Updated: 9/13/2004; 3:43:49 PM.
Mark O'Neill's Radio Weblog
        

Monday, February 23, 2004

Being a living, breathing SQL Injection threat analyser

When my son Ben gets a bit older, I'll have to tell him about the curse of the O'Neills. It's an affliction which has been handed down through the mists of time, and follows the O'Neills even when they travel far from Ireland. It's that apostrophe in the name.

Try it out for yourself. On the website of the National Academies Press, search for "O'Neill" and you are told "please do not use " ' " in your search." Connect to http://www.cheap-sports-equipment.com and click on "O'Neill", and you are told "You have an error in your SQL syntax near 'Neill' ORDER BY name' at line 1".

This article, Users are Evil (or, How to Protect Yourself From SQL Injection) by Mike Hillyer, discusses the apostrophe issue from a developer's point of view.

"Your first thought may be to strip out the single-quote characters, but this also entails discriminating against any users who have an apostrophe in their name ("Sorry Mr. O'Neill, but you cannot use our software"). A better solution is to escape the single-quote character. By escaping a character, we send the character to the MySQL server preceded by a backslash (\) character to indicate that the character is not to be interpreted by the server but just included as part of a string."
VBMySQL.com, January 3 2004

This works. Unfortunately, many programmers don't un-escape the backslash when returning the results, and so they return confusing text such as "Your search for O\'Neill returned the following results". In other cases, a search for "O'Neill" turns into a search for "oneill" or into a search for "o neill". More care seems to be given to blocking the attempted SQL Injection attack than to allowing the search for "O'Neill", effectively lumping the O'Neills in with attackers attempting a Web Application security breach.
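An added example, not part of the original post, that walks through the three situations above: the concatenated query that breaks on the apostrophe, backslash escaping of the kind the VBMySQL.com quote recommends (shown on strings only, with the original value kept aside for display so the user never sees "O\'Neill"), and a parameterised query, where the apostrophe is plain data. It uses Python with an in-memory SQLite database as a stand-in for MySQL, and the names and sample rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the original post)
PEOPLE = [("O'Neill", "Mark"), ("O'Neill", "Ben"), ("Smith", "Jane"), ("d'Estaing", "Giscard")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (surname TEXT, given TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?)", PEOPLE)
    return conn


def naive_query(surname: str) -> str:
    # String concatenation: the apostrophe in O'Neill closes the literal early,
    # which is the "error in your SQL syntax near 'Neill'" quoted in the post.
    return "SELECT surname, given FROM people WHERE surname = '" + surname + "' ORDER BY given"


def naive_search_breaks(conn: sqlite3.Connection, surname: str) -> bool:
    # True when the concatenated query is rejected by the database as malformed SQL.
    try:
        conn.execute(naive_query(surname)).fetchall()
        return False
    except sqlite3.OperationalError:
        return True


def mysql_escape(value: str) -> str:
    # Backslash-escape the characters MySQL treats specially inside a quoted
    # literal (the technique the VBMySQL.com quote describes). Only this escaped
    # copy belongs in the SQL text; keep the original value for anything shown
    # to the user. SQLite doubles quotes instead, so this is shown on strings only.
    special = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(special.get(ch, ch) for ch in value)


def result_banner(surname: str) -> str:
    # Built from the raw input, never from the escaped copy, so no stray backslash appears.
    return f"Your search for {surname} returned the following results"


def search(conn: sqlite3.Connection, surname: str) -> list:
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so no escaping is needed and an apostrophe is just part of the name.
    cur = conn.execute(
        "SELECT surname, given FROM people WHERE surname = ? ORDER BY given", (surname,)
    )
    return cur.fetchall()
```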

And I can't tell you how many forms I've filled out where I've had to remove the apostrophe because I'd entered "incorrect data in the surname field". Sigh.

Of course, this curse afflicts not only the O'Neills - it's not even limited to Irish surnames (Giscard d'Estaing comes to mind). After a while, you come to live with it.

[ For more about SQL Injection, and how Vordel's products block it and other threats for Web Services, see this page ]


    

No smoking

So it's really going to happen - smoking will be banned in all workplaces in the Republic of Ireland. The "Smoke Free At Work" website, with its picture of a woman partly hidden behind what appear to be wisps of smoke [is that intentional?], says "From March 29th, most enclosed places of work will be smoke-free, in Ireland." [To a reader used to reading US-style newspaper headings which substitute "," for "and", this sentence implies that on March 29, Ireland will lay territorial claim to most enclosed places of work in order to make them smoke-free.]

Banning smoking at work may not seem revolutionary, until you realise that a pub is a workplace, and that means smoking will be banned in all pubs in Ireland. If the Euro currency-changeover is anything to go by, the smoking ban in Irish pubs will go much smoother than people expect. My own non-scientific research tells me that most people in Ireland, smokers and non-smokers alike, are in favour of it. Most newspaper and TV commentators seem to be in favour of the smoking ban too. However, I did read one newspaper article with the headline "Smoking ban set to cost national pension fund over €2 billion", about the cost to the Irish taxpayer of people living longer. I think that article, cold and heartless as it is, is probably the most persuasive argument for the smoking ban.


    

© Copyright 2004 Mark O'Neill.