Bad programming

The Toronto Star has an article about how some computer systems are programmed so badly, they choke on some people's last names. The article is about people with apostrophes, spaces, or hyphens in their names, and how some incredibly bad computer systems don't allow these characters. The article mentions that some systems interpret apostrophes and spaces as commands when storing them in the database. If it sounds incredibly dumb to you that a computer would interpret your last name as a command, you're right, it is incredibly dumb. But the Star is right on in this regard: there are a large number of systems that are vulnerable to this and it's a major problem, called SQL Injection.

Basically what happens is that an apostrophe in the data is treated as the marker which indicates where the data ends and the commands begin. The problem is worse than mangled last names, though, because the stuff after the apostrophe is (as the article said) interpreted as a command and executed as such. Imagine writing a cheque for two hundred dollars. If you didn't write "Two Hundred Dollars" but instead wrote "Two Hundred", the recipient of the cheque could insert "Thousand Dollars" on the cheque. This would be bad for your bank account. Similarly, if a person were to type "Shiny'erase all data" into the last-name field of a website, the computer would think the last name is "Shiny" and treat the rest as instructions to erase all data (the SQL is paraphrased). Anyone could attack the system and manipulate the database in ways they wouldn't normally be allowed. The XKCD comic strip has a good comic illustrating this issue: little Bobby Tables. The comic is a little nerdy but it's completely accurate.
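To make the mechanism concrete, here is an added example (not code from the Star article or from this post) using Python's built-in sqlite3 module and an in-memory database. The `customers` table and the sample last names are constructed for the demonstration. The "naive" insert pastes the name into the SQL text, so an apostrophe closes the string literal early and the database tries to parse the rest of the name as SQL; this is exactly why such systems "choke" on names like O'Brien. The parameterized insert keeps the SQL fixed and hands the name over separately, so every name is stored verbatim, including one that looks like an attempted command.

```python
import sqlite3

# Constructed sample names: the kinds of last names the article says systems choke on,
# plus the post's paraphrased "Shiny'erase all data" example.
SAMPLE_NAMES = ["O'Brien", "Van der Berg", "Smith-Jones", "Shiny'erase all data"]


def make_db():
    """Fresh in-memory database with one constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, last_name TEXT NOT NULL)")
    return conn


def insert_naive(conn, last_name):
    """Vulnerable pattern: user data is concatenated into the SQL text.

    An apostrophe inside last_name terminates the string literal, so whatever
    follows it is handed to the SQL parser as part of the command.
    """
    sql = "INSERT INTO customers (last_name) VALUES ('" + last_name + "')"
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, last_name):
    """Correct pattern: the SQL text is constant; the name travels as a bound parameter.

    The database never parses the name as SQL, so apostrophes, spaces and
    hyphens are just characters in the stored value.
    """
    conn.execute("INSERT INTO customers (last_name) VALUES (?)", (last_name,))
    conn.commit()


def stored_names(conn):
    """Return the last names currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT last_name FROM customers ORDER BY id")]


def try_naive(names):
    """Map each name to 'stored' or to the sqlite error class it provoked under the naive insert."""
    conn = make_db()
    results = {}
    for name in names:
        try:
            insert_naive(conn, name)
            results[name] = "stored"
        except sqlite3.Error as exc:
            # Names containing an apostrophe break the SQL and raise OperationalError.
            results[name] = type(exc).__name__
    return results


def try_parameterized(names):
    """Insert every name with a bound parameter and return what the table holds afterwards."""
    conn = make_db()
    for name in names:
        insert_parameterized(conn, name)
    return stored_names(conn)


if __name__ == "__main__":
    print("naive:", try_naive(SAMPLE_NAMES))
    print("parameterized:", try_parameterized(SAMPLE_NAMES))
```

The naive version fails on both apostrophe-containing names with a syntax error, which is the "choke" the article describes; the same defect is what lets carefully shaped input run as a command on a less fortunate system. The fix is not to strip apostrophes from customers' names but to stop building SQL by string concatenation.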

Frankly there is no excuse for such bad programming. Frankly there is no excuse in 2008 for most of the common computer flaws we see, but companies don't want to spend money doing proper development, QA, or usability testing. The problem with apostrophes, however, is worse than customer inconvenience. It's often a sign of a major problem with the system.

1 comment:

Unknown said...

This is a good reason to use a framework when developing a web-based application. Things like form verification, management of database connections and transaction support are all provided for you, allowing you to focus on logic specific to your business. There are plenty of good ones in the Java space: Grails, Spring (Grails is built on Spring itself), JSF.