Unintended 2nd Order SQL Injection

Why I am not afraid of the AI / Big Data / Cloud powered robot apocalypse.

SQL injection means running custom SQL queries through a web interface because the input to the intended query is not sanitized, for example by appending the infamous ' OR '1'='1 to a user name or search term. It is 2nd order when the offending string comes from the database rather than directly from user input: you would, for example, register a new user named admin ' OR '1'='1, and the injection fires later, when some other part of the application reads that stored name back and splices it into a query. If you want to play with that, register at hackthebox.eu, download sqlmap, and write your Python scripts.
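To make the "the string comes from the database" part concrete, here is a small added example (not code from the original post) using Python's sqlite3 module: the registration step stores the name above safely, and the vulnerable lookup is the one that later trusts the stored value, shown beside the parameterized version that does not. All table names, rows and e-mail addresses are constructed for the example.

```python
import sqlite3

# Constructed sample value: the registered user name from the post above.
STORED_NAME = "admin ' OR '1'='1"


def setup_db() -> sqlite3.Connection:
    """Build an in-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    # Registration uses a bound parameter, so the odd name is stored verbatim.
    # That is the essence of a 2nd order injection: the first query is fine,
    # the trouble comes when the stored value is reused without parameters.
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), (STORED_NAME, "mallory@example.invalid")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: int) -> list:
    """Vulnerable: reads the stored name back and splices it into a new query."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    # The stored name is trusted because "it came from our own database".
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_safe(conn: sqlite3.Connection, user_id: int) -> list:
    """Hardened: same flow, but the stored value travels as a bound parameter."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = setup_db()
    print(lookup_unsafe(db, 2))  # every address in the table, not just mallory's
    print(lookup_safe(db, 2))    # only mallory's
```

The unsafe lookup returns every row because the stored name turns the WHERE clause into `name = 'admin ' OR '1'='1'`; the safe lookup compares against the literal string and returns one row.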

I have accepted a benign version of 2nd order SQL injection as a fact of life. Our company name has an ampersand in it, and now and then the company name gets truncated at the ampersand. Very cautious IT systems don’t even accept this hacker company name.

But it seems the (AI / Big Data / cloud powered) security filters get better and better. A parcel service messed up delivery in an interesting way:

Item 1 was delivered to a wrong address – not related to us in any way, but the contact’s first name was in the street name.

Item 2 was delivered to us, but the company name was truncated to a single word – the contact’s last name right before the ampersand.

Was this the time some backend systems got an update of their security filters? I also got a purchase order e-mail without an actual PO attachment, but the company name was truncated at the ampersand.

Maybe it also helps that our location’s code changed three years ago. Hardly any organization could deal with the change without support tickets and hacks – big US-based data krakens as well as local suppliers. This will take a while – our IT department will have to set up your new zip code! … Says the company whose core business is shipping things, months after the release of the new zip code.

Google support was helpful, but it took me a lot of back and forth to get the zip code corrected in Google Maps. In the beginning they added the new zip code to the street address as a workaround. The location shows the old code to this day – we are the only place with the ‘new’ ZIP code.

Making fun of these glitches is unfair. You are more likely to notice the exceptional error than the many digital processes that run flawlessly. As a network administrator you know this: people only notice you if things go wrong.

However, I’d appreciate it if companies were more humble. Every time I fight with a weird glitch in Big Corp’s systems, I see their marketing messages on social media about this superior digital experience.

But …

Software and cathedrals are much the same – first we build them, then we pray
— Samuel T. Redwine Jr. [ref]


We build our computer (systems) the way we build our cities: over time, without a plan, on top of ruins.
— Ellen Ullman [ref]
