327: Exploits of a Mom

Explain xkcd: It's 'cause you're dumb.
Title text: Her daughter is named Help I'm trapped in a driver's license factory.

Explanation

The title of this comic is a pun: an exploit can simply mean an accomplishment or heroic deed, but in computing it means a program or technique that takes advantage of a vulnerability in other software. Mom's exploit (achievement) is to exploit (make use of) a vulnerability. We can also assume that she regards the name she has given her son as an extraordinary deed.

Mrs. Roberts receives a call from her son's school. The caller asks whether she really named her son Robert'); DROP TABLE students;-- and Mom confirms it, adding that they call him "Little Bobby Tables". Because the school's software pasted the full name into an SQL statement without "sanitizing" it, the statement it built deleted the student table.

In SQL, statements are separated by semicolons ; and string data is quoted using single quotes '. Expressions may also be enclosed in parentheses ( and ). Data is stored in tables of similar items (e.g. students), and each individual entry is a "row" in the table. To delete an entire table (and every row of data in it), you use the DROP command (e.g. DROP TABLE students).

The ' closes the quoted string, the ) closes the parenthesised expression, and the ; ends the statement, so DROP TABLE students; then runs as a statement of its own. The -- that follows starts a comment, which tells the interpreter to ignore everything after it (including whatever the original query had after the name), so the injected text parses cleanly. At the end, the school informs Mom that her exploit was successful, and Mom reminds the school to sanitize its database inputs so that code injection cannot happen again.

The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded in an SQL statement, the quote is parsed as the closing quote of the string literal rather than as part of the name. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as SQL injection. (The robust fix is not to build SQL text from user input at all but to pass the name to the database as a bound parameter; escaping is the fallback when that is not possible.)

For example, if the site was running PHP, the code might take the student's name in a variable called $student and build an SQL statement to look the student up, like this:

$sql = "SELECT * FROM Students WHERE (student_name='" . $student . "')";

For a student named "Annie", this would give the following SQL command:

SELECT * FROM Students WHERE (student_name='Annie')

However, with Mom's exploit, this becomes:

SELECT * FROM Students WHERE (student_name='Robert'); DROP TABLE Students;--')

That can be read as three statements separated by semicolons: the SELECT, which runs as normal; the DROP TABLE, which does the damage; and a comment, which consists of everything from the -- to the end of the line (thus "eating" the trailing ') characters) and stops the database from rejecting the line for bad syntax.

For this to work, it helps to know a little about the structure of the database, but it is quite a good guess that a student management database has a table called "Students". Mom's payload also assumes that the person who wrote the SQL put exactly one set of parentheses around student_name='Robert'; getting that right might take a little trial and error. Whether the DROP then actually runs depends on the database driver as well: some, such as PHP's old mysql_query(), execute only one statement per call and would reject the string, while others (mysqli_multi_query(), for example) run every statement they are handed. (Of course, most exploits of this kind are done not by social-engineering a hapless user into typing your kid's funny name, but by getting access to the system yourself and trying lots of combinations until something works, probably starting with an injection of SHOW TABLES to see how the database is structured.)
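A runnable version of the exchange above, added here as an example and not code from the comic, from the wiki page or from any real school system: it uses Python's sqlite3 module as a stand-in for the page's PHP/MySQL setup, builds the same concatenated query the page shows, runs it against an in-memory database with constructed sample rows, and then runs the parameterised form that the comic's last line is asking for. The table name Students, the column student_name, the sample rows and the helper names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for the school's real records.
SAMPLE_STUDENTS = ["Annie", "Robert"]

# The name from the comic, exactly as the caller reads it out.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def fresh_school_db():
    """Create an in-memory SQLite database holding a (constructed) Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, student_name TEXT)")
    conn.executemany("INSERT INTO Students (student_name) VALUES (?)",
                     [(name,) for name in SAMPLE_STUDENTS])
    conn.commit()
    return conn


def table_exists(conn, table_name):
    """Ask the catalogue whether a table is still there: the 'did the DROP happen?' check."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?",
        (table_name,),
    ).fetchone()
    return row is not None


def build_query_vulnerable(student):
    """The page's PHP concatenation, character for character: the name becomes SQL text."""
    return "SELECT * FROM Students WHERE (student_name='" + student + "')"


def lookup_vulnerable(conn, student):
    """Run the concatenated query on a driver that accepts stacked statements.

    sqlite3's execute() refuses more than one statement per call, so
    executescript() is used here to model drivers such as PHP's
    mysqli_multi_query() that run every statement they are handed.
    Returns True if the Students table still exists afterwards.
    """
    conn.executescript(build_query_vulnerable(student))
    return table_exists(conn, "Students")


def lookup_safe(conn, student):
    """Parameterised query: the name is bound as data and is never parsed as SQL.

    Returns the matching student names; the injection payload simply
    matches no row, and the table survives.
    """
    rows = conn.execute(
        "SELECT student_name FROM Students WHERE (student_name=?)",
        (student,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    conn = fresh_school_db()
    print(build_query_vulnerable("Annie"))
    print(build_query_vulnerable(BOBBY_TABLES))
    print("table survives vulnerable lookup:", lookup_vulnerable(conn, BOBBY_TABLES))
    conn = fresh_school_db()
    print("safe lookup of Annie:", lookup_safe(conn, "Annie"))
    print("safe lookup of Bobby:", lookup_safe(conn, BOBBY_TABLES))
    print("table survives safe lookup:", table_exists(conn, "Students"))
```

The vulnerable path has to use executescript() because sqlite3's execute() is one of the drivers that only accepts a single statement per call; on such a driver the comic's payload fails with an error rather than dropping the table, which is the driver caveat mentioned above. The safe path binds the name with a ? placeholder, so the database receives the payload as a string value and the query just returns no rows.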

There is a site about preventing SQL injection named http://bobby-tables.com.

Transcript

[Mrs. Roberts receives a call from her son's school.]
Caller: Hi, This is your son's school. We're having some computer trouble.
Mrs. Roberts: Oh, dear - did he break something?
Caller: In a way -
Caller: Did you really name your son Robert'); DROP TABLE students;--?
Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
Caller: Well, we've lost this year's student records. I hope you're happy.
Mrs. Roberts: And I hope you've learned to sanitize your database inputs.

Discussion

What about the daughter's name? Guru-45 (talk) 14:57, 17 November 2012 (UTC)

I think that's embellished upon later in a series called l33t. Davidy22(talk) 15:42, 17 November 2012 (UTC)
It's for novelty license plates with people's names on them (like "Bort" for example). 199.27.128.67 18:15, 6 July 2014 (UTC)

After fixing my stupid undo I think this comic is still incomplete: What is the "driver's license factory" in the title text? --Dgbrt (talk) 16:17, 11 June 2013 (UTC)

The common tale is that someone purchases some item or other with writing on it (or somewhere where writing can appear, on closer examination) and finds that this writing reads "Help, I'm trapped in a <item> factory", or similar, as appropriate to the object concerned. This suggests that someone is trapped (or perhaps even enslaved to work) within such a place and their only hope of escape is to make 'messages in a bottle' out of the product that leaves the facility. This is often extended to various fantastical situations, like the (British only?) joke about the stick of sea-side rock.
(Of course, the writing in sticks of rock generally starts to become unreadable (for normal-sized sticks) for any name larger than "Bridlington", although with care I suppose they've made them with a semi-legible "Weston-super-Mare" set through them. But one aspect of this version of the joke could definitely well be that the theoretical SOS message wouldn't legibly fit.)
So, anyway, Mrs Roberts (who waited for a number of years for Little Bobby Tables to grow up to school-age, for the illustrated exploit) is patiently waiting for her daughter to get to somewhere in her mid-teens, or later, all the while intending that she will get to spoof such a message from the local DMV's license-printing facility at some point. (Turns out that could be as 'soon' as her reaching 14-16 years of age for her first Learner license, depending on state.) Momma Roberts likes playing the long-game, it appears. 178.98.31.27 16:02, 19 June 2013 (UTC)
The mouseover text might also be a reference to an easter egg in classic Mac OS, in which the text "Help! Help! We're being held prisoner in a system software factory!" was embedded in the system suitcase. 173.245.50.90 20:02, 13 April 2014 (UTC)