327: Exploits of a Mom

explain xkcd: It's 'cause you're dumb.
(Redirected from 327)
Jump to: navigation, search
Exploits of a Mom
Her daughter is named Help I'm trapped in a driver's license factory.
Title text: Her daughter is named Help I'm trapped in a driver's license factory.

[edit] Explanation

The title of this comic is a pun - an exploit can simply mean an accomplishment or heroic deed, but in computer science it means a program or technique that takes advantage of a vulnerability in other software. In fact her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). We can also assume that she regards the name she has given her son as an extraordinary deed.

Mrs. Roberts receives a call from her son's school. The caller asked if the she really named her son Robert'); DROP TABLE students;-- and the mom claimed that they used the nickname "Little Bobby Tables". As the full name is read into the database without "sanitization", the drop table SQL command is being injected and executed which in turn dropped the students table (the mom assumes that the school database would name the students table as "students") and committed it, making the deletion irreversible. At the end, the school informs the mom that her exploit was successful and the mom reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.

In SQL, commands are separated by semicolons ";" and data is often quoted using single quotes -'-. Commands may also be enclosed in parentheses '(' and ')'. Data is stored in tables of similar items (e.g. "students") and individual entries are "rows" in the table. To delete an entire table (and every row of data in that table), you use the command "DROP" (e.g. "DROP TABLE students").

The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside some SQL statement, instead of being parsed as part of the name. Lack of such escaping is a common SQL vulnerability; its exploit is referred to as SQL injection.

[edit] Transcript

[Mrs. Roberts receives a call from her son's school.]
Caller: Hi, This is your son's school. We're having some computer trouble.
Mrs. Roberts: Oh, dear - did he break something?
Caller: In a way -
Caller: Did you really name your son Robert'); DROP TABLE students;-- ?
Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
Caller: Well, we've lost this year's student records. I hope you're happy.
Mrs. Roberts: And I hope you've learned to sanitize your database inputs.

[edit] See also

10: Pi Equals's setting is similar to the title text of this comic.

Comment.png add a comment!

Discussion

What about the daughter's name?Guru-45 (talk) 14:57, 17 November 2012 (UTC)
I think that's embellished upon later in a series called l33t. Davidy22(talk) 15:42, 17 November 2012 (UTC)
Retrieved from "http://www.explainxkcd.com/wiki/index.php?title=327:_Exploits_of_a_Mom&oldid=22893"
Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox
New Server Fund
Donate Bitcoins