- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Yeah, in the systems I've worked on, we don't tell the user that it's locked through the interface, we send an email to the account on record.
The interface just always says, "Invalid username/password."
Admin
VB doesn't put colons at the end of its Case statements.
In VB it's Case Else, not Default.
Admin
The HTTP status code should be 200 and the page should have an error message for the user.
When a user submits a form with a required field left blank, do you send back a 400? No, you send back a 200 with the same form again and that field highlighted in red.
Admin
Neither of those points matter, since both statements are commented out, so it's fine to have them in VB. Just don't uncomment them...
Admin
I like this.
Admin
What do you expect from something with the word 'hpnu' in its name?
Admin
Because when he tries the request again without the SQL injection, and it works, he'll figure out that's how you caught him anyway?
Admin
In the age of cellphones and email, they could just do what everyone else does and email/text you a message saying there was multiple login attempts and your account is blocked until you call in with this randomly generated code.
Admin
...and ...?
You have to have another point if you point is to disregard the point.
Or are you just trying to prove that the statement implies something other than what it implies.
Admin
Political correctness is incredibly stupid. I'm glad you cleared that up for everyone.
I'm a very pragmatic person.
If you get offended, that's your own emotion. So manage it by yourself. I don't expect to keep your friendship if your easily offended and I offend you. So, what other way can you "punish" me.
Addendum (2013-07-18 14:32): Just to clear that up.
I make it a point not to offend people, if it's reasonably sane. I have this personal belief as a backup to that. The point being, I don't feel morally obligated to keep you from being offended, but I'd like to try.
Admin
Seriously?
You know what that is right? That's the pregnancy trap. They want you to list any possible scenario you are considering that you haven't committed to (so basically anything that can put you on medical leave act). That's how most people approach having a child. "I can't foresee having a baby, but I want to, and we're trying."
And since they legally can't ask if you're trying to get pregnant, they do this.
Now, for private companies, I give them a pass on this, because it's a big cost to them to have half their staff on medical leave and be forced to leave the spots open for whenever those employees return, legally.
However, when the government employers do that, it's basically saying, "Yeah, I know we make it a point to protect women's 'equality' in the workplace, but we don't want to inhibit ourselves, just private sector businesses. We want to protect what we see as women's rights, but with someone else's money".
Which is basically bigotry in its most gruesome form.
Admin
Admin
No, I don't agree that this is OK. RFC 2616:
By returning 200, you're stating to the client that "I did what you asked me to do. IF there's an entity in the response, that entity represents the results of what you asked me to do." If the request was not "successfully received, understood, and accepted" then 200 should not be returned.
Admin
Note that Julian Reschke is one of the editors of HTTPbis. If he says 422 is the right code to use here, you should believe him.
In fact on the basis of the advice I've seen from him, I'm very happy to admit that my original posting (suggesting only 400 or 404) was incorrect and update my own REST code accordingly. 422 really is the correct response.
Admin
Sanitizing strings is a piss-poor way to prevent SQL Injection.
The only correct approach: http://bobby-tables.com/
Admin
Aside: I tried clicking "Submit" without entering the captcha, and the HTTP result was "200 OK", despite giving me the same form again with "* That's not it" instead of posting my comment. I see nothing wrong with this. This is correct behavior.
Admin
[quote user="anonymousI'm going to go ahead and continue to say that the "wrong" response is correct here. The user is the one who needs to know what went wrong. There is no need for the browser to know this. The browser's request was successfully received, understood, and accepted by the server, and the result was a human-readable error message meant for the user, not their browser.
Aside: I tried clicking "Submit" without entering the captcha, and the HTTP result was "200 OK", despite giving me the same form again with "* That's not it" instead of posting my comment. I see nothing wrong with this. This is correct behavior.[/quote]
I'm not seeing an argument here for why 200 is the "correct" choice. You say that a human-readable response is necessary for the user to take appropriate action, and that's a fair point; but returning 400, 403, 404, 500, or 999 doesn't preclude that. Both the 4xx and 5xx status code classes bear the following general statement: [RFC 2616]
"Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. User agents SHOULD display any included entity to the user."
If the user agent understands that the request was not successful, it can provide an additional nudge to the user to examine the response body for what went wrong.
And, of course, in systems where there isn't a human being available to analyze the response body, the HTTP status code is the only information readily available to decide whether the request was successful or not.
In the specific scenario of posting a comment, I have a hard time understanding how you justify calling a request "accepted" when the clear intent of the request is "here is a commend I would like to post" and the actual result of the operation was anything but "the comment was posted," actual observed behavior notwithstanding.
If I do a GET request for http://someserver/badpath, is someserver justified in sending a 200 status code with a response body indicating that badpath couldn't be found? After all, "there is no need for the browser to know this." By your justification, all status codes should be abolished and replaced with 200.
Admin
By that logic, an incorrect username/password should not be a 200.
