John Andrews is a Competitive Webmaster and Search Engine Optimization Consultant in Seattle, Washington. This is John Andrews' blog on issues of interest to the SEO community and competitive webmasters.

johnon.com  Competitive Web & SEO

Mother’s Day 2009 - explained

Okay, so it’s been a few weeks and now I will explain this comic for those who don’t get it. It is technical but relevant, so if you’re not a techie you probably didn’t get it, but it might still matter to you (once explained).

School calls… of course we know that means little Bobby is in trouble (especially because the school rep said Bobby had some computer trouble, and we know our Bobby is the one who fixes OUR computer troubles). But Mom is quick and sharp… and comes to his defense without pause.

That reference to “Bobby tables”… that’s the key. Because website programmers frequently forget to check incoming data to make sure it is what it is supposed to be, hackers have learned that they can “inject” code into a form field, and that code may actually be run on the back end of the web server.

If a programmer has been sloppy and left a “NAME: ” field unchecked, for example, typing database code into that field may actually cause the web server to run that database code instead of taking in the name as it was supposed to do. A clever hacker can jam nonsense into a web form to make it cough up an error message, which usually includes details of the underlying database structure. With that new info, the hacker can craft an “attack” on the database by injecting code into a field like the NAME field.

So here we see little Bobby has entered something other than his name into the NAME field of a web form at school. He actually typed in:

Robert'); DROP TABLE Students;

which, if accepted, would prematurely complete the SQL command behind the web application, telling it to delete the student table from the school’s database. Because the school programmer was lazy (or ignorant), the NAME field was left unchecked (we say “unsanitized”), and the school database left vulnerable to an “SQL injection” like this.

The school is onto little Bobby. But Mom is very sharp. Without pause, she replies that yes, her boy is known as little “Bobby Tables”… a quick cover-up of her son’s exploit attempts. And just to confirm that web security awareness runs in the family, Mom is sure to admonish the school administrator, reminding him of the importance of sanitizing web inputs.

So, to a geek, that’s the Greatest Mom in The World, and another very sharp comic from XKCD. To the rest of you, a friendly reminder to only hire good web programmers, and even then have their work audited by security-aware third parties, to avoid vulnerabilities like this one.


One Response to “Mother’s Day 2009 - explained”

  1. George Says:

    LOL, that’s the nerdiest cartoon ever…
