- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
Maybe this is what was intended?
$sql = "select * from customers where " . "email_address = base64_decode('" . base64_encode($email_address) . "') and password = base64_decode('" . base64_encode($password) . "')";Admin
They forgot to block out SHOW TABLES, CREATE, ALTER, RENAME, and TRUNCATE. You could still have some fun in there, unless they validate input
Admin
That is true; they're not panacea. OTOH, in controlled environments they do solve a big part of the problem -- without resorting to disallowing large chunks of your potential user base.
Just sayin.
Admin
null Mwhuhuhahaahaaaa!
ah crap!
Admin
Double WTF ... I forgot to quote in my last message:
This is what my "panacea" comment referred to.
Admin
No-one, and I mean no-one, which is to say "DELETE FROM PERSON;" has yet spotted The Real WTF here, which is:
"therefore, the following words are restricted."
Not forbidden, you understand; just "restricted." Not "restricted for use around the water-cooler," but presumably "restricted to use by top-notch executive types who want to enter them into their Web forms at any time of the day or night."
I once had a boss who lost the company $29 million in a single weekend simply by being a raving incompetent maniac and ignoring all sane advice. She did so entirely through legitimate stupidity. I shudder to think what she'd make of powers like these.
Admin
There's a even more secure method, but it uses more RAM:
base64_decode(base64_decode(base64_encode(base64_encode($sensitive_string))))
Admin
Please try to be more careful with your posts in future. It's all too easy to get into a rut (oops) and submit this sort of filth to a government website, at which point half the Feebs in Indiana will be breaking down your door to check out the nonexistent kiddy porn on your laptop...
Admin
ROFL OK, I didn't catch that, but... just... WTF.
Admin
Password to Air Shield: 12345
Admin
As I understand it, this would be exponentially more effective -
base64_decode(base64_decode(base64_encode(base64_encode($sensitive_string))))
Admin
Re. the third one: Hey, at least they made sure to tell the hackers exactly how their injection-avoidance works! I.e., at least they're not relying on security through obscurity.
Admin
.. or grab it on the way out via a man-in-the-browser attack, which requires a lot less attention as it can be automated. Nice try, though. Indeed, the aforementioned applet approach requires more recording and more manual labour, but if you've been following what has been happening with CAPTCHAS you may realise that that isn't quite the challenge it used to be.
Admin
Multiple personality disorders aside, I think the main point is that you're wasting 40 seconds on what is an illusion of security - all your elaborate (and IMHO quite ingenius) work is undone by the fact that it is eventually sent as one (1) string, thus perfect material for a man-in-the-browser grab.
Now don't get too depressed, as for logon authentication it's a not so well kept secret that almost ALL eBanking approaches have weaknesses. They just differ per bank.
OTP a la RSA tokens is right out, it has zero impact on transmission security, and is not man-in-the-middle proof. Challenge-response is better, but is again no match for MITM if your browser has been hijacked (not to mention that few know how to check) and especially MITB (browser) will undo all the good work. This is where that nice Java Applet MAY help, if it wasn't for the fact that you can mess with the browser..
The only workable solution at present for both authentication and later authorization is mTAN: sending a message via a different method (known as out-of-band), for mTAN this is SMS. Challenges: SMS is not secure, and there is no SLA on SMS, especially if you're abroad, and in that case it's not exactly confidential either as SMS doesn't travel encrypted over inter-operator gateways. But it's a start, the exposure is contained by limiting SMS content.
There is a solution, I know the above because I spent time analysing it all for private banking.. We are, however, by now HUGELY offtopic as the original subject was SQL cleaning..
Admin
(Either make your code robust against all inputs, or validate the inputs at a point where you have control and reject anything that's bad. It is exactly that simple. Oh, and remember that names can legitimately contain apostrophes; consider "Peter O'Toole"…)
Admin
right.
so it's all about YOU being GENEROUS to the users (customers)?
it's crap practices like yours that make using web services such a delight.
Admin
My username is "Robert'); DROP TABLE users; --"
Admin
Admin
--Tim
Admin
I guess I'm missing something here. Parameterized queries aren't that hard (at least in Perl DBI, they aren't), and they aren't even hard to explain. [I tell people to think of mail merge/fill-in-the-blank/MadLibs.] Are they really difficult to do in PHP?
Admin
I don't know about PHP, but they're somewhere between "difficult" and "nightmare" in C, depending on your database.