Admin
Admin
People just don't seem to get the concept of escaping. Then again, natural languages don't have much support for things like nested quotes either.
See also: the countless comment forms that discard &, <, and >, presumably to stop HTML injection.
Admin
But the actual request isn't malformed. It's well-formed and the server understood it correctly, but it couldn't handle the data it was sent in the content body. That's an internal server error.
Admin
The server handled the content fine, so it's not even an error, it's a rejection of the content that was submitted. Hence why it should be a 200.
Admin
Perhaps someone like Matt Westwood could tell me why I have to enter my username at a secured site, then get redirected to a page that tells me I was logged out due to inactivity. I then have to log in again with the same damn username. Why? No idea. Talked to tech support and they said "security". Which pretty much means that they fucked up their logic in the home page.
Admin
What universe do you live in where "rejection of the content that was submitted" is congruent with "the client's request was successfully received, understood, and accepted"? Just like "user agent" cannot be taken to mean "an interactive Mozilla-style web browser in front of which a human being is currently seated," "server" cannot be taken to mean "a general purpose Apache-style web browser." A web application that communicates over HTTP is a "server" for these purposes, regardless of whether that application is hosted behind what we traditionally think of as the "web server." In other words, if the request as provided does not make sense to the web application in charge of providing a response, then an error response is appropriate, regardless of whether the "bare" request was minimally understandable to a general purpose HTTP server acting as a gateway for the web application.
Admin
Here's where you err. The request DOES make sense to the web application. So much in fact that there's a scenario developed precisely to handle the situation.
Admin
In fact, why are we even talking about what status code this returns?
It should be a 200 with the message on the screen, "Your page was successfully updated because this CMS isn't a POS and doesn't try to defend against SQL injection with code that will end up on TheDailyWTF.com."
Admin
Admin
Admin
Boss: Ok, we need a CSV output. Developer: Ok! No commas allowed in the input now!
How fucking hard is it?
Admin
Obscurity is a useful form of security - it just shouldn't be the only kind. You shouldn't depend on hackers not having information, but that doesn't mean you should give them the info for free.
Admin
Pretty much. I'd say there is no correct status code to be sending in this case, because the situation only arises because of incompetent coding. And regardless of how common that might be, that's not covered by the spec, because changes are the incompetent coder hasn't read the spec anyway...
Admin
No punctuation of any form allowed, and no correctly-spelled words either, in case they can inject something with them. Eh, who's going to notice that? 99% of online commentary will go straight past such a filter without problems... ;)
Admin
People seem to forget that the people hiring someone to do a job should have some sort of right that that job gets done - so if they need someone to work flat out for 12 months and there's a chance that person isn't available for part of those 12 months then they sort of need to know that....
Admin
[quote user="Bullhonkey"][quote user="anonymous]I'm going to go ahead and continue to say that the "wrong" response is correct here. The user is the one who needs to know what went wrong. There is no need for the browser to know this. The browser's request was successfully received, understood, and accepted by the server, and the result was a human-readable error message meant for the user, not their browser.
Aside: I tried clicking "Submit" without entering the captcha, and the HTTP result was "200 OK", despite giving me the same form again with "* That's not it" instead of posting my comment. I see nothing wrong with this. This is correct behavior.[/quote]
I'm not seeing an argument here for why 200 is the "correct" choice. You say that a human-readable response is necessary for the user to take appropriate action, and that's a fair point; but returning 400, 403, 404, 500, or 999 doesn't preclude that. Both the 4xx and 5xx status code classes bear the following general statement: [RFC 2616]
"Except when responding to a HEAD request, the server SHOULD include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. User agents SHOULD display any included entity to the user."
If the user agent understands that the request was not successful, it can provide an additional nudge to the user to examine the response body for what went wrong.
And, of course, in systems where there isn't a human being available to analyze the response body, the HTTP status code is the only information readily available to decide whether the request was successful or not.
In the specific scenario of posting a comment, I have a hard time understanding how you justify calling a request "accepted" when the clear intent of the request is "here is a commend I would like to post" and the actual result of the operation was anything but "the comment was posted," actual observed behavior notwithstanding.
If I do a GET request for http://someserver/badpath, is someserver justified in sending a 200 status code with a response body indicating that badpath couldn't be found? After all, "there is no need for the browser to know this." By your justification, all status codes should be abolished and replaced with 200.[/quote]Disclaimer: I don't work in network related stuff
I would have thought the return codes are protocol-specific. This means that a 200 would be returned when from a http perspective the message has been received and accepted. The issue here is in data beyond the HTTP request - the HTTP request is decipherable and acted on, and I tend to agree the correct return would be HTTP success (200) along with a message/page that explains the user what they tried to do beyond the HTTP stuff was no workie.
