• Fred (unregistered) in reply to AJAX via precognition
    AJAX via precognition:
    I think our hapless/handless programmer got a requirement to check the availability of usernames - like all those fancy sites do, right? - without requiring a submit/reload cycle. Xmlhttprequest was beyond the pale of knowledge alas.
    This almost sounds plausible, which of course, means that clueless requirements writers are also part of TRWTF.

    But how do you implement an Xmlhttprequest without sending a request to a server and getting back a response? I detect a gap in the reasoning around in here somewhere...

  • Matt Westwood (unregistered) in reply to European
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    Can we move on now.

    Well yes if you like, but it's still funny.

  • FuBar (unregistered) in reply to European
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"

  • Random Joke (unregistered) in reply to FuBar
    FuBar:
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"

    4!

  • (cs) in reply to Random Joke
    Random Joke:
    FuBar:
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"

    4!
    24

  • (cs) in reply to frits
    frits:
    Random Joke:
    FuBar:
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"

    4!
    24

    I'm glad I'm not the only one who thought that when I saw the 4!. I was suddenly haunted by thoughts of Discreet Math class...

  • wtf (unregistered) in reply to Anguirel
    Anguirel:
    I'm glad I'm not the only one who thought that when I saw the 4!. I was suddenly haunted by thoughts of Discreet Math class...

    Is that the one with the cute math tutor... the "one on one sessions"?

  • (cs) in reply to wtf
    wtf:
    Anguirel:
    I'm glad I'm not the only one who thought that when I saw the 4!. I was suddenly haunted by thoughts of Discreet Math class...

    Is that the one with the cute math tutor... the "one on one sessions"?

    Cute math tutor. Yeah, that's a good one.

  • (cs) in reply to wtf
    wtf:
    Anguirel:
    I'm glad I'm not the only one who thought that when I saw the 4!. I was suddenly haunted by thoughts of Discreet Math class...

    Is that the one with the cute math tutor... the "one on one sessions"?

    For what it's worth, I was the tutor for that class. It was fun, but I just get tired of proofs after a while.

  • sceptic (unregistered)

    "unhomogenous mix of technologies"

    What does that mean ?

  • (cs) in reply to sceptic
    sceptic:
    "unhomogenous mix of technologies"

    What does that mean ?

    It's the technology equivalent of raw milk, fart smell and all.

  • Anon (unregistered)

    This was probably an improvement on the original which just had all the user names statically coded in JS. They probably just edited the files manually every time a new user was added.

  • EngleBart (unregistered) in reply to qbolec
    qbolec:
    Anonymous:
    SQL injection vulnerabilities - check;
    where?
    Anonymous:
    SQL in page source - check;
    where?

    I concur with qbolec that there is no SQL injection vulnerability here.

    At first thought, I thought the WTF was going to be a coding standard that prevents SQL injection by requiring you to use no parameters in your query, hence the selection of the entire table. However, this code took it one step further (or is that farther?).

    P.S. A lot of those user names look familiar...

  • ÃÆâ€â„ (unregistered)

    I really want to know where this is. I've been wanting to hack a site, but never really had the time. These guys took care of all the hard work, so all I have to do now is submit a form.

  • sino (unregistered) in reply to Neil
    Neil:
    Mark:
    You guys misspelled "thorough".
    They were just spelling it thouroughly.
    Missed a golden opportunity, there, Neil...
  • (cs) in reply to jonsjava
    jonsjava:
    Just FYI. I wasn't really the coder.

    First person to deny participation is the guilty party . . .

  • ideo (unregistered) in reply to qbolec
    qbolec:
    Anonymous:
    PHP - check and f-ing check!
    JS - check!
    Yeah, cause the proper response for a php monkey being trolled is to get his panties in a bunch and redirect his ire at the lingua franca of [behavior on] the internet? That's like a pointer to a pointer to a... whoopsie, you lost it, better start over. Here, let me help you out before you sprain something:
    qbolec:
    TRWTF is VB! And I, qbolec, am a blithering ID10T, though Anonymous isn't much better, what with the SQL injection hallucinations. I mean seriously, if you're gonna hallucinate, at least make it something good, like green-skinned alien babes in a state of undress, or maybe a smorgasbord of fine foods with a penis themed decor. Embarrassing, Anonymous. And I should know, I live there. Squeeee! Snarf.
    QFT.
  • Anon (unregistered) in reply to EngleBart
    EngleBart:
    qbolec:
    Anonymous:
    SQL injection vulnerabilities - check;
    where?
    Anonymous:
    SQL in page source - check;
    where?

    I concur with qbolec that there is no SQL injection vulnerability here.

    At first thought, I thought the WTF was going to be a coding standard that prevents SQL injection by requiring you to use no parameters in your query, hence the selection of the entire table. However, this code took it one step further (or is that farther?).

    P.S. A lot of those user names look familiar...

