xkcd

[superkat]

A chinese couple named their child "@" because a't sounds like "love him" in Mandarin or something.

@@rpmit.edu? WTF?

Actually, it's reasonably close. "Love him" would literally be "爱他", or "ai ta." Still bizarre, though.

And this comic wins. It's just...awesome.

[Tengfred]

... This joke was done before on http://bash.org/?747235

But still, nice to see it in a comic.

Which probably originated here: http://worsethanfailure.com/Comments/No ... spx#128181 (usually the comments are the real WTF (tm) but sometimes they are actually funny).

[aprogressivist]

How do I meet women like her? :p

[kyb]

Cool comic. I wrote about something similar http://kybernetikos.com/2006/07/18/names-of-power/ a little while ago. I wonder if anyone has really done this. You could just make it your middle name, so it wouldn't get in the way too much. Deed poll calls.

[the human perl script]

Epic, epic win.

Makes me wonder what the restrictions actually are on real world human names. I mean, if you try to name your kid xX_Jason_Xx, does the birth certificate application come back with some red text next to the name line?

Name: xX_Jason_Xx
Your child's name may contain only letters from the Latin alphabet, apostrophes, spaces, Chinese characters, Japanese character, Korean characters, Hebrew characters, Arabic characters, Cyrillic characters, Greek characters, hyphens, question marks, equals signs, ampersands, and the Prince "Love Symbol".
Not allowed: underscores, dollar signs, pound signs, euro signs, exclamation marks, quotation marks, asterisks, parenthesis of any kind, numbers, commas, periods, Unicode-flipped characters, corporate logos, and the letter 'q'.

[KeithIrwin]

This is now officially SQL-injection attack day for me.

I don't generally do database development, so I don't deal with SQL-injection attacks with any regularity. Prior to today the last time I had to pay attention to one was about a year ago. But today, when I was signing up for a website, I accidentally discovered a vulnerability due to my password-maker-generated password having a quote in it. When I used the password it generated, I got a "query failed" page. Once I signed up with a strictly alphanumeric password I sent a message to the site's owner explaining to him that he had an SQL-injection vulnerability and giving him a link to the wikipedia SQL-injection attack page.

Fortunately, I got back from him just the reply I was hoping for: something along the lines of "thanks for letting me know. I'm working to fix it now." This is much better to get than the worst-case response: "Why are you trying to hack my site? I'm calling the cops on you!"

Anyhow, once I finished reading the happy response, I went and read the new XKCD and what do you know, more SQL-injection attacks. So, today is officially SQL-injection attack day for me. If I were the sort of person who did not believe in coincidences, I'm not sure what I would make of this. Of course, I am the sort of person who believes in coincidences, and, as such, I know just what to make of it.

Keith

[Domovoi]

First post has redundant [url] tags around the comic.

Anyway: this was great. One of the best ones in recent months. I love how someone would name their child just so they could teach some poor school IT person a lesson about SQL injection. Heck, even -getting- a child in the first place just to teach someone in a school that lesson would be amazing.

and also didn't allow him to name her Abcdefghijklmnopqrstuvwxyz.

I'd personally think it would be funnier to name the child Abcdefghijklnmopqrstuvwxyz. Then you could tell everybody "No, you're spelling it wrong!".

[zdude255]

Hello, My name is Ryan Oot. I need to know my password.

[Ace_NoOne]

Brilliant comic, once again!
So brilliant, in fact, that Twitter is going crazy over it (I'm tracking "xkcd").

and also didn't allow him to name her Abcdefghijklmnopqrstuvwxyz.

I'd personally think it would be funnier to name the child Abcdefghijklnmopqrstuvwxyz. Then you could tell everybody "No, you're spelling it wrong!".

My thoughts exactly!

[alexthesoso]

its too bad its too long to enter into the name field on testing documents, that way it gets scanned in and then added to the testing database.

as for names, my fiance, whos pretty sure we are going to have twins one day, has forbidden me from naming one of them control. not even the middle name.

[toolej]

Oh bravo, BRAVO. Best SQL Injection related strip ever. Definately my favourite Xkcd in quite a while


Escape, people, escape.

[bcherry]

here i am, toiling away all night on a class project, trying to prevent sql injections and getting mad at wierd sql syntax not working right. once i've got it working as i get ready to go to bed i notice i still have some wine left, so i decide to read tomorrow's comics.

and whaddaya know!? My god, this comic is incredible. I wish I had the power to tap into people's thoughts everyday.

IRC conversation with my project partner:
[02:39] <bcherry> but im going to bed
[02:39] <bcherry> ill work more tomorrow and then we can work on it in lab
[02:39] <bcherry> great progress tonight
[02:40] <bcherry> lol http://xkcd.com/
[02:40] <bcherry> perfect
[02:42] <Wogrim> holy shit
[02:43] <Wogrim> that comic is right-on

-going to bed

[Toeofdoom]

hehehe... this conversation came up in databases class a few months back... that was funny

[DragonHawk]

I'm not sure I get how the alt text relates to this comic, except being a very unusual name. Is it a reference to something?

