Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "sanitize"
-
Ok, I just have had wasted 30 mins of my life trying to figure out why one of the stupids grids of the shitty project of my company is missing one element....
...please, always sanitize the data before insert in the db... please....3 -
CR: "Add x here (to y) so it fits our code standards"
> No other Y has an X. None.
CR: "Don't ever use .html_safe"
> ... Can't render html without it. Also, it's already been sanitized, literally by sanitize(), written by the security team.
CR: "Haven't seen the code yet; does X change when resetting the password?"
> The feature doesn't have or reference passwords. It doesn't touch anything even tangentially related to passwords.
> Also: GO READ THE CODE! THAT'S YOUR BLOODY JOB!
CR: "Add an 'expired?' method that returns '!active'?"
> Inactive doesn't mean expired. Yellow doesn't mean sour. There's already an 'is_expired?' method.
CR: "For logging, always use json so we can parse it. Doesn't matter if we can't read it; tools can."
CR: "For logging, never link log entries to user-readable code references; it's a security concern."
CR: "Make sure logging is human-readable and text-searchable and points back to the code."
> Confused asian guy, his hands raised.
CR: "Move this data formatting from the view into the model."
> No. Views are for formatting.
CR: "Use .html() here since you're working with html"
> .html() does not support html. It converts arrays into html.
NONE OF THIS IS USEFUL! WHY ARE YOU WASTING MY TIME IF YOU HAVEN'T EVEN READ MY CODE!?
dfjasklfagjklewrjakfljasdf5 -
Being a programmer for a while now it always irritates me to try to explain what I'm working on to friends and family. I forget what I knew before I developed. I'm always like "I made the strings in the database- oh I mean the words...well they're actually more like strings of letters- well anyway I made a code to sanitize the user input- I mean make it so it is secure before uhhh saving." I spend so much time watering what I'm saying down I forget what I'm talking about
It's not even funny. It'd be funny if one single person in my family or friend group understood what I meant to some degree.3 -
Here's an example of what happens when you don't sanitize your input.
The software in question runs in the user's browser and is used to display text from a Twitch chat.
https://youtu.be/2GtbY1XWGlQ2 -
Told to sanitize a large collection of PowerPoints of customer data. Found one resolvable IP address and about 200 typos and other mistakes. Deleted the IP address.. mission successful!
-
If the database doesn't have the information, they won't be able to login, no need to validate or sanitize
-
I dont understand the Log4j vulnerability.
Isnt the ability to execute code a feature they added so that you can add dynamic data to the logs?
If it is a feature then isnt it written in the documentation?
Is the problem that a lot of companies forgot to sanitize the input before logging it?23 -
PHP code that didn't use sanitize, but manually checked if strings contained ' or ". Not even in a function, but manually implemented whenever the person writing that burning dumpsterfire thought it was a good idea to check for that.
Code also didn't report, it just exited without error code. Users would just get a white screen if that spaghetti code "security" system got tripped. -
Got one right now, no idea if it’s the “most” unrealistic, because I’ve been doing this for a while now.
Until recently, I was rewriting a very old, very brittle legacy codebase - we’re talking garbage code from two generations of complete dumbfucks, and hands down the most awful codebase I’ve ever seen. The code itself is quite difficult to describe without seeing it for yourself, but it was written over a period of about a decade by a certifiably insane person, and then maintained and arguably made much worse by a try-hard moron whose only success was making things exponentially harder for his successor to comprehend and maintain. No documentation whatsoever either. One small example of just how fucking stupid these guys were - every function is wrapped in a try catch with an empty catch, variables are declared and redeclared ten times, but never used. Hard coded credentials, hard coded widths and sizes, weird shit like the entire application 500ing if you move a button to another part of the page, or change its width by a pixel, unsanitized inputs, you name it, if it’s a textbook fuck up, it’s in there, and then some.
Because the code is so damn old as well (MySQL 8.0, C#4, and ASP.NET 3), and utterly eschews the vaguest tenets of structured, organized programming - I decided after a month of a disproportionate effort:success ratio, to just extract the SQL queries, sanitize them, and create a new back end and front end that would jointly get things where they need to be, and most importantly, make the application secure, stable, and maintainable. I’m the only developer, but one of the senior employees wrote most of the SQL queries, so I asked for his help in extracting them, to save time. He basically refused, and then told me to make my peace with God if I missed that deadline. Very helpful.
I was making really good time on it too, nearly complete after 60 days of working on it, along with supporting and maintaining the dumpster fire that is the legacy application. Suddenly my phone rings, and I’m told that management wants me to implement a payment processing feature on the site, and because I’ve been so effective at fixing problems thus far, they want to see it inside of a week. I am surprised, because I’ve been regularly communicating my progress and immediate focus to management, so I explain that I might be able to ship the feature by end of Q1, because rather than shoehorn the processor onto the decrepit piece of shit legacy app, it would be far better to just include it in the replacement. I add that PCI compliance is another matter that we must account for, and so there’s not a great chance of shipping this in a week. They tell me that I have a month to do it…and then the Marketing person asks to see my progress and ends up bitching about everything, despite the front end being a pixel perfect reproduction. Despite my making everything mobile responsive, iframe free, secure and encrypted, fast, and void of unpredictable behaviors. I tell her that this is what I was asked to do, and that there should have been no surprises at all, especially since I’ve been sending out weekly updates via email. I guess it needed more suck? But either way, fuck me and my two months of hard work. I mean really, no ego, I made a true enterprise grade app for them.
Short version, I stopped working on the rebuild, and I’m nearly done writing the payment processor as a microservice that I’ll just embed as an iframe, since the legacy build is full of those anyway, and I’m being asked to make bricks without straw. I’m probably glossing over a lot of finer points here too, just because it’s been such an epic of disappointment. The deadline is coming up, and I’m definitely going to make it, now that I have accordingly reduced the scope of work, but this whole thing has just totally pissed me off, and left a bad taste about the organization.10 -
Guys. Sanitize the Tags input length. Here on devrant. Call the devs, I don't know who they are...8
-
Since the issue is within the legacy backend data, this brings us the great opportunity to solve and sanitize the data on the frontend and therefore killing the performance of the application! Sincerely, a manager that doesn't give a shit3
-
It reaaaally annoys me when my business logic is sound but the data is corrupted.
For example, find duplicates in a HashMap<String>.. but I didn't take into account the input could contain a space either before or after.. so I end up wondering: if a HashMap only contains unique keys, how come the count of items in the map is the same as the count of the input keys?! Well.. spaces were the culprit.
"12345" != "12345 ".. and therefore the Map sees it as two distinct keys..
What an annoying bug.
Lesson learned: 1) Sanitize input first and never trust it. 2) Never make assumptions16 -
I just realized I can easily sanitize the data by using + as “ and I haven’t even had coffee yet. I might be on a roll today.
-
Inherited a legacy system from a previous "developer" who wrote code to sanitize input from sql injection in the front end and then called an web method called execSql which accepts am sql statement in a string value!
Obviously the app ran under admin privileges.2 -
I like to teach sites that don't escape HTML/js in input fields a lesson, and put in a redirect. Where would you redirect them?
I tend to go SFW, like redirecting to a competitor or the NSA. -
Kind of continuation of this my other rant https://devrant.com/rants/2345105/...
I have now reached the point where I want to tear off my exes with my own hands, turn off my brain and "unsee" what's in this garbage bag of code.
I swear to the programmer's gods (assuming something like this do exist apart from the D&D Story in my brain) if I do see another GLOBAL variable I'm gonna kill somebody!
It will take me good part of 2020 to sanitize this shit!