MyWTF



  • A colleague just showed me a representative snippet from a home-grown accounting application:

       // Values from the form controls are concatenated straight into the SQL text;
       // nothing on this path escapes or parameterizes them.
       string newOrderID = label_order_id.Text.Replace("# ", "");
       string sqlCmd = "UPDATE objednavky SET " +
         "invoice_id='" + newOrderID + "', " +
         "invoice_notes='" + invoice_notes.Text + "', " +
         "invoice_created='" + strCreated + "', advance_created='" + strCreatedAdv + "', " +
         "f_company='" + f_company.Text + "', f_address='" + f_address.Text + "', f_city='" + f_city.Text + "', " +
         "f_zip='" + f_zip.Text + "', f_state_id='" + f_state_id + "', ico='" + ico.Text + "', dic='" + dic.Text + "', " +
         "d_company='" + d_company.Text + "', d_address='" + d_address.Text + "', d_city='" + d_city.Text + "', " +
         "d_zip='" + d_zip.Text + "', d_state_id='" + d_state_id + "', notes='" + notes.Text + "', " +
         "payment='" + payment + "', state_id='" + state + "', " +
         "include_vat='" + (include_vat.SelectedItem.ToString() == "yes" ? "1" : "0") + "', " +
         "due='" + due.Value.ToString() + "', account_id='" + ((ItemStruct)cbAccount.SelectedItem).id + "', " +
         "currency='" + cbCurrency.SelectedItem.ToString() + "', " +
         "charge_incl=" + (cChargeIncl.Checked ? "1" : "0") + ",  " +
         "n_delivery='" + tbNDelivery.Text + "', " +
         "credit='" + (cbCredit.Checked ? "1" : "0") + "', " +
         "credit_invoice_id='" + relOrderID + "' " +
         "WHERE id='" + drOrder["id"].ToString() + "'";

       MyFunctions.SQLquery(ref conn, sqlCmd, parentStatusBar);


    (the query itself is slightly anonymized by translating the column names from our native language to English, the last line is exactly as it was)

    1. It is surprising that we only ran across Little Bobby Tables after the roughly 10 years that the company and that abomination have existed (it is not public facing, so it is not a security threat; we have other programs for that).

    2. A programmer who creates a class named MyFunctions should be shot on the spot. In our case it actually most likely was the founder (who lost the company to the single worst strategic mistake).

    3. In some places, apostrophes are escaped, like f_company.Text.Replace("'", "\\'"). In others, like above, they are not.
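For contrast with the snippet above, here is the same kind of UPDATE written with ADO.NET parameters. This is an added example, not code from the original post or from the application it describes: it assumes an open `DbConnection` (`conn`) for whatever ADO.NET provider the application uses, keeps the `objednavky` table and a reduced set of the column names from the snippet, and assumes column types (`include_vat` as a boolean, `due` as a date/time) that the original, which quotes everything as a string, does not actually tell us.

```csharp
using System;
using System.Data;
using System.Data.Common;

// Added example (not from the original post). Assumes an open DbConnection
// "conn" and a reduced set of the columns seen in the concatenated query.
public static class OrderUpdate
{
    // Builds the UPDATE with named parameters. The SQL text contains only
    // placeholders; every user-typed value travels as a parameter value, so an
    // apostrophe in an address is plain data to the driver and the server and
    // can neither break the statement nor change its meaning.
    public static DbCommand BuildUpdateCommand(DbConnection conn,
        string orderId, string invoiceNotes, string fCompany, string fAddress,
        bool includeVat, DateTime due, string rowId)
    {
        DbCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "UPDATE objednavky SET " +
            "invoice_id = @invoice_id, " +
            "invoice_notes = @invoice_notes, " +
            "f_company = @f_company, " +
            "f_address = @f_address, " +
            "include_vat = @include_vat, " +
            "due = @due " +
            "WHERE id = @id";

        AddParam(cmd, "@invoice_id", DbType.String, orderId);
        AddParam(cmd, "@invoice_notes", DbType.String, invoiceNotes);
        AddParam(cmd, "@f_company", DbType.String, fCompany);
        AddParam(cmd, "@f_address", DbType.String, fAddress);
        // Booleans and dates get typed parameters instead of a quoted "1"/"0"
        // or a culture-dependent ToString() spliced into the statement text.
        AddParam(cmd, "@include_vat", DbType.Boolean, includeVat);
        AddParam(cmd, "@due", DbType.DateTime, due);
        AddParam(cmd, "@id", DbType.String, rowId);
        return cmd;
    }

    // Provider-neutral parameter creation via the DbCommand factory method.
    private static void AddParam(DbCommand cmd, string name, DbType type, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.DbType = type;
        p.Value = value ?? DBNull.Value;
        cmd.Parameters.Add(p);
    }

    // Typical call site: the form handler passes the control values through,
    // and the command is executed on the same open connection.
    public static int UpdateFromForm(DbConnection conn, string orderId,
        string invoiceNotes, string fCompany, string fAddress,
        bool includeVat, DateTime due, string rowId)
    {
        using (DbCommand cmd = BuildUpdateCommand(conn, orderId, invoiceNotes,
            fCompany, fAddress, includeVat, due, rowId))
        {
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The `@name` placeholder syntax is what SQL Server and the MySQL connector accept; other providers use `?` or `:name`, so the placeholder prefix has to match the driver in use. This also removes the need for the per-field `Replace("'", "\\'")` escaping mentioned in point 3, which is fragile on its own: backslash escaping is a MySQL-specific convention (standard SQL doubles the quote instead), it says nothing about backslashes in the input, and, as the snippet shows, hand-applied escaping is only ever applied to some of the fields.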



  • Oh, and I should add the solution I suggested:

    Just replace U+0027 APOSTROPHE with U+2032 PRIME in the database and be done with it.

    The point is we need to print an invoice, the printing fails because of the above code exploding on an apostrophe in an address, and we would like to get rid of the PoS anyway (we also have a Joomla+Virtuemart-based e-shop, so we are in the process of making all orders go through it), so we don't want to spend much effort fixing it.



  • One more update.

    For some strange reason the database did not like U+2032 PRIME. It accepted U+2019 RIGHT SINGLE QUOTATION MARK though.


  • area_pol

    Looks like every SQL query on Tizen.



  • @Bulb said:

    it is not public facing, so it is not a security threat

    Yes it is! The threat is just from inside.



  • This is a small company. All the cowboys here have administrator password to the database. No need to exploit bugs like this.



  • @Bulb said:

    All the cowboys here have administrator password to the database.

    @Bulb said:

    home-grown accounting application

    Uh, the accountants would also be a threat. Though if you are including them in the cowboys, then there are additional issues to worry about.



  • @locallunatic said:

    Uh, the accountants would also be a threat. Though if you are including them in the cowboys, then there are additional issues to worry about.

    This is a small company. The invoices are usually done by the owner himself, the assistant, or now the one other salesman we have. I believe the external accountant does not work with this, only exports from it.



  • @Bulb said:

    The invoices are usually done by the owner himself, the assistant, or now the one other salesman we have.

    That reduces the threat area of the security hole, but you had stated:

    @Bulb said:

    it is not public facing, so it is not a security threat

    Which is a bald faced lie. It may not be something that is worth spending time on due to the range of attackers, but it is still a threat even if it is a dismissed one.



  • Well, yes, in the strict sense, it is. We have much bigger security holes all over the place, so we don't care much about this one.

    As I said, we are trying to get rid of it and switch all invoices to go through the e-shop we already have. Which requires rewriting some licensing code to use the shop also in cases where it still uses the old system, but since we are hitting limits of the old system, we fortunately have an excuse to do it.



  • @locallunatic said:

    bald faced lie

    :wtf:

    Oh



  • Well, at least you aren't blakey and bothered to take a look; I'm assuming the link is to the top Google result?


  • FoxDev

    The title on that page appears pver the moddle of the article :wtf:



  • MPRE{RP



  • Well, as always, with words, there is disagreement.

    However, the most common interpretation is that

    bare-faced/bald-faced means telling a lie, knowing it is a lie, without shame.

    bold-faced means telling a lie, and drawing attention to it.

    Drawing attention to it doesn't necessarily imply "without shame", so there is a slight difference, but I'm not so sure the difference is enough to bother making sure you are saying the right one, for most uses of either phrase. Of course, you can lie without shame, and not bring attention to it.



  • @xaade said:

    Of course, you can lie without shame, and not bring attention to it.

    It was in a parenthetical (not attention) and was defended. Pretty sure I used the right one.



  • Sorry for the tangent; I was just curious.

    @hungrier said:

    MPRE{RP

    Oh, come on. Why do I have to google everything?


  • Java Dev

    @hungrier said:

    MPRE{RP

    <abbr> tag requested.



  • It was a NOREPRO regarding the

    @RaceProUK said:

    title on that page appears pver the moddle of the article

    written in the style of

    @RaceProUK said:

    pver the moddle


  • FoxDev

    Oh, now the image loads! :rolleyes:



  • Also, table names in Czech/Slovak, everything else within tables and the app in English?



  • @sh_code said:

    Also, table names in Czech/Slovak, everything else within tables and the app in English?

    @Bulb said:

    (the query itself is slightly anonymized by translating the column names from our native language to English, the last line is exactly as it was)

    Columns were also in Czech in the original. I translated them to make it clearer what it is about and at the same time not to match the actual code. I missed the table name when doing it.



  • Probably the strange reason is that the database encoding is not Unicode but cp1252 or similar, which contains U+2019 but not U+2032 :)
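A quick way to confirm that hypothesis from the client side is to ask the code page itself whether a character has a mapping. The following is an added example, not code from the thread or the application: it assumes .NET Core / .NET 5+ with the System.Text.Encoding.CodePages package (on .NET Framework the `RegisterProvider` line is unnecessary and should be dropped), and it uses exception fallbacks so that an unmappable character is reported instead of being silently replaced with `?`, which is what a default `Encoding` instance would do.

```csharp
using System;
using System.Text;

// Added example (not from the original thread): checks whether a string can
// be stored losslessly in a legacy single-byte code page such as Windows-1252.
public static class CodePageCheck
{
    // Returns true if every character of "text" has a mapping in the code page.
    // ExceptionFallback makes GetBytes throw on an unmappable character instead
    // of substituting a replacement character, so the check cannot pass by accident.
    public static bool IsRepresentable(int codePage, string text)
    {
        Encoding enc = Encoding.GetEncoding(codePage,
            EncoderFallback.ExceptionFallback, DecoderFallback.ExceptionFallback);
        try
        {
            enc.GetBytes(text);
            return true;
        }
        catch (EncoderFallbackException)
        {
            return false;
        }
    }

    // Returns the first character of "text" that the code page cannot represent,
    // or null if all of them fit; useful for pinpointing which substitution broke.
    public static char? FirstUnmappable(int codePage, string text)
    {
        foreach (char c in text)
        {
            if (!IsRepresentable(codePage, c.ToString()))
            {
                return c;
            }
        }
        return null;
    }

    public static void Main()
    {
        // Required on .NET Core / .NET 5+ before legacy code pages can be used;
        // on .NET Framework they are built in and this line should be removed.
        Encoding.RegisterProvider(CodePagesEncodingProvider.Instance);

        const int windows1252 = 1252;
        // Constructed sample values: the two substitute characters from the thread,
        // U+2019 RIGHT SINGLE QUOTATION MARK and U+2032 PRIME, in a street address.
        string withRightQuote = "12 O\u2019Brien Street";
        string withPrime = "12 O\u2032Brien Street";

        Console.WriteLine("U+2019: representable in cp1252 = "
            + IsRepresentable(windows1252, withRightQuote));
        Console.WriteLine("U+2032: representable in cp1252 = "
            + IsRepresentable(windows1252, withPrime));

        char? bad = FirstUnmappable(windows1252, withPrime);
        if (bad.HasValue)
        {
            Console.WriteLine("First unmappable character: U+"
                + ((int)bad.Value).ToString("X4"));
        }
    }
}
```

Windows-1252 does have a slot for U+2019 (byte 0x92) but none for U+2032, which matches the behaviour reported in the thread. The same check is worth running against whatever the database's actual column or connection character set is, since the conversion can happen in the driver before the server ever sees the string.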



  • That is, indeed, quite possible.



  • @Bulb said:

    it is not a security threat; we have other programs for that

    :rofl:


  • Notification Spam Recipient

    @Bulb said:

    it is not public facing, so it is not a security threat; we have other programs for that

    Specialized security threat programs, I like that.



  • Oh, sorry, I didn't notice that sentence :-D

