First! Sounds a blast - how on earth did this company even get a project if they are this bad? I'd hate to see the rest of the code!
Admin
At least it will make SQL injection just a tiny bit harder, as an extra bracket is required that the hacker would not expect.
Admin
68a6a81ff9352dad1909c2907451fb726886328b
0323094163a8ecd15bf19efe081cf793ec345376
Admin
Clearly the WTF is SHA1 encryption. This would've been far better:
$result = mysql_query( "SELECT * FROM users " . " WHERE SHA1(ROT13(username)) = SHA1(ROT13('" . $_REQUEST["username"] . "')) " . " AND SHA1(ROT13(password)) = SHA1(ROT13('" . $_REQUEST["password"] . "'))");
Admin
CAPTCHA: damnum, a damn number?
Admin
There are more than enough low-paid devs out there turning out code this bad. Unfortunately, there's a market for them, too...
At a guess, it was either some beginner who'd read the basic examples for SQL programming or someone similar from some offshore company...
Captcha: damnum (kinda fitting... ;-)
Admin
You get what you pay for (are you listening Verizon?)
Admin
Sssh, Nagesh might actually do this
Admin
And yet how many companies, lately, have been found storing stuff in plaintext? By comparison, this seems like a major step up.
Admin
Why did Paul turn down the offer to have him rewrite the system? It's not like he'd have to keep the SQL injection holes open.
Admin
They are storing it in plaintext. They are only encrypting it after they pull it out of the database in plain text.
Admin
You do know that query implies that the username and password are plain text...
Admin
They are not pulling it out of the database in plain text... they are sending the plaintext password to the database, then encrypting both (the one they sent and the one present in the database) and then comparing the encryptions.
Admin
That still means they are in the DB in plain text though.
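The two problems the exchange above identifies (request values concatenated straight into the query, and SHA1 applied inside the WHERE clause, which only works if the stored password is plaintext) have a standard fix: bind parameters and hash once, in application code, at registration time. This is an added example, not code from the thread or the original article; it assumes a `users` table with a `pw_hash` column and uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not from the original thread. Parameterised queries keep
// request values out of the SQL text, and a salted, slow hash computed in
// PHP means the database never holds the plaintext password.
// Table and column names are assumptions; the database is in-memory SQLite.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    return $db;
}

// Registration: store only password_hash() output (bcrypt via PASSWORD_DEFAULT,
// with a per-user salt), never the password itself.
function register(PDO $db, string $user, string $pass): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login: the username is bound as a parameter, so whatever it contains is
// compared as data rather than parsed as SQL. The hash check happens in PHP,
// so the stored column is never compared in plaintext.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user; same result as a wrong password
    }
    return password_verify($pass, $row['pw_hash']);
}

// Constructed sample account for demonstration.
$db = open_db();
register($db, 'paul', 'correct horse battery staple');

var_dump(login($db, 'paul', 'correct horse battery staple'));
var_dump(login($db, 'paul', 'wrong password'));
// The username quoted later in the thread is treated here as a literal string
// that matches no account, not as part of the query.
var_dump(login($db, "') OR 1=1 -- ", 'anything'));
```

The `SHA1(...)` call disappears entirely from the query; if the existing table holds plaintext passwords, each row has to be re-hashed with `password_hash()` during migration, since the stored hash cannot be derived afterwards.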
Admin
Why can't I login with my username? It's just "') OR 1=1 -- ".
Admin
Nagesh strikes again...
Admin
Congratulations, you've discovered an application of SHA-1 as a two-way hashing algorithm.
Admin
What is Sssh? Secure SSH?
Admin
Hey there, my name is "Robert'); DROP TABLE Students;-- "
Admin
I wish all you ivory tower wannabes would get off your high horses. SHA1 is encryption! Do you even know what encryption means? It means to obfuscate. SHA1 is obfuscation. Now STFU.
And this is for all you pathetic jackwagons posting in SHA1:
68a6a81ff9352dfd1910c2907451fb726886328b
Admin
I agree; Paul could have just ditched the existing code and rewritten it as if it were a fresh contract. TRWTF is Paul turning the job down.
Admin
I think this was done entirely on purpose by a programmer who knows what he needs. One does not need encryption, the database is probably protected by a password already!
But why the SHA1 encryption before comparison, you might ask? Well, it's quite obvious: backwards compatibility! Some user might have found a SHA1 collision and now has the habit of being able to use two passwords on the sites that don't salt the password before hashing. We don't want to break that user's expectations, right?
Don't be too fast to judge someone, always give the benefit of doubt. ;)
Admin
These SHA1 jokes don't work as well as the Base64 jokes.
Admin
So, metaphorically speaking: they have a fully-security-approved multi-lock front door, but neglected to use any cement in the brickwork. Shouldn't be a problem, of course; criminals are first and foremost gentlemen and would not dream of using an alternative means of entry into a dwelling but the conventional one.
Admin
So the little piggies were penny-wise and hired outsourced labor to build a straw house, and then the big bad wolf came and huffed and puffed and blew their house in.
Admin
And there always will be, as long as there are companies that think they can go two orders of magnitude cheaper and think they'll get similar quality.
In contrast, people will spend six-figures for a really nice car, and five-figures for a decent car. If you're only spending four-figures you automatically wonder what's wrong with it.
Admin
So, if I join this site do I get the option to hide all posts from zunesis? Or should I just erase The Daily WTF from my bookmarks and get back to work?
No, really - if I can't block his posts, I'll simply stop coming here.
captcha: plaga. zunesis is a plaga upon this site.
Admin
PHP and mysql... and an overseas dev/sweatshop too...
What a surprise.
Admin
You can of course get a decent car in Britain for four figures. Our workmanship is so much better. (Let's ignore the fact that the currencies are such that "4 figures" in the UK may be considerably more than 4 figures in the US.)
Admin
I agree. (Goodness gracious, cranky Brit agrees with damn Yank. Must be a first.)
Admin
I once heard a story about the quality of Indian developers that explained a lot. A consultant that we worked with at my current employer told me of his experience working directly with software engineers in India (that is, in-country, not over the phone).
He was trying to get some of his teammates to read some software engineering texts like Code Complete, and no one would do it. Eventually, one of them broke down in frustration from being nagged and said, "Look, Bob. In this company's culture, you aim for management. If three years have passed, and you're still a developer, you failed."
So there seems to be a company (if not broader) culture that does not reward engineers. Many companies in the US (including mine) are implementing dual-track career ladders, so that purely technical people can achieve the same rate of pay and benefits as upper-level management. I highly doubt that a similar thing is happening at any Indian developer sweatshops.
So, yeah, I'm not surprised that working with continually neophyte engineers produces crappy projects. Noobs are noobs wherever you go. It's just that in the states, noobs eventually become the experienced engineers. In India, they become managers.
Perhaps these Indian managers could learn something from Herbert Hoover: "Engineering ... it is a great profession. There is the fascination of watching a figment of the imagination emerge through the aid of science to a plan on paper. Then it moves to realization in stone or metal or energy. Then it brings jobs and homes to men. Then it elevates the standards of living and adds to the comforts of life. That is the engineer's high privilege.
The great liability of the engineer compared to men of other professions is that his works are out in the open where all can see them. His acts, step by step, are in hard substance. He cannot bury his mistakes in the grave like the doctors. He cannot argue them into thin air or blame the judge like the lawyers. He cannot, like the architects, cover his failures with trees and vines. He cannot, like the politicians, screen his shortcomings by blaming his opponents and hope the people will forget. The engineer simply cannot deny he did it. If his works do not work, he is damned....
On the other hand, unlike the doctor his is not a life among the weak. Unlike the soldier, destruction is not his purpose. Unlike the lawyer, quarrels are not his daily bread. To the engineer falls the job of clothing the bare bones of science with life, comfort, and hope. No doubt as years go by the people forget which engineer did it, even if they ever knew. Or some politician puts his name on it. Or they credit it to some promoter who used other people's money ... but the engineer himself looks back at the unending stream of goodness which flows from his successes with satisfactions that few professionals may know. And the verdict of his fellow professionals is all the accolade he wants."
Admin
is my sarcasm detector broken ... because it's still plaintext in the db.
Admin
You do realize that the WHERE clause has a temporary SHA1 encoding? It's the plaintext passwords that are permanent in the database.
Admin
This reminds me of a hypothetical security fail we came up with one time. Imagine a marginal coder deciding it would be a good idea to error check each character on a password field as the user typed it in.
Admin
Oh, you're not using Lynx? Sucks to be you...
Admin
And yes, being him does involve a form of sucking...
Admin
Perhaps because once he saw just how technically inept and tight-fisted management was, he didn't want to spend the next few months fighting them over dimes and explaining that he couldn't just "fix the bugs" in a day.
Admin
How could an overseas manager lose at golf to a vice-president? I've had managers I could have replaced with a very small shell script, if only I could have gotten past that hurdle.
Admin
PML. "A", nope, doesn't start with "A". "B", nope, "C", aha. "CA", nope, "CB", nope, ...
I remember pointing out to my boss once that the login process as programmed by a contractor, which went something like "The username was correct but the password was not" (or words to that effect), was less than optimal, but he didn't understand what I was trying to point out. Comms fail.
Admin
Why? Why do so many programmers even bother to pretend they know anything about security? They might just as well be honest about it:
Admin
The Law of the Internet (Troll or be trolled) appears to be in full force today.