SQL injection prevention may affect your customers



  • At least, if you're an airline.  According to ABC News the TSA will be implementing a system where your name on your ID has to match your boarding pass.  All fine and well, except that according to them most airline ticketing systems cannot accommodate an apostrophe in a name.  So the O'Reillys will be unable to board.   This is most likely done to prevent SQL injection attacks: simply strip the illegal characters out.

    Then again, this may work out like Y2K where diligent programmers work to resolve the issue before it occurs.  Or it may be media scaremongering.  I can say that I have had many issues with US websites in my life.  Some seem unable to comprehend that a surname can have more than one part to it, separated by a space.



  • Little Bobby is going to have some trouble visiting Grammy in Florida.

    (frist XKCD reference)



  • @toth said:

    Little Bobby is going to have some trouble visiting Grammy in Florida. (frist XKCD reference)

    Hey, morbs, a new target for you.



  • Please meet my friends Parameterised Query and Proper Escaping.

    Dead handy to have around.



  • Wait, what?  Hasn't the TSA done this since 9/11?  They always go over my ID and boarding pass with a fine-toothed comb, presumably to see if the "I plan to hijack this flight" option was selected at check-in. 


    Seriously, though, I know it's for the same reason they allow the pissed-off looking Muslim through with little hassle: if we allow common sense to override political correctness, the terrorists will have won.  Metaphorically, of course, not literally; believing security theater is going to save lives is just retarded.


  • Garbage Person

    @morbiuswilters said:

    Wait, what?  Hasn't the TSA done this since 9/11?  They always go over my ID and boarding pass with a fine-toothed comb, presumably to see if the "I plan to hijack this flight" option was selected at check-in. 
    The final time I flew out of BWI (which is the TSA's testbed for new dick moves) the fucker thought my boarding pass was fake because the paper was yellowed (I printed it myself. Via online checkin. My paper is yellowed because it's almost as old as I am.) and furthermore had never seen a driver's license like mine (It was Maryland's standard pre-age-21 vertical format. BWI is in Maryland.)

    Once we passed that hurdle, I was "randomly selected" for extra screening and had to explain that a hard drive is not a bomb and what it's used for and why I can't turn it on and show them.


    I don't fly through BWI anymore. I drive the extra hour and a half around Washington DC to go to Dulles.


    Also, I have very large doubts that this has anything to do with SQL injection - the younger airlines don't have problems with it - but the older legacy carriers do. I smell ignorant COBOL and FORTRAN programmers.



  • The security guard at an airport in Maryland hadn't seen the underage Maryland driver's license? Oy.

    I live in MD and have flown out of BWI several times with no problems... and I've been told I LOOK like a terrorist/the Unabomber. D:



  • @Weng said:

    (It was Maryland's standard pre-age-21 vertical format. BWI is in Maryland.)

    Perhaps trying to use the IDs of your teenage victims isn't the best plan, even if you are wearing their faces.


    @Weng said:

    Also, I have very large doubts that this has anything to do with SQL injection - the younger airlines don't have problems with it - but the older legacy carriers do. I smell ignorant COBOL and FORTRAN programmers.

    Am I the only one who is a bit confused by this?  Stripping single-quotes from input is not how you handle SQL injection.  In fact, SQL injection isn't something you should ever worry about, assuming you are using a database API that wasn't copied off the resource CD that came with the 2004 edition of PHP For Dummies.



  • @Weng said:

    Also, I have very large doubts that this has anything to do with SQL injection - the younger airlines don't have problems with it - but the older legacy carriers do. I smell ignorant COBOL and FORTRAN programmers.

    Wouldn't that make it the 'younger' systems' fault?  The data clearly can contain characters that the language of choice is sensitive to.  That is not the fault of a COBOL programmer!  I have similar issues with web developers.  They seem to think that just because they have to use HTML (and choose to use XML) that suddenly an account called Mr & Mrs O'Riely <Investment Account> that has existed since 1985 is 'illegal data'.

    Morbs has it right.  It's easy to do, provided you know where & when to do it and understand what you are doing and why.  The second most idiotic thing is web devs escaping their values too early (or reading data off controls instead of data objects) and spiraling into the relentless maelstrom of encode/decode clinging to the hope that somehow every part of the code hits a correctly en/decoded version of the data.

    It's fucking pathetic.
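    The point made a few posts up ("Please meet my friends Parameterised Query and Proper Escaping"), morbiuswilters' remark that stripping single quotes is not how you handle SQL injection, and the complaint above about escaping too early all come down to the same thing, so here is one added example (written for this thread, not code from any airline or from the posters) that puts the three approaches side by side against an in-memory SQLite table. The passenger names, the `passenger` table and the helper names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the thread): names exactly as printed on
# a passenger's ID, including ones with apostrophes and other "awkward" characters.
PASSENGERS = [
    "Tim O'Reilly",
    "Robert Tables",
    "Mr & Mrs O'Riely <Investment Account>",
]

def build_db():
    """In-memory SQLite table standing in for a reservation system's passenger list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passenger (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # executemany binds each name as a parameter, so the apostrophes are stored intact.
    conn.executemany("INSERT INTO passenger (name) VALUES (?)", [(n,) for n in PASSENGERS])
    conn.commit()
    return conn

def lookup_concatenated(conn, name):
    """Broken: the name is pasted into the SQL text. An apostrophe in the name
    closes the string literal early, so the statement is malformed (and crafted
    input could change what the statement does). Returns None on SQL error."""
    sql = "SELECT name FROM passenger WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None

def lookup_stripped(conn, name):
    """The 'strip the illegal characters' workaround from the article: the
    statement no longer breaks, but the data has been silently altered, so
    anyone whose real name contains an apostrophe no longer matches their
    own record (the ID/boarding-pass mismatch the first post describes)."""
    return lookup_concatenated(conn, name.replace("'", ""))

def lookup_parameterised(conn, name):
    """Correct: the name travels as a bound parameter, never as SQL text, so no
    character in it is special and nothing needs escaping anywhere in the code path."""
    rows = conn.execute("SELECT name FROM passenger WHERE name = ?", (name,))
    return [row[0] for row in rows]

def compare(name):
    """Run all three lookups for one name and return their results side by side."""
    conn = build_db()
    return {
        "concatenated": lookup_concatenated(conn, name),
        "stripped": lookup_stripped(conn, name),
        "parameterised": lookup_parameterised(conn, name),
    }

if __name__ == "__main__":
    for n in PASSENGERS:
        print(n, "->", compare(n))
```

    For "Robert Tables" all three lookups agree, which is exactly why the concatenation bug survives in production: it only shows up on the O'Reillys. For the names with apostrophes, concatenation raises a syntax error, stripping returns no match at all, and only the bound parameter returns the record unchanged. Because the driver never interprets a bound value as SQL, there is no place in the code path where the value needs to be encoded or decoded, which is the "know where and when to do it" point above.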



  • @morbiuswilters said:

    believing security theater is going to save lives is just retarded.

    If you ever run for office let me know so I can move there and vote for you (multiple times per election, if possible).



  • Hopefully the TSA will just apply a reasonable level of common sense. I had a TSA person jokingly tell me one time that I couldn't get through because my ID said "Michael" and my ticket said "Mike".  I was not amused.



  • @morbiuswilters said:

    Seriously, though, I know it's for the same reason they allow the pissed-off looking Muslim through with little hassle: if we allow common sense to override political correctness, the terrorists will have won.  Metaphorically, of course, not literally; believing security theater is going to save lives is just retarded.


    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.



  • @Master Chief said:

    @morbiuswilters said:

    Seriously, though, I know it's for the same reason they allow the pissed-off looking Muslim through with little hassle: if we allow common sense to override political correctness, the terrorists will have won.  Metaphorically, of course, not literally; believing security theater is going to save lives is just retarded.


    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.

    alternatively, you could have special muslim only flights that are continuously followed by fighters.



  • @Master Chief said:


    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.

    Corey Lidle called and he demands a retraction.


  • @Master Chief said:

    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.

    It's been years since even a muslim flew a plane into a building anyway. You have a funny definition of "as of late."



  • @belgariontheking said:

    @Master Chief said:

    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.

    It's been years since even a muslim flew a plane into a building anyway. You have a funny definition of "as of late."

    Now they just riot when people draw cartoons they don't like, murder filmmakers who make movies questioning Islam and gun down American soldiers on an Army base.



  • @bstorer said:

    Corey Lidle called and he demands a retraction.

    That's racist.  Just because he's white doesn't mean he isn't Muslim.  In fact, I believe crashing a plane into a building automatically makes you a Muslim.  I read it in the Koran.



  • @Master Chief said:

    @morbiuswilters said:

    Seriously, though, I know it's for the same reason they allow the pissed-off looking Muslim through with little hassle: if we allow common sense to override political correctness, the terrorists will have won.  Metaphorically, of course, not literally; believing security theater is going to save lives is just retarded.


    If security was the real goal with this crap, no muslim would get into an airport, forget the plane itself.

    You can call it racism or whatever you like, but I don't see anybody else flying planes into buildings as of late.

    Yes, because "most terrorists are Muslim" is logically equivalent to "most Muslims are terrorists"

    Wait a minute...



  • @morbiuswilters said:

    @bstorer said:

    Corey Lidle called and he demands a retraction.

    That's racist.  Just because he's white doesn't mean he isn't Muslim.  In fact, I believe crashing a plane into a building automatically makes you a Muslim.  I read it in the Koran.

    You read the Koran?!  HE'S A TERRORIST!  GET HIM!


  • @toth said:

    Yes, because "most terrorists are Muslim" is logically equivalent to "most Muslims are terrorists"

    Wait a minute...


    That is precisely the point of profiling them in high-security environments, as opposed to taking more drastic measures like, say, interning all of them, which would be necessary if the second condition were true.



  • I lol'ed!



  • @morbiuswilters said:

    Am I the only one who is a bit confused by this?  Stripping single-quotes from input is not how you handle SQL injection.  In fact, SQL injection isn't something you should ever worry about, assuming you are using a database API that wasn't copied off the resource CD that came with the 2004 edition of PHP For Dummies.

    Airline reservation systems are old. Super-old. One of the first uses of computers for business, period. Which means this software probably pre-dates "PHP For Dummies" by at least a couple decades.



  • @Aaron said:

    @toth said:

    Yes, because "most terrorists are Muslim" is logically equivalent to "most Muslims are terrorists"

    Wait a minute...


    That is precisely the point of profiling them in high-security environments, as opposed to taking more drastic measures like, say, interning all of them, which would be necessary if the second condition were true.

    Right.  I'm not just saying we should profile only Muslims in high-security situations.  What I find ridiculous is this politically correct notion that we should assume the 80-year-old vet in a wheelchair is as likely to blow up a plane as the 24-year-old Muslim.  To me, the high-risk groups are:

    - young (under 40)

    - male

    - most likely unmarried

    - probably middle-class

    - holding radical political or religious views


    Guess what?  I fit into the first 4 groups.  Should I be given closer scrutiny than the 30-something mom who is flying with her obnoxious crotchfruit?  Hell yes.  Now, when it comes to religion or political ideology, it's a bit harder to discern.  You can probably tell someone is Muslim by the way they dress, but IIRC, none of these terrorist shitbags has gone onto the plane dressed like Aladdin.  Of course, being Arab would certainly be a bit of a tip-off, even if they're dressed in jeans and button-up shirts like the 9/11 hijackers were.  I'm not saying every Arabesque person should be strip searched, but if they fit the profile, maybe it would be worth it to ask them a few more questions than is normal or look at their bags a little more closely.


    What we do now not only makes little sense from a security perspective, but it's also stupid from a psychological one.  Anyone who is going to hijack a plane is going to be a bit nervous as it is, but the TSA is going to go out of its way to ignore any warning signs from young, male Arabs simply so they don't get sued or called racist or what-have-you.  And the thing is, any potential terrorist knows this.  They know they're going to be waved through security with nary a glance while the agents desperately look for some old, crippled woman whose wheelchair they can pull apart looking for bomb components.  Not only does this bullshit keep guards from doing the proper screening they should be doing, but if there are any young, male Arabs in the line who have ambitions to take down a plane, they know that they will receive the least scrutiny simply because the ACLU has terrified the TSA bureaucrats to the point where nobody on the ground would risk a PR fiasco by looking more carefully at the guy who is most likely to kill everyone.



  • @blakeyrat said:

    @morbiuswilters said:

    Am I the only one who is a bit confused by this?  Stripping single-quotes from input is not how you handle SQL injection.  In fact, SQL injection isn't something you should ever worry about, assuming you are using a database API that wasn't copied off the resource CD that came with the 2004 edition of PHP For Dummies.

    Airline reservation systems are old. Super-old. One of the first uses of computers for business, period. Which means this software probably pre-dates "PHP For Dummies" by at least a couple decades.

    True, but wouldn't they also pre-date SQL (and hence, SQL injection) as well?



  • @morbiuswilters said:

    True, but wouldn't they also pre-date SQL (and hence, SQL injection) as well?

    Fuck if I know. It pre-dates my entire lifespan, so it's not like I'm sitting there hacking away at COBOL in college.



  • @Aaron said:

    @toth said:

    Yes, because "most terrorists are Muslim" is logically equivalent to "most Muslims are terrorists"

    Wait a minute...


    That is precisely the point of profiling them in high-security environments, as opposed to taking more drastic measures like, say, interning all of them, which would be necessary if the second condition were true.

    Just a difference of degree, I'd say. The point is that you'd be about as well off screening all men as all Arabs. Random searches are not very useful, though, I think. I understand the motivation behind them, I just feel like it's such a crapshoot that you'd actually snag someone with incriminating paraphernalia (whether you screen only Muslims or not) that it serves little actual purpose.



  • @morbiuswilters said:

    @Aaron said:

    @toth said:

    Yes, because "most terrorists are Muslim" is logically equivalent to "most Muslims are terrorists"

    Wait a minute...


    That is precisely the point of profiling them in high-security environments, as opposed to taking more drastic measures like, say, interning all of them, which would be necessary if the second condition were true.

    Right.  I'm not just saying we should profile only Muslims in high-security situations.  What I find ridiculous is this politically correct notion that we should assume the 80-year-old vet in a wheelchair is as likely to blow up a plane as the 24-year-old Muslim.  To me, the high-risk groups are:

    - young (under 40)

    - male

    - most likely unmarried

    - probably middle-class

    - holding radical political or religious views


    Guess what?  I fit into the first 4 groups.  Should I be given closer scrutiny than the 30-something mom who is flying with her obnoxious crotchfruit?  Hell yes.  Now, when it comes to religion or political ideology, it's a bit harder to discern.  You can probably tell someone is Muslim by the way they dress, but IIRC, none of these terrorist shitbags has gone onto the plane dressed like Aladdin.  Of course, being Arab would certainly be a bit of a tip-off, even if they're dressed in jeans and button-up shirts like the 9/11 hijackers were.  I'm not saying every Arabesque person should be strip searched, but if they fit the profile, maybe it would be worth it to ask them a few more questions than is normal or look at their bags a little more closely.


    What we do now not only makes little sense from a security perspective, but it's also stupid from a psychological one.  Anyone who is going to hijack a plane is going to be a bit nervous as it is, but the TSA is going to go out of its way to ignore any warning signs from young, male Arabs simply so they don't get sued or called racist or what-have-you.  And the thing is, any potential terrorist knows this.  They know they're going to be waved through security with nary a glance while the agents desperately look for some old, crippled woman whose wheelchair they can pull apart looking for bomb components.  Not only does this bullshit keep guards from doing the proper screening they should be doing, but if there are any young, male Arabs in the line who have ambitions to take down a plane, they know that they will receive the least scrutiny simply because the ACLU has terrified the TSA bureaucrats to the point where nobody on the ground would risk a PR fiasco by looking more carefully at the guy who is most likely to kill everyone.

    ITT: Typical conservatard ACLU-bashing.



  • @toth said:

    ITT: Typical conservatard ACLU-bashing.
    Not really. He seems to be bashing the idiots at the TSA that let political correctness (and fear of getting sued by the ACLU) get in the way of properly securing our airports. Personally, I just wish that the government was more afraid of the ACLU’s lawsuits about warrantless wiretapping and other blatantly unconstitutional activity and stopped doing that instead.



  • "TL;DR" would have been quicker to type.



  • @toth said:

    ITT: Typical conservatard ACLU-bashing.
    Not really. He’s more bashing the bureaucrats at the TSA that are so afraid of getting sued by the ACLU (or anybody with a discrimination claim) that they consciously make bad, politically-correct decisions that negatively influence the actual security of our airports.



  • @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.



  • @morbiuswilters said:

    @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.

    So what organization does?


  • @snover said:

    Personally, I just wish that the government was more afraid of the ACLU’s lawsuits about warrantless wiretapping and other blatantly unconstitutional activity and stopped doing that instead.

    What's interesting is that the ACLU is anti-strict-constructionist when it comes to most issues, but not when it comes to warrantless wiretapping.  After all, warrantless wiretapping has been deemed constitutional by the Bush and Obama administrations, both a Republican- and a Democrat-majority Congress and by the Supreme Court.


    Now, no sane person could argue that any of those actors were strict constructionists, but I find it curious that all the talk about the Constitution being a "living document" goes out the window when the ACLU finds something it doesn't agree with.  Basically, they're fine with activist judges when it comes to things they like, but have a problem with flexible interpretations of the law if they don't get their way.



  • @snover said:

    @morbiuswilters said:

    @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.

    So what organization does?

    Is that supposed to be an argument?  Amazingly, having the words "civil liberties" appear in their name does not automatically make them an infallible authority on liberty.  The ACLU has a disgraceful history of fighting the 2nd Amendment (guess that's not a civil liberty), opposing economic free enterprise and doing their best to neuter the ability of law enforcement to apprehend and charge violent criminals.  In fact, that's precisely why I brought the ACLU up in the first place: because they are at the forefront of the movement to treat airport security as some kind of exercise in political correctness rather than a necessary annoyance to stop murder.  They've advocated for the closing of Guantanamo Bay and the release of hundreds of dangerous terrorists with no regard for the reality of trying to fight a war on terror.  Their concern is first and foremost a laundry list of rights that they believe mass murderers are entitled to, whatever the cost in civilian and law enforcement lives lost.  They've used the fear of lawsuits to instill bureaucratic paralysis within law enforcement and the military, with predictable results such as institutional inaction concerning a clearly unbalanced Muslim in the military who praised jihad and condemned "infidels" in long-winded rants to his colleagues before he hauled off and gunned over a dozen of them down.  To believe that the ACLU is not partially responsible for an environment where a man like this is ignored amid fears of discrimination lawsuits is potent ignorance.



  • @morbiuswilters said:

    Is that supposed to be an argument?
    No, it was a genuine question. Not everybody is out to get you, I promise. :) I seriously don’t know of any organisation other than the ACLU that fights to maintain so many of our various constitutional rights, so if you do, I would love to know about them.

    @morbiuswilters said:

    Amazingly, having the words "civil liberties" appear in their name does not automatically make them an infallible authority on liberty.  The ACLU has a disgraceful history of fighting the 2nd Amendment (guess that's not a civil liberty), opposing economic free enterprise and doing their best to neuter the ability of law enforcement to apprehend and charge violent criminals.
    Law enforcement would have an easier time of it if we just allowed 1984, put cameras and microphones in every home, and allowed police to monitor, record, and interrogate anyone they wanted with no checks or balances—but such a system would be tyranny, prone to rampant abuse (even more than our current system, which is far from perfect in that area).

    I sometimes wonder how so many people have seemingly completely forgotten the Cold War and all the propaganda about how America was “better” because we were “free” and didn’t, for example, require papers to travel within the country—and now we have checkpoints 100 miles inside the border, the government is still pushing to implement national IDs, and the FBI are wiretapping people without warrants, oversight, or accountability. Is that all really a-OK with you? Just because the police need to rise to a reasonable burden of proof and get a warrant before they go snooping on people doesn’t mean it’s not possible to stop crime—we’ve been doing it successfully for hundreds of years, with far fewer surveillance and forensic tools than are available today.


    @morbiuswilters said:

    In fact, that's precisely why I brought the ACLU up in the first place: because they are at the forefront of the movement to treat airport security as some kind of exercise in political correctness rather than a necessary annoyance to stop murder.
    But it is that. Well, assuming by “political correctness” you mean security theatre. Commercial air travel was extremely safe for the decades of flight before September 11, and it would likely be just as safe now without any of the changes that were made post-9/11. I don’t think that all of the changes were completely foolish (securing cockpit doors, for example: probably a good idea). However, in my opinion, a lot of them were kneejerk reactions to make people feel safe without actually making them safe.

    The fact of the matter is that it is not possible to conclusively prove or disprove that the new security policies have done anything beneficial since there has not been another hijacking originating in this country, but it is possible to prove at least some harm (waste, detainment without cause, no-fly lists), and it is also possible to prove that, at best, most of these policies are completely ineffective at actually preventing terrorism. At worst, they actively distract us from enacting meaningful security restrictions. When you have people carrying huge knives into the cabin because the TSA is more concerned about investigating somebody’s water bottle, for example, the system is not working—and that has nothing to do with the ACLU.


    @morbiuswilters said:

    They've advocated for the closing of Guantanamo Bay and the release of hundreds of dangerous terrorists with no regard for the reality of trying to fight a war on terror.  Their concern is first and foremost a laundry list of rights that they believe mass murderers are entitled to, whatever the cost in civilian and law enforcement lives lost.
    Unfortunately, many of the “dangerous terrorists” at Guantánamo are not terrorists. If they are actual terrorists, then there should not be a problem taking them to a real court and giving them a proper conviction and sentencing, instead of holding them indefinitely without cause or the right to a fair trial.

    Nobody—not even the ‘crazies’ at the ACLU—wants to allow actual dangerous criminals to go free, but the problem is that the government is quite keen to take this sort of dragnet approach where they pick up as many people as possible with little to no evidence and then torture them or let them rot in a cell for years when they have done nothing wrong. And that’s not speculation—as time goes on, we see more and more reports of people who have suffered under extraordinary rendition and other similar programmes because the military was too stupid and short-sighted to do due diligence beforehand, and left too unregulated to do some really abhorrent things to people under their care.


    @morbiuswilters said:

    They've used the fear of lawsuits to instill bureaucratic paralysis within law enforcement and the military, with predictable results such as institutional inaction concerning a clearly unbalanced Muslim in the military who praised jihad and condemned "infidels" in long-winded rants to his colleagues before he hauled-off and gunned over a dozen of them down.  To believe that the ACLU is not partially responsible for an environment where a man like this is ignored amid fears of discrimination lawsuits is potent ignorance.
    I’m sorry, but that’s like saying the NRA is partially to blame every time a criminal manages to buy a gun and shoots somebody.



  • @morbiuswilters said:

    @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.

    Let me guess: they're secretly trying to overthrow the government and turn it into a godless communist dictatorship where people are allowed to marry box turtles?



  • @toth said:

    @morbiuswilters said:

    @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.

    Let me guess: they're secretly trying to overthrow the government and turn it into a godless communist dictatorship where people are allowed to marry box turtles?

    Ah, I see you've read our newsletter.



  • @bstorer said:

    @toth said:

    @morbiuswilters said:

    @toth said:

    ITT: Typical conservatard ACLU-bashing.

    If you had any clue about the ACLU and their purpose, you would know the organization doesn't give a shit about preserving civil liberties.

    Let me guess: they're secretly trying to overthrow the government and turn it into a godless communist dictatorship where people are allowed to marry box turtles?

    Ah, I see you've read our newsletter.

    Read it? I buy ad space in it.

    I'm looking for a nice box turtle to share my life with.



  • @snover said:

    I’m sorry, but that’s like saying the NRA is partially to blame every time a criminal manages to buy a gun and shoots somebody.

    mmm (scratches head and thinks)

