• Real Old Fart (unregistered)

    I call this sort of code 'job security'. It guarantees I'll always have work fixing this crap.

  • Leak (cs)

    Bah humbug.

    Just drop the Little Bobby Tables attack into the password field and you can use ";--" all you want...

  • RandomDreamer (unregistered)

    So that means I can't use "Drop It Like It's Hot" as my favorite song for the security question?

    CAPTCHA: genitus

  • akatherder (cs) in reply to RandomDreamer
    RandomDreamer:
    So that means I can't use "Drop It Like It's Hot" as my favorite song for the security question?

    CAPTCHA: genitus

    Yes and that holds true for any online security question, whether they block the word "drop" or not.

  • G0atS3 (unregistered)

    uNNNNNGH 5th%%%%%55%%55%%%55five

  • Matt.C (cs)

    I guess you couldn't have 'Pannullo Hydroponics' as your answer to 'Where did my grandfather's vet's brother's neighbour's father work in 1995?' then.

  • tgape (cs)

    The second example is a classic example of 'trying too hard'. For that code, any username with a ' character in it will cause problems, so just ban the lot of them. Of course, I tend to be more draconian, and also ban ", , ,, ., and any other special character that seems interesting to me. (Actually, to be technical, I allow alphanumeric, underscores, and, depending on the system and field, maybe dashes and/or spaces. If it's for international use, I'll also allow unicode characters which are not part of the standard 7-bit ASCII set - but I'm only generous there because I haven't heard of any of those being exploitable.)

  • Smash King (cs)

    base64_decode(base64_encode($witty_comment))

  • m0ffx (unregistered)

    Also from Lincoln County Credit Union's site:

    Why can’t I use my physical keyboard to enter my password/PIN?

    The Password/PIN must now be entered using your mouse. The on-screen keyboard is used to prevent possible hackers from getting passwords while using special software designed to monitor keyboard strokes.

    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.

  • El Dorko (unregistered)

    $sql = "select * from customers where " . "email_address = '" . base64_decode(base64_encode($email_address)) . "' and password = '" . base64_decode(base64_encode($password)) . "'";

    ...I don't think the purpose of that is to prevent SQL injection but rather to enterprise-y the code. Imagine the CPU cycles that puppy can churn up if they use that everywhere! Whoa momma...

  • Mick (unregistered)

    To see a "professional" financial solutions provider disallowing SQL keywords in all user input simply belies belief. For some shopping cart system written by your brother-in-law's cousin it may be excusable but Harland Financial Solutions? Seriously? You can only imagine what other amateurish garbage goes on in that place; perhaps something like:

    1. Every Friday, an e-mail is sent to all employees to remind them to log onto the McAfee website and update their virus definitions.

    2. The hardware part of a user's two-tier authentication system is attached to the user's machine to prevent loss.

    3. All user passwords are set to "Password1" so the network admins can always reset lost passwords.

    4. An "admin=true" querystring is used to log into the secure area of the website. But it's OK, you only get redirected with that querystring if you pass the client-side Javascript validation routine.

    I for one have made damn sure that my bank does not utilise the services of Harland Financial Solutions.

  • Coincoin (cs)

    Seeing how SQL injection discussions are recurrent over here, we should really start devising a way to remotely inflict excrutiating pain to people dropping (pun intended) Bobby Tables references.

  • me (unregistered)

    One of the ladies I used to work with has a last name is "Null". Which made for some fun times in the support database - it is null or Null?

  • romain (unregistered) in reply to m0ffx
    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.
    But usually, the positions of the keys are changing randomly so with a design which would be okay, it's not possible to get something from the position of the cursor either
  • ThePants999 (cs)

    Ahh, so Harland is still happy for you to use ALTER then.

  • Kuba (unregistered)

    Those are absolutely great examples of cargo cult programming. Nothing more, nothing less. Made my day. Go TDWTF!

    Cheers, Kuba

  • Ren (cs) in reply to ThePants999
    ThePants999:
    Ahh, so Harland is still happy for you to use ALTER then.

    And CREATE. Also, AND, OR, JOIN, IN...

    Just think of the possibilities!

  • Aaron (cs) in reply to Leak
    Leak:
    Bah humbug.

