Tuesday, November 18, 2008

Never Buy From Next Day Flyers.com

Next Day Flyers.com doesn't escape the "escape characters" (such as the single quote) in user input before putting it into their SQL queries, which allows users to execute arbitrary queries. In the programming industry this is called "SQL Injection". If your credit card information is stored on a database on their server, any programmer worth his salt can quite easily get a hold of it. I have two accounts with nextdayflyers.com that I did my best to scrub.

My programmer friend, Jon, called them and pleaded with them to fix it or to put him in touch with their webmaster, and their response was "...oh, 'that's' impossible, we're behind a 'secure wall'."

What the bucaaaak is a "secure wall"? You mean a firewall? That thing that lets traffic through to execute queries on your database?

Jon tells me this is an old type of attack and there is no reason not to account for it. Since nextdayflyers.com refused to listen to his multiple and polite attempts at warning them, I will take my business elsewhere and I recommend you do the same.

[Comic: "Exploits of a Mom", from xkcd.com]

3 comments:

  1. Louis, we value your business and your privacy. As soon as it came to our attention that there was a potential issue with our site, we resolved it immediately. What we did not do in a timely manner, and should have done, was communicate that to you or your friend. For that, we sincerely apologize. Thank you for your feedback.

    Sarah Crawford
    NextDayFlyers - Marketing Manager

  2. Hi Sarah - I double-checked after seeing your comment, and the issue is still not resolved. Entering a value containing a single quote character (the ' character) into any of the input fields on your site verifies it's not fixed. In order to protect your site from SQL injection, every value that comes from a web page has to be run through the mysql_real_escape_string function before it's used in a database query. To emphasize - just removing the ' character from input strings isn't enough, you have to use mysql_real_escape_string. It's built into PHP and needs to be used on any data you get from the user.

  3. On a whim yesterday I checked out NextDayFlyers.com again just to see if they still hadn't patched the issue. They now have.

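The flaw the post describes (a quote typed into a form field reaching the SQL parser) and the single-quote check and escaping advice in comment 2, shown as a worked example. This is an added illustration, not code from the post or from the NextDayFlyers site: it uses Python with an in-memory SQLite table in place of the site's PHP/MySQL stack, and the table, account data and function names are all constructed for the demo. It also goes one step beyond comment 2: mysql_real_escape_string was MySQL-specific and the mysql_* extension it belonged to has since been removed from PHP, and escaping only protects values that sit inside quotes, so the block shows why a numeric field stays injectable after quote-stripping and how parameterized (prepared) queries close both cases.

```python
import sqlite3

# Constructed sample data for the demo: these are not real accounts or card numbers.
SAMPLE_ACCOUNTS = [
    ("louis", "hunter2", "4111 1111 1111 1111"),
    ("sarah", "flyers123", "5500 0000 0000 0004"),
    ("jon", "s3cret!", "3400 0000 0000 009"),
]

# Attacker inputs used below.
DUMP_ALL_PASSWORD = "' OR '1'='1"   # closes the string literal, ORs in a tautology
DUMP_ALL_ID = "1 OR 1=1"            # needs no quote at all in a numeric context


def make_db():
    """In-memory SQLite table standing in for the site's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, password, card) VALUES (?, ?, ?)", SAMPLE_ACCOUNTS
    )
    return conn


# --- What the post describes: user input concatenated straight into the query ---

def login_vulnerable(conn, username, password):
    sql = ("SELECT username, card FROM accounts WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def lookup_vulnerable(conn, account_id):
    # Numeric context: the value is never inside quotes, so quotes are irrelevant.
    sql = "SELECT username, card FROM accounts WHERE id = " + account_id
    return conn.execute(sql).fetchall()


# --- The "just remove the ' character" half-fix that comment 2 warns against ---

def login_strip_quotes(conn, username, password):
    return login_vulnerable(conn, username.replace("'", ""), password.replace("'", ""))


def lookup_strip_quotes(conn, account_id):
    return lookup_vulnerable(conn, account_id.replace("'", ""))


# --- Escaping in the spirit of mysql_real_escape_string (SQLite doubles the quote) ---

def sql_escape(value):
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    # Works for quoted string contexts only; it has nothing to do for lookup_vulnerable.
    return login_vulnerable(conn, sql_escape(username), sql_escape(password))


# --- Parameterized queries: the driver keeps SQL text and data apart ---

def login_parameterized(conn, username, password):
    sql = "SELECT username, card FROM accounts WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def lookup_parameterized(conn, account_id):
    # Validate the type first; a non-integer never reaches the query at all.
    try:
        account_id = int(account_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT username, card FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


def quote_probe_breaks(login_fn):
    """Comment 2's check: put a lone ' in a field and see whether the query
    is corrupted. True means the quote reached the SQL parser (injectable)."""
    try:
        login_fn(make_db(), "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    """Run every variant against the same attacker inputs; rows returned = cards leaked."""
    return {
        "probe breaks vulnerable": quote_probe_breaks(login_vulnerable),
        "probe breaks parameterized": quote_probe_breaks(login_parameterized),
        "cards leaked, vulnerable login": len(login_vulnerable(make_db(), "anyone", DUMP_ALL_PASSWORD)),
        "cards leaked, escaped login": len(login_escaped(make_db(), "anyone", DUMP_ALL_PASSWORD)),
        "cards leaked, quote-stripped lookup": len(lookup_strip_quotes(make_db(), DUMP_ALL_ID)),
        "cards leaked, parameterized lookup": len(lookup_parameterized(make_db(), DUMP_ALL_ID)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The lone-quote probe is a good first check but a clean result from it is not proof of a fix: `login_strip_quotes` passes the probe, yet the same quote-stripping leaves `lookup_strip_quotes` dumping every row for the input `1 OR 1=1`. Escaping closes the string case only; binding parameters (plus validating the type of numeric fields) closes both.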
