Talk:931: Lanes

2017-12-14T07:13:13Z

162.158.167.24:

;Typo?
Not positive enough to change, but..."Randall's now wife"? Is that supposed to be 'Randall's NEW wife'? --[[Special:Contributions/68.200.188.141|68.200.188.141]] 02:00, 28 January 2013 (UTC)
:No. At the time, she was his fiancee. She is now his wife. His then-fiancee, now-wife. [[Special:Contributions/184.144.254.165|184.144.254.165]] 01:32, 28 October 2013 (UTC)
::This explain now covers this issue very well. Thanks for your hints. --[[User:Dgbrt|Dgbrt]] ([[User talk:Dgbrt|talk]]) 22:35, 6 February 2014 (UTC)

;My edit to the transcript
I've noticed that when the only characters in a comic are two stick figures, explainxkcd usually calls them "Cueball" and "Friend". So I changed this transcript to reflect that. I tried to clarify what "off-panel" meant, and I added the fact that the second Cueball-only panel shows only the top half of his body. Lastly, I changed "roughly fifty" to "fifty-two", since an exact count of the lanes was given in the explanation. I hope no one disagrees with these changes, but if you do, please don't just revert without an explanation. [[User:NealCruco|NealCruco]] ([[User talk:NealCruco|talk]]) 19:06, 13 January 2015 (UTC)

Here's to Randall's Now Wife. Good on you my dear!

[[User:Weatherlawyer| I used Google News BEFORE it was clickbait]] ([[User talk:Weatherlawyer|talk]]) 16:29, 23 January 2015 (UTC)

Fuck cancer. [[Special:Contributions/108.162.219.143|108.162.219.143]] 02:02, 13 April 2015 (UTC)

Just read Jimmy Carter's got cancer. I echo the sentiments of the IP poster above me.[[User:PsyMar|PsyMar]] ([[User talk:PsyMar|talk]]) 20:54, 12 August 2015 (UTC)

Might be worth mentioning too that this resembles a Sankey Diagram [[Special:Contributions/162.158.167.24|162.158.167.24]] 07:13, 14 December 2017 (UTC)

327: Exploits of a Mom

2016-09-02T12:30:25Z

162.158.167.24:

{{comic
| number = 327
| date = October 10, 2007
| title = Exploits of a Mom
| image = exploits_of_a_mom.png
| titletext = Her daughter is named Help I'm trapped in a driver's license factory.
}}

==Explanation==
[[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son <code>[[Robert'); DROP TABLE students;--]]</code>, a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables". As the full name is read into the school's system's databases without {{w|Data sanitization#SQL injection|data sanitization}}, it causes the student table in the database to be deleted.

The title of this comic is a pun—''exploit'' can mean an accomplishment or heroic deed, but in computer science the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary.

In {{w|SQL}}, a database programming language, commands are separated by semicolons <code>;</code> and strings of text are often delimited using single quotes <code>'</code>. Parts of commands may also be enclosed in parentheses <code>(</code> and <code>)</code>. Data entries are stored as "rows" within named "tables" of similar items (e.g. <code>Students</code>). The command to delete an entire table (and every row of data in that table) is <code>DROP TABLE</code>, as in <code>DROP TABLE Students;</code>.

The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been parsed as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.

For example, to add information about Elaine to a data table called 'Students' the SQL query could be:

<code>INSERT INTO Students (firstname) VALUES ('Elaine');</code>

However, using the odd name <code>Robert');DROP TABLE Students;-- </code> where we used "Elaine" above, the SQL query becomes:

<code>INSERT INTO Students (firstname) VALUES ('Robert');DROP TABLE Students;-- ');</code>

By insertion of the two semi-colons in the odd name this is now three well formed SQL commands:

<code>
INSERT INTO Students (firstname) VALUES ('Robert');

DROP TABLE Students;

-- ');
</code>

The first line is valid SQL code that will legitimately insert data on a Student called Robert.

The second line is valid injected SQL code that will delete the whole Student data table from the database.

The third line is a valid code comment ( --  denotes a comment) which will be ignored by the SQL server.

For this to work, it helps to know a little about the structure of the database. But it's quite a good guess that a school's student management database might have a table named <code>Students</code>.

Of course, in real life most exploits of this kind would be performed not by socially engineering a person's name such that it would eventually be entered into a school database query, but rather by accessing some kind of input system (such as a website's login screen or search interface) and guessing various combinations by trial and error until something works, perhaps by first trying to inject the <code>SHOW TABLES</code> command to see how the database is structured.

To correctly and harmlessly include the odd name in the Students table in the school database the correct SQL is:

<code>INSERT INTO Students (firstname) VALUES ('Robert\');DROP TABLE Students;-- ');</code>

Note that the single quote after Robert is now sanitized by a backslash, which changes it from malicious code to harmless data.

It should be noted that while data sanitization can mitigate the risks of SQL injection, the proper prevention technique is to use {{w|Prepared statement}}s.

==Daughter's name==
The XKCD title text references that Mom's daughter is named "Help I'm trapped in a driver's license factory". This is a play on how if someone is stuck and forced to work in a manufacturing factory/plant then they will write on the product "Help I am trapped in a ____ factory" in order to tell people on the outside. Having this name would cause any police officer that pulls her over to show some concern, as well as getting the license in the first place would be difficult. The idea of inserting a help message like this was already used in [[10: Pi Equals]].


This xkcd comic has become rather famous, spawning at a site about preventing SQL injection named http://bobby-tables.com and also at the official [https://docs.python.org/2/library/sqlite3.html Python SQLite documentation]. Noted security expert {{w|Bruce Schneier}} (who often quotes xkcd) [https://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html mentioned a similar attack] which happened in the 2014 Swedish general elections.

==Transcript==
:[Mrs. Roberts receives a call from her son's school.]
:Caller: Hi, This is your son's school. We're having some computer trouble.

:Mrs. Roberts: Oh, dear - did he break something?
:Caller: In a way -

:Caller: Did you really name your son <code>Robert'); DROP TABLE Students;--</code> ?
:Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.

:Caller: Well, we've lost this year's student records. I hope you're happy.
:Mrs. Roberts: And I hope you've learned to sanitize your database inputs.

{{comic discussion}}
[[Category:Comics featuring Mrs. Roberts]]
[[Category:Comics featuring Little Bobby Tables]]
[[Category:Comics featuring Elaine Roberts]]
[[Category:Comics featuring Miss Lenhart]]

explain xkcd - User contributions [en]

Talk:931: Lanes

327: Exploits of a Mom