- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Can't wait to TORRENT the next season of GAME OF THRONES!
Admin
Good trolling Lorne, about 50 nerds are going to bite.
Admin
Although ALTER is not in the whitelist of commands it gets executed antway, as one of its arguments matches a word in the whitelist.
In other words: why did the origional programmer match against all words in the string, and not just the first ...
Admin
Because that's not using a function that has just "worked" for so long.
When you play by the book and don't just rip things out when they've been in production, you're seen as more as a team player by the PHB. The more that you're willing to sacrifice your morals for what the people above want, the more money you're likely to make.
Admin
Also grammar-WTF!
Admin
We store scripts that apply the necessary changes from one version to the next, but we don't store a complete creation script for the whole database schema.
In theory that should be sufficient to tie the schema to the code version, but as our deployment tools do not automatically apply scripts to the database there are enough opportunities for human error.
This is actually not the main reason why we don't use stored procedures - the main reason is that it was a company guideline not to use them. This is just the reason why we never felt much urge to break that rule.
Admin
Well, depending on the definition of "word", your queries/statements will look rather strange:
SELECT * fRoM [^p^e^r^s^o^n^] -- *w*i*l*l n*o*t w*o*r*k! INSERT [^p^e^r^s^o^n^] (g,s,b) -- *v*a*l*u*e*s(...) n*o*t a*l*l*o w*e*d! SELECT ('S' + 'U' + 'M' + 'M' + 'E' + 'R'), ('G' + 'L' + 'A' + 'U'), ('J' + 'U' + 'L' + 'Y 24 1981')and of course no 'BEGIN TRANSACTION' / 'COMMIT TRANSACTION', not even a 'go'!
Admin
valid:
Admin
So if you can't write and use a stored procedure, use a trigger instead.
Create some table and insert the parameterised records into it to generate the trigger.
That gets you round the filter because INSERT is an approved word.
In incidentally SQLServer allows MERGE which is a properly concurrent-safe "INSERT or UPDATE".
Admin
What if they wanted to select from a table called execute?
Admin
Obligatory XKCD: http://xkcd.com/327/
Admin
Create a view called "vExecuet" and select from that.
Admin
You sir, disgust me also.
Admin
Admin
I really thought this one was going to be that they keep all valid SQL statements in a table somewhere so that nobody can create an unapproved one.
I am disappoint.
Admin
Could just change the function body to "Return True", but that might reject all user input as a potential SQL injection attack...
Admin
DECLARE @count int
SELECT @count = COUNT(1) FROM validSQLStatements WHERE @statement LIKE Statement
RETURN @count > 0
validSQLStatements
Statement
%select% %insert% %update% %delete%
Admin
But he is making program in Visual Basic. If you want respect, best code in Java.
Admin
Do you really think that schema access is provided to users? DBA is much smarter than normal guys.
Admin
Admin
Msg 3701, Level 11, State 5, Line 1 Cannot drop the table 'students', because it does not exist or you do not have permission.
SUCKS TO BE YOU!
Admin
Ook?!?
Ook!
Admin
Admin
It's very easy, actually:
execute sproc_name_here_followed_by_args go select count(*) from some_known_table_name_here
Admin
How stupid of me (that above); better yet:
execute sproc_name_here @param1=@value1, ..., @paramN = @valueN; go; select 1;
Something like that...
Admin
You are being waaaaaaaaaaaaaaaaaay too optimistic about the DBAs out there.
They're just very lucky that it's not that exciting to see someone using the sa account to connect to a database, otherwise you would see a lot more DBA WTFs on this site.
Admin
He should have changed the function to do a regex. This matching pattern should have done it:
/{s,d,ins,updat}*e{xe,le,le,rt}*{cu}*{te,ct}*/i(Oh yes, it only really matches an "e", but like the guy on the commercial said, "You're good!")
Admin
Why are the problem functions always "deep within the codebase"? The more, usually unnecessary, layers you add, the harder it is to debug. Can we please just fire all the "enterprise" developers already?
Admin
FTFY
Admin
+1
Admin
"Excuse me, sir? Those students over there called you a monkey."
Admin
Modifying the validation function could induce risk. I believe the least risky solution would be to add "-- select" to all execute statements, which makes them validate correctly
Admin
rewrite that mofo
Admin
Admin
Are you using a plug-in? My browser doesn't support the XKCD: protocol
Admin
TRWTF is assigning the return value to a variable instead of returning from inside the loop immediately.
Admin
Amateur.
SQL> create procedure "select" as 2 begin 3 null; 4 end; 5 /
Procedure created.
SQL>
Admin
To be fair, this seems like a very good way if you want to allow every valid adress without going insane. http://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx But on the other hand, demanding a "." is also too much, as "admin@com" would be a valid adress for the TLD .com.
Admin
This implementation would lead to some interesting workarounds. The main thing to notice is that each character is either even or odd, with the addition of even characters keeping the new string in the same class and odd characters causing a switch.
Turns out spaces and newlines don't matter, because they're even in ASCII. Capitalization doesn't matter either, as there's an even number of characters between upper and lower case. However, tabs and semicolons are odd, so adding one to a failing statement will make it work and vice versa. Other good choices are adding stuff like comments, AS statements, or where clauses that are always true.
Furthermore, you can pretty quickly tell if a particular statement will work by memorizing whether the most common words as a whole are even or odd. For instance, SELECT is even and thus has no impact on whether a statement works.
There may be a strong bias towards either working or failing. I suspect failing will be more common (the required ";" at the end makes the simplest possible statement fail, and SELECT, FROM, and * are all even words).
Admin
If this is anything like the codebases I've encountered, the function is only ever called with a variable as a parameter, whose value is supplied by code far, far away from the call site. And depending on the return value, different things get executed. Removing a function like this can take days.
Admin
Who knows what horrors lurk down in the dank depths of the code where no mortal has tread since the Clinton Administration. Perhaps this worthless function, as terrible as it is, is the only think keeping the world from falling to ruin.
Oh yes remove it, and who knows what strange previously blocked SQL query will suddenly get executed against the database because this shabby knight no longer feebly guards the door.
Admin
Someone help me please - I can't tell what the bigger WTF is - is it the company guideline not to used stored procedures, or is the developers who think putting tsql in their apps a better way to go?
Admin
That's actually a design pattern. A design anti-pattern, IMO.
Admin
Guys, this obviously isn't an anti-injection thing. If it were, they wouldn't allow "Delete". That's all you need to wipe the database of any actual data.
If I were to speculate...
Somewhere, some variable was getting set with a value that was either SQL or something else. And this function was created as a quick and dirty way to figure out whether it was SQL - the person who programmed this knew it wasn't perfect, but it was good enough for what they needed to do with it. And then someone else noticed the function and decided that everything that calls the database should use it, because validation is good. Nobody else even noticed, because they weren't using stored procedures at the time. And then, years later, someone tried to use a stored procedure, found they couldn't, shrugged, told everyone else that stored procedures wouldn't work on the codebase, and found another way to do things.
Admin
exec usp_select_your_mom
Problems?
Admin
"Dear Balrog, how do you type with boxing gloves on your hands? Crapfully yours..."
Admin
What is ML? Wiat, I will google that.
Admin
But that requires storing a map. To avoid that, and still be consistent, calculate the MD5 hash and take the first bit to determine true/false.
This would, however, be deterministic and allow the developer to determine in advance if their SQL statement would work or not... much like adding the comment ";--select" at the end would work with the original function.
Captcha: consequat
Admin
It's a good job it didn't support regular expressions, otherwise you would've had two problems.
Admin
Not if you're using Oracle.