- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
Ummmm...because John is posing as a professional manager..? A true manager would have fired this developer on the spot, required the rest of the dev team to work weekends for the next year as punishment for allowing such an incompetent in the door, gotten the company legal staff hot on the trail of a bunch of H-1B slave-laborers, and THEN gone off on a three week all-expenses-paid-by-the-company outsourcing-and-recruiting tour of Thailand. Yeah, that's the ticket!
Admin
We really need more background - from the description given this could be a simple order checking utility for staff, that's not on any system accessible from the outside, and the username is simply needed so that staff can check orders they've entered into the system.
Admin
Something's really wrong with his interview process.
Admin
Clearly, he managed to somehow pre-sort the interviews so he was always more pleasantly surprised by the next. Must make the interview process much more enjoyable.
Admin
Oh man, I'm still laughing. That's a GREAT joke.
Admin
Optimized.
Admin
FTFY
Admin
I am interested in purchasing your optimization technology, I think there is a significant market demand for it.
Admin
It's open-source, it should be on SourceForge.
Admin
In my opinion, Jon C. is a lazy cunt.
Admin
I'm actually surprised he and you are that forgiving. If I was Jon and if I saw this, they'd be some heads flying out of the building. I'm not gonna waste my time with idiots who don't understand basic stuff.
Admin
I'm a C# guy and I despise VB probably just like you, but if I had to choose between VB.NET and PHP, I'd choose VB.NET.
And, where did you get that PHP is simpler? When Visual Studio is used, editing almost any language is the simpliest coding there is. Show me one IDE that is better.
Admin
Well, outsourcing generally means having no direct communication with the coder. You communicate with a salesman, who says "yes" to everything ("yes, we can do that, and we're the best out there"). Then the salesman hires coders from India or Pakistan.
So, if Jon really wanted to outsource to save time, he possibly couldn't know what's he's signing up for at all.
Admin
MSIL über alles
Admin
You are all looking at this from the wrong point of view. This is all about local developers and there is no WTF.
Admin
Dear Diary,
Today I learned that the purpose of TDWTF is to afford developers the opportunity to bitch about everything about the stories.
Simon.
Admin
As long as you don't then do dynamic SQL using the passed in parameters, opening yourself up to SQL injection again....
Admin
Holy crap balls -- I think the guy Jon hired was either a former boss or the guy I work with right now
Admin
And the comments, too!
Admin
Bzzt, wrong.
His test is single quoted and you injected a double quote ... no harm there.
No need to obfuscate the attack, if his site (or browser via url) decodes your string then he would still elide a single quote. If his site doesn't decode your string then he'll be querying with the actual numbers which pose no harm.
His solution isn't that bad and probably secures against most robot/crawler attacks. Looking at the code "upgrade" doesn't make it obvious how to inject into it now.
Admin
Nope, injection FAIL.
tempUserName = textBoxUserName.Text.Replace("'", "") ... tempPassword = textBoxPassword.Text.Replace("'", "")You never escaped his single quote jail.
Also, without having the code, you can't assume he has a Users table or that he's using mysql. We've seen the code but a run of the mill hacker will be blind, that's why when you look at webserver logs you see hundreds of fetches from the same attack. One works w/ mysql, one w/ postgresql, one w/ wordpress, one w/ rails, one w/ joomla, etc.... Hence the need to keep up with all security patches!
Admin
Just. Stop. His solution certainly is "that bad".
Look, I can forgive the initial code that contains a clear SQL Injection vulnerability, assuming lack of experience. But what is unforgivable is then going about solving the problem without learning more about it. Even if he still didn't know anything about the term "SQL Injection", an hour on Google surely would have led to copious examples of similarly flawed code with plenty of recommendations to implement parameterized queries, prepared statements, etc.
Trying to scrub out nefarious SQL statements with text manipulation is just simply an inadequate solution. In other words, it is "that bad".
Admin
I resent that remark, you insensitive clod!
Admin
I wish I hired you just so I could say "you're fired".
Admin
Now I know where those "You only typed in 6 characters. Minimum password length is 6" messages come from...
Admin
I actually had this exact problem with my car recently. Shift cable came loose, so when you shifted to park it sometimes wouldn't actually go completely into park and therefore it wouldn't start. Took it to the shop (before I knew what the issue was -- the first time it happened I got stuck 500 miles from home at 8pm and had to get a tow), and of course it started right up for them....but, unlike your average IT tech, they kept looking at it and eventually figured it out.
