by Alex Papadimoulis in Feature Articles on 2006-05-16 Edit

Matthias Winkelmann's company decided to go the ole' outsourcing route and hand off all development work for a fixed-bid project to a certain overseas company. As it turned out, the hourly rate for certain overseas programmers were less than half that of the in-house folks, so management did the math and figured they could profit that much more.

The in-house programmers were told to spend "only a little bit of time" on the project -- no technical advice, no coding assistance, and no even looking at the code. They were only to assist testers in "effectively communicating technical issues" to the overseas team. As it turned out, there were a lot of technical issues, and a lot of issues communicating the technical issues, so that job ended up taking quite a bit more than "only a little bit of time."

One issue that the testers noticed was that one could logon to any account using the password '' or 1=1 --. The in-house developers explained to the overseas folks that this was "SQL Injection" and that they would need to fix it. The overseas folks seemed very uneasy about this -- how possibly could one thwart a sophisticated attack where the user inputs a single-quote character? As it turned out, the in-house team was very familiar with preventing this, so they passed along an article that one of the guys wrote and the overseas team assured them they'd fix it.

Several weeks of test-break-explain-explain-explain-fix went by and the testers ran into another tricky problem. They would randomly get "Invalid text was entered. Please correct." errors, but could not figure out why. The in-house developers took a look and were baffled, too -- the system just seemed to hate certain test data, and especially the names Seth, Amanda, and George -- but now they had a chance to actually fix it. As it turned out, the overseas team had billed more than three times the estimated hours, so management instructed the in-house developers to fix it and all other bugs.

After a few hours of digging through the code for the first time, the in-house team spotted where the problem was. As it turned out, the overseas team didn't read the SQL injection article, so they invented their own protection scheme that discriminates against Seth, Amanda, and George ...

function checkForBadSql($sqlcode) { global $CONTEXT, $ERROR_TEXT;

$badSqlCode[] = 'create'; $badSqlCode[] = 'database'; $badSqlCode[] = 'table'; $badSqlCode[] = 'insert'; $badSqlCode[] = 'update'; $badSqlCode[] = 'rename'; $badSqlCode[] = 'replace'; $badSqlCode[] = 'select'; $badSqlCode[] = 'handler'; $badSqlCode[] = 'delete'; $badSqlCode[] = 'truncate'; $badSqlCode[] = 'drop'; $badSqlCode[] = 'where'; $badSqlCode[] = 'or'; $badSqlCode[] = 'and'; $badSqlCode[] = 'values'; $badSqlCode[] = 'set';

//test if sql code is bad if (preg_match('/\s['.implode('|',$badSqlCode).']+\s/i', $sqlcode)) { //bad sql found -- hack attept! Abort $ERROR_TEXT = "Invalid text was entered. Please correct."; return 0; }

return 1; }

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!