Difference between revisions of "Robert'); DROP TABLE Students;--"

Explain xkcd: It's 'cause you're dumb.
Jump to: navigation, search
(Example of SQL injection: Corrected the description of the first example: A vulnerable SQL command, not the exploit itself (which is the next example).)
(Appearances)
(42 intermediate revisions by 31 users not shown)
Line 1: Line 1:
 
{{Infobox character
 
{{Infobox character
| image      =  
+
| image      = Little Bobby Tables.PNG
 
| imagesize  =  
 
| imagesize  =  
| caption    =  
+
| caption    = First drawn drawing in [[342: 1337: Part 2]].
 
| first_appearance = [[327: Exploits of a Mom]]
 
| first_appearance = [[327: Exploits of a Mom]]
 
}}
 
}}
  
'''<code>Robert'); DROP TABLE students;--</code>''', nicknamed '''Little Bobby Tables''', is the youngest son of elite hacker [[Mrs. Roberts]]. His elder sister is [[Elaine Roberts|Help I'm stuck in a driver's license factory Elaine Roberts.]]. His "full" name is known to cause problems with some computers. When he was first enrolled in school ([[327: Exploits of a Mom]]), it exploited a vulnerability in the parsing of student's names into the school's student database resulting in the school losing all the student records for the year.
+
'''<code>Robert'); DROP TABLE students;--</code>''', nicknamed '''Little Bobby Tables''', is the youngest son of elite hacker [[Mrs. Roberts]]. His elder sister is [[Elaine Roberts|Help I'm trapped in a driver's license factory Elaine Roberts]]. His "full" name is known to cause problems with some computers. When he was first enrolled in school ([[327: Exploits of a Mom]]), it exploited a vulnerability in the parsing of students' names into the school's student database resulting in the school losing all the student records for the year.
  
In {{w|SQL}}, commands are separated by semicolons '''<code>;</code>''' and data is often quoted using single quotes '''<code>'</code>'''.  Commands may also be enclosed in parentheses '''<code>(</code>''' and '''<code>)</code>'''.  Data is stored in tables of similar items (e.g. '''<code>students</code>''') and individual entries are "rows" in the table.  To delete an entire table (and every row of data in that table), you use the command '''<code>DROP</code>''' (e.g. '''<code>DROP TABLE students</code>''').  The '''<code>--</code>''' represents the start of a {{w|Comment_(computer_programming)#SQL|SQL comment}} which ensures that the rest of the command is ignored so an error will not occur.
+
In {{w|SQL}}, commands are terminated by semicolons '''<code>;</code>''' and data is often quoted using single quotes '''<code>'</code>'''.  Commands may also be enclosed in parentheses '''<code>(</code>''' and '''<code>)</code>'''.  Data is stored in tables of similar items (e.g. '''<code>students</code>''') and individual entries are "rows" in the table.  To delete an entire table (and every row of data in that table), you use the command '''<code>DROP</code>''' (e.g. '''<code>DROP TABLE students</code>''').  The '''<code>--</code>''' represents the start of a {{w|Comment_(computer_programming)#SQL|SQL comment}} which ensures that the rest of the command is ignored so an error will not occur.
  
 
The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software.  Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside that statement, rather than being parsed as part of the name.  Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}.
 
The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software.  Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside that statement, rather than being parsed as part of the name.  Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as {{w|SQL injection}}.
  
The name Bobby Tables inspired a website, [http://bobby-tables.com/ bobby-tables.com], a guide for beginning programmers to learn the right way to avoid SQL injection in their code..
+
The name Bobby Tables inspired a website, [http://bobby-tables.com/ bobby-tables.com], a guide for beginning programmers to learn the right way to avoid SQL injection in their code. A similarly named character, Mister Rogers, appears in [[884: Rogers St.]], with the same code injection in his middle name. It appears in [[1253: Exoplanet Names]] as one of the suggested planet names.
  
A similarly named character, Mister Rogers, appears in [[884: Rogers St.]], with the same code injection in his middle name. It appears in [[1253: Exoplanet Names]] as one of the suggested planet names.
+
== Appearances ==
 +
Within the five comics he is referenced, he is only drawn three times. The first two are in the [[:Category:1337|1337 series]] where he is drawn as a Cueball-like kid. See picture above. But then he also appears as a young man with long curly hair, looking very much like a woman in [[884: Rogers St.]] Here it is only the title text that reveals that this is Bobby, that and the fact that [[Randall]] in the official transcript does not mention the gender, but only that it is a person.  
 +
Here is how he looks in that comic:<br>
 +
[[File:Adult Bobby Tables.PNG]]
 +
 
 +
There have been suggestions that the Robert in the table in [[596: Latitude]] was Bobby, but given that [[Black Hat]] has never had any relation to him in the other comics, and that [[Rob]] has, it seems more likely that the Robert is Rob.
  
 
== Example of SQL injection ==
 
== Example of SQL injection ==
Line 20: Line 25:
 
A typical, unsecured SQL command vulnerable to SQL injection would be something like:
 
A typical, unsecured SQL command vulnerable to SQL injection would be something like:
  
  database.execute("INSERT INTO students (name) VALUES ('" + name + "')");
+
  database.execute("INSERT INTO students (name) VALUES ('" + name + "');");
  
where <code>name</code> is a variable which is filled with the name to be inserted into the database. With a regular name, this would result in the following SQL command to be send to the database system:
+
where <code>name</code> is a variable which is filled with the name to be inserted into the database. With a regular name, this would result in the following SQL command to be sent to the database system:
  
  INSERT INTO students (name) VALUES ('Elaine')
+
  INSERT INTO students (name) VALUES ('Elaine');
  
