327: Exploits of a Mom

==Explanation==
[[Mrs. Roberts]] receives a call from her son's school. The caller, likely one of the school's administrators, asks if she really named her son [[Robert'); DROP TABLE Students;--]], a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, adding that they use the nickname "Little Bobby Tables." Because the full name was inserted into the school's database without {{w|Data sanitization#SQL injection|sanitization}} or escaping, the text after the name was executed as SQL, and the "Students" table was dropped, meaning it was deleted.
This comic was a prequel for the [[:Category:1337|1337 series]], where the entire family is shown for the first time. The title of this comic is a pun: "exploit" can mean an accomplishment or heroic deed, but in computer security the term refers to a program or technique that takes advantage of a vulnerability in other software. The title can also refer to her choice of name for her son, which is rather extraordinary.

In {{w|SQL}}, the language used to query and modify relational databases, statements are separated by semicolons <code>;</code>, and strings of text are delimited using single quotes <code>'</code>. Parts of statements may also be enclosed in parentheses <code>(</code> and <code>)</code>. Data entries are stored as "rows" within named "tables" of similar items (e.g., <code>Students</code>). The statement that deletes an entire table (and thus every row of data in that table) is <code>DROP TABLE</code>, as in <code>DROP TABLE Students;</code>. In [[1253: Exoplanet Names]], someone (presumably Mrs. Roberts) attempts a similar trick, submitting the name <code>e'); DROP TABLE PLANETS;--</code> to the IAU.
  
The exploited vulnerability is that the single quote in the name was not "escaped" by the software before the name was pasted into the text of a query. If a student's name contains a quote mark, it should be treated as one of the characters making up the text string, not as the marker that closes the string, which is how the database erroneously read it. Building a query by concatenating unescaped input into its text is a common vulnerability; exploiting it is referred to as {{w|SQL injection}}. Mrs. Roberts thus reminds the school to make sure that they have added data filtering code to prevent code injection exploits in the future.
  
For example, to add information about Elaine to a data table called 'Students', the SQL query could be:
<br><code>INSERT INTO Students (firstname) VALUES ('Elaine');</code>
 
  
However, using the odd name <code>Robert');DROP TABLE Students;--&nbsp;</code> where we used "Elaine" above, the SQL query becomes:
<br><code>INSERT INTO Students (firstname) VALUES ('Robert');DROP TABLE Students;--&nbsp;');</code>
 
 
 
Because the quote and closing parenthesis in the name terminate the string and the value list early, and the semicolons end the statements, the server now sees two complete SQL statements followed by a comment:
 
<br><code>
INSERT INTO Students (firstname) VALUES ('Robert');
DROP TABLE Students;
--&nbsp;');
</code>
 
 
 
The first line is valid SQL code that will legitimately insert data about a student named Robert. The second line is valid injected SQL code that will delete the whole Students data table from the database. The third line is a valid code comment (<code>--&nbsp;</code> denotes a comment), which will cause the rest of the line to be ignored by the SQL server. For this to work, it helps to know the structure of the database. But it's quite a good guess that a school's student management database might have a table named <code>Students</code>.
 
 
 
Of course, in real life, most exploits of this kind would be performed not by engineering a person's name such that it would eventually be entered into a school database query, but rather by accessing some kind of input system (such as a website's login screen or search interface) and guessing various combinations by trial and error until something works, perhaps by first trying to inject a statement such as MySQL's <code>SHOW TABLES;</code> to see how the database is structured. Stacking a second statement after the first, as the comic does, only works where the application's database driver is willing to run several statements in one call; many drivers are not, but that does not make the injection harmless, since the attacker can still alter the single statement that is run (its WHERE clause, for example). In 2019, a person chose a vanity license plate that said "NULL" and subsequently [https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/ received thousands of dollars in fines from random vehicles] for which the license plate was unavailable. Some database programmers somewhere along the way failed to consider the difference between the string NULL and the value {{w|NULL}}.
 
 
 
In 2017, a Swiss group called their book "<script>alert("!Mediengruppe Bitnik");</script>" to make e-commerce websites display an innocuous pop-up as soon as the book name loads. [https://i.imgur.com/Dd4XN7d.png It immediately worked on several sites] and to this day, [https://www.tomlinsons-online.com/p-16381221-scriptalertmediengruppe-bitnikscript.aspx some websites] are still affected. In 2020, the British corporate register [https://forum.aws.chdev.org/t/cross-site-scripting-xss-software-attack/3355/8 accepted a registration] for "&quot;&gt;&lt;SCRIPT SRC=<nowiki>H</nowiki>TTPS://MJT.XSS.HT&gt; LTD", which was soon officially renamed "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD" to avoid a cross-site scripting problem. The bug is the same as in the comic, with a web browser rather than a database server as the interpreter that mistakes data for code.
 
 
 
To include the odd name correctly and harmlessly in the Students table in the school database the correct SQL is:
 
<br><code>INSERT INTO Students (firstname) VALUES ('Robert<nowiki>''</nowiki>);DROP TABLE Students;--&nbsp;');</code>
 
 
 
Note that the single quote after Robert is now escaped by doubling it, which is how SQL writes a literal quote inside a string; this turns it from code back into data, and the full first 'name' of the student <code>Robert');DROP TABLE Students;--</code> is stored correctly. While escaping and data sanitization can mitigate the risk of SQL injection, the proper prevention technique is to use {{w|Prepared statement}}s (parameterized queries), which send the SQL text and the data to the database separately so that the data is never parsed as SQL at all. Noting the difference between the "actual" name using the word TABLE and the child's nickname being Bobby Tables, one could argue that there's an implied reference to one of the most argued topics of database naming conventions: should table names be singular or plural.
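The walk-through above and the fix just described, as an added Python example that is not code from the comic, this wiki, or any school's software. It uses only the standard library <code>sqlite3</code> module; the <code>Students</code> table, the <code>Elaine</code> row and the <code>BOBBY</code> constant are constructed test data, and the function names are this example's own. It first runs the concatenated text through <code>executescript()</code>, which, like the school's system, executes every statement it is given, then shows the same text refused by <code>execute()</code>, an API that runs one statement per call, and finally the parameterized insert that stores the whole name as data:

```python
import sqlite3

# Constructed sample input: the first name from the comic, including the
# trailing space that makes "-- " a comment in every common SQL dialect.
BOBBY = "Robert'); DROP TABLE Students;-- "


def fresh_db():
    """In-memory stand-in for the school database (constructed data):
    one Students table holding the 'Elaine' row from the text above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (firstname TEXT)")
    conn.execute("INSERT INTO Students (firstname) VALUES ('Elaine')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table called `name` is still present in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def names(conn):
    """Every firstname currently stored, in insertion order."""
    return [r[0] for r in conn.execute("SELECT firstname FROM Students ORDER BY rowid")]


def build_by_concatenation(firstname):
    """The bug from the comic: the name is pasted straight into the SQL text."""
    return "INSERT INTO Students (firstname) VALUES ('" + firstname + "');"


def insert_vulnerable(conn):
    """Runs the concatenated text through an API that executes every statement
    it finds, which is what the school's system must have done. Returns the
    SQL actually sent so the three pieces the server parsed are visible."""
    sql = build_by_concatenation(BOBBY)
    conn.executescript(sql)  # INSERT ...; DROP TABLE Students; -- ');
    return sql


def insert_vulnerable_single_statement_api(conn):
    """Same concatenation, but through sqlite3's execute(), which refuses to run
    more than one statement per call (the exception class differs between
    Python versions, hence the tuple). The DROP never runs, so the table
    survives, but the query text is still attacker-controlled."""
    try:
        conn.execute(build_by_concatenation(BOBBY))
    except (sqlite3.Error, sqlite3.Warning):
        pass
    return table_exists(conn, "Students")


def insert_parameterized(conn, firstname):
    """The fix: SQL text and data travel separately, so nothing needs escaping
    and the name can never be parsed as SQL."""
    conn.execute("INSERT INTO Students (firstname) VALUES (?)", (firstname,))
    conn.commit()


def demo_vulnerable():
    conn = fresh_db()
    sql = insert_vulnerable(conn)
    return sql, table_exists(conn, "Students")


def demo_single_statement_api():
    return insert_vulnerable_single_statement_api(fresh_db())


def demo_parameterized():
    conn = fresh_db()
    insert_parameterized(conn, BOBBY)
    return table_exists(conn, "Students"), names(conn)


if __name__ == "__main__":
    sql, alive = demo_vulnerable()
    print("sent:", sql)
    print("Students table survives executescript():", alive)
    print("Students table survives execute():", demo_single_statement_api())
    alive, stored = demo_parameterized()
    print("Students table survives parameterized insert:", alive)
    print("rows:", stored)
```

The middle case is the driver caveat from the paragraph above: a single-statement API stops this particular payload, but only the parameterized version removes the bug, because it is the only one in which the name never becomes part of the SQL text.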
 
 
 
The title text references that Mrs. Roberts' daughter is named "Help I'm trapped in a driver's license factory". This is a play on how if someone is stuck and forced to work in a manufacturing factory/plant, then they will write on the product {{tvtropes|HelpHelpTrappedInTitleFactory|"Help I'm trapped in a ____ factory"}} in order to tell people on the outside. Having this name would cause any police officer who pulls her over to show some concern. And getting the license in the first place would likely be difficult. The idea of inserting a help message like this was already used in [[10: Pi Equals]].
 
<!-- Help I'm trapped in a Wiki markup code editing facility! -->
 
  
 
==Transcript==
 
:[Mrs. Roberts receives a call from her son's school on her wireless phone. She is standing with a cup of hot coffee or tea (shown with a small line above the cup) facing a small round three-legged table to the right. The voice of the caller is indicated to come from the phone with a zigzag line.]
:Voice over the phone: Hi, This is your son's school. We're having some computer trouble.
  
:[In this frame-less panel Mrs. Roberts has put the cup down on the table turned facing out.]
:Mrs. Roberts: Oh, dear &ndash; did he break something?
:Voice over the phone: In a way &ndash;
 
  
:[Mrs. Roberts is now drinking from the cup again looking right. The table is not shown.]
:Voice over the phone: Did you really name your son <code>Robert'); DROP TABLE Students;--</code> ?
 
 
:Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
 
  
:[Mrs. Roberts holds the cup down.]
:Voice over the phone: Well, we've lost this year's student records. I hope you're happy.
 
 
:Mrs. Roberts: And I hope you've learned to sanitize your database inputs.
 
  
 
==Trivia==
 
* This comic has become rather famous, spawning the site http://bobby-tables.com about preventing SQL injection, and it is linked from the official [https://docs.python.org/2/library/sqlite3.html Python SQLite documentation]. Noted security expert {{w|Bruce Schneier}} (who often quotes xkcd) [https://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html mentioned a similar attack] that happened in the 2010 Swedish general elections, and [https://blog.xkcd.com/2010/05/03/color-survey-results/ several people tried it on Randall's color survey].
* This is the first xkcd comic featuring [[Mrs. Roberts]], [[Help I'm trapped in a driver's license factory Elaine Roberts]], and [[Robert'); DROP TABLE Students;--]].
 
* This comic used to be [https://web.archive.org/web/20220125023401/https://store.xkcd.com/products/signed-prints available as a signed print] in the xkcd store before it was [[Store|shut down]].
 
  
 
{{comic discussion}}
 
 
 
[[Category:Comics featuring Mrs. Roberts]]
 
[[Category:Comics featuring Robert'); DROP TABLE Students;--]]
 
[[Category:Comics featuring Help I'm trapped in a driver's license factory Elaine Roberts]]
 
[[Category:Programming]]
 
[[Category:Computer security]]
 
[[Category:Comics with xkcd store products]]
 
[[Category:Comics with lowercase text]]
 
