SQL Injection Attack
Okay, this xkcd cartoon is really funny.
Comments
Anonymous • October 12, 2007 3:26 PM
“It is funny. If you know what it’s about!”
Or if you look it up… and that’s the way most XKCD strips are. I like this.
Joe Patterson • October 12, 2007 3:26 PM
Names are weird. There’s a (usually uncodified) assumption that they’re all alpha, a-z. And maybe hyphens. All numbers in roman numerals (which are conveniently made up of alpha letters), and almost no punctuation.
I tried to convince my wife that our son’s name should be spelled with a silent 5. I was unsuccessful.
Little Bobby Tables would have been better.
Nix • October 12, 2007 3:30 PM
Joe, what about Irish surnames, e.g. O’Malley?
Oh, and http://littlebobbytables.com/.
Nix • October 12, 2007 3:32 PM
Damn URL snipping. Trying again: http://littlebobbytables.com/
nzruss • October 12, 2007 3:32 PM
It would be an interesting study to fill out on survey cards / government forms with similar sql injections. See if the data entry person a)picks it up, or b) types it in and drops the table!
Might slow down those companies that have people approach you in the mall…..
“win a free corvette”…. LOL.. no database for you!!!
Hen3ry • October 12, 2007 3:47 PM
If enough people see this “Bobby Tabled” could become a verb!
Michael • October 12, 2007 3:47 PM
I think I might set my browser’s user agent string to “Internet Explorer’); DROP TABLE browsers;–“
Erik W • October 12, 2007 3:48 PM
Or Hen3ry; an old acquaintance of Tom Lehrer….
Mike Schiraldi • October 12, 2007 3:57 PM
@nzruss: I think Ed Skoudis had an idea like that.. something involving XSS and a web bug.
buntklicker.de • October 12, 2007 4:00 PM
Yes, it’s funny. To a chosen few. And between these chosen few, it has been flogged to death. Already. Several times. over.
tcliu • October 12, 2007 4:00 PM
Mother, don’t let your kids grow up thinking that they should sanitize the DB input. Teach them to use prepared statements instead.
Anonymous • October 12, 2007 4:02 PM
“DROP TABLE Employees” would be yet more fun.
Hen3ry • October 12, 2007 4:07 PM
@Erik – I’m as guilty Nikolai Ivanovich Lobachevsky 🙂
Anonymous • October 12, 2007 4:08 PM
Is there any XKCD that’s not really funny? 🙂 But yeah, I rather expected this one to end up here. 🙂
Anonymous • October 12, 2007 4:24 PM
@Hen3ry:
Only be sure always to call it please ‘research’.
dil • October 12, 2007 4:29 PM
Use placeholders, Luke 😉
Jim Cropcho • October 12, 2007 4:40 PM
Ha! Loved it, Bruce.
sehlat • October 12, 2007 5:18 PM
I sent the link to this around to a bunch of my colleagues who, like me, are working on “sanitizing our inputs.” It took an hour for the laughter to die down to giggles.
LDP • October 12, 2007 5:25 PM
Ha, if you hover over the comic, it reads “Her daughter is named Help I’m Trapped in a Driver’s License Factory”
Jim • October 12, 2007 5:39 PM
Mama, make sure they if they DO use prepared statements, that they explicitly BIND all user-data variables. PreparedStatements alone just will not do!
dragonfrog • October 12, 2007 6:01 PM
isn’t a prepared statement with placeholders for any potentially hostile values just a canned method of sanitizing your database input?
tcliu • October 12, 2007 7:09 PM
@dragonfrog:
Sort-of-yes. What most people mean when they talk about sanitizing the input, they mean “match the user input against a regular expression that accepts all valid input and rejects all invalid input”, or alternatively “try to reject all characters in the input that may result in SQL injection”.
This usually results in either missing something and then getting a sql injection, or having input sanitizing so strict that nothing of any value can be input.
Using prepared statements with placeholders means you can skip all that.
In the same sense, XSS is best dealt with by output escaping, not by input sanitizing.
