An SQL Injection Attack Is a Legal Company Name in the UK

Someone just registered their company name as ; DROP TABLE "COMPANIES";-- LTD.

Reddit thread. Obligatory xkcd comic.

Posted on January 4, 2017 at 3:17 PM • 22 Comments

Comments

mark hutchinson • January 4, 2017 4:28 PM

Brilliantly subversive.

I would try to use high range unicode characters in a company name that won't render properly or be searchable by low-range ASCII applications.

Karl • January 4, 2017 4:40 PM

The CCDC/CTF team at the University of Washington set up a gift budget with an SQL injection name. We were asked to change it and obliged, but apparently it was never updated in various university systems.

Charlie Kilian • January 4, 2017 4:43 PM

It needs a single quote at the beginning of the company name to actually work. You have to close out the string you're presumably in.

Sam Pizzey • January 4, 2017 4:55 PM

I am pretty dodgy, but 'having registered multiple companies' is not on the list of reasons why.

RogerBW • January 4, 2017 6:51 PM

I know the registrant - it's deliberately not an actual attack, just a way of getting people to pay a bit of attention to the company name.

Clive Robinson • January 4, 2017 7:18 PM

OK, having got the registered address, has anybody gone and looked at it via google etc?

Maybe see if the company name plate is up on the wall by the entrance as it is supposed to be ;-)

Dr. I. Needtob Athe • January 4, 2017 9:35 PM

I don't need to click the link to the comic, I already know which one it is. ;)

Sam Pizzey • January 5, 2017 1:53 AM

> OK, having got the registered address, has anybody gone and looked at it via google etc?
> Maybe see if the company name plate is up on the wall by the entrance as it is supposed to be ;-)

That is *not* a requirement - if you'd looked at it on Google you'd see that it is quite obviously my home. It couldn't be more obviously a house if it tried, there's chickens walking around even, who keeps chickens at an office? :)

(Sorry to keep replying to these in such a killjoy manner by the way - I do get that you're having a laugh, it's just, on a site like Bruce's with such SEO juice, it's a bit annoying to have people erroneously saying I'm doing something dodgy for people to find one day)

Clive Robinson • January 5, 2017 2:50 AM

@ Dr. I. Needtob Athe,

> I don't need to click the link to the comic, I already know which one it is. ;)

Because it's on the front of your T-Shirt B-)

Clive Robinson • January 5, 2017 3:13 AM

@ Sam Pizzey,

> I do get that you're having a laugh, it's just, on a site like Bruce's with such SEO juice, it's a bit annoying to have people erroneously saying I'm doing something dodgy for people to find one day

What is that old marketing meme "There is no such thing as bad news, just opportunity"...

As for,

> It couldn't be more obviously a house if it tried, there's chickens walking around even, who keeps chickens at an office?

Hmm there are oh so many jokes one could make on that, you would have thought nobody could come up with a new one, but...

Then some person (in Sweden) decided to make a new gender-neutral personal pronoun so instead of just "his" and "her" we now have "hen" as well, I kid you not, so "hen house" is now ambiguous...

https://en.m.wikipedia.org/wiki/Hen_(pronoun)

And obviously ripe for new "yokes" to be "cracked", "hatched" etc...

HeyRatFans • January 5, 2017 5:53 AM

@ Sam Pizzey
> who keeps chickens at an office?

Omlet do ;)

(Disclaimer: I used to work for them, so speak from experience)

jer • January 5, 2017 2:15 PM

@Drone: Explain what? By the time you've read and grasped this article, the meaning of the xkcd comic should be obvious?

TJ • January 5, 2017 11:30 PM

three-to-one says there isn't a person under the name who knows database security..

Someone had the money to spend.. I think you can register in the US for like $500.00. At least an LLC.

EvilKiru • January 6, 2017 12:24 AM

@John Leeming: In the USA, LLCs are regulated at the state-level, so the cost of registering an LLC varies by state. In Michigan, for example, it costs $50 and there's a $25 annual fee to maintain the registration in subsequent years.

@TJ: I'd say the odds are pretty even that @Sam Pizzey knows enough about database security to register his company name in a manner that makes it look like an SQL injection attack at first glance, without actually being one, seeing as how it's missing a name, a closing ', and a closing ) from the front of the name.
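
The point raised in Charlie Kilian's and EvilKiru's comments, shown as an added example that is not part of the original post or thread: a name with no single quote stays inside the string literal even under naive concatenation, while a bound parameter stores any name verbatim. The `COMPANIES` column layout, the function names and the apostrophe name are assumptions made for illustration.

```python
import sqlite3

# The name as quoted in the post; it contains no single quote.
REGISTERED_NAME = '; DROP TABLE "COMPANIES";-- LTD'
# Constructed sample: an ordinary name that happens to contain a single quote.
APOSTROPHE_NAME = "O'NEILL & SONS LTD"


def new_db():
    """In-memory database with a hypothetical COMPANIES table."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE "COMPANIES" (name TEXT NOT NULL)')
    return db


def insert_concat(db, name):
    """Fragile form: the name is pasted between two quote characters."""
    sql = "INSERT INTO \"COMPANIES\" (name) VALUES ('" + name + "');"
    db.executescript(sql)  # executescript allows more than one statement per call


def insert_bound(db, name):
    """Hardened form: the name travels as a bound parameter, never as SQL text."""
    db.execute('INSERT INTO "COMPANIES" (name) VALUES (?)', (name,))


def stored_names(db):
    return [row[0] for row in db.execute('SELECT name FROM "COMPANIES" ORDER BY rowid')]


def concat_outcome(name):
    """Return the stored rows, or the error class if the built SQL fails to parse."""
    db = new_db()
    try:
        insert_concat(db, name)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return stored_names(db)


def bound_outcome(names):
    """Insert every name through the bound-parameter path and return the rows."""
    db = new_db()
    for name in names:
        insert_bound(db, name)
    return stored_names(db)
```

The concatenated insert stores the registered name as plain data, but fails on the apostrophe name because the quote ends the literal early; the bound insert stores both unchanged.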

de La Boetie • January 6, 2017 6:40 AM

Might there not similarly be a Wheeze in doing similar with providing text on images and T-Shirts to test those doing text recognition on captured images? Or in those improperly scanning communications?

Name • January 10, 2017 8:51 AM

Kim Kardashian's aggression hotel is named "No Address".

I also heard of someone tired of being called Mr None (or was it Mr Doe?) for real.
