Hungarian Notation?
Admin
Doesn't IndexOf return the location of the first occurrence of the string that you're searching for? So wouldn't this function cut off everything after the first space in the string?
No wonder the function is never called; it breaks pretty much any query you pass to it.
Admin
ThRiD. Take this case-sensitive beauty.
Admin
I bet they stopped calling it because some "Bob von Something" (or the local equivalent) complained that their family name was truncated to "von" on the form...
Admin
Why do all those people even bother to write something like that, even though ASP.NET came out of the box with injection filters from the very start?
Admin
I like how they named the function "PreventSQLInjection".
The very idea that just calling a function to check actively for an attack is a WTF in itself.
It is not just a wrong implementation, it is a wrong paradigm. The code should first of all have a structural, passive resilience (the systematic use of prepared statements for SQL queries is good because it is a structural resilience).
Admin
AnD(We're(off)),(Or(nOT))?
Assumptions about hackers being consistent case-wise and ignorant of the fact that spaces aren't crucial to getting a query through are silly.
Is it really that hard to go the easy way of just escaping any (direct or indirect) outside input before putting it into a local API?
Admin
But that does prevent SQL injection. That's all it's supposed to do.
Admin
"yes and no" (but thanks to the function it's a resounding "yes" ;-)
Admin
The function itself is fine, it's just misnamed. It should be called PreventAlmostAnyQueryFromProperlyExecuting or DontCallThis.
Admin
... and then trim it. I don't have a c# compiler to hand to check, but surely if passed any string with a space in it, this will return an empty string.
Admin
Looks like eKRÉTA is in danger of becoming exKRÉTA.
Admin
Trim will remove any whitespace from the end of the string (there is another form to trim from the front, and a third form which trims from the front and back). The resulting string might have whitespace.
Admin
Correct. That is the best part.
It's a good thing they put the "dangerous" keywords in upper cased AnD lowercase so there is Not a way to fool the code oR hack it.
Admin
Correction for Remy Porter: GDPR is going to be applied by Hungarian Data Protection agency (assuming company is Hungarian). Not that it is going to prevent morons from screaming EU anyway...
Admin
Little Bobby Tables? Anyone..?
Admin
It's likely meant to filter 'perceived badness' out of each query parameter, not the entire query. Of course it would still fail at that task as written.
Admin
I don't think it's supposed to be called on queries, but on the input values used to build the query. But yeah, if you input "hello world", it will only insert "hello". And if your name is O'Neil, well, too bad, it's now ONeil.
Admin
Why do you say cleartext contains no spaces? Only leading and trailing spaces are trimmed, but there can still be spaces within the resulting value.
Admin
This!
Admin
It substrings up to the first space, then trims. So the string " this is a string" will return "this".
Admin
Yeah, I thought of that after I had posted, but my way would be a bigger WTF, so I'm gonna stick with that.
Admin
Of course it is never called. What happens if you try to pass the name "Amanda" through it? If you cannot pass names through it, what good is it?
Admin
Around the time that SQL injections became popular, one of my webdevs was a bit green and when I reviewed his code it was string concatenation everywhere, wide open for this type of attack. I told him about SQL injection, demonstrated that it worked on our live website, and instructed him to fix it by using parameters for all his queries instead of string concatenation.
When I checked back a few weeks later, I found that he had changed all instances from this sort of thing:
sql = "SELECT id FROM table WHERE code=" & code
to this sort of thing
Function assembleSQL(ACode)
    assembleSQL = "SELECT id FROM TABLE WHERE code=" & ACode
End Function
sql = assembleSQL(code)
He'd misunderstood everything about everything and presumed that somehow passing an argument to a function was the same as using a parameter and therefore somehow stopped SQL injection.
I still don't understand how he did all of those changes across hundreds of instances throughout the codebase without googling or asking me for clarification on what he was doing.
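The misunderstanding in the story above is worth seeing in running code. The following is an added example, not code from the article or the commenter; it is written in Python with SQLite rather than the original VBScript/ASP, and the table, its rows and the function names (make_db, assemble_sql, query_concat, query_param) are constructed for the demonstration. It puts the "pass it through a function" wrapper next to a real bind parameter and runs the same attacker input through both:

```python
import sqlite3

# Constructed sample data for the demonstration (not from the article).
ROWS = [(1, 10), (2, 20), (3, 30)]


def make_db():
    """In-memory SQLite table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, code INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def assemble_sql(code):
    """Same shape as the VBScript assembleSQL in the comment above.
    Wrapping the concatenation in a function changes nothing: the
    user's text still becomes part of the SQL statement."""
    return "SELECT id FROM t WHERE code=" + code


def query_concat(conn, code):
    """The 'fixed' code path: call the wrapper, run the assembled string."""
    return sorted(row[0] for row in conn.execute(assemble_sql(code)))


def query_param(conn, code):
    """The real fix: a bind parameter. The driver ships the value
    separately from the statement text, so the value can only ever be
    compared against the column; it is never parsed as SQL."""
    return sorted(row[0] for row in conn.execute(
        "SELECT id FROM t WHERE code=?", (code,)))


if __name__ == "__main__":
    db = make_db()
    attack = "10 OR 1=1"  # classic tautology appended to a numeric value
    print(query_concat(db, "10"), query_concat(db, attack))  # [1] [1, 2, 3]
    print(query_param(db, "10"), query_param(db, attack))    # [1] []
```

The parameterised query returns nothing for the attack string because SQLite compares the whole text "10 OR 1=1" against the integer column and finds no match; the concatenated version returns every row because the text was parsed as `code=10 OR 1=1`. A code review that only checks "is the SQL built in a function?" cannot tell these two apart; the thing to look for is whether the user value ends up in the statement text or in the parameter list.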
Admin
Admin
https://dotnetfiddle.net/BLY0t6 for anyone who wants to play with it, it does keep the first part of the string until the space, so it isn't returning empty strings (unless it starts with a space)
Admin
Same thing happened to me, but the roles were inverted. I was the green dev who found out the app was vulnerable to SQL injection, showed it to the seniors and proposed using prepared statements. Their solution was to do exactly what today's article's code tries to do: manually remove SQL keywords. The best part was that it broke one of the admin users' passwords, because it contained the word "from".
Admin
That list of tags does not include all the keywords in SQL, not even the common ones. What about ";", "SELECT * FROM", "DROP TABLE", or "INSERT INTO"? Plenty of damage could be done with that if the goal is to overload the system or steal data. It's also missing the ">" operator, which means "<" can be overridden by just reversing the arguments.
Admin
So the password wasn't hashed by the time it headed off to the data layer? Which means it probably wasn't hashed at all, eh? Hoo boy.
Admin
Oh don't worry, it won't replace the "and" in "Amanda" because the disallowed keyword " and " is surrounded by spaces! Good to go!
Admin
So, how would this function respond to "something a and nd another"? If it were called, I mean.
Admin
In the next article at Telex an independent expert and a former employee are interviewed, and it turns out that the published parts are legacy code from a previous piece of software, dead long ago. Also, all data found there, such as passwords, looks like test data. The incident itself started with simple phishing. I have not seen any report on stolen personal data at Telex since then. I am pretty sure they would be happy to report it.
Admin
Did They Find Out You Don't Need Spaces In Your Query?
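Several comments above make the same two points from different angles: the filter cuts every value at its first space, so names like "Amanda" survive only because the space-delimited keywords can no longer match anything, and anyone who knows that SQL does not need spaces or consistent case walks straight through it. The block below is an added example, not the article's code: it is a toy reconstruction in Python of the behaviour the thread describes (cut at the first space, Trim, then case-sensitive replacement of a few space-delimited keywords and the apostrophe), with the keyword list, the no-space handling and the helper names (BLACKLIST, prevent_sql_injection, make_db, run_filtered, BYPASS) all assumed for illustration. It then feeds the filtered value into a concatenated SQLite query the way a caller of such a function would have.

```python
import sqlite3

# Toy reconstruction of the filter as the thread describes it. This is an
# assumption for illustration, not the article's actual function: the
# keyword list and the handling of input with no space are guesses.
BLACKLIST = [" and ", " or ", " not ", "'"]  # assumed list


def prevent_sql_injection(cleartext):
    cut = cleartext.find(" ")
    if cut >= 0:
        cleartext = cleartext[:cut]      # Substring(0, IndexOf(" "))
    cleartext = cleartext.strip()        # Trim()
    for word in BLACKLIST:               # case-sensitive, as in the article
        cleartext = cleartext.replace(word, "")
    return cleartext


# Constructed sample table for the demonstration (not from the article).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, code INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    conn.commit()
    return conn


def run_filtered(conn, user_input):
    """What a caller of the filter would have done: filter, then concatenate."""
    sql = "SELECT id FROM t WHERE code=" + prevent_sql_injection(user_input)
    return sorted(row[0] for row in conn.execute(sql))


# No spaces, no quote, keyword in the "wrong" case: nothing in the filter
# touches it. SQLite (like most engines) treats /**/ as whitespace and
# matches keywords case-insensitively, so it parses as  code=10 OR 1=1.
BYPASS = "10/**/oR/**/1=1"


if __name__ == "__main__":
    db = make_db()
    for value in ["Amanda", "hello world", " this is a string", "O'Neil",
                  "10 OR 1=1", BYPASS]:
        print(repr(value), "->", repr(prevent_sql_injection(value)))
    print(run_filtered(db, "10"), run_filtered(db, BYPASS))  # [1] [1, 2, 3]
```

Run it and the two failure modes sit side by side: legitimate multi-word input ("hello world") is mutilated, a leading space yields an empty string, and the obvious "10 OR 1=1" is indeed stopped, but only because it contains spaces; the no-space variant survives the filter untouched and returns every row. Whatever list of keywords the real function used, the fix is not a longer list but the bind parameter shown a few comments up, which takes the value out of the statement text altogether.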
Admin