Thomas • October 12, 2007 8:06 PM
I just thought of a movie plot:
Presidential candidate wins due to massive financial backing of his campaign by unknown sources (British Patriots still mad about the American Revolution).
American Armed forces update their database with the name of their new Commander-in-Chief, Bob ‘; update icbm_targets set city=”New York”‘;’ Smith.
Luckily our Hero hacks GoogleMaps to relocate ‘New York’, causing the missiles to plunge (mostly) harmlessly into [one of the boring square-ish states in the middle].
In an ironic twist of fate, the hack causes the Bad Guy, who is following the directions of his GPS navigator, to drive his SUV off a cliff resulting in a spectacular fireball.
Anonymous • October 12, 2007 8:41 PM
@Hen3ry
You go to all the trouble to spell your name with a 3 to show what an individualist you are, and then simply make Tom Lehrer references…
Lawrence D'Oliveiro • October 12, 2007 10:37 PM
For calling MySQL from C++:
void SQLString
(
istream & In,
ostream & Out
)
/* writes a MySQL string literal to Out which evaluates to In. /
{
Out.put(‘”‘);
for (;;)
{
uchar ThisCh;
ThisCh = In.get();
if (In.eof())
break;
switch (ThisCh)
{
case 0:
Out.put(‘\’);
Out.put(‘0’);
break;
case 8:
Out.put(‘\’);
Out.put(‘b’);
break;
case 9:
Out.put(‘\’);
Out.put(‘t’);
break;
case 10:
Out.put(‘\’);
Out.put(‘n’);
break;
case 13:
Out.put(‘\’);
Out.put(‘r’);
break;
case 26:
Out.put(‘\’);
Out.put(‘z’);
break;
case ‘”‘:
case ‘\”:
case ‘\’:
Out.put(‘\’);
Out.put(ThisCh);
break;
default:
Out.put(ThisCh);
break;
} /switch/
} /for/
Out.put(‘”‘);
} /SQLString*/
Oh yes, and
void QuoteSQLWild
(
istream & In,
ostream & Out
)
/* writes In to Out, escaping “%” and “” characters. */
{
for (;;)
{
uchar ThisCh;
ThisCh = In.get();
if (In.eof())
break;
if (ThisCh == ‘\’ or ThisCh == ‘%’ or ThisCh == ‘‘)
{
Out.put(‘\’);
} /if/
Out.put(ThisCh);
} /for/
} /QuoteSQLWild/
for putting user-entered strings into “like” clauses. ALWAYS use these in building your MySQL statements, and you can kiss those SQL injection vulnerabilities goodbye!
As a handy side effect, they also allow you to handle arbitrary binary data in your databases.
James • October 13, 2007 12:46 AM
Be sure to hover over images in xkcd (so that the title attribute of the img tag gets displayed — it’s often the funniest bit).
John G • October 13, 2007 7:49 PM
Charles Schulz had a Peanuts character, probably in the late 50s or early 60s, called something like 53216906 (known as “5”). When asked if his name was his parents’ way of protesting the increasing data-processing ways of the state, he replied, “no, it’s their way of giving in.”
Little Bobby in this thread seems more subversive.
bob • October 15, 2007 6:53 AM
I am a devout follower of xkcd. This is the funniest one yet. When I read this I laughed more or less continuously for about 30 minutes. The guy in the next cube came over, saw what I had read, and didnt get it; which made it that much funnier.
Anonymous • October 15, 2007 8:29 AM
@Hen3ry, research is ok, it helps you to be prepared (remember the Boy Scouts), but don’t let them catch you at it!
🙂
O'Rourke • October 15, 2007 7:44 PM
As an owner of an apostrophe-laden name, this xkcd really cracked me up. I can’t stand when websites tell me my name isn’t valid! Sometimes when I’m in a bad mood I’ll spell it OapostropheRourke.
Subscribe to comments on this entry
Leave a comment
Sidebar photo of Bruce Schneier by Joe MacInnis.
ForReal • October 12, 2007 3:04 PM
It is funny. If you know what it’s about! And even more so if you’ve ever dropped a table or even a WHOLE Database by accident.