SQL injection license plate?



  • It's mildly amusing, but why would anyone do this: http://pixelstech.net/article/index.php?id=1334985588?


  • Discourse touched me in a no-no place



  • Won't work, but funny idea. (I have worked with number plate OCR, and this plate lies outside of the detection area, and even if the OCR did match the right string it would fail the number plate regexp.)



  • Paging Little Bobby Tables Rosie!



  • The site appears to be down, what was on it?



  • @ASheridan said:

     The site appears to be down, what was on it?

    Someone had pasted an SQL injection string over his (her???) license plate. No idea why.



  • @TGV said:

    No idea why.
    For the lulz, I assume.

    For the record, we laughed.

    I don't think it would ever work, but seeing this sure made my post-lunch-daily-wtf-browse worth it.



  • @TGV said:

    This post would get me banned from SA

    And how!



  • @pkmnfrk said:

    @TGV said:
    This post would get me banned from SA

    And how!

    TL;DR



  • @TGV said:

    It's mildly amusing, but why would anyone do this: http://pixelstech.net/article/index.php?id=1334985588?

    Just to be a dick, of course.


  • Garbage Person

    One of my colleagues is writing an app that processes captured license plate photos. This particular setup (since we're doing the recognition in post-process, not in the camera like a proper ANPR system) absolutely would twig on that image. It also likes to try the writing on the side of trucks and some bumper stickers, until it finds a string that looks like a valid plate. And our regex engine is implemented in the database. I should remind him to sanitize that particular input (our SOP is 'don't sanitize input unless circumstances require otherwise' because the data comes from supposedly-trusted external entities (I know. This is stupid. But our custom-built in-house development language doesn't do parameterized queries and I haven't had time to hack an extension together.))


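The setup described in the post above (OCR output handed to a query that is assembled as text, with no parameterized queries available) as an added example, not code from the thread or from that team: a constructed in-memory sqlite3 table with an assumed, simplified plate regexp, showing the concatenated lookup beside a version that whitelists the OCR string and binds it as a parameter.

```python
import re
import sqlite3

# Constructed sample data: a few plates in a "sightings" table.
PLATES = ["WX12345", "KR98765", "PO55555"]

# Constructed OCR output that is not a plate at all but a query fragment.
INJECTED = "' OR '1'='1"

# Assumed, simplified plate format (letters then digits); real formats vary.
PLATE_RE = re.compile(r"^[A-Z]{1,3}[0-9]{3,5}$")


def make_db():
    """Build the sample database so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sightings (plate TEXT, owner TEXT)")
    db.executemany("INSERT INTO sightings VALUES (?, ?)",
                   [(p, f"owner-{i}") for i, p in enumerate(PLATES)])
    return db


def lookup_concat(db, ocr_text):
    """Vulnerable: the OCR string is spliced straight into the SQL text,
    so anything the camera reads becomes part of the query."""
    sql = f"SELECT plate FROM sightings WHERE plate = '{ocr_text}'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, ocr_text):
    """Hardened: reject anything that is not plate-shaped, then pass the
    value as a bound parameter so it can only ever be compared as data."""
    if not PLATE_RE.fullmatch(ocr_text):
        return []
    rows = db.execute("SELECT plate FROM sightings WHERE plate = ?",
                      (ocr_text,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("concat, real plate:", lookup_concat(db, "WX12345"))
    print("concat, injected  :", lookup_concat(db, INJECTED))
    print("param,  injected  :", lookup_param(db, INJECTED))
```

The concatenated lookup returns every row for the injected string because the quote closes the literal and the rest is parsed as SQL; the parameterized lookup never reaches the database with it.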

  • @Weng said:

    we're doing the recognition in post-process, not in the camera like a proper ANPR system

    @Weng said:
    It also likes to try the writing on the side of trucks and some bumper stickers, until it finds a string that looks like a valid plate.

    @Weng said:
    And our regex engine is implemented in the database.

    @Weng said:
    our SOP is 'don't sanitize input unless circumstances require otherwise' because the data comes from supposedly-trusted external entities

    @Weng said:
    our custom-built in-house development language

    @Weng said:
    doesn't do parameterized queries

    I think you won the contest for "Most WTFs in a single paragraph".



  • According to the first place I saw this - months ago, so I don't remember where exactly - it was an employee who worked on the database, and warned about the WTFs present in the system.

    Nobody believed him, so this was done as proof of concept. Also, supposedly it took place in Poland.



  • @GrizzlyAdams said:

    According to the first place I saw this - months ago, so I don't remember where exactly - it was an employee who worked on the database, and warned about the WTFs present in the system.

    Nobody believed him, so this was done as proof of concept. Also, supposedly it took place in Poland.

    This is in some ways the informatic equivalent of the setup someone allegedly rigged in their car with a radar detector wired to some transmitter kit, powered from a bank of enormous capacitors, set up to trigger a massive burst transmission when it detects a police radar - the idea being that the front end of the police radar will overload and blow up with such an enormous signal...

    [The numberplate certainly seems to be Polish.]



  • @morbiuswilters said:

    @Weng said:
    we're doing the recognition in post-process, not in the camera like a proper ANPR system
    @Weng said:
    It also likes to try the writing on the side of trucks and some bumper stickers, until it finds a string that looks like a valid plate.
    @Weng said:
    And our regex engine is implemented in the database.
    @Weng said:
    our SOP is 'don't sanitize input unless circumstances require otherwise' because the data comes from supposedly-trusted external entities
    @Weng said:
    our custom-built in-house development language
    @Weng said:
    doesn't do parameterized queries

    I think you won the contest for "Most WTFs in a single paragraph".

    Weng? Give snoofle my regards when you bump into him at work, will you?


  • Garbage Person

    @morbiuswilters said:

    I think you won the contest for "Most WTFs in a single paragraph".

    I could do much worse, actually. I've been trying to, but it's hard to anonymize this shit. Many of our WTFs are one-of-a-kind and anyone (thousands of developers) from entire arms of several companies could easily identify my team from any of those elements, even if by reputation only. And there are only fifteen of us.

    Snoofle has a lot of political bullshit. I have a truckload of technical bullshit.



  • Write it up, anyway.

    Just don't publish it until you're due to leave.


  • Garbage Person

    @Cassidy said:

    Write it up, anyway.

    Just don't publish it until you're due to leave.

    This is a sensible alternative, especially because I signed up to be a faceless cog-in-the-machine C# line developer with pay to match. Meanwhile, I've written about twenty lines of C# in almost 9 months and become one of the world's foremost experts on two proprietary domain-specific languages (easily top 5) and top 1000 or so for a galactically ancient stack-based "standard" language. They don't pay me for that level of expertise (though I understand their full-time rates beat the piss out of their contractor rates, and I might actually accept a conversion offer because it's kind of fun in a sadistic way.)
