in Access. As a sysadmin I was constantly having to repair the corrupt tables of a ~wonderful~ multi-user app written in Access... Access can not reliably cope with even 4 users without corrupting its tables, at least that was my experience; to even think that you might use it for a web scale app is insane.
Using phpMyAdmin as an example of why this WTF is >>good code<< is just plain Ignorant er uh Stupid. Have you never paid any attention to the number of security flaws/fixes that phpMyAdmin has undergone??? The only reason it exists at all is so that shared webhosts can give you some level of access to your database without allowing direct access. But even with the zillions of security fixes, that program is inherently dangerous. Never leave it exposed, web-crack probers are always searching for it.
The syntax of the WTF code is fine, the people who said otherwise don't understand what they are looking at. I admit that I too did a double take on the syntax. It could/should have been presented a little more clearly. The code you are looking at is a JavaScript snippet and as such plus signs (+) are the correct way to concatenate the strings. If you try to put that snippet into php then yes, you will get errors, it is not a php program, it is a javascript program which creates a php program.
I love the idea of using php to create the javascript that creates the php... some very nice recursion there. ;-)
I bet the guy who wrote this WTF works at a Bank... remember the Code Red Worm?? it was able to shut down all the Banks because they had left their mssql servers directly exposed to the internet. Thus proving beyond any doubt the stupidity of the IT departments at Banks, which I suppose also explains their choice of db software.
So, this WTF code is probably very typical of what is used by Banks and Government Agencies... and eVoting machines. That's why we ~need~ the new department of Cyber Defense Thought Police and Internet Censorship to ~Protect~ us from Idiot... er uh Ignorant programmers like this.
I'll bet this WTF programmer is JS Certified too. Just because someone has memorized enough syntax to pass a test, does not mean that they know squat about how to write code. In my experience Agencies and Big companies love little pieces of worthless paper that prove that you know how to fk everything up. They use it to cover their a* when things go wrong, they can deflect blame by pointing out that their programmers are certified so it must have been somebody else's fault.
-- codeslinger compsalot
Admin
Wow! Really impressive! Best one so far. It also includes SQL injection prevention in client side JavaScript!
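An added example, not code from the post or from the site it was submitted from, to make concrete the two points raised above: the post that says every place untrusted code executes is a new hole, and the closing remark about "SQL injection prevention in client side JavaScript". The first function reproduces the thread's pattern in miniature (the browser assembles PHP source and the server runs whatever string arrives), the second is the shape that closes the hole: the browser sends field values only, the server owns the SQL text and binds values as named parameters, exactly as a driver such as `mssql`/`tedious` would receive them. No database is touched, so it runs offline in Node. `escapeSql` is assumed to be the usual quote-doubling (the post never shows it); the column names come from the posted snippet, everything else (`ALLOWED`, `buildSafeStatement`, the length and pattern rules) is assumed for illustration.

```javascript
'use strict';

// Assumed body of the post's escapeSql(): double any single quote.
// It runs in the browser, where the attacker controls everything, so it
// protects nothing on the server no matter how correct it is.
function escapeSql(s) {
  return String(s).replace(/'/g, "''");
}

// (1) The posted pattern, reduced to three columns: the client builds PHP
// source text and posts it to execPhp(). The server cannot tell this string
// from `system($_GET['cmd']);` sent by someone who skipped the form entirely,
// so the real bug is remote code execution, not the quoting.
function buildClientGeneratedPhp(f) {
  const lit = (v) => "'" + escapeSql(v) + "'"; // SQL string literal inside the PHP string
  return '$sql = "INSERT INTO APPS (FIRSTNM, LASTNM, OFFERCD) VALUES (' +
         lit(f.firstName) + ', ' + lit(f.lastName) + ', ' + lit(f.offerCode) +
         ')"; mssql_query($sql, $cn);';
}

// (2) Hardened shape (assumed design): an allow-list of fields with column
// mapping and validation rules. The SQL text is fixed on the server; values
// travel as parameters and can never alter the statement.
const ALLOWED = {
  firstName: { col: 'FIRSTNM', max: 50 },
  lastName:  { col: 'LASTNM',  max: 50 },
  offerCode: { col: 'OFFERCD', max: 16, pattern: /^[A-Z0-9]{1,16}$/ },
};

// Takes the parsed request body and returns { text, params, ignored }:
// `text` is the parameterised INSERT, `params` the bound values, `ignored`
// any keys the client sent that the server refuses to interpret.
function buildSafeStatement(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new Error('body must be a JSON object');
  }
  const cols = [];
  const placeholders = [];
  const params = {};
  for (const [name, rule] of Object.entries(ALLOWED)) {
    const v = body[name];
    if (typeof v !== 'string' || v.length === 0 || v.length > rule.max) {
      throw new Error('invalid or missing field: ' + name);
    }
    if (rule.pattern && !rule.pattern.test(v)) {
      throw new Error('malformed field: ' + name);
    }
    cols.push(rule.col);
    placeholders.push('@' + name);
    params[name] = v;
  }
  // Anything outside the allow-list (e.g. "code", "sql") is dropped, never run.
  const ignored = Object.keys(body).filter((k) => !(k in ALLOWED));
  return {
    text: 'INSERT INTO APPS (' + cols.join(', ') + ') VALUES (' +
          placeholders.join(', ') + ')',
    params,
    ignored,
  };
}

// Side-by-side run on a constructed hostile body: the injection payload
// survives as data in (2) and never reaches the statement text.
function demo() {
  const body = {
    firstName: 'Bob',
    lastName: "O'Brien; DROP TABLE APPS;--",
    offerCode: 'X1',
    code: "system($_GET['cmd']);",   // what an attacker would add to the POST
  };
  return {
    clientGeneratedPhp: buildClientGeneratedPhp(body),
    serverStatement: buildSafeStatement(body),
  };
}
```

Calling `demo()` shows the contrast: the first string is PHP source that the server would have to trust wholesale, while the second is a fixed statement `INSERT INTO APPS (FIRSTNM, LASTNM, OFFERCD) VALUES (@firstName, @lastName, @offerCode)` with the quote-laden surname sitting harmlessly in `params.lastName` and the stray `code` key reported in `ignored`.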