Sql Injection Ad Nauseam

Published Sat, Jul 23 2005 0:24 | William

A while ago Scott had a great post about demo code. So I was reading up on The Bleeding Edge, Never Been Done Before Technology Known As Ajax and started surfing around a little b/c I wanted to get in on the mockumentary action. So I come across Peter's, where he warns you not to believe the hype. Peter's got some examples on how to use it, and then some d1ckhead points out that his code is vulnerable to Injection Attacks.

This was like a total slashdot comment... Why? Well, it's some really stupid, unclever point that has nothing to do with the subject matter at hand. I hate dynamic unparameterized SQL as much as anyone, hell, I started the club, but this code wasn't about Injection attacks and it was for demo purposes only. Hmm, if we're going to nitpick about demo code, then there's a lot more to bitch about. But I personally don't really want to start reading code blocks that comprise 10 lines of actual code but have three try/catch blocks in them which span only one line of code each. This is, after all, how we code in production, but do we really want to see surgically precise exception handling in demo code? Probably not.

This type of sh1t really actually pisses me off. A while ago, I was at a major conference back when the Compact Framework and the MMIT had just come out. This guy was demoing the IBuySpy stuff on the Compact Framework w/ Sql Server CE. There were about 300 people in the audience and he starts taking questions. So some d1ckhead says “I think it's totally irresponsible for you, as an expert in the field, to display code that's PARADING security flaws in front of developers who aren't experienced with this technology. Your code is using dynamic SQL and is open to an injection attack, and people here will look at your coding style and copy it. So one oversight like this on your part could cause several security problems.”

IT WAS DEMO CODE ON SQL SERVER CE. Hmmm, I have full control of the device and it's a demo anyway, and I'm going to use a f~cking injection attack to destroy the db. Boy, that's a 3:33t H4ck for you. And this was probably the same f~cktard that was dissing Peter's example. Everyone knows about injection attacks, OK. You don't need to point it out every time someone does a f!cking demo already. Sure, if someone's using it at work, have at it. But for demos, it's acceptable - and TRUST ME, you *DON'T* look smart or security conscious by pointing crap like this out when someone's trying to demo some new stuff for you. It just distracts them and wastes everyone else's time.


Comments

# William said on July 23, 2005 4:07 PM:

But is it so difficult to write a generic function to prevent "injection" - and use it every time?
Sure - the purpose of the demo was not injection ... you are right about that!

# William said on July 23, 2005 4:18 PM:

It's not difficult at all to write such a thing. But for example, my girlfriend is taking a class on ASP.NET and learning ADO.NET in the process. At first, it's difficult enough for a newcomer to learn how to fire a query. Adding in the complexity of parameterizing it, and then showing the code to parameterize the query and fire it, is more complex. For most developers, sure, they know this. But for demo code (which is often read by people still learning how things work) you add some complexity that can make it very difficult for people to learn. Just about every day I see someone (experienced developers) who still doesn't parameterize their SQL. I think this is very, very, very bad and have written about it a lot - but the fact is that many people are still learning, and I don't think pointing out that demo code is susceptible to injection attacks, over and over, is value added. Sure, if this is a security demo - then yes. Sure, once people understand how to fire a query, then show them how to do it right. Point out when you teach them the easy way that 'in production code, you'll need to parameterize this'. But these guys that always say "What about injection attacks" over and over at every demo, I think they are just trying to look smart and they do little but annoy others.

That's just my two cents - obviously many disagree with me...

Also, please note that I HATE dynamic SQL w/out parameters. I think in production code, it's TERRIBLE to do... but demo code and production code are two different things, and what makes good production code often makes very difficult to understand demo code.
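To put the "fire a query" vs. "parameterize it" comparison from the comments above side by side, here is an added example that is not part of the post or its comments. It uses Python's built-in sqlite3 module as a stand-in for the ADO.NET code the discussion is about (the mechanism is the same in any database API: in the dynamic form the user's text becomes part of the SQL statement, in the parameterized form the statement is fixed and the value is passed separately). The customer table and the input strings are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a tiny in-memory customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT, Email TEXT)")
    conn.executemany(
        "INSERT INTO Customers (Name, Email) VALUES (?, ?)",
        [
            ("Alice", "alice@example.com"),
            ("O'Brien", "obrien@example.com"),  # a perfectly ordinary name with a quote in it
            ("Bob", "bob@example.com"),
        ],
    )
    return conn


def find_customer_dynamic(conn, name):
    """The 'demo' way: splice the input into the statement text.

    The database parses whatever the caller typed as SQL, so a quote in the
    input changes the structure of the query instead of being treated as data.
    """
    sql = "SELECT Name, Email FROM Customers WHERE Name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_customer_parameterized(conn, name):
    """The same query, parameterized: one placeholder and a separate value.

    The statement text never changes; the driver hands the value to the engine
    as data, so quotes or SQL keywords in the input cannot alter the query.
    """
    sql = "SELECT Name, Email FROM Customers WHERE Name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    """Run both forms on the same input and report the rows each returned.

    For the dynamic form a malformed statement is reported as an error string
    rather than raised, so the two behaviours can be compared directly.
    """
    try:
        dynamic = find_customer_dynamic(conn, name)
    except sqlite3.Error as exc:
        dynamic = "error: " + str(exc)
    return {
        "dynamic": dynamic,
        "parameterized": find_customer_parameterized(conn, name),
    }


if __name__ == "__main__":
    db = make_db()
    # A well-behaved input: both forms agree.
    print(compare(db, "Alice"))
    # An ordinary name containing an apostrophe: the dynamic form breaks with a
    # syntax error, the parameterized form finds the row. The same apostrophe is
    # the entry point for a real injection; the parameterized form is immune to it.
    print(compare(db, "O'Brien"))
    # Input that is valid SQL once spliced in: the dynamic form returns every row,
    # the parameterized form (correctly) finds no customer with that literal name.
    print(compare(db, "x' OR '1'='1"))
```

The point for demo code is visible in the diff between the two functions: the parameterized version is one placeholder and one extra argument, and the apostrophe test shows that the "easy" version is not even functionally correct for ordinary data, quite apart from the security question.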

# William said on July 24, 2005 4:45 PM:

The worst defect a developer can have is to disrespect the work of another developer. Criticizing demo code for the lack of being ‘production code’ is a sure sign of this defect.

It is a nice thought to make your source code read like poetry, but for a machine it becomes mindless machine code. A CPU doesn’t care. If you want to be nice to your slave machines, go for asynchronous, worker threads, and use lots of Thread.Sleep(20). Oops, my bad: Thread.Sleep(ProjectGlobals.CpuCycle).

But here is a shocker: There is no such thing as ‘production code’. It is a myth. In real life, the code that you write runs on a specific domain. That has its advantages. And you make use of that, because it speeds up development. That means cutting some corners and bending some of the rules. In the end, meeting the deadline for the release of the product with an acceptable amount of quality is all that counts.

# William said on July 25, 2005 2:34 PM:

DoubleI,

This post is not production quality. I find that there is too much slang to convey a meaningful journalistic message. Your use of expletives with numeric digits in place of v0w3ls is annoying. You choose to provide an ellipsis to construct a run on sentence with a capitalized second phrase where the first clause is in the subjunctive mood with an improper morphology of a simile and the second clause is in the interrogative mood. You somehow perform this while maintaining consistent declension. Because of these deficiencies, this post is vulnerable to injection comments.

This post represents examples of English which, if observed by the novice English speaker or writer, might be misconstrued as valid English. Consider all of your female teenage readers and the impact a post of this nature may have on that demographic. These practices may be satisfactory in your private conversations, but they are unsuitable for blog posts where only valid examples of proper English (not the Queen's English, but the only true English: American) are the norm.

I'd also ask that you parameterize this post at your earliest convenience. Might I suggest wrapping your expletives in try/catch/finally blocks with the finally block handling suitable text replacement of the expletive for readers that may be offended by said expletives.

I write this comment in the sheer hope that everyone notices that I'm security conscious and I hope it makes me look smart. I do this solely at the expense of you, the writer. As I have not been able to attend many conferences or demos, I find myself lacking in "I'm smart, you're stupid" comment outbursts. As such, I find myself compelled to comment here. Please let me know if you will be presenting a demo in the near future so I can "assist" with verbal comments of your code.

BTW, your use of Spanish in your subtitle "Dos en el rosade, y uno en el morado" is without question, your best work to date.

---O

p.s. All joking aside, you now have the nickname DoubleI at JJBR (The Irish Instigator or II or as I put it: DoubleI). See:

http://www.jjbresearch.org/acs/blogs/optionsscalper/archive/2005/07/21/DoubleIComments.aspx

p.p.s. You mention a girlfriend. What breed of seeing-eye dog does she have?

# William said on July 25, 2005 3:05 PM:

I've seen demo code that I can't focus on because it's littered with weird programming practices that are well beyond the scope being discussed. I don't need some full solution I can compile, I just need to know the specifics about the scope of the demo.

Too many times I focus on the outside "crust" of a demo so much that I can't get into the meat of it. Too many times that "crust" tends to suck tremendously hard and abstract things in some weird mishmash of garbled characters. I don't want to have to decipher your programming speak to get at what I'm trying to learn. I don't have that much time any more and I'll tend to skip over something if it's like a Linux man page: 20000 pages of useless text when I happen to be looking for just one line, yet because I don't understand their concept of English, I can't use the search command and find that line. Argh? Yes, argh.

Also the IBuy* ASP.NET* demos are littered with SQL injection problems and a LOT of other bad programming practices. Anyone that guts them and proceeds to use them as a base for "something better" (didn't DotNetNuke do just this?) is asking for trouble. Apparently someone did them as a demo in a hurried fashion and they haven't been updated in quite some time. Hell, even if they were, I'm sure they're still not a complete end-to-end perfect solution using only the very best programming practices.

And I do agree that demo and production are just words for the same code. Production code tends to have more thought and real world examples. Demo code, for me at least, consists of some abstract method that I achieved in production and in almost every case is done completely differently so as not to throw too much out there at once. I have a number of abstractions to my SalesLogix code (VBScript, still code, though code lite) and if I had to explain each abstraction the demo would be completely useless or so huge you'd know every single secret I have. I can't make every line completely perfect because a demo is usually done outside of a billing environment and since time is money I don't spend a lot of money on a demo. Yes I may be introducing bad behavior if someone decided to use my code out of context but if they stick with the scope of the demo, they should be just fine. That's how I think it should be but of course people want something for nothing, i.e. your demo code to be their production code complete with 24/7 support.

# William said on July 25, 2005 7:17 PM:

OS - Thanks!!!!! As far as Kim's Seeing Eye dog, it's a Chihuahua. Now I'm going to go back to laughing my a33 off about the Injection Comments.

# William said on July 25, 2005 7:20 PM:

J - I know what you mean. There's a difference between terrible demo code and code that's too verbose. You need to be clear, but you can't keep it so simple that it's 'wrong'. I think Frans actually had a post about how bad some of that code sucked. But when I'm trying to just show a quick example, I often point out that 'in production you'd do _______' and that seems to go over pretty well.

I just hate the nitpicking that some people do -- if it's added value, I'm all for it, but seldom is it.
