Admin
As the good book says .... "The last shall be frist and the frist shall be last".
Admin
What's so intricate about authentication? Many moons ago, I've seen this in the wild:
    Function privilege(username As String, password As String) As Integer
        ' Credentials hard-coded in source; privilege is 0 (VB's default Integer) if nothing matches
        If username = "view" And password = "" Then privilege = 0
        If username = "operator" And password = "oper" Then privilege = 1
        If username = "engineer" And password = "eng" Then privilege = 2
        If username = "admin" And password = "1234" Then privilege = 100
    End Function
I'm not joking...
Admin
Yikes
Admin
Scott and Tiger, hem hem ...
Admin
But WHERE is SQL. That's so 1970s!
Addendum 2021-03-08 07:55: *but
Admin
"don't write your own authentication code"
When this warning is brought up, it's usually about how you shouldn't roll your own hashing algorithm or try to be clever in similar ways, because you'll almost certainly fail.
There's none of that here. Just someone who doesn't have a clue about some basic fundamentals of how a database works or how to run queries in a sane, sensible way. I'd say this is a database WTF, rather than an authentication WTF.
Admin
Too many programmers can't database themselves out of a paper bag.
Admin
If it had the break this wouldn't really be much of a WTF - it would have been functionally correct, just inefficient.
But it is surprising how it seems to be accepted that 'normal' developers can have an unapologetic zero knowledge of how to use databases. You don't even have to use SQL, you can use Linq or an ORM like Hibernate and pretend you aren't. Almost all production level applications need to interact with a data store, often a relational database, and so application developers should have at least a basic understanding of how their data store works, even if they aren't experts (just as we should all understand how our UI works and be able to do small tweaks, even if we're not UX experts).
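The "functionally correct only with a break" point above, worked through in code. This is an example added here, not code from the original article or from the commenter; the table, rows and hash strings are constructed for the demonstration, and the fix is the parameterized WHERE clause the thread keeps coming back to.

```python
import sqlite3

# Constructed sample rows (username, password_hash, enabled); not the article's data.
USERS = [
    ("alice", "hash_a", 1),
    ("bob", "hash_b", 1),
    ("carol", "hash_c", 0),
]


def make_db():
    """Build an in-memory users table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, enabled INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def authenticate_scan(conn, username, password_hash):
    """The pattern under discussion: pull every row, overwrite the result on each
    iteration, never break. Only a match on the LAST row survives the loop."""
    authenticated = False
    for row_user, row_hash in conn.execute("SELECT username, password_hash FROM users ORDER BY rowid"):
        if row_user == username and row_hash == password_hash:
            authenticated = True
        else:
            authenticated = False  # a match two rows ago is forgotten here
    return authenticated


def authenticate_scan_or_equals(conn, username, password_hash):
    """Functionally correct but still a full table scan: the OR-equals variant
    keeps a True once it is seen, at the cost of always reading every row."""
    authenticated = False
    for row_user, row_hash in conn.execute("SELECT username, password_hash FROM users"):
        authenticated |= (row_user == username and row_hash == password_hash)
    return authenticated


def authenticate_where(conn, username, password_hash):
    """Let the database do the lookup: a parameterized WHERE clause returns at most
    one row, the primary-key index on username is used, and there is no loop to get wrong."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row is not None
```

The scan version only "works" for whichever user happens to be stored last, which is exactly the kind of bug that passes a one-user test database and fails in production.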
Admin
I've never taken a job somewhere that didn't have something like this in at least one place.
Admin
I was thinking this should say "coworker", but that would mean someone who co-works. (Or orks cows, possibly.) But it doesn't say coworker, it says peer.
Admin
Well in the hands of this programmer I would not start talking about the WHERE clause and let him have his break. He will not sanitize the input, and little bobby tables will ruin your database.
Admin
Can't have a SQL injection bug if you don't construct any SQL statements
<insert Roll Safe image here>
Admin
And worse: it says peer without using quotes, which implies that Christopher is as stupid as the orker-of-cows.
Admin
if (_some_condition) result = true; else result = false;
Waaaaaah! headshake
Admin
And it's clear from their snippet that their password hashing algorithm is crap. It's better than not hashing, but they're definitely not using state-of-the-art password hashing because with argon2, scrypt, or even bcrypt you don't validate hashes with 'dr["hashPassword"].ToString() == hashValue'.
It's also very likely they're not salting their hash, but it's possible they may be using the username as a salt, which would be acceptable.
And finally, == allows for a timing attack, which would allow an attacker to extract the password hash by using repeated logins over the internet, and then be able to use much faster local brute forcing of the hash. Assuming the site doesn't limit login attempts.
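What a salted, memory-hard hash with a constant-time comparison looks like, as an added example (not the article's code and not the commenter's; the scrypt parameters and the `salt$hash` storage format are assumptions made for this snippet). The naive variant keeps the `==` comparison the comment objects to, side by side with the `hmac.compare_digest` version.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune to your hardware in practice.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return 'salt_hex$digest_hex'. A fresh random salt per user means two users
    with the same password are stored as different values."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt.hex() + "$" + digest.hex()


def _recompute(password, stored):
    """Split the stored value and recompute the digest with the stored salt."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return recomputed, digest_hex


def verify_password_naive(password, stored):
    """The pattern criticized above: string == stops at the first differing character,
    so how long the comparison takes depends on how much of the prefix matched."""
    recomputed, digest_hex = _recompute(password, stored)
    return recomputed == digest_hex


def verify_password(password, stored):
    """Constant-time variant: compare_digest's running time does not depend on
    where (or whether) the two values differ."""
    recomputed, digest_hex = _recompute(password, stored)
    return hmac.compare_digest(recomputed, digest_hex)
```

Both functions return the same booleans; the difference is only in what the response time reveals, which is why you cannot spot this class of bug by looking at test results.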
Admin
Nah, don't use break. Use or-equals to change this.authenticated to true if any of them match. Then you won't have a time difference depending on whether the username was towards the start or end of the data set. Prevents timing attacks and increases security ;-P
Admin
Actually (and in the strictest sense) it just implies that, were one of the two to be tried for some crime or other (say, causing a nuclear explosion by not adding a break in a while statement), then the other would be available as a potential jury member in the resultant trial.
Not that I'd want this coworker on any jury I'd face, of course.
Admin
Maybe someday this website will stop thinking it's slashdot and not "censor" that word...
Admin
The issue here is not authentication code but someone just being really bad at SQL. Unlike crypto, there isn't ridiculously complicated maths involved, nor hidden complexities where using some perfectly sound primitives together in the wrong way can break things horribly, nor weirdness like side-channel attacks.
Admin
When I first used hibernate I used java streams to implement the filter logic, foolishly assuming an equivalence with linq2sql. Only when it started performing like a dog on big databases did we realise the issue. To this day I can't understand why hibernate has no type safe way of efficiently querying a database. Even linq2sql (pre .net 3.0), can bite you if it fails to compile your query fully into SQL.
Admin
So let me get this straight: they knew enough about databases in theory to know what an index is, but not enough to write a proper SQL query? Code red, we're dealing with an academic here!!!
Admin
I long ago got tired of how often I was seeing this search algorithm bug in Stack Overflow questions (most don't involve a DB query, so can't be fixed with a simple WHERE clause). I wrote a generic answer: https://stackoverflow.com/questions/42913798/searching-array-reports-not-found-even-though-its-found/42913882#42913882
Admin
WHEREfore Art thou Valid User?
Admin
I'd honestly rather deal with an unapologetically database clueless person than one who derps their way forward using an ORM with zero understanding of how it works. They make it easy to write innocuous looking code that utterly hammers the crap out of the database server for no good reason. eg doing searches in ways that require pulling the entire table(s) to the application instead of generating a WHERE on the database side, or generating multiple independently executed queries for each record instead of doing everything in a single shot.
Admin
A developer who does not understand the rudiments of database access is no developer. Fire such people. (Or make an attempt to train them first, if you must.)
Admin
I actually wrote (pre-Java 8) a library to do load on demand query building for exactly this reason. It's amazing that Java doesn't have execute-on-demand LINQ-like capabilities.
I guess Hibernate would claim their Criteria API is along these lines.
Admin
Only teach him about how to do parameterized WHERE clauses.
I'm quite frankly surprised that more people don't do this. Parameterized WHERE clauses are not that difficult to do, and can be used for all cases. It may be a little less efficient to use a parameterized where clause when your where clause is a constant, but it's not technically complicated and works.
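A parameterized WHERE clause next to the string-built one it replaces, including the "constant" predicate case from the comment above. Example added here, not from the article or the commenter; the users table and rows are constructed, and the `' OR '1'='1` input is the textbook little-bobby-tables case mentioned earlier in the thread, shown only to make the difference between the two queries visible.

```python
import sqlite3

# Constructed rows (username, enabled); not the article's data.
USERS = [("alice", 1), ("bob", 1), ("carol", 0)]


def make_db():
    """In-memory users table built from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, enabled INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def find_user_concat(conn, username):
    """String-built WHERE clause: whatever the caller passes becomes part of the SQL text,
    so a value containing a quote changes the shape of the query."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_param(conn, username):
    """Parameterized WHERE clause: the value is bound after parsing and is only ever
    compared as data. The SQL text is the same for every call."""
    return sorted(
        row[0] for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    )


def enabled_users(conn, enabled=1):
    """Even a predicate that is usually a constant can be a parameter; the statement
    text stays fixed (and cacheable) and the code path is the same as for user input."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE enabled = ? ORDER BY username", (enabled,)
        )
    ]
```

The concatenated version returns every row for the quoted input because the predicate becomes `username = '' OR '1'='1'`; the parameterized version looks for a user whose name literally is that string and finds none.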
Admin
The database lecture was one of the most important ones in my curriculum - not officially, but in terms of insights for program design.
I haven't used SQL since, but the principles used for designing a database scheme translate directly to keeping data structures sane.
Our code is full of duplicated data and the bugs are often related to accessing a version that has become outdated.