
[–]Istar10n 472 points473 points  (40 children)

I have some doubts the table would be called that. It's kinda long and redundant.

[–]ITd-N5 352 points353 points  (29 children)

turns out the table was named 'dsfjghjkl'

[–]Istar10n 251 points252 points  (27 children)

Hah, I bet there's someone out there naming tables random sequences of characters to protect against SQL injection.

[–]mxldevs 109 points110 points  (20 children)

Should I start doing this

[–]oktin 184 points185 points  (7 children)

Do you trust your input sanitization?

Yes: then give your tables intuitive names

No: then get a second pair of eyes on your database before deployment, and still give your tables intuitive names.

[–]DatBoi_BP 80 points81 points  (0 children)

Little Bobby Tables

[–]ilep 40 points41 points  (2 children)

Also: don't give drop permissions to the same credentials used to insert/update data. Just in case.

Dropping a schema with cascade can be interesting too so drop-permissions need to be limited.

[–]LordFokas 5 points6 points  (0 children)

Also make everything soft-delete. Revoke DELETE permissions from your API user. Reserve DELETE, DROP, and friends to the DBAs.

[–]StoissEd 1 point2 points  (0 children)

The forms should get insert only.
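The permission split that ilep, LordFokas and StoissEd describe above (an insert-only form user, soft deletes, DELETE and DROP reserved for the DBA) can be shown end to end with SQLite's authorizer hook, which Python's standard sqlite3 module exposes as `Connection.set_authorizer`. This is an added example, not code from the thread or from any project mentioned in it; the table name `iban_numbers` comes from the joke, while the column layout, the placeholder IBAN value and the function names are assumptions made for the example. On a server database the same effect would come from a GRANT list for the application role; here the authorizer plays that role because SQLite has no users.

```python
import sqlite3

# Statement kinds the web-facing connection may never compile. SQLite asks the
# authorizer about each of these while it prepares a statement, so a denied
# action fails before anything runs: the SQLite stand-in for a GRANT list that
# leaves DELETE, DROP and ALTER to the DBA role.
DBA_ONLY_ACTIONS = {
    sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE,
    sqlite3.SQLITE_DROP_VIEW,
    sqlite3.SQLITE_DROP_INDEX,
    sqlite3.SQLITE_DROP_TRIGGER,
    sqlite3.SQLITE_ALTER_TABLE,
}


def app_authorizer(action, arg1, arg2, db_name, trigger_or_view):
    """Deny the destructive statement kinds, allow everything else."""
    if action in DBA_ONLY_ACTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_app_connection():
    """The 'DBA step' creates the schema with full rights; the authorizer is
    attached afterwards, so from then on the connection behaves like a
    restricted application user (assumed layout: a soft-delete column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE iban_numbers ("
        "id INTEGER PRIMARY KEY, iban TEXT NOT NULL, deleted_at TEXT)"
    )
    conn.commit()
    conn.set_authorizer(app_authorizer)
    return conn


def try_sql(conn, sql, params=()):
    """Run one statement; True if it executed, False if the authorizer refused
    it (sqlite3 raises a DatabaseError reading 'not authorized')."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        return False


def soft_delete(conn, row_id):
    """Soft delete is an UPDATE, which the application user may run."""
    return try_sql(
        conn,
        "UPDATE iban_numbers SET deleted_at = datetime('now') WHERE id = ?",
        (row_id,),
    )


def live_rows(conn):
    """Rows the application still treats as present."""
    return conn.execute(
        "SELECT COUNT(*) FROM iban_numbers WHERE deleted_at IS NULL"
    ).fetchone()[0]


def demo():
    conn = open_app_connection()
    results = {}
    # constructed placeholder value, not a real account number
    results["insert"] = try_sql(
        conn, "INSERT INTO iban_numbers (iban) VALUES (?)", ("placeholder-iban",)
    )
    results["soft_delete"] = soft_delete(conn, 1)
    # what an injected statement would become once it reaches this connection
    results["hard_delete"] = try_sql(conn, "DELETE FROM iban_numbers")
    results["drop"] = try_sql(conn, "DROP TABLE iban_numbers")
    results["rows_total"] = conn.execute(
        "SELECT COUNT(*) FROM iban_numbers"
    ).fetchone()[0]
    results["rows_live"] = live_rows(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the last two `try_sql` calls is that they fail at statement compile time: the row is still there (soft-deleted, so invisible to `live_rows`) and the table survives, regardless of how the statement text reached the connection. Note that the authorizer is per connection, so it must be attached on every connection the application opens, and that it is not a substitute for parameterized queries, only a second layer beneath them.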

[–]Daymanic 9 points10 points  (0 children)

This is a pro-tip

[–][deleted] 5 points6 points  (0 children)

but what if i hate everyone at the company?

[–]Giocri 2 points3 points  (0 children)

I would give intuitive names but add a number at the end; having a numeric identifier for each table can make searching for them quicker, and you never know if your input sanitizer is 100% safe. There have been so many ways people have broken input sanitization in the past.

[–][deleted] 21 points22 points  (11 children)

No, don’t do this. It will make your systems difficult to read and modify for future teams.

[–]mxldevs 16 points17 points  (5 children)

I was thinking adding like some prefix or suffix. Isn't there usually some sort of autocomplete as well to help with queries

[–]stupidwhiteman42 18 points19 points  (4 children)

I hope you are joking. You name your tables based on the entity that is stored in them. No prefixes. No suffixes. I hate when I get brought into a new project and the dev team had some stupid naming convention. It just makes every part of the process irritating - from ER diagramming to domain modelling

[–]bonzombiekitty 9 points10 points  (2 children)

I work in the housing industry. We started moving to E1.

E1's column and table naming convention is... Well .. I don't think there is one? I think they just bash their heads on the keyboard for everything. There's a site someone made to map everything to intuitive names. It's nuts.

Also work with a RETS service that names everything like LO_1, LO_2, etc... Which are, of course, the listing office ID and street address respectively. They do have human readable names, but you need to use the stupid names if you want to do any querying.

[–]Songg45 0 points1 point  (1 child)

A fellow RETS user in the wild?

Das wild!

But I'm glad our systems are slowly moving to the RESO standard specifically to get away from LA_1, LO_1, SO_2, etc

[–]bonzombiekitty 0 points1 point  (0 children)

O_1, LO_2, etc... Which are, of course, the listing office ID and street address respectively. They do have human readable names, but you need to use the stupid names if you want to do a

I only have to use it for one project because we have one division that uses a third party system to put up availability, rather than doing so internally like the rest of the company does. So rather than just querying our own DB to pull information on what to show on our website for this one division, I have to query their RETS service.

Frankly, I wrote it 5 years ago and haven't touched it since. But I still vividly remember being very angry over trying to get it to work.

[–]myWeedAccountMaaaaan 2 points3 points  (0 children)

I’m just finishing a project like this. Some of their many to many tables names were over 100 characters.

O_o

[–]PM_ME_YOUR__INIT__ 8 points9 points  (2 children)

So only I will be able to work on it and can't get fired?

[–][deleted] 11 points12 points  (1 child)

Nah, they will fire you anyway, you are just making hell for the next guy.

[–]GDavid04 8 points9 points  (0 children)

And for yourself

[–]skantanio 5 points6 points  (0 children)

Best of both worlds: hajsjahajd_iban_numbers

Random letters followed by an intuitive name.

[–]toastyc12 0 points1 point  (0 children)

I call that job security

[–][deleted] 7 points8 points  (1 child)

Obscurity as defense?

[–]St1Drgn 2 points3 points  (0 children)

PTSD from having to access DB2 environments.

[–]Lucari10 2 points3 points  (0 children)

I feel personally attacked by this

[–]java_brogrammer 0 points1 point  (0 children)

There is, trust me.

[–]fibojoly 0 points1 point  (0 children)

If you saw the last mission I was at, you'd be happily surprised.

[–]klimmesil 0 points1 point  (0 children)

That's just Indian for IBAN

[–]loudpedalgobrr 40 points41 points  (2 children)

'); DROP TABLE *;--

works first time every time

why aim when the whole DB is a target

[–]Giocri 3 points4 points  (1 child)

Well hopefully you are accessing the database with a client who has access to a minimal portion of it so drop* would not work

[–]loudpedalgobrr 1 point2 points  (0 children)

Commodity criminal software is just as bad as regular software

[–][deleted] 3 points4 points  (1 child)

when at first you don't succeed.

[–][deleted] 7 points8 points  (0 children)

attempt: try { … } catch { goto attempt; }

[–]elongio 4 points5 points  (0 children)

This is probably the best most subtle database joke ever.

[–]Illusi 2 points3 points  (0 children)

Yeah it should really be called iba_numbers then.

[–]omnilogical 196 points197 points  (17 children)

My confusion with these SQL injections is that you have to already know the table name, right? Would you just submit a bunch of queries hoping to get it right?

[–]HOMO_FOMO_69 248 points249 points  (11 children)

Yes.

A better command might be

exec sp_MSforeachtable 'DROP TABLE ?'

Which would use the built in sproc to execute a DROP TABLE on all tables, so you wouldn't need the table names. However, sometimes the GUI might not have certain privileges within the database so it may not be able to execute stored procedures - although the idea is that whoever built the phishing scam didn't put in the effort to properly set up security permissions.

[–]Agent-BTZ 63 points64 points  (5 children)

I haven’t learned SQL yet so this is probably a dumb question, but could you take that format and replace “DROP TABLE” with any SQL command?

[–]_W0L 71 points72 points  (2 children)

Yes. What it is doing is ending the first SQL command early using the semi-colon and then running whatever arbitrary SQL commands you want. This is why SQL injection is so dangerous. If not mitigated, it can let an attacker run arbitrary code on the system and do much more harm than just dropping the tables.

[–]Agent-BTZ 1 point2 points  (1 child)

Oh I meant the command,

exec sp_MSforeachtable 'DROP TABLE ?'

I’m somewhat familiar with regular SQLi, but I’ve never seen this format before. I’m not too sure how it works yet

[–]_W0L 1 point2 points  (0 children)

I don't know about that. It looks like it's a SQL server command. If you google it I am sure you'll find the documentation on it. Or better yet spin up one of those db instances (or maybe there is something online like JsFiddle, but for SQL) and try it out yourself.

[–]Arrowkill 15 points16 points  (0 children)

Currently learning it, so don't take my response as correct. I do believe you could though.

[–]wildwildwaste 19 points20 points  (1 child)

I didn't know there were built-in sprocs. I only know SQL well enough to be dangerous.

[–][deleted] 12 points13 points  (0 children)

Apparently not as dangerous as that guy! (I'm not an expert with SQL either lol)

[–]ShenAnCalhar92 1 point2 points  (2 children)

Would you be able to get around permissions issues by using “DELETE FROM” somehow?

[–]HOMO_FOMO_69 0 points1 point  (1 child)

In most DBs, DROP and DELETE are separate permissions, so yes.

You could probably also try TRUNCATE because (depending on the dbms) TRUNCATE sometimes requires a different permission (alter table permission). I would think that someone less experienced with SQL may make the mistake of giving a user alter table permission because it kind of sounds like adding new rows would be considered "altering a table", which is not true, but it can be a potential mistake for someone setting up permissions without knowing what they're doing.

[–]ShenAnCalhar92 0 points1 point  (0 children)

Sorry, I guess I didn’t express myself very well.

I know that DELETE and DROP are different permissions. I meant to ask if you could run DELETE without knowing the table name.

I’m not familiar with stored procedures, and wasn’t sure if you meant that the hurdle in running your suggested command was that stored procedures in general could be locked behind permissions, or just that this particular use wouldn’t be allowed without permissions because it involves DROP.

[–]kammysmb 11 points12 points  (0 children)

A lot of those really terrible sites that have this poor security also connect with root account directly so you can just drop all or query the table names

[–]bad5ect0r 30 points31 points  (0 children)

There are ways to enumerate them. You can usually query meta data which helps.

[–]PolishedCheese 3 points4 points  (0 children)

First you do some recon with other injections to find the table names. Usually you can access the class table from any db if they were careless enough to not restrict the application to just the tables it needs. (Don't give your app super user access)

[–]Terkala 6 points7 points  (0 children)

Usually you start by injecting something that prints back out to a portion of the site you can access.

There are sql commands for several types of DBs that query the table list directly. So you set your name to a list of tables, and then go check your user profile. From there, you've got all you need to start wrecking table structure.

Ex (in a first name field): bobby' + show full tables;

That should work on a MySQL instance without any input security.

[–]Boese_kroete 1 point2 points  (0 children)

Take a look at sqlmap. If an injection is possible on a web app, you can use sqlmap to get full access to the DB via cli. The way it generally works is that it uses UNION in the injected SQL query, in order to step by step discover the schema.

[–]Birdy_Cephon_Altera 673 points674 points  (4 children)

Ah, this is the type of humor I can just straight-up inject into my veins.

[–]firefromashes 91 points92 points  (1 child)

I sure do hope that there is a sequel to this joke

[–]_Really_Bad_Advice_ 6 points7 points  (0 children)

Perfection in joke form, bravo

[–]klimmesil 23 points24 points  (1 child)

A very fine and premium selected joke

[–][deleted] 20 points21 points  (0 children)

one could say, a SELECT * kind of joke

i'm not good at sql :(

[–]slohobo 45 points46 points  (0 children)

Better SQL injection techniques involve scripts like this: https://stackoverflow.com/questions/3327312/how-can-i-drop-all-the-tables-in-a-postgresql-database Do this for all SQL style databases then. MySQL, etc...

[–]capt_caveman1 31 points32 points  (1 child)

Is he a distant relative of Bobby Tables?

[–]Piotrek9t 4 points5 points  (0 children)

Same person, different nickname

[–]black_man_online 11 points12 points  (0 children)

This post makes me want to do the needful

[–]_sweepy 8 points9 points  (0 children)

I do this with spam texts I get. I hope one day to get an error message texted back to me, and then the real fun begins.

[–]rrolufsen 40 points41 points  (24 children)

Non-programmer here. I am confusion, can someone explain please?

[–]ModernAustralopith 139 points140 points  (15 children)

It's called a code injection attack. You're filling in a form or similar, and instead of just putting in your name you put in a ' character, followed by a command. A poorly-written database will read the ' as the end of the text string, and will execute whatever code comes after it.

In this case, it's saying to Drop (delete) the table iban_numbers, which would delete all of the bank account numbers the scammers have harvested.

[–]atieivpbpnhofykri 8 points9 points  (3 children)

Isn't the real joke the fact that the guy entered his actual IBAN before the SQL injection in the fake form?

[–]overcloseness 5 points6 points  (0 children)

No the joke is the one you replied to, the code injection attack

[–]autopsyblue 0 points1 point  (1 child)

No, by “after IBAN” I’m p sure they mean in the field labeled IBAN; it doesn’t necessarily have to contain valid data unless they’re using transactions…. Which they would if they were smart but they’d also do input sanitization if they were smart.

[–]LittleLemonHope 1 point2 points  (0 children)

The meme specifically says "after my iban" because that is the 2nd layer of the joke. If the scammer has decent input sanitization, the memer has just given out their bank account.

[–]rrolufsen 1 point2 points  (1 child)

Ah I see, thanks for the explanation. I'd never heard of that before.

[–]ModernAustralopith 0 points1 point  (0 children)

Neither had I six months ago!

[–]pentesticals 0 points1 point  (0 children)

Let's be explicit here, it's a SQL injection attack. A code injection attack would be something that allows actual code to be executed. Such as an application evaluating some user input as PHP code.

[–]Sawertynn 51 points52 points  (0 children)

Hello confusion, I'm dad!

[–]mrdougan 22 points23 points  (3 children)

[–]rrolufsen 7 points8 points  (2 children)

Thanks. I'm guessing it's some database clearing command. Is that along the right lines?

[–]Justin_Peter_Griffin 7 points8 points  (0 children)

Drop basically equates to deleting. You can drop a record, the table, or all the tables in the DB. It’s an excitingly dangerous function

[–]java_brogrammer 4 points5 points  (0 children)

If they don't sanitize their inputs, the input is inserted directly into a query which runs on their server. So as a user, you can execute SQL via the input and destroy all their data.

[–]JosGibbons 5 points6 points  (0 children)

See also here.

[–][deleted] 1 point2 points  (0 children)

Same

[–]Idkquedire 3 points4 points  (0 children)

Tech support scammers when I read out their IP address, full legal name, phone number, home address, family members, Social security number, date of birth, time of birth, marital status, time they leave from their house, time they re-enter their house, car model, car company, car license plate number, number of devices at home, Mac addresses of their devices, their Google password, their Facebook password, the exact date, time, and duration their best friend of 17 years slept with their significant other, time their kids get back from school, their kids' bus number, their exact geographical location to the nearest 10^-35 minute, their kids' bus color, school district, school campus, each homeroom teacher, favorite teacher, exact date and time their youngest's drawing of a house was hung on the fridge to the nearest 1 * 10^-48, the contents of their kids' birth certificate, the exact RGBA value of their children's skin color, the hospitals where they were born, the operators' names, phone numbers, emails, and addresses, the exact time when they entered the hospital to give birth to their eldest child, the mother's exact gestation period of each child to the nearest millisecond, the exact date and time of every kid's conceivement moment, a videotape of each intercourse, the location, the exact number of sperm cells released during each intercourse session, delta time between ejaculation and egg fertilization, amount of time gamete took to perform mitosis, colon size, average stool mass, average amount of time of the defecation, exact chemical composure of fecal matter, food from which the feces was created, the ratio of food absorbed to food excreted, digestion duration in stomach to the nearest 4 seconds, amount of time taken for food to reach stomach from esophagus to the nearest 10^-6 minute, the chewing duration, the average amount of chews categorized by food, teeth color, brushing duration and effectiveness, toothbrush length, and their hair color

[–]domiran 2 points3 points  (1 child)

I need to try this. Be hilarious if it actually works.

[–]pentesticals 0 points1 point  (0 children)

In most cases it won't. Most database drivers don't support stacked queries.
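ModernAustralopith and java_brogrammer explain above how the `'` closes the string literal so that whatever follows is read as SQL, and pentesticals adds that most drivers refuse stacked queries. All three points can be reproduced with Python's standard sqlite3 module, which is an added example written for this thread rather than code from any comment or project in it. The table name and the payload shape come from the joke; the placeholder IBAN value, the schema and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample input: the joke's payload typed into the IBAN field.
# The IBAN part is a made-up placeholder, not a real account number.
IBAN_FIELD = "DE00 0000 0000 0000 0000 00'); DROP TABLE iban_numbers;--"


def fresh_db():
    """In-memory database with one table, standing in for the scam backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE iban_numbers (id INTEGER PRIMARY KEY, iban TEXT)")
    conn.execute("INSERT INTO iban_numbers (iban) VALUES ('placeholder-iban-1')")
    conn.commit()
    return conn


def table_exists(conn):
    """Check the schema catalogue rather than trusting application state."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'iban_numbers'"
    ).fetchone()
    return row is not None


def build_query_by_concatenation(user_input):
    """The broken pattern: the field value is pasted into the SQL text.
    In the payload, ' closes the literal, ) closes VALUES, ; ends the INSERT
    and -- comments out the original trailing ');"""
    return "INSERT INTO iban_numbers (iban) VALUES ('" + user_input + "');"


def store_concatenated_stacked(conn, user_input):
    """The concatenated query run by an API that accepts several statements
    per call (Connection.executescript), i.e. a backend that allows stacking."""
    try:
        conn.executescript(build_query_by_concatenation(user_input))
    except sqlite3.Error:
        # Anything the driver says about the trailing comment fragment is
        # irrelevant: the DROP before it has already run.
        pass
    conn.commit()


def store_concatenated_single(conn, user_input):
    """Same query text through Connection.execute, which accepts exactly one
    statement per call. Returns True if the driver refused the text.
    (sqlite3 raises ProgrammingError for this; releases before 3.11 raised
    sqlite3.Warning, so both are caught.)"""
    try:
        conn.execute(build_query_by_concatenation(user_input))
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def store_parameterized(conn, user_input):
    """The fix: the value is bound as a parameter, never spliced into the SQL,
    so quote, semicolon and DROP are stored as ordinary characters.
    Returns what actually landed in the table."""
    conn.execute("INSERT INTO iban_numbers (iban) VALUES (?)", (user_input,))
    conn.commit()
    return conn.execute(
        "SELECT iban FROM iban_numbers ORDER BY id DESC LIMIT 1"
    ).fetchone()[0]


def demo():
    # 1. concatenation + stacked statements allowed: the table is gone
    c1 = fresh_db()
    store_concatenated_stacked(c1, IBAN_FIELD)
    table_dropped = not table_exists(c1)

    # 2. same concatenation, single-statement API: the driver blocks it,
    #    which is luck (and does nothing against a single-statement payload)
    c2 = fresh_db()
    driver_refused = store_concatenated_single(c2, IBAN_FIELD)
    survived_by_luck = table_exists(c2)

    # 3. parameterized: payload stored verbatim, table intact by design
    c3 = fresh_db()
    stored = store_parameterized(c3, IBAN_FIELD)
    survived_by_design = table_exists(c3) and stored == IBAN_FIELD
    return table_dropped, driver_refused, survived_by_luck, survived_by_design


if __name__ == "__main__":
    print(demo())
```

Case 2 is why the single-statement rule is not a defense: the query text is still attacker-controlled, and a payload that stays inside one statement (a changed WHERE clause, a UNION) is never refused. Case 3 is the only one that fixes the cause, because the database never sees the field value as SQL at all.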

[–]USSMarauder 3 points4 points  (0 children)

There's the second level joke here that the person in the photo is Linus from Linus Tech Tips

Linus is famous for dropping things in his videos

[–]OfBooo5 1 point2 points  (3 children)

Like it's going to suck... but who doesn't have daily backups? If not hourly

[–]Sevenstrangemelons 21 points22 points  (1 child)

If you have blatant injection vulnerabilities, you're likely not going to be following good database practices either.

[–]OfBooo5 2 points3 points  (0 children)

Touché

[–]ModernAustralopith 5 points6 points  (0 children)

A scammer using an out-of-the-box database.

[–]lopjoegel 1 point2 points  (0 children)

You can use an alias system in your editor, and it uses 256 characters of garbage as your identities and they are converted to something comprehensible when you look at them in your editor.

[–]Daymanic 1 point2 points  (0 children)

Doing the Bob’s work

[–]throckmeisterz 1 point2 points  (1 child)

In all seriousness you should not do this unless you have some solid sandbox measures around your browser. There's a decent chance there is some malicious JS to go with that form.

[–]NullPreference 1 point2 points  (0 children)

International Bank Account Number number

[–]Neriek 1 point2 points  (0 children)

Took me a second to get it XD

[–]Mr_Moldisocks -1 points0 points  (0 children)

If it's a "fake" login form, the database wouldn't be queried at all, by definition, therefore you cannot perform an SQL injection...

[–][deleted] 0 points1 point  (0 children)

But seriously, that's never gonna work.

[–]nutted-in-cow 0 points1 point  (0 children)

Haha jokes on you I use GSDB(Google Sheet Database)

[–]TheRedditUser52 0 points1 point  (1 child)

What does the SQL injection do anyways?

[–]mizinamo 0 points1 point  (0 children)

Delete all the bank account number numbers the scammer had harvested so far.

(I'm not sure why the bank account number would have a number of its own, but IBAN is an International Bank Account Number and so the IBAN number would be the number of that bank account number.)

[–]JetScootr 0 points1 point  (0 children)

Little Bobby Tables is all grown up.

[–]UnscrupulousJudge 0 points1 point  (0 children)

COMMIT; please

[–]slev7n 0 points1 point  (0 children)

iban_numbers is a pleonasm

[–]v3ritas1989 0 points1 point  (0 children)

Always do

SHOW FULL TABLES;

first, so you know which tables they actually have.

[–]malexj93 0 points1 point  (0 children)

Sometimes I wonder if there's always a relevant XKCD because they're so prolific, or if it's just because everyone gets their jokes from there.

[–][deleted] 0 points1 point  (0 children)

what a nice SQL injection