 
However, with Little Bobby Tables's full name, the SQL command would be:
 
However, with Little Bobby Tables's full name, the SQL command would be:
  
 
+
  INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');
  INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--')
 
  
 
Or, if split after each <code>;</code>:
 
Or, if split after each <code>;</code>:
Line 35: Line 39:
 
  INSERT INTO students (name) VALUES ('Robert');
 
  INSERT INTO students (name) VALUES ('Robert');
 
  DROP TABLE students;
 
  DROP TABLE students;
  --')
+
  --');
  
The first commands inserts the name <code>Robert</code> into the database as in the first example. The second command however completely deletes the table <code>students</code>. The remainder is a comment to prevent syntax errors with the apostrophe and the closing parenthesis.
+
The first command inserts the name <code>Robert</code> into the database as in the first example. The second command however completely deletes the table <code>students</code>. The remainder is a comment to prevent syntax errors with the apostrophe and the closing parenthesis.
  
 
== Real Life occurrence ==
 
== Real Life occurrence ==
  
In French-speaking countries, apostrophes are a common character in street names. More often than not, Frenchmen (or Luxembourgers, or Belgians, ...) unwittingly trigger SQL injection bugs when trying to order something from a US shop. In Italy, they are often part of town names, too (e.g. [[wikipedia:L'Aquila|L'Aquila]]).
+
In French-speaking countries, apostrophes are a common character in street names. More often than not, French speakers unwittingly trigger SQL injection bugs when trying to order something from a US shop. In Italy, they are often part of town names, too (e.g. {{w|L'Aquila}}). Apostrophes are also found in a great many Irish surnames, often resulting in similar problems and/or data validation errors.
 +
 
 +
In 2020 the British corporate register accepted a registration for "&quot;&gt;&lt;SRC=HTTPS://MJT.XSS.HT&gt; LTD", which was soon renamed "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD" to avoid a cross-site scripting problem. [https://forum.aws.chdev.org/t/cross-site-scripting-xss-software-attack/3355/8 Discussion on the Companies House Developer Forum]
 +
 
 +
==See also==
 +
*[[:Category:Comics featuring Little Bobby Tables|Comics featuring Little Bobby Tables]]
  
 
{{navbox-characters}}
 
{{navbox-characters}}
 
[[Category:Characters]]
 
[[Category:Characters]]

Revision as of 12:33, 8 May 2023

Robert'); DROP TABLE Students;--

First drawn drawing in 342: 1337: Part 2.
First appearance 327: Exploits of a Mom
Appearances Click to view

Robert'); DROP TABLE students;--, nicknamed Little Bobby Tables, is the youngest son of elite hacker Mrs. Roberts. His elder sister is Help I'm trapped in a driver's license factory Elaine Roberts. His "full" name is known to cause problems with some computers. When he was first enrolled in school (327: Exploits of a Mom), it exploited a vulnerability in the parsing of students' names into the school's student database resulting in the school losing all the student records for the year.

In SQL, commands are terminated by semicolons ; and data is often quoted using single quotes '. Commands may also be enclosed in parentheses ( and ). Data is stored in tables of similar items (e.g. students) and individual entries are "rows" in the table. To delete an entire table (and every row of data in that table), you use the command DROP (e.g. DROP TABLE students). The -- represents the start of a SQL comment which ensures that the rest of the command is ignored so an error will not occur.

The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside that statement, rather than being parsed as part of the name. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as SQL injection.

The name Bobby Tables inspired a website, bobby-tables.com, a guide for beginning programmers to learn the right way to avoid SQL injection in their code. A similarly named character, Mister Rogers, appears in 884: Rogers St., with the same code injection in his middle name. It appears in 1253: Exoplanet Names as one of the suggested planet names.

Appearances

Within the five comics he is referenced, he is only drawn three times. The first two are in the 1337 series where he is drawn as a Cueball-like kid. See picture above. But then he also appears as a young man with long curly hair, looking very much like a woman in 884: Rogers St. Here it is only the title text that reveals that this is Bobby, that and the fact that Randall in the official transcript does not mention the gender, but only that it is a person. Here is how he looks in that comic:
Adult Bobby Tables.PNG

There have been suggestions that the Robert in the table in 596: Latitude was Bobby, but given that Black Hat has never had any relation to him in the other comics, and that Rob has, it seems more likely that the Robert is Rob.

Example of SQL injection

A typical, unsecured SQL command vulnerable to SQL injection would be something like:

database.execute("INSERT INTO students (name) VALUES ('" + name + "');");

where name is a variable which is filled with the name to be inserted into the database. With a regular name, this would result in the following SQL command to be sent to the database system:

INSERT INTO students (name) VALUES ('Elaine');

However, with Little Bobby Tables's full name, the SQL command would be:

INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');

Or, if split after each ;:

INSERT INTO students (name) VALUES ('Robert');
DROP TABLE students;
--');

The first command inserts the name Robert into the database as in the first example. The second command however completely deletes the table students. The remainder is a comment to prevent syntax errors with the apostrophe and the closing parenthesis.

Real Life occurrence

In French-speaking countries, apostrophes are a common character in street names. More often than not, French speakers unwittingly trigger SQL injection bugs when trying to order something from a US shop. In Italy, they are often part of town names, too (e.g. L'Aquila). Apostrophes are also found in a great many Irish surnames, often resulting in similar problems and/or data validation errors.

In 2020 the British corporate register accepted a registration for ""><SRC=HTTPS://MJT.XSS.HT> LTD", which was soon renamed "THAT COMPANY WHOSE NAME USED TO CONTAIN HTML SCRIPT TAGS LTD" to avoid a cross-site scripting problem. Discussion on the Companies House Developer Forum

See also