    It's not in the code posted, but the text at least suggests that such a vulnerability exists:

    TFA:
    Though, from a security standpoint, it's not really that big of a deal, as entering a password of ' OR ''=' would log you in as the first user in the database (admin), anyway.
  • Your mom (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    This is, sadly, a lot more common than we would hope. I've seen a LOT of codebases that, while not this bad, exhibited the same "I have no idea WTF I'm doing so I'll do the first thing that pops into my head" type developer mentality. In all cases it was because management was breathing down the developer's neck and they didn't have the time to do things properly, so they HAD to throw together some nonsense and never got around to fixing it.

    That doesn't excuse the WTFs in this particular article because there's NO excuse for this kind of idiocy, but I guarantee it wasn't just a stupid developer; probably a newbie who had to do the first thing that they thought of due to stupid deadlines from their boss.

    Amen!

  • Vic (unregistered)

    What we really need to see is how they validated passwords.

  • Andrew (unregistered)

    It is not "not that big of a deal". It is "not that big a deal".

    I know it's a small point, and an error so common as to be standard informal speech in some areas, but you get it wrong every time and it's starting to grate with me.

    It always seems a bit hypocritical for a writer to criticise programmers programming when his writing has this sort of mistake in.

  • (cs) in reply to Random Joke
    Random Joke:
    FuBar:
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny let me post http://xkcd.com/327/ so that noone else posts http://xkcd.com/327/.

    I think all references to SQL injection should now be abbreviated to just "327". In fact, it should be a whole new meme. "That code is totally 327ed" or "That code had so many 327s I couldn't decide whether to laugh or cry." Or "Us old timers have assigned all the WTFs a number.... The new guy says, '327'. (Dead silence) The old guy says, 'I guess some people just don't know how to tell a good WTF.'"

    4!
    The unusual landscape sketch? It was okay, but I really don't see the relevance, here.

  • Wow (unregistered) in reply to Vic
    Vic:
    What we really need to see is how they validated passwords.

    if((theForm.user.value=="sjenkins" && theForm.password.value=="hunter2") || ...

  • Mike (unregistered) in reply to Anon
    Anon:
    Hasteur:
    Oh holy hell...

    Where is the coder who developed that? I won't even begin to describe the potential for spearphishing attacks, but to grab every single user out of the database is grossly inefficient.

    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.

    I'd poke out their eyes too. Only way to be sure.

    That still might not be enough... remember this ad?

    https://thedailywtf.com/images/201003/archived_craigslist.htm

  • (cs)

    What, no batch files and echo commands to assemble the jscript?

  • vindico (unregistered) in reply to Mark
    Mark:
    You guys misspelled "thorough".
    The spelling brings the article up to number 4 in a google search, so was probably deliberate.
  • (cs)

    Ah... I see the WTF. If there are no usernames yet, then count($used) is 0 and there is no output.

    if (<?for($x=0;$x<count($used);$x++) { 
      echo "theForm.user.value==\"$used[$x]\"";
      if($x<($total-1)) echo " ||"; }?>) {

    Fix:

    if (<?for($x=0;$x<count($used);$x++) { 
      echo "theForm.user.value==\"$used[$x]\" ||";
      }?> false) {
  • Cheong (unregistered)

    On the bright side, SQL injection like attacks wouldn't drop your database. And if all database action is properly logged, any damage would be easily undone.

  • Forumtroll (unregistered)

    To all you 327 xkcd folk: Have anybody checked what the NYPD describes as a code 327?

    A little warm love from a forumtroll ;)

  • iagorubio (unregistered) in reply to Anonymous
    Anonymous:
    This is like a who's-who of common WTFs. If I were a little less experienced I would think this was a fake, somebody's idea of the "perfect storm" of WTFs (SQL injection vulnerabilities - check; SQL in page source - check; unhomogenous mix of technologies - check; PHP - check and f-ing check!). But I see this shit waaay to often so I don't doubt the veracity of the OP for a second.
    Oh cmon, don't blame the language. The only problem with PHP is that its learning curve is so flat that a drunken monkey can produce working code. Blame the manager who hired a drunken monkey instead.
  • not-of-this-Earth (unregistered)

    It's not a WTF. It's HVS (how very sad).

  • Bert Glanstron (unregistered)

    Dear Ben,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using PHP clearly shows that you’re too young and too stupid to be using websites.

    Go away and grow up.

    Sincerely, Bert Glanstron

  • Bert Glanstron (unregistered)

    Dear Ben,

    In case you can’t tell, this is a grown-up place. The fact that you insist on using JavaScript (aka ECMAScript) clearly shows that you’re too young and too stupid to be using websites.

    Go away and grow up.

    Sincerely, Bert Glanstron

  • History Teacher (unregistered)

    Meta-programming FTW!

  • History Teacher (unregistered) in reply to Anonymous
    Anonymous:
    SQL injection vulnerabilities - check; SQL in page source - check
    Could somebody explain these to me? I'm not a web programmer.

    How is that SQL injection vulnerability? SQL is in a fixed string literal, which isn't modified as far as I can see.

    SQL is in the script source, not in final HTML page source, as far as I can see. How else are you supposed to produce a page with data from SQL database?

    Please explain.

