Schneier on Security
A blog covering security and security technology.
October 12, 2007
SQL Injection Attack
Okay, this xkcd cartoon is really funny.
Posted on October 12, 2007 at 2:18 PM
It is funny. If you know what it's about! And even more so if you've ever dropped a table or even a WHOLE Database by accident.
"It is funny. If you know what it's about!"
Or if you look it up... and that's the way most XKCD strips are. I like this.
Names are weird. There's a (usually uncodified) assumption that they're all alpha, a-z. And maybe hyphens. All numbers in roman numerals (which are conveniently made up of alpha letters), and almost no punctuation.
I tried to convince my wife that our son's name should be spelled with a silent 5. I was unsuccessful.
Little Bobby Tables would have been better.
Joe, what about Irish surnames, e.g. O'Malley?
Oh, and .
It would be an interesting study to fill out on survey cards / government forms with similar sql injections. See if the data entry person a)picks it up, or b) types it in and drops the table!
Might slow down those companies that have people approach you in the mall.....
"win a free corvette".... LOL.. no database for you!!!
If enough people see this "Bobby Tabled" could become a verb!
I think I might set my browser's user agent string to "Internet Explorer'); DROP TABLE browsers;--"
Or Hen3ry; an old acquaintance of Tom Lehrer....
@nzruss: I think Ed Skoudis had an idea like that.. something involving XSS and a web bug.
Yes, it's funny. To a chosen few. And between these chosen few, it has been flogged to death. Already. Several times. over.
Mother, don't let your kids grow up thinking that they should sanitize the DB input. Teach them to use prepared statements instead.
"DROP TABLE Employees" would be yet more fun.
@Erik - I'm as guilty Nikolai Ivanovich Lobachevsky :)
Is there any XKCD that's *not* really funny? :) But yeah, I rather expected this one to end up here. :)
Only be sure always to call it please 'research'.
Use *placeholders*, Luke ;)
I sent the link to this around to a bunch of my colleagues who, like me, are working on "sanitizing our inputs." It took an hour for the laughter to die down to giggles.
Ha, if you hover over the comic, it reads "Her daughter is named Help I'm Trapped in a Driver's License Factory"
Mama, make sure that if they DO use prepared statements, they explicitly BIND all user-data variables. PreparedStatements alone just will not do!
isn't a prepared statement with placeholders for any potentially hostile values just a canned method of sanitizing your database input?
Sort-of-yes. When most people talk about sanitizing the input, they mean "match the user input against a regular expression that accepts all valid input and rejects all invalid input", or alternatively "try to reject all characters in the input that may result in SQL injection".
This usually results in either missing something and then getting a sql injection, or having input sanitizing so strict that nothing of any value can be input.
Using prepared statements with placeholders means you can skip all that.
In the same sense, XSS is best dealt with by output escaping, not by input sanitizing.
I just thought of a movie plot:
Presidential candidate wins due to massive financial backing of his campaign by unknown sources (British Patriots still mad about the American Revolution).
American Armed forces update their database with the name of their new Commander-in-Chief, Bob '; update icbm_targets set city="New York"';' Smith.
Luckily our Hero hacks GoogleMaps to relocate 'New York', causing the missiles to plunge (mostly) harmlessly into [one of the boring square-ish states in the middle].
In an ironic twist of fate, the hack causes the Bad Guy, who is following the directions of his GPS navigator, to drive his SUV off a cliff resulting in a spectacular fireball.
You go to all the trouble to spell your name with a 3 to show what an individualist you are, and then simply make Tom Lehrer references...
For calling MySQL from C++:
    #include <iostream>   // added; the two function names below are assumed, the original declarations were lost
    using namespace std;

    void WriteMySQLString(istream & In, ostream & Out) {
    /* writes a MySQL string literal to Out which evaluates to In. */
        Out << '\'';
        for (int ThisCh = In.get(); In; ThisCh = In.get()) {
            if (ThisCh == '\'' or ThisCh == '\\') Out << '\\';   // backslash-escape the quote and the escape char
            Out << (char)ThisCh;
        }
        Out << '\'';
    }
Oh yes, and
    void EscapeMySQLLike(istream & In, ostream & Out) {
    /* writes In to Out, escaping "%" and "_" characters. */
        for (int ThisCh = In.get(); In; ThisCh = In.get()) {
            if (ThisCh == '\\' or ThisCh == '%' or ThisCh == '_') Out << '\\';   // wildcard characters become literal
            Out << (char)ThisCh;
        }
    }
for putting user-entered strings into "like" clauses. ALWAYS use these in building your MySQL statements, and you can kiss those SQL injection vulnerabilities goodbye!
As a handy side effect, they also allow you to handle arbitrary binary data in your databases.
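Two of the points made above, placeholders instead of input sanitizing and the separate escaping still needed for LIKE wildcards, run against an in-memory SQLite table here. This is an added example, not code from the thread; it uses Python's sqlite3 module rather than MySQL from C++, and the table, the inputs and the function names are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample inputs: the comic's name and an apostrophe-laden surname from the thread.
BOBBY = "Robert'); DROP TABLE Students;--"
OMALLEY = "O'Malley"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    return conn

def insert_by_concatenation(conn, name):
    # The name is spliced into the SQL text, so a quote in it changes the statement itself.
    # executescript runs every statement in the string, as a multi-statement client would.
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")

def insert_with_placeholder(conn, name):
    # The driver binds the name as a value; it is never parsed as SQL.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))

def students_table_exists(conn):
    q = "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    return conn.execute(q).fetchone()[0] == 1

def escape_like(value, esc="\\"):
    # A bound parameter still carries LIKE wildcards; escape %, _ and the escape char itself.
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def count_like(conn, fragment):
    # Counts names containing the fragment literally, wildcards included.
    pattern = "%" + escape_like(fragment) + "%"
    return conn.execute("SELECT count(*) FROM Students WHERE name LIKE ? ESCAPE '\\'",
                        (pattern,)).fetchone()[0]

def run_concatenation():
    conn = fresh_db()
    insert_by_concatenation(conn, BOBBY)
    survived = students_table_exists(conn)          # False: Bobby dropped the table
    try:
        insert_by_concatenation(fresh_db(), OMALLEY)
        omalley_ok = True
    except sqlite3.Error:                           # the apostrophe breaks the statement
        omalley_ok = False
    return survived, omalley_ok

def run_placeholders():
    conn = fresh_db()
    for n in (BOBBY, OMALLEY, "100%_sure"):
        insert_with_placeholder(conn, n)
    return students_table_exists(conn), count_like(conn, "%_"), count_like(conn, "'")
```

With placeholders all three names are stored as plain data and the table survives; the concatenated version both loses the table to Bobby and rejects O'Malley outright.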
Be sure to hover over images in xkcd (so that the title attribute of the img tag gets displayed -- it's often the funniest bit).
Charles Schulz had a Peanuts character, probably in the late 50s or early 60s, called something like 53216906 (known as "5"). When asked if his name was his parents' way of protesting the increasing data-processing ways of the state, he replied, "no, it's their way of giving in."
Little Bobby in this thread seems more subversive.
I am a devout follower of xkcd. This is the funniest one yet. When I read this I laughed more or less continuously for about 30 minutes. The guy in the next cube came over, saw what I had read, and didn't get it; which made it that much funnier.
@Hen3ry, research is ok, it helps you to be prepared (remember the Boy Scouts), but don't let them catch you at it!
As an owner of an apostrophe-laden name, this xkcd really cracked me up. I can't stand when websites tell me my name isn't valid! Sometimes when I'm in a bad mood I'll spell it OapostropheRourke.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.