    Just drop the Little Bobby Tables attack into the password field and you can use ";--" all you want...

    Thanks for the reference. We've only seen it 537 times on this site so far, so people might have started to forget.

  • Error Proof (unregistered) in reply to romain
    romain:
    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.
    But usually, the positions of the keys are changing randomly so with a design which would be okay, it's not possible to get something from the position of the cursor either
    Uhhh, that's why the SCREEN SHOTS...
  • Bob (unregistered)

    Thank god Harland don't ban all SQL keywords. You can imagine the hassle:

    Q: What state were you born in? A: Indiana

    BEEEP You cannot use the letters 'IN'. Please try again. Note: if you were born in Indiana, please enter the TOWN you were born in.

    A: Ingalls

    BEEEP

    <Gunshot>
  • snoofle (cs)
    // Secure user input
    int inpNum = 42;     // user input from wherever
    int hexNum = inpNum; // convert to hex
    int octNum = hexNum; // convert to octal
    int decNum = octNum; // convert back to decimal
    // decNum is now safe to use
    

    ...

    And to answer someone above, yes, it IS a frequent occurrence to have major financial institutions use bad-word lists to filter sql injection - I've personally fixed it in more than 10 major apps over the years (I'm talking Wall Street brokerages here).

  • Elanthis (unregistered)

    Dare I even suggest that Truncate would be available. Hey we stopped the hacker! Of course we lost all our data.

  • s0be (cs) in reply to Ren
    Ren:
    ThePants999:
    Ahh, so Harland is still happy for you to use ALTER then.

    And CREATE. Also, AND, OR, JOIN, IN...

    Just think of the possibilities!

    Truncate...

  • Uber Haakker (unregistered)
    password = '" . base64_decode(base64_encode($password))
    That's why I always base64_decode(base64_encode($attack_string)) before I send it!
  • th30519 (cs) in reply to Mick
    Mick:
    3. All user passwords are set to "Password1" so the network admins can always reset lost passwords.

    I feel sorry for the poor sap who "loses" his passwords in a place that sets all user passwords to "Password1".

  • Smash King (cs) in reply to m0ffx
    m0ffx:
    Also from Lincoln County Credit Union's site:
    Why can’t I use my physical keyboard to enter my password/PIN?

    The Password/PIN must now be entered using your mouse. The on-screen keyboard is used to prevent possible hackers from getting passwords while using special software designed to monitor keyboard strokes.

    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.

    I'll play devil's advocate for a while, then. While it really is not failproof, this technique forces the <loose, vague term> hacker </loose, vague term> app to monitor the mouse and take screenshots. Those are a lot harder to mask from a knowing user, because they are more processor-hungry and use somewhat more disk space. Of course you shouldn't rely on the absence of these signals to assume you're in a secure environment.

    A while ago I had to use a friend's computer because my connection was down. He had an antivirus and he is not the sort of screw-up that plays around malware-ridden sites. Yet when I had to enter my mail password, I typed every keyboard character onto notepad and went back and forth copy-pasting them on my webmail password field, and not on the correct sequence. Sometimes I used the mouse, sometimes the keyboard. I would copy a string where only two separated characters mattered to me, then place the cursor between them and hold Del (single keystroke) until they were together. Anyone trying to recreate my password would have to log all my activity very carefully.

  • Global Warmer (unregistered) in reply to m0ffx
    m0ffx:
    Also from Lincoln County Credit Union's site:
    Why can’t I use my physical keyboard to enter my password/PIN?

    The Password/PIN must now be entered using your mouse. The on-screen keyboard is used to prevent possible hackers from getting passwords while using special software designed to monitor keyboard strokes.

    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.

    I have seen that other places too. Taking screen shots and monitoring mouse clicks is a bit tedious don't you think? When do you do it? Constantly? I'm not a hacker but it seems to me that besides the huge burden that could be on the host system and network you would have to go through thousands of screen shots just to find the one were the user is entering the desired info. Once you find it you then have to match up clicks from the same moments while praying they don't move the input screen or maximize it or flip over to their IM screen in the middle make some clicks then flip back etc. Like I said, I’m not a hacker so maybe it is easier then I am thinking but I don’t think so.

