10:53 Verified by Visa and SSL are not a panacea
I had been at sea for two weeks and only got home this evening, worn out by the long flights. A friend calls with an urgent request to e-mail him some documents. My Internet isn't paid up, and the nearest QIWI terminal is about a 15-minute walk away. I remember that my ISP recently added the option of paying with a bank card. I log into the customer area on the ISP's site, follow the right link, and am glad to see the page open despite my lack of Internet access. I notice the familiar name of the bank, the https in the address bar, the «Verified by Visa» logo (yes, it's just the name of an additional security measure, but still, "verified by Visa"). Can I trust this site with my card number and CVV2? It seems so. I fill out the form and press "Pay"... and see a white page with a single line of text:

Could not insert: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'ya Ivanov','', '0 ','',' 127.0.0.1 ',' https://web3ds.bank-name.ru:3443/cgi-bi 'at line 1

Great. What were the bank employees who issued my card thinking when they hammered an unnecessary apostrophe into the «Card Holder's Name» field? And what was the programmer thinking, substituting user-submitted data into an SQL query without escaping it (what is this, if not an SQL injection)? I remembered the xkcd comic, closed the page, got dressed, went outside and trudged off to the nearest QIWI terminal.

P. S. Never ask your users to enter something "without spaces". It is easier for the developer to write a regular expression once to process the input than for every user to read and make sense of the captions under the fields.
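The two points of the post, an apostrophe in the card holder's name breaking a string-concatenated INSERT, and the P.S. about normalising input in code instead of instructing users, can be shown side by side. The following is an added example, not code from the post or from the bank in question; it uses Python's sqlite3 as a stand-in for the MySQL database on the page, and the table name `payments`, the function names, and the card holder name "Sean O'Brien" are all constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """In-memory SQLite database standing in for the bank's MySQL table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (holder TEXT NOT NULL, amount INTEGER NOT NULL)")
    return conn


def insert_unsafe(conn, holder, amount):
    """The pattern behind the error on the page: user input spliced into the SQL text.
    An apostrophe in `holder` terminates the string literal early, the rest of the
    name is parsed as SQL, and the database reports a syntax error."""
    sql = "INSERT INTO payments (holder, amount) VALUES ('%s', %d)" % (holder, amount)
    conn.execute(sql)
    conn.commit()


def insert_safe(conn, holder, amount):
    """Parameterised query: the driver passes the value separately from the
    statement text, so an apostrophe is just data, never SQL."""
    conn.execute("INSERT INTO payments (holder, amount) VALUES (?, ?)", (holder, amount))
    conn.commit()


_WHITESPACE = re.compile(r"\s+")


def normalize_holder_name(raw):
    """The P.S. point: rather than telling users to type 'without spaces', tidy the
    input once in code. Trims, collapses runs of whitespace to a single space and
    upper-cases to match the embossed name on the card."""
    return _WHITESPACE.sub(" ", raw.strip()).upper()


def demo():
    """Runs both INSERT variants on a constructed name containing an apostrophe.
    Returns (unsafe_failed, stored_holders): the unsafe insert fails with a syntax
    error and stores nothing; the parameterised insert stores the name intact."""
    holder = normalize_holder_name("  Sean   O'Brien ")  # constructed sample input
    conn = make_db()
    unsafe_failed = False
    try:
        insert_unsafe(conn, holder, 100)
    except sqlite3.OperationalError:
        unsafe_failed = True
    insert_safe(conn, holder, 100)
    stored = [row[0] for row in conn.execute("SELECT holder FROM payments").fetchall()]
    return unsafe_failed, stored


if __name__ == "__main__":
    print(demo())
```

The unsafe variant fails loudly here because SQLite rejects the malformed statement, which is exactly the symptom the post describes; the parameterised variant accepts the same name without any escaping logic in the application. Normalising whitespace server-side is what makes the "no spaces" caption under the form field unnecessary.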