Admin
It also fails to account for the offending text being the first character of the variable.
Admin
I could have been frist before, but choose not to pollute the boards
Admin
Okay, for the non-PHP, non-SQL people among us... could someone please explain what's going on here?
Admin
I always worry that my code will one day grace these pages, but after reading stories like these, I breathe a little sigh of relief.
Admin
Why reinvent the wheel, even with RegExps? By using prepared statements you get injection prevention for free...
Admin
"Every child knows this is insecure and that Best Practice would be to harness the power of regular expressions"
I was told that Best Practice is the use of prepared statements but I wouldn't be such a prick to say "every child knows".
Admin
What they're doing is checking the username and password for special characters that can be used to escape a SQL statement and inject their own code into the statement.
Admin
If only there were some kind of function.
Admin
What they've done is completely ineffective, but ok.
Admin
Then "every child" must be a moron, because that solution is even worse than the original code... FAIL!
Admin
Admin
When someone says, on here, that they aren't familiar with <language> and would like someone who is to explain, what are they actually saying? I guess I'm asking coming from the position that there aren't many languages (at least within a familiar paradigm) that can just be read by anyone who understands programming. I have done maybe 250 lines of PHP in my life and I can grok what's going on here pretty completely.
CAPTCHA: venio "venio, vedio, viccio" -> "I come because of the vice Vedius had." (Damn that Vedius.)
Admin
Hello, welcome to no edits.
CAPTCHA: similis "I don't like Vera's similis 'tude one bit."
Admin
Sure, use Regex, much better. Hope that was meant as a joke... Also mysql_real_escape_string is not safe at all by itself.
Admin
What I like is that the first case tests for " ", completely negating the last half dozen.
Admin
Whoosh!!
Admin
"Every child knows" that the Internet is killing the art of sarcasm.
Admin
Oops. I forgot to include a meme-injection attack in my comment. How's this?
My every child was killed by knowledge and I assure it was no laughing matter.
Admin
And I'm going with "Every child knows..." as being a joke. Because I just couldn't handle it not being a joke.
Admin
A fair question. If you build your SQL query using strings the user provides, someone will be either clever enough or stupid enough to break your SQL, sometimes intentionally and sometimes in ways that compromise your data/users/site whatever.
Programmers who don't know better think they can sanitize the inputs and thus create safe SQL from it. They may reduce the window of vulnerability, but there is a better way.
The better way is "prepared statements." So instead of building SQL code to execute directly like this:
you would make a prepared statement:
This ensures the SQL statements are known text; they aren't built from any bits supplied by user input. Likewise, your user's input is not polluted by strange quoting and string interpolations from your host language (in this case, PHP).
This same technique is available in pretty much any language that can make SQL calls.
And now you have no excuse.
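A worked illustration of the contrast drawn in the comment above, added here as an example; it is not the commenter's code and not the CodeSOD snippet under discussion. It uses Python's built-in sqlite3 module as a stand-in for PHP and MySQL (an assumption made so it runs offline), and the `users` table and its rows are constructed sample data. A perfectly legitimate username containing an apostrophe is enough to break the string-built query, while the parameterised version keeps the SQL text fixed and hands the input to the database purely as data.

```python
import sqlite3

# Constructed sample data (not from the thread): two users, one with an apostrophe.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-password"),
    ("o'brien", "hash-of-obrien-password"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, username: str):
    """The pattern the thread complains about: SQL text assembled from user input.

    Returns the matching row, or a ("error", <exception name>) tuple when the
    database rejects the statement because the input changed its structure.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def lookup_prepared(conn: sqlite3.Connection, username: str):
    """Prepared statement: the SQL text is a constant, the input is a bound value."""
    sql = "SELECT username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def compare(username: str) -> dict:
    """Run both lookups against a fresh database and report the results side by side."""
    conn = make_db()
    try:
        return {
            "concatenated": lookup_concatenated(conn, username),
            "prepared": lookup_prepared(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name in ("alice", "o'brien"):
        print(name, "->", compare(name))
```

The apostrophe in `o'brien` ends the string literal early in the concatenated query, so the database sees a malformed statement and raises an error; with the bound parameter the same text is matched as a value and the row comes back. That is the whole point of the comment: the statement's shape is decided by the programmer, never by whatever the user typed.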
Admin
I am waiting to see some guy bring out Bobby Tables
[image]
Admin
Admin
I see - this is the code you use to keep track of who still hasn't been sent their WTF mug? Good of you to share.
Admin
I had a mug once. It was funny.
Admin
Unless that language is perl.
Admin
Clever MUGgles, they don't know how to use the magic of mysql_real_escape_string, so they have to resort to ingenious workarounds.
Admin
FTFY
Admin
Once again, TRWTF is toys like PHP and MySQL for not having bound parameters and prepared statements from the start, and for people using toys like that in production. Not like mysqli, which finally does support prepared statements, hasn't been around for an entire major version of both PHP and MySQL...
Admin
Oh, a photo site, maybe?
Admin
Seriously? "Every child knows regular expressions are the answer"...and people don't catch the biting sarcasm?
Captcha: "suscipere". Yes, I acknowledge the sarcasm.
Admin
Or JCL.
If one considers JCL a language, and not some horrible misguided practical joke taken to extremes.
Admin
From a usability standpoint, it is nearly to the level of LOLCODE.
Yes Akismet, I just learned to [ab]use url tags. No Akismet, this is not spam.
Admin
I think the learning curve is on a %2 years:
0-2: no protection
2-4: @see OP
4-6: addslashes()
6-8: mysql_escape_string()
8-10: mysql_real_escape_string()
10+: Become a manager and forget all the above.
Admin
What do they have against SPACES? Surely there's no way you can use a space character to cause a SQL injection...
Admin
Why would you not use a prepared statement? Where are these people coming from who don't yet know about prepared statements?
Admin
I don't mean to sound like a troll, but I hate these smug "You're a moran for asking" comments.
Admin
--
Also, I read this title as "SQL Munging". I guess that's not entirely innacurate.
Admin
I think something about this site is making me unable to spell properly... (I swear I'm proofreading before I hit Submit.)
Admin
Seriously, prepared statements are so easy, and everyone keeps trying to remind you that they are the right way to do it, so why would anybody say "yeah but why can't I keep trying to build a better black-list filter?"
Use prepared statements.
Or stop programming.
Those are your choices.
Admin
Really though, complaining that an article in CodeSOD is not understandable for non-coders is a bit like going to a star-trek forum and asking who this Picard fellow is. Anyone with basic programming skills should know that blacklisting is not a reliable method to prevent SQL injection, and this code is a prime example of why we have so many SQL injection hacks.
Admin
y u no mysql_real_escape_string($email_or_pwd_or_un) ?!
Admin
Captcha: appellatio. An obscene act performed on an apple.
Admin