327: Exploits of a Mom

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
Exploits of a Mom
Her daughter is named Help I'm trapped in a driver's license factory.
Title text: Her daughter is named Help I'm trapped in a driver's license factory.

[edit] Explanation

Mrs. Roberts receives a call from her son's school. The caller, likely one of the school's administrators, asks if the she really named her son Robert'); DROP TABLE Students;--, a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables". As the full name is read into the school's system's databases without data sanitization, it causes the student table in the database to be deleted.

The title of this comic is a pun—exploit can mean an accomplishment or heroic deed, but in computer science the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary.

In SQL, a database programming language, commands are separated by semicolons ; and strings of text are often delimited using single quotes '. Parts of commands may also be enclosed in parentheses ( and ). Data entries are stored as "rows" within named "tables" of similar items (e.g. Students). The command to delete an entire table (and every row of data in that table) is DROP, as in DROP TABLE Students;).

The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been parsed as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as SQL injection. Mrs. Roberts thus reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.

For example, if the site was running PHP, the code might store the student's name in a variable called $name, and generate an SQL statement to search the database and check that the name is valid, like this:

$sql = "SELECT * FROM Students WHERE (first_name='$name');";

For a student named "Annie", this would give the following SQL command:

SELECT * FROM Students WHERE (first_name='Annie');

which is a valid command where the 5-character string "Annie" has been substituted for "$name" in the PHP code above. However, with Mrs. Roberts' exploit, the SQL command becomes:

SELECT * FROM Students WHERE (first_name='Robert'); DROP TABLE Students;--');

As semicolons separate statements, this will be read by the interpreter as three commands:

SELECT * FROM Students WHERE (first_name='Robert');
DROP TABLE Students;

The first line runs as normal, caused by the '); punctuation in part of Little Bobby Tables' name properly closing the current command. The second injected command then does the damage, deleting the student records from the school's database. The third line begins with two hyphens -- which are used to mark a comment in SQL, meaning that the interpreter ignores it as well as the partial fragment of code originally after $name in the PHP statement.

For this to work, it helps to know a little about the structure of the database. But it's quite a good guess that a school's student management database might have a table named Students. Mrs. Roberts' exploit also assumes that the person who wrote the code used exactly one set of parentheses around (first_name='$name') in the PHP example, so that the single close parenthesis in the name could match it, which apparently was a successful guess. Of course, in real life most exploits of this kind would be performed not by socially engineering a person's name such that it would eventually be entered into a database query, but rather by accessing some kind of input system (such as a website's login screen or search interface) and guessing various combinations by trial and error until something works, perhaps by first trying to inject the SHOW TABLES command to see how the database is structured.

This xkcd comic has become rather famous, spawning at least one site about preventing SQL injection named http://bobby-tables.com.

[edit] Transcript

[Mrs. Roberts receives a call from her son's school.]
Caller: Hi, This is your son's school. We're having some computer trouble.
Mrs. Roberts: Oh, dear - did he break something?
Caller: In a way -
Caller: Did you really name your son Robert'); DROP TABLE Students;-- ?
Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
Caller: Well, we've lost this year's student records. I hope you're happy.
Mrs. Roberts: And I hope you've learned to sanitize your database inputs.
comment.png add a comment! ⋅ Icons-mini-action refresh blue.gif refresh comments!


What about the daughter's name?Guru-45 (talk) 14:57, 17 November 2012 (UTC)

I think that's embellished upon later in a series called l33t. Davidy22(talk) 15:42, 17 November 2012 (UTC)
It's for novelty license plates with people's names on them (like "Bort" for example). 18:15, 6 July 2014 (UTC)

After fixing my stupid undo I think this comic is still incomplete: What is the "driver's license factory" at the title text? --Dgbrt (talk) 16:17, 11 June 2013 (UTC)

The common tale is that someone purchases some item or other with writing on it (or somewhere where writing can appear, on closer examination) and finds that this writing reads "Help, I'm trapped in a <item> factory", or similar, as appropriate to the object concerned. This suggests that someone is trapped (or perhaps even enslaved to work) within such a place and their only hope of escape is to make 'messages in a bottle' out of the product that leaves the facility. This is often extended to various fantastical situations, like the (British only?) joke about the stick of sea-side rock.
(Of course, the writing in sticks of rock generally starts to become unreadable (for normal-sized sticks) for any name larger than "Bridlington", although with care I suppose they've made them with a semi-legible "Western-super-Mare" set through them. But one aspect of this version of the joke could definitely well be that the theoretical SOS message wouldn't legibly fit.)
So, anyway, Mrs Roberts (who waited for a number of years for Little Bobby Tables to grow up to school-age, for the illustrated exploit) is patiently waiting for her daughter to get to somewhere in her mid-teens, or later, all the while intending that she will get to spoof such a message from the local DMV's license-printing facility at some point. (Turns out that could be as 'soon' as her reaching 14-16 years of age for her first Learner license, depending on state.) Momma Roberts likes playing the long-game, it appears. 16:02, 19 June 2013 (UTC)
The mouseover text might also be a reference to an easter egg in classic Mac OS, in which the text "Help! Help! We're being held prisoner in a system software factory!" was embedded in the system suitcase. 20:02, 13 April 2014 (UTC)
Someone should probably put something like this on the actual page instead of just the discussion... 02:23, 11 March 2015 (UTC)

Wasn't there another comic that had the digits of pi with "Help I'm trapped in a universe factory!" included in it? (talk) (please sign your comments with ~~~~)

Yes, the earlier 10: Pi Equals. 20:32, 29 January 2015 (UTC)

The example talks about a SELECT query (for looking up information in a database), but I think an INSERT query (for inserting new information in the database) makes more sense, because of the closing bracket. A SELECT query is usually of the following form: SELECT column1, coulm2 FROM table WHERE username='somethingsomething'. An INSERT query is usually of the following form: INSERT INTO table (column1, columns2) VALUES (value1, value2)

In the case of the comic, I think it's reasonable to assume it's the start of the school year and someone is adding the name of a new student (Bobby) to the database, which triggers the exploit. 21:23, 23 March 2015 (UTC) David
Personal tools


It seems you are using noscript, which is stopping our project wonderful ads from working. Explain xkcd uses ads to pay for bandwidth, and we manually approve all our advertisers, and our ads are restricted to unobtrusive images and slow animated GIFs. If you found this site helpful, please consider whitelisting us.

Want to advertise with us, or donate to us with Paypal or Bitcoin?