Magic string

Last updated August 22, 2023

In computer programming, a magic string is an input that a programmer believes will never come externally and which activates otherwise hidden functionality. A user of this program would likely provide input that gives an expected response in most situations. However, if the user does in fact innocently provide the pre-defined input, invoking the internal functionality, the program response is often quite unexpected to the user (thus appearing "magical").^[1]

Background

Typically, the implementation of magic strings is due to time constraints. A developer must find a fast solution instead of delving more deeply into a problem and finding a better solution.

For example, when testing a program that takes a user's personal details and verifies their credit card number, a developer may decide to add a magic string shortcut whereby entering the unlikely input of "***" as a credit card number would cause the program to automatically proceed as if the card were valid, without spending time verifying it. If the developer forgets to remove the magic string, and a user of the final program happens to enter "***" as a placeholder credit card number while filling in the form, the user would inadvertently trigger the hidden functionality.

Resolution

Situations/issues of cause

Often there are significant time constraints out of the developer's control right from the beginning of their involvement in a project. Common issues that might lead to this anti-pattern as a result:

Null != null^[2] or any variation where a data type doesn't compare bitwise to a supposedly identical type. This is an issue that can even occur within the same development environment (same programming language and compiler). This problem has a long history for numerical and boolean types and most compilers handle this well (with applicable warnings and errors, default resolution, etc...). Nullable types such as strings have the difficulty of historically different definitions for NULL. The errors/warnings produced are often general or a 'best fit' default error whose message does not actually describe what's going on. If the developer can't get enough clues to track the issue down through debugging, taking a short cut, and coding in a 'default' string, may be the only way to keep the project on schedule. One solution to this may be the application of the Null Object pattern.^[3]
Programmed into a corner. Sometimes a design seems straightforward and even simple but turns out to have a logical flaw, dependent upon the possible user inputs, due to an often unforeseen circumstance towards the end of planned development. Thus a developer might feel the need to implement a user input with special security/operational allowances to deal with such circumstances. This can be particularly ironic since it will sometimes become obvious that a more robust design from the beginning would likely have left room to handle the flaw. However this would perhaps have taken too much time to implement and it might have conflicted with the fundamental engineering concept of KISS, keeping a design and implementation simple and meeting only the initial necessary requirements.
Allowing external access to a global flag.^[4] Over-confidence that a global flag can never be set accidentally or maliciously (often a quite reasonable assumption) justifies such implementation for testing and debug purposes, especially for small applications with simple interfaces. If the distribution of the program is considerable however, it is usually just a matter of time before somebody sets the flag. An obvious solution is to never use a global variable in such a manner. A developer might also make the flag circumstantially accessible. So the magic string by itself would be dealt with by the program as any other input.^[5] The user has to then reproduce the setting as well as produce some collection of other events, that the user interface discreetly allows, for the flag to accept the setting; a far more unlikely scenario, though still possible.

Strict formatting

Restricting the format of the input is a possible maintenance (bug fixing) solution.^{[ clarification needed ]} Essentially, this means validating input information to check that it is in the correct format, in order to reduce the possibility of the magic string being discovered by the user. Examples include validating a telephone number to ensure that it contains only digits (and possibly spaces and punctuation to a limited extent) or checking that a person's name has a forename and a surname (and is appropriately capitalised). An exception is made for the magic string in the validation code so that it will not be rejected by validation. It is expected that, since a user would likely quickly notice the strict enforcement of formatting, it would likely not occur to the user to try inputting a string not conforming to the format. Therefore, it is very unlikely for the user to try the magic string.

As with any input validation process, it is important to ensure that the format is not restrictive in a way that unintentionally restricts the use of the application by some users. An example of this is restricting telephone number or postal code ^[6] input based on one country's system (e.g. requiring every user to give a five-digit ZIP code), causing problems for legitimate users who are based in other countries.

Purposeful implementation

As is often the case with anti-patterns, there exists specific scenarios where magic strings are a correct solution for an implementation. Examples include cheat codes ^[7] and Easter eggs. Furthermore, there are cases when users invent magic strings, and systems that have not coded to accept them can produce unexpected results such as missing license plates.^[8]

Incidents

The following is a list of some known incidents where use of a magic string has caused problems.

