• LCrawford (unregistered)

    As the good book says .... "The last shall be frist and the frist shall be last".

  • Industrial Automation Engineer (unregistered)

    What's so intricate about authentication? Many moons ago, I saw this in the wild:

        ' Hard-coded credentials compared in plain text; the return value is the privilege level
        Function privilege(username As String, password As String) As Integer
            If username = "view" And password = "" Then privilege = 0
            If username = "operator" And password = "oper" Then privilege = 1
            If username = "engineer" And password = "eng" Then privilege = 2
            If username = "admin" And password = "1234" Then privilege = 100
        End Function

    I'm not joking...

  • (nodebb)

    Yikes

  • Sole Purpose Of Visit (unregistered)

    Scott and Tiger, hem hem ...

  • Álvaro González (github)

    Bue WHERE is SQL. That's so 1970s!

    Addendum 2021-03-08 07:55: *but

  • Moss (unregistered)

    "don't write your own authentication code"

    When this warning is brought up, it's usually about how you shouldn't roll your own hashing algorithm or try to be clever in similar ways, because you'll almost certainly fail.

    There's none of that here. Just someone who doesn't have a clue about some basic fundamentals of how a database works or how to run queries in a sane, sensible way. I'd say this is a database WTF, rather than an authentication WTF.

  • Andrew (unregistered)

    Too many programmers can't database themselves out of a paper bag.

  • Best Of 2021 (unregistered)

    If it had the break this wouldn't really be much of a WTF - it would have been functionally correct, just inefficient.

    But it is surprising how it seems to be accepted that 'normal' developers can have an unapologetic zero knowledge of how to use databases. You don't even have to use SQL, you can use Linq or an ORM like Hibernate and pretend you aren't. Almost all production level applications need to interact with a data store, often a relational database, and so application developers should have at least a basic understanding of how their data store works, even if they aren't experts (just as we should all understand how our UI works and be able to do small tweaks, even if we're not UX experts).

  • (nodebb) in reply to Industrial Automation Engineer

    Function privilege (username as string, password as string) ...

    I've never taken a job somewhere that didn't have something like this in at least one place.

  • (nodebb)

    this code from Christopher. His peer wrote this code,

    I was thinking this should say "coworker", but that would mean someone who co-works. (Or orks cows, possibly.) But it doesn't say coworker, it says peer.

  • Dlareg (unregistered)

    Well in the hands of this programmer I would not start talking about the WHERE clause and let him have his break. He will not sanitize the input, and little bobby tables will ruin your database.

  • Anonymous') OR 1=1; DROP TABLE wtf; -- (unregistered)

    Can't have a SQL injection bug if you don't construct any SQL statements

    <insert Roll Safe image here>

  • (nodebb) in reply to jkshapiro

    I was thinking this should say "coworker", but that would mean someone who co-works. (Or orks cows, possibly.) But it doesn't say coworker, it says peer.

    And worse: it says peer without using quotes, which implies that Christopher is as stupid as the orker-of-cows.

  • Your Name (unregistered)

    if (_some_condition) result = true; else result = false;

    Waaaaaah! headshake

  • Alipha (unregistered)

    And it's clear from their snippet that their password hashing algorithm is crap. It's better than not hashing, but they're definitely not using state-of-the-art password hashing because with argon2, scrypt, or even bcrypt you don't validate hashes with 'dr["hashPassword"].ToString() == hashValue'.

    It's also very likely they're not salting their hash, but it's possible they may be using the username as a salt, which would be acceptable.

    And finally, == allows for a timing attack, which would allow an attacker to extract the password hash by using repeated logins over the internet, and then be able to use much faster local brute forcing of the hash. Assuming the site doesn't limit login attempts.

  • ooOOooGa (unregistered)

    Nah, don't use break. Use or-equals to change this.authenticated to true if any of them match. Then you won't have a time difference depending on whether the username was towards the start or end of the data set. Prevents timing attacks and increases security ;-P

  • Sole Purpose Of Visit (unregistered) in reply to Steve_The_Cynic

    Actually (and in the strictest sense) it just implies that, were one of the two to be tried for some crime or other (say, causing a nuclear explosion by not adding a break in a while statement), then the other would be available as a potential jury member in the resultant trial.

    Not that I'd want this coworker on any jury I'd face, of course.

  • tbo (unregistered) in reply to LCrawford

    Maybe someday this website will stop thinking it's slashdot and not "censor" that word...

  • osmarks (unregistered)

    The issue here is not authentication code but someone just being really bad at SQL. Unlike crypto, there isn't ridiculously complicated maths involved, nor hidden complexities where using some perfectly sound primitives together in the wrong way can break things horribly, nor weirdness like side-channel attacks.

  • Wizofaus (unregistered) in reply to Best Of 2021

    When I first used hibernate I used java streams to implement the filter logic, foolishly assuming an equivalence with linq2sql. Only when it started performing like a dog on big databases did we realise the issue. To this day I can't understand why hibernate has no type safe way of efficiently querying a database. Even linq2sql (pre .net 3.0), can bite you if it fails to compile your query fully into SQL.

  • Spot The Academic (unregistered)

    So let me get this straight: they knew enough about databases in theory to know what an index is, but not enough to write a proper SQL query? Code red, we're dealing with an academic here!!!

  • (nodebb)

    I long ago got tired of how often I was seeing this search algorithm bug in Stack Overflow questions (most don't involve a DB query, so can't be fixed with a simple WHERE clause). I wrote a generic answer: https://stackoverflow.com/questions/42913798/searching-array-reports-not-found-even-though-its-found/42913882#42913882

  • Barf4Eva (unregistered)

    WHEREfore Art thou Valid User?

  • dan (unregistered)

    I'd honestly rather deal with an unapologetically database clueless person than one who derps their way forward using an ORM with zero understanding of how it works. They make it easy to write innocuous looking code that utterly hammers the crap out of the database server for no good reason, e.g. doing searches in ways that require pulling the entire table(s) to the application instead of generating a WHERE on the database side, or generating multiple independently executed queries for each record instead of doing everything in a single shot.

  • Prime Mover (unregistered)

    A developer who does not understand the rudiments of database access is no developer. Fire such people. (Or make an attempt to train them first, if you must.)

  • Best Of 2021 (unregistered) in reply to Wizofaus

    When I first used hibernate I used java streams to implement the filter logic, foolishly assuming an equivalence with linq2sql.

    I actually wrote (pre-Java 8) a library to do load on demand query building for exactly this reason. It's amazing that Java doesn't have execute-on-demand LINQ like capabilities.

    I guess Hibernate would claim their Criteria API is along these lines.

  • Some Ed (unregistered) in reply to Dlareg

    Only teach him about how to do parameterized WHERE clauses.

    I'm quite frankly surprised that more people don't do this. Parameterized WHERE clauses are not that difficult to do, and can be used for all cases. It may be a little less efficient to use a parameterized where clause when your where clause is a constant, but it's not technically complicated and works.
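Pulling together Alipha's point about password hashing and `==` and Some Ed's point about parameterized WHERE clauses: an added example, not code from the article or from any commenter, written in Python with sqlite3 as a stand-in for the C#/ADO.NET code under discussion. The schema, user names and passwords are constructed for the example; the "last one in" loop is included only for contrast with the fixed lookup.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt work factors (constructed for the example; tune for your hardware)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt per user if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def make_db():
    """Constructed in-memory users table: username, per-user salt, scrypt digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, *hash_password(pw)))
    conn.commit()
    return conn


def authenticate_last_one_in(conn, username, password):
    """The anti-pattern from the thread: every row is fetched and the result is
    overwritten on each iteration, so only the LAST row in the table decides."""
    authenticated = False
    rows = conn.execute("SELECT username, salt, hash FROM users ORDER BY rowid")
    for user, salt, digest in rows:
        authenticated = (user == username and hash_password(password, salt)[1] == digest)
    return authenticated


def authenticate(conn, username, password):
    """Fixed: a parameterized WHERE clause fetches only the candidate row (no string
    concatenation, so no injection) and the digest is compared in constant time."""
    row = conn.execute(
        "SELECT salt, hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, digest = row
    return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

With the two-row table above, the buggy loop only ever authenticates the last user, while the fixed lookup authenticates each user against their own row.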

  • (nodebb)

    The database lecture was one of the most important ones in my curriculum - not officially, but in terms of insights for program design.

    I haven't used SQL since, but the principles used for designing a database scheme translate directly to keeping data structures sane.

    Our code is full of duplicated data and the bugs are often related to accessing a version that has become outdated.

Leave a comment on “Last One In”
