Admin
If only he'd read last week's post on SQL injection...
Admin
Universal Password!!! Brilliant!
Admin
So there is no key and the column "username" has the password.
Methinks the coder was "simple"...
Admin
If I had goggles, they would do NOTHING.
Admin
I can't remember having seen a stronger invitation for a brute force attack. Logging in using a single piece of input.
Admin
I think TRWTF was that the actual authentication consisted of redirecting the user to index.php (not exactly a hard to guess name, either). He didn't even note down a session variable saying "the user belonging to this session is authenticated" or something to that effect.
Since the index.php is the page that is normally served by default, I wouldn't be surprised if even non-tech-savvy users could "hack" the site - "hack" as in they won't even notice the site was supposed to be password protected.
Admin
So I get it right:
He runs through all usernames, and the last username in the list (in whatever order SELECT returns them) is the password?
I am impressed.
Admin
Admin
He should be the dictionary definition of 'code monkey'.
Admin
Not only is it simple, it is Easy To Use (TM). I so hate it when I have to log in to a site, navigate 20 clicks through some obscure trail, and when I finally get to my favorite page I can't bookmark it because next time the site forces me through all those convoluted steps again!
This site supports bookmarks! Just login once and no revalidation next time! No wonder he got hired by another company, probably a bank or someone with lots of money to burn.
On second thought, couldn't be a bank. They couldn't work out how to make a site usable if it was the last step between them and a Congressional bailout!
Admin
Perhaps the application never gained more than one user. Plenty of room for growth!!
Admin
Right. You would think this is a WTF, as SELECT without an ORDER BY clause does not guarantee order (As you stated). Except, as there is only a single username in that table, the order is relatively predictable.
Admin
I like how descriptive he gets when naming his variables. Who wouldn't know the meaning of $q and $chumbawumba?
Admin
Classic example of bad naming. Had the table been named SingleWebPassword and its single column [password], there wouldn't be a WTF.
Admin
I call bs on this one.. no one would be that stupid.
Admin
Admin
This is exactly why my company rejects job applications from anyone who listens to Chumbawumba. Or the Scissor Sisters. You just can't trust them.
Admin
Admin
If only last week's post read this - no user input gets sent to the query, 100% SQL Injection Proof!
I'll be using this in all my endeavours.
Admin
On the other hand, it does avoid the risk of SQL injection attacks... ;^) EDIT: Goodness, only three other people mentioned that whilst I was posting...
You're joking. Right? Please tell me you're joking?!? You MUST BE JOKING!?!?!?!?!?
Admin
Nope. In a previous system I worked on, the original coder did the following to try and login a user:
The account table had 1.7 million entries, and there was a perfectly good index on the username column. Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
Admin
Admin
You mean Brillant!
Admin
The real WTF here is the (common) misspelling of Chumbawamba. Who put the U in the wamba?
Admin
Where do you see the possibility for SQL injection in this code?
Admin
Admin
Sadly, that's significantly more elegant than most Single Sign On solutions I've encountered...
Admin
Don't knock down this developer. He'll just get back up again, you're never gonna keep him down.
Admin
I must agree. Perhaps there should be another term, something like 'code baboon'...
Admin
I get logged out, but I log in again, you're never gonna keep me out...
Admin
To quote a great movie... "INCONCEIVABLE!"
Admin
Admin
Admin
And I don't think it is anywhere near being the real WTF here.
Admin
The reason it came to mind was the same programmer's refusal to use parameterised statements. I spent a long time demonstrating an SQL injection vulnerability to him, and how to avoid them with the JDBC PreparedStatement. However, all that happened was that his code went from:
to:
At which point I refused to have him work on any of my projects.
Admin
LOL!!!!!!
Admin
Pissing the WHERE away, pissing the WHERE away!
Admin
Select comment from COMMENTS;
Admin
Shouldn't that read
SELECT comment FROM comments WHERE grey_background = TRUE;
Admin
Admin
I'm guessing that it started out with a hard-coded password (possibly even some pathetic JavaScript validation), and somebody told him he should be using a database for authentication, and he didn't really understand what that meant but figured he'd give it the old college try.
Admin
JAM TIME! And a-one, and a-two, and a one-two-three-four :
Take it, eehoo!
Admin
He didn't even spell "Chumbawamba" right.
Admin
Admin
Forgetting the login part for a moment, I recognize this pattern. Using a table with one record as a kind of substitute for an Application variable.
I see this more often than I'd like.
Admin
$q->query($sql);
The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?
I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.
Admin
Admin
Admin
Damn shit it does.
Admin
One convincing reason is that if you ever need to switch databases from MySQL to something else you don't have to rewrite all your code. Assuming that the SQL code is compatible you'd only need to rewrite the class that handles the API access.
I also do it to simplify a few things. If for instance I know for an undeniable fact I will only receive a single value from a query then my database class has a function that can do exactly that: Return a single value from any given query.
That takes a whole bunch of MySql function calls and reduces it to a single call from the application. Makes my life a whole lot easier.
It also simplifies cleanup as the moment my query class goes out of scope it is properly disposed of by the destructor. Same goes for database connections.
So yea, there are a few reasons to put the API behind another layer. Hopefully however this layer is a layer that makes life easier, not obfuscates things.
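As an added example, not code from this thread or from the CodeSOD it discusses, here is what the two threads of argument above look like together: the parameterised-versus-concatenated query the JDBC post describes, and the thin database wrapper the last post defends (single-value helper, connection cleanup when the object goes out of scope). It is written in Python over sqlite3 rather than PHP/MySQL or JDBC; the `Db` class, its `scalar`/`row` methods, the `users` table layout and the sample users are all assumptions made for this example. The concatenated lookup is kept only to show what the bound one prevents.

```python
import hashlib
import hmac
import os
import sqlite3
from contextlib import closing


class Db:
    """Thin wrapper over a DB-API connection (hypothetical; constructed for this example).

    Three jobs: hide driver specifics behind a couple of calls, always bind
    parameters, and close the connection when the object is used as a context
    manager, so connections cannot leak the way the thread describes.
    """

    def __init__(self, path=":memory:"):
        self.conn = sqlite3.connect(path)

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.conn.close()

    def execute(self, sql, params=()):
        with closing(self.conn.cursor()) as cur:
            cur.execute(sql, params)
        self.conn.commit()

    def row(self, sql, params=()):
        """Return the first row of a query, or None."""
        with closing(self.conn.cursor()) as cur:
            cur.execute(sql, params)
            return cur.fetchone()

    def scalar(self, sql, params=()):
        """Return the single value of a single-row query, or None if there is no row."""
        r = self.row(sql, params)
        return r[0] if r else None


def hash_password(password, salt):
    # Salted, slow hash: the table never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(db, username, password):
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def count_users_concatenated(db, username):
    # The pattern the JDBC post complains about: input spliced into the SQL text,
    # so the database cannot tell the name from the query. Shown only for contrast.
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return db.scalar(sql)


def count_users_bound(db, username):
    # Parameterised: the driver ships the value separately; it is data, never SQL.
    return db.scalar("SELECT COUNT(*) FROM users WHERE username = ?", (username,))


def authenticate(db, username, password):
    """Look up exactly one user by bound parameter and compare hashes in constant time."""
    r = db.row("SELECT salt, pw_hash FROM users WHERE username = ?", (username,))
    if r is None:
        # Hash anyway so an unknown name costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = r
    return hmac.compare_digest(bytes(stored), hash_password(password, bytes(salt)))


def demo():
    """Build a throwaway database and return the outcomes of both query styles."""
    with Db() as db:
        db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, "
            "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
        )
        add_user(db, "alice", "correct horse")  # constructed sample users
        add_user(db, "bob", "battery staple")
        probe = "x' OR '1'='1"  # constructed input that is SQL text, not a name
        return {
            "concat": count_users_concatenated(db, probe),  # matches every row
            "bound": count_users_bound(db, probe),          # matches nothing
            "alice_ok": authenticate(db, "alice", "correct horse"),
            "alice_bad": authenticate(db, "alice", "battery staple"),
            "nobody": authenticate(db, "nobody", "anything"),
        }


if __name__ == "__main__":
    print(demo())
```

The abstraction here is only two methods deep on purpose: the wrapper earns its place by making the safe call (`scalar` with bound parameters) the shortest one to type and by guaranteeing cleanup in `__exit__`, which is the argument the last post makes. If the wrapper instead exposed a string-building `query($sql)` as its only entry point, it would add a layer without removing the defect.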