Several years ago, I showed a colleague that in the simple file-storage web app he'd written, just changing part of the URL from e.g. "/folder/23/" to "/folder/23 OR 1=1" would show every file ever uploaded by any user, ever. (He hadn't even added a clause to limit it to the logged-in user, but that's another matter.)
He was taking that folder number from the URL, passing it through mysql_real_escape_string() because he'd simply learned by rote that that's how you make any user input safe, then concatenating the SQL, without putting quotes around the variable in the query because it's meant to be an integer: "...WHERE folder_id = $folder_id".
It didn't matter how I tried to explain things; he just didn't get it. He still works there (I left, I'd had enough) - his job title is "senior developer".
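The pattern described above, reconstructed as an added illustration (not the colleague's code or anything from the post) with a corrected version beside it: the escaping step leaves an unquoted integer context untouched, while a prepared statement with a validated integer parameter and an owner check does not. The table and column names are assumptions, an in-memory SQLite database via PDO stands in for MySQL, and a small stand-in function replaces mysql_real_escape_string() so the script runs offline.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the same characters
// (\, ', ", NUL, \n, \r, \x1a) but needs no MySQL connection. Illustration only.
function fake_mysql_real_escape_string(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Constructed sample data in an in-memory SQLite database (table/columns assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, folder_id INTEGER, owner_id INTEGER, name TEXT)');
$db->exec("INSERT INTO files VALUES (1, 23, 7, 'alice.pdf'), (2, 23, 7, 'alice2.pdf'),
           (3, 99, 8, 'bob-private.pdf')");

$loggedInUser = 7;
$input = '23 OR 1=1';   // what arrived in the URL instead of a plain "23"

// --- the original pattern: escape, then concatenate without quotes ----------
$folder_id = fake_mysql_real_escape_string($input);
// Nothing in the input needs escaping, so $folder_id is still "23 OR 1=1" and the
// WHERE clause reads "folder_id = 23 OR 1=1", which matches every row in the table.
$vulnerable = "SELECT name FROM files WHERE folder_id = $folder_id";
$rows = $db->query($vulnerable)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped + concatenated: [%s]\n", implode(', ', $rows));   // all three files

// --- the fix: validate the type, bind it as a typed parameter, check the owner
function listFolder(PDO $db, string $rawFolderId, int $ownerId): array {
    $folder = filter_var($rawFolderId, FILTER_VALIDATE_INT);
    if ($folder === false) {
        return [];   // not an integer at all: refuse rather than interpolate
    }
    $stmt = $db->prepare('SELECT name FROM files WHERE folder_id = :folder AND owner_id = :owner');
    $stmt->bindValue(':folder', $folder, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

printf("prepared, bad input:    [%s]\n", implode(', ', listFolder($db, $input, $loggedInUser)));
printf("prepared, valid id:     [%s]\n", implode(', ', listFolder($db, '23', $loggedInUser)));
// Expected: the first fixed call returns nothing; the second returns only user 7's
// two files in folder 23, and user 8's file is never reachable from this request.
```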