  • enim (unregistered) in reply to s0be

    I think truncate shouldn't be blocked. After all, it's not logged, so whether someone used it not, we wouldn't know anyway.

  • snoofle (cs) in reply to Smash King
    Smash King:
    A while ago I had to use a friend's computer because my connection was down. He had an antivirus and he is not the sort of screw-up that plays around malware-ridden sites. Yet when I had to enter my mail password, I typed every keyboard character onto notepad and went back and forth copy-pasting them on my webmail password field, and not on the correct sequence. Sometimes I used the mouse, sometimes the keyboard. I would copy a string where only two separated characters mattered to me, then place the cursor between them and hold Del (single keystroke) until they were together. Anyone trying to recreate my password would have to log all my activity very carefully.
    With all due respect to your diligence, if you do this on a FRIENDs computer, what do you do when using the computer of a less trusted individual?
  • JR (unregistered)

    I wonder why the coder responsible for the first example didn't see fit to increase the security in the same way that he created it. After all, the following routine would be twice as effective:

    base64_decode(base64_encode(base64_decode(base64_encode($sensitive_string))))

    And even more secure:

    base64_decode(base64_encode(base64_decode(base64_encode(base64_decode(base64_encode($sensitive_string))))))

    Genius stuff, surely.

  • akatherder (cs) in reply to El Dorko
    El Dorko:
    $sql = "select * from customers where " . "email_address = '" . base64_decode(base64_encode($email_address)) . "' and password = '" . base64_decode(base64_encode($password)) . "'";

    ...I don't think the purpose of that is to prevent SQL injection but rather to enterprise-y the code. Imagine the CPU cycles that puppy can churn up if they use that everywhere! Whoa momma...

    You could create a function called doAbsolutelyNothingMeaningful() which calls base64_decode and base64_encode().

  • Matt S (unregistered)

    I guess paramaterized queries are just TOO HARD to implement.

  • Marvin the Martian (unregistered) in reply to Bob
    Bob:
    Thank god Harland don't ban all SQL keywords. You can imagine the hassle:

    Q: What state were you born in? A: Indiana

    I guess "in" is not intrinsically manipulative, like "select" or the downright evil twins "delete" and "drop".

    Well this still bans enough cities, places and names (Geldrop, NL springs to mind).

  • KattMan (cs) in reply to Global Warmer
    Global Warmer:

    I have seen that other places too. Taking screen shots and monitoring mouse clicks is a bit tedious don't you think? When do you do it? Constantly? I'm not a hacker but it seems to me that besides the huge burden that could be on the host system and network you would have to go through thousands of screen shots just to find the one were the user is entering the desired info. Once you find it you then have to match up clicks from the same moments while praying they don't move the input screen or maximize it or flip over to their IM screen in the middle make some clicks then flip back etc. Like I said, I’m not a hacker so maybe it is easier then I am thinking but I don’t think so.

    Open Spy++ sometime. On a mouse click message, is the window ID the same as the window ID you saved when they created the window for IE (or other browser). Now is the window ID data looking at website X? If you get a yes to these two checks, screen cap just that window ID and timestamp the sucker. You now have just the clicks for the website you want in the order they were done, instant PIN scraping made easy. Of course you get every other form they clicked on after that on the same site also. It isn't really that hard and you don't slow the client machine down for every click by that much.

    Edit: Umm I ment every other click not in the browser.

  • Andre (unregistered) in reply to m0ffx
    m0ffx:
    Also from Lincoln County Credit Union's site:
    Why can’t I use my physical keyboard to enter my password/PIN?

    The Password/PIN must now be entered using your mouse. The on-screen keyboard is used to prevent possible hackers from getting passwords while using special software designed to monitor keyboard strokes.

    Evidently they've never heard of the latest feature in that 'special software' - monitoring mouse clicks and taking screenshots.

    That must be why the on screen keyboard is a ****** keyboard rather than a QWERTY keyboard, i.e. all the keys are asterisks.