Of course, the line between HTTP, the internet, web apps etc has really been blurred in the last few lustra, but surely the codes were originally intended to be specific to the protocol, not to the page/app/whatever providing it. An address that points to something that doesn't exist (or is not allowed) is a problem. A user using a bodgey password might be a problem, but not in terms of HTTP (or at least not in this example).
Admin
Admin
Admin
Using text pattern to filter and declare "guarded against SQL injection" is plain bad.
Admin
VB-compiler rejects it too. "Compile error: Syntax error"
Use ' instead of ; for comments.
Admin
Yes. It seems you are to only one reading it.
Admin
O dear, did I really write something that does this? Which website was this? Let me know and I'll see what I can do to fix it.
Admin
If they need someone to work flat out for 12 months they need to make that very clear in the hiring process. Three months, yeah, 6 months maybe, but 12 months no way. I'd demand at least 2 weeks off during that time to take the family away for a while, and perhaps so we could visit the inlaws at xmas for a day or two.
Admin
If all else fail, always resort to the HTTP 418 error code.
Admin
Sorry, but I was taught that you always return 404 whatever the real error because the bad guys can deduce too much from the valid error messages.
Admin
Admin
I think it would be much more pertinent, if confusing, and scary to that naughty user, to return a "405 Forbidden".
Admin
And I don't care what Reschke is the editor of; if what he says is in clear contradiction to the relevant RFC then he is wrong.
Admin
Nonsense. 403: "The request was a valid request, but the server is refusing to respond to it.[2] Unlike a 401 Unauthorized response, authenticating will make no difference.[2] On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content)."
You won't be allowed to access the data, no matter what authentication you provide.
Admin
You're right, 400 Bad Request
Admin
Admin
"The request" does not extend only to a physical file on a disk. For example, imagine that we have a server at someserver, which has a web application that displays something--recipes, let's say. We'll make it a RESTful-like API, so if I want to view recipe 1204, I send this request:
http://someserver/recipes/view/1204
So clearly we have some sort of application on someserver that handles requests of this form, goes out to the database to find recipe #1204, and returns the result to the user agent. Now, what happens if recipe #1204 doesn't exist? By your argument, the HTTP status code should be 200 since the app that returns recipes itself was successfully found, even though the recipe we asked for wasn't. I think we can all agree 404 is the right response here, despite there being no "protocol" issues involved. Is there a substantive difference between the above form and a non-RESTful form like:
http://someserver/recipe.cgi?id=1204
Again, in this case, the recipe app is successfully found, but the recipe we're asking for was not. In this case, we can argue that the query string is "extra data" that the HTTP server doesn't know or care about, and so from a "protocol perspective," the request was successful, even though the human sitting in front of the screen can clearly tell it was not.
But let's go back to RFC 2616 and look at some definitions.
A "resource" is "A network data object or service that can be identified by a URI".
A URI can be relative and some other stuff; what we're interested in is what an "http URL" looks like:
Furthermore, when we compare URLs to see if they're equal "a client SHOULD use a case-sensitive octet-by-octet comparison of the entire URIs" with some exceptions that aren't relevant here.
So we see here that the query string isn't extraneous information. A unique query string represents a unique resource. http://someserver/recipe.cgi?id=1204 SHOULD return a 404 result because the resource we are asking for was not found, even though recipe.cgi was.
Now recall that form data, when using the GET method, is directly adjoined to the form action URL as a query string, and you see that a GET-submitted form is functionally identical to the kind of request discussed above. The entire request, query string included, represents a unique resource, and if there is a problem accessing that resource (because it doesn't exist, can't be authorized, the request was incomplete or erroneously stated, etc), then an appropriate HTTP status code should be returned.
Furthermore, POST is no escape hatch: "The actual function performed by the POST method is determined by the server and is usually dependent on the Request-URI. The posted entity is subordinate to that URI in the same way that a file is subordinate to a directory containing it, a news article is subordinate to a newsgroup to which it is posted, or a record is subordinate to a database."
By this rule, unique POST body content represents a unique resource, in the same way that every file in a subdirectory is a unique resource, and in the same way that every GET query string is a unique resource. And again, any problems with processing that resource should be responded to with an appropriate HTTP status code.
In particular, it should be noted that the "server"--from HTTP's perspective--is "[a]n application program that accepts connections in order to service requests by sending back responses". I think there's a tendency to focus on the first part--IIS or Apache or nginx is accepting the connection, so it's "the server"--but this definition makes it clear that if your web application is "sending back responses" (and it wouldn't be much of a web app if it weren't) then that makes it the "server," or at least some substantial part of the server. The transaction, after all, is not complete until it is responded to in some way!
HTTP 1.1 is not a low-level protocol; it is a high-level protocol, and an application providing responses to requests is a part of that protocol. So, I agree with you when you say "a 200 would be returned when from a http perspective the message has been received and accepted." Where we differ is where the "http perspective" ends. I think my reading of RFC 2616 clearly includes the web application as playing a crucial role in the protocol itself.