- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
But how do you implement an Xmlhttprequest without sending a request to a server and getting back a response? I detect a gap in the reasoning around in here somewhere...
Admin
Well yes if you like, but it's still funny.
Admin
I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"
Admin
Admin
Admin
I'm glad I'm not the only one who thought that when I saw the 4!. I was suddenly haunted by thoughts of Discreet Math class...
Admin
Is that the one with the cute math tutor... the "one on one sessions"?
Admin
Cute math tutor. Yeah, that's a good one.
Admin
For what it's worth, I was the tutor for that class. It was fun, but I just get tired of proofs after a while.
Admin
"unhomogenous mix of technologies"
What does that mean ?
Admin
It's the technology equivalent of raw milk, fart smell and all.
Admin
This was probably an improvement on the original which just had all the user names statically coded in JS. They probably just edited the files manually every time a new user was added.
Admin
I concur with qbolec that there is no SQL injection vulnerability here.
At first thought, I thought the WTF was going to be a coding standard that prevents SQL injection by requiring you to use no parameters in your query, hence the selection of the entire table. However, this code took it one step further(or is that farther?).
P.S. A lot of those user names look familiar...
Admin
I really want to know where this is. I've been wanting to hack a site, but never really had the time. These guys took care of all the hard work, so all I have to do now is submit a form.
Admin
Admin
First person to deny participation is the guilty party . . .
Admin
Admin
It's not in the code posted, but the text at least suggests that such a vulnerability exists:
Admin
Amen!
Admin
What we really need to see is how they validated passwords.
Admin
It is not "not that big of a deal". It is "not that big a deal".
I know it's a small point, and an error so common as to be standard informal speech in some areas, but you get it wrong every time and it's starting to grate with me.
It always seems a bit hypocritical for a writer to criticise programmers programming when his writing has this sort of mistake in.
Admin
Admin
if((theForm.user.value=="sjenkins" && theForm.password.value=="hunter2") || ...
Admin
That still might not be enough... remember this ad?
https://thedailywtf.com/images/201003/archived_craigslist.htm
Admin
What, no batch files and echo commands to assemble the jscript?
Admin
Admin
Ah... I see the WTF. If there are no usernames yet, then count($used) is 0 and there is no output.
if (<?for($x=0;$x<count($used);$x++) { echo "theForm.user.value==\"$used[$x]\""; <u>if($x<($total-1)) echo " ||"; }?>) {Fix:
if (<?for($x=0;$x<count($used);$x++) { echo "theForm.user.value==\"$used[$x]\"<u> ||"; }?> false) {Admin
On the bright side, SQL injection like attacks wouldn't drop your database. And if all database action is properly logged, any damage would be easily undone.
Admin
To all you 327 xkcd folk: Have anybody checked what the NYPD describes as a code 327?
A little warm love from a forumtroll ;)
Admin
Admin
It's not a WTF. It's HVS (how very sad).
Admin
Dear Ben,
In case you can’t tell, this is a grown-up place. The fact that you insist on using PHP clearly shows that you’re too young and too stupid to be using websites.
Go away and grow up.
Sincerely, Bert Glanstron
Admin
Dear Ben,
In case you can’t tell, this is a grown-up place. The fact that you insist on using JavaScript (aka ECMAScript) clearly shows that you’re too young and too stupid to be using websites.
Go away and grow up.
Sincerely, Bert Glanstron
Admin
Meta-programming FTW!
Admin
How is that SQL injection vulnerability? SQL is in a fixed string literal, which isn't modified as far as I can see.
SQL is in the script source, not in final HTML page source, as far as I can see. How else are you supposed to produce a page with data from SQL database?
Please explain.
As far as I can see, that would become completely sensible code with a few minor tweaks. Tweak 1: require user name check to happen without extra HTML requests. Tweak 2: do just one SQL query. Tweak 3: put randomly salted hash values instead of actual user names to the page source. Optional tweak 4, if there are performance problems on client side: make that javascript if sequence into binary search.
Or can anybody come up with better solution, taking the tweak 1 above into account?
Admin
UPDATE users SET user_name = 'zadmin' WHERE user_name = 'admin'
Fixed?
Admin
Yeah, that sounds like a brilliant idea, lets all enable binary logging, preferably to some spare single drive to really clobber performance...
Admin
Depends on how intelligent the database is and how the field has been designed, if it's char(x) the update will happen in place, if it's varchar some databases might choose to just update the pointer to the new string - others might choose to mark the row for collection and insert a new row in the end of the table (or whatever page might fit).
First two scenarios with that type of query the zadmin will still be on top since an unbounded query will always start at the "top" of the table and read onwards. The latter case zadmin will most likely be last, but not because of the z.
Of course if, you chose only to select the field user_name from the table, any index on said field will take precedence in most database systems regardless of bounding (covering indexes ftw.).
Admin
..me too, unfortunately
Admin
The real WTF is that he loops through the resultset twice.
Admin
This is what really happened:
Sales man (SM): "Hey Cliff, I need a user name duplicate check in this app I found... You don't have to hurry, I only need it by tomorrow morning."
Programmer Cliff: "Uh... ok... where is this app located?"
SM: "Well, i'm not quite sure, I found it in my browser history. But hey, you're smart, you'll find it... Oh, gottag go, see you tomorrow morning"
So Cliff began searching on different servers to find this mysterical app which desperately needed a user name duplicate check only because the SM somehow got this delightful feature idea. After hours of searching the clock hit 10 p.m. and Cliff finally found this wonderful app. Unfortunately Cliff had to admit that though he is a capable C# programmer, he has never dealt with PHP before, and this application was a pure PHP programming hell - the initial developer must have been the 14-year-old nephew of the SM. There was no better explanation for this chaos of random script files and the missing functions and classes.
Just as Cliff thought that he found a way to implement this usercheck without going into too much detail wit PHP or this applcation, an e-mail from the dearly beloved SM popped up (it was 2 a.m.), telling Cliff that he should "care about usability" and "avoid page reloads at all costs". That moment Cliff decided to jump from a bridge. Unfortunately, there was no bridge in the area, so he opened a bottle of EPL ("emergency programming liqueur") and started messing with JavaScript.
There are no records about what happened the next hours. Rumours say that after finishing the SM feature request, Cliff realized what he had done - programming in languages he did not know, ignoring basic security thoughts, and listening to the SM. It is said that Cliff took an acid bath to finish his life - his remains have never been found.
So the only thing left from Cliff is what another programmer found a few years later - a miserable combination of basic PHP and JavaScript code lines. And if you look closely at those lines, you can still see Cliff's despair, his EPL and the evil laugh of Cliff's SM...
Admin
HOLY FUCKING HELL.
Admin
low bar to entry.
Admin
Admin
I can't believe he's selecting all columns from the users table. It'd be much more efficient to select only the username field.
Admin
I don`t believe any capable (C#) programmer could make such a code... No matter the time stress and/or no knowledge of language... This is just tooo much for that...
Admin
Welcome to the wonderful world that is called outsourcing.
Admin
Don't worry, neither are the people claiming it is vulnerable.
There is nothing in the code to suggest that sql injection would work - only in the 'fluff' at the bottom of the article which is generally made up anyway.
Seriously.. wtf does 'admin' being the first name in the list have to do with anything? What particular sql query are Ben/Alex creating in their minds which could lead to the admin login being used as a default.
Admin
He's from India, right?
Admin
Almost as bad as the one that constructs SQL queries in Javascript and sends them along through GET.