FD devs apparently don't read XKCD :(

I think many of us are aware of the cautionary tale of Robert Drop Tables.

https://imgs.xkcd.com/comics/exploits_of_a_mom.png


Well, it appears that FD also don't always sanitize their inputs.

I discovered today that someone on my friend list, whose name starts with <- does not have their name displayed on the contacts screen. Works on the chat screen, so presume someone got the code right there, but obviously running different code for the contacts screen.... naughty naughty FD! Why are you not reusing the same code for displaying CMDR names on all UI elements? Tut tut! You're just making extra work for yourselves.

So, who wants to send a ticket to FD support to change their CMDR name to ); DROP TABLE players?
 

Little Bobby Tables is an old joke around my office :)

The real problem there is that they're allowing "<" into the database at all. Maybe they are encoding it on that end and decoding it for display. Anyway, it's not unusual for this sort of display problem to crop up, I've been guilty of it myself, apologies to the Mr. O'Neils of the world. No one breaks databases like the Irish :)
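To make the two points in this thread concrete (a name beginning with "<" vanishing on one screen, and Little Bobby Tables), here is an added example; it is not FD's code and not from either poster. It contrasts a strip-anything-tag-like display path with escaping for the output context, and stores the names with parameterized queries. The names themselves are constructed sample data, and the regex-based "sanitizer" is an assumed stand-in for whatever the contacts screen actually does.

```python
import html
import re
import sqlite3

# Constructed sample names: one beginning with "<" as in the thread,
# an apostrophe name, and the XKCD-style one from the original post.
SAMPLE_NAMES = ["<-CMDR Angle", "O'Neil", "); DROP TABLE players"]


def render_naive(name: str) -> str:
    """An assumed 'sanitizing' display path that strips anything tag-like.
    A name that starts with '<' and never closes the tag is swallowed whole,
    reproducing the blank contacts-screen entry described above."""
    return re.sub(r"<.*", "", name)


def render_escaped(name: str) -> str:
    """Escape for the output context instead of stripping: the raw name is
    preserved and cannot be interpreted as markup by an HTML-style renderer."""
    return html.escape(name, quote=True)


def store_and_fetch(names):
    """Store every name with a parameterized query (no string concatenation),
    then read them back. Returns (fetched names, set of tables still present),
    so the caller can check that 'players' survived Bobby Tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO players (name) VALUES (?)", [(n,) for n in names])
    fetched = [row[0] for row in conn.execute("SELECT name FROM players ORDER BY rowid")]
    tables = {row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    conn.close()
    return fetched, tables


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "naive:", repr(render_naive(n)), "escaped:", repr(render_escaped(n)))
    print(store_and_fetch(SAMPLE_NAMES))
```

Storing the raw name and escaping at each display site is what keeps every UI element consistent; the parameterized insert keeps the database honest regardless of what the CMDR name contains.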
 