Okay what's wrong with that? It uses HTTPS and that should be good enough for everybody. 
So were 512k some decades ago.
Also, look 2 threads below (incidentally, one that I've started). It mentions exactly this problem.
Full-fledged Java/.NET lover, full-fledged PHP hater.
Full-fledged Google/Microsoft lover, full-fledged Apple hater.
Full-fledged Skype lover, full-fledged YM hater.
That's gotta be the best laugh I've had all week. Since I was on a bender, thought I'd send this email to the company. Let their response time be a testament to how seriously they take security.
Gday Sir/Madam,
Have just read a forum post that lambastes your website for its poor security. There are at least 2 problems with it as it stands:
1) You've used a HTTP GET to pass variables to this page (the order number is present in the URL)
2) You've not authenticated the viewer as being the customer that placed the order.
For instance, I can enter the URL "https://www.alcatraztrips.com/Confirmation.asp?order=17900" and straight away see that Mary Cruz did attend the tour on 27 Sep 2005, leaving from Pier 33 at 11.15am
I can then enter the URL "https://www.alcatraztrips.com/Confirmation.asp?order=169000" and similarly I can see that Silvia Bollati is scheduled to attend a tour on the 25th August 2012 (13 days from now) Also departing pier 33, this time at 10am.
What if I or somebody else wanted to harm Silvia? Simple, run a program to harvest all the orders on your website, scan through them for the name of a purchaser of interest
It certainly doesn't take somebody that's particularly bright to understand that
(a) This is a massive security hole
(b) If somebody scheduled to attend the tour was located as a result of the service and subsequently murdered, your company would be held liable!!!
Kind of ironic for a website that deals in tours to a decommissioned Prison, don't you think?
You can view the lambasting here: http://www.codeproject.com/Messages/4335687/Alcatraz-the-tourist-website.aspx
Cheers,
Simon.
Make it work. Then do it better - Andrei Straut
That was funny
Also, I've seen myself quoted in your sig (can't 5 twice), and although I'm flattered, you should know that it's not my invention, I've heard it on the interwebz somewhere
Full-fledged Java/.NET lover, full-fledged PHP hater.
Full-fledged Google/Microsoft lover, full-fledged Apple hater.
Full-fledged Skype lover, full-fledged YM hater.
Hope their customers data isn't left out on display for all to see. Also hoped someone else may get a giggle.
I'd be happy to attribute it to anon if you'd prefer.
I've found your posts to be both intelligent and helpful - the quote is also a good maxim - just one I'd never been clever enough to condense.
It's how things are often done - a good example is one that uses per-pixel manipulation. At first, it's a million times easier to just use SetPixel/GetPixel - with time after the algo is working one will often alter such ungainly access to something much harder to read and similarly quicker to execute.
I saw the quote in a post of yours and just HAD to steal it - (unquoted, hence the attribution to you)
Make it work. Then do it better - Andrei Straut
Well, what can I say, thanks!
Full-fledged Java/.NET lover, full-fledged PHP hater.
Full-fledged Google/Microsoft lover, full-fledged Apple hater.
Full-fledged Skype lover, full-fledged YM hater.
Dear Sir/Madam,
It has recently been brought to our attention that your IP address has been viewing orders placed by customers with different IP addresses. This is a federal crime and you will be prosecuted if you do not cease and desist.
Sincerely,
Alcatraz Tours Security Official
Nice
I'll see your taunt and raise you another..
Dear Mr Agent,
As with all police issued notices I receive purporting to be from the US, I will again take the time to remind you that I'm 12,650 kms away - that's 7,860 miles to the metrically challenged.
You've obviously been told by fellow scammer colleagues that you'll get better response rates when you claim to be US law enforcement than you'd enjoy with the old "We are related, I just need to use your bank account to wire $50,000,000 out of this country, you will receive a generous 5%"
Think I'll file this with my IRS note, my LAPD issued traffic infringement and my New York issued demand to attend the courthouse.
If only you realized I've never had a passport, let alone left this country.
Why don't you head back into the capital city, Abuja? I hear there are many opportunities for those willing to work for them..
Make it work. Then do it better - Andrei Straut
enhzflep wrote: I just need to use your bank account to wire $50,000,000 out of this country, you will receive a generous 5%
There was a report not too long ago that studied why Nigerian scammers always say they are from Nigeria rather than some place not so famous for scamming. The reason was that if somebody is gullible enough to believe a scam that says it is from Nigeria, they are the most likely people to actually believe the scam. Essentially, being so obvious about their scam is their method to avoid talking to smart people, which would waste their time and cost them money.
And I just found it: http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf
And that my friend, is the most interesting piece of literature I've read all month.
Have a +5 for the article link.
Makes me wonder how much too little credit I've apportioned the writers of such emails.
It makes perfect sense.
Cheers, and thanks.
Make it work. Then do it better - Andrei Straut
Even worse. It is open to SQL injection attacks. A few days ago, someone asked in Q&A how a "UNION SELECT ALL null..." attack works, and someone pointed to Evil SQL[^]. Just tried a https://www.alcatraztrips.com/Confirmation.asp?order=179000%20having%201=1--[^]
which results in
Microsoft OLE DB Provider for SQL Server error '80040e14'
Column 'orders.OrderNumber' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/Confirmation.asp, line 13
and some more bad injections... So easy to get the name of their db user etc.
But: please do not destroy their web site, just have fun!
It is such a great place to demonstrate the vulnerabilities of badly written code to our students here at CP.
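Simon's two points (an order number passed in the URL with no check that the viewer owns it) and the injection post above (the `?order=` value spliced straight into SQL, with the driver error echoed back) are both the same class of defect: untrusted input reaching the query unchecked. This is an added Python/sqlite example, not code from the thread or from the site; only the order numbers, the column name orders.OrderNumber and the `having 1=1--` probe come from the thread, and the table layout and customer rows are constructed.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's orders table.  Only the
# order numbers and the column name orders.OrderNumber come from the thread;
# the other columns and the customer rows are made up.
SCHEMA = """
CREATE TABLE orders (OrderNumber INTEGER PRIMARY KEY, CustomerId INTEGER,
                     Name TEXT, TourDate TEXT, Departs TEXT);
INSERT INTO orders VALUES (17900,  1, 'Customer A', '2005-09-27', '11:15');
INSERT INTO orders VALUES (169000, 2, 'Customer B', '2012-08-25', '10:00');
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def confirmation_vulnerable(db, order_param):
    """Hypothetical reconstruction of the Confirmation.asp pattern: the raw
    ?order= value is spliced into the SQL text and nothing ties the order to
    the person viewing it, so any number can be walked and any SQL tail runs."""
    sql = ("SELECT OrderNumber, Name, TourDate, Departs FROM orders "
           "WHERE OrderNumber=" + order_param)
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The real site echoed the driver error to the browser; mirror that.
        return "ERROR: " + str(exc)

def confirmation_hardened(db, order_param, session_customer_id):
    """Fixes both defects: the parameter must be a plain decimal integer, the
    value is bound instead of concatenated, and the row must belong to the
    customer id held in the authenticated session.  Every failure is a uniform
    None (rendered as 'not found'), never a database error message."""
    if session_customer_id is None or not re.fullmatch(r"[0-9]{1,9}", order_param):
        return None
    return db.execute(
        "SELECT OrderNumber, Name, TourDate, Departs FROM orders "
        "WHERE OrderNumber = ? AND CustomerId = ?",
        (int(order_param), session_customer_id),
    ).fetchone()

if __name__ == "__main__":
    db = open_db()
    print(confirmation_vulnerable(db, "169000"))             # anyone reads customer 2's booking
    print(confirmation_vulnerable(db, "179000 having 1=1--"))  # probe leaks a DB error
    print(confirmation_hardened(db, "17900", 1))             # own order: returned
    print(confirmation_hardened(db, "169000", 1))            # someone else's: None
    print(confirmation_hardened(db, "179000 having 1=1--", 1))  # probe: None
```

The hardened version also removes the error text from the response, which is what made the original probe informative in the first place.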
Bill Gates is a very rich man today... and do you want to know why? The answer is one word: versions.
Dave Barry
Read more at BrainyQuote[ ^]
Can anyone tell me what this code does? I found it in a project I inherited:
public static string ConvertToReadableNumber(decimal num)
{
    bool isNegative = num < 0;
    // Math.Floor rounds toward negative infinity, so -12.45 becomes -13 here.
    num = Math.Floor(num);
    string numTxt = Math.Abs(num).ToString();
    string numReadable = "";
    int counter = 0;
    // Walk the digits from the right, inserting a hard-coded ',' every three digits.
    for (int i = numTxt.Length - 1; i >= 0; i--)
    {
        if (counter > 0 && counter % 3 == 0)
            numReadable = "," + numReadable;
        numReadable = numTxt[i] + numReadable;
        counter++;
    }
    if (isNegative)
        numReadable = "-" + numReadable;
    return numReadable;
}
I'm guessing that a ToString() would have done the job. 
A blind programmer who reinvented the wheel (in a pretty much bad manner) without ever looking at the rich API the underlying framework has to offer. The best thing about using framework provided APIs is that we can safely assume (to some extent) that the code is tried and tested for all scenarios.
Reminds me of this[^], had the programmer used Date.AddYears() method, it would have saved a lot of headaches for Microsoft's customers, lot of customers to Microsoft and most importantly, would not have cost him/her job. At least, the programmer could have done a sanity check on the resultant date to ensure that it is valid.
It's an abomination, for which the author should be summarily executed.
It takes a decimal, floors it, and outputs it with commas as the thousand separator:
http://rextester.com/CAYFY90912[^]
It boils down to this one-liner:
var result = Math.Floor(num).ToString("#,#");
Cool site! And I agree!
Bill Gates is a very rich man today... and do you want to know why? The answer is one word: versions.
Dave Barry
Read more at BrainyQuote[ ^]
If you really want to be precise and duplicate his function, it's actually this:
var result = Math.Floor(num).ToString("#,#", System.Globalization.CultureInfo.InvariantCulture);
Perhaps the author hard coded the thousand separator for some reason...
The real wtf is the enormous variation in the parameters of the conversion function. When you know how to do it correctly with VB6, it won't work with C++, C#, Oracle SQL, MySQL, Microsoft SQL Server, ...
I guess the guy who wrote the code was a victim of that diversity, and wrote it after switching to C# from something else.
ToString would have done a better job as it's not depending on the culture.
Lots of companies have utility functions like this in their "toolbox", often rebuilding what's already there.
To me, that proves that most of these companies are too rich. If they had to be careful on what they'd spend, sh*t like this would be gone.
Bastard Programmer from Hell
if you can't read my code, try converting it here[^]
Arpikusz wrote: numReadable = "," + numReadable;
What happens if the culture is one that uses . instead of , for the separator? Not only is this bad code, it's lazy bad code because it's not taking localisation into account.
Also, as I look over the code, what happens if num is 3000.27? I can't see anywhere in this code that actually adds the portion after the decimal on to numReadable .
And that's why it is a readable number. Use whole numbers to avoid confusions like '.' or ','.
"Fear no factor", Prime Numbers.
Agreed, clearly the assumption here is that a decimal number is not readable 
Um, isn't Math.Floor(-12.45) == -13?