sloosecannon wrote: What is null equal to?
The place I worked in Germany?
I was asked to make small amendments to an ages-old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MS Access) I should look for valid credentials...
Behold (some details left out/altered to protect involved parties):
    Dim msg
    msg = ""
    Dim sql
    ' First lookup: does the username exist? (SQL built by string concatenation, as posted)
    sql = "SELECT * FROM USERS WHERE (usr= '" + username + "')"
    Dim rs
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.ActiveConnection = dbconnSTRING
    rs.Source = sql
    rs.CursorType = 0      ' adOpenForwardOnly
    rs.CursorLocation = 2  ' adUseServer
    rs.Open()
    If rs.Eof And rs.Bof Then
        msg = "Invalid username"
    End If
    ' Second lookup: does ANY row have this password? Never tied back to the username above.
    sql = "SELECT * FROM USERS WHERE (pswd= '" + password + "')"
    rs.Close()
    rs.Open(sql)
    If rs.Eof And rs.Bof Then
        If msg = "Invalid username" Then
            msg = "Invalid username and password"
        Else
            msg = "Invalid password"
        End If
    End If
So basically if I know your username and I have my own account, I can use your username and my password and log in as you...
Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων!
(Alas! We're devoured by lamb-guised wolves!)
A thing of beauty. Thanks for immortalizing it here.
P.S. I'll also take a moment to point out that such a validation routine should never indicate what went wrong, only that it failed. Telling a potential baddy that the user name doesn't exist makes his job easier -- he'll simply stop trying that username and move on to the next without trying any more passwords.
modified 25-Aug-14 11:30am.
I'm never sure about that one. Yes, it has a marginal effect on security, but it has a big effect on user annoyance, and I think the trade-off is worth it in most cases to let a user know that they mistyped their username.
Airtight
Bah, I don't need a valid username OR a valid password...
Username: 'or''='
Password: 'or''='
I know, I know... I'm supposed to drop/wipe the table, but that's just mean.
Nah, username and password were sanitized earlier in the code. Surprisingly, the sanitization routine is pretty solid (probably copy-pasted from elsewhere though, seems quite out-of-place in terms of coding style).
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων!
(Alas! We're devoured by lamb-guised wolves!)
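The three points raised in the thread so far, as an added example that is not code from the original post or from the site it describes: `login_original` is a query-for-query port of the posted ASP logic (two independent lookups, string-built SQL), so it accepts a victim's username with any other account's password and also accepts the `'or''='` input from the reply above; `login_hardened` is my own corrected version, with one parameterised lookup keyed on the username, the password verified against that row's salted hash, and a single generic failure message. The in-memory SQLite table, the two accounts (`admin`, `mallory`), and the PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts standing in for the site's USERS table.
ACCOUNTS = [("admin", "correct horse"), ("mallory", "hunter2")]


def make_original_db():
    """Plaintext passwords, because that is what the posted code compares against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (usr TEXT PRIMARY KEY, pswd TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?)", ACCOUNTS)
    return conn


def login_original(conn, username, password):
    """Port of the posted ASP: two independent lookups, SQL built by concatenation.
    Returns the msg the original builds; "" means the login is accepted."""
    sql = "SELECT * FROM USERS WHERE (usr= '" + username + "')"
    user_rows = conn.execute(sql).fetchall()
    sql = "SELECT * FROM USERS WHERE (pswd= '" + password + "')"
    pw_rows = conn.execute(sql).fetchall()
    msg = ""
    if not user_rows:
        msg = "Invalid username"
    if not pw_rows:
        msg = "Invalid username and password" if msg == "Invalid username" else "Invalid password"
    return msg


# ---- hardened variant (my additions, not the site's code) ----

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_hardened_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (usr TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in ACCOUNTS:
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO USERS VALUES (?, ?, ?)", (user, salt, digest))
    return conn


# Hashed once, so an unknown username costs the same time as a wrong password.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder")


def login_hardened(conn, username, password):
    """One parameterised lookup keyed on the username, then verify the password
    against THAT row's hash: the two facts are tied together, not checked apart."""
    row = conn.execute("SELECT salt, pw_hash FROM USERS WHERE usr = ?", (username,)).fetchone()
    salt, expected = row if row is not None else (_DUMMY_SALT, _DUMMY_HASH)
    _, actual = hash_password(password, salt)
    ok = hmac.compare_digest(actual, expected) and row is not None
    # Same message for every failure: the caller is not told which half was wrong.
    return "" if ok else "Invalid username or password"


if __name__ == "__main__":
    orig, hard = make_original_db(), make_hardened_db()
    for who, pw in [("admin", "correct horse"), ("admin", "hunter2"), ("'or''='", "'or''='")]:
        print(f"{who!r} / {pw!r}: original={login_original(orig, who, pw)!r} "
              f"hardened={login_hardened(hard, who, pw)!r}")
```

Run it and the original accepts `admin` with `mallory`'s password and accepts the `'or''='` pair outright (`usr = '' OR '' = ''` is true for every row), while the hardened version rejects both and answers every failure with the same string.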
I think the lesson you can derive from this is to teach the developer who wrote this what the AND keyword means in SQL syntax.
Actually, the person who originally wrote this little gem currently has something close to 25 years of active development under their belt, with extensive SQL work as well. I've seen other samples of their work, written about the same time as this, and they are REALLY better than this. So this leads me to think that they were smoking something REALLY good when they wrote this.
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων!
(Alas! We're devoured by lamb-guised wolves!)
Yeah, that might be the case. But not anymore.
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων!
(Alas! We're devoured by lamb-guised wolves!)
Code from the time when sex was safe and flying dangerous.
Well, flying is still somewhat dangerous...
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων!
(Alas! We're devoured by lamb-guised wolves!)
Am I the last one to know that the Android SDK defines a constant for the gravity on the first Death Star? Just noticed it today. I wonder whether that is the surface gravity. The gravity inside looked much higher (since people walked normally).
There also are constants for other (real) planets.
public static final float GRAVITY_DEATH_STAR_I Added in API level 1
Gravity (estimate) on the first Death Star in Empire units (m/s^2)
Constant Value: 3.5303614E-7
Also interesting to note that the Empire now uses metric (SI) units.
And where is the island which has about half of Earth's gravity?
Just out of curiosity (on Win 8.1) I wondered if you could enter exponentials. I was gratified that typing 1e automatically changed to 1e+0, but worried if negative exponents worked. Nope, came out -6. Well, how close is positive? Typing "1e7=" is 9999993. REALLY disappointing for a calculator (5 place accuracy), that heretofore I was very impressed with its accuracy. (Later I cleared memory and 1e7 gave the right answer. It assumed I wanted to subtract 7 from 1e7 or, better yet, I wanted to add 1e7 to -7.)
The percentage of Earth gravity is about 0.0000036%. So 100 lbm weighs 0.000000036 lbf.(100kg WEIGHS 0.036gm*mm/sec^2 on the death star) I always assumed they could stand like they did because they had developed artificial gravity. Since the pilots could turn like they did without the pilots getting squished, I assumed their star fighters had it too.
My calculator, using the link's numbers --> (((3.5303614/10000000)/9.80665)*100)= 3.5999667572514569195392922149766e-6% (Yes, parens shouldn't be necessary, but I proved to myself years ago it properly supported needed parens and that memory glitch scared me too.)
So, where is half of Earth's gravity mentioned?
PS I think my numbers are right, but I wouldn't bet 100 dollars on it.
I'm starting to wonder...
That's no moon!
It's an OO world.
    public class SanderRossel : Lazy<Person>
    {
        public void DoWork()
        {
            throw new NotSupportedException();
        }
    }
What do you get when you cross a joke with a rhetorical question?
Brisingr Aerowing wrote: What do you get when you cross a joke with a rhetorical question? I think the answer to your question is "EXACTLY"!
I was just doing some housekeeping on Facebook, removed the year from a "life event", and saw: Posted on December 31, 1969.
It's almost worth joining just to have fun with that.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
Alan Kay.
static void Main(string[] args)
{
String str1 = "http://toto.com/";
String str2 = "http://toto.com/";
bool eq = str1 == str2;
Console.WriteLine(eq);
str1 = "http://toto.com/";
str2 = "http://toto.com/";
eq = str1 == str2;
Console.WriteLine(eq);
}
See for yourself, but copy the code, do not retype it.
I lost hair on this one, bug on an actual project for one customer.
But it is a nice trick to play on your most hated co-worker if his computer is unlocked... Also works in configuration files.
This is pure evil though.
[UPDATE] With some advice I found even more evil than that.
"а" == "a"
modified 11-Aug-14 11:13am.
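A small checker for the trick in the post above (two strings that look identical on screen but compare unequal because one contains lookalike characters), as an added example that is not code from the original post. It is Python rather than the C# shown; the `CONFUSABLES` table is a hand-picked handful of Cyrillic letters that render like Latin ones, not the full Unicode confusables list, and the sample URL with a Cyrillic о at index 8 is constructed. The checks are the ones I would run over source files, config files and host names before trusting an equality that "obviously" should hold.

```python
import unicodedata

# Hand-picked Cyrillic lookalikes for Latin letters (assumption: a small
# illustrative table, not the full Unicode confusables.txt).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0410": "A",  # CYRILLIC CAPITAL LETTER A
    "\u041e": "O",  # CYRILLIC CAPITAL LETTER O
    "\u0421": "C",  # CYRILLIC CAPITAL LETTER ES
}


def suspicious_chars(s):
    """Every non-ASCII character in s with its index, code point and Unicode name."""
    return [(i, c, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for i, c in enumerate(s) if ord(c) > 0x7F]


def scripts_in(s):
    """Set of script names (first word of the Unicode name) used by the letters in s.
    More than one script in one identifier or host name is the classic homograph signal."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in s if c.isalpha()}


def skeleton(s):
    """NFKC-normalise, then fold the known lookalikes to ASCII so that visually
    identical strings compare equal. NFKC on its own does NOT map Cyrillic to Latin."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", s))


def diff_positions(a, b):
    """Indices where two strings differ, with both code points, for an exact report."""
    return [(i, f"U+{ord(x):04X}", f"U+{ord(y):04X}")
            for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    real = "http://toto.com/"
    fake = "http://t\u043eto.com/"  # constructed: Cyrillic o at index 8
    print(real == fake, skeleton(real) == skeleton(fake))
    print(suspicious_chars(fake))
    print(scripts_in(fake), diff_positions(fake, real))
```

`skeleton` is the right comparison when the question is "would a human mistake these for each other"; the raw `==` is the right one for the program, and `diff_positions` is what you paste into the bug report when the two disagree.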
Wow. That is evil! :evil_grin:
What do you get when you cross a joke with a rhetorical question?