
CodeSOD: The Replacements

by Remy Porter, from The Daily WTF (#4SNYF)

Nobody wants to have a Bobby Tables moment in their database, so we need to sanitize our inputs. Ted C noticed a bunch of stored procedures which contained lines like this:

 @scrubbed = fn_ScrubInput(fn_ScrubInput(@input))

Obviously, they wanted to be super careful, and make sure their inputs were clean. But it got Ted curious, so he checked out how the function was implemented. The function body had one line, the RETURN line, which looked like this:

 RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(@input,
     '"', '"'),
     '*', '\*'),
     '~', '\~'),
     '@', '\@'),
     '#', '\#'),
     '$', '\$'),
     '%', '\%'),
     '^', '\^'),
     '&', '\&'),
     '(', '\('),
     ')', '\)'),
     '_', '\_'),
     '+', '\+'),
     '=', '\='),
     '>', '\>'),
     '<', '\<'),
     '?', '\?'),
     '/', '\/')

Whitespace added.

Ted REPLACE REPLACE REPLACEd this with a call to the built-in STRING_ESCAPE function, which handled the escaping they needed.
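The following T-SQL is an added example and is not code from the article or from Ted's stored procedures. It uses two of the eighteen replacements from the chain above to show what the doubled call fn_ScrubInput(fn_ScrubInput(@input)) actually produces, why a REPLACE chain of this kind does nothing against injection, and what does remove the risk (a typed parameter through sp_executesql). The #Accounts table, the column names and the sample values are constructed for the demonstration, and the block assumes SQL Server 2016 or later, which is where STRING_ESCAPE first appeared.

```sql
-- Added example, not code from the article or from Ted's stored procedures.
-- Assumes SQL Server 2016 or later (STRING_ESCAPE); the table, names and
-- sample values below are constructed for the demonstration.

-- 1. What the double call fn_ScrubInput(fn_ScrubInput(@input)) actually does.
--    Two of the article's eighteen replacements are enough to show it: the
--    chain never escapes the backslash it inserts, so a second pass escapes
--    the already-escaped characters a second time.
DECLARE @input nvarchar(100) = N'50% off*';
DECLARE @once  nvarchar(100) = REPLACE(REPLACE(@input, '*', '\*'), '%', '\%');
DECLARE @twice nvarchar(100) = REPLACE(REPLACE(@once,  '*', '\*'), '%', '\%');
SELECT @once AS scrubbed_once, @twice AS scrubbed_twice;

-- 2. The chain is not an injection defence: the character that delimits a
--    T-SQL string literal, the single quote, is not in its list at all.
DECLARE @owner nvarchar(100) = N'O''Brien';   -- a legitimate value that contains a quote
SELECT REPLACE(REPLACE(@owner, '*', '\*'), '%', '\%') AS owner_after_scrub;

-- 3. What removes the risk: hand the value over as a typed parameter, so the
--    engine treats it as data and it never becomes part of the statement text.
CREATE TABLE #Accounts (AccountId int NOT NULL, Owner nvarchar(100) NOT NULL);
INSERT INTO #Accounts (AccountId, Owner) VALUES (1, N'alice'), (2, N'O''Brien');

DECLARE @sql nvarchar(max) = N'SELECT AccountId FROM #Accounts WHERE Owner = @p';
EXEC sp_executesql @sql, N'@p nvarchar(100)', @p = @owner;

DROP TABLE #Accounts;

-- 4. STRING_ESCAPE, Ted's replacement for the chain, escapes for a named
--    target format, and 'json' is the only type it supports. It belongs where
--    the string is headed into a JSON document; it is not a substitute for step 3.
SELECT STRING_ESCAPE(N'He said "hi" and left', 'json') AS json_safe;
```

Run it as one batch. Step 1 returns the value with single backslashes after the first pass and doubled backslashes after the second, which is the practical cost of calling the scrubber twice. Step 2 returns the quote untouched. Step 3 finds account 2 without any quoting in the statement text, because the quote in @owner travels as a parameter value rather than as SQL.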
