- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Oh, stop being picky!
Admin
boot.ini ... this must be a very odd SQL vuln
Admin
Provide a link, and I'll wager they'll quickly change their minds.
Admin
That particular client deserves everything they get..
Captcha: erat - you thought live vermin were bad, what about virtual ones?
Admin
that is probeily the frist time they ever faced sql injection problems
Admin
Typical quality prose from Alex.
Admin
Admin
It looks like they put their best VB programmer on the job.
Admin
hmm, I guess all we "superhackers" needed to pay better attention in Math class. Apparently, through the miracle of modern math, 2 != 2, but I guess I'm too stupid to understand this kind of wonder.
Captcha: minim. What a pity these guys don't even have a minim of programming ability.
Admin
They should have used an embedded system, because without a file system, there's nowhere to store a database.
Admin
Sure there is. XML in a null terminated string created at design-time.
Admin
Easy one to fix.
After installing, just set up a cron job that sabotages the application once a week with a semi-random SQL injection.
It will infuriate the morons that bought it and cost the cowboys that sold it to them a fortune in support.
Admin
Won't the first bit protect against SQL injections? So, it is actually safe now?
OK, the second bit (all the replaces) is dumb, but converting ' to '' is all that is required isn't it (even though it is being done in a lame way in this case)?
AIUI SQL injection attacks are thing like entering: ' OR 23!=46-- in a username box. By quoting the ' character you've prevented the attack
Without the quoting you get SQL queries like: select * from users where username='' OR 23!=46--' so, it will return everything. With the quoting you get select * from users where username=''' OR 23!=46--' so it will return nothing (unless there is a user called "' OR 23!=46--")
Or am I missing something?
Admin
select * from thistable where 1=1 ----
select * from thistable where 1=1 --
wohoo!
Admin
They don't even need the '='. Just a simple '1' would do it.
Admin
"alter table" seems to be in there twice. Perhaps because it's twice as dangerous? This code is way above my head.
Admin
OMG, i remember such code being in production at the largest webshop around here ... Talk about lame ;)
Admin
Admin
If I understand correctly, and the reviewer is the corporation's internal IT department, the department head is feckless. He should flat-out refuse to install this. If he doesn't have that authority, he needs to get it to do his job effectively, so he'd best get to convincing whoever gives out that authority.
Admin
Admin
Am I the only one who noticed the name of the function is "FQ"?
Admin
It would be nice if the person who posts a WTF concerning code would explain what is wrong with the code. It is not always obvious, especially if it's in a language we're unfamiliar with.
Admin
You're missing something:
''; DROP TABLE users; --
Source: http://unixwiz.net/techtips/sql-injection.html
Also, captcha quoters: You're not funny. You're tedious. Tedious and boring.
Admin
Only a matter of time now before someone posts a link a certain webcomic, which will no doubt be followed by a thousand people groaning...
Admin
Admin
Oh, I don't know. I tend to find that submitting an obviously-not-sanitized form saying "I could delete your database right now; you're lucky I'm a scrupulous person" tends to get people's attention.
Admin
The problem with the code is it is trying to catch strings that could do bad things to the database.
Imagine a field on the webform that asks for your name.
You enter: John Doe.
The app converts that to something like "select record from customers where name='John Doe';
No problem.
Now assume for the name you enter 1=1; DROP TABLE CUSTOMERS; --
Now the app converts that to: select record from customers where 1=1; DROP TABLE Customers; -- this lass double dash ensures anything after gets treated as a comment.
You've just managed to drop the customer table from the database.
Obviously their approach can't catch every possible combination.
My above example might be caught, but that's fine. I can then try 2=2; SELECT * from customers; --
Now I can get a full list of all their customers.
CAPTCHA: Saluto - I saluto the geniuses who thought up this solution.
Admin
Also notice the script tag/javascript filtering at the end - stopping SQLi and XSS at the same time!
Admin
It's also missing "Robert); DROP TABLE Students;--?"
(http://xkcd.com/327/ for the uninitiated)
Admin
and of course in a years time some poor sap of a developer will be trying to use a query that does actually need a UNION and will have no idea why it doesn't work.
Admin
@paul: there is the problem of indirect sql injection. once you got a ' on the server, if the server trusts its own data to build the joins, then you are escaping the joined query
this is protected not trusting even the server stored data, but why in hell isn't everybody using named parameters query, for god sake? the database KNOW how to escape it, and it has the added benefit of providing the same statement for different inputs, so the database may actually do its thing and cache the query path.
Admin
' or 1=1
because this code would convert it into ''
Admin
Ask and you shall receive
http://xkcd.com/331/
Also TRWTF is this site.
Admin
I'm not overly familiar with the language used in this case either, but the failure of the code is fairly obvious to anyone experienced with SQL injection issues. The code does make an attempt to sanitize the query by doubling up the single quote characters, but depending on the DBMS this may not be the only way of injecting arbitrary SQL into a request. Also, it still leaves the code vulnerable to cross-site scripting attacks by failing to catch for all potential of attack vectors.
Of course, it's almost impossible to catch all known and future attack vectors using a technique such as the one demonstrated in the code as the variations could be endless (example: "language = javascript" would not be caught). It would be far better to use parametrized SQL statements, stored procedures, and/or to HTML encode the incoming data before persisting it in the DB thus making it safe to display in a browser.
Admin
Groan
Admin
I'm guessing that since it's a customer of yours you're in the dubious position. While you're trying to get them to accept the discount programming they paid for was worthless, you can't outright refuse them without potentially losing them, and your objections may come off as trying to bolster your own sales department.
I think your best out in that situation would be to install the software and then give your customer instructions to follow that would make them crap themselves. You could either have them create a new administrator account or have them to cripple their database, and in either case they'd do so with copy-and-paste operations between your email and the app. If you went with the crippling route, this would preferably by with an UPDATE statement that changes some system value that can easily be reset back to what it should be with another UPDATE. You know, nothing that would require a full DB restore.
Admin
Is there no suitable string escaping (preferably shell-style) function in the language or a relevant library for that language?
Admin
Admin
'' is just '' in SQL.
So you will end up with
''''; DROP TABLE users; --
which can't be used for SQL injection.
or are you using a SQL-like database which treats '' as a metacharacter?
Ah, that only works with MySQL. SQL compliant databases won't suffer from that weakness.Admin
Admin
OK, but how do we know they're using MySQL?
If they're using an SQL compliant DB, then quoting '' characters would be a bug, not a security fix, so, without knowing what DB they're using, their fix might be safe (but stupid) or not safe at all.
Admin
Admin
It's official, 331 == Frist!11
Admin
Or they could sidestep the whole issue by using a real fix, like parametrized queries.
Admin
This is typical for an embedded programmer without file system experience
Admin
¹ Javascript. Just Say NoScript.
Admin
Admin
Why doesn't anyone address the security side of it. Minimum permissions, grant the select, insert, delete, update ONLY as needed, but don't grant DBO permissions to any user accounts. This way the outside vendor can deliver the crappy code, and you can install it anyway, but you're less concerned about damage. Still, using views, stored procedures and other good practices should be the norm, but the reality is that you can't control everything, so control what you can.
Admin
Admin
Sorry, didn't mean to quis you off.