Explain xkcd: It's 'cause you're dumb.
The title of this comic is a pun - an exploit can simply mean an accomplishment or heroic deed, but in computer science it means a program or technique that takes advantage of a vulnerability in other software. In fact her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). We can also assume that she regards the name she has given her son as an extraordinary deed.
Mrs. Roberts receives a call from her son's school. The caller asked if the she really named her son
Robert'); DROP TABLE students;-- and the mom claimed that they used the nickname "Little Bobby Tables". As the full name is read into the database without "sanitization" it causes the student table to be deleted.
The '); closes the current command allowing the DROP TABLE students; command to run. The -- that follows it tells the interpreter to ignore everything after it so that the injection is complete. At the end, the school informs the mom that her exploit was successful and the mom reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.
In SQL, commands are separated by semicolons ";" and data is often quoted using single quotes -'-. Commands may also be enclosed in parentheses '(' and ')'. Data is stored in tables of similar items (e.g. "students") and individual entries are "rows" in the table. To delete an entire table (and every row of data in that table), you use the command "DROP" (e.g. "DROP TABLE students").
The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside some SQL statement, instead of being parsed as part of the name. Lack of such escaping is a common SQL vulnerability; its exploit is referred to as SQL injection.
There is a site about preventing SQL injection named http://bobby-tables.com.
The title text refers to this joke: Someone found a fortune cookie message that reads Help! I’m trapped in a fortune cookie factory!.
- [Mrs. Roberts receives a call from her son's school.]
- Caller: Hi, This is your son's school. We're having some computer trouble.
- Mrs. Roberts: Oh, dear - did he break something?
- Caller: In a way -
- Caller: Did you really name your son
Robert'); DROP TABLE students;-- ?
- Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
- Caller: Well, we've lost this year's student records. I hope you're happy.
- Mrs. Roberts: And I hope you've learned to sanitize your database inputs.
- 10: Pi Equals's setting is similar to the title text of this comic.
add a comment! ⋅ refresh comments!
What about the daughter's name?Guru-45 (talk) 14:57, 17 November 2012 (UTC)
- I think that's embellished upon later in a series called l33t. Davidy22(talk) 15:42, 17 November 2012 (UTC)
- It's for novelty license plates with people's names on them (like "Bort" for example). 18.104.22.168 18:15, 6 July 2014 (UTC)
After fixing my stupid undo I think this comic is still incomplete: What is the "driver's license factory" at the title text? --Dgbrt (talk) 16:17, 11 June 2013 (UTC)
- The common tale is that someone purchases some item or other with writing on it (or somewhere where writing can appear, on closer examination) and finds that this writing reads "Help, I'm trapped in a <item> factory", or similar, as appropriate to the object concerned. This suggests that someone is trapped (or perhaps even enslaved to work) within such a place and their only hope of escape is to make 'messages in a bottle' out of the product that leaves the facility. This is often extended to various fantastical situations, like the (British only?) joke about the stick of sea-side rock.
- (Of course, the writing in sticks of rock generally starts to become unreadable (for normal-sized sticks) for any name larger than "Bridlington", although with care I suppose they've made them with a semi-legible "Western-super-Mare" set through them. But one aspect of this version of the joke could definitely well be that the theoretical SOS message wouldn't legibly fit.)
- So, anyway, Mrs Roberts (who waited for a number of years for Little Bobby Tables to grow up to school-age, for the illustrated exploit) is patiently waiting for her daughter to get to somewhere in her mid-teens, or later, all the while intending that she will get to spoof such a message from the local DMV's license-printing facility at some point. (Turns out that could be as 'soon' as her reaching 14-16 years of age for her first Learner license, depending on state.) Momma Roberts likes playing the long-game, it appears. 22.214.171.124 16:02, 19 June 2013 (UTC)
- The mouseover text might also be a reference to an easter egg in classic Mac OS, in which the text "Help! Help! We're being held prisoner in a system software factory!" was embedded in the system suitcase. 126.96.36.199 20:02, 13 April 2014 (UTC)
- Someone should probably put something like this on the actual page instead of just the discussion... 188.8.131.52 02:23, 11 March 2015 (UTC)
Wasn't there another comic that had the digits of pi with "Help I'm trapped in a universe factory!" included in it? 184.108.40.206 (talk) (please sign your comments with ~~~~)
- Yes, the earlier 10: Pi Equals. 220.127.116.11 20:32, 29 January 2015 (UTC)
The example talks about a SELECT query (for looking up information in a database), but I think an INSERT query (for inserting new information in the database) makes more sense, because of the closing bracket. A SELECT query is usually of the following form: SELECT column1, coulm2 FROM table WHERE username='somethingsomething'.
An INSERT query is usually of the following form: INSERT INTO table (column1, columns2) VALUES (value1, value2)
In the case of the comic, I think it's reasonable to assume it's the start of the school year and someone is adding the name of a new student (Bobby) to the database, which triggers the exploit.18.104.22.168 21:23, 23 March 2015 (UTC) David
I've made an explanation for the title text, if anyone wants to change it to make it less ambiguous or anything, edits are welcome. StairwayToHenry (talk) 15:35, 8 April 2015 (UTC)
It seems to me that Bobby doesn't necessarily share her technical savvy or sense of humour, but caused the incident simply through having the name she gave him. 22.214.171.124 23:47, 23 May 2015 (UTC)
Anyone want to comment on the missing outline from panel 2? 126.96.36.199 23:48, 27 July 2015 (UTC)someGuy
The explanation says that Bobby Tables got his technical savvy from his mom, however we have no reason to believe that he has any technical savvy at all- this prank was entirely his parents'. He is most likely having his first day of kindergarten, and has no technical savvy at all. Bbruzzo (talk) 13:15, 4 September 2015 (UTC)
Is no one going to notice that his name is Robert Roberts? Abbyclem (talk) 22:04, 12 September 2015 (UTC)
- ... I read all the way down here waiting to see someone mention that, only to find you did it ... about a month ago. On what is now a very old strip. Weird o_O 188.8.131.52 18:56, 28 October 2015 (UTC)
- Real Life
It might be worth adding under "trivia" that situations similar to the one in the comic actually seem to happen in real life.--184.108.40.206 17:50, 22 November 2015 (UTC)
And possibly a warning not to try this on a live system.. a colleague just got fired after XKCD inspired stupidity. ~100% his own fault, but might be worth mentioning. Xseo (talk) 09:49, 29 November 2015 (UTC)
The explanation is incorrect. It keeps putting single quotes around the variable $name when it is the input stored in $name which will have the single quotes. It even mentions how the single quotes around $name are the reason for the exploit as opposed to the single quotes in the input stored in the variable $name.
On another note, the explanation seems to indicate that Bobby is responsible for the SQL injection and later suggests instead the mother is responsible. My interpretation was that this is entirely attributed to the mother since it is called "Exploits of a Mom". I do not believe she actually named her son with an SQL injection, but rather input that as his first name in the school's online registration form.
Flewk (talk) 17:15, 26 December 2015 (UTC)