Admin
Why listen to your IT department when management know exactly what is best? I wonder why some companies bother having an IT department at all, surely it's just an unnecessary overhead?
Admin
I wanted to post a comment, but I had nowhere to store it. Ah, I'll just throw it into Session and we're all set. No WAY it can be lost there!
Admin
Who actually uses Access, for anything?
Admin
Of course it will be the IT department's fault when the application inevitably crashes and burns...
Admin
"Signed an NDA", huh? I guess I'm not supposed to see that huge chunk of code then.
Admin
(The "3 days" thing is critical. Too soon, and they haven't lost enough data. Too late, and they're beyond the point of falling back to the previous solution while they rethink.)
And yes, your IT department is nothing more than a cost overhead. All modern companies are eliminating them as they just stand in the way of progress and fat bailout bonuses.
Admin
This is why it pays to be cynical.
After 30+ years, my metric is simply, "Do the paychecks bounce?" If no, then I'm good with whatever cockamamie thing they dream up.
Face it, folks. We're all just prostituting ourselves to some greater or lesser degree.
Admin
Somehow, I always read that as "ass-enter". Don't know why.
Admin
Still remember what fun it was to show the vendor of an "industry leading" online brokerage package how to use their bulletproof code to grab a copy of /etc/passwd off the host. Gulp. Blink. Sales weasel shrivels and shuts up. Technical guy "um, yeah, I'll open a bug on that..."
It's not like an insecure stock trading system could cause much of a problem, right?
Oh, but in their defense, the colors were quite vivid. And our marketing people were infatuated with their marketing people.
Admin
Could someone explain why typing ' OR ''=' in the password field would give him access to anything? I don't see the magic happening there. :/
Admin
Dammit... So... much... rage...!
Admin
Acchole
Admin
To be fair, instead of querying the Access database every page request to fetch user information, it makes sense to put all that data in the session. It's likely quicker than Access. No real WTF there in my opinion. Makes sense with the tools they have at their disposal.
The rest, though.. yikes. SQL injection to dumbass management. Sounds like my previous company. Which is a nice story in itself. Basically: I recommended not to hire person X as my replacement, because he simply didn't know how to program. They hired him anyway. Only a few months later they decided he was indeed not worth the paycheck they threw at him so willingly. He's now picking up the phone, and the company hires some company in India to do their programming - something I also discouraged.
Admin
They certainly don't. Unless Dave's working, apparently.
Admin
"Sir, incoming trace on the troll radar!"
"Son, that's a big one. Give it everything we've got!"
Admin
Can't say that this is really a "Curious perversion in IT".
Where I work, it's more like "An everyday occurrence".
Admin
I can imagine this happening over politics, like the software developers were big clients, or they were friends with someone in the company that got offended, i.e. the president's son's cousin's friend.
Admin
Ehm, no, I'm serious. I really don't get it.
Admin
shakes fist
I use ASP (.Net though) and I can tell you that large sessions KILL EVERYTHING. Who'd have thought IE crashes when presented with a 2 meg postback? Weird, huh?
/sarcasm
Admin
See http://xkcd.com/327/ and http://en.wikipedia.org/wiki/SQL_injection if you still don't get it.
Admin
Because the code that called the SQL they were using was probably along the lines of ...WHERE...AND [Password] = '" + string_user_entered + "'
Which, when given the input ' OR ''=', results in the following SQL: ...WHERE...AND [Password] = '' OR ''=''
Notice the last part, the OR ''='' - that's always going to be true :P
Admin
Everything is now being shipped off to India, and it sounds like they're replacing what was possibly the worst systems I'd ever inherited with something even worse! Hurrah
Admin
The SQL statement behind the scenes was something to the effect of:
select * from tblUserLogin where username='<%=request.form("username")%>' and password ='<%=request.form("password")%>'
If you enter your password as ' OR ''=' the resulting SQL statement is:
select * from tblUserLogin where username='whatever' and password ='' OR ''=''
Since ''='' you will be logged in as whatever username you entered.
Admin
I get the concept of SQL injection, but I don't get how the "OR =" affects the SQL stuff.
Admin
Which, when entering a username of bob and password of ' OR ''=' then becomes: SELECT * FROM USER WHERE username = 'bob' AND password = '' OR ''=''
Admin
Maybe you mixed up sessions with ViewState?
Admin
Yer doin it wrong.
It's not "OR "="
It's ' OR ''=''
The difference: " != ''
(double v single quotes...it is in effect saying OR BLANK SPACE IS EQUAL TO BLANK SPACE)
Admin
Pretty standard SQL injection. You send a username and password to the server, the server tries to find your account by executing something like this: "Select * From Users Where USERNAME = '<insert entered username here>' and PASSWORD = '<insert entered password here>'. Send "admin" as the username and "' OR ''='" as the password and this turns into "Select * From Users Where USERNAME = 'admin' and PASSWORD = '' OR ''=''". This query will search the database for every user where a) the username is admin, and b) either the password is empty or an empty string is the same as an empty string. Since an empty string is always the same as an empty string, this effectively completely removes the password check - all you have to do is guess the name of the administrator account (and admin is pretty standard for that), and you can log in as the system administrator without having to actually know the password.
Admin
The login code overlooks best practices and trustingly adds the password field to the database query looking up the user account.
The additional (injected) string shown in the example checks for a blank string equal to a blank string. Because this test is connected to the first test with OR, you now have a tautology.
So any person that can guess a username now has access to the system. This likely means the attacker will be able to gain administrative rights within the system.
CAPTCHA: similis - This is similis to the dumbest thing I've ever seen.
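The concatenated query and the ' OR ''=' payload that several comments above walk through, as an added, runnable example that is not code from the original article or from the vendor it describes. It stands in for the classic-ASP/Access login with Python's built-in sqlite3 module; the table name tblUserLogin comes from the thread, while the column names, the sample users and the function names are assumptions made up for this illustration. Beyond the thread's explanation it also shows two things worth knowing: because AND binds tighter than OR, the injected tautology makes the WHERE clause true for every row, so the attacker gets the whole table back and which account they "become" depends on how the application consumes the result set; and the same input passed through a parameterized query is just an unmatched password string.

```python
import sqlite3

# Constructed sample data (not from the original page): a tiny user table
# standing in for the Access tblUserLogin table the comments describe.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUserLogin (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO tblUserLogin VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    """Mirror the classic-ASP pattern from the thread: form fields are pasted
    straight into the SQL text, so a quote in the input ends the literal."""
    return (
        "SELECT username FROM tblUserLogin WHERE username='"
        + username + "' AND password='" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Run the concatenated query and return every username it matches.

    With password = ' OR ''=' the WHERE clause becomes
        username='admin' AND password='' OR ''=''
    which SQL parses as (username='admin' AND password='') OR (''=''),
    i.e. true for every row in the table.
    """
    return sorted(row[0] for row in conn.execute(build_vulnerable_sql(username, password)))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: bound parameters keep the input as data, never as SQL,
    so ' OR ''=' is compared literally against the stored password."""
    sql = "SELECT username FROM tblUserLogin WHERE username=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"
    print(build_vulnerable_sql("admin", payload))
    print("vulnerable:", login_vulnerable(db, "admin", payload))      # every user
    print("vulnerable, double quotes:", login_vulnerable(db, "admin", '" OR ""="'))  # nothing
    print("parameterized:", login_parameterized(db, "admin", payload))  # nothing
```

The double-quote variant in the demo is the point one commenter makes above: inside a single-quoted SQL literal a double quote is just a character, so " OR ""=" never escapes the string and the query simply fails to match.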
Admin
No need to use SQL injection if the database is in the wwwroot :) Just download database.mdb and grab the passwords.
Admin
What is the website? I want to use ' OR ''=' and see what's going on!
Stupid CEO will get what he deserves soon enough I suppose.
Admin
Hmm... could be the same thing, I suppose.
Admin
I'm continually amazed at just how naïve some programmers are, even after years of experience. (I'm also worried that I used to be just as bad…)
Admin
Yep, Why listen to your local experts when you can outsource them to people who will tell you anything you want to hear.
Isn't that the FIRST thing they cover in Management 101 nowadays?
Admin
Thanks for all the explanations. :)
Admin
For some extra resources on SQL Injection:
http://xkcd.com/327/
(oldie but goodie)
Admin
And that's what I get for only reading 75% of comments. I hate myself
Admin
Lesdyxia...
Admin
Well, if Accenture did it!
Did you guys see that story on Digg a while back about how the London Stock Exchange was "ditching Windows", because some (Windows based) software Accenture wrote crashed, so they were replacing it with a (Unix based) alternative?
Yeah, I'm sure Windows was the deciding factor there, not some idiot at Accenture's shitty code.
Admin
Since I worked for Arthur Andersen when Accenture was still Andersen Consulting I enjoy anything that pokes fun at self-absorbed AC consultants.
Admin
Like the other guy said, yer mixing up session and viewstate. viewstate is a type of session - http://www.martinfowler.com/eaaCatalog/clientSessionState.html
The session they are talking about here means the server side session. Don't stick 2mb worth of anything in the viewstate! That's a WTF all in itself.
Admin
So, if HR explicitly chooses to use a system without security, does that make it legal to 'improve' the data in such a system ... like everyone's salary (except the HR people's, of course)?