Editing 327: Exploits of a Mom
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 10: | Line 10: | ||
[[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son [[Robert'); DROP TABLE Students;--]], a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables." As the full name is read into the school's system's databases without {{w|Data sanitization#SQL injection|data sanitization}}, it causes the "Students" table in the database to be dropped, meaning it gets deleted. | [[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son [[Robert'); DROP TABLE Students;--]], a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables." As the full name is read into the school's system's databases without {{w|Data sanitization#SQL injection|data sanitization}}, it causes the "Students" table in the database to be dropped, meaning it gets deleted. | ||
− | + | The title of this comic is a pun. ''Exploit'' can mean an accomplishment or heroic deed, but in computer science, the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary. In {{w|SQL}}, a database programming language, commands are separated by semicolons <code>;</code>, and strings of text are often delimited using single quotes <code>'</code>. Parts of commands may also be enclosed in parentheses <code>(</code> and <code>)</code>. Data entries are stored as "rows" within named "tables" of similar items (e.g., <code>Students</code>). The command to delete an entire table (and thus every row of data in that table) is <code>DROP TABLE</code>, as in <code>DROP TABLE Students;</code>. | |
The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been read as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of careful parsing is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure that they have added data filtering code to prevent code injection exploits in the future. | The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been read as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of careful parsing is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure that they have added data filtering code to prevent code injection exploits in the future. | ||
Line 60: | Line 60: | ||
==Trivia== | ==Trivia== | ||
− | + | This comic has become rather famous, spawning a site at http://bobby-tables.com about preventing SQL injection and also at the official [https://docs.python.org/2/library/sqlite3.html Python SQLite documentation]. Noted security expert {{w|Bruce Schneier}} (who often quotes xkcd) [https://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html mentioned a similar attack] that happened in the 2010 Swedish general elections, and [https://blog.xkcd.com/2010/05/03/color-survey-results/ several people tried it on Randall's color survey]. | |
− | + | ||
− | * This comic | + | In [[1253: Exoplanet Names]], someone (presumably Mrs. Roberts) attempts to perform a similar trick, submitting the name <code>e'); DROP TABLE PLANETS;--</code> to the IAU. |
+ | |||
+ | It is later revealed in [[342: 1337: Part 2]] that the daughter's middle name is Elaine (Her full name is [[Help I'm trapped in a driver's license factory Elaine Roberts]]). This is thus the first time Elaine is mentioned. This comic was, presumably, a setup for the "[[:Category:1337|1337]]" series where both of the hacker mom's kids are shown for the first time. | ||
+ | |||
+ | * This comic is available as a signed print in the [https://store.xkcd.com/products/signed-prints xkcd store]. | ||
{{comic discussion}} | {{comic discussion}} |