Little Bobby Tables

Every now and again I explain to people what “SQL Injection” is. I generally do this by writing a bit of an SQL string for them, using a string which can be manipulated (one which is vulnerable to this particular exploit, down at the database level of the application). And I then show them this XKCD comic:

So, for example, I’d define the following as an example of a vulnerable stored procedure:

create procedure SaveStudent
	@StudentName	nvarchar(256)
as
begin
	declare @sql nvarchar(max)

	-- Vulnerable: the caller's value is spliced straight into the SQL text
	set @sql = 'insert into Students ( StudentName ) select '
	set @sql = @sql + '''' + @StudentName + ''''

	-- ...and the assembled text is then executed as a batch
	exec ( @sql )
end


I would then put in the example name from the XKCD comic above to demonstrate just what ends up happening. Let’s say you were to call that stored procedure, passing in Little Bobby Tables’ name as the variable:

exec SaveStudent 'Robert''); DROP TABLE Students;--'

The stored procedure would then execute the following commands:

insert into Students ( StudentName ) select 'Robert'); DROP TABLE Students;--'

So … why is this a problem? The salient point is that the apostrophe is the character SQL uses to enclose strings. The way Bobby’s name is constructed allows a malicious command to be sent to the database (the Students table is erased by the command DROP TABLE Students;), and no error is necessarily returned, because Bobby’s name fits in perfectly with how SQL works: he’s got a proper semicolon terminating the command that comes before, so he was added to the table … but then the table was dropped, using a valid command, and everything after that is commented out (the double dash is a comment marker). So there wouldn’t necessarily be any errors at all coming out of this. It’s perfectly valid SQL, and it’s running in a privileged context (it has been “blessed” by being turned into a stored procedure, so it’s trusted to run).

All of this is the lead-up to the punchline, which is this company, apparently registered in the UK (or, I suspect, something used for testing, as this is the beta for the UK Government’s Companies House): ; DROP TABLE "COMPANIES";-- LTD. This name, passed into the above sample procedure, will yield the following SQL string:

insert into Students ( StudentName ) select '; DROP TABLE "COMPANIES";-- LTD'

Now, this one’s going to throw an error, because it’s actually improper syntax no matter which database you pass it to (well – any of those I have used, anyway, which is … way too many). However, if this is indeed used for debugging or as a demonstration, it will 1) throw an error if you feed it to anything that’s vulnerable to this exploit, 2) hopefully not throw an error anywhere, because the UI is supposed to be sanitizing these inputs, so it should be properly formatted (“escaped”) so as not to cause this problem. I can see this value being used both to test the UI (put it in & see if some database code which is intentionally vulnerable to this exploit throws an error) and also to test the database code, for scenarios which do not use a user interface such as loading in data from another application or a programmatic interface.

This technique is not just dangerous because it allows things to be broken; this technique is routinely used to exfiltrate data such as usernames and passwords, credit cards, or whatever other juicy details are in the database. If an adversary can figure out just which poor programming technique was used, and can figure out how errors are presented to the webpage, then they can intentionally cause errors which return data which should remain secret, or they can simply replace the query that’s supposed to do something legitimate (pull back a list of toasters, for example) with a query that returns that sensitive data right onto the webpage.

In any event, once you understand this humor as a programmer, your programming fundamentally changes, as there are only a handful of bad programming techniques which allow for this kind of vulnerability – so, you quickly eradicate those techniques from your practice (and hopefully go back and clean things up in older code). The fact that a huge number of websites are vulnerable to this tells you something (bad) about the competency of people who write and test code. I will not rant here about the many programmers who think about databases as being simply dumping grounds for data, rather than fully-functional programming environments.
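To make that contrast concrete, here is an added example (mine, not code from the original post): the same concatenation mirrored in Python against an in-memory SQLite database, beside the two alternatives the post alludes to, escaping the literal and, better, passing the name as a bound parameter so it can never be read as SQL. The function names, the sqlite3 table and the sample inputs (the two names from the post) are my own construction.

```python
import sqlite3

# Constructed sample inputs: the two names discussed in the post.
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"
COMPANIES_HOUSE = '; DROP TABLE "COMPANIES";-- LTD'


def build_vulnerable_sql(student_name: str) -> str:
    """Reproduce the post's SaveStudent procedure: the caller's value is
    spliced straight into the SQL text, so quotes in the value become SQL."""
    return "insert into Students ( StudentName ) select '" + student_name + "'"


def escape_literal(value: str) -> str:
    """The weaker mitigation the post calls 'escaping': double every
    apostrophe so the value cannot close the string literal it sits in."""
    return value.replace("'", "''")


def new_database() -> sqlite3.Connection:
    """Fresh in-memory database with the post's Students table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Students ( StudentName text )")
    return conn


def save_student_parameterized(conn: sqlite3.Connection, student_name: str) -> None:
    """Preferred fix: the value travels as a bound parameter, never as SQL text."""
    conn.execute("insert into Students ( StudentName ) values (?)", (student_name,))


def save_student_escaped(conn: sqlite3.Connection, student_name: str) -> None:
    """Same concatenation as the post, but with the literal escaped first."""
    conn.execute(build_vulnerable_sql(escape_literal(student_name)))


def stored_names(conn: sqlite3.Connection) -> list:
    """Read back what actually landed in the table, in insertion order."""
    return [row[0] for row in conn.execute("select StudentName from Students order by rowid")]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the catalogue so we can prove nothing was dropped."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def demo() -> dict:
    """Store both names the safe ways and confirm the table survives intact."""
    conn = new_database()
    save_student_parameterized(conn, BOBBY_TABLES)
    save_student_parameterized(conn, COMPANIES_HOUSE)
    save_student_escaped(conn, BOBBY_TABLES)
    return {
        "vulnerable_text": build_vulnerable_sql(BOBBY_TABLES),
        "escaped_text": build_vulnerable_sql(escape_literal(BOBBY_TABLES)),
        "names": stored_names(conn),
        "students_intact": table_exists(conn, "Students"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

Run it and compare vulnerable_text (exactly the string the post shows Bobby producing) with escaped_text, where the doubled apostrophe keeps the whole name inside one literal; names comes back holding the two names verbatim, as data. One caveat on the mirror: sqlite3’s execute() refuses text containing more than one statement, unlike exec(@sql) in the T-SQL above, so this reproduces the string-building, not the batch execution. The parameterized form is the one to reach for, because it holds regardless of what the database engine does with stray semicolons.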


A little National Poetry Month

You, neighbor god, if sometimes in the night

You, neighbor god, if sometimes in the night
I rouse you with loud knocking, I do so
only because I seldom hear you breathe
and know: you are alone.
And should you need a drink, no one is there
to reach it to you, groping in the dark.
Always I hearken. Give but a small sign.
I am quite near.

Between us there is but a narrow wall,
and by sheer chance; for it would take
merely a call from your lips or from mine
to break it down,
and that without a sound.

The wall is builded of your images.

They stand before you hiding you like names.
And when the light within me blazes high
that in my inmost soul I know you by,
the radiance is squandered on their frames.

And then my senses, which too soon grow lame,
exiled from you, must go their homeless ways.

— Rainer Maria Rilke, Poems from the Book of Hours

Some Jobs are Better than Others

Every now and again I remember a horrible job I’m happy to have left. It’s far rarer that I reflect upon a job I’m happy to have turned down. Let’s do so now.

Hanford 1

The picture above was taken from a parking lot on the Hanford Nuclear Reservation. I was there to basically have a tour of the site, finish up the paperwork, and meet the programming team I was to lead. Some of the contract terms didn’t line up as promised, so I backed out. As news about Hanford has trickled out over the past year or so I’ve found myself very happy it fell through. This is particularly true reading this article about plutonium contamination drifting over the region.

“…site was ringed by 8-foot-tall piles of radioactive debris with little to prevent dust from blowing off.”


Jazz Hands, Buttons & Irony

2013 Benicia 005

A chilly, damp, late winter morning, and already the doves are creating their mindless racket atop the neighbor’s house. The fake owls do absolutely nothing to convince the doves of their ferocity, so they’re nesting next to it. Doves in chorus sound a great deal like chickens volubly remarking upon the laying of an egg, so you know there’s all sorts of raucous nonsense going on. Whoever likened the cooing of doves to something pure and mild clearly never lived anywhere near them. Typical.

Fremont 98

Inasmuch as the time change has thrown us completely – when will someone take seriously the idea to do away with such indignities!! – it is, at least, a sign that this winter of diseases is crawling to a close. If you’ve been one of those who have ridden the coughing carousel, unable to dismount, you have our empathy. Fortunately, after the January/February illness phase, we’ve been healthier, if exhausted. Not so much from dreich, gray skies and the eternal fogbank in which our house sits, but because of … enforced levity. Who knew smiling could be so tiresome? Oh, yes – our comedy show is coming up this weekend, and in this household, we are heartily sick of a.) lines concluding with “fa-la-la-la,” b.) Gilbert and Sullivan, c.) songs ending with “jazz hands,” d.) songs containing tubas, e.) kazoos. And did we mention fa-la-las?!

On one hand, we frequently remind ourselves that our director’s insistence that we MEMORIZE such gems is staving off the encroachments of Alzheimer’s. On the other hand, should one keep singing songs with fa-la-las, dementia is practically assured…

Pleasant Hill 170

All snark aside, T has had her six-month meeting with her doctor regarding her autoimmune, and after numerous blood tests and kidney tests, appears to be as well as medical science can make her just now. Though the grinding grey exhaustion continues, and the medication only ameliorates some of the symptoms, because it is so toxic, we’ve decided to keep it at as minimal a dose as possible. This means that the excessive collagen buildups, which produce thick harpy fingernail/claws, continue – but the autoimmune continues to attack the nailbeds, soooo… the nails fall off. Neat, huh? The breakdown of skin also affects hair follicles, so while hair grows quickly, it also fills the brush and dusts the shoulders in a continual silent fall.

…one never imagines oneself as particularly vain until one is female and facing massive hair loss. And then, one discovers, oh, suddenly, painfully, that one is VERY VAIN INDEED.

Life is just full of opportunities to learn one’s limits, is it not? Wouldn’t it have been fun to learn about this limit, oh, never?! But, alas.

Button Clips 1

One of T’s more random hobbies has been to take interesting old buttons and, adding them to various clips or jump beads or other findings, make some sort of hair jewelry or brooch or whatnot. It’s something mentally freeing to do whilst listening to podcasts, and has been a convenient means of creating small, handmade gifts for small people… and herself. Knowing T’s predilection for hair jewelry, for her birthday this year, her parents presented her with, among other things, a lovely set of bejeweled combs from Macy’s… the day after she’d hacked five inches from her hair and given up on doing more than wearing a headband.

O. Henry’s “The Gift of the Magi” came to mind, both awful and amusing at the same time. T. quietly rewrapped the combs and returned them, not having the heart to mention it to her parents.

Hair comes, and hair goes, and seasons, ever-changing. Fa-la-la-la.

Knowing When NOT to Work Hard

Last night I dreamed that I was called upon to give a lecture and I was unprepared. Apparently, though, I have some lectures that I give often enough that I’m able to pull one up on the fly, and my dreaming mind knows that I can always give the standard one I give to junior developers at some point: Be Intelligently Lazy.

Twenty-three years ago, I was working a full-time job doing data entry for a payroll processing company. This involved opening mailed-in timecards, “coding” them (sorting them into piles, basically), and entering their data into a PeopleSoft payroll system, with data entry done on Windows 3.1. After a couple of months of doing this, I realized that I was typing the same thing over and over (each district manager had a markup rate, a name, a zip code, a phone number … and the fields probably went right in that order, actually), and it was incredibly boring and stupid, particularly when there was Windows Macro Recorder.

I set about assigning the 12 function keys to my 12 area managers’ information, typing in the information and tabbing through the entry fields as quickly as I could. When I was done and I’d written down which manager was on which key, I could type in the person’s name and their hours worked and then press F5, say, to key in the rest and press “submit” to send the timecard into the database.

My manager noticed this (well, I was probably excited and told her about it) and asked me to do the same thing for the other entry clerks in the group. A few days after completing that, the database administrator came to visit us, to ask what on earth we were doing, because the data used to trickle in all day long and now only came in before lunch (yes: I had cut the data entry time from 8 hours down to 3, for the entire group). When my manager told him what I had done, that was the end of my days as a data entry clerk: I was assigned to work in IT, working on macros in Excel or something.

So, yes: I became a programmer because I was intelligently lazy. That is part of what makes a good programmer: knowing when something can be automated. To be a truly effective programmer, though, takes a whole lot more experience in figuring out automation and figuring out when to automate and – more importantly – when not to automate. This is actually the real point of the lecture.

Your average junior to mid-level programmer will spend a ton of time automating things which could be done via brute-force. This is the classic trap of spending more time building automation than it would have taken to do it by hand. Building the skills to be able to estimate this takes a whole career, honestly. Knowing that you need to do this, though, is something that you can give to one another: simply print out the comic below and show people how to read it.

For example, I read this chart and know that every time I visit someone with multiple monitors, I need to tell them how to use the Windows+Shift+Arrow shortcut. Why? Because your average person with multiple monitors will generally spend about 5 seconds 1) restoring an application window, 2) dragging it over to the other monitor, 3) maximizing the window … and they’ll do that at least 5 times per day. When you read those values into the comic above (5/day on the top axis, 5 seconds on the left axis) you get 12 hours spent in that activity over 5 years. In other words: every person I teach this trick will save 12 hours of labor over 5 years. That starts to be some real savings for the whole company, it takes me nearly no time at all, and it makes people really happy to learn as well!

This can also be useful for deciding whether to do projects, and help in deciding the importance of those projects (for example, if one person in your organization spends a day a month doing something that could be automated, that’s 8 weeks of savings over 5 years if you can automate it). That’s a whole other discussion, though it’s the same skill: so, maybe learn that skill, because making those kinds of decisions is important in moving into decision-making roles.

The other thing I tell junior developers in this talk is usually to get over the idea that there’s a perfect tool for things; the perfect tool is the one that gets the job done, and it may be that it’s clunky and kludgy but that doesn’t matter. I give the example here of how I use Excel to load data (I use Excel formulas to build SQL strings), or how I use Excel formulas to write C# code (I wrote some VBA code behind Excel & wrote some SQL code to feed data into Excel, which I’ve used to generate literally hundreds of thousands of lines of repetitive C# code), or how I use Excel formulas to write repetitive HTML (like, oh, a bunch of emails with different names & hyperlinks to their downloads). Even more importantly is the example of figuring out when to brute-force something (“Only 200 photos to crop? We’ll just use a photo editor rather than programming it. 40,000 photos to crop? Let’s write some Python and use CV2 to find the faces for us, so we can crop automatically.”)

There are plenty of examples to give, and plenty of tools that I use on a regular basis… but it basically comes down to using the same old set of tools because I know how to use them and because I’m efficient in using them. Yes, it would likely be faster for me to learn how to use RegEx … that is, if I knew RegEx way better than I do, I could be even more efficient than I am in Excel … but we come back to that chart and decide that it wouldn’t save me more than it would cost me. Likewise, if it’s only a few things & they can be hammered out using something simple, just spend the 20 minutes doing that rather than wasting more than that on building a tool for it.

Applying this kind of thinking to your own coding practice and knowledge acquisition is when you reach mastery: when you can look at a tool or language, determine how long it would take to master, determine how much time it would save you in the tasks you regularly perform, and decide whether or not to invest in learning it. That calculation is something which truly proficient programmers make on an intuitive basis, and which contributes to them sticking to the same things that have worked previously. If you’re conscious and intentional about it, though, it will lead you to some better decisions than, “oh, this is showing up on Hacker News, I should learn it!” That’s not to say that you shouldn’t learn new things (I’m dabbling in Python and convolutional neural networks these days), but that you should be aware that there’s a trade-off and it’s perfectly logical to decide not to learn the cool new tool / language.

So. That’s my usual talk on how to be intelligently lazy.


Critical Thinking

I happened across a great passage about critical thinking and thought I’d share. It’s in a Christopher Anvil short, about aliens bearing gifts.

“I seldom watch television. I get my news from the papers, where I can take it in at my own pace, and pick out the bones, instead of swallowing it all whole. No, I don’t trust the Shaloux. What’s their motive? Why do they offer us this ‘life-serum’? What do they get out of it?”

“Open-mind! Everybody’s supposed to have an ‘open mind’. Humbug! Open it far enough, and who knows what will come in? The whole thing’s a trap. Leave the door open, to prove you trust everyone. Then the thieves can strip the house and put a knife in you while you sleep.”

Cautiously, he began to read the paper, conscious of the article’s bias, opening his mind just a little slit at a time to bash the unwelcome ideas over the head as they entered: Washington — Miliram Diastat, the benevolent (How the devil do they know he’s benevolent?) plenipotentiary (Hogwash. He may be just a messenger boy.) of the Shaloux Interstellar (They could come from Mars, for all we know.) Federation, met with the President today, and in solemn rapport (What’s “rapport” really mean? Maybe it’s hypnotism.) concluded the mind-exchange (Or brainwashing) which is a precondition for entry into (defeat by) the Federation. Mr. Diastat (Why call him “Mr.”? The damned things are neuter.) assured reporters afterward that all had gone well (For the Shalouxs, that is.) in the mind-exchange (brain-washing). He said (It said), raising his (its) hands (extremities of upper tentacles) to heaven (over its head–that is, over the end of the thing with teeth in it.), that our peoples will be joined as one (eaten up) with (by) theirs, in a final ceremony next year. At that time, travel throughout the vast extent (They claim it’s vast.) of the Federation will be free to all (Economically impossible.), and Earth’s excess-population problem will be solved (Everybody will be killed.), while at the same time (never) personal immortality will have been granted by universal (Humbug. There must be some people with sense enough to keep out.) inoculation with the serum (slow poison).

This passage seems to me to really exemplify the kind of thinking which should be applied to most things, to be honest.


Stirling 132

A Mostly Pictorial Panko Lemon Garlic Tofu Recipe

Okay, so some people just HATE tofu. T, who grew up with it from childhood, LOATHED it until at some point in her twenties when… she got over it. It’s … just like any other ingredient, in that it’s a Thing to which you add Other Things and then it has flavor. Of course, meat allegedly has its own flavors even without additions, but that’s the blood, and we’re ignoring that. Meat (sans sangre) is flavorless, just as tofu is flavorless. As an ingredient, tofu is fine, and, even better, is lacking weird stringy bits and wobbly things you don’t want to identify. It’s a perfectly reasonable food, you just have to season it.

Crispy Lemon Garlic Tofu 1

This recipe is adapted from Doesn’t Taste Like Chicken’s.

We realized that, like most people, we’d fallen into a meal rut, with winter casseroles and heavy, savory things like beans. Our attempt at something piquant and unique was this dish, which is both crunchy and tangy. It turned out surprisingly well, it was (mostly) easy and quick to prepare, and a good use of odds and ends for side dishes and whatnot. And, if you love someone vegan or vegetarian? It’s well worth preparing during this ridiculous Hallmark holiday… celebrating the tang of lemon as an antidote to the saccharine of the holiday. *cough* Or something.

Crispy Lemon Garlic Tofu 2

The marinade calls for two lemons, zest and juice; three cloves of garlic, agave, water, salt, and pepper. T left out the agave, and added a tablespoon of tapenade leftover from something, far more garlic than called for, and then she microwaved the lemons, which made them delightfully juicy. (And messy.) (She also did a frankly terrible job of zesting the lemons, because though frozen lemons preserve their great skin, after defrosting, the lemons are too juicy to work with, and the skin on Meyers especially is too thin and delicate, so, a word to the wise: zest the frozen lemons before defrosting, or better yet, before you freeze them…) It’s said that the tofu can marinate for up to three days in this blend, but we find that if we remove the water it’s packed in, tofu doesn’t need more than a half hour to marinate. We laid out our tofu chunks on a cookie sheet, stacked the sheets, and weighed them down with a cast-iron skillet. After an hour, we poured off all the water, unstacked the pans, and poured on our marinade. After about twenty minutes, we put the tofu in a series of zip-top bags, all of which proceeded to leak. (ANNOYING.)

Crispy Lemon Garlic Tofu 3

We’d forgotten how much of a chore the multi-step dredging of food in flour and panko can be… since we’d not made anything which required these steps in about a year and a half, the last time we made faux crab cakes (squeeze-dried shredded zucchini, panko, Old Bay – tasty). Fortunately, after all the plate-of-flour-and-seasonings, plate-of-wet-binding, messy-sticky-hands thing, we discovered that this tofu dish works nicely baked – and there’s less of a chance that your chef will get bored and forget she has something on the stove. Ahem.


It’s easy to leave the dish vegan, as is, or, if you’re feeling particularly beleaguered that you’re ACTUALLY EATING TOFU and it’s NOT EVEN IN AN ASIAN DISH, you can use an egg whipped with water to make the recipe safely animal-product-y. The flour dredging is a place to layer in the flavors, to give your tofu the taste you prefer. We entirely forgot the nutritional yeast in the breading, but added pretty much everything else, including random herbs not called for, old packets of Parmesan from pizzerias, a sprinkle of Old Bay, even more garlic (because since when is three cloves enough????), and ground cayenne (because: we add it to EVERYTHING). Each time we ran short of the dredging blend, we remade it differently, and T didn’t follow any measurements at all. (It’s a wonder anything she makes ever turns out.) We did a test run of this dish after making something else, just in case, but it’s good enough to serve as a main dish with a couple of sides. The lemon shines through, and the exterior crunch is a nice contrast to the soft tofu insides. (It’s not as soft as it would have been, as firm tofu gets even MORE firm when you’ve a.) frozen it and b.) pressed out all of the water. If you dislike tofu for texture reasons, you might try that.) The recipe inventor finishes this with parsley and sliced lemons, but tonight, we’re going to make a buttery lemon sauce, which will really bring out that lovely tang. Pair this with steamed veg like green beans or asparagus, a lemon-infused rice, or lemon pasta, or savory roasted sprouts.

This was a surprisingly delicious meal, and perfect for the suddenly chilly evening. Here’s to home cooking, and the attractive nuisance that is a bored person in a kitchen.


Newark 104

Years ago, when we lived in Santa Rosa, late January-February was when we cut back the rosemary to stumps, in preparation for it to begin to grow again in April and May. We usually cut the rose back then, too. It’s funny how we try and use one calendar anchor to apply to everywhere. Saturday was a balmy 70°F/21°C, while Sunday was a nippy 55°F/12°C. It’s hard to know when to prune anything anymore. With the weather all over the place, our internal calendars are a total mess.

Still, there are signs of the season – from the itching of our ears to the earlier rising of the sun. We watch the trees change like stop-motion photographs, each morning as we step out for our brief, brisk walk through the waking neighborhood. As the sun is normally barely an idea yet during our walks, we don’t often see the shift in full color, but we got a late start for our weekend walk, and enjoyed seeing the nests, buds, and blooms in full color.

Peachtree 87

It’s been an all-over-the-place sort of weekend. Inasmuch as the weather appears unsure what time of year this is, we’re fairly confident that it’s Spring from the amount of dust that’s drifted in, and the way our houseplants have overgrown their pots. One of the nicer things about our little house is its big, deep tub in the master bath, and the deep garden windows in the kitchen. Both of these things, however, are absolutely an annoyance to clean. The window, especially, into which we put new screens just last summer, is a single pane, and the window is made of unfinished marble. It tends to let in dust, immigrating spiders, and it collects water stains like a pro. After removing all the plant clutter, we washed all of the windows and tried to put a shine on the marble. T. is grateful to D for taking on the body origami which made this tidying up possible.

There are always some chores which seem to be reserved for “spring” cleaning. (Question: why do there seem to be no specified clean-outs for the other seasons? Perhaps in spring, there is the assumption that one has to clean out all the things it wasn’t possible to clean out or dispose of during winter – and so come Spring, detritus was burned, graves were dug, linens washed and houses were turned out, and those weren’t such issues during summer or autumn, maybe? Possibly? Sounds legit, no?) While we normally are annoyed with windows which are speckled and spotty when the sun shines, the heavy fog hasn’t allowed for much to look at before this past week, so we’ve let that chore slide. We caught up this weekend. Additionally, though we generally sharpen knives as needed, we discovered that in the last while, they all seem to have gone dull, so that was another chore for the morning. As always, when one begins thinking of specific things one ought to do, the list multiplies…! The bird bath! The hummingbird feeder! And on and on and on…

Peachtree 92

Few people have a specific time of year to re-pot plants, but with the way our Saintpaulia (the scientific name of what some people call “African” violets, though they’re more specifically Tanzanian violets, as they don’t grow all over Africa, but people are generally lazy or else don’t know Africa isn’t one country) has responded to being in the little garden window, it’s already been necessary once in the seven months since we’ve moved closer to the Bay. T is always gratified with how well her little violets grow, because she once thought they were the most finicky, easy-to-kill plant she’d ever had — and as they succumbed, D kept getting them for her (!!!). She realized why about two years ago during a rare trip to D’s parents’ house in Southern Cal, watching D’s mother prune her two dozen or so Saintpaulia plants. Now, we say “prune” but what we mean is “take a chef’s knife and violently cleave a plant in half while making desultory small talk.”


It was some next-level, mafiosi-style intimidation, if that’s what his mother intended. As the cleaver came down T took a GIANT step back and asked weakly, “Um, what are you doing?” (“Um,” because, even after twenty-plus years of marriage, neither T nor D has found comfortable names to call their in-laws. In the rare conversation, “Um” so far has worked.) “Oh, this is how you cut them back,” D’s mother said blithely. “You can start a whole new plant from a single leaf, just like this!”

Well, okay, then!

At our house, T prefers to hand D a TINY knife, because she’s still sure she’s going to kill the plants every time she has to divide them, but so far, so good… and so far, the mafiosi hasn’t dropped by, so that’s a plus as well.

Sing Out Niles 1

Sunday afternoon, we attended a community sing, sponsored by our chamber group, which was dedicated to love songs. It occurred to us that we hadn’t really done anything like this since we’d returned from Glasgow, where groups getting together for a “sing-song and a cuppa” is much more common. While there was no tea this time, there were quite a number of people out and about, in the historical tiny town-within-a-town of Niles. As this had been advertised throughout the community, we expected a lot of at least choir folk, but were amused to see one of D’s bosses there, as well.

The program was held in the historic Niles church, historic, because there has apparently been an operating church in that location since 1889, before Niles was incorporated as part of Fremont in 1956. For all its historical nature, the church is quite modern inside, a small, tidy space with soaring ceilings, which lent itself well to the music of the grand piano mid-stage.

The program was a combination of goofy and endearing, as the songs ranged from all the verses of “You Are My Sunshine” (none of which, regrettably, was the verse we learned at summer camp about the pig) to Neil Diamond’s “I’m A Believer” (or, as most people said, “No, that’s a Monkees song!” Yeah, yeah, but Neil wrote it), then to a melancholy Queen song which few people knew (and which no one could sing, because it was pitched for tenors, who never pitch things for the average person). In the single hour we sang rounds, then two- and four-part rounds; ooold oldies from generations back (“Kisses Sweeter Than Wine”) and even older ooold “olde” English folk songs (“I Gave My Love A Cherry”). We then ended with a newly composed, four-part song from the Justice Choir Songbook called We Choose Love, written by a Colorado composer and musician who was inspired last summer by peaceful civic protests in her area. As the chamber will be performing in a May concert titled “And Justice for All,” we fully expect that song will be seen again.

Newark 103

After such a fun community-oriented afternoon, the wind came up and blew the temperature into the low forties, and we gladly bundled into a hot bath and into bed. We hope all of your planning this weekend – and your cleaning and organizing – lead to a fruitful and well-prepared you this week – or at least some semblance of an organized, better you. Ciao!