I just finished reading all available episodes of Candi and MegaTokyo and am waiting for more to arrive, day by day. One of the things I like about them is the ongoing story lines -- something that's largely missing from newspaper style comics these days. Do you have any others to recommend?
Hmm. It's an exploit of a known problem in common interfaces to MySQL databases using PHP. What often gets coded is something like (Note: I'm not going for accuracy here):
// user-supplied value pasted straight into the SQL text
$name = $_POST['name'];
mysql_query("INSERT INTO Students VALUES ('$name')");
Which tells the database to insert the student into the Students database using the given name. Now, you can string multiple commands together in what you send to MySQL, so when the name from the comic is inserted, what gets sent is:
"INSERT INTO Students VALUES ('Robert');DROP TABLE Students; --')"
Which is a command to insert the name 'Robert', then to delete the entire database, and then to ignore the ending garbage.
The solution is to never blindly plug data accepted from a user into a database (or any other program), without first 'sanitizing' it to make sure it's safe, and does what you want.
One also wonders why SQL does not provide Hollerith fields, given that it is used in this crazy string-patching way. If the quoted material were not "'Robert');...--'" but "13HRobert');...--" there would be no difficulty. It's not substantially harder for a machine to generate, anyway.
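As an added example (not code from anyone in this thread), here is the pattern the 03:52 comment describes and the fix it calls 'sanitizing', run in Python against an in-memory SQLite database rather than PHP/MySQL. The string-pasted version executes the comic's name as three statements and loses the table; the parameterized version sends the value separately from the SQL text, which is also the length-delimited delivery the Hollerith reply above is asking for. The Students table, the Alice row and the use of executescript() to mimic an interface that runs several ';'-separated statements are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: the "name" from the comic, exactly as a user would submit it.
BOBBY = "Robert');DROP TABLE Students; --"


def fresh_db():
    """In-memory database with a Students table and one existing row (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Students (name TEXT)")
    con.execute("INSERT INTO Students VALUES ('Alice')")
    con.commit()
    return con


def table_exists(con):
    """True if the Students table is still present in the schema."""
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def insert_unsafe(con, name):
    """The vulnerable pattern: user data is interpolated into the SQL text.

    executescript() is used here because, like the interface the comment
    describes, it runs every ';'-separated statement in the string, so the
    quote in the name ends the literal and the rest is executed as SQL.
    """
    con.executescript("INSERT INTO Students VALUES ('%s')" % name)


def insert_safe(con, name):
    """The fix: a parameterized query. The SQL text is fixed at coding time and
    the value is handed to the driver separately, so it can only ever be data."""
    con.execute("INSERT INTO Students VALUES (?)", (name,))
    con.commit()


def demo_unsafe():
    """Returns whether the table survived the comic's name via string pasting."""
    con = fresh_db()
    insert_unsafe(con, BOBBY)
    return table_exists(con)  # False: the DROP TABLE ran


def demo_safe():
    """Returns (table survived?, stored names) via the parameterized insert."""
    con = fresh_db()
    insert_safe(con, BOBBY)
    names = [r[0] for r in con.execute("SELECT name FROM Students ORDER BY name")]
    return table_exists(con), names  # (True, ['Alice', "Robert');DROP TABLE Students; --"])


if __name__ == "__main__":
    print("unsafe insert, table still exists:", demo_unsafe())
    print("safe insert:", demo_safe())
```

Note that the safe version stores the whole odd-looking name as a literal string; nothing about the input needs to be guessed at or stripped, because the query shape was never built from it.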
This reminds me of the fellow on Slashdot who wrote:
"Why do they always say not to use my dog's name as a password? His name consists of a random collection of letters, digits and punctuation, and I change it weekly."
Aha! I liked this one: http://xkcd.com/55/ , which I found used without attribution about a year or so ago, in a student newspaper. I scanned it in and sent to some fellow-student girls on Valentine's Day. Now I know where it is from!
no subject
Date: 2007-10-11 03:01 pm (UTC)
no subject
Date: 2007-10-11 03:14 pm (UTC)
http://sti.pooq.com/Reading/Online
But it's a bit out of date these days. I really need to update it soon.
no subject
Date: 2007-10-11 03:22 pm (UTC)
no subject
Date: 2007-10-11 03:52 pm (UTC)
guess I don't get to wear the geek badge of honour
Date: 2007-10-11 03:37 pm (UTC)
Re: guess I don't get to wear the geek badge of honour
Date: 2007-10-11 03:52 pm (UTC)
Re: guess I don't get to wear the geek badge of honour
Date: 2007-10-11 03:59 pm (UTC)
no subject
Date: 2007-10-11 07:40 pm (UTC)
no subject
Date: 2007-10-11 09:35 pm (UTC)
Re: Geekery
Date: 2007-10-12 03:13 am (UTC)