Admin
It's still cute.
Admin
The most classic invitation for an SQL injection ever; perhaps they're scanning for 'em and only employing the people who do try their haxxor skills, since they obviously understand SQL and its "hidden bonii" :)
Admin
A friend's website had a silly vulnerability like this. All you had to do was select a user where 1 = 1 and you could log into the site with whatever the first user was in the database.
Admin
Is this a joke or does it really work??
Admin
Somehow I doubt it really just fills in the blanks in the SQL string (though it's happened before). The sad part though is their half-hearted attempts to pander to IT people. At least this one is reasonable, whereas the last one posted here was a complete joke.
Admin
I just tried it. It took 5 minutes for the page to refresh. And when it came back, every single job on their site was gone!!! woo hoo!!! hope they have backups.
Admin
This is at least better than their other one. I don't mind this one so much, but the other one was kind of sad in how poorly conceived it was.
Admin
Couldn't find a page that looked anything like that. Maybe it was a test page.
Admin
Yes. It really does work. Having trouble breathing? Looking pale? At least my friend looked like that when I told him about SQL injections... after he had developed a commercial site and published it.
Admin
IF that was really what the ad did, then yes.
This is a great example for showing what SQL injection is and how it could work. If you don't protect against the user, then eventually, some malicious or curious user is going to run arbitrary queries on your database.
If you could trust the users, then they would only enter (for example) San Francisco in the City field. However, you can't, and someone could just as easily enter control characters into the input field.
" ; DROP TABLE ends the "city" field then executes the DROP TABLE command.
Protecting against SQL injection is a matter of passing the escape characters along as characters to search against. (I'm not sure; databases aren't often used in embedded systems.) Thus, you'd search for the city:
" ; DROP TABLE
which would have no matches.
What your smart bad guy is going to do is just run a query to get the records for all users, then sell them at $20 each. That's a lot less detectable than having the records suddenly vanish.
I'd like to think that this ad is just to get your attention. It does, however, provide a decent visual aid.
Admin
Doesn't SQL normally use double-quotes for object names, and single-quotes for string literals? So the ad doesn't make sense anyways?
Admin
select * from users where clue>0; no rows returned
Admin
Is this actually live somewhere? And does it actually allow SQL injection? If not, then this WTF is completely pointless. All the advertisement needs to do is ADVERTISE, not be Turing complete or anything like that.
If they were looking for website developers and made an advertisement that said
Would you rag on it for missing the DOCTYPE declaration and not validating?
Admin
Could they have bought this kind of advertising? I doubt it. Unfortunately, they probably just eliminated their best candidates.
captcha = waffles. Had the noun for breakfast. Will do the verb for the rest of the day.
Admin
I was going to post this on the sidebar, but I'm not registered. You'd think the other big guy in this field would have access to some decent resumes, and then you stumble onto this:
http://jobs.thedailywtf.com/1001/listing.aspx?JobId=1000755
Admin
I've always wanted to change my legal name to ;DROP DATABASE; and see what kind of havoc ensues...
Admin
No. I would rag on it for not using an absolute URL and therefore only linking to a child document of the current path named "dice.com."
Admin
I'd rag on it for not including "http://" in the href so it'd go to wherever.the.current.url.is/dice.com
CAPTCHA: Xevious. I've never played Xevious, actually..
Admin
That job listing is missing the requirement for the ability to solve world peace and bend time-space. All other things they have covered :)
Admin
Heh - even my company has made an "SQL-languaged" banner for job applicants. I think it is a rather common strategy to separate yourself from the normal crowd.
Admin
No, actually if you put '<base href="http://dice.com">' in the <head> then it works fine. Of course, we're not including all that meta data in our limited-space advertisement.
Then all Dice needs to do is make sure their webserver redirects it to their job search!
Admin
This is not a WTF. I'm certain the code filters to avoid SQL Injections.
Admin
Massive overreaction. Just because it has a picture of some SQL code does not mean that you're actually running SQL queries directly on the box. It's marketing, folks. Get real.
Admin
Admin
The point is that they are trying to attract programmers with dodgy code lol.
It's the equivalent of trying to attract C# developers with code that contained a goto.
Admin
So, has anybody tried it...? <G>
p.s. LOL! My captcha for this comment is "dreadlocks" -- never had a "good" word, before...
Admin
Yeah, this was a pretty weak Error'd article. Just because some marketing guys thought this would be cute does not mean it's a SQL injection vulnerability.
Off-topic: Why do people announce their CAPTCHAs?
Admin
To protect against injection, all you have to do is use parameterized commands. You should never concatenate anything together with a SQL statement and execute it, unless the language/framework/database you are using doesn't support parameters. Of course, in that case, you probably have bigger issues to worry about.
So far, today's entry has been setting a record for most people not "getting it". Of course dice.com doesn't actually have this form on their site to fill in; it's just funny that a company that (in theory) is hiring and placing "experts" in programming or technology would display BAD, UNSAFE CODE in their marketing.
That's all, kids. It's just a little ironic if you get it.
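An added example, not code from the thread or from dice.com, that ties the earlier explanation of how the `"; DROP TABLE` input terminates the city field to this comment's advice on parameterized commands: the concatenating search the ad caricatures beside the parameterized one, run against a constructed in-memory SQLite table (the schema, the column names and the single-quoted payloads are assumptions).

```python
import sqlite3

# Constructed sample table; the schema is an assumption, not dice.com's.
JOBS = [("Cupertino", "DBA"), ("San Francisco", "SQL developer"), ("Boston", "Analyst")]

# Single-quoted versions of the thread's payloads (single quotes being the
# standard string delimiter, as noted upthread).
DUMP_ALL = "' OR '1'='1"
WIPE_TABLE = "'; DELETE FROM Jobs WHERE '1'='1"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Jobs (city TEXT, title TEXT)")
    con.executemany("INSERT INTO Jobs VALUES (?, ?)", JOBS)
    return con


def jobs_left(con):
    return con.execute("SELECT COUNT(*) FROM Jobs").fetchone()[0]


def search_unsafe(city, batched=False):
    """The pattern the ad caricatures: the user's text is spliced into the SQL.

    Returns (rows matched, rows still in the table). batched=True runs the text
    through executescript(), standing in for a server/driver that accepts
    several statements per call; sqlite3's execute() refuses that, which is
    the driver's doing, not the code's."""
    con = fresh_db()
    sql = "SELECT city, title FROM Jobs WHERE city = '%s'" % city
    if batched:
        con.executescript(sql)          # SELECT output is discarded; DELETE runs
        return [], jobs_left(con)
    return con.execute(sql).fetchall(), jobs_left(con)


def search_safe(city):
    """Parameterized query: the value travels separately from the SQL text, so it
    is only ever compared against the city column and never parsed as SQL."""
    con = fresh_db()
    rows = con.execute("SELECT city, title FROM Jobs WHERE city = ?", (city,)).fetchall()
    return rows, jobs_left(con)


if __name__ == "__main__":
    print(search_unsafe("Boston"))                  # one row, 3 left
    print(search_unsafe(DUMP_ALL))                  # every row: the quiet data theft
    print(search_unsafe(WIPE_TABLE, batched=True))  # no rows, 0 left
    print(search_safe(WIPE_TABLE))                  # no rows, 3 left: it's just a string
```

The DUMP_ALL case is the one the thread calls less detectable than an emptied table: nothing vanishes, every record simply comes back.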
Admin
Actually, I think you'd find it'd go to http://dice.com/dice.com if you did that.
Admin
Admin
Weaksauce. Must be a slow day in the clusterfu... er... newsroom.
Admin
Oracle uses single quotes for string literals... I dunno if that's standard though. Object names don't usually need attribution, because if it's not a keyword or operator, it's gotta be an object. An alias is double-quoted in Oracle, such as
SELECT cust_id "Customer ID" FROM ...
Again, I have no idea if this is ANSI standard or not.
Admin
This is not software code, it's a SQL query. Like a query you would run in Query Analyzer or Toad, not part of a string concatenation routine. It's just marketing targeted more at DBAs and database-driven application developers.
If this is BAD and UNSAFE, then I guess I'm in trouble.
The only people that aren't "getting it" are the people who think this is a possibility for SQL injection. Including whoever did the write-up for the screenshot.
Admin
Never is such a horrible word to use. I concat strings for SQL execution all the time; well, I use System.String.Format, actually, but same effect:
System.String.Format("SELECT * FROM Foo WHERE Bar={0}", SQLEscape(szUserInput));
Now, concatenating raw user input to SQL without escaping it, that's just stupid... Although I do have that one application I use for executing arbitrary SQL; that is by its nature an acceptable use of unescaped SQL, but there is no concatenation involved then, so it doesn't qualify.
Admin
One can hope this isn't a real query but just a "fun" display for the actual query engine.
That is, it's probably a joke. You know, funny? Ha ha.
But please don't type "; DELETE * FROM JOBS ; " anyway, m'kay
SC dreadlocks which rhymes with deadlocks which is what bad SQL programmers get.
Admin
Agreed.
Because they're nerds..
Admin
There's no WTF here. It might be dull, but it's pretty obvious what they're trying to tell you; they're seeking SQL programmers, and if that seems familiar, you're probably one. Securing it against injections would just have blurred the intention of the ad.
Admin
The real WTF seems to be that the "select" part of the SQL injection seems to be somewhat irrelevant after the table has been emptied by the "delete" part.
Admin
Admin
The DBMS would certainly be able to restrict the site's "web user" account from being able to execute delete, update, or drop statements.
Admin
There's another ad (I see it mostly on slashdot) just like this for the same business I believe, except it uses PHP:
It flashes a few times between
and
This really annoys me as a PHP developer because they both have a few blatant, even-my-PHB-knows-this mistakes (vars need a $, undefined constants/variables "num" and "location", '%2$s' and '%1$d' are syntactically invalid...)
(captcha: I like how the word "smile" actually looks somewhat like a smile)
Admin
Waitaminute. I have had good uses for goto in C# code.
Let's say I'm talking to some instrument like a spectrum analyzer through a less-than-reliable driver supplied by the instrument vendor, whose name is something like Agile Ant. Let's say that this driver sometimes mysteriously barfs, throwing an Exception with the message "SA Application not installed." Let's also say that the driver behaves normally again with an immediate retry. Let's also say that the Agile Ant people appear to have no desire to fix this problem. My code looks something like this:
Better way to solve this problem?
Admin
Admin
I think this ad could have been improved if they had put a disclaimer at the bottom:
*unless your name is "; Drop Table, of course.
Still, it does get the point across.
Admin
That's why I stated in the very next sentence (which you conveniently excluded from your quotation) that it then becomes Dice's responsibility to configure their webserver to redirect the page "dice.com" to their job searching page.
So you see, it ends up being a perfectly valid link.
Admin
I think this is an easier way to achieve that:
';DELETE xxx/*
Admin
It's the IT version of "punch the monkey"
"Ah ah, I hax0r him and ... what? I click on field and it take me to webpage? This no DB query, this tricky advertisement! Mongo mad!"
Admin
WTF #1 - having a system that allows SQL injection. WTF #2 - actually storing passwords. Never store passwords, only store one-way hashes of passwords. This prevents anyone, hacker or employee, from getting a password....
Jeez, this crap is security 101... -Me
Admin
even better
";DELETE FROM Jobs WHERE "1"="1
Admin
We're talking about advertisements that display said code raw inside a GIF. Did you notice the theme of this thread?
Posting to this forum is like talking to 6 yr olds, I swear. Everything is taken literally.