Admin
Kate. If you can't code in Kate, you can't code.
Admin
your " would need to be replaced with '
Admin
Reminds me of that scene in Swordfish where the guy is forced to hack a server at gunpoint.
Admin
So what?
tempUserName = tempUserName.Replace("&", "") tempUserName = tempUserName.Replace("#", "") tempPassword = tempPassword.Replace("&", "") tempPassword = tempPassword.Replace("#", "")...and another contracting fee. No problem.
Admin
You are continuing with the wrong solution. If you want to disallow special characters in the username an password, you shouldn't filter them out by replacing them with spaces. You should just reject them.
Put it this way. Say you implement your suggested code. Now you are going to invoke a database call to see if a record exists that you already know doesn't exist (assuming you've implemented similar logic when storing the username/password). So someone who tries to actually submit the password above is going to have your code check for
which won't match any record, unless that really is the person's password, in which case they won't be typing the &'s and #'s in the first place!!!Admin
Admin
Admin
In all seriousness though IDE preference is largely down to personal preference and is probably affected by platform, taks and a whole host of other thigns too....
Admin
I can't log in...
My password is Hello@Wor;d_
Admin
Why cars.
Because they work when you get them new from the factory Software doesn't Thats why software developers need testers :P
Admin
Shouldn't this be Bobby instead of Johnny? http://xkcd.com/327/
Admin
That would be
SELECT * From tblUsers Where UserName ='Frist" or "1==1' and UserPW = 'Frist" or "1==1'
which is not going to work, make it
Frist' or '1==1
CAPTCHA: nulla
I like nu(te)lla for breakfast.
Admin
PDO has prepared statements, and it's tons better than mysqli. Not sure if you're attacking PDO or the guy who clearly doesn't know how to properly use it.
Admin
I like Googles Translator, at least for German their is a readable translation. ;-)
Admin
Stored procedures don't fix SQL injection issues either, I've seen plenty of stored procedures that build unsafe SQL internally then run it giving you exactly the same issue.
Admin
Forgot to add
http://www.troyhunt.com/2012/12/stored-procedures-and-orms-wont-save.html
So perhaps the real WTF is that even those who think they know how to avoid these things on the whole don't.
Admin
I would really like to hear a clarification to this statement. Why does it not solve anything? Can you demonstrate a problem with code using mysql_real_escape_string?
Admin
Sounds like a job for little Johnny Tables.
Admin
Sorry, but I'm struggling here - yes it would pass the filter, but it wouldn't do anything nasty.
The resulting SQL would be
SELECT * From tblUsers Where UserName ='Frist" or "1==1' and UserPW = 'Frist" or "1==1'
Which would just return nothing (probably).
What 'magic' will make the DB server do HTML entity decoding?
If the entity decoding works when the data is read from the query data into the variables, then the Replaces will 'fix' the data.
I know everyone goes on about 'use prepared statements', but, in this WTF, how is there still an SQL injection attack possibility in the 'fixed' code? (I know there's the problem of magically disappearing characters, but that's not an injection attack)
Admin
There seems to be a lot of FUD here from 'prepared statement fanatics'.
Yes, prepared statements are the 'way to go', but if you have legacy code, you can stop SQL injection attacks without totally rewriting your code.
You can stop injection attacks if you are careful using mysql_real_escape_string and sprintf (or similar)
I've spent a while Googling this (since people were saying 'Google it, and you'll find plenty of examples of people telling you to use prepared statements' - well, that's true, but no one has said that mysql_real_escape_string won't work, just that it's not the best solution.
The reasons NOT to use mysql_real_escape_string AFAICS are:
eg for (2), if you have
'SELECT * FROM users WHERE usernumber=' . mysql_real_escape_string($_REQUEST['usernumber']) . ';';
then it won't help at all - because you are expecting $_REQUEST['usernumber'] to be a number, but it may be a string, so if it's: "3 OR 1=1", then the mysql_real_escape_string won't do a thing, but you've still got an injection attack.
To get around this, you could use sprintf (with '%d') or some other way of coercing the parameter to a number before adding it into your query string.
So, mysql_real_escape_string will work fine, as long as it is used everwhere, and properly, by someone who understands what they're doing. If you are writing new software, using prepared statements is probably the way to go (unless your web host's PHP doesn't support PDO), because you're less likely to make mistakes.
I haven't seen anyone (except here) say that mysql_real_escape_string won't work IF USED PROPERLY.
Admin
Admin
Admin