Oh my FREAKING God....
That makes me twitch. That's such a horrible security flub.
All you've got are table names (and for the movie table only) - you can't actually get access. It's dumb and stupid but not a humongous breach
cheers,
Chris Maunder
CodeProject.com : C++ MVP
As has already been pointed out... We now know that they use inline SQL, so the first input page you come to makes it ripe to do the injection attack with a 'drop tables' in it.
The real WTF is ADODB!
Pits fall into Chuck Norris.
Brady Kelly wrote: real WTF is ADODB
Yep.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
Daily WTF material right here... this is fantastic
yeah, Opera could see it
but, why IE not??
Rather odd. Go to index.asp and it renders correctly. Someone hasn't set the default pages up properly in IIS.
Bad code behind, I guess...
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
It's inline server tags, not code behind. And, in fact, their other pages are in classic ASP, not ASP.NET (extension is .asp, not .aspx)
This points out another coding horror/problem (whatever).
It gets past IE 7.
Sad, but yes, IE 7 lets it past while Opera and Firefox don't.
The most we can hope is that IE 7 was made to ignore the problem.
I've seen a page where the title is in the body instead of the header, so it is shown on the actual page.
I have crap like the following scattered all over my code base!!!! I am spending more time rewriting absurd code than getting stuff done!
Int32 YearNow = Convert.ToInt16(DateTime.Now.Year.ToString().Substring(2, 2));
Int32 MonthNow = Convert.ToInt16(DateTime.Now.Month.ToString());
The month one should be a simple search/replace: Convert.ToInt16(DateTime.Now.Month.ToString()) -> DateTime.Now.Month
I'm not sure off the top of my head if there's a 2-year date or not? If not, just mod 100 it.
As always, confirm each change manually to make sure the IDE doesn't change something you don't want fooled with.
Otherwise [Microsoft is] toast in the long term no matter how much money they've got. They would be already if the Linux community didn't have its head so firmly up its own command line buffer that it looks like taking 15 years to find the desktop.
-- Matthew Faithfull
I know the correct way of doing these.
My problem is that a lot of the code is written in the ToString() style. This was a simple sample. I am tempted to submit some longer snippets to TheDailyWTF.
Depending on how the values are used, "Omit needless local variables" may apply as well.
At worst, you may need one local DateTime, but probably not a separate variable for each field.
<I'mJustSayin'>
This is where the C pre-processor really comes into its own;
# define YearNow (System.DateTime.Now.Year % 100)
</I'mJustSayin'>
But, of course one should not use two-digit years anyway.
PIEBALDconsult wrote: This is where the C pre-processor really comes into its own;
# define YearNow (System.DateTime.Now.Year % 100)
How about:
int YearNow {get { return DateTime.Now.Year % 100; }}
Don't need a macro
D'oh! Of course, silly me.
PIEBALDconsult wrote: But, of course one should not use two-digit years anyway.
This code is a part of a 'just as bad' bigger section. It compares the expiry date of a credit card with today's date. Needless to say, it uses the same style of Reductio ad absurdum logic.
There was a problem I had to fix in similar code a few years ago.
The credit card validation code compared the year, and if it was greater than the current year it didn't bother checking the month. Seems reasonable, right? But some of the cards we encountered had 00 for the month...
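As an added example (not code from anyone in this thread), here is how the two-digit-year conversion discussed above and the expiry comparison from this post look when written without string slicing and with the "00 month" case handled explicitly. The two-digit expiry year is expanded with a 50-year window around "now", which is an assumption for illustration, and every input value is constructed, not real card data.

```csharp
using System;

// Added example, not from the thread. Replaces the ToString()/Substring()
// conversions with arithmetic and makes the expiry check reject a 00 month
// instead of skipping the month check whenever the year is in the future.
static class CardExpiry
{
    // Two-digit year the way the thread suggests: modulo, not Substring(2, 2).
    public static int TwoDigitYear(DateTime now) => now.Year % 100;

    // Expand a two-digit expiry year into a full year.
    // Assumption (illustrative): the real year lies within +/- 50 years of now.
    public static int ExpandYear(int yy, DateTime now)
    {
        if (yy < 0 || yy > 99) throw new ArgumentOutOfRangeException(nameof(yy));
        int century = now.Year - now.Year % 100;
        int full = century + yy;
        if (full < now.Year - 50) full += 100;
        else if (full > now.Year + 50) full -= 100;
        return full;
    }

    // True only when the expiry is well-formed AND not in the past.
    // A month outside 1..12 (including the 00 seen on swiped cards) fails
    // immediately, regardless of what the year says.
    public static bool IsValidAndUnexpired(int expMonth, int expYY, DateTime now)
    {
        if (expMonth < 1 || expMonth > 12) return false;
        int expYear = ExpandYear(expYY, now);
        // A card is good through the last day of its expiry month, so compare
        // (year, month) as one ordered value rather than year first, month maybe.
        int expiry = expYear * 12 + expMonth;
        int current = now.Year * 12 + now.Month;
        return expiry >= current;
    }

    static void Main()
    {
        var now = new DateTime(2008, 5, 15); // constructed "today"
        Console.WriteLine(TwoDigitYear(now));
        Console.WriteLine(IsValidAndUnexpired(5, 8, now));   // expires this month
        Console.WriteLine(IsValidAndUnexpired(4, 8, now));   // expired last month
        Console.WriteLine(IsValidAndUnexpired(0, 12, now));  // 00 month: rejected even though year is in the future
        Console.WriteLine(IsValidAndUnexpired(1, 12, now));  // well-formed and unexpired
    }
}
```

The ordering trick (year * 12 + month) is what removes the "if the year is greater, don't bother with the month" branch that let the 00-month cards through: there is no separate month path left to skip, and malformed months are rejected before any comparison happens.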
PIEBALDconsult wrote: But some of the cards we encountered had 00 for the month...
Ouch! I will have to investigate (don't think we even have that option in the dropdown)
These were values from the card swipe, not entered in a GUI.
Amazing, indeed.
leppie wrote:
Int32 YearNow = Convert.ToInt16(DateTime.Now.Year.ToString().Substring(2, 2));
OK, someone doesn't know what modulo is.
leppie wrote:
Int32 MonthNow = Convert.ToInt16(DateTime.Now.Month.ToString());
Sorry, I don't get it. It's just... strange?
Greetings - Gajatko
Portable.NET is part of DotGNU, a project to build a complete Free Software replacement for .NET - a system that truly belongs to the developers.
Oh dear
cheers,
Chris Maunder
CodeProject.com : C++ MVP
leppie wrote: Int32 YearNow = Convert.ToInt16(DateTime.Now.Year.ToString().Substring(2, 2));
Int32 YearNow = Convert.ToInt16("20" + DateTime.Now.Year.ToString().Substring(2, 2));
Fixed