In several different cases, motorists with personalized strings on their vehicle registration plates have received incorrect traffic tickets. In affected ticketing systems, when police officers would fill out a traffic ticket for a car with no registration plate, they would write "NOPLATE", "NOTAG", "MISSING", or similar. This caused issues when motorists were granted actual registration plates with these values, and thus began receiving numerous traffic tickets intended for these plateless vehicles.^[8]
In 1999, hackers revealed a security flaw in Hotmail that permitted anybody to log in to any Hotmail account using the password 'eh'. At the time it was called "the most widespread security incident in the history of the Web".^[9]
People with the last name Null have reported a variety of problems using online systems, such as being unable to book plane tickets, use government tax websites, or pay utility bills.^[10] The issue stems from these systems confusing their name for a null pointer. Depending on the system, this may cause the system to not show their name, to ask the user to enter a different name (sometimes with a message claiming that the name field had been left blank), or to show an error message.^[11]

Related Research Articles

In computer programming, a string is traditionally a sequence of characters, either as a literal constant or as some kind of variable. The latter may allow its elements to be mutated and the length changed, or it may be fixed. A string is generally considered as a data type and is often implemented as an array data structure of bytes that stores a sequence of elements, typically characters, using some character encoding. String may also denote more general arrays or other sequence data types and structures.

Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unforeseen circumstances. Defensive programming practices are often used where high availability, safety, or security is needed.

In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of "snow" and "ball" is "snowball". In certain formalisations of concatenation theory, also called string theory, string concatenation is a primitive notion.

A string literal or anonymous string is a literal for a string value in the source code of a computer program. Modern programming languages commonly use a quoted sequence of characters, formally "bracketed delimiters", as in x = "foo", where "foo" is a string literal with value foo. Methods such as escape sequences can be used to avoid the problem of delimiter collision and allow the delimiters to be embedded in a string. There are many alternate notations for specifying string literals especially in complicated cases. The exact notation depends on the programming language in question. Nevertheless, there are general guidelines that most modern programming languages follow.

The printf family of functions in the C programming language are a set of functions that take a format string as input among a variable sized list of other values and produce as output a string that corresponds to the format specifier and given input values. The string is written in a simple template language: characters are usually copied literally into the function's output, but format specifiers, which start with a % character, indicate the location and method to translate a piece of data to characters. The design has been copied to expose similar functionality in other programming languages.

Uncontrolled format string is a type of software vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf . A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted to an address stored on the stack.

<span class="mw-page-title-main">Code injection</span> Computer bug exploit caused by invalid data

Code injection is the exploitation of a computer bug that is caused by processing invalid data. The injection is used by an attacker to introduce code into a vulnerable computer program and change the course of execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

In computer science, the Boolean is a data type that has one of two possible values which is intended to represent the two truth values of logic and Boolean algebra. It is named after George Boole, who first defined an algebraic system of logic in the mid 19th century. The Boolean data type is primarily associated with conditional statements, which allow different actions by changing control flow depending on whether a programmer-specified Boolean condition evaluates to true or false. It is a special case of a more general logical data type—logic does not always need to be Boolean.

Hard coding is the software development practice of embedding data directly into the source code of a program or other executable object, as opposed to obtaining the data from external sources or generating it at runtime. Hard-coded data typically can only be modified by editing the source code and recompiling the executable, although it can be changed in memory or on disk using a debugger or hex editor. Data that are hard-coded is best for unchanging pieces of information, such as physical constants, version numbers and static text elements. Softcoded data, on the other hand, encode arbitrary information through user input, text files, INI files, HTTP server responses, configuration files, preprocessor macros, external constants, databases, command-line arguments, and are determined at runtime.

XMLHttpRequest (XHR) is a JavaScript class containing methods to asynchronously transmit HTTP requests from a web browser to a web server. The methods allow a browser-based application to make a fine-grained server call and store the results in XMLHttpRequest's responseText attribute. The XMLHttpRequest class is a component of Ajax programming. Prior to Ajax, an HTML form needed to be completely sent to the server followed by a complete browser page refresh.

<span class="mw-page-title-main">Null (SQL)</span> Marker used in SQL databases to indicate a value does not exist

In SQL, null or NULL is a special marker used to indicate that a data value does not exist in the database. Introduced by the creator of the relational database model, E. F. Codd, SQL null serves to fulfil the requirement that all true relational database management systems (RDBMS) support a representation of "missing information and inapplicable information". Codd also introduced the use of the lowercase Greek omega (ω) symbol to represent null in database theory. In SQL, NULL is a reserved word used to identify this marker.

A scanf format string is a control parameter used in various functions to specify the layout of an input string. The functions can then divide the string and translate into values of appropriate data types. String scanning functions are often supplied in standard libraries.Scanf is a function that reads formatted data from the standard input string, which is usually the keyboard and writes the results whenever called in the specified arguments.

An entity–attribute–value model (EAV) is a data model optimized for the space-efficient storage of sparse—or ad-hoc—property or data values, intended for situations where runtime usage patterns are arbitrary, subject to user variation, or otherwise unforseeable using a fixed design. The use-case targets applications which