Comments

ForReal • October 12, 2007 3:04 PM

It is funny. If you know what it's about! And even more so if you've ever dropped a table or even a WHOLE Database by accident.

Anonymous • October 12, 2007 3:26 PM

"It is funny. If you know what it's about!"

Or if you look it up... and that's the way most XKCD strips are. I like this.

Joe Patterson • October 12, 2007 3:26 PM

Names are weird. There's a (usually uncodified) assumption that they're all alpha, a-z. And maybe hyphens. All numbers in roman numerals (which are conveniently made up of alpha letters), and almost no punctuation.

I tried to convince my wife that our son's name should be spelled with a silent 5. I was unsuccessful.

Little Bobby Tables would have been better.

nzruss • October 12, 2007 3:32 PM

It would be an interesting study to fill out survey cards / government forms with similar SQL injections. See if the data entry person a) picks it up, or b) types it in and drops the table!

Might slow down those companies that have people approach you in the mall.....
"win a free corvette".... LOL.. no database for you!!!

Michael • October 12, 2007 3:47 PM

I think I might set my browser's user agent string to "Internet Explorer'); DROP TABLE browsers;--"

Mike Schiraldi • October 12, 2007 3:57 PM

@nzruss: I think Ed Skoudis had an idea like that.. something involving XSS and a web bug.

tcliu • October 12, 2007 4:00 PM

Mother, don't let your kids grow up thinking that they should sanitize the DB input. Teach them to use prepared statements instead.

Anonymous • October 12, 2007 4:08 PM

Is there any XKCD that's *not* really funny? :) But yeah, I rather expected this one to end up here. :)

sehlat • October 12, 2007 5:18 PM

I sent the link to this around to a bunch of my colleagues who, like me, are working on "sanitizing our inputs." It took an hour for the laughter to die down to giggles.

LDP • October 12, 2007 5:25 PM

Ha, if you hover over the comic, it reads "Her daughter is named Help I'm Trapped in a Driver's License Factory"

Jim • October 12, 2007 5:39 PM

Mama, make sure that if they DO use prepared statements, they explicitly BIND all user-data variables. PreparedStatements alone just will not do!

dragonfrog • October 12, 2007 6:01 PM

Isn't a prepared statement with placeholders for any potentially hostile values just a canned method of sanitizing your database input?

tcliu • October 12, 2007 7:09 PM

@dragonfrog:

Sort-of-yes. When most people talk about sanitizing the input, they mean "match the user input against a regular expression that accepts all valid input and rejects all invalid input", or alternatively "try to reject all characters in the input that may result in SQL injection".

This usually results in either missing something and then getting a sql injection, or having input sanitizing so strict that nothing of any value can be input.

Using prepared statements with placeholders means you can skip all that.

In the same sense, XSS is best dealt with by output escaping, not by input sanitizing.
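The difference tcliu describes, as an added example that is not from any commenter: the Bobby Tables name from the comic pasted into SQL text versus bound as a parameter, using Python's sqlite3 in memory as a stand-in for MySQL. The table name and the O'Rourke test name are constructed for the demo.

```python
import sqlite3

# Constructed sample input: the name from the comic (see the comment above).
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """In-memory database with one Students row (constructed fixture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (name TEXT)")
    con.execute("INSERT INTO Students VALUES ('Alice')")
    return con


def insert_unsafe(con, name):
    """Vulnerable: user data is pasted into the SQL text.

    executescript() runs everything in the string, so a name that closes the
    quote and adds ';' contributes extra statements of its own."""
    con.executescript(f"INSERT INTO Students VALUES ('{name}');")


def insert_safe(con, name):
    """Prepared statement with a bound parameter.

    The '?' placeholder is filled by the driver after the SQL has been parsed,
    so the name is stored verbatim and never interpreted as SQL. No regex
    filter is needed, so apostrophes (O'Rourke) are accepted as-is."""
    con.execute("INSERT INTO Students VALUES (?)", (name,))


def student_names(con):
    """All names in byte order, or None if the table no longer exists."""
    try:
        rows = con.execute("SELECT name FROM Students ORDER BY name")
        return [r[0] for r in rows]
    except sqlite3.OperationalError:  # "no such table": it was dropped
        return None


if __name__ == "__main__":
    db = fresh_db()
    insert_unsafe(db, BOBBY)
    print("after unsafe insert:", student_names(db))   # None, table is gone
    db = fresh_db()
    insert_safe(db, BOBBY)
    insert_safe(db, "O'Rourke")
    print("after safe inserts:", student_names(db))    # all three names intact
```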

Thomas • October 12, 2007 8:06 PM

I just thought of a movie plot:

Presidential candidate wins due to massive financial backing of his campaign by unknown sources (British Patriots still mad about the American Revolution).

American Armed forces update their database with the name of their new Commander-in-Chief, Bob '; update icbm_targets set city="New York"';' Smith.

Luckily our Hero hacks GoogleMaps to relocate 'New York', causing the missiles to plunge (mostly) harmlessly into [one of the boring square-ish states in the middle].

In an ironic twist of fate, the hack causes the Bad Guy, who is following the directions of his GPS navigator, to drive his SUV off a cliff resulting in a spectacular fireball.

Anonymous • October 12, 2007 8:41 PM

@Hen3ry

You go to all the trouble to spell your name with a 3 to show what an individualist you are, and then simply make Tom Lehrer references...

Lawrence D'Oliveiro • October 12, 2007 10:37 PM

For calling MySQL from C++:

#include <iostream>

using namespace std;

typedef unsigned char uchar; /* not a standard type; assumed to mean a plain byte */

void SQLString
(
    istream & In,
    ostream & Out
)
/* writes a MySQL string literal to Out which evaluates to In. */
{
    Out.put('"');
    for (;;)
    {
        uchar ThisCh;
        ThisCh = In.get(); /* get() sets eofbit once the input is exhausted */
        if (In.eof())
            break;
        switch (ThisCh)
        {
        case 0: /* NUL */
            Out.put('\\');
            Out.put('0');
            break;
        case 8: /* backspace */
            Out.put('\\');
            Out.put('b');
            break;
        case 9: /* tab */
            Out.put('\\');
            Out.put('t');
            break;
        case 10: /* newline */
            Out.put('\\');
            Out.put('n');
            break;
        case 13: /* carriage return */
            Out.put('\\');
            Out.put('r');
            break;
        case 26: /* Ctrl-Z: MySQL's escape is \Z (upper case); \z would be read as a plain z */
            Out.put('\\');
            Out.put('Z');
            break;
        case '"': /* quote characters and the backslash itself get a backslash prefix */
        case '\'':
        case '\\':
            Out.put('\\');
            Out.put(ThisCh);
            break;
        default:
            Out.put(ThisCh);
            break;
        } /*switch*/
    } /*for*/
    Out.put('"');
} /*SQLString*/

Oh yes, and

/* uses the same <iostream> include and uchar alias as SQLString */
void QuoteSQLWild
(
    istream & In,
    ostream & Out
)
/* writes In to Out, escaping "%" and "_" characters. Pass the result through
   SQLString afterwards so the added backslashes survive string-literal parsing. */
{
    for (;;)
    {
        uchar ThisCh;
        ThisCh = In.get();
        if (In.eof())
            break;
        if (ThisCh == '\\' or ThisCh == '%' or ThisCh == '_')
        {
            Out.put('\\');
        } /*if*/
        Out.put(ThisCh);
    } /*for*/
} /*QuoteSQLWild*/

for putting user-entered strings into "like" clauses. ALWAYS use these in building your MySQL statements, and you can kiss those SQL injection vulnerabilities goodbye!

As a handy side effect, they also allow you to handle arbitrary binary data in your databases.
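A Python counterpart to the LIKE point above, added here and not from the commenter: binding the pattern as a parameter stops injection, but % and _ inside user text still act as wildcards, so they have to be escaped and the escape character declared with an ESCAPE clause. sqlite3 in memory stands in for MySQL; the sample names are constructed.

```python
import sqlite3

# Constructed sample data: names that happen to contain LIKE metacharacters.
SAMPLE_NAMES = ["Bob", "50%_off", "500 off", "5_0"]


def quote_sql_wild(s, esc="\\"):
    """Escape '%', '_' and the escape character itself for a LIKE pattern.

    Same idea as the commenter's QuoteSQLWild; the escape character is told
    to the database with ESCAPE rather than relying on a MySQL default."""
    return "".join(esc + ch if ch in (esc, "%", "_") else ch for ch in s)


def fresh_db():
    """In-memory table populated with SAMPLE_NAMES (constructed fixture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (name TEXT)")
    con.executemany("INSERT INTO Students VALUES (?)",
                    [(n,) for n in SAMPLE_NAMES])
    return con


def starts_with_naive(con, prefix):
    """Bound parameter, so no injection, but wildcards in prefix still match."""
    rows = con.execute(
        "SELECT name FROM Students WHERE name LIKE ? ORDER BY name",
        (prefix + "%",))
    return [r[0] for r in rows]


def starts_with(con, prefix):
    """Bound parameter plus wildcard escaping: prefix is matched literally."""
    rows = con.execute(
        "SELECT name FROM Students WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (quote_sql_wild(prefix) + "%",))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = fresh_db()
    print("naive  '50%':", starts_with_naive(db, "50%"))  # also matches "500 off"
    print("quoted '50%':", starts_with(db, "50%"))        # only "50%_off"
    print("naive  '5_': ", starts_with_naive(db, "5_"))   # '_' matches any char
    print("quoted '5_': ", starts_with(db, "5_"))         # only "5_0"
```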

James • October 13, 2007 12:46 AM

Be sure to hover over images in xkcd (so that the title attribute of the img tag gets displayed -- it's often the funniest bit).

John G • October 13, 2007 7:49 PM

Charles Schulz had a Peanuts character, probably in the late 50s or early 60s, called something like 53216906 (known as "5"). When asked if his name was his parents' way of protesting the increasing data-processing ways of the state, he replied, "no, it's their way of giving in."

Little Bobby in this thread seems more subversive.

bob • October 15, 2007 6:53 AM

I am a devout follower of xkcd. This is the funniest one yet. When I read this I laughed more or less continuously for about 30 minutes. The guy in the next cube came over, saw what I had read, and didn't get it, which made it that much funnier.

Anonymous • October 15, 2007 8:29 AM

@Hen3ry, research is ok, it helps you to be prepared (remember the Boy Scouts), but don't let them catch you at it!
:-)

O'Rourke • October 15, 2007 7:44 PM

As an owner of an apostrophe-laden name, this xkcd really cracked me up. I can't stand when websites tell me my name isn't valid! Sometimes when I'm in a bad mood I'll spell it OapostropheRourke.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.