Next time you have Chinese food with fortune cookies, open yours and make a show of reading the fortune aloud as "Help, I'm a prisoner in a Chinese bakery!". The joke is slightly older than time. The late, great comedian Alan King used it as the title of one of his books in the 1960s, and it was an old Chestnut then. But like most old Chestnuts, it's hilarious if you haven't heard it before.

Oh, and the younger brother's name is probably Timmy'; sudo rm -rf / #

Ohhhhh. LOL! That's getting saved! (I'm much more of a Unix geek -- I know enough SQL to get by, but that's it.)

For some reason, someone I had to email had an address like
rss@lightspeed.com.

Probably named "Robert Samuel Smith" or something like that.

True story: My legal name is "Benjamin Scott". I have no middle name. At a job I once had, the QA system used initials to track who submitted failure reports. It would only accept three letter IDs -- first, middle, and last initials. So I got put into the system as "BXS". Damn I got tired of people asking what my middle name was to have it begin with "X".

[Jarl]

True story: My legal name is "Benjamin Scott". I have no middle name. At a job I once had, the QA system used initials to track who submitted failure reports. It would only accept three letter IDs -- first, middle, and last initials. So I got put into the system as "BXS". Damn I got tired of people asking what my middle name was to have it begin with "X".

That's classic. Also happened to David Cohen of Simpsons and Futurama fame:

When the primetime animated shows unionized in 1998, David was forced to change his name as there was already another David S. Cohen and the Writers Guild of America does not allow members to have the same name. He chose X because it sounded "sci-fi-ish", and has jokingly said that the X would make him "the David Cohen people would remember". (Wikipedia)

[Soap]

I had a teacher whose middle name was Xochitl.

Hello, My name is Ryan Oot. I need to know my password.

lol. I didnt get that at first.

[bbctol]

With all these comics, I dare myself that the alt text couldn't possibly be funnier than the comic. I always lose.

[squealer]

Great comic. Definitely going up on my wall at work.

[dawidi]

"Franz Xaver" are common first and middle names here. (I don't have a middle name either though)
As for assigned usernames made from initials - at my university I was always "hot32621"

Anyway... great timing for the comic (as always with xkcd, reading the geeks' collective mind). Just yesterday my colleague and I were talking about SQL injections, and I said

...excuse me while I go publish a paper titled "SQL Magazine'; Drop Table BASObj;--" just to break your import code

Guess this is the "high tech" version of using the first name "nobody". "Who did that?" yeah.

In one of the Delphi projects we're currently updating to C#, we found an unhelpfully named function (about a screenful of lines) that takes a char[] and loops through it, resizing the array (!) to escape any single quotes it finds and then return it as an "sql-safe" string.
I admit I do still use string concatenation to build my SQL statements, but I ALWAYS add a handy .Replace("'","''") to any string parameters and do not pass through numeric field values that failed to Int.Parse().

[Happler]

...

If a database is destroyed by someone who has changed their name in such a way, has that person broken the law? I can see ways that such a case could be argued, at least in the US, but the legal arguments could prove rather amusing and interesting. In fact, a whole host of such situations could be considered: if, for example, one changes one's name to "Fire!", and someone calls one's name in a crowded room, who is at fault?...

Are you not just waiting for someone to change their name to "Da Bomb" and then try to fly anywhere in the US?

[Ace_NoOne]

...excuse me while I go publish a paper titled "SQL Magazine'; Drop Table BASObj;--" just to break your import code

Actually, this would even be feasible - go for it!

[schrodingersduck]

I hope that once he turns 18 he changes his name by deed poll. To "Robert'); DROP TABLE Customers ;--", of course...

Even better would be to put his email address down as "robert@example'); DROP TABLE addresses ;--", just to take revenge on the spammers.

[Autocracy]

Now this is the XKCD I know and love.

*bows*

I wish I had more friends who would laugh as hard as I have at this.

[BioSpark]

Just had to register to say that I'm not rightly sure if I've ever laughed that hard at something I've read all year.
Sir, you are a prince among men. Well, if the Internet is a monarchy, at least.

[dmoney]

Aren't you guys forgetting a 'commit;' statement in there somewhere?

SQL is divided into two subsets. I think they're called DML (data manipulation language) and DDL (data definition language). select, insert, update, and delete are DML and require a commit, because they can be rolled back. DDL (drop table, etc..) don't require a commit, because they can't be rolled back (or at least they couldn't when I learned about it).

The script might run as a user that doesn't have permissions for DDL. In that case it would be better to name the student Robert'); delete from students; commit; --

[Moo]

lol @ Happler's avatar

[rhebus]

In the game "Nethack" a silly trick to play is to name your pet "Invisible Asmodeus hits! The dog". This means that when some poor soul comes across your dead body in a later game, they meet your pet and get messages like:
"Invisible Asmodeus hits! The dog eats a fortune cookie."

[Kythyria]

It's been a while since I laughed that hard at anything!
Of course, Bobby will need to change his name when he leaves school .

[lihan161051]

Of course, the table doesn't have to be named "students" .. .. so she just happened to guess right. Which is social engineering on top of an SQL injection hack. (I've been known to use slightly=less-obvious variable and table naming schemas for exactly that reason.)

