Admin
What amuses me the most on this site is the WTF-a-thon that happens in the comments. Man, what a display of self-inflicted WTFs. And I'm guilty as charged.
Admin
now
$sql == 0
!!!
P.S.: PHP concatenates strings with "." ;P
Admin
What do you want, a big flashing neon sign?
Admin
I had no problem picking up on that, but then I did get a 700 on my GRE verbal :-/
Admin
That's what many of my friends in the manufacturing industry said when containers never turned up or the parts didn't have a single thing in common with the spec. Many companies worked out how to get around most of the problems. Today a company that doesn't outsource at least part of its production is very rare indeed.
Admin
This is a minor WTF as well. A recursive grep of the error message should have pinpointed this problem in just a few minutes.
Admin
The language is not important, you can mess up everything in any language if you're talented enough.
Also - what's the problem with the dollar signs in the variable names? It's there for a reason, it's useful, and it's specific to the language, like ":=" in Pascal or "void main(void)" in C. Get over it. You're neither funny nor smart.
Admin
I think he was saying that if a variable name contains a $, it's a dead giveaway that the code is not C#. You can't declare a variable with $ anywhere in the name. (I just tried it.)
Admin
<babbling verbose="on" admin="true" sqlInjection="off">
That's true! I create really fine messes on a daily basis in Java, Perl, as well as VB6! Managers love it, too! They ask for it by name. :)
Gotta love that automation though - it gets you to that *wrong* answer that much quicker.
However, don't get me started on my shenanigans with dBase III & Clipper! Those were the days. ;)
</babbling>
Admin
The problem with the world these days is no one wants to have any fun. In a day and age where you can get a dual MSCE/CEH (Ethical Hacking) certification ... I will try to be insightful in subsequent first posts. ;
_'; DROP TABLE users; --
guess the forum software is safe :-)
Admin
Ha. You know that this stuff is more dangerous than cigarettes, right? Aspartam is a potential biochemical "WMD" from a - in my eyes criminal - company ("Monsanto") that creates such stuff for the government.
Admin
They weren't just after this bug; they were supposed to fix all remaining bugs (which of course we all realize means all remaining known bugs)... So while they could've started with pinpoint searches for known bugs, I wouldn't call it a WTF to instead just start by becoming familiar with the code base in general. In fact, at this point I would have low enough confidence in the code that, having been given responsibility for it, I would be inclined to think of pinpoint bug searches as a poor use of my time.
Admin
Tinfoil hat! Ready...and...conspiracy!
First off, it's spelled "aspartame". (Unless there's a weaponizable biotoxin out there actually named "aspartam", in which case you have my apologies.)
Where, exactly, does "creates such stuff for the government" fit in? Aspartame is sold COMMERCIALLY around the world and very clearly advertised as such. Where's the conspiracy here? Or is "works with the government" nutjob-slang for "teh evil corporation"?
Admin
There's plenty to be said about the hidden costs of outsourcing. Someone said the cost of high-quality software development is the same anywhere in the world. The implication is that cheap outsourcing is a way to buy low-quality development; and I agree.
Of course, we should not be deluded into thinking that every American developer is a good developer. I've seen local folk who are every bit as bad as these overseas developers -- that is, they (a) don't understand security (i.e. wouldn't have recognized the injection threat in the original version of the code); (b) would convince themselves that they could roll their own solution without reading up on the subject; and (c) would write a "fix" consisting of a sloppy hack without considering its side-effects.
As an aside, I think this is what makes outsourcing appear attractive. Sure the cost of good development is the same everywhere, but the cost of sloppy hacking is much higher if it's done here in the USA. Since management often fails to see the difference between the two, outsourcing can appear to be a good deal. I'm convinced it will die out when -- and only when -- management catches on that it's attacking the wrong problem. The high cost isn't the problem -- the low quality is. They need to learn to tell the difference between high- and low-quality development amongst the on-shore ranks.
But I digress. My point was, while outsourcing does introduce new problems into the process -- having to do with communication mostly -- none of those new problems really enter into this WTF; so the real WTF is dragging the whole hot-button "outsourcing" issue into this story. We're told that the project also suffered from communication problems due to outsourcing, and I guess we're supposed to think that the failure of the overseas team to read the provided article about injection was in that class of problem, but it's not.
Admin
It gets worse. We had a guy who wrote a 50 line javascript function in echo'd PHP statements, unindented.
i.e.
echo "function do_validate(
myvar
)";
echo "{";
echo "if (myvar = 'constant')";
echo "do_things();";
echo "}";
etc. etc.
We dropped the whole outsourcing idea pretty quickly after that.
Admin
While I love PHP, and think it is a great language, it also lends itself to really bad coding practices. There is a severe lack of consistency in the API, and it is hindered by an obligation to backwards compatibility. It is very easy to do something stupid in PHP.
Admin
Alex... I have to ask - why do you still use such useless forum software as Community Server when there are solutions available that actually work? If you could stop gazing adoringly at Bill for a moment you may even consider that phpBB is probably the best free one available, and knocks the socks off this pile of shite.
:)
Admin
But it wastes less precious disk space than if there was indenting.
Admin
I haven't had to think about SQL injection in years.
query("SELECT * FROM Message WHERE user_from = %s AND priority = %i AND public = 1", $_GET['from'], $_GET['priority']);
Admin
Seems to be about par-for-the-course for the overseas jobs I've seen: cut corners, no QA and worst of all--lying to the customer--"Don't worry. we'll fix it."
Admin
This forum used to have a similar "fix" for -moz-binding based JavaScript injection attacks, with a similar work-around involving CSS escapes. (It's fixed with the CS 2.0 upgrade - style attributes are totally disabled - so I can safely mention it here.)
Admin
I'm willing to bet that Alex doesn't want to spend his time applying security fixes every couple weeks.
Admin
PHP - Visual Basic of the Unix world
Admin
> As it turned out, the overseas team didn't read the SQL injection article,
> so they invented their own protection scheme that discriminates against
> Seth, Amanda, and George ...
I'm glad to see a bit of balance in reporting after yesterday's nasty anti-Steve article. Death to Seth, Amanda and George!
Steve
Admin
Well, I must say that Alex made this submission a little more dramatic than it was in reality. The subcontractors weren't overseas, the second paragraph is completely new to me (I submitted this) and the turnaround time after the initial report wasn't "several weeks" but about 18 hours.
Anyway, I almost like it better this way.
Admin
Yeah, as if this crapware is far more secure :p
If you're willing to spend some bucks I'd recommend vBulletin.
Admin
I haven't been having any problems with the Simple Machines Forum, and it seems to be fairly robust.
Admin
Alex's post doesn't make any sense, and I don't mean in the WTF sense. The summary says that it only reacted to full occurrences of strings in $badSqlCode within names, but it has brackets instead of parentheses, so it would error on almost any name (since all the vowels are covered). If we assume that the brackets were a typo on Alex's part when obfuscating, as he has been known to do, then the regex does 'work' after a fashion. The \s at the start and end will have to match whitespace and thus it would not error on the names with SQL commands in them. Either the code is wrong or the summary is wrong. Of course, there's still the WTF that they didn't use prepared statements, or at the very least mysql_real_escape_string.
Admin
Wow, quick reply on this forum is another WTF.
Anyway, argh, this one just burns in places that shouldn't burn. I was always careful to cover my ass for SQL explication attacks, but shouldn't these guys try procedures (although considering they're probably using MySQL, I suppose not :-/)
Admin
Not to be one of those guys who submits a "the real WTF is..." post, but the real WTF is that they continued to use overseas programmers after they realized they had no idea what sql injection means.
I'm all for learning on the job, but you shouldn't be learning on code that's going into production.
Admin
I'd have more to say about this awesome WTF, except that I've got to go and use SQL injection to break into some Indian banks right now...
Admin
Pepsi Max is better
Admin
Some of the comments over here are the real WTF. What programming language does "Anonymous" know? It is obviously not C# (he does not even know its syntax). Nor PHP.
Not to mention the wise guy who would perform security tasks using JavaScript, which can be disabled with a few clicks (see for example "The spider of doom").
Many of the ones who post messages here should post them to a basic programming course. Believing that you have the right to post here is the real WTF!!!
Admin
The Javascript post was a joke. He was not being serious.
Admin
D'Oh :-)
Admin
Yeah except no, PHPbb is just as big of a steaming pile of shit as CS, it's just that it's written in PHP and not in .Net
PunBB, on the other hand, is clearly in another ballpark, on every count (including the quality of the HTML output).
Admin
I get it. The WTF is that it's written in PHP!
Admin
Mr. C expert I presume?
Admin
Did they really spot the error with that?
When I try this at home
checkForBadSql('George')
gets 1, that means the preg_match didn't match and the function tells me that the SQL isn't bad.
I fear something is terribly wrong here. The WTF is that they spotted the wrong error.. or am I terribly mistaken here?
Admin
No, no, no...I don't know whether to laugh, cry, or poke my eyes out.
Admin
Oh yes? Well, think again... Use of sprintf() alone does not combat SQL injection. Here, I fixed it for you:
mysql_query(sprintf("SELECT * FROM Message WHERE user_from = '%s' AND priority = %d AND public = 1", mysql_real_escape_string($_GET['from']), $_GET['priority']));
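As an added example (not code from this thread), the corrected query above run three ways against an in-memory SQLite table with constructed rows, so it works without a MySQL server. PDO::quote() stands in for mysql_real_escape_string() plus the surrounding quotes, and the Message table layout is assumed from the query; the input "O'Brien" is a legitimate name whose apostrophe shows why the bare %s version breaks.

```php
<?php
// Added example, not code from the thread. Constructed table and rows in SQLite
// so the three variants can be run side by side without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Message (id INTEGER PRIMARY KEY, user_from TEXT, priority INTEGER, public INTEGER)');
$pdo->exec("INSERT INTO Message (user_from, priority, public)
            VALUES ('George', 1, 1), ('O''Brien', 2, 1), ('O''Brien', 2, 0)");

// The original one-liner's mistake: %s without quotes splices the name in as bare SQL.
function countUnquoted(PDO $pdo, string $from, string $priority): int
{
    $sql = sprintf('SELECT COUNT(*) FROM Message WHERE user_from = %s AND priority = %d AND public = 1',
        $from, $priority);
    return (int) $pdo->query($sql)->fetchColumn();
}

// The thread's fix: escape and quote the string (PDO::quote here), force the number with %d.
function countEscaped(PDO $pdo, string $from, string $priority): int
{
    $sql = sprintf('SELECT COUNT(*) FROM Message WHERE user_from = %s AND priority = %d AND public = 1',
        $pdo->quote($from), $priority);
    return (int) $pdo->query($sql)->fetchColumn();
}

// Prepared statement: the database never sees the user input as SQL text at all.
function countPrepared(PDO $pdo, string $from, string $priority): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM Message WHERE user_from = ? AND priority = ? AND public = 1');
    $stmt->bindValue(1, $from, PDO::PARAM_STR);
    $stmt->bindValue(2, (int) $priority, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Constructed request values, as they would arrive in $_GET.
$from = "O'Brien";
$priority = '2';

try {
    echo "unquoted: ", countUnquoted($pdo, $from, $priority), "\n";
} catch (PDOException $e) {
    echo "unquoted: query failed (", $e->getMessage(), ")\n";
}
echo "escaped:  ", countEscaped($pdo, $from, $priority), "\n";
echo "prepared: ", countPrepared($pdo, $from, $priority), "\n";
```

The unquoted variant fails on the apostrophe alone; the escaped and prepared variants both find the single public message, and only the prepared one needs no per-value escaping.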
Admin
I think you're quite right. The \s and \s in the regular expression actually make the regular expression match if and only if the text contains two whitespace characters, with some junk in between.
Now I think the real error is the usage of the square brackets [ and ] instead of ( and ). This means that any text that contains two whitespace characters with one or more characters in [abcdehilmnoprstuvw|] (case-insensitive) matches. So "George" doesn't match, "Bla George Bla" doesn't, but "George W Bush is a monkey" does!
Admin
You don't have to be much of an expert to know that void main() isn't legal C.
Admin
[erich@localhost erich]$ cat wtf.c
#include <stdio.h>
void main() {
printf("WTF!\n");
}
[erich@localhost erich]$ make wtf
cc wtf.c -o wtf
wtf.c: In function `main':
wtf.c:2: warning: return type of `main' is not `int'
[erich@localhost erich]$ ./wtf
WTF!
[erich@localhost erich]$
Admin
char *main="\xc3"; also works on some compilers. It does not that C make.
Admin
They don't, otherwise they'd not have used a character class. Not only names containing keywords would be caught but also any other name that consists entirely of the characters abcdehilmnoprstuvw - "ronald", "stuart", "susan"...
And they'd have used a wordbreak (\b) on each side of the word rather than a whitespace (\s).
Is this WTF fictional? Because I can't see this function passing even the most basic tests.
-robin
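The two posts above (the bracket-versus-parenthesis analysis and robin's \b suggestion) reconstructed as an added example; this is not the article's checkForBadSql(), which is not quoted in this thread, so the three patterns and the keyword list are assumptions built from the comments. It shows that the character-class pattern rejects any run of those letters between two spaces, that the grouped patterns still reject an innocent "Seth or Amanda", and that "George" on its own passes all three, which is the inconsistency with the article's summary that the thread points out.

```php
<?php
// Added example, not the article's code. The patterns are reconstructed from the
// comments above and the keyword list is an assumption.
$keywords = 'select|insert|update|delete|drop|union|where|and|or';

$patterns = [
    // As described in the thread: square brackets make a character class, so the
    // "keywords" collapse into "one or more of these letters between two spaces".
    'class'    => '/\s[abcdehilmnoprstuvw|]+\s/i',
    // Presumably intended: a group, still requiring whitespace on both sides.
    'group_ws' => '/\s(' . $keywords . ')\s/i',
    // robin's variant: word boundaries instead of whitespace.
    'group_wb' => '/\b(' . $keywords . ')\b/i',
];

// Returns [patternName => bool] telling which patterns flag $input as "bad SQL".
function classify(array $patterns, string $input): array
{
    $result = [];
    foreach ($patterns as $name => $pattern) {
        $result[$name] = preg_match($pattern, $input) === 1;
    }
    return $result;
}

// Constructed inputs: the names from the thread plus two innocent phrases.
$inputs = [
    'George',
    'Bla George Bla',
    'George W Bush is a monkey',
    'call susan now',
    'Seth or Amanda',
];

printf("%-28s %-6s %-9s %s\n", 'input', 'class', 'group_ws', 'group_wb');
foreach ($inputs as $input) {
    $flags = classify($patterns, $input);
    printf("%-28s %-6s %-9s %s\n", $input,
        $flags['class'] ? 'BAD' : 'ok',
        $flags['group_ws'] ? 'BAD' : 'ok',
        $flags['group_wb'] ? 'BAD' : 'ok');
}
// Whichever delimiter is used, a keyword blacklist cannot tell a name from a query;
// the thread's conclusion (prepared statements) avoids the problem entirely.
```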
Admin
Those aren't mutually exclusive statements, you know. But here's a little story. A few years ago I went to an interview at an embedded systems shop and was shown some code that started 'void main()'. "A-ha!" says I, being terribly clever, "that's not legal C, it should be int." "A-HA!" came the reply, "only in a hosted implementation. It's legal in a free-standing one."
According to the standard they were perfectly right. A free-standing implementation such as many embedded systems needn't return int from main(), and indeed needn't have a main() function at all. There might not be anything for it to return to.
I didn't get the job ;)
Admin
It may indeed do so. But that still doesn't make it legal C. And your compiler correctly points out that you've misdeclared main().
(Sadly, it seems to be generating some output code, but a compiler is allowed to do that when faced with erroneous code.)
Admin
Damn straight! Let only the professional and brillIant developers post here. When I think about it, add a requirement to be able to spell correctly too.