Search - "sanitization"
-
CS teacher tip of the day:
Server-side input checks and sanitization are always useless, because nowadays all browsers have JavaScript enabled by default and nobody disables it. So client-side checks are safe.
me: ***WTF!?!***
-
Alright fuck it, let's release this fucker!
https://lynkz.me is the main domain. The interface is *usable* and nothing more than that. I'll invest more time in that soon but for now, hey, it works.
The API is located at https://api.lynkz.me.
Documentation for this (literally some echoes to the screen but it contains the needed information for now) is at that api url.
Found a bug or a security vulnerability? Please let me know!
Yeah, I use MariaDB, but SQL injection is luckily not possible due to quite some sanitization ;)
WARNING: if you make a shortened url and forget the delete key, you won't be able to delete it.
Let's see how this goes 😅
-
Had a fight with a teacher today. He was teaching PHP to some new students, and I was doing my own stuff, when I suddenly saw an example of his code:
Unsanitized SQL query staring at me
I asked him if there was sanitization anywhere in the code.
He said: "We don't need to teach that stuff, it just confuses the students, that stuff belongs to advanced course or something."
I decided to give him the facts, but no, still the same statement.
Next time I'm going to drop his tables 😠
-
CLIENT: "So my nephew who does stuff with computers built it and we are OK with how it all works, so don't worry about changing that."
DEV: "So, like, you have a public form with no input filtering, no spam mitigation, let alone sanitization or any remote concern for security. Basically you have a JSON flat file that is 34 MB of links to viagra, replica watches, knock-off name brands and one real estate company. It is getting about 15 submissions an hour. Since you don't want me changing how it works, are you happy to just leave all that?"
CLIENT: "No no, we don't want all that, but we have no route to delete it. Can you just stop all the spam and let us continue on?"
DEV: "OK, so back to my first question: can we rebuild all of this properly, or do you really want to just leave it all?"
:/ FML
-
Man I felt like a detective today.
A website that has been running for a few years without problem failed today when looking for data of August 2017.
The code, written long ago by people I have never met (I've been here for 3 months), was horrendous. Looking through an ArrayList of dates for 15 countries and pushing them into a dictionary before finally turning the data into a visual grid of countries that uploaded data. I think I can squash this into a single loop and do them side by side. The function that got a single date would open and close an SQL connection 30 x 15 times in a row. God fucking damn. You can open the connection one fucking time if you can write a proper query; how did that spaghetti code get through? I'll never know.
Anyway.. after looping painfully through it I found a rogue Hungarian key failing to be used in the dictionary. This "given key not found" led me to believe that there was some wrong data in the database.
After finding the SQL responsible in the code, I threw in the right parameters and BAM. Some dolt has allowed data from ANY country to go into each uploader; they didn't sanitise their inputs. This has been operating for years without problem, so I have to assume people just.. didn't try uploading lots of data into the wrong country.
I found the author of the file; it gave me their PC ID. Due to the nature of my role I have access to the database that allows me to identify people using them. So I found out there was a Hungarian fellow that had originally called the file "teszt xxx", so it was obviously on purpose. Wonder if it's because he knew of the problem (very doubtful, his role has nothing to do with programming), so I'm a tad confused as to why they did that..
Well, will get answers eventually as my senior decided to send out an email with some managers names being cc'd. I assume he wasn't happy because it took a bit of my time and I'm nearing the end of a big project.
I don't know if I'd call this a rant, but it did piss me off trying to understand foreign code so let's leave it as such.
Just as I type this, we have received an email back with the woman raising the issue claiming to not know who or why this man did so.
A mystery :D
-
I feel compelled to share this. I think every programmer needs to read this.
I know I'm right, but I'm not in the mood to validate my argument; that is a privilege I reserve exclusively for real arguments, usually containing foreign user input in dire need of sanitization, which kinda sucks...
So instead here is a morsel and a link. Enjoy the read.
https://medium.com/@caspervonb/...
-
Teach things properly. Most teachers are confused, and they start throwing keywords at even more confused students, who then have no clue what they are doing and ask me to do their work for them, showing me their unindented code (well... kinda, they all seem to fight with the IDE, which is trying to properly indent their mess, for some reason). Teachers think that Turbo Pascal is the way of life and that it is used everywhere (one teacher tried to tell me that Pascal is used in the stock market and in modern operating systems. U wot m8?! How high are you right now?), and they don't teach user input sanitization and type checking. They stare at you like you are fucking Satan when you dare to use objects, collections and abstraction, because they are scared to death of that stuff... and then they think 60 minutes is enough to teach HTML, CSS, JS and PHP in one go (which they don't even know properly; the teacher that made and maintains the school's website is probably stuck in 1998, judging by the design and functionality of the website and his clothes), and they then send absolutely clueless students to compete in a web design competition (and then they get angry at the judges for giving the students 0 points).
-
If you have any project (personal or not, doesn't matter) that does not have proper code comments and documentation, and you don't want to make them because of the effort (maybe even "wasted" effort), think again. When commenting on a wall of code to say what it does, you may find a better way of doing what you have to do, possibly increasing performance or improving security.
I have been able to do better input sanitization for a method on a personal project of mine because of this.
Don't use the amount of effort for proper documentation as an excuse not to make it.
-
Working on a legacy PHP project where every single query inserts user-provided data without any sanitization, aka SQL injection ahoy! Also no framework.