Opt-out wtf



  • Today I recieved one of those newsletter-ish spam mails, with those little "Click here to get out of the list" links at the bottom. Out of paranoia, I didn't want to click, so I just copied the link and removed the parameters, just to see what would happen:

    http://asp.isprit2.de/ff/us_1.php

    <font size="3"><!-- ErrorCode: 1064</font>
    <font size="3"> Description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
    SELECT e.ENTITY_ID,p.PERSON_ID,LOGO_URL FROM ENTITY e, PERSON p, MESSAGE m WHERE e.ENTITY_ID = p.ENTITY_ID AND p.PERSON_ID = m.PERSON_ID AND m.MSG_ID =

    --></font>

    And as if echoing your SQL errors back to your visitor wasn't bad enough, the application also seems to copy the parameters right into the Query string.... kind of scary if you ask me.



  • @halcyon said:

    And as if echoing your SQL
    errors back to your visitor wasn't bad enough, the application also
    seems to copy the parameters right into the Query string.... kind of
    scary if you ask me.
    <font size="5">T</font>hat's a nice clear error for a developer to see but it shoud be placed in a log file and replaced with a generic error mesage.




  • If it is a spammer, I suppose it would be quite tempting to test their site for protection against sql-injection attacks...



  • Something like
    MSG_ID=''; DROP TABLE PERSON;
    would be fun 🙂



  • Except that MySQL doesn't let you do send more than one query in one packet.



  • http://asp.isprit2.de/ff/us_1.php now just reads "sorry! something went wrong :("

    maybe they read tdwtf!



  • This is funny in itself, but what's even funnier is that apparently spammers read TDWTF. Should we throw them a welcoming party or something, wheel out goggles full of spam and 'BRILLANT' banners and hats? (hey - those aren't a bad idea - cafepress t-shirts and hats with 'BRILLANT' or 'My eyes! The goggles, they do nothing!' on them).



  • @nickf said:

    http://asp.isprit2.de/ff/us_1.php now just reads "sorry! something went wrong :("

    maybe they read tdwtf!


    View the source of the page.  It still has the comment mentioned above. 



  • El Foo said:



    This is funny in itself, but what's even
    funnier is that apparently spammers read TDWTF. Should we throw them a
    welcoming party or something, wheel out goggles full of spam and
    'BRILLANT' banners and hats? (hey - those aren't a bad idea - cafepress
    t-shirts and hats with 'BRILLANT' or 'My eyes! The goggles, they do
    nothing!' on them).

    ---



    Try this link



    http://www.cafepress.com/thedailywtf -- its on the homepage for ages


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.