Admin
!TSRIF
Admin
!DNOCES
Admin
TRWTF is that Jon didn't explain how to fix the problem, he just explained what the problem was.
Admin
tempUserName= Frist" or "1==1 tempPassword= Frist" or "1==1
Passes the filter nicely
Admin
Well, we really can't tell anything about the code provided to us, because maybe they used addslashes() on the username and password even before putting them into the SQL query.
Admin
Why should John explain how to fix something as common as SQL injection to somebody who poses as professional programmer?
Admin
:-)
Admin
WHOOSH! The concept of SQL Injection goes sailing overhead, presumably along with a myriad of other concepts of potential attacks and problems.
Admin
I think that using unhashed passwords in the database adds a nice touch to the matter.
Admin
I mean, given the evident lack of concern for security that is about as likely as me winning the Australian national lottery, but still :)
Admin
Client side? Burn him!
Admin
If a user actually has any of those characters in their username or password, then they won't be able to log in.
Admin
So Jon should pay good money to have work done for him; and then still do it himself? Sorry no; Jon was provided with a defective product and the provider should make it right.
If you bought a new car and discovered it only starts 7 in 10 times you turn the key, you would not do a complete teardown, diagnose the problem and then take it back to the dealer with a proposed repair in mind. No, you'd just take it back to the dealer, show them the problem and say "fix it".
Admin
Why does every reference to software always end up with a car analogy? Software projects, factories, workers, repairs, maintenance, etc. I mean, people today deal with more problems with computers than with cars. And really, car building isn't something to take as an innovative industry to begin with.
Oh well, since I can't think of a better suited set of analogies right now, you may carry on.
Finally, John is TRWTF in this story for commissioning anything to be built with Visual Basic, and especially a website. None of the other candidates used something simple like, hmmm, PHP? Not that this would mean he wouldn't be obtaining a WTF-riddled product... so... I'm hungry.
Admin
The real WTF is Jon's process for hiring a contractor.
But obviously he didn't ask security-related questions. A simple printout with some code that facilitates SQL injection, like the one from today's article, together with a question like "Does this code work? Do you see any problems with this code? Could it be improved?" should do the trick.

Yes. Just like in a sequence from 1 to 10, 1.1 is higher than 1, but it is still a long way from 10.

Ok, this sentence has some inherent ambiguity, but my first thought was: "Oh, that website's great! It has unicorns!!" (no offence meant).

You pick the developer that best fits your job description and meets the quality criteria you set before you started looking for a contractor, not the one you "like" best.

Erm, perhaps it's an unfounded bias, but I wouldn't hire a contractor who suggests Visual Basic as the implementation language for a web application. Not even for a "very simple order tracking system".

Ah well. Making mistakes is ok, especially if you do things for the first time and the possible damage is more like a nuisance than a disaster. Just make sure that for the "slightly more complex order tracking system" your hiring process has improved substantially.
Admin
So far I've experienced this with products as diverse as a tape deck, a home computer and, yes, also a car.
Sometimes it really pays off diagnosing the cause yourself and then just telling the repairshop what to do.
Admin
Depends if he used the same method to "" escape "" the creation of users as well!
Admin
I have no sympathy. After all as the saying goes, "If you pay peanuts, you get monkeys".
Admin
SQL injection in a VB application? Did this story just fall through a wormhole from 2004?
Admin
That's VB.NET, part of the ASP.NET framework to build web applications
Admin
Well, you see, it's a bit like driving down the highway and seeing a sign telling you where something is, which is easier to find than the actual place because the place is hidden behind the trees. So we use car analogies to hint at the real meanings of things, because some of the complete morons out there can't see those meanings.
Admin
I'm still not sure what the WTF is here. Those replacements seem to fix the SQL injection possibility.
Admin
That, and we can't quite figure out how to make programming analogies with beer.
Admin
Clearly you've never dealt with SAP technical support for bugs in Crystal Reports.
Admin
WTF No. 2 is that the proposed fix does not address the fundamental problem (you simply don't build SQL command strings like this in a web environment) but instead shows that the contractor does not understand the problem domain. As others have pointed out: a) people can't use the characters-to-be-replaced in their passwords any more, so people who already have passwords like that can't log in any more, and b) the fix can be circumvented with Unicode sequences, so it does not fix the problem.
Admin
Well, you see, developers (and techs) are like car mechanics: They think they should be paid equally no matter the quality of their work, and you often can't tell when they're screwing you over because their work is hidden behind a dozen layers of tacked-on parts. When something breaks, they claim it isn't their responsibility, since you must have done something to it after you left the shop.
Admin
Pfffft... speak for yourself dude. What you said only applies to most of them.
Admin
I find monkeys are too smart for that, they want bananas.
"If you pay peanuts, you get squirrels". Squirrels know nuts (viz. 'Charlie and the Chocolate Factory') and what to do with bad nuts.
Admin
addslashes() doesn't solve anything. For that matter, all you php devs, mysql_real_escape_string doesn't solve anything. The proper solution is simple: prepared statements. Use them whenever there is user input being used in a query. They allow the database engine, itself, to take care of any escaping that may need to be done in the variable(s).
Admin
Even better, prepared statements prevent the data from ever touching the control logic. Data is treated as data.
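To make the points of the last few posts concrete (the filter bypass shown in the "Frist" post, the "people with those characters in their password can't log in any more" objection, and the prepared-statement answer), here is an added example that is not code from the article, the contractor, or anyone in this thread. It runs the same login query three ways against an in-memory SQLite database. The users, passwords and attacker strings are constructed for the demo, and the BLACKLIST tuple is a hypothetical stand-in for the contractor's Replace() calls, since the article's exact list of replaced characters is not reproduced here; the bypass used is a lowercase spelling of the stripped token rather than the Unicode sequences mentioned above, which is the same class of failure.

```python
"""Added example: one login query built three ways (constructed data, not the article's code)."""
import sqlite3

# Constructed sample users. Storing plaintext passwords is itself a flaw this
# thread complains about; it is kept here only so the injected comparison is visible.
USERS = [
    ("alice", "s3cret"),
    ("bob", "pass--word"),   # a legitimate password that contains a blacklisted token
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The shape the thread is mocking: user input glued straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


# Hypothetical blacklist standing in for the contractor's Replace() calls.
# Like VB.NET String.Replace it is case-sensitive, which is all a bypass needs.
BLACKLIST = ("' OR ", "--", ";")


def sanitize(value: str) -> str:
    """Strip 'bad-looking' substrings. Mangles honest input and misses variants."""
    for token in BLACKLIST:
        value = value.replace(token, "")
    return value


def login_blacklist(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The proposed 'fix': filter, then concatenate anyway."""
    return login_concat(conn, sanitize(username), sanitize(password))


def login_param(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized query: the driver binds the values; they never become SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"   # lowercase 'or' slips past the case-sensitive blacklist
    print("concat, classic payload   :", login_concat(db, "nobody", "' OR '1'='1"))
    print("blacklist, lowercase bypass:", login_blacklist(db, "nobody", payload))
    print("blacklist, bob's real pw   :", login_blacklist(db, "bob", "pass--word"))
    print("param, bob's real pw       :", login_param(db, "bob", "pass--word"))
    print("param, bypass attempt      :", login_param(db, "nobody", payload))
```

Two things fall out of running it: the blacklist version both lets the attacker in (every row comes back for a username that does not exist) and locks bob out, because his genuine password lost its `--`; the parameterized version does neither, and bob's odd password is just a value again. Swapping addslashes() or mysql_real_escape_string for the Replace() calls only changes which blacklist you are betting on.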
Admin
You lost my interest at DIM.
Admin
Nope. I remember a freelancer who insisted on using his beloved fancy PHP framework's PDO classes because they were sooo much better and more secure compared to the existing DB abstraction classes. In the end he put some variables into the prepare statement like
$db->prepare('SELECT * FROM t WHERE foo=:bar LIMIT ' . $_REQUEST['limit'] )
PDO can help prevent injections, but that is neither its intention nor the solution.
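The LIMIT concatenation in the post above is worth seeing run, because a bound `:bar` gives a false sense of safety while the tail of the statement is still attacker-controlled. This is an added example, not the freelancer's code or anything from the article; it uses Python's sqlite3 instead of PHP PDO, and the orders table, the users table and the probe string are constructed for the demo. The probe shows that a LIMIT expression is still an expression: a scalar subquery in it lets the attacker read other tables one integer at a time through the row count.

```python
"""Added example: a half-parameterized query with a concatenated LIMIT (constructed data)."""
import sqlite3

MAX_LIMIT = 100   # hypothetical application ceiling for page size


def make_db() -> sqlite3.Connection:
    """Constructed tables: 20 orders for one customer, plus a users table to steal from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders (customer, item) VALUES (?, ?)",
        [("acme", f"widget-{i}") for i in range(20)],
    )
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def orders_concat_limit(conn: sqlite3.Connection, customer: str, limit: str) -> list:
    """Same mistake as the post above: WHERE value bound, LIMIT glued onto the SQL."""
    sql = "SELECT id FROM orders WHERE customer = ? LIMIT " + limit
    return [row[0] for row in conn.execute(sql, (customer,))]


def parse_limit(raw: str) -> int:
    """Whitelist the only thing a LIMIT should ever be: a small non-negative integer."""
    if not raw.isdigit():
        raise ValueError("limit must be a non-negative integer")
    return min(int(raw), MAX_LIMIT)


def orders_param_limit(conn: sqlite3.Connection, customer: str, limit: str) -> list:
    """Validate first, then bind LIMIT too. SQLite accepts a parameter there."""
    sql = "SELECT id FROM orders WHERE customer = ? LIMIT ?"
    return [row[0] for row in conn.execute(sql, (customer, parse_limit(limit)))]


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: the row count leaks the length of alice's password.
    probe = "0 + (SELECT length(password) FROM users WHERE username = 'alice')"
    print("rows returned for probe:", len(orders_concat_limit(db, "acme", probe)))
    print("honest limit of 3      :", len(orders_param_limit(db, "acme", "3")))
    try:
        orders_param_limit(db, "acme", probe)
    except ValueError as exc:
        print("probe rejected         :", exc)
```

The leak here is one integer per request, but that is exactly how blind injection is done in practice, and a LIMIT clause on MySQL or SQL Server offers its own extra tricks. The fix is not a cleverer concatenation; it is that nothing from the request reaches the SQL text, and anything that cannot be bound (a column name, a sort direction, a page size) is mapped through a whitelist instead.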
Admin
I guess the passwords are neither salted nor hashed oO
Admin
"He interviewed many prospects, each more hopeful than the last."
That is the correct way. Schedule your interviews in ascending order of their optimism. Test them on their pessimism beforehand. http://www.learnmyself.com/personality.asp?p=Quick_Test&i=LOT
Admin
Turn key, car started. Unable to reproduce. Resolution: Fixed
Admin
Why bother? If a "programmer" shows me that, I throw him out of the window.
But really, if you let anyone this dumb past your evaluation, you are half guilty.
Admin
+1
I was surprised it took that long for me to scroll down before someone mentioned that the fix itself is a WTF.
Admin
Because the meanings are hidden behind... trees? Would those be B-trees or B*-trees? Or maybe tries?
Admin
The real WTF is not using stored procedures. I would have thought that would be a given for anything .NET.
Captcha: commoveo... I hope I keep my hair so I never have a commoveo.
Admin
Total agreement here, I must say. Anybody wanting to hire a software programmer to do anything useful (without at least already knowing how to do it better themselves) is totally TRWTF.
Admin
Yeah, cos addslashes is proper secure like. Fail.
Admin
The problem domain speaks of orders, tracking, customer details, product codes and the like. The solution domain speaks of databases, queries, web forms, and so on, all the way down to how to construct (parameterised) queries.
Admin
But...but...but...this guy's websites were, like, WAY cool!!!