The Daily WTF
Wim works on a web app with a problem. Specifically, the error log is the fastest growing file on the system. Well, perhaps that’s not the problem, but actually a symptom. Like so many applications, it’s a PHP web app with a MySQL backend, and the previous developer made… choices.
```php
// Both $type_juridiction and $enr[23] are interpolated into the SQL text unescaped.
$sqlisgt = "insert into ser_gen_tj values (4, '$type_juridiction', '$enr[23]', 'O')";
```
There’s your SQL injection vulnerability. Just dump variable values directly into SQL statements, what could go wrong?
Well, one problem is that this application sometimes needed to handle names. Names, especially in French, frequently contain a `'` (think D'Arcy or L'Heureux). So this wouldn't work:
```php
// $nom goes straight into the single-quoted literal; a ' in the name ends the literal early.
$sql = "INSERT INTO personne VALUES ('$matricule','$nom','$prenom','$tel',Null);";
```
A single quote in $nom breaks the query: the literal closes early and the statement becomes syntactically invalid, so MySQL rejects it and the failure gets written to the error log. That is why the log file was the fastest growing set of data in the system. But the developer responsible "fixed" this, don't you worry.
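To make the two failure modes concrete, here is an added example (not code from the article or from Wim's application) that reproduces the personne insert in Python with an in-memory SQLite database standing in for MySQL, since the behaviour is the same: a legitimate French name with an apostrophe makes the interpolated statement fail to parse, while an attacker-chosen name rewrites the statement so the attacker controls the other columns. The parameterized version handles both. The table schema, the names and the payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: a legitimate name that the interpolated query chokes on,
# and an attacker-controlled "name" that closes the VALUES list early and comments
# out the rest of the statement, so the attacker picks the prenom and tel columns.
LEGIT = {"matricule": "M001", "nom": "D'Arcy", "prenom": "Jean", "tel": "0102030405"}
EVIL = {
    "matricule": "M002",
    "nom": "x','x','ATTACKER-CHOSEN-TEL',NULL)--",
    "prenom": "Jean",
    "tel": "0102030405",
}


def fresh_db():
    """New in-memory database with the five-column personne table the article implies."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE personne (matricule TEXT, nom TEXT, prenom TEXT, tel TEXT, extra TEXT)"
    )
    return conn


def insert_interpolated(conn, p):
    """The article's pattern: values pasted straight into the SQL text."""
    sql = "INSERT INTO personne VALUES ('%s','%s','%s','%s',NULL)" % (
        p["matricule"], p["nom"], p["prenom"], p["tel"])
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, p):
    """The fix: the driver sends values separately, so quotes in them are just data."""
    conn.execute(
        "INSERT INTO personne VALUES (?,?,?,?,NULL)",
        (p["matricule"], p["nom"], p["prenom"], p["tel"]),
    )
    conn.commit()


def row_for(conn, matricule):
    return conn.execute(
        "SELECT nom, prenom, tel FROM personne WHERE matricule = ?", (matricule,)
    ).fetchone()


def try_insert(insert_fn, p):
    """Run one insert strategy on a fresh database.

    Returns ("error", message) when the statement fails to parse (the log-filling case),
    or ("ok", (nom, prenom, tel)) showing what actually landed in the table.
    """
    conn = fresh_db()
    try:
        insert_fn(conn, p)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("ok", row_for(conn, p["matricule"]))


if __name__ == "__main__":
    for label, p in (("legit", LEGIT), ("evil", EVIL)):
        print(label, "interpolated:", try_insert(insert_interpolated, p))
        print(label, "parameterized:", try_insert(insert_parameterized, p))
```

Running it shows the apostrophe name failing with a syntax error under interpolation and being stored intact under parameterization; the attacker's payload becomes a row with `prenom` and `tel` of the attacker's choosing under interpolation, and is stored as one harmless (if odd) string under parameterization. Escaping the value before interpolating it would also stop both cases, but only if every call site remembers to do it; the prepared statement makes the quoting the driver's job.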
```php
$sql = "INSERT
```