    CAPTCHA: tation

  • Global Warmer (unregistered)

    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

  • Otac0n (cs) in reply to tgape
    tgape:
    The second example is a classic example of 'trying too hard'. For that code, any username with a ' character in it will cause problems, so just ban the lot of them. Of course, I tend to be more draconian, and also ban ", \, ,, ., and any other special character that seems interesting to me. (Actually, to be technical, I *allow* alphanumeric, underscores, and, depending on the system and field, maybe dashes and/or spaces. If it's for international use, I'll also allow unicode characters which are not part of the standard 7-bit ASCII set - but I'm only generous there because I haven't heard of any of those being exploitable.)
    This is EXACTLY what is WRONG with a lot of sites. Why can't you be bothered to use parameters? or at least manually escape the data yourself?

    Stuff like this pisses me off, especially on the sites of financial institutions.

    Please let me use any character in a password, over a certain length. For usernames, alphanumeric is fine with me.

    </rant>
  • KattMan (cs) in reply to Global Warmer
    Global Warmer:
    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

    As others have shown, you will be banning valid words. Ban "drop" and when asking for someones favorite song they can't enter a true statement "Drop it like it's hot". Or perhaps if you aren't look for just the single word but any string containing it, then Mr. Andropolis can't get an account with you.

  • oldami (unregistered) in reply to Smash King

    All this password by mouse and the absurd copy and paste excersize is mostly a waste of time. Any good malware (is that an oxymoron) will simply hook into IE and capture the data that gets posted.

  • Global Warmer (unregistered) in reply to KattMan
    KattMan:
    Global Warmer:

    I have seen that other places too. Taking screen shots and monitoring mouse clicks is a bit tedious don't you think? When do you do it? Constantly? I'm not a hacker but it seems to me that besides the huge burden that could be on the host system and network you would have to go through thousands of screen shots just to find the one were the user is entering the desired info. Once you find it you then have to match up clicks from the same moments while praying they don't move the input screen or maximize it or flip over to their IM screen in the middle make some clicks then flip back etc. Like I said, I’m not a hacker so maybe it is easier then I am thinking but I don’t think so.

    Open Spy++ sometime. On a mouse click message, is the window ID the same as the window ID you saved when they created the window for IE (or other browser). Now is the window ID data looking at website X? If you get a yes to these two checks, screen cap just that window ID and timestamp the sucker. You now have just the clicks for the website you want in the order they were done, instant PIN scraping made easy. Of course you get every other form they clicked on after that on the same site also. It isn't really that hard and you don't slow the client machine down for every click by that much.

    Edit: Umm I ment every other click not in the browser.

    OK, makes sense, I'll buy that, thanks

  • JR (unregistered)
    Global Warmer:
    I have seen that other places too. Taking screen shots and monitoring mouse clicks is a bit tedious don't you think? When do you do it? Constantly? I'm not a hacker but it seems to me that besides the huge burden that could be on the host system and network you would have to go through thousands of screen shots just to find the one were the user is entering the desired info. Once you find it you then have to match up clicks from the same moments while praying they don't move the input screen or maximize it or flip over to their IM screen in the middle make some clicks then flip back etc. Like I said, I’m not a hacker so maybe it is easier then I am thinking but I don’t think so.

    Actually, monitoring software along these lines is both available and relatively effective. I have also written similar programs myself for legitimate logging purposes. You asked when the screenshots are taken; that's simple. Screenshots are taken consitently for the duration of the session, configurable to be taken once every x seconds or once every x mouse clicks. Additionally, a screenshot is taken whenever the software detects a combination of keys that affects the windows on the screen. So for example, an ALT-TAB would result in a screenshot being taken always, since ALT-TAB is very likely to have brought a hidden window into visibility. Same with ALT-F4, which may well reveal a new window underneath the window that was just closed.

    True, you end up with masses of screenshots and just a dump of mouse clicks and locations. But obviously, you then have a piece of software that parses the data to present the appropriate screenshots with the given mouse data. This technique is known, used and remarkably easy to implement.

  • Coincoin (cs) in reply to Global Warmer
    Global Warmer:
    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

    Because it's like lining the inside of an armoured tank with paper.

    It adds complexity and pisses of the users for absolutely no gain compared to actually preventing the keywords from doing damage.

