Admin
And where's the QA? I wonder if it's standard protocol to test against such things
Admin
This is a classic wtf, well done.
Admin
What makes it worse is that arbitrary SQL can STILL be executed using the
EXEC( CHAR(##) + CHAR(##) + ... + CHAR(##) )
trick. Combine this with xp_cmdshell and life starts to get a little dangerous.
Oh, and Community Server must die. Apologies to Cato.
Admin
Somehow, I'm not the least bit surprised.
You get what you pay for ;-P
Admin
That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressions but don't know about parameters. This is one scary WTF!
Admin
So I'm guessing it also didn't like the name Jenidatabasefer.
Admin
it's PHP, however this still fails to excuse the WTF in question.
Admin
preg_match is a PHP function. The syntax here seems to be PHP. I'm inclined to think so when the original description indicates it's a web app (not that you can't write a web app in C#). In addition, the $varname[] = "new value" is a PHP shorthand way of adding a new element to the end of an array.
Admin
Looks more like PHP to me, though it's a nice one!
Admin
Spectacular problem solving skills.
Here is an assertion: outsource-developers are neither better nor worse than local developers. However, if the guy who wrote this code was local, you wouldn't let him touch the coffee maker, much less the source code (assuming your company isn't an internal WTF). The remote developers don't care who writes the code as long as the project is complete.
As such, I have no worries about outsourcing, and neither should any good developer.
Admin
Say hello to PHP. IMHO, this problem could have been solved better with Javascript. It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.
Admin
...and this, my friends, is why I come to this site.
Admin
What we have here is a failure of imagination. See "Enumerating Badness:"
http://www.ranum.com/security/computer_security/editorials/dumb/
Admin
How can these people understand perl regular expression syntax but not escaping characters?
Admin
Especially when PHP makes that so easy.
Admin
And lo, Internet Jesus wept.
Admin
I am a HUGE fan of outsourcing. Especially OFFWORLD outsourcing!
http://www.twonails.com/~jdieter/gudcodium.html
Admin
I think you should not rely on client side Javascript validation only, for it is possible to modify the post data or query string (which bypasses the javascript validation).
You should always check server side (although not as posted of course).
Admin
Good catch, DJ Mike, but I think you may have missed the dripping sarcasm in the parent post.
Admin
Best. Reply. Ever.
Admin
Think mysqli_prepare().
By the way, WTF is the "i" doing in there? I haven't done PHP since the early 4.x days, and I sure don't remember that.
Admin
On a meta-note, why is it that everybody becomes "Anonymous" when I click the "quote" button?
(not to start the whole "the real WTF is the forum software" thing again...)
Admin
> Even for overseas programmers that is shameful.
You think so? It's indented and legible, which is more than we've gotten back from outsourced overseas programmers.
Seriously. C/Java with no indenting whatsoever. Would that waste precious disk space?
Admin
OMG - Let's just leave the front door open, turn on the lights, and place signs leading them right to the data. I guess these guys must have thought SQL Injection was some kind of new inoculation against Bird Flu!
Whatever happened to good ole N-tier solutions, and stored procs. I know this won't stop all attacks but at least it will thwart a good many of them.
Admin
It says that for non-registered/non-signed-in users. On a different note, it won't let me log in. It doesn't complain, it just simply ignores my attempt, as if I don't have cookies enabled. Which I do, of course.
CAPTCHA: broken
Admin
they could have at least checked for spaces before and after the words because "seth" wouldn't mean anything to the database, right?
i think it's not just about the cost, somehow, another factor is the management of the deliverable...
unless the deliverables are managed off-site too...in that case i'll certainly agree...
Admin
//bad sql found -- hack attept! Abort
I love nested WTFs
Admin
The \s's mean they tried.
There are multiple WTFs here. The biggest one is the design. The implementation contains a few gems though.
Admin
MySQLI is a new, OOP interface for PHP/MySQL. It requires PHP >= 5 and MySQL >= 4.1. And yes, it has features to make avoiding SQL injection easier. But even with the old-style MySQL interface, it's not *that* hard. I guess some people just shouldn't be programmers.
Admin
Awesome. Simply awesome.
First, I'll echo what's already been said:
- It's not outsourcing that's the problem, it's people who work for half the price of real programmers that's the problem. This is why outsourcing isn't a (significant) threat. Good developers cost roughly the same worldwide.
Some things that haven't been said:
I must give a huge and hearty congratulations to the testing team, for having SQL injection checks in their test plan. It's scary how many web houses aren't even aware of the concept.
I don't know how literal Alex's explanation of the WTF is (remember, he frequently changes some facts around to protect the guilty), but I would think that tracking down the problem was as easy as searching the code base for the text "Invalid text was entered. Please correct." Unless that exact text is used in multiple places (which I would believe).
Overall, though, a beautiful tale of the archetypal results of outsourcing to save money. The bugs, the handholding, the cost overrun... it covers everything.
Admin
I bet those programmers never heard of "Amanda", "Seth", or "George".
On another note, suddenly I can't log in.
Admin
The Real WTF Is The Forum Software™ 2.0
Yesterday I was allowed to sign in, but the "remember me" check box didn't do anything--I wouldn't be signed in when I came back. Today, I can't sign in at all.
captcha is "broken". :)
Admin
Think they heard of "Paula"?
Admin
If they haven't logged in but only supplied a name, they will become 'anonymous'. Notice how my 'first' post which was deleted by Gene Wirchenko (sincerely I am sure) still has my login in my second and now first post.
Admin
Doubtful. "Parva," maybe.
Admin
I don't know if it was via anonymizing or what, but the regex won't even work as advertised -- the implode() is wrapped in []+ which means that it's looking for one or more letters that exist in any of those words or the | character (ie [create|database|table...]+ ). That means that even names like 'Will' will fail too... ;)
Of course, they could just be even worse than it appears, and mess up their regex themselves... ;)
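As an added illustration of the point made in the post above (this is example code written for this page, not the code from the article): a reconstruction of the kind of keyword blacklist the thread is describing, with the word list assumed. It shows the two failure modes side by side: the `[...]+` form builds a character class that blocks almost any name, while the alternation the author presumably meant lets a payload through as long as it avoids the listed words.

```php
<?php
// Added example, not the article's code. The blacklist contents are an
// assumption based on the words the commenters mention (and, or, create,
// database, table ...).
$badWords = ['create', 'database', 'table', 'insert', 'delete', 'drop', 'and', 'or'];

// As described in the post above: implode() wrapped in [...]+ is a character
// class, so this matches any run of letters that appear in the words (plus the
// literal '|'), not the words themselves.
$classPattern = '/[' . implode('|', $badWords) . ']+/i';

// What was presumably intended: an alternation of the words. No word
// boundaries, which is why "Amanda" and "George" are still casualties.
$altPattern = '/(?:' . implode('|', $badWords) . ')/i';

function flagged(string $pattern, string $input): bool
{
    return preg_match($pattern, $input) === 1;
}

// Constructed test inputs for the demonstration.
$inputs = [
    'Will',     // innocent, but every letter is in the class
    'Amanda',   // innocent, contains "and"
    'Pauline',  // contains "in", which is not on the list
    // Injection that uses no listed word at all, and no one checked for ' or ;
    "x' UNION SELECT card_number FROM cards; --",
];

foreach ($inputs as $in) {
    printf("%-42s class:%-8s words:%s\n", $in,
        flagged($classPattern, $in) ? 'BLOCKED' : 'ok',
        flagged($altPattern, $in) ? 'BLOCKED' : 'ok');
}
```

Run with `php blacklist.php`: the class pattern blocks all four inputs, including the three harmless names; the alternation blocks only "Amanda" and waves the UNION SELECT straight through. Neither form does anything that a parameterized query would not do better.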
Admin
And why is there no search for a ['] or a [;] ? 10 minutes on google with the keyword 'hack' would have led straight to that. Do they not use that in SQL 'overseas'?
Admin
Wouldn't that still allow people to use an injection attack but just require them to create their own "page" to submit it?
Sure you ought to use some client-side validation, but you still need to defend against the attack on the server side.
Admin
Diet pepsi out the nose hilarious.
Admin
Alex does not like the "First!" posts. Your second post was marginal.
Sincerely,
Gene Wirchenko
Admin
<Sarcasm>
Perhaps a different approach to stuff like security is warranted.
Instead of constantly battling stupid developers and hackers in order to protect precious data from prying eyes, why not encrypt the whole thing using public algorithms (eg: RSL), and just expose everything with public read access - only those with the key can make use of it.
</Sarcasm>
Seriously though, when management teams with whom I've worked were considering outsourcing, I've tried to make them understand that it's not just the cost they must consider, but the relative experience of the developers/managers who will be doing/managing the actual work. A team of cheap rookies won't beat the quality (or even total costs) of a team of expensive (but experienced) veterans who have done it before.
Admin
Well 'Pauline' has an IN.
And they decided that 'AND' and 'OR' were bad, but 'IN', 'JOIN', and 'UNION ALL' are OK?
WTF?
Admin
You didn't quote who you're referring to... but PHP is server side.
Admin
This is hardly an international problem. I see this all the time with programmers in multiple languages. I think the biggest flaw with calling them "Prepared Statements" is that people immediately look up the tech and say, "My database doesn't support Prepared Statements". And so they don't use them. I've known so many php, perl, and java programmers who only use string concatenation for SQL statements. It's frightening.
Please, if you use php use the PEAR database abstraction classes, and please always use prepared statements.
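To make the prepared-statement advice above concrete, here is an added example (not code from the article or from any commenter) that runs the same lookup both ways against an in-memory SQLite database via PDO, so it works offline without a MySQL server. The table, column names and sample rows are constructed for the demonstration.

```php
<?php
// Added example, not the article's code. Uses PDO with sqlite::memory: so it
// runs stand-alone; the schema and rows below are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('Amanda', 0), ('Seth', 0), ('root', 1)");

// The approach from the article: filter (badly) and then concatenate anyway.
function lookupConcat(PDO $db, string $name): array
{
    $sql = "SELECT name, is_admin FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the value travels to the engine as a bound parameter, never as
// SQL text, so its content cannot change the statement's structure.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, is_admin FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Contains none of the blacklisted words discussed in this thread
// (and, or, create, table ...), so a keyword filter would pass it.
$payload = "x' UNION SELECT name, is_admin FROM users WHERE is_admin = 1 --";

print_r(lookupConcat($db, $payload));   // returns the admin row
print_r(lookupPrepared($db, $payload)); // empty: nobody is literally named that
print_r(lookupPrepared($db, 'Amanda')); // legitimate names need no filtering
```

The same pattern applies to `mysqli_prepare()` / `bind_param()` mentioned earlier in the thread; PDO is used here only because its SQLite driver makes the example self-contained.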
Admin
For all you clever kids trying to deduce whether this is C# or not, it's very similar to Java (in loathsomeness as well as syntax). The differences involve stuff that's probably over your heads (e.g. delegates).
But just for starters, it's a statically type-checked language that doesn't have f****g dollar signs in the f****g identifiers. WTF...?
Admin
Let me clarify that: C# is very similar to Java in loathsomeness and syntax.
It's important to disambiguate the antecedent there, lest some shambling halfwit try to convince me that I meant to say the WTF PHP code was "very similar to Java".
Admin
Please say that's a joke :/