Admin
As you can clearly see, for the compiler it's a warning, not an error. BTW, the compiler is GCC 3.4.1
Admin
Yes, it does make it legal C. If it weren't legal C it wouldn't compile.
Admin
You can't login because you keep on putting your username as forsty.
Admin
The C Standard requires the compiler to emit a diagnostic when an illegal construct is found. Which it did.
Admin
Except that he doesn't use sprintf, he uses prepared statements, the role of his "query" function is to escape automagically every single argument past the initial request, and then inject the escaped values in the SQL query.
You should try looking it up, it's quite common in non-braindead-retarded languages such as pretty much anything other than PHP (Python's DBAPI2 for example, or raw SQL queries using ActiveRecord in Ruby).
And while mysqli_ is a step forward in PHP, it's still quite far from being "there" yet (seriously, why the flying hell should I have to call an explicit "prepare" method and then manually bind every single fucking argument one by one? Yet Another Proof of the Zend Devs' retardedness, I guess...)
Admin
Laugh
(BTW - you forgot your {joke}{/joke} tags)
Admin
Shouldn't we first agree by which C standard we decide if something is legal or not? K&R, C89, C99?
Admin
Well, there is only one current C Standard - C99. But that's ISO rules for you. The rest of us are probably quite happy to consider C89 as well - it was the standard up until C99 came out.
As for K&R, it was never officially a standard. But if you're going to argue from a document that was superseded before some contributors here were born, go ahead - does K&R allow void main()?
(The fact that functions returning void were an extension after K&R might be a clue.)
I suspect that the very requirement that main() returns int goes all the way back to K&R, fossilising a version of the language that was actually unable to return void.
Admin
This is brilliant because it also prevents hackers from typing '||password.
Admin
But...But...Paula said it was "BrillAnt"
Finally - a CAPTCHA that I can read and works!
Admin
What a pitiful lack of culture!
French writers George Sand and Alfred de Musset couldn't have messed up in this database ...
An educated developer would have pointed out the problem immediately!
Admin
WTF??? That you, Yoda?
Admin
My version 2.0 of the wtfix.
```php
//V2.0
// Closing parenthesis of the ternary was missing in the post as submitted.
$at_post["name"] = (isset($_POST["name"]) ? $_POST["name"] : false);
$at_sql["name"] = mysql_real_escape_string($at_post["name"]);
// Note: '+' is numeric addition in PHP, not concatenation ('.');
// the author's follow-up comment below refers to this.
$sql = 'SELECT IdUser
FROM dat_users
WHERE Name="'. $at_sql["name"] + '"';
$result = query($sql, "Pick a user id");
if ($result) {
    foo($result);
} else {
    bar();
}
```
Admin
Oh, crap, I forgot the last "+" in the SQL string building phase.
Admin
WTF -- Bullsh*t injection of Injection Rejection!!!
Admin
Brillant!
Admin
You are right, in K&R it was implicitly int, as in
I wonder where the "void main()" thingy came from - Google finds hundreds of thousands of "void main" examples (I also looked for stdio.h, so it's not Java or C# ;-)
Admin
I thought that anti-Steve attack was a bit over-the-top too. Completely uncalled for, in fact.
Steve
Admin
It is sold commercially indeed, as a food additive. And who, exactly, regulates and approves such sales in the country where you live?
It is very easy to shout "Conspiracy!" as a synonym for "Nutcase!", but this is intellectually very lazy. It takes a lot more work to sit down and actually figure out what's going on, who the players are, and what their motivations are. Usually it boils down to money - and lots of it.
This is terribly off-topic, though. The whole Diet-Pepsi-squirting-out-of-the-nose bit should have been left alone, at least in this forum. However, if I had been drinking any, which I wouldn't, I probably would have squirted it out of my nose too when I read the "Jennidatabasefer" post. That's what I was going to name my daughter, but my wife probably would have considered it inappropriate. :)
Admin
If you ever find out, do let me know :-)
I suspect it was Herb Schildt, who was notorious for writing extremely readable yet insidiously erroneous manuals. The habit seemed to have caught on, and got all over both Microsoft and Borland docs.
Admin
This would be a supremely bad idea.
You can't trust the client. Only the most benevolent (or naive) bad guys will ensure they attack your web app through a web browser.
Admin
JavaScript is fine for client-side validation, but it does NOT replace server-side validation. It is just too elementary to remove JavaScript from a web page, not to have server-side validation in place as well.
Admin
HAHAHA, your comment is a daily wtf is itself. You really think client-language checks are enough to stop /anything/? Javascript cannot be relied upon and is easily bypassed.
Admin
Looks like some people need a better sarcasm detector.
Admin
Unfortunately I've dealt with way too many developers that roll up their own sql injection filters, unaware of things like "prepared statements" and "bound parameters". It's quite sad actually. Most of them also declare their solution superior to whatever the language (and DBMS) provides to prevent these things.
Admin
What you probably mean to say is, "Brillant"!
Admin
I saw this once in a lovely application called portlandmaps.com built by the City of Portland Oregon. Seriously, I love this application. Anyways somebody must have had a sudden realization about SQL injection and came up with the same obvious solution. Suddenly I wasn't able to find my house on 'Flanders St.' anymore. (yes THE 'Ned' Flanders St.). Fortunately a quick email and it was fixed up within hours.
Admin
Those should have been parentheses (), not square brackets.
Admin
Maybe he's talking about Rhino? LOL
Admin
What is this "Sarcasm" that you speak of?
-dZ.
Admin
Is that near the Reverend Lovejoy Street, or by Duff's garage?
Wait .. I work for the City of Portland!
Admin
I believe the "in house programmers" WTF is that it took them hours to dig through the code rather than simply to search for "Invalid text was entered. Please correct.". Maybe we should transfer them overseas?
Admin
The "overseas" bit is extremely careless, and to imagine having to invent those "communication issues"... It's really pathetic.
-- It's the daily WTF because of the forum software!
Admin
The WTF is that 90% of this story is fabricated. Yes, including the code. Nice coding skills, alex!
Admin
I thought so. From your name I would say you live in a German speaking country, probably Germany; and considering the prices, I've guessed the subcontractors were in Eastern Europe, probably Poland or Slovakia.
Admin
I wonder which type of post is more frequent?
a) Repeat posts correcting sarcastic posts, where the authors both missed the joke AND did not read the 50 existing posts by other people who also missed the joke
or
B) Repeat posts offering solutions (wtf? If these were rocket-science problems, they would not be wtfs in the first place) where the authors did not read the 50 existing posts offering solutions...
Alex? Any stats?
Admin
"ALTER PROC" is legal, too. Man, we could have a good time with "ALTER PROC". It makes all of the other security superfluous.
Admin
Wrong. It will only match 1-letter words, since there are no quantifiers.
Admin
It is not legal in a hosted environment (which, admittedly, is where most will use it), but it is legal in a standalone environment.
Sincerely,
Gene Wirchenko
Admin
I think that it is multiple sources. Before I knew better, I came up with the idea myself. The argument is something like, "But I am not using the return value, so why have one?"
Sincerely,
Gene Wirchenko
Admin
+ is the quantifier.
Community Server must die.
Admin
You (And the original poster) have been Snoped: http://www.snopes.com/medical/toxins/aspartame.asp
Admin
That's why in previous posts I've said we should encourage the outsourcing trend wherever possible. The rework will give us employment for years!
Admin
That just proves that Snopes is in on it. The greed and machinations of the artificial sweetener giants are boundless.
Admin
I assume you mean the i after the regular expression in the line:
if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
While I don't know PHP, my experience in Perl would suggest that it means ignore case.
Anyways, this is a classic WTF, my rating brillant (yes, yes, I know, it's been done to death).
Shadowhawk
Admin
I think that's a horrible idea. I think anyone who is trying to inject sql could also easily circumvent the client side execution of javascript...
Admin
Have all the sarcasm detectors of the forum burst today or something?
I guess CS2 is to blame for it, the forum is the real WTF after all...
Admin
Ok. I missed that. But the original assertion is still wrong, since all the letters of the word must be enumerated in the square brackets.
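The following is an added example, not code from the thread or from the article's application: it ports the quoted PHP blacklist regex to Python and runs it, alongside both a string-concatenated query (the pattern the "wtfix" posts mock) and the bound-parameter query that the prepared-statement posts above recommend. The keyword list in BAD_SQL_CODE is assumed (the original $badSqlCode array is never shown), the dat_users rows are constructed sample data, and SQLite via the DB-API stands in for MySQL. It shows that the square brackets turn the keywords into one character class, so harmless whitespace-delimited words made of those letters are rejected while an injection with the spaces removed passes straight through; only the parameterized query is unaffected.

```python
import re
import sqlite3

# Assumed keyword list: the thread never shows the original $badSqlCode array.
BAD_SQL_CODE = ["select", "insert", "update", "delete", "drop", "union", "or", "and"]

# Literal port of the PHP pattern quoted in the thread:
#   '/\s[' . implode('|', $badSqlCode) . ']+\s/i'
# The square brackets make the "alternatives" one character class, so the
# pattern matches any whitespace-delimited word built only from the letters of
# those keywords (plus '|'), not the keywords themselves.
BLACKLIST_RE = re.compile(r"\s[" + "|".join(BAD_SQL_CODE) + r"]+\s", re.IGNORECASE)


def blacklist_blocks(value: str) -> bool:
    """True if the blacklist regex would reject this input."""
    return BLACKLIST_RE.search(value) is not None


def setup_db() -> sqlite3.Connection:
    """In-memory table mirroring the thread's dat_users (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dat_users (IdUser INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO dat_users (Name) VALUES (?)",
                     [("alice",), ("Flanders",)])
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str):
    """Blacklist plus string concatenation, the approach the thread is mocking.

    Returns None when the filter rejects the input, otherwise the IdUser list.
    Single quotes are used so SQLite treats the value as a string literal.
    """
    if blacklist_blocks(name):
        return None
    sql = "SELECT IdUser FROM dat_users WHERE Name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str):
    """Bound parameter (DB-API 2 qmark style): the value can never become SQL."""
    rows = conn.execute("SELECT IdUser FROM dat_users WHERE Name=?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    # False positive: "Nicole" is spelled entirely with letters from the class.
    print(blacklist_blocks("Ana Nicole Torres"))   # True
    # Bypass: remove the surrounding whitespace and \s never matches.
    print(blacklist_blocks("x'OR'1'='1"))          # False
    print(lookup_concat(db, "x'OR'1'='1"))         # [1, 2]  every user
    print(lookup_param(db, "x'OR'1'='1"))          # []
    print(lookup_param(db, "Flanders"))            # [2]
```

With the spaces left in, `x' OR '1'='1` is caught, which is exactly what makes a filter like this feel effective in testing; the same payload without spaces (or with comments in place of spaces) reaches the database unchanged. The bound-parameter version needs no filter at all, which is the point the prepared-statement posts above are making.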
Admin
This reminds me of a guy I once knew on IRC. His nickname was "essex". He kept getting banned from channels for an "inappropriate nickname" by bots matching on 'sex'.
Admin
scoop is even better!