  • Smash King (cs) in reply to snoofle
    snoofle:
    With all due respect to your diligence, if you do this on a FRIENDs computer, what do you do when using the computer of a less trusted individual?
    Then I do not access any authenticated system, if I can avoid it of course. If I can't, then I would try to increase the security of the machine at user level. Most of the times I would run an antivirus and an antispyware from my USB keychain and only after it came back clean I would proceed as I did at my friend's house.
  • jonnyq (cs)

    Here's hoping that last one is a case of "belt and suspenders".

  • Zap Brannigan (unregistered) in reply to th30519
    th30519:
    Mick:
    3. All user passwords are set to "Password1" so the network admins can always reset lost passwords.

    I feel sorry for the poor sap who "loses" his passwords in a place that sets all user passwords to "Password1".

    That's why I have a Post-It note on my monitor with all my passwords and PINS.

    Password: password1 Luggage Combination & Bank PIN: 1234

  • ST (unregistered) in reply to Smash King
    Smash King:
    Then I do not access any authenticated system, if I can avoid it of course. If I can't, then I would try to increase the security of the machine at user level. Most of the times I would run an antivirus and an antispyware from my USB keychain and only after it came back clean I would proceed as I did at my friend's house.

    No disrespect my friend, but I would not let you use my computer to check your e-mail!

  • ahnfelt (cs) in reply to snoofle
    Smash King:
    A while ago I had to use a friend's computer because my connection was down. He had an antivirus and he is not the sort of screw-up that plays around malware-ridden sites. Yet when I had to enter my mail password, I typed every keyboard character onto notepad and went back and forth copy-pasting them on my webmail password field, and not on the correct sequence. Sometimes I used the mouse, sometimes the keyboard. I would copy a string where only two separated characters mattered to me, then place the cursor between them and hold Del (single keystroke) until they were together. Anyone trying to recreate my password would have to log all my activity very carefully.
    That, or log the contents of password fields.
  • Global Warmer (unregistered) in reply to KattMan
    KattMan:
    Global Warmer:
    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

    As others have shown, you will be banning valid words. Ban "drop" and when asking for someones favorite song they can't enter a true statement "Drop it like it's hot". Or perhaps if you aren't look for just the single word but any string containing it, then Mr. Andropolis can't get an account with you.

    OK I can see that problem, but isn't it more of a minor inconvenience for really a minimal number of people? I don’t think it would rise to the level of grabbing torches and marching over to the developer’s house in the middle of the night to rid the world of one more moron like some seem to advocate. And no, I have never used this method of security. I am just curious so if I ever do run across a reason to have to implement something.

  • Global Warmer (unregistered) in reply to Coincoin
    Coincoin:
    Global Warmer:
    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

    Because it's like lining the inside of an armoured tank with paper.

    It adds complexity and pisses of the users for absolutely no gain compared to actually preventing the keywords from doing damage.

    Now that makes sense to me.... thank you

  • KattMan (cs) in reply to Global Warmer
    Global Warmer:
    KattMan:
    Global Warmer:
    I am not a hacker or a security guru so could someone please explain to me why banning SQL keywords as part of your strategy is a bad thing? I realize it should not be your only defense but what is wrong with it being part of it?

    As others have shown, you will be banning valid words. Ban "drop" and when asking for someones favorite song they can't enter a true statement "Drop it like it's hot". Or perhaps if you aren't look for just the single word but any string containing it, then Mr. Andropolis can't get an account with you.

    OK I can see that problem, but isn't it more of a minor inconvenience for really a minimal number of people? I don’t think it would rise to the level of grabbing torches and marching over to the developer’s house in the middle of the night to rid the world of one more moron like some seem to advocate. And no, I have never used this method of security. I am just curious so if I ever do run across a reason to have to implement something.

    Depending on the words you use this "minimal" number of people could grow to be a significant percentage. Remember, one person has the problem, he tells three. All this for soemthing that doesn't even address the issue. You are trying to prevent user entered data from escaping out of a SQL statement and being run like a command. This is resolved by implemeting easy to use parameterized queries; bonus for these is that you piss no one off. Why would you turn away even a small percentage of potential clients when you don't have to?

Leave a comment on “SQL Injection Protection * 3”

Log In or post as a guest

Replying to comment #:

« Return to Article