Re: [sqlite] Always call a value-quoting routine

2018-05-08 Thread Peter Da Silva
Nicely retro-feel website too:

https://droptablecompanies.co.uk/

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Always call a value-quoting routine

2018-05-07 Thread Rowan Worth
On 7 May 2018 at 15:13, Scott Robison  wrote:

> On Sun, May 6, 2018 at 11:34 PM, Rowan Worth  wrote:
> > Its omission is interesting though. Does it indicate an incompetent
> > attacker, or is companieshouse.gov.uk using some bespoke approach like
> > "delete all single quotes" instead of actually quoting strings?
>
> It could just indicate someone with a sense of humor who crafted a
> name that looks like an injection attack for their company.
>

True, or crafted a name that makes it look like the registrar is using
unusual sanitation approaches ;)
Although a search for "it's"¹ reveals they do allow single quotes in
company names, so they're off the hook.

¹ or "its" - it seems single quotes are ignored for search purposes,
although other punctuation like ; and , are not.

LP and LLP are apparently also acceptable suffixes:

https://beta.companieshouse.gov.uk/company/LP004358
https://beta.companieshouse.gov.uk/company/OC387006

Not sure about these next ones -- did they just fall through the cracks?

https://beta.companieshouse.gov.uk/company/SL003914
https://beta.companieshouse.gov.uk/company/SC096234

-Rowan
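
An added example, not part of the original posts: it stores the company name from this thread through the "delete all single quotes" approach, through a value-quoting routine, and through a bound parameter, using Python's `sqlite3` module. The apostrophe name and all helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample names: the registered name quoted in this thread, plus a
# hypothetical company whose name contains an apostrophe.
NAMES = ['; DROP TABLE "COMPANIES";-- LTD', "IT'S A SMALL WORLD LTD"]

def strip_quotes(value):
    """The 'delete all single quotes' approach: lossy, it changes the data."""
    return value.replace("'", "")

def quote_literal(value):
    """Value-quoting routine: wrap in single quotes, double any embedded ones."""
    return "'" + value.replace("'", "''") + "'"

def store_and_read(insert):
    """Insert every sample name with insert(conn, name); return what was stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "COMPANIES" (name TEXT)')
    for name in NAMES:
        insert(conn, name)
    rows = [r[0] for r in conn.execute('SELECT name FROM "COMPANIES" ORDER BY rowid')]
    conn.close()
    return rows

def insert_stripped(conn, name):
    conn.execute("INSERT INTO \"COMPANIES\" VALUES ('" + strip_quotes(name) + "')")

def insert_quoted(conn, name):
    conn.execute('INSERT INTO "COMPANIES" VALUES (' + quote_literal(name) + ")")

def insert_bound(conn, name):
    # Preferred: the value is bound and never becomes part of the SQL text.
    conn.execute('INSERT INTO "COMPANIES" VALUES (?)', (name,))

def sqlite_quote(value):
    """SQLite's built-in quote() SQL function, for comparison with quote_literal."""
    conn = sqlite3.connect(":memory:")
    literal = conn.execute("SELECT quote(?)", (value,)).fetchone()[0]
    conn.close()
    return literal
```

Quoting and binding both return the two names unchanged, while stripping stores the second one as `ITS A SMALL WORLD LTD`; inside a quoted literal the thread's name is plain data in all three cases.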


Re: [sqlite] Always call a value-quoting routine

2018-05-07 Thread Peter Da Silva
On 5/7/18, 2:14 AM, "sqlite-users on behalf of Scott Robison" wrote:
> It could just indicate someone with a sense of humor who crafted a
> name that looks like an injection attack for their company.

Most likely, or else it's part of an honor system exploit.

http://humorix.org/10277



Re: [sqlite] Always call a value-quoting routine

2018-05-07 Thread Scott Robison
On Sun, May 6, 2018 at 11:34 PM, Rowan Worth  wrote:
> Amusing -- but without the leading single-quote it would take intentional
> effort for a programmer to detonate this payload.
>
> Its omission is interesting though. Does it indicate an incompetent
> attacker, or is companieshouse.gov.uk using some bespoke approach like
> "delete all single quotes" instead of actually quoting strings?

It could just indicate someone with a sense of humor who crafted a
name that looks like an injection attack for their company.


Re: [sqlite] Always call a value-quoting routine

2018-05-06 Thread Rowan Worth
Amusing -- but without the leading single-quote it would take intentional
effort for a programmer to detonate this payload.

Its omission is interesting though. Does it indicate an incompetent
attacker, or is companieshouse.gov.uk using some bespoke approach like
"delete all single quotes" instead of actually quoting strings?

-Rowan

On 6 May 2018 at 06:57, Simon Slavin  wrote:

> This is a genuine company registered under the UK Companies Act:
>
> 
>
> The name of company is
>
> ; DROP TABLE "COMPANIES";-- LTD
>
> (Note: For legal reasons a UK company name must end in 'LTD' or 'plc',
> depending on the type of company it is.)
>
> Simon.


Re: [sqlite] Always call a value-quoting routine

2018-05-05 Thread José María Mateos
On Sat, May 05, 2018 at 11:57:22PM +0100, Simon Slavin wrote:
> This is a genuine company registered under the UK Companies Act:
> 
> 
> 
> The name of company is
> 
> ; DROP TABLE "COMPANIES";-- LTD

Obligatory: https://xkcd.com/327/

Cheers, 

-- 
José María (Chema) Mateos
https://rinzewind.org/blog-es || https://rinzewind.org/blog-en


Re: [sqlite] Always call a value-quoting routine

2018-05-05 Thread Scott Robison
Thanks for sharing that. It will undoubtedly be useful to me in a computer
security class I'm taking this semester.

On Sat, May 5, 2018, 4:57 PM Simon Slavin  wrote:

> This is a genuine company registered under the UK Companies Act:
>
> 
>
> The name of company is
>
> ; DROP TABLE "COMPANIES";-- LTD
>
> (Note: For legal reasons a UK company name must end in 'LTD' or 'plc',
> depending on the type of company it is.)
>
> Simon.


[sqlite] Always call a value-quoting routine

2018-05-05 Thread Simon Slavin
This is a genuine company registered under the UK Companies Act:



The name of company is

; DROP TABLE "COMPANIES";-- LTD

(Note: For legal reasons a UK company name must end in 'LTD' or 'plc', 
depending on the type of company it is.)

Simon.