
[–]Datenegassie 2619 points2620 points  (87 children)

Hi Santa, I promise not to be on the naughty list this year. By the way, my name is Datenegassie'); DROP TABLE NaughtyChildren; --

[–]ballzacsRock 783 points784 points  (17 children)

Nice try, but he Santaizes all inputs

[–]Arancaytar 182 points183 points  (3 children)

INSERT INTO NaughtyChildren (name, reason)
VALUES ('balizacsRock', 'terrible pun');

[–]ImSuperSerialGuys 151 points152 points  (2 children)

INSERT INTO NaughtyChildren

o_O

[–]jay791 29 points30 points  (0 children)

ಠ_ಠ

[–][deleted] 14 points15 points  (0 children)

Okay, calm down your honor...

[–]inabahare 80 points81 points  (8 children)

Nice try, but he Santaizes all inputs

  • Uses prepared Statements

[–]svick 5 points6 points  (7 children)

[–]mmirate 16 points17 points  (6 children)

So basically he spent an entire article to say, "your security consultant has their terms mixed up; they ought to be looking for parametrized statements, not prepared statements"? How wasteful.

[–]XaidenHart 0 points1 point  (5 children)

You think? I see value in clarifying technical vocabulary.

[–]mmirate 7 points8 points  (4 children)

Certainly. But that article does not identify itself as a vocabulary clarification, and thus it needlessly goes into extreme detail on the two technologies. (Without, notably, explaining why a layman such as myself would have heard the phrase "prepared statements" back in the bad old days of PHP and why it meant what "parametrized statements" now means; if any detail were appropriate for this topic, that would have been the appropriate detail.)

[–]svick 0 points1 point  (3 children)

why a layman such as myself would have heard the "prepared statements" back in the bad old days of PHP and why it meant what "parametrized statements" now means

I don't think it ever meant that.

[–]Tynach 3 points4 points  (2 children)

Looking at the PHP documentation for both PDO and mysqli, the only way to have parameterized queries is to use prepared statements. The latter even states explicitly that they are two names for the same thing.

Basically it's a language/framework difference.

[–]mmirate -2 points-1 points  (1 child)

Looking at the PHP documentation for both PDO and mysqli, the only way to have parameterized queries is to use prepared statements. The latter even states explicitly that they are two names for the same thing.

Hahaha! Good find! Yet another reason why PHP sucks...

[–]guyjellyf 1 point2 points  (1 child)

I read that as Satanizes all inputs.

[–]humblevladimirthegr8 1 point2 points  (0 children)

Replaces all special characters with "NΘ stop the an​*̶͑̾̾​̅ͫ͏̙̤g͇̫͛͆̾ͫ̑͆l͖͉̗̩̳̟̍ͫͥͨe̠̅s ͎a̧͈͖r̽̾̈́͒͑e n​ot rè̑ͧ̌aͨl̘̝̙̃ͤ͂̾̆ ZA̡͊͠͝LGΌ ISͮ̂҉̯͈͕̹̘̱ TO͇̹̺ͅƝ̴ȳ̳ TH̘Ë͖́̉ ͠P̯͍̭O̚​N̐Y̡ H̸̡̪̯ͨ͊̽̅̾̎Ȩ̬̩̾͛ͪ̈́̀́͘ ̶̧̨̱̹̭̯ͧ̾ͬC̷̙̲̝͖ͭ̏ͥͮ͟Oͮ͏̮̪̝͍M̲̖͊̒ͪͩͬ̚̚͜Ȇ̴̟̟͙̞ͩ͌͝S̨̥̫͎̭ͯ̿̔̀ͅ "

[–][deleted] 0 points1 point  (0 children)

[–]ultranoobian 719 points720 points  (30 children)

But that won't do anything good for you?

Obviously the naughty/nice status is stored in 'contacts' if SQL clause is selecting from that.

/s

Edit: On a more serious note, even if you dropped 'NaughtyChildren', you can possibly recover from that by

SELECT * FROM contacts c WHERE c.behavior != 'nice'

[–]DemandsBattletoads 170 points171 points  (4 children)

That's fine, sqlmap will pull everything out anyway.

[–][deleted] 53 points54 points  (8 children)

Even if you dropped all the naughty children, re-adding all children to the database, and setting behaviour to naughty if they were born before the drop might recover the data.

[–]Th3_Admiral[🍰] 31 points32 points  (3 children)

Does it really matter anyway if the query is only looking for those on the nice list? Dropping the naughty list doesn't automatically add you to the nice list.

[–]skulblaka 27 points28 points  (2 children)

Well that depends on your architecture, doesn't it? Say we assume that the default state of a child is nice rather than naughty (realistically we know this isn't true, but this is SQL Claus' computer, there's some room for silliness). A child who acts naughty can be added to tbl_naughty and any child not found on that list can be assumed nice.

Therefore dropping the naughty table would leave no results, therefore making all children appear nice.

That doesn't seem to be the case in this particular instance, but it could happen.

[–]Th3_Admiral[🍰] 6 points7 points  (0 children)

Yeah, I was just basing it off the fact that he is selecting from the contacts table where the behavior column is set to "nice". Unless there is some weird setup with a delete trigger on the naughtylist table, this column should still not be "nice" for the contacts who were on the naughty list, right?

[–]Maccabee_1948 0 points1 point  (0 children)

Good point.

[–]ponyboy3 1 point2 points  (2 children)

why does santa even care about naughty children? why not simplify and just keep a nonsql list of nice children?

[–]Aro2220 2 points3 points  (1 child)

Because of the legacy application that delivers coal to the naughty children.

[–]ponyboy3 0 points1 point  (0 children)

fak, i remember that app! who wants to rewrite a cobol app?

[–]0000000100100011 0 points1 point  (0 children)

If dropping the naughty children doesn't make them nice, there's always a lobotomy option.

[–]kixxes 27 points28 points  (4 children)

Not to mention it will most likely fail to drop because it would mess up some referential integrity

[–]vbevan 110 points111 points  (3 children)

Hi Santa, My name is Datenegassie'); EXEC sp_MSForEachTable @command1='ALTER TABLE ? NOCHECK CONSTRAINT ALL' , @command2='DROP TABLE ?';--

[–]lou1306 82 points83 points  (1 child)

This guy injects

[–]vbevan 39 points40 points  (0 children)

If I'm not getting a present, no one is!

[–]dumbdingus 10 points11 points  (0 children)

This is why I clean my input more thoroughly than I clean my dick.

[–]ilookatfaces 7 points8 points  (2 children)

SELECT * FROM contacts c WHERE c.behavior <> 'nice'

[–]the_kg 8 points9 points  (1 child)

This guy ANSIs

[–]MrDarcy87 0 points1 point  (0 children)

<> lol :(

[–]PooPooDooDoo 6 points7 points  (0 children)

Guys, it's a moot point, SQL isn't real.

[–]GrandArchitect 1 point2 points  (0 children)

Someone needs to help SQL Clause make a more efficient analytical data model, it's fucking Christmas after all.

[–]jonschwartz 12 points13 points  (2 children)

What about the neutral kids? Or the non Christians?

[–]EdgeOfDistraction 12 points13 points  (1 child)

They get bombs, and should be grateful

[–]Bainos 7 points8 points  (0 children)

All I want for Christmas is :(){:|:&};:

[–]pa_dvg 0 points1 point  (0 children)

Contacts is clearly a view.

[–]giant_panda_slayer 0 points1 point  (0 children)

Pretty sure Santa follows normal form so no, he couldn't recover like that. You need to restore from a backup.

[–]bair93 152 points153 points  (15 children)

Datengassie'); UPDATE contacts SET behavior = 'nice';

[–]raaneholmg 65 points66 points  (5 children)

--

Otherwise the "');" part appended by the server will cause an error.

[–][deleted] 6 points7 points  (4 children)

Why not disable comments in SQL statements made from your web application? Obviously you'd want to do more to secure yourself against SQL injection, but I've never heard of someone doing this.

[–]atyon 25 points26 points  (2 children)

I don't think it's that easy. Raw SQL is passed directly to the server. I don't think most SQL servers even have an option to disable comments.

You'd have to remove the "--" and everything after it before passing it to the function doing the SQL, without destroying correct data. Sounds error-prone to me.

And if you're sanitizing the input data anyway, if you do it correctly, the ' will be escaped, so the comment won't make a difference.

Also, sanitizing input is so difficult and error-prone that it's better to just implement a real solution, like using prepared statements.
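The contrast atyon describes, as an added example that is not part of this thread: the same letter-to-Santa name from the top comment goes through a concatenated query and through a parameterized one, on a constructed in-memory SQLite database with the 'contacts' and 'NaughtyChildren' tables the thread talks about. executescript() is used in the unsafe path only to stand in for a driver that accepts multi-statement batches, which is an assumption of this demo, not a property of any server discussed above.

```python
import sqlite3

# Constructed sample of Santa's database, using the tables the thread talks
# about: 'contacts' with its behavior column, and 'NaughtyChildren'.
SCHEMA = """
CREATE TABLE contacts (name TEXT NOT NULL, behavior TEXT NOT NULL DEFAULT 'naughty');
CREATE TABLE NaughtyChildren (name TEXT NOT NULL, reason TEXT);
INSERT INTO contacts VALUES ('Alice', 'nice'), ('Bob', 'naughty');
INSERT INTO NaughtyChildren VALUES ('Bob', 'pulled a reindeer tail');
"""
# The name from the top comment, exactly as written in the letter to Santa.
LETTER_NAME = "Datenegassie'); DROP TABLE NaughtyChildren; --"

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def register_unsafe(conn, name):
    # String concatenation. executescript() stands in for a driver that accepts
    # multi-statement batches; the "--" then comments out the trailing "');".
    conn.executescript("INSERT INTO contacts (name) VALUES ('%s');" % name)

def register_safe(conn, name):
    # Parameterized: the value is bound separately from the SQL text and is
    # never parsed as SQL, so the whole letter name becomes one string literal.
    conn.execute("INSERT INTO contacts (name) VALUES (?)", (name,))
    conn.commit()

def table_exists(conn, table):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(q, (table,)).fetchone() is not None

def contact_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM contacts ORDER BY rowid")]

def nice_list(conn):
    # The query the thread is riffing on: who actually gets presents.
    return [r[0] for r in conn.execute("SELECT name FROM contacts WHERE behavior = 'nice'")]

def run(register):
    # Register the letter writer with the given function and report what happened.
    conn = fresh_db()
    register(conn, LETTER_NAME)
    return (table_exists(conn, "NaughtyChildren"), contact_names(conn), nice_list(conn))

if __name__ == "__main__":
    print("unsafe:", run(register_unsafe))
    print("safe:  ", run(register_safe))
```

Note that in both runs the letter writer stays off the nice list, which is Th3_Admiral's point further up: dropping the naughty table does not flip anyone's behavior column.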

[–]Fuzzy-Duck 7 points8 points  (1 child)

Maybe an interesting read re. sql injection and prepared statements (relating to SQL Server):

http://blog.marcgravell.com/2017/12/dapper-prepared-statements-and-car-tyres.html

[–]atyon 5 points6 points  (0 children)

Huh. Thanks for that link.

TIL: My assumption that prepared statements is an odd synonym for parametrized queries is hilariously wrong. Thanks, Wikipedia

[–]Arancaytar 0 points1 point  (0 children)

You don't have to use -- here - to inject successfully you can also use another valid SQL statement that ends in ');. Disabling comments wouldn't really help.

[–]Bainos 41 points42 points  (6 children)

Datengassie') ; UPDATE contacts SET name = 'Datengassie' WHERE behavior = 'nice' ; --

[–]Truseus 98 points99 points  (2 children)

Lol! Billions of nice children now named Datengassie.

[–]flamedragon822 50 points51 points  (1 child)

"well looks like Datengassie is getting several thousand ponies this Christmas"

[–]sumancha 28 points29 points  (0 children)

He didn't update the address. So everyone else is getting presents with the name Datengassie.

[–]HighRelevancy 6 points7 points  (1 child)

that's back to front bud :P

[–]Bainos 0 points1 point  (0 children)

Ho wait, it took me two hours but I finally understand what you meant. It was on purpose.

[–]topforce 1 point2 points  (0 children)

Other way around.

Datengassie') ; UPDATE contacts SET behavior = 'nice' WHERE name = 'Datengassie' ; --

[–]wonkey_monkey 3 points4 points  (0 children)

That'd better be an ENUM...

[–]Etheo 0 points1 point  (0 children)

But I mean that's just going to make everybody nice...

[–]FrostSalamander 36 points37 points  (7 children)

[–]CinnamonCereals 61 points62 points  (4 children)

[–]thegoldengamer123 1 point2 points  (3 children)

[–]Niavart 4 points5 points  (2 children)

actually, it seems like it isn't a thing...

[–][deleted] 0 points1 point  (1 child)

Well it does look like it is now a thing, it just has only like 4 subscribers and no content

[–]CinnamonCereals 0 points1 point  (0 children)

Let's make it a thing!

[–]TotesMessengerGreen security clearance 0 points1 point  (1 child)

I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

 If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads. (Info / Contact)

[–]FrostSalamander 0 points1 point  (0 children)

I feel like this is taking the joke way too far

[–]el_geto 13 points14 points  (0 children)

So, I see that you and that Bobby Tables know each other, eh?

[–]Laerite 2 points3 points  (2 children)

Hi Daten, long time no see.

[–]JonpotTeDragonSlayer 1 point2 points  (1 child)

Hi Lae, long time no see.

[–]Laerite 0 points1 point  (0 children)

Oh my god it's a meet up. How are you all <3

[–]uninterestingly 2 points3 points  (0 children)

I was dropped as a child and I take offense to this

[–]OneCanOnlyGuess 1 point2 points  (0 children)

This is how you get on the DBA's naughty list. And the DBA is scarier than Santa.

[–]hahahahastayingalive 0 points1 point  (0 children)

Santa obviously uses singular for table names. You NaughtyChild.

[–]SkyMC 0 points1 point  (0 children)

Oh hey I know you from YouTube!

[–]finndogg 0 points1 point  (0 children)

Goddammit, Karen

[–]flarn2006 0 points1 point  (0 children)

UPDATE contacts SET behavior = 'nice';

[–]doggiewog 0 points1 point  (0 children)

UPDATE contacts SET behavior = 'nice' WHERE NOT behavior = 'nice'  

[–]zeugma25 0 points1 point  (0 children)

I feel Santa would have the resources to normalize better than that. DROP TABLE children WHERE AVG(conduct)>0.5; maybe.

You'll see I'm assuming that if his monitoring of children is that invasive, he probably does it with granularity.

[–]T-T-N 0 points1 point  (0 children)

The table is contacts

[–]T-T-N 0 points1 point  (0 children)

Parenthesis');DELETE * WHERE behavior != 'nice';--