Kip

Kip rambles about bad programmers again

Written by Kip on Monday, November 13, 2006 at 5:31 pm (EST)

Here is a database query that has a potentially huge problem:

  select * from users where username = '$username' and password = '$password'

If you’re not a programmer, bear with me; I’m sure you can still follow the problem here.  In the line above, $username contains the value the user gave for their username, and $password contains the value given for their password.  Let’s say my username is “kip” and my password is “12345”.  That gives us:

  select * from users where username = 'kip' and password = '12345'

So far so good, a database can execute that just fine.  But what if my password is “My dog’s name is spot”?  That gives us this:

  select * from users where username = 'kip' and password = 'My dog's name is spot'

See the problem?  The database will think the password is just “My dog”, since there is a single-quote in the password.  It will additionally not know how to handle the rest of the statement and probably return an error, preventing the user from ever logging in.

Nothing I’ve said here should be news to a programmer.  In introductory programming courses, students are often asked to write a program where the user is asked for input (let’s say, a number from 1-10), and the program must not fail if the user enters something entirely different (let’s say, “judicious”).  What is happening in my example is in no way fundamentally different.

If you’re thinking to yourself, “Hey Kip... you’re not writing this post because you just figured this out.. are you?”, rest assured that I am not.  I am writing this because (a) I like to pretend that my blog has more than a dozen readers; and (b) because I have seen several sites discussing this type of bug lately.  The implication is that many programmers—presumably the paid, professional types (not just amateurs)—would put user input inside single-quotes without entertaining the possibility that the user might enter text with single quotes in it.  It seems like one of those things that you shouldn’t need to be taught—you should logically know to validate user input, even if you have never received formal training in programming.

Thus far, I haven’t even talked about the security hole caused by this code:  someone could intentionally use a single-quote in their password to exploit this bad code.  For just one of many examples, giving a password of “' or 'abc' = 'abc” will let you into any existing user’s account (this is called SQL Injection).  I can understand why a programmer might not see that security hole immediately.  But the security hole is just an abuse of a bug that a logical human being should have seen in the first place.
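To make the two failure modes concrete, here is an added example (not code from the post) that runs the post’s query both ways against a constructed in-memory SQLite table: login_unsafe pastes the input into the SQL text exactly as the post does, while login_safe uses driver placeholders so the input is only ever treated as a value. The table, the function names and the single “kip” row are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; one user, "kip" / "12345".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.execute("insert into users values ('kip', '12345')")
    conn.commit()
    return conn

def login_unsafe(conn, username, password):
    """The post's pattern: user input spliced straight into the SQL text."""
    sql = "select * from users where username = '%s' and password = '%s'" % (username, password)
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Same query with placeholders; the driver keeps the input out of the SQL grammar."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def demo():
    """Returns the row count each variant produces for the post's three inputs."""
    conn = make_db()
    results = {}
    results["unsafe_ok"] = len(login_unsafe(conn, "kip", "12345"))
    try:
        # The apostrophe in "dog's" terminates the string literal early: a syntax error.
        login_unsafe(conn, "kip", "My dog's name is spot")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # The post's payload turns the WHERE clause into (... and password = '') or 'abc' = 'abc'.
    results["unsafe_inject"] = len(login_unsafe(conn, "kip", "' or 'abc' = 'abc"))
    # With placeholders the apostrophe is just data and the payload is just a wrong password.
    results["safe_quote"] = len(login_safe(conn, "kip", "My dog's name is spot"))
    results["safe_inject"] = len(login_safe(conn, "kip", "' or 'abc' = 'abc"))
    results["safe_ok"] = len(login_safe(conn, "kip", "12345"))
    return results

if __name__ == "__main__":
    print(demo())
```

The unsafe variant errors on the honest password and matches a row for the payload; the placeholder variant matches only when the real password is supplied.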

</soapbox>

The politics of seat belts

Written by Kip on Tuesday, August 29, 2006 at 10:13 am (EDT)

I don’t consider yesterday’s post to be a real post, just a few questions for the world.  Feel free to keep responding to it, but I’m going to go on with a more typical post.

So my grandfather does not wear a seat belt in a vehicle.  This is something that drives me crazy.  When my dad was driving the van from Oak Island down to Myrtle Beach one day during our vacation, my grandfather was in the passenger seat with no seat belt, while we were going down Highway 17 at 60+ miles per hour.  I’m not sure why he does this.  I’ve been told something about needing to be able to get out of the car if there is an accident.  I’m not really sure if that’s true or not though.  But then I got to thinking—why is it illegal to not wear a seat belt?  I mean, the government can require that cars have seat belts, and it can make sure that people are educated about them.  But why is it the government’s responsibility to make sure that we use them?  If I don’t use a seat belt, I am not harming anyone else.  I mean, there is no law requiring that I eat three servings of fruits and vegetables a day, although that probably has a similar statistical effect on my life expectancy.  All that being said, I still don’t understand why anyone would opt to not use a seat belt, and I would probably use much harsher words to describe such a person were I not closely related to one.

I just learned something about human behavior while exploring this topic:  there is a phenomenon called risk compensation, which was “discovered” when researchers were trying to figure out why laws requiring seat belts to be worn didn’t reduce the injury or fatality rates from traffic accidents.  It seems that if you give people a safety feature—say, seat belts, air bags, or anti-lock brakes—they will drive more recklessly, so that the level of risk stays more or less the same.  So my grandfather being in the passenger seat without a seat belt may have made the rest of my family safer, by causing my dad to drive more cautiously.  And it may actually be true that you drive better after one or two beers, because you are being extra careful.  However, I wouldn’t recommend explaining that to a police officer.

Stick shifts and safety belts, bucket seats have all got to go
When I’m driving in my car, it makes my baby seem so far

This is not London Bridge

Written by Kip on Tuesday, August 15, 2006 at 7:43 pm (EDT)

[Photo: This is not London Bridge] <--- THIS IS NOT LONDON BRIDGE!

Today while making my lunch I had Fuse on in the background, and I saw a video by the girl from Black Eyed Peas called “London Bridge.”  Only, in the video she is not in front of London Bridge.  She is in front of Tower Bridge.  There have been three London Bridges in London.  The first one was the famous one and no longer exists.  The second one is currently located in Arizona.  The third one still stands, but there’s nothing special about it.  You’d think someone involved in the photo shoot would have said “You do realize that’s not London Bridge you’re posing in front of, right?”

Marsh-Broflovski ‘08

Written by Kip on Monday, July 24, 2006 at 9:22 am (EDT)

I recently discovered that there is a classification of political ideologies that is kinda like what I believe:  South Park Republican.  Okay so the term was coined five years ago, but I had never heard it until about a month ago.  So I thought I’d share.

Electricidad statico es muy malo (Static electricity is very bad)

Written by Kip on Thursday, March 3, 2005 at 2:37 pm (EST)

Today I figured out a way to avoid getting shocked all the time at work.  I actually applied knowledge from PY 208 too!  All I have to do is hold a straightened paper clip in my hand (touching as much skin as possible) and touch the other end to metal.

For background information: one of my cubicle walls is mostly metal.  Every time I get up to go do something and then come back and sit in my chair, I’ve accumulated a static charge.  This means that the number of free electrons in my body is either higher or lower than the number of free electrons in the metal wall of the cubicle.  When contact is made with this metal, the body with excess electrons tries to reach equilibrium with the other body by giving it more electrons.  This results in a flow of electrons (a.k.a. electricity).

So the Physics 2 knowledge that I applied was this: charges collect around sharp points.  This is why lightning rods are most effective when they have very sharp points at the top.  Okay so the article on lightning rods says that my statement about them is false.  Regardless, there is some mathematically provable reason that charges collect around sharp objects, and my application of this rule was effective.  So when I touch the paper clip and the wall, electricity arcs between them, but since the paper clip is in contact with my whole hand, the shock is distributed evenly across all of the skin it is in contact with.  Since this constitutes the opposite of a sharp point, the charge is very small (so small, in fact, that I don’t feel it).  If I were to hold the paper clip between two fingers, I would still feel the charge, as it would be distributed across much less skin.

Take that, Zeus!
