• (cs) in reply to Bellinghman
    Bellinghman:
    ammoQ:
    void main() compiles and works on many compilers

    It may indeed do so. But that still doesn't make it legal C. And your compiler correctly points out that you've misdeclared main().

    (Sadly, it seems to be generating some output code, but a compiler is allowed to do that when faced with erroneous code.)


    As you can clearly see, for the compiler it's a warning, not an error. BTW, the compiler is GCC 3.4.1

  • Kieren Johnstone (unregistered) in reply to Bellinghman

    Yes, it does make it legal C.  If it weren't legal C it wouldn't compile.

  • (cs) in reply to frosty

    You can't login because you keep on putting your username as forsty.

  • (cs) in reply to ammoQ
    ammoQ:
    As you can clearly see, for the compiler it's a warning, not an error. BTW, the compiler is GCC 3.4.1

    The C Standard requires the compiler to emit a diagnostic when an illegal construct is found. Which it did.

  • (cs) in reply to HwAoRrDk
    Anonymous:

    Anonymous:
    I haven't had to think about SQL injection in years. query("SELECT * FROM Message WHERE user_from = %s AND priority = %i AND public = 1", $_GET['from'], $_GET['priority']);

    Oh yes? Well, think again... Use of sprintf() alone does not combat SQL injection. Here, I fixed it for you:

    mysql_query("SELECT * FROM Message WHERE user_from = '%s' AND priority = %d AND public = 1", mysql_real_escape_string($_GET['from']), $_GET['priority']);

    Except that he doesn't use sprintf, he uses prepared statements, the role of his "query" function is to escape automagically every single argument past the initial request, and then inject the escaped values in the SQL query.

    You should try looking it up, it's quite common in non-braindead-retarded languages such as pretty much anything other than PHP (Python's DBAPI2 for example, or raw SQL queries using ActiveRecord in Ruby).

    And while mysqli_ is a step forward in PHP, it's still quite far from being "there" yet (seriously, why the flying hell should I have to call an explicit "prepare" method and then manually bind every single fucking argument one by one? Yet Another Proof of the Zend Dev's retardedness I guess...)
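
    Added example (not code from the thread or from any poster): the difference the post above draws between sprintf-style formatting and handing values to the driver as parameters, shown with Python's DB-API 2 interface and an in-memory SQLite database. The Message table, its rows, the injection string and the helper names are all constructed for this illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture (assumption): a Message table with one public and
    two private rows, mirroring the columns in the query quoted above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Message (id INTEGER, user_from TEXT, "
        "priority INTEGER, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO Message VALUES (?, ?, ?, ?)",
        [
            (1, "alice", 1, 1),  # public: the only row a caller should see
            (2, "bob", 2, 0),    # private
            (3, "alice", 3, 0),  # private
        ],
    )
    return conn


def messages_formatted(conn, user_from, priority):
    """Vulnerable: the values are pasted into the SQL text, so a quote in
    user_from ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id FROM Message WHERE user_from = '%s' AND priority = %s "
        "AND public = 1" % (user_from, priority)
    )
    return sorted(row[0] for row in conn.execute(sql))


def messages_parameterized(conn, user_from, priority):
    """Safe: the SQL text is constant and the values travel separately as
    bound parameters (DB-API 2 qmark style), so they are never parsed as SQL.
    priority is coerced to int so a non-numeric value fails loudly."""
    sql = (
        "SELECT id FROM Message WHERE user_from = ? AND priority = ? "
        "AND public = 1"
    )
    return sorted(row[0] for row in conn.execute(sql, (user_from, int(priority))))


def demo():
    """Run both variants against a legitimate request and an injection
    payload; returns the id lists so the difference can be checked."""
    conn = make_db()
    payload = "x' OR '1'='1' --"  # constructed injection string
    return {
        "legit_formatted": messages_formatted(conn, "alice", "1"),
        "attack_formatted": messages_formatted(conn, payload, "1"),
        "legit_param": messages_parameterized(conn, "alice", "1"),
        "attack_param": messages_parameterized(conn, payload, "1"),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:18} -> {ids}")
```

    With the formatted query the payload turns the WHERE clause into `user_from = 'x' OR '1'='1' --...`, the comment swallows the `public = 1` condition and the private rows come back. With bound parameters the same string is compared literally against user_from and matches nothing.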

  • (cs) in reply to Kieren Johnstone
    Anonymous:
    Yes, it does make it legal C.  If it weren't legal C it wouldn't compile.

    Laugh

    (BTW - you forgot your {joke}{/joke} tags)

  • (cs) in reply to Bellinghman
    Bellinghman:
    ammoQ:
    As you can clearly see, for the compiler it's a warning, not an error. BTW, the compiler is GCC 3.4.1

    The C Standard requires the compiler to emit a diagnostic when an illegal construct is found. Which it did.



    Shouldn't we first agree by which C standard we decide if something is legal or not? K&R, C89, C99?

  • (cs) in reply to ammoQ
    ammoQ:
    Shouldn't we first agree by which C standard we decide if something is legal or not? K&R, C89, C99?

    Well, there is only one current C Standard - C99. But that's ISO rules for you. The rest of us are probably quite happy to consider C89 as well - it was the standard up until C99 came out.

    As for K&R, it was never officially a standard. But if you're going to argue from a document that was superseded before some contributors here were born, go ahead - does K&R allow void main()?

    (The fact that functions returning void were an extension after K&R might be a clue.)

    I suspect that the very requirement that main() returns int goes all the way back to K&R, fossilising a version of the language that was actually unable to return void.

  • brillant (unregistered)

    This is brilliant because it also prevents hackers from typing '||password.

  • ChiefCrazyTalk (unregistered) in reply to impslayer

    impslayer:
    Gameh:

    Some of the coments over here are the real wtf.
    ...
    Many of the ones who post messages here should post them to a basic programming course. Beleveing that you have the right to post here is the real WTF!!!

    Damn straight! Let only the professional and brillIant developers post here. When I think about it, add a requirement to be able to spell correctly too.

     

    But...But...Paula said it was "BrillAnt"

     

    Finally - a CAPTCHA that I can read and works!

  • (cs) in reply to Steve Taylor

    What a pitiful lack of culture!

    French writers George Sand and Alfred de Musset couldn't have messed up in this database ...

    An educated developer would have pointed out the problem immediately!

  • (cs) in reply to a
    b:
    It does not that C make.

    WTF??? That you, Yoda?
  • Tei (unregistered) in reply to masklinn

    My version 2.0 of the wtfix.

    //V2.0
    // take the posted name, or false if nothing was posted
    $at_post["name"] = (isset($_POST["name"]) ? $_POST["name"] : false);
    // escape it for use inside the double-quoted SQL string literal below
    $at_sql["name"] = mysql_real_escape_string($at_post["name"]);

    $sql = 'SELECT IdUser
            FROM dat_users
            WHERE Name="' . $at_sql["name"] . '"';

    $result = query($sql, "Pick a user id");

    if ($result) {
        foo($result);
    } else {
        bar();
    }

  • Tei (unregistered) in reply to Tei

    oh, crap, I forgot the last "+" on the sql string building phase.

  • Steve (unregistered) in reply to Matthias
    Anonymous:
    Well, I must say that Alex made this submission a little more dramatic than it was in reality. The subcontractors weren't overseas, the second paragraph is completely new to me (I submitted this) and the turnaround time after the initial report wasn't "several weeks" but about 18 hours.

    Anyway, I almost like it better this way.



    WTF  -- Bullsh*t injection of Injection Rejection!!!

  • (cs) in reply to TomCo

    Brillant!

  • ammoQ unable to sign in (unregistered) in reply to Bellinghman
    Bellinghman:
    ammoQ:
    Shouldn't we first agree by which C standard we decide if something is legal or not? K&R, C89, C99?

    Well, there is only one current C Standard - C99. But that's ISO rules for you. The rest of us are probably quite happy to consider C89 as well - it was the standard up until C99 came out.

    As for K&R, it was never officially a standard. But if you're going to argue from a document that was superseded before some contributors here were born, go ahead - does K&R allow void main()?

    (The fact that functions returning void were an extension after K&R might be a clue.)

    I suspect that the very requirement that main() returns int goes all the way back to K&R, fossilising a version of the language that was actually unable to return void.



    You are right, in K&R it was implicitly int, as in
    main()
    {
    printf("hello world!\n");
    return 0;
    }
    I wonder where the "void main()" thingy came from - google finds hundreds of thousands of "void main" examples (I also looked for stdio.h, so it's not java or c# ;-)

  • (cs) in reply to Steve Taylor
    Anonymous:
    > As it turned out, the overseas team didn't read the SQL injection article,
    > so they invented their own protection scheme that discriminates against
    > Seth, Amanda, and George ...

    I'm glad to see a bit of balance in reporting after yesterday's nasty anti-Steve article. Death to Seth, Amanda and George!


    Steve


    I thought that anti-Steve attack was a bit over-the-top too.  Completely uncalled for, in fact.

    Steve

  • (cs) in reply to WTF?
    Anonymous:
    Tinfoil hat! Ready...and...conspiracy!

    Where, exactly, does "creates such stuff for the government" fit in? Aspartame is sold COMMERCIALLY around the world and very clearly advertised as such. Where's the conspiracy here?


    It is sold commercially indeed, as a food additive.  And who, exactly, regulates and approves such sales in the country where you live?

    It is very easy to shout "Conspiracy!" as a synonym for "Nutcase!", but this is intellectually very lazy.  It takes a lot more work to sit down and actually figure out what's going on, who the players are, and what their motivations are.  Usually it boils down to money - and lots of it.

    This is terribly off-topic, though.  The whole Diet-Pepsi-squirting-out-of-the-nose bit should have been left alone, at least in this forum.  However, if I had been drinking any, which I wouldn't, I probably would have squirted it out of my nose too when I read the "Jennidatabasefer" post.  That's what I was going to name my daughter, but my wife probably would have considered it inappropriate.  :)

  • (cs) in reply to ammoQ unable to sign in
    Anonymous:
    I wonder where the "void main()" thingy came from - google finds hundreds of thousands of "void main" examples (I also looked for stdio.h, so it's not java or c# ;-)

    If you ever find out, do let me know :-)

    I suspect it was Herb Schildt, who was notorious for writing extremely readable yet insidiously erroneous manuals. The habit seemed to have caught on, and got all over both Microsoft and Borland docs.

  • NogginBoink (unregistered) in reply to Zic

    This would be a supremely bad idea.

    You can't trust the client. Only the most benevolent (or naive) bad guys will ensure they attack your web app through a web browser.

  • Salizar (unregistered) in reply to Zic

    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    JavaScript is fine for client side validation, but it does NOT replace server side validation. It is just too elementary to remove JavaScript from a webpage, not to have server side validation in place as well.

     

  • Casey Allen Shobe (unregistered) in reply to Zic
    Anonymous:
    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    HAHAHA, your comment is a daily WTF in itself. You really think client-language checks are enough to stop /anything/? Javascript cannot be relied upon and is easily bypassed.

  • (cs) in reply to Salizar

    Looks like some people need a better sarcasm detector.

  • awefawfeawfe (unregistered) in reply to ammoQ

    Unfortunately I've dealt with way too many developers that roll up their own sql injection filters, unaware of things like "prepared statements" and "bound parameters".  It's quite sad actually.  Most of them also declare their solution superior to whatever the language (and DBMS) provides to prevent these things.

  • Dave (unregistered) in reply to kmerkle
    kmerkle:

    //bad sql found -- hack attempt! Abort

     

    I love nested WTFs



    What you probably mean to say is, "Brillant"!
  • Joe Dietz (unregistered)

    I saw this once in a lovely application called portlandmaps.com built by the City of Portland Oregon.  Seriously, I love this application.  Anyways somebody must have had a sudden realization about SQL injection and came up with the same obvious solution.  Suddenly I wasn't able to find my house on 'Flanders St.' anymore. (yes THE 'Ned' Flanders St.).  Fortunately a quick email and it was fixed up within hours.

  • Hotta (unregistered) in reply to Daniel Vandersluis

    Those should have been parentheses (), not square brackets.

  • Hotta (unregistered) in reply to Casey Allen Shobe
    Anonymous:
    Anonymous:
    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.

    HAHAHA, your comment is a daily WTF in itself. You really think client-language checks are enough to stop /anything/? Javascript cannot be relied upon and is easily bypassed.

    Maybe he's talking about Rhino? LOL

  • DZ-Jay (unregistered) in reply to ammoQ
    ammoQ:
    Looks like some people need a better sarcasm detector.


    What is this "Sarcasm" that you speak of?

        -dZ.
  • (cs) in reply to Joe Dietz

    Anonymous:
    I saw this once in a lovely application called portlandmaps.com built by the City of Portland Oregon.  Seriously, I love this application.  Anyways somebody must have had a sudden realization about SQL injection and came up with the same obvious solution.  Suddenly I wasn't able to find my house on 'Flanders St.' anymore. (yes THE 'Ned' Flanders St.).  Fortunately a quick email and it was fixed up within hours.

    Is that near the Reverend Lovejoy Street, or by Duff's garage?

    Wait .. I work for the City of Portland!

  • Jeff Lomax (unregistered)

    I believe the "in house programmers" WTF is that it took them hours to dig thru the code rather than simply to search for "Invalid text was entered. Please correct.".  Maybe we should transfer them overseas?

  • Hotta (unregistered) in reply to Matthias
    Anonymous:
    Well, I must say that Alex made this submission a little more dramatic than it was in reality. The subcontractors weren't overseas, the second paragraph is completely new to me (I submitted this) and the turnaround time after the initial report wasn't "several weeks" but about 18 hours.

    Anyway, I almost like it better this way.

    The "overseas" bit is extremely careless, and to imagine having to invent those "communication issues"... It's really pathetic.

    -- It's the daily WTF because of the forum software!

  • Hotta (unregistered) in reply to Philipp Keller
    Anonymous:
    Did they really spot the error with that?
    When I try this at home
    checkForBadSql('George')
    gets 1, that means the preg_match didn't match and the function tells me that the SQL isn't bad.

    I fear something is terribly wrong here. The WTF is that they spotted the wrong error.. or am I terribly mistaken here?

    The WTF is that 90% of this story is fabricated. Yes, including the code. Nice coding skills, alex!

  • (cs) in reply to Matthias
    Matthias:
    Well, I must say that Alex made this submission a little more dramatic than it was in reality. The subcontractors weren't overseas, the second paragraph is completely new to me (I submitted this) and the turnaround time after the initial report wasn't "several weeks" but about 18 hours.

    Anyway, I almost like it better this way.



    I thought so. From your name I would say you live in a German speaking country, probably Germany; and considering the prices, I've guessed the subcontractors were in Eastern Europe, probably Poland or Slovakia.

  • Gnictigezoink (unregistered) in reply to ammoQ

    I wonder which type of post is more frequent?

    a) Repeat posts correcting sarcastic posts, where the authors both missed the joke AND did not read the 50 existing posts by other people who also missed the joke

    or

    B) Repeat posts offering solutions (wtf? If these were rocket-science problems, they would not be wtfs in the first place) where the authors did not read the 50 existing posts offering solutions...

    Alex? Any stats?

  • Bustaz Kool (unregistered) in reply to Bus Raker
    Bus Raker:

    And they decided that 'AND' and 'OR' were bad, but 'IN', 'JOIN', and 'UNION ALL' are OK?

    WTF?

    "ALTER PROC" is legal, too.  Man, we could have a good time with "ALTER PROC".  It makes all of the other security superfluous.

  • Hotta (unregistered) in reply to Cthulhon
    Anonymous:
    The summary says that it only reacted to full occurrences of strings in $badSqlCode within names, but it has brackets instead of parentheses, so it would error on almost any name (since all the vowels are covered).

    Wrong. It will only match 1-letter words, since there are no quantifiers.

  • (cs) in reply to Bellinghman
    Bellinghman:
    Anonymous:
    Digitalbath:

    Anonymous:
    or "void main(void)" in C.

    Mr. C expert I presume?

    You don't have to be much of an expert to know that void main() isn't legal C.

    It is not legal in a hosted environment (which, admittedly, is where most will use it), but it is legal in a standalone environment.

    Sincerely,

    Gene Wirchenko

  • (cs) in reply to Bellinghman
    Bellinghman:
    Anonymous:
    I wonder where the "void main()" thingy came from - google finds hundreds of thousands of "void main" examples (I also looked for stdio.h, so it's not java or c# ;-)

    If you ever find out, do let me know :-)

    I suspect it was Herb Schildt, who was notorious for writing extremely readable yet insidiously erroneous manuals. The habit seemed to have caught on, and got all over both Microsoft and Borland docs.



    I think that it is multiple sources.  Before I knew better, I came up with the idea myself.  The argument is something like, "But I am not using the return value, so why have one?"

    Sincerely,

    Gene Wirchenko

  • Maurits (unregistered) in reply to Hotta
    Anonymous:
    It will only match 1-letter words, since there are no quantifiers.


    + is the quantifier.

    Community Server must die.
  • Anaerin (unregistered) in reply to WTF?
    Anonymous:
    Tinfoil hat! Ready...and...conspiracy!

    First off, it's spelled "aspartame". (Unless there's a weaponizable biotoxin out there actually named "aspartam", in which case you have my apologies.)

    Where, exactly, does "creates such stuff for the government" fit in? Aspartame is sold COMMERCIALLY around the world and very clearly advertised as such. Where's the conspiracy here? Or is "works with the government" nutjob-slang for "teh evil corporation"?


    You (And the original poster) have been Snoped: http://www.snopes.com/medical/toxins/aspartame.asp
  • Owen (unregistered)

    That's why in previous posts I've said we should encourage the outsourcing trend wherever possible.  The rework will give us employment for years!

  • (cs) in reply to Anaerin
    Anonymous:


    You (And the original poster) have been Snoped: http://www.snopes.com/medical/toxins/aspartame.asp


    That just proves that Snopes is in on it. The greed and machinations of the artificial sweetener giants are boundless.
  • (cs) in reply to WTF Batman
    Anonymous:

    <snip>
    By the way, WTF is the "i" doing in there? I haven't done PHP since the early 4.x days, and I sure don't remember that.



    I assume you mean the i after the regular expression in the line:   
      if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode))
    While I don't know PHP, my experience in Perl would suggest that it means ignore case.

    Anyways, this is a classic WTF, my rating brillant (yes, yes, I know, it's been done to death).

    Shadowhawk
  • Malcalypse (unregistered) in reply to Zic
    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressions but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.


    I think that's a horrible idea.  I think anyone who is trying to inject sql could also easily circumvent the client side execution of javascript...
  • (cs) in reply to Malcalypse
    Anonymous:
    Anonymous:
    toddhilehoffer:
    That is just amazing. Even for overseas programmers that is shameful. That can't be C#, can it? They are writing C# and regular expressions but don't know about parameters. This is one scary WTF!


    Say hello to PHP.  IMHO, this problem could have been solved better with Javascript.  It's better to offload some of the validation on the client-side. That leaves the server free to perform other, more critical tasks... such as echoing the contents of the credit card table to my screen.


    I think that's a horrible idea.  I think anyone who is trying to inject sql could also easily circumvent the client side execution of javascript...

    Have all the sarcasm detectors of the forum burst today or something?

    I guess CS2 is to blame for it, the forum is the real WTF after all...

  • Hotta (unregistered) in reply to Maurits
    Anonymous:
    Anonymous:
    It will only match 1-letter words, since there are no quantifiers.


    + is the quantifier.

    Community Server must die.

    Ok. I missed that. But the original assertion is still wrong, since all the letters of the word must be enumerated in the square brackets.
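
    Added example (not code from the article or from any poster), to make the bracket-versus-parentheses discussion above concrete: the PHP pattern built with implode('|', ...) inside square brackets, rebuilt in Python next to the grouped alternation the author presumably meant. The keyword list is a constructed stand-in for the article's $badSqlCode, the sample names and payloads are constructed, and padding the value with spaces is an assumption about how the check was applied.

```python
import re

# Constructed stand-in for the article's $badSqlCode (assumption, not the
# article's actual list).
BAD_SQL_WORDS = ["select", "insert", "update", "delete", "drop", "union", "or", "and"]

# Python rendering of: preg_match('/\s[' . implode('|', $badSqlCode) . ']+\s/i', ...)
# Inside [...] the words and the '|' separators are just a set of characters,
# so this means "whitespace, one or more letters that occur in any keyword
# (or '|'), whitespace", not "whitespace, one whole keyword, whitespace".
BRACKET_FILTER = re.compile(r"\s[" + "|".join(BAD_SQL_WORDS) + r"]+\s", re.IGNORECASE)

# With parentheses the '|' is alternation and only whole keywords match.
GROUP_FILTER = re.compile(r"\s(?:" + "|".join(BAD_SQL_WORDS) + r")\s", re.IGNORECASE)


def is_rejected(pattern, value):
    """True if the filter would reject value. The value gets one space on
    each side so the pattern's leading and trailing whitespace can match at
    the edges (assumption about how the original wrapped its input)."""
    return pattern.search(" " + value + " ") is not None


def classify(value):
    """Verdict of both filters for one input."""
    return {
        "bracket": is_rejected(BRACKET_FILTER, value),
        "group": is_rejected(GROUP_FILTER, value),
    }


def false_positives(names):
    """Names the bracket filter rejects although they contain no keyword:
    every name whose letters all occur somewhere in the keyword list."""
    return [n for n in names if classify(n)["bracket"] and not classify(n)["group"]]


if __name__ == "__main__":
    for value in ["Seth", "Dale", "Anna Lee", "select", "1 OR 1=1", "x'/**/OR/**/1=1--"]:
        print(repr(value), classify(value))
```

    The bracket version rejects "Dale" (d, a, l, e all occur in the keywords) while letting "Seth" through, which is exactly the name-dependent behaviour the thread is arguing about. The grouped version only rejects whole keywords, but a payload that uses comments instead of spaces passes both filters, which is why the filter is not a defence in either form.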

  • (cs)

    This reminds me of a guy I once knew on IRC. His nickname was "essex".  He kept getting banned from channels for an "inappropriate nickname" by bots matching on 'sex'.

  • Nobody S. Pecial (unregistered) in reply to Rob

    scoop is even better!

Leave a comment on “Injection Rejection”