Little Bobby Tables Just Registered a Company…

Sometimes along comes a tech story that diverges from our usual hardware subject matter yet which just begs to be shared with you because we think you will find it interesting and entertaining.

XKCD 327, Exploits of a Mom (CC BY-NC 2.5).

You will no doubt be familiar with the XKCD cartoon number 327, entitled “Exploits of a Mom”, but familiarly referred to as “[Bobby Tables]”. In it a teacher is ringing the mother of little [Robert'); DROP TABLE Students;--], whose name has caused the loss of a year’s student records due to a badly sanitized database input. We’ve all raised a chuckle at it, and the joke has appeared in other places such as an improbably long car license plate designed to erase speeding tickets.

It’s nice to see that Companies House sanitise their database inputs.

Today we have a new twist on the Bobby Tables gag, for someone has registered a British company with the name “; DROP TABLE "COMPANIES";-- LTD”. Amusingly the people at Companies House have allowed the registration to proceed, so either they get the joke too or they are unaware of the nuances of a basic SQL exploit. It’s likely that if this name leaves Her Majesty’s civil servants with egg on their faces it’ll be swiftly withdrawn, so if that turns out to be the case then at least we’ve preserved it with a screenshot.

Of course, the chances of such a simple and well-known exploit having any effect are minimal. There will always be poor software out there somewhere that contains badly sanitized inputs, but we would hope that a vulnerability more suited to 1996 would be vanishingly rare in 2016.

If by some chance you haven’t encountered it before, we’d recommend you read about database input sanitization; someday it may save you from an embarrassing bit of code. Meanwhile we salute the owner and creator of this new company for giving us a laugh, and wish them every success in their venture.
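The failure mode behind both names in this article, as an added example (not code from the original post): a Python/SQLite sketch contrasting a query built by string concatenation with a parameterized one. The `Students` table layout and the function names are assumptions made for illustration; the durable fix is binding values as parameters rather than trying to sanitize them.

```python
import sqlite3

# The two names quoted in the article, handled purely as data.
BOBBY = "Robert'); DROP TABLE Students;--"
COMPANY = '; DROP TABLE "COMPANIES";-- LTD'


def make_db():
    """Fresh in-memory database with one existing record (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Students (name TEXT)")
    db.execute("INSERT INTO Students VALUES ('Alice')")
    return db


def table_exists(db, table):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row is not None


def insert_vulnerable(db, name):
    # BAD: the name is pasted into the SQL text, so a quote inside it ends
    # the string literal and the remainder is parsed as SQL.
    # executescript() stands in for drivers that accept stacked statements.
    db.executescript("INSERT INTO Students (name) VALUES ('%s');" % name)


def insert_safe(db, name):
    # GOOD: the SQL text is fixed; the name travels separately as a bound
    # parameter and can never change the statement's structure.
    db.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def demo():
    results = {}

    db = make_db()
    insert_vulnerable(db, BOBBY)
    results["vulnerable_table_survives"] = table_exists(db, "Students")

    db = make_db()
    for name in (BOBBY, COMPANY):
        insert_safe(db, name)
    results["safe_table_survives"] = table_exists(db, "Students")
    results["stored"] = [
        r[0] for r in db.execute("SELECT name FROM Students ORDER BY rowid")
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

With parameter binding, both names are stored byte for byte as ordinary strings, which is what any system ingesting third-party company data should expect to handle.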

33 thoughts on “Little Bobby Tables Just Registered a Company…

  1. Ṫ̡̞̤̗͍̦̭̟̳͔̦͍͉̄̓̑̾͑ͧͭͤ̏ͧ̂͐̈̿̉ͤ͒̓͢͠ͅH̦͎̰̹̥̹̭̹͈̝̣͎͚̤͗͑ͮ̄̑ͨ̌ͦ͢͝E̵̶̷̳̳̯̝͖̪̰͒̒ͨ͊̓̽̈͂͒͛ͣ̓ͮ͐̄̍̿ͧ̎̕͠ ̧ͪ̉̒̽̋͒ͮͩ͛͏̡͉̜̹̜͔̠̬̝̙͡Ȍ̵̩̗̣̼̬̠ͭ̈ͩͥṈ̶̘̫̲͐̋͗̊̑̌̽͊ͩ͝L͉̦̻̝̦̹͎ͧ̃ͯ̆ͬ͛̑ͪ̽͑ͫͦ̉̂̋͘͜͠Ŷ̶̨̛̥̲̩̜̖̂ͪ͛͊͠ ̛ͫͥ̐̑̍̀̀̂̈̋̄̃̈͆͆̚̚͏̢҉͔̯͙̝͎̺̟͈Ţ̶͉͓͕̜̣͙̞͓̝̲̗̘̩̗̱͇͖͉͍́̓̓̚͟͞R̵̢͕͙͍̤͉̟͔̰͉̞̯̮̫͈̺̙͇ͦͥ̒ͩ͛͂̆̀̚͘Ǔ̧̠̥̻͕̘͚̫̹̺͙̼̫ͮ̍ͤ̒ͯ̔͊́̔͊ͮͫE̓͛̂ͧ͛ͤ̃̏ͧ̇͢҉̶͎͔͎̯̝͞͠ ̷̡̪̰͍̝̪̰̯̹̩̔ͯ̓ͤ̍ͧͪͧͬͦ̏ͪ͛̕C̶̭̺̜͈͇͇͎̰̲͍̄̓ͮ̽ͣͯͨͮͣ͘͞O̷̭̠͖̹̫̫̭̥̫̙̳̔͆̀́̉̅̂̃̀ͅR̨̔̎͛͒͐͐̓͏̦͉͙͔R̴͈̯̠̰͉̤̣̤͊̆ͫ͌̊̇ͩ̏̇ͭ̓̀͝ͅU̷̡͓͙̱͇͙̦͍̲̣̦͎̺̺͍̠͓͕̦͐̂̊ͣͩͪ͑̊͛̾́̄̂P̷̦̳̭̦̗͇̞̫̜̟̩̪̯̰͚͊̃͂̃̔̆̿́̐ͨ̏͆̃ͨ͂̄̄̚̚͢͢͝ͅT̡̰̺̝̺͚̗͇͎͓̼̮̥̹̜̙̥̟̘ͭ͌̔ͣ̇̽ͭ̽̉ͯ̄̂̈́͆ͬ͊͆ͯ̄́͘I̴̸̧͔͖̮͈͙̺̘̲̰̦͗̾͐̈́͛̃̈̅̋̐ͩ̓̑͝ͅO̷̴̙̰̙̠͍̙̱͔̼͙͚͚̓ͤͮ̉̐́ͮͧ́͝N̫̯̝̺̣͆̄ͧ̍ͯ͐̏͋̓ͮ̇̌ͥ̽̓͊͂͠ ̵̷̨̮͖̤͕̯͉͕̟͍͚͇̹͈͋̔ͭ̈ͥ̍ͬ́I̛̔̓̐̿͂͏̺̯̹͕̪̟Š̷̷̥̫͈̬̟͎̱͕̻̙̱̬̗̩̯̹̱̝̈́͋͂́̓̆̂̄̔̊ͫ̔ͮ͂́̚ ̧̰̦̞̤͍͓͓̟̤̘̺͔̰͕̦̊ͪ̔ͭ͊̃̑ͣ̎ͬ̊̓̽̾Z̴̫̱͈͍̤͖̟̝͚̦͈͙̤̟̠͚̀̑͊̏ͨ̇̂ͥ̌̚͜͡ͅA̶̢̰̩̩̱͉̩̘̟̯ͫ̓͛̂̉ͦ͊̓ͩ͆͆͐̿͊̀̀͘͠L̴̵̛͕͖̳̙̬̻̲̯̮͕͉̼ͯͫͮͥ̀ͧͪ͊G͛̓ͧ̓̆ͨ͐ͬ̅̌̇̑́̀͏̧̬͖̗̞̻̫̗͈͖̯̹̬Ò̼͓̯͕̲̲̠̪͍̗̹̇ͩͣ̒̒͛͗̄̊́̌ͫ̓͒̓̍̉̌͝

    1. This is awesome, I found a new way to mess with people.
      T͕̮͔̬̗ͦ̆̐ͭ͛̎͊ͧͭ̾̚ͅͅĤ̟̜̯̥̳̥̪̣͓̰̮̞̳̅ͫ͐̌̇̏̔ͥ̔ͅA͔̣͎̻̖̖̬̰͎̅̊͌ͣͥ̈̈͊ͧ̈̅̃̑̔̚N͎̹͈͉̥͇̤̗̘̱̈́ͩͥ̓ͮ͆̏́̋̿̈̀̈̈̓͐͋͆Ǩ̼̻̼̝̟̘̠̻͖̯͙͕̟͕̖͓͛ͭ̏̓ ̻̣̹̮̘̞͓͕͚͕̖̰͙̦͚͈̩ͪ̌͆͋̓͑ͤͅY͓̥̞̼̘̤̦̥͌͊ͥ͛̽̋ͩͫ̆̽̊̑ͬͧO̪͙̭̖̞̯͓̹̝͕̖͉̲͙̲ͧͪ̽̏ͥ̅͌ͭͣ̊̒ͅU̜̫̝̱̟̅͋͊ͫͬ̍ͥ̐̌ ̹͚̰̹̫͖̼͕̯̠͎̥̞̽͛̍̀̓ͤ̏̑͗̿̾̑͒́̉͂ͭ̚ͅͅZ̲̲̰̼͈̃ͯ̿̇͑ͩ͗̇ͨͅA̯̘̖͚̼̥̥̞̟̜̯̦̤̿ͯ̔ͯ̈́̉ͨ̔̆̍ͯ̉̅̓ͅĽ̩̰̲̜̙̙ͣ̍͊̂̄̉ͦ̌̎̓̂̓ͤͫͤ̚̚G̥̞̞̩̿̈̆ͤ͋̊̀͋̂O̬̤͉̰̖͙̱̪̞̙͓͉̯̮͈͔͑ͩ͂͗̎̐̎̒̆

      1. P̭͔͓̹̉͂ͭ̈̈́̓R̟̻̮̬̫̞̒ͪͩ̎́͂͑̄̌͂ͮ̾Ă̭͓̲̮͈̬̊̐̅ͮ̅ͤ̃͛ͥ͛̔ͤ̈́ͅÍ̠͈̟̩̭̞͍̻̯͔͚̼̋ͥ̏̊̂̽̎̊̉͆ͨ͑̈ͩ̚S̘̜̘̤͚͔̮͚̘̯͕͇͇͖ͮͬ͒ͨͅE͓̗̹̝͇̳̩̙̱̥ͧ̂ͬ͒̀̔̈̓ͥ̎͗̎̓͛̎ͫͣ ̥̗̖̟ͤ̊ͫ̀̍̃ͣ͂̍̌ͮ͋ͩ̏̉́̓ͩ͆Z̖̺̦̖͋̊̏ͪͩ̊̊̊͗ͅẠ̙̖͙̱͍̍͒̇L̳͉̪̺̰͙̥̹͕͎̗̩͉̥̩̝͎̖̺ͭ̈́ͪ́̿̈́ͮ̿͌ͤ͊̉ͮͥ̿̓͐G̻͈͔̱ͩͭͫ̾̑̎O̳̦̮̼͙̘̥͖͙̯̳̘̦̻͇̹͍̻ͩͣ̉ͣ̿̈̈͛̍

    2. &̬͘l͉͉̲͠t̛;́a̲̮͈͚̺̝̲n̮ǵ̞ĺ͔̟͔̟̰e͏͉̬̥̰ ̧b̹̗͚͈r̦̭̱a̘̥c͖̫̭̼͔ḳ̖͙̟eț̰̘̟͕s̴̝&̟͙̠̱̖̻̹͢ģt͇̗͚̤̺̖̙;̧͉̻W̙h͕̺̻͇̗̗̳͝a̫̻͍͈̠͙̬͡t̼̼̗͖͉͙͉ ̯͙̝̞̰hąp̶̱̞p͜e̜͡n̵͔̭̳͈̝e͇͈̖͙d̙̥́?̫͖͉͇ͅ&̸͇̳̼͔̮l͖͜t̳̕;̧͎/̞͇̲͕̙̬͠ͅa̯̝̺͇͍͙̬n̞͈̬g̺͎l̝̦̲̖̳̭̘e̖̮̖̗ͅ ̼̻̞̘̝̫͎̀b̩̬̰̣ͅr̫̥̹͖͠ą̞͙̳̱͙̹̹c̦̮̭k̺͍̠͉̞͇e̸͕̤̫͙͍̰t̹̮̟̻͎̺s&̢̙̭̙̠̰̖ͅǵ̮̥͙t̟̤̥̲̟;͞

  2. I’m wondering what’s happening to all those marketing companies that scrape data from Companies House. I bet a few of them would assume the data coming in is clean and sane: let’s see if any of them come forward after trashing their databases.

  3. On an aircraft, the place where you put your meal / laptop is usually called a “drop tray”
    If this new company is selling such a product, they could call it a “drop table”. And as such, they should be allowed to keep the name.

    That’s how I see the argument going, anyway.

  4. I accidentally made myself an administrator of a website and web-based app I was signing up for and was therefore unable to use said site as my device was unable to load dev files and did not give a reasonable error message as to why it was not working. tech support was unaware of ANY error messages of the software they were selling access to and therefore were unable to recognise WHY it was that I was unable to access my account EVEN FROM THE COURTESY COMPUTER PROVIDED FOR USAGE DEMONSTRATIONS OF SAID SOFTWARE.

    it was only after waiting hours each visit (until closing time) for days with customer support that I figured it out. I walked in and told them: I ACCIDENTALLY MADE MYSELF A DEVELOPER AND/OR ADMINISTRATOR OF YOUR WEBSITE AND THAT IS WHY YOUR SITE WON’T WORK FOR ME AS I DO NOT HAVE YOUR DEV FILES, 24 hours later I was able to “get in” to said paid website, where I proceeded to copy the entire lump of info (against the rules) and then proceeded to print EVERY SINGLE PAGE… over 600 pages.

    they never got any usage-statistics or money from me ever again.

    the secret fake-name that activated dev mode?
    firstname: firstname
    lastname: lastname

    I won’t tell you the site because chances are they only fixed my account and the system is still broken. also, they know my real name etc.
    if you don’t understand why it’s a security issue you need to understand one thing: (dev)code can be easily copied, but dev or admin logins are hard to come by.

    let this be a lesson to everyone who thinks the boss will never find out just how lazy and/or uncreative you are, eventually ALL Firstname’s get found out to all be related to the Lastname family. XD