LIkewise, not surprised that whoever set up the DB wasn't careful about data validation and picked the laziest option for naming the table. She didn't seem too surprised either .. LOL

[Swineherd]

I signed up just to say, I had this discussion at work not too long ago, I came to the conclusion that in order to aid anonymity in governmental databases, it'd be best to name my child NULL.

[jsd1982]

Sanitizing input is so last-century. Parameterized queries FTW!

Code: Select all

using( SqlCommand cmd = connection.CreateCommand() )
{
    cmd.CommandText = "INSERT INTO students (name, phone) VALUES (@name, @phone)";
    cmd.Parameters.AddWithValue("@name", name);
    cmd.Parameters.AddWithValue("@phone", phone);
    cmd.ExecuteNonQuery();
}

No possibility of SQL injection, ever.

(That's C# for those who don't know it).

Absolutely wrong. Consider (for C# and MS SQL Server 200[05]):

Code: Select all

using( SqlCommand cmd = connection.CreateCommand() )
{
    cmd.CommandText = @"
DECLARE @code nvarchar(800);
SET @code = N'INSERT INTO students (name, phone) VALUES (' + @name + N', ' + @phone + N')';
EXEC sp_executesql @code";
    cmd.Parameters.AddWithValue("@name", name);
    cmd.Parameters.AddWithValue("@phone", phone);
    cmd.ExecuteNonQuery();
}

While this is a naive approach to coding dynamic SQL inside a parameterized query, it is nonetheless still possible to have SQL injection attacks even with parameterized queries. A more legitimate example would be something where a table (or any database object) name is dynamically passed in to the query/stored procedure and the object's name is injected into the dynamically generated SQL code.

[mjswart]

I loved the SQL Injection reference and I have to admit it took me a while before I got the license factory gag. But the thing that had me really really laughing is the nickname "Bobby Tables".

And by the way, in practice, most DML statements don't need a COMMIT since most statements don't use transactions.

[jsd1982]

Aren't you guys forgetting a 'commit;' statement in there somewhere?

SQL is divided into two subsets. I think they're called DML (data manipulation language) and DDL (data definition language). select, insert, update, and delete are DML and require a commit, because they can be rolled back. DDL (drop table, etc..) don't require a commit, because they can't be rolled back (or at least they couldn't when I learned about it).

The script might run as a user that doesn't have permissions for DDL. In that case it would be better to name the student Robert'); delete from students; commit; --

With MS SQL Server 200[05], the COMMIT is only used in the context of a transaction. Statements of DML or DDL nature are immediately executed without need of a COMMIT. And what's worse is that failed statements do not stop the execution from proceeding further.

[jsd1982]

I signed up just to say, I had this discussion at work not too long ago, I came to the conclusion that in order to aid anonymity in governmental databases, it'd be best to name my child NULL.

Unfortunately, NULL <> 'NULL' in any SQL database I've seen yet...

Also, post in the introductions thread as many others will surely tell you. Lurking soliciting raptors abound...

[predatormc]

I'm in ur relational databases dropping ur tables.
Well, Robert is.

Today's comic is fantastic, made me chuckle this morning.

[schrodingersduck]

The only problem I can see with this comic is that I'd imagine the school probably uses Access to run its database, rather than mucking around creating a custom front end, and half-an-hour of poking around with Access to try to trick it into dropping a table has been fruitless; when writing queries, Access wraps all strings in the criteria with double-quotes (rather than the single quotes by normal SQL, so the name given in the comic wouldn't work anyway) and layers and layers of nested parens, erroring if you try to remove them, so short of manually loading up SQL mode and adding the string manually (something most users who are likely to fall for this are unlikely to do), there's no way to force Access to delete the table without the user's permission - of course, we can imagine that maybe there was some sort of form to register with the school online, in which case all becomes well again.

(Crikey, that was a long sentence!)

[space_raptor]

Perhaps I should change my name to my phone number, thereby giving me an excuse to ask any girl for her phone number, since as soon as I introduce myself she knows mine.

That might be trying too hard though.

The alt text was great

[woktiny]

True story: My legal name is [...]. I have no middle name. At a job I once had, the QA system used initials to track who submitted failure reports. It would only accept three letter IDs -- first, middle, and last initials. So I got put into the system as "BXS". Damn I got tired of people asking what my middle name was to have it begin with "X".

We have a guy here whose legal name is only one word, no "last name". Besides being generally funny how all of our "advanced"/"modern" systems freak out when there is nothing to put int he lname field, seeing his one name used for both in our system always gives me a little chuckle.

Hello, My name is Ryan Oot. I need to know my password.

lol. I didnt get that at first.

I didn't get that until someone pointed out there was something to get. I suppose I didn't give it enough thought. Now, though, its pretty funny.

[Ace_NoOne]

Hello, My name is Ryan Oot. I need to know my password.

lol. I didnt get that at first.

I still don't...

[woktiny]

I still don't...

Under the common first-initial-last-name username convention, his username would be root, which is the administrative account on unix(like) systems. So he is not really named R. Oot, he's just trying to get the administrative password.