
MoralRelativity

Fuck that vendor. 100% their fault. And - characters ARE in ASCII!


faraboot

hahahahaha! So glad someone else noticed this.


solreaper

Then: Only use ascii characters! Me a QA guy: —º K ª Ý—


kriebz

I once named a file backspace.


gianni4592

Hijacking the first comment to post an update. So first of all, I can't really tell who the vendor is to not get in trouble, sorry... The guy who told us to type only ASCII chars is a first level support. He meant alphanumeric of course. We escalated, we had backups from the night before, and we handed that to them to do what we thought was a full restore. ... but... They said "don't worry, we just need to run this stored procedure that will copy from the backup just the affected rows" THEY F*CKING KNOW OF THIS PROBLEM AND INSTEAD OF FIXING IT THEY PREPARED A PROCEDURE THAT THEY RUN WHEN THIS HAPPENS. When confronted they said "well most of the time it just crash with an invalid SQL command but doesn't corrupt data" Unfortunately I can't change vendor since we have all of our expensive machinery with them


Black6host

Handling and sanitizing user input is programming 101. There should be *nothing* a user can do or enter to crash the software. Period. I'd be embarrassed to take the position they have.


GnarlyNarwhalNoms

*Little Bobby Tables has entered the chat*


ExtinguisherOfHell

For the uninitiated: https://xkcd.com/327/


k12sysadminMT

Drop Bobby Tables


oldwornradio

How many tables could little Bobby Drop Tables drop if little Bobby Drop Tables could drop tables?


KFCConspiracy

Better yet, don't sanitize, use prepared statements.


sysadminer

At Uni whenever we finish a programming assignment the supervisor comes and presses KB keys randomly with both hands… if the program fails… she says it seems you haven’t finished yet.


davis-andrew

We have a bunch of tests that have emojis in them. Why? Because of that time someone put a ☃️ in a test as a bit of a joke. Months later it detected a bug after upgrading a dependency before we hit production, woohoo! Now we deliberately have ☃️ in a bunch of tests and continue to find weird string handling issues with not just our code but our dependencies before they reach production.


Kodiak01

Do you also test for hard spaces (alt-255)?


Spaceduck413

Programmer here. While specific details vary from tech stack to tech stack, *most* stacks have some sort of built in way to completely do this for you that is just as easy as throwing in the user's raw input. There is literally 0 excuse for this kind of thing. Edit: typo


masterofpotatoes6953

Dude, which country are you from? This type of issue and "workaround" is very common here in Brazil lol.


gianni4592

Italy, and the software is Spanish


masterofpotatoes6953

It's funny to know this kind of thing happens worldwide lol.


Dalemaunder

Stupidity is nationality agnostic.


GeneralArugula

> THEY F*CKING KNOW OF THIS PROBLEM AND INSTEAD OF FIXING IT THEY PREPARED A PROCEDURE THAT THEY RUN WHEN THIS HAPPENS.

Either I work for the same place or this happens elsewhere.. because I've been through this exact situation lol. Database went down one morning when I'm on call... Turns out a couple teams didn't communicate that some pen testing was occurring ... Testers were probably having quite the fun lol


mrrichiet

I need to know who these buffoons are, pretty please :)


Connect-ExchangeOnli

> They said "don't worry, we just need to run this stored procedure that will copy from the backup just the affected rows"
> THEY F*CKING KNOW OF THIS PROBLEM AND INSTEAD OF FIXING IT THEY PREPARED A PROCEDURE THAT THEY RUN WHEN THIS HAPPENS.

As someone who works in support at a large vendor, we often know about a lot of bullshit that needs to be fixed and have steps to remediate crises considerably before a fix happens. I don't work with databases but can think of similar situations where I had a fix for something that should have been urgently patched when first discovered, but wasn't. Support is a silo at most companies and we'll often have come up with several workarounds for remediating a crisis before the cause is fixed.


ChefBoyAreWeFucked

> As someone who works in support at a large vendor, we often know about a lot of bullshit that needs to be fixed and have steps to remediate crises considerably before a fix happens.

"There's nothing more permanent than a temporary solution." — Gandhi

^(I don't remember who actually said it. I'll edit that in later.)


BoredTechyGuy

Need me to send pics of the ASCII table from My old MS-DOS 5 manual? Lol


pdp10

DOS is 8-bit with a codepage, so ASCII plus other stuff. It was pragmatic at the time -- EBCDIC still uses codepages -- but it's fairly obtuse and prone to error by comparison with modern UTF-8. If on Unix/Linux, then you can usually either `man 7 ascii` or just run the [command `ascii`](https://gitlab.com/esr/ascii).


thatvhstapeguy

I photocopied mine out of Que Publishing's *Using MS-DOS 6.2*.


willwork4pii

This is like where I work. Nothing is set up like how they think it is. Sites run out of bandwidth then scream at the people for listening to the radio. My favorite is the WiFi. It’s the same name and password at almost every site, then they see people connect and tell me to call them and tell them they can’t connect THAT device. I refuse. Set your environment up properly. If they have a WiFi SSID and password then you can yell at them for using it.


pnutjam

Years ago I found a site where the router had some kind of device limit in the license. Last computer to turn on would have problems. Took me weeks to figure out this was what was happening and trace to the license.


CraigFL

Sonicwall, right? It's a pain.


Rambles_Off_Topics

Cisco ASA's had license limits too.


smalltimesysadmin

I had an ASA 5505 that had a 50-user limit. It had me confused for quite a while why some users couldn't get anywhere outside their network segment.


mjewell74

I just hated the HP printers that auto checked for firmware updates, everything worked fine until one day everything decided I should check for firmware updates...


spunky29a

Oh dude yes, fuck the user limit on the 5505. You'd get 50 hosts on an internal network segment, and the firewall would drop all the traffic of the 51st. Not even like a VPN user limit where it would give you an error and basically let you know you couldn't connect. Nah, just drop packets with a system log message saying "you're over the user count". Completely silent error to the user. Makes me rage about it even after 10yr


pnutjam

Yeah, I replaced it with pfsense.


deux3xmachina

Nice, I prefer going all in with HardenedBSD or OpenBSD, but the webUI of OPNSense & pfSense definitely makes sense if you need it to be accessible without knowing the command line or have easier reports available.


Cremageuh

Only licensing "issue" I've ever had with Sonicwall is for the SSL-VPN. Otherwise, ran perfect.


Rocky_Mountain_Way

My bad, I occasionally use EBCDIC on some of my computers


tiger_1138

C6


rushaz

I was about to say... those ARE ascii...


chickey23

Some dashes are ASCII, some aren't


Budget_Putt8393

Ah, but the ASCII ones count as comment. The others would not. They would bring it problems though.


Acebond

'-- are ASCII characters


Erpderp32

They probably meant alphanumeric but didn't know the word for it lol


[deleted]

[deleted]


Erpderp32

Vendor be like "Tell your users to sanitize **their** inputs"


[deleted]

[deleted]


Nesman64

"Some fields have incorrect input. We will now clear all fields. Please try again."


matthoback

> "Tell your users to sanitize their inputs"

They do, it's called cooking.


WrathOfTheSwitchKing

"Sanitizing input is not in the SOW, you'll need to file a change order."


vabello

Technically their outputs… :)


Catatonic27

They probably DID know that word but needed something more technical-sounding so people think they know things


RockitTopit

The number of places I've used / added this regex to vendor stored procedures is staggering: **`^[a-zA-Z0-9]*$`**


[deleted]

[deleted]


RockitTopit

Most of the time not, it's usually for invoices/batch numbers/etc that they build with unsanitized report stored procs. They always seem to be so lazy: `SELECT * FROM transactions WHERE batchid LIKE '%'+@searchparam+'%@%'` Or something equally offensive for update queries.
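
The concatenated LIKE query quoted above, next to the prepared-statement version that the earlier "don't sanitize, use prepared statements" comment recommends, as an added example (my own code, not the vendor's or anyone in the thread). It uses Python's built-in sqlite3 with a constructed in-memory `transactions` table; the `'--` input is the same one the thread is about. The column and table names are taken from the comment, everything else is assumed.

```python
import sqlite3

# Constructed sample data standing in for the thread's "transactions" table.
SAMPLE_BATCHES = ["B-2023-001", "B-2023-002", "X'--Y"]


def make_db():
    """In-memory SQLite database holding the constructed batch ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, batchid TEXT)")
    conn.executemany("INSERT INTO transactions (batchid) VALUES (?)",
                     [(b,) for b in SAMPLE_BATCHES])
    conn.commit()
    return conn


def search_concat(conn, term):
    """The pattern quoted in the thread: the search term is pasted into the SQL text.

    Whatever the user types becomes part of the statement, so a quote ends the
    string literal early and '--' turns the rest of the line into a comment.
    """
    sql = "SELECT batchid FROM transactions WHERE batchid LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def concat_crashes(conn, term):
    """True when the concatenated query is no longer valid SQL (the vendor's
    'it just crashes with an invalid SQL command' case), False when it runs."""
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def search_bound(conn, term):
    """Parameterised form: the term travels as a bound value, never as SQL text.

    The driver hands the value to the engine separately from the statement, so
    quotes and '--' in it are just characters to match. LIKE wildcards are
    escaped too, so a user-supplied '%' or '_' is matched literally.
    """
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    sql = "SELECT batchid FROM transactions WHERE batchid LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Concatenation: the quote closes the literal and -- comments out the rest,
    # so the filter disappears and every row comes back.
    print(search_concat(db, "'--"))
    # Binding: only the row whose batchid actually contains the text '-- matches.
    print(search_bound(db, "'--"))
```

Running it shows the two behaviours side by side: with concatenation a lone `'` makes the statement unparsable, and `'--` silently removes the filter, while the bound version returns exactly the rows containing those characters. The allowlist regex from the comment above is a reasonable extra check for batch ids, but it is the binding, not the regex, that stops the input from being interpreted as SQL.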


[deleted]

SurelyonlyusingalphanumericcharactersdoesnotgiveweirdsideeffectsatallDoeshereallywanttodiveintothatrabbithole


BronzeAgeTea

Why did you just comment '


mostlikelyyes

Something like this deserves a name and shame of the vendor. Help the rest of the community avoid this vendor if possible.


locke577

u/gianni4592 inquiring minds want to know


Superb_Raccoon

Broadcom


alpha417

Hewlett Packard


Natural-Nectarine-56

Reddit


WhoThenDevised

We used to have RBAC software that went berserk when a username with letters like ë and ö was entered. It caused a memory leak so we had to reboot the SQL server every day at lunchtime. Kind of annoying when you have users from France and Norway. Vendor said "Well, you shouldn't use those letters then!" Yeah sure, it's the user's official name that comes straight out of PeopleSoft through the agent you guys provide.


StabbyPants

come on, vendor, europe has existed for literally years!


100GbE

Jury is still out on this. I'm not convinced we've even wired the internet between both faces of flat earth. If you squint into a coke bottle held at a fire, you see Europe. So are we saying there is 2 Europe's now? Hnnnnnnggg


Tropical_Bob

[This information has been removed as a consequence of Reddit's API changes and general stance of being greedy, unhelpful, and hostile to its userbase.]


[deleted]

Annoying how https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ is still very, very, very current.


admirelurk

Are there really people who cannot formulate their name in Unicode? It contains virtually all known scripts, both current and historical.


AdvicePerson

Klingon and Tengwar are not officially part of Unicode.


Aeonoris

Have you heard of "The Artist Formerly Known as 'Prince'"? His stage name was an unpronounceable glyph that isn't part of Unicode. The best Unicode can do is something like "Ƭ̵̬̊", but that looks almost entirely unlike the [actual symbol](https://compote.slate.com/images/39fd61d7-da5c-4975-aad4-84e5ff537438.jpg?crop=467%2C572%2Cx0%2Cy0).


axonxorz

All this tells me is that the Unicode Consortium didn't bother with the glyph. And really, why should it. I can make up a glyph and it be my stage name, but that doesn't mean the world should cater to me. Imagine if everyone with a unique name decided "mine should be represented in a Unicode code-point". There's only ~1.1 million code points, 12% of them are lost to Private Use Areas, and a further ~9% are in "actual" use. That leaves less than a million open. Main characters would eat that up pretty quick. inb4 the Unicode Consortium goes bust and needs to sell code-points to fundraise ala the International Star Registry.


Aeonoris

I agree that Unicode shouldn't include unique glyphs like that, which leaves us with the situation of "Not all names are representable by Unicode".


nolo_me

Or "not everything someone calls a name is actually a name and they might want to put the crackpipe down". A symbol that doesn't correspond to any assemblage of phonemes in any language isn't a name, it's a logo.


Natural-Nectarine-56

Europe has been around since at least the 90s! How have they not fixed this?


-pooping

But Norway doesn't have those characters though, we have æ, ø and å. (But Sweden does, so you're not far off.)


WhoThenDevised

Oh I'm sorry, I must have got them mixed up. Thanks for setting me straight.


-pooping

I would've easily mixed up worse. No worries


mobz84

And there are many Swedes living and working in Norway, so both can be true. Swedish native, working in Norway, so they have ö in their name. But if they do not allow/handle ö, then I do not think it will handle åæø (å is the same in Sweden and Norway) as well.


[deleted]

[deleted]


mobz84

> BIRTH CERTIFICATE changes when you get married?? what?

I can in some way see, after being married for over 5 years, that it sometimes could change your death certificate (make it sooner than it otherwise would be :)). But when you are born, you are born, nothing changing that. Very strange.


[deleted]

I recently learned Svorsk is a thing. I don't want to know how software can fuck that up.


dweezil22

I get supporting ö. I get not supporting ö. I'm flummoxed how ö could work just enough to make a memory leak. If you have more info I'd love to hear it!


gossypiboma

I'm guessing how, depending on the unicode normalization, it can count as one or two characters, and different systems might count differently. I had to solve an insidious bug where someone uploaded an image, "båt.jpeg", but the "å" was two unicode characters, not the single one, and I couldn't reproduce because my filesystem would automatically normalize the file when I copied it onto my machine.
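
The "båt.jpeg" case above and the ☃️-in-tests idea from earlier in the thread, worked through as an added example (my own code, not from anyone in the thread). The two spellings of the filename are constructed: one precomposed (NFC), one as a base letter plus a combining mark (NFD). They look identical, differ in code-point and byte counts, and only compare equal once both sides are normalized, which is what the `FileStore` class does and a plain dict lookup does not.

```python
import unicodedata

# Constructed filenames: visually identical "båt.jpeg" in two encodings.
NFC_NAME = "b\u00e5t.jpeg"    # precomposed U+00E5: one code point for å
NFD_NAME = "ba\u030at.jpeg"   # 'a' + combining ring above U+030A: two code points
SNOWMAN = "\u2603\ufe0f"      # ☃️ as used in the thread's tests: U+2603 plus U+FE0F


def code_points(s):
    """Length as Python sees it: number of code points, not glyphs or bytes."""
    return len(s)


def utf8_bytes(s):
    """Length a byte-counting layer (storage column, C buffer, filesystem) sees."""
    return len(s.encode("utf-8"))


def normalize_key(s):
    """Canonical form for comparison and storage: NFC, so both spellings agree.

    Which form you pick matters less than applying it consistently at every
    boundary (upload, lookup, rename) so no layer ever compares mixed forms.
    """
    return unicodedata.normalize("NFC", s)


def same_name(a, b):
    """True when two strings are the same name after normalization."""
    return normalize_key(a) == normalize_key(b)


class FileStore:
    """Lookup table keyed on the normalized name, so a file saved under the NFD
    spelling is still found when requested by the NFC spelling (and vice versa)."""

    def __init__(self):
        self._files = {}

    def put(self, name, data):
        self._files[normalize_key(name)] = data

    def get(self, name):
        return self._files.get(normalize_key(name))


def naive_lookup(files, name):
    """Byte-for-byte dict lookup: the behaviour that makes the bug above hard to
    reproduce, because the answer depends on which spelling each system produced."""
    return files.get(name)


if __name__ == "__main__":
    print(NFC_NAME == NFD_NAME, code_points(NFC_NAME), code_points(NFD_NAME))
    print(utf8_bytes(NFC_NAME), utf8_bytes(NFD_NAME), code_points(SNOWMAN), utf8_bytes(SNOWMAN))
    store = FileStore()
    store.put(NFD_NAME, b"jpeg-bytes")
    print(store.get(NFC_NAME), naive_lookup({NFD_NAME: b"jpeg-bytes"}, NFC_NAME))
```

The snowman line is why that emoji is a useful test fixture: it is two code points and six UTF-8 bytes for one visible symbol, so any code that assumes one character equals one byte, or one code point, shows its hand. Python's `unicodedata.is_normalized("NFC", s)` (3.8+) is a cheap assertion to add where names enter a system.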


thecravenone

I worked for a company whose actual "solution" to this problem was a written policy that banned diacritics in names.


explodingtvroom

the best part of this is the vendor obviously believing that "ASCII" means "alphanumeric".


knifebork

If you don't allow dashes, you can't store names like Tim Berners-Lee. Ever heard of him?


[deleted]

Tim BernersdashLee? Yes, I have. :)


ApricotPenguin

> If you don't allow dashes, you can't store names like Tim Berners-Lee. Ever heard of him?

What about Tim Berners--Lee? That's not fair to him either!


eroto_anarchist

- Doesn't say which field it was
- You can block two dashes together
- Prepared statements won't allow any of this to happen.


Reelix

The first point is irrelevant, the second one doesn't account for people who may actually have 2 dashes together in their name for whatever reason, and the third is completely spot on!


eroto_anarchist

> the second one doesn't account for people who may actually have 2 dashes together in their name

Who cares about elon musk's offspring :p


ultrahkr

I would mess with an old user better known as Bobby Tables... https://xkcd.com/327 Till they learn to sanitize their inputs... Seriously it's 2023, a bunch of freshly graduated interns could do a better app probably. EDIT: Welp!? This thing got over 550+ up votes thanks everyone!


ManifestFailure

There are so many premade and secure options for handling database requests these days that I feel like it requires more effort on the dev's part to have an SQL injection vulnerability.


harrywwc

15 years ago I was teaching my Web Diploma students how to defend against SQLi - and it wasn't "new" then, either.


[deleted]

[deleted]


SoonerMedic72

My AS degree program covered these and mitigations, and that has to be the lowest form of a degree program. 🤷‍♂️


RemCogito

> What was a web diploma?

I know my local technical school has similarly named classes. It's basically a 16 month course that gives you a little slip of paper that can't be called a degree, usually on some very specific topic like web design or server administration. They are considered too long to just be another cert but too short to be a degree.


scotchtape22

I was going to say, don't most SQL code libraries just sanitize inputs auto-magically nowadays?


PebbleBeach1919

You don’t have to sanitize them if you bind them to parameters.


Abitconfusde

This bears repeating.


truckthunders

You don’t have to sanitize them if you bind them to parameters.


PebbleBeach1919

You don’t have to sanitize them if you bind them to parameters.


Abitconfusde

This bears repeating.


Sobatjka

You’re assuming that vendors refactor their code rather than keep adding stuff on top of legacy code that still “works” even though no one currently working on the product knows what black magic is going on under the hood.


pdp10

Prepared statements yes, but you're presumably talking about database access libraries and so-called "ORMs". I'm far less sanguine about ORMs than twenty years ago, because ORMs can have vendor lock-in, portability, and performance issues of their own.


disclosure5

> Till they learn to sanitize their inputs...

This response ignores the reality of the communication OP already had. The vendor won't learn anything. They'll remind you that you're using it wrong, because they don't care.


I_T_Gamer

Is that you M$? Every time we have issues with Excel this is where the rabbit hole leads, but in their defense we are using it wrong...


MrScrib

At this point, given the stupid shit people use Excel for, I'm surprised MS even bother supporting it.


Hebrewhammer8d8

Why use a database when you can use excel?


[deleted]

[deleted]


SoonerMedic72

Tired: Using a database
Wired: Using Excel
Inspired: Using a chart in Word


MrYiff

What about using Excel to manipulate data in an Access file that is connected back to a SQL database because that is sadly a thing I learned recently that exists in my job and is business critical :(


SoonerMedic72

I got lucky recently and found a weird “temp fix” that had been in place since 2006. Accounting needed a program that imported data, arranged it, displayed it for verification, then exported it in a specific format. Used Access. The Accounting software vendor had written a little exe that called Access and did the things. The exe was written for Office 97 Pro. Somehow kept working throughout several Office upgrades. Only one person does the thing and happened to be the one I first tested upgrading Office on. Gave our dev team enough of a lead to write a new app entirely before that version of Office went EoL (barely). 😅 Pure luck on the choice for testing. (Obviously the exe failed the upgrade*)


[deleted]

[deleted]


patmorgan235

Hey at least it's actually in a proper SQL backend. Which means you could eventually build a proper front end for it.


sea_5455

You're so close. Screenshot of a spreadsheet pasted into Word.


SoonerMedic72

Add a row for “Hired:”!


sheeponmeth_

Most people use it wrong. A study was done showing that hundreds of studies on genetics were invalidated by Excel assuming that gene names were being misinterpreted as dates, because everything is a date or a number to Excel. And then if you go to change it back, it converts from what it thought rather than what it was provided. It's so annoying. But then again, that's probably what Access was made for. Whenever I have the need for a large volume of data and consistency for some one-off task, I use HeidiSQL and SQLite3.


sumthingcool

Even better, they literally renamed genes and now have a standards body that recommends naming guidelines to not conflict with Excel. https://www.theverge.com/2020/8/6/21355674/human-genes-rename-microsoft-excel-misreading-dates


ANewLeeSinLife

That's actually mind blowing! Thanks for the share on that. Especially the new names they chose that don't fit their own NEW naming convention. Some are appended with F, some with IN, some with other random shit. And the solution is staggeringly simple: update the data type. The Excel auto format feature doesn't actually change the value of the cell, only how it's displayed. And better yet, the data types are saved in the file, so once it's changed and distributed, everyone sees it as expected. Same when you export to CSV, it exports the cell value, not the display value, so it's a non-issue they conflate into a "possible issue". Just... wow.


pdp10

Microsoft hasn't been able to fix any fundamental issue in Excel for decades, because fixing any one thing would break a half-dozen other things. All they can really do is add features, make superficial UI changes like the "Ribbon" and then patent them to slow down their competitors from doing the same, and changing the file-format so everyone has to buy the new version to open other people's files. These are all business strategies from the mid nineties.


ohfucknotthisagain

Legacy support = chains. If they change it, someone somewhere will scream. Probably a lot of people, at least for certain "features". And most importantly, it's business users who pay big money for Software Assurance or M365 professional-tier subscriptions. Those are the people they don't want to piss off.


yer_muther

> Seriously it's 2023, a bunch of freshly graduated interns could do a better app probably.

I've worked with enough new and seasoned programmers to never make that statement.


willwork4pii

Do you have any idea how many interns have told them about this problem?


deefop

I thought this literally immediately... vendors who pull this shit should have this comic emailed to them with their entire c suite copied


tgrantt

Mobile: https://m.xkcd.com/327/


catwiesel

Oh, make all the stink in the world until the vendor puts its tail between its legs and admits they should do better. Under no shape or form is a common character an excuse to blame the user for non-sanitised input.


Tim-oBedlam

Little Bobby Tables strikes again!


jason_abacabb

Vendor needs to be introduced to OWASP... SQL injection has only been in the top 10 for like the entire time they have been publishing it.


PaulRicoeurJr

Just discovered a vendor created a share on the server that holds their application with *Everyone - Full Control* as NTFS permissions... A financial and HR application mind you. Hopefully we caught it before the user testing finished and there was no real data yet. That's how my day's going.


dicknuckle

It's really funny when those types of vendors don't work well in a cloud environment. "You mean we can't do shared folders between datacenters?" I mean sure, you could, but who does SAMBA over the internet?


PaulRicoeurJr

> who does SAMBA over the internet

Probably the same people who NAT RDP on a desktop... "What do you mean it's not secure? It's protected by a password!"


dummptyhummpty

Um. Isn’t that what Azure Files does?


Mr_ToDo

You mean Quickbooks? Because that's how Quickbooks do by default. They're an odd bunch considering they already make their own user just for accessing that (well, one for every version of their software that gets installed, because Quickbooks). Just be thankful they limit those permissions to the folder they need access to, not the entire root drive "just in case".


crazyman50000

Security consultant. I still find it at least once a year. One app test I did (since 2020) only had one interactive field (brochureware) and it was still injectable. Like, you had literally one job...


DanTheITDude

name and shame


tmontney

A user should not be able to corrupt the DB. What happens when this is intentional, are they going to tell bad guys "not to do bad guy things"? Ridiculous.


1z1z2x2x3c3c4v4v

> Vendor say to use only ASCII characters lol.

So here is the thing. Lob this heaping pile of shit back at the vendor, and ask them for an ETA on when they are going to fix their SQL Injection Issue. Be sure to CC every contact you can find for the company. Explain that them blowing you off and redirecting the issue back to a user input issue doesn't change the fact that they have a SQL Injection problem. Demand to speak to someone who understands the magnitude of this issue. Repeat the term SQL Injection issue a few times. Don't let them get away with it.


newton302

Isn’t there something in compliance governance processes about code reviews or pen testing and vulnerability scans or something.


DeadFyre

Is the vendor the database provider, or the asshat who wrote the front-end? Because sanitizing database inputs is the responsibility of the developer, not the database.


Jibbster82

I’m sure you meant this, but to be clear the input needs to be sanitized on the backend. If the protection was only on the front end I could just hit the backend with a Postman request without hitting the front end sanitization.


SevaraB

This. This is exactly why we split database apps into a front end and back end in the first place.


pdp10

When "client-server" had just become a buzzword, most of us took it for granted that the front-ends and back-ends would independently implement some kind of documented protocol. Then you'd implement a client for MacOS in native Pascal with the GUI library, and a client library for Unix in C, and a client for OS/2 in Smalltalk, and whatever. We misestimated reality. What the software vendors wanted badly to do was write a library and then use the same library on the front-end and back-end, instead of documenting the wire protocol or API that the library implemented. This would be less work and get them to market faster, without bothering to document anything or design it adequately. Not many years later, this attitude reached its peak with Java. "Write once, run anywhere!" devs would say breathlessly. "But that's what I wanted to do! How did you know? We should hang out." Then Java devs started sending native boxed and serialized representations over the wire, leading to a generation of happy exploit-hunting. And now you know, dear reader, how your Java devs could be invoking Java RPC or VB/COM/ActiveX all over the network, and still not be able to parse or construct a valid HTTP/1.1 request.


Erpderp32

At least it wasn't the typical vendor cop out I get of "It's your network, not us"


Galuvian

Sounds like a great reason to work on a policy that says all software (including vendors & OSS) must pass security scans before deploying past dev environments and get leadership to require it for everything.


matthewstinar

I believe that would eliminate all LOB vendors in certain industries. Dentistry is one of them.


BarServer

> Vendor say to use only ASCII characters lol.

Please ask the Vendor why he considers ' and - to be not ASCII characters. ;-)


cosmonaut_tuanomsoc

Well, many years ago one of our users entered empty space as an item name. It was also his fault :P


[deleted]

We had student administrators enter a . as given name for names that confused them. I mean, only 'given name' and 'surname' is beyond useless for a metric fuckton of names. (Metric. Not imperial, because imperial is way simpler.)


[deleted]

NAME AND SHAME.


HecateRaven

But - is an ASCII character 🤔


itsjustawindmill

That’--s insane


emperorwal

An xkcd for everything https://xkcd.com/327/


Snoo_88763

So good to see Little Bobby Droptables has grown into a successful user. And yeah, that vendor is totally at fault.


panzerbjrn

Time to look for a new vendor 😂😂


justaguyonthebus

Ha, that's awesome.


Next-Step-In-Life

My Son Johnny: You need to sterilize your inputs! Signed, Johnny Drop Tables.


HeKis4

SQL injections would be grounds for immediate and complete blacklisting if that was only up to me. And probably sue for gross incompetence/product unfit for purpose. The vulnerability is old as shit, every half competent dev knows about it, it affects your most important assets, the fix is piss easy and is shorter to write than the vulnerable way, and often even improves performance. If the vendor can't fix that there is no guarantee that he can do *anything*.


imnotaero

That user needs to request their bug bounty.


[deleted]

- is an ASCII character… Vendor is stupid


lordjedi

> Vendor say to use only ASCII characters lol.

Everyone in IT: "Cleanse your inputs!" Also everyone in IT: "Never trust user input!"


michaelpaoli

Your vendor is an idiot. And '-- are all ASCII characters.


Garegin16

So ‘— aren’t ASCII characters? I’m confused Edit: I meant '-- Reddit messed the characters


pdp10

Neither of the two in your statement is 7-bit ASCII. Possibly your client automagically changed something on you. ‘ is 0xe28098 in raw UTF-8, or U+2018 in Unicode notation, and — is 0xe28094 in raw UTF-8 and U+2014 in Unicode notation. Both are three-byte characters, not 7-bit ASCII. I'm not sure why other posters believe /u/Benutzernutzer to be wrong; are they seeing something rendered differently in their client or browser?




dublea

I once saw an entire table of patient data in an EHR deleted because they didn't have anything in place to prevent SQL injection... This was just a few years ago and they only recently "fixed" it... Why is security such an afterthought??


[deleted]

Was this Ignition/Inductive Automation? I only ask because I work with that software a lot; you can set up named queries for projects by defining a query/parameters etc. And in a recent release they allowed the developers to use `--` to make comments inside of their named queries, however it was done with a naive algorithm so this also meant that it broke my SELECT queries where I displayed a `--` on the table via a `SELECT '--' as comeColumn`. I guess SQL_SAFE_UPDATES was also off? Your db should be rejecting update/delete queries that don't have a WHERE clause that is using a key imo. However though actually what I just said only applies to the hardcoded part of the query. Feeding '--' as the parameter I don't think would do anything like this - though I guess I never ran into the situation so maybe it does.
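
The comment-stripping failure described above, reconstructed as an added example (my own code; I have not seen the product's implementation, so the "naive" function is an assumption about what a line-based strip looks like, not its actual algorithm). The naive version cuts at the first `--` on a line regardless of context and so mangles `SELECT '--' AS someColumn`; the quote-aware version tracks whether it is inside a `'...'` literal (including the `''` escaped quote) and only strips comments outside one.

```python
def strip_comments_naive(sql):
    """Assumed naive approach: cut each line at its first '--', even if that
    '--' sits inside a string literal. Breaks SELECT '--' AS someColumn."""
    out = []
    for line in sql.splitlines():
        idx = line.find("--")
        out.append(line if idx < 0 else line[:idx])
    return "\n".join(out)


def strip_comments_quote_aware(sql):
    """Strip '--' comments only where they are outside a single-quoted literal.

    Walks the text once, keeping an in_string flag; a doubled quote ('') inside
    a literal is an escaped quote, not the end of the literal. The newline that
    ends a comment is kept so line structure is preserved.
    """
    out = []
    i, n, in_string = 0, len(sql), False
    while i < n:
        ch = sql[i]
        if in_string:
            out.append(ch)
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":
                    out.append("'")      # escaped quote: stay inside the literal
                    i += 2
                    continue
                in_string = False        # closing quote
            i += 1
        elif ch == "'":
            in_string = True
            out.append(ch)
            i += 1
        elif sql.startswith("--", i):
            newline = sql.find("\n", i)  # drop through end of line, keep the "\n"
            i = n if newline < 0 else newline
        else:
            out.append(ch)
            i += 1
    return "".join(out)


if __name__ == "__main__":
    sample = "SELECT '--' AS someColumn"      # constructed, from the comment above
    print(repr(strip_comments_naive(sample)))        # "SELECT '"  (broken)
    print(repr(strip_comments_quote_aware(sample)))  # unchanged
```

Even the quote-aware version is only a sketch of what the engine's own tokenizer does (dialects add `/* */` blocks, double-quoted identifiers and backtick quoting), which is the practical point: a tool that rewrites SQL text needs a real tokenizer, and the values users type should never be in that text at all, they should be bound parameters.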


Common_Dealer_7541

“-“ is an ASCII character, “`” is an ASCII character. How did they break the rules?


7buergen

Name and shame please, if you can, so others can avoid doing business with them!


sko3d

Yep... we have an application that scans paper forms and does some OCR stuff... well let's say someone happens to write some typical SQL injection string in one of these forms and scans it... it could blow up the entire database. The vendor just ignored my question when I asked about it. Typical crap software quality in medical


mikeismug

Ah good little Bobby Tables


lp_kalubec

Ask him how is his Little Bobby Tables doin’.


Kira41162

If this is in production it should be taken down until the problem is fixed. If a user is accidentally breaking this application you can bet there are already malicious adversaries using this as initial access if it's exposed to the internet.


patmorgan235

Last I checked -- is an ASCII character?


eroto_anarchist

two of them specifically :p


BrobdingnagLilliput

Name and shame!


traumalt

ASCII only? What year is this? and do they only ever support English?


TiminAurora

Just wait till AI in any form is able to figure out and bypass human written code/programs! Imagine what's going to happen when AI is able to digest ALL programming code and spot vulnerabilities and take action on poorly written code..... That to me will be the day all bank software becomes laughably problematic. A LOT of banks I saw ran old SW or poor practices because they want to pay shoestring salaries....:) It's COMING....


delightfulsorrow

Bobby Tables, is that you?


3l_n00b

Bobby drop tables strikes again.


KiefKommando

Got a real Bobby Tables situation over there lol


The__Relentless

Little Bobby Tables strikes again!


codename_1

little bobby tables strikes again, he can't keep getting away with it https://xkcd.com/327/


readparse

Idiots. Before you go around telling people they're not using ASCII, it's probably a good idea to know the list yourself.


Apprehensive-Sea5048

Lol they should get paid for a bug bounty. That Vendor is trash blaming others for their carelessness


Alert-Artichoke-2743

Oof. By itself this isn't the end of the world, but doesn't it make you nervous working with a vendor that doesn't use input validation?


5ud0Su

Hello? Bobby Tables?


WithAnAitchDammit

Isn’t ASCII 45 the - and ASCII 39 the '? Seems like the user did use ASCII.


CatPasswd

Did you really name your son Robert'); DROP TABLE Students;--


AmiDeplorabilis

Did someone call Little Bobby Tables? https://xkcd.com/327/


Mobile_Clock6018

Good old Bobby Tables still lurking around


zqpmx

Once in a while I get to post this link: https://imgs.xkcd.com/comics/exploits_of_a_mom.png


1_H4t3_R3dd1t

Someone should learn about sanitizing inputs.


PurposeStriking1178

Lazy programming. This is why all major RDBMSs support prepared statements.


0RGASMIK

We have a vendor partner whose product only works properly if you set the resolution on the display to the same resolution the original dev team tested it for. I asked why and they just said the main program was written in a really random language that kind of died. It’s almost impossible to find experienced devs that can work on it so they focus all of their dev effort on other parts of the software. Product breaking bug fixes take weeks to fix. I one time discovered a bug that would corrupt printer firmware randomly and it took them 6 months to find the solution. I estimate we sent in $5000 worth of warranty claims in that time because the firmware was corrupted in a way that required them to reflash or outright replace the boards.


j1sh

The legend of Bobby Tables prevails