    As far as I can see, that would become completely sensible code with a few minor tweaks. Tweak 1: require user name check to happen without extra HTML requests. Tweak 2: do just one SQL query. Tweak 3: put randomly salted hash values instead of actual user names to the page source. Optional tweak 4, if there are performance problems on client side: make that javascript if sequence into binary search.

    Or can anybody come up with better solution, taking the tweak 1 above into account?

  • (cs)
    the article:
    entering a password of ' OR ''=' would log you in as the first user in the database (admin), anyway

    UPDATE users SET user_name = 'zadmin' WHERE user_name = 'admin'

    Fixed?

  • Mikkel (unregistered) in reply to Cheong
    Cheong:
    On the bright side, SQL injection like attacks wouldn't drop your database. And if all database action is properly logged, any damage would be easily undone.

    Yeah, that sounds like a brilliant idea, let's all enable binary logging, preferably to some spare single drive to really clobber performance...

  • Mikkel (unregistered) in reply to toth

    Depends on how intelligent the database is and how the field has been designed, if it's char(x) the update will happen in place, if it's varchar some databases might choose to just update the pointer to the new string - others might choose to mark the row for collection and insert a new row in the end of the table (or whatever page might fit).

    First two scenarios with that type of query the zadmin will still be on top since an unbounded query will always start at the "top" of the table and read onwards. The latter case zadmin will most likely be last, but not because of the z.

    Of course if, you chose only to select the field user_name from the table, any index on said field will take precedence in most database systems regardless of bounding (covering indexes ftw.).

  • yep.. (unregistered) in reply to Mike

    ..me too, unfortunately

  • Chris (unregistered)

    The real WTF is that he loops through the resultset twice.

  • Jo (unregistered)

    This is what really happened:

    Sales man (SM): "Hey Cliff, I need a user name duplicate check in this app I found... You don't have to hurry, I only need it by tomorrow morning."

    Programmer Cliff: "Uh... ok... where is this app located?"

    SM: "Well, i'm not quite sure, I found it in my browser history. But hey, you're smart, you'll find it... Oh, gotta go, see you tomorrow morning"

    So Cliff began searching on different servers to find this mysterical app which desperately needed a user name duplicate check only because the SM somehow got this delightful feature idea. After hours of searching the clock hit 10 p.m. and Cliff finally found this wonderful app. Unfortunately Cliff had to admit that though he is a capable C# programmer, he has never dealt with PHP before, and this application was a pure PHP programming hell - the initial developer must have been the 14-year-old nephew of the SM. There was no better explanation for this chaos of random script files and the missing functions and classes.

    Just as Cliff thought that he found a way to implement this usercheck without going into too much detail with PHP or this application, an e-mail from the dearly beloved SM popped up (it was 2 a.m.), telling Cliff that he should "care about usability" and "avoid page reloads at all costs". That moment Cliff decided to jump from a bridge. Unfortunately, there was no bridge in the area, so he opened a bottle of EPL ("emergency programming liqueur") and started messing with JavaScript.

    There are no records about what happened the next hours. Rumours say that after finishing the SM feature request, Cliff realized what he had done - programming in languages he did not know, ignoring basic security thoughts, and listening to the SM. It is said that Cliff took an acid bath to finish his life - his remains have never been found.

    So the only thing left from Cliff is what another programmer found a few years later - a miserable combination of basic PHP and JavaScript code lines. And if you look closely at those lines, you can still see Cliff's despair, his EPL and the evil laugh of Cliff's SM...

  • (cs)

    HOLY FUCKING HELL.

  • bob (unregistered) in reply to remi bourgarel
    but why so many cowboy-style developers choose this language ?

    low bar to entry.

  • (cs) in reply to Mike
    Mike:
    I think I used to work with this guy.
    Me too. Or someone just like him. Today's example is kinda lame compared to some of his other work I've had to clean up. Like slurping the entire content of a database table not once, but THREE times within the same method, and then searching through the records in code. With three different database connection and dataset objects.
  • JB (unregistered)

    I can't believe he's selecting all columns from the users table. It'd be much more efficient to select only the username field.

  • Gandor (unregistered) in reply to Jo

    I don`t believe any capable (C#) programmer could make such a code... No matter the time stress and/or no knowledge of language... This is just tooo much for that...

  • usa (unregistered)

    Welcome to the wonderful world that is called outsourcing.

  • (cs) in reply to History Teacher
    History Teacher:
    Anonymous:
    SQL injection vulnerabilities - check; SQL in page source - check
    Could somebody explain these to me? I'm not a web programmer.

    Don't worry, neither are the people claiming it is vulnerable.

    There is nothing in the code to suggest that sql injection would work - only in the 'fluff' at the bottom of the article which is generally made up anyway.

    Seriously.. wtf does 'admin' being the first name in the list have to do with anything? What particular sql query are Ben/Alex creating in their minds which could lead to the admin login being used as a default.

  • internetz (unregistered)

    He's from India, right?

  • Patrick (unregistered)

    Almost as bad as the one that constructs SQL queries in Javascript and sends them along through GET.

Leave a comment on “Thourough Username Validation”
