Wednesday, August 9th, 2006

When good AJAX training goes horrifically wrong.

Category: Editorial

Not everyone out there teaching Ajax methods quite knows what they’re doing – as Dan Morrill found out. The training session he was attending was going along just fine until the instructors began talking about “properly formatted XML” and the query they used to pull the database records for it.

I am in AJAX training this week learning the process of “properly formatted XML”. They have us going through, writing code, getting data out of databases, all the things that you would normally do with tabulated code. Just one problem (spot the errors with this code set).

  strConnstring = "server=(local); Driver=(SQL server); database=(DbCustomers); UID="name"; PWD="secret"
  strSearch = "SELECT * FROM tblCustomers WHERE ustid=' " & strSearch & "'"

Honestly and no kidding this was the code set they were using for the select statement read string for the AJAX application.

There are at least a few errors in there – 1 cross-site scripting issue, 2 SQL injection points, and a problem with the resulting URL that lets the user access things he shouldn’t. Add to that the database running on the same machine as the web server (server=(local)), and it spells trouble. He also comments on the quality of some of the training out there:

AJAX is only as good as the examples that the developers have. While it is great to have properly formatted XML and HTML as the output, the basics of information security still have to apply to the process. AJAX is a really great way of embedding dynamic data into a web page without having to go through the entire page load process that we otherwise work with on a Web Server.

But AJAX is not an excuse for following very poor coding practices that have been pretty well deprecated over the last couple of years since cross site scripting and SQL injection have become pretty familiar terms to many in the IT industry.
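As an added illustration (not code from the post, the course or Dan Morrill), here is the concatenated query pattern above placed beside a parameterized one, with the XML output escaped as well. Python’s sqlite3 stands in for the SQL Server connection, and the tblCustomers rows are constructed sample data.

```python
import sqlite3
from xml.sax.saxutils import escape, quoteattr

# Constructed stand-in for the course's tblCustomers table (sqlite3 in place of SQL Server).
SAMPLE_ROWS = [
    ("c100", "Alice", "alice@example.com"),
    ("c200", "Bob <bob@example.com>", "bob@example.com"),
    ("c300", "O'Brien", "obrien@example.com"),
]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblCustomers (ustid TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO tblCustomers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, ustid):
    """The course's pattern: the user-supplied id is spliced into the SQL text,
    so a quote in the input changes the query's structure instead of its data."""
    sql = "SELECT * FROM tblCustomers WHERE ustid='" + ustid + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, ustid):
    """Hardened form: the value is bound as a parameter and can never become SQL."""
    return conn.execute(
        "SELECT * FROM tblCustomers WHERE ustid=?", (ustid,)
    ).fetchall()


def rows_to_xml(rows):
    """'Properly formatted XML' must also escape field values; otherwise a name
    like 'Bob <bob@example.com>' breaks the document or injects markup."""
    items = "".join(
        "<customer id=%s><name>%s</name><email>%s</email></customer>"
        % (quoteattr(uid), escape(name), escape(email))
        for uid, name, email in rows
    )
    return "<customers>" + items + "</customers>"


def compare(ustid):
    """Row counts returned by both query builders for the same input."""
    conn = open_sample_db()
    return len(search_concatenated(conn, ustid)), len(search_parameterized(conn, ustid))


if __name__ == "__main__":
    print(compare("c300"))          # (1, 1): an ordinary id behaves the same both ways
    print(compare("x' OR '1'='1"))  # (3, 0): concatenation returns every row, binding none
    print(rows_to_xml(search_parameterized(open_sample_db(), "c200")))
```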

Posted by Chris Cornutt at 7:52 am

6 Comments »


Hm… but was the Ajax part of the course good? Sure, the things they did were wrong, but it doesn’t have anything to do with Ajax, so what is the problem?

Mats

Comment by Mats Henricson — August 9, 2006

Retarded post. If the training was on AJAX, I would expect the database example code to be sparse because those backend security issues HAVE NOTHING TO DO WITH AJAX. If teaching the class I probably would have done the same thing to save time and then said “…and here is where you’d actually want to do this and this, but for the sake of this AJAX TRAINING COURSE, I’m going to skip that stuff so we can move back on to the AJAX SPECIFIC MATERIAL”

…retarded post

Comment by Ryan Gahl — August 9, 2006

Right on (as usual), Ryan. If you’re ever in the neighbourhood of Holland, please give me a ring and we’ll drink a beer. You sound like a fun guy. And I admire you battling this comment-thing again and again.

Next retarded post please…

Comment by lon — August 9, 2006

Good comments Ryan. What one needs to focus on while sitting in a training class is the concepts, and use their own common sense on certain things. Training classes are usually packed with a lot of topics and usually there is a time crunch. With 10 or 12 people, a trainer not only has to deliver the technical content in a simple fashion, but also has to do a LOT OF TIME MANAGEMENT without the students even feeling it. So, sometimes the examples they pick may not be the best of the designs, but are good enough to explain the concepts.

If somebody feels that they are smart enough to know what’s going on, they should not be in training in the first place. Learn it yourself, it’s not a tough concept to learn anyways.

Comment by karan — August 12, 2006

so, there’s nothing wrong with an instructor teaching techniques that could get you fired?

meanwhile, the cracking continues.

Comment by mdm-adph — August 15, 2006

mdm-adph: If the course was about how to write code to connect to a DB, then it would be a pretty lame course. As it is, there’s a number of ways to deal with the DB connection, which are language specific.

Given that the instructor was talking about “properly formatted XML”, I think it is within the realm of acceptability that the instructor does not embark upon a 15 minute digression on SQL injection techniques.

Your post is sensationalist bullshit of the Tabloid Mentality; panic and hyperbole, FUD and Awe. If you were to develop some code for me, which sent credit card details to an Access DB in the clear because you picked it up at a seminar on UI programming, I’d fire you. Not because of the quality of the code, but because you would be a complete retard.

Comment by TDS — September 5, 2006
