Revision as of 20:08, 28 March 2024
Robert'); DROP TABLE Students;--

| Character | Robert'); DROP TABLE Students;-- |
|---|---|
| First appearance | 327: Exploits of a Mom |
- For a list of comics, see Comics featuring Robert'); DROP TABLE Students;--.
- For Robert'); DROP TABLE Students;--'s sister, see Help I'm trapped in a driver's license factory Elaine Roberts.
- For Robert'); DROP TABLE Students;--'s mother, see Mrs. Roberts.
Robert'); DROP TABLE Students;-- Roberts, also known as Little Bobby Tables, is a stick figure character in xkcd. He is the youngest son of elite hacker Mrs. Roberts, and Help I'm trapped in a driver's license factory Elaine Roberts is his older sister. His full name is known to cause problems with some computers. When he was first enrolled in school in 327: Exploits of a Mom, his name exploited a vulnerability in the way the school's student database handled students' names, and the school lost all of its student records for the year.
Appearances
Within the five comics in which he is referenced, he is only drawn three times. The first two are in the 1337 series, where he is drawn as a Cueball-like kid. He also appears as a young man with long curly hair in 884: Rogers St.; there only the title text reveals that this is Bobby, together with the fact that Randall's official transcript does not mention the gender, only that it is a person.
There have been suggestions that the Robert in the table in 596: Latitude was Bobby, but given that Black Hat has never had any relation to him in the other comics, and that Rob has, it seems more likely that the Robert is Rob.
Name
In SQL, commands are terminated by semicolons (;) and string data is quoted using single quotes ('). Parts of a command, such as the list of values being inserted, are enclosed in parentheses, ( and ). Data is stored in tables of similar items (e.g., Students) and individual entries are "rows" in the table. To delete an entire table (and every row of data in it), you use the command DROP (e.g., DROP TABLE Students). The -- marks the start of a SQL comment, which makes the database ignore the rest of the line, so the leftover '); from the original command does not cause a syntax error.
The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded into a SQL statement, the quote is parsed as the closing quote of the string literal inside that statement rather than as part of the name, and everything after it is parsed as SQL. Building statements from unescaped input is a common vulnerability; this type of exploit is referred to as SQL injection. Escaping quotes was the fix of the day, but the robust fix is to pass user data as bound parameters of a prepared (parameterised) statement, so that it is never interpreted as SQL at all. Two further conditions are needed for the comic's outcome specifically: the database driver must execute the stacked second statement (many drivers run only one statement per call), and the application's database account must have permission to DROP tables, which a least-privilege account used only for enrolment would not.
The name Bobby Tables inspired a website, bobby-tables.com, a guide for beginning programmers to learn the right way to avoid SQL injection in their code. It appears in 1253: Exoplanet Names as one of the suggested planet names.
Example of SQL injection
A typical, unsecured SQL command vulnerable to SQL injection would be something like:
database.execute("INSERT INTO Students (name) VALUES ('" + name + "');");
where name is a variable which is filled with the name to be inserted into the database. With a regular name, this would result in the following SQL command being sent to the database system:
INSERT INTO Students (name) VALUES ('Elaine');
However, with Little Bobby Tables's full name, the SQL command would be:
INSERT INTO Students (name) VALUES ('Robert'); DROP TABLE Students;--');
Or, if split after each ;:
INSERT INTO Students (name) VALUES ('Robert');
DROP TABLE Students;
--');
The first command inserts the name Robert into the database as in the first example. The second command, however, completely deletes the table Students. The remainder, --, starts a comment, which prevents a syntax error from the apostrophe and closing parenthesis left over from the original command, for which the exploit code otherwise has no use.
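The snippet above is pseudocode. The following is an added example, not code from the page or from xkcd, that runs the same attack against a real (in-memory SQLite) database and shows the parameterised form beside it. The database layout (a Students table with one constructed row, "Elaine") is an assumption; the helper names fresh_db, insert_vulnerable and insert_parameterized are illustrative. One driver-specific detail is worth knowing: Python's sqlite3.execute() refuses to run more than one statement per call, so the vulnerable variant uses executescript(), which runs every statement in the string, as drivers that permit multi-statement queries do.

```python
import sqlite3

# The name from the comic, used here as the malicious input.
BOBBY = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Create an in-memory database with a Students table holding one
    constructed sample row (assumed layout, not from the comic)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    conn.execute("INSERT INTO Students (name) VALUES ('Elaine')")
    conn.commit()
    return conn


def table_exists(conn, table="Students"):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def students(conn):
    """All stored names, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM Students ORDER BY rowid")]


def insert_vulnerable(conn, name):
    """Build the statement by string concatenation, exactly like the page's
    snippet. executescript() executes every statement in the string, so the
    stacked DROP TABLE runs too; the trailing --') is discarded as a comment."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)
    return sql


def insert_parameterized(conn, name):
    """Hardened form: the name is bound as a parameter and is stored verbatim,
    quotes, semicolons and all; it is never parsed as SQL."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def demo():
    """Run both variants against fresh databases and report what survived.
    Each value is (table still exists, rows or None if the table is gone)."""
    results = {}

    conn = fresh_db()
    insert_vulnerable(conn, "Elaine")
    results["vulnerable/Elaine"] = (table_exists(conn), students(conn))

    conn = fresh_db()
    insert_vulnerable(conn, BOBBY)
    alive = table_exists(conn)
    results["vulnerable/Bobby"] = (alive, students(conn) if alive else None)

    conn = fresh_db()
    insert_parameterized(conn, BOBBY)
    results["parameterized/Bobby"] = (table_exists(conn), students(conn))
    return results


if __name__ == "__main__":
    for label, (alive, rows) in demo().items():
        print(f"{label}: table exists={alive}, rows={rows}")
```

With a regular name the vulnerable version behaves correctly, which is why such bugs survive testing; with Bobby's name the table is gone after the call. The parameterised version stores the full string as data, so a later report that prints the name unescaped into HTML or another SQL string would face the same class of problem again: output encoding has to be done at every boundary, not just on input.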
Real life occurrences
In 2016, the British company ; DROP TABLE "COMPANIES"; -- was founded, and its name is still visible in the filings at Companies House. The name is deliberately malformed: it does not begin with a quote that would close an open string literal, so it cannot actually break out of a quoted value and cause problems for systems that process the register.
In 2017, a Swiss group titled their book <script>alert("!Mediengruppe Bitnik");</script>, so that any e-commerce website that rendered the title into its pages without HTML-escaping it would run the script and show a pop-up as soon as the title loaded. It immediately worked on several sites, and to this day some websites are still affected.
In 2019, a person chose a vanity license plate that said NULL and subsequently received thousands of dollars in fines for other people's vehicles, issued for citations that had no plate recorded. Some database programmers somewhere along the way failed to consider the difference between the string NULL and the value NULL.
In 2020, the British corporate register accepted a registration for “><SCRIPT SRC=HTTPS://MJT.XSS.HT> LTD, which was soon officially renamed to THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD to avoid a cross-site scripting problem.