Admin
np: Tied & Tickled Trio - Tamaghis (Aelita)
Admin
Admin
Admin
$stmt = $db->prepare("SELECT name, dateOfSignup, creditLimit FROM Users WHERE creditLimit > ? AND name LIKE ?"); $stmt->bind_param("ii", $_GET["cl"], $_GET["name"]."%"); // Since MySQL does type inference, the "ii" parameter has no useful purpose. $stmt->execute(); // You can't bind and execute in one step. Seriously. $stmt->bind_result($name, $dateOfSignup, $creditLimit); // The *only* way to retrieve data is to give mysqli a bunch of references, into which it will read each row's values. $results = array(); // So just to get just a simple array of data, which is what I'd normally do to separate my model and view, ... while ($stmt->fetch()) // ... I must call this function repeatedly, making mysqli assign values to those references I specified earlier ... $results[] = array("name" => $name, "dateOfSignup" => $dateOfSignup, "creditLimit" => $creditLimit); // Then I manually put together the array that I really want.If you jump through the necessary hoops, it's possible to hide this crap behind a nice interface. At that point, it becomes easier to implement the nice interface in terms of real_escape_string.Admin
For reference, I looked up the Perl DBI library, and it seems to be more sensible, something like this:
my $results = $db->selectall_arrayref("SELECT name, dateOfSignup, creditLimit FROM Users WHERE creditLimit > ? AND name LIKE ?", {Slice=>{}}, ($cl, $name."%"));Admin
I'm shocked and offended that you would even suggest that. If I were to follow your advice, all I'd end up with is crap developers who are not only pumping out crap code, but who also get special compensation for being differently abled (unbroken boned challenged).
No, your solution is TRWTF because it leaves them with the physical ability to continue coding. You are supposed to break their hands so they can't type, snap their toes so they can't foot-control, crush their larynx so they can't speech-to-text, and then for good measure, gouge out their eyes so they can't eye-track.
After all, it's all about security through layers...
Admin
telekinesis, I shouldn't wonder.
Admin
You've done it completely wrong! How could that possibly increase security if you always instantly decode what you encode? This would be correct:
base64_decode(base64_decode(base64_decode(base64_encode(base64_encode(base64_encode($sensitive_string))))))
Admin
In PHP, you could also just use PDO:
$sth = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?'); $sth->execute(array('someuser', 'somepassword')); $results = $sth->fetchAll(); // returns array of resultsThis seems quite a bit cleaner than just using mysqli directly, and it's (theoretically) portable across databases.
Admin
Admin
TRWTF are people who don't know the difference between parameterized queries (a client side feature) and stored procedures (a server side feature) and write clueless rants as a consequence thereof.
Admin
You fool! Anyone well versed in Securitology knows that you want
base64_decode(base64_decode(base64_decode(base64_encode(base64_encode(base64_encode($sensitive_string))))));
and the coefficient of securitishness is multiplicative with the number of nests, not additive, so if the securitishness is x for the original implementation, it is now x^3.
Doesn't anyone know ANYTHING?!?!?!
Admin
alright, clearly, I need to read each page, but I'm honestly touched that everyone including me decided to use exactly 3 nests.
Admin
You may even make your security parametrizable:
int securitivness = 50;//
for (i=1; i< securitivness; i++){ $sensitive_string = base64_decode(base64_encode($sensitive_string)); } }
Admin
Parametrized queries are okay as long as the database libraries handling those don't have bugs. After having to occasionally work with MySQL I know from personal experience that that is not always true.
Admin
Admin
Evidently they have not heard of the real problem of someone looking over your shoulder. Far simpler.
Admin
Admin
Get a clue. Embed something like Python into your application, and do it right. Don't worry about the trivial database crap, because somebody else has sorted all that out for you. Just SWIG it and carry on as normal.
Jeez, C programmers these days ...
Admin
Hmm, looks like they also need to lookup the keyword "TRUNCATE TABLE"....
Admin
Admin
But that just undoes the security each time!
Here's the real secure version: base64_decode(base64_decode(base64_decode(base64_encode(base64_encode(base64_encode($sensitive_string))))))
Admin
I store passwords in a database using strong encryption algorithm called tripleROT13: ROT13(ROT13(ROT13(password)))
I think it's a good idea to increase the security of my database, therefore I think I shold consider switching to tripleROT13(tripleROT13(password)) encoding.
Admin
Reading the idiots on this site literally makes my head hurt. Seriously. How many of you have programmed anything for money?
THIS is how you stop SQL injection without wordlists, manual escaping, or other faggotry (PHP/MySQL):
$mysqlsearch = mysql_real_escape_string($_POST['search']);
$search=<<<SQL SELECT field1 FROM table WHERE field2 = '{$mysqlsearch}' SQL; //mysql query, fetch object, etc goes here
THERE! That's all you do! That's all you need to do! The problem was solved by PHP, itself, long ago!
Jesus!
Admin
Admin
Only noobs use dynamic SQL
Admin
Admin
Bet they'll like TRUNCATE too.