Geekery.

[swestrup]

I'm enough of a geek to really love the most recent issue of XKCD:



I've always wondered at the folks who never bother to ensure that ANY input string, no matter how weird, would be correctly handled.

Comments

[hendrikboom.livejournal.com]

I liked that one too.

I just finished reading all available episodes of Candi and MegaTokyo and am waiting for more to arrive, day by day. One of the things I like about them is the ongoing story lines -- something that's largely missing from newspaper style comics these days.. Do you have any others to recommend?

[swestrup]

Well, I read a bunch of webcomics. I have a list at:

http://sti.pooq.com/Reading/Online

But its a bit out of date these days. I really need to update it soon.

[sps.livejournal.com]

That's a very targeted name! I always favoured for broader (if shallower) fun.

guess I don't get to wear the geek badge of honour

[rosy1.livejournal.com]

and see I don't know WTF it means!

Re: guess I don't get to wear the geek badge of honour

[swestrup]

Hmm. Its an exploit of a known problem in common interfaces to MySQL databases using PHP. What often gets coded is something like (Note: I'm not going for accuracy here):

input $name;
MySQL($DB,"INSERT TABLE Students ('$name')");

Which tells the database to insert the student into the Students database using the given name. Now, you can string multiple commands together in what you send to MySQL, so when the name from the comic is inserted, what gets sent is:

"INSERT TABLE Students ('Robert');DROP TABLE Students; --')"

Which is a command to insert the name 'Robert', then to delete the entire database, and then to ignore the ending garbage.

The solution is to never blindly plug data accepted from a user into a database (or any other program), without first 'sanitizing' it to make sure its safe, and does what you want.

[swestrup]

Ha! LJ sanitized away your string!

Re: guess I don't get to wear the geek badge of honour

[sps.livejournal.com]

One also wonders why SQL does not provide Hollerith fields, given that it is used in this crazy string-patching way. If the quoted material were not "'Robert');...--'" but "13HRobert');...--" there would be no difficulty. It's not substantially harder for a machine to generate, anyway.

[thepersona.livejournal.com]

That's why I always put backslashes before apostrophes in my children's names.

[swestrup]

This reminds me of the fellow on Slashdot who wrote:

"Why do they always say not to use my dog's name as a password? His name consists of a random collection of letters, digits and punctuation, and I change it weekly."

Re: Geekery

[capj.livejournal.com]

Aha! I liked this one: http://xkcd.com/55/ , which I found used without attribution about a year or so ago, in a student newspaper. I scanned it
in and sent to some fellow-student girls on Valentine's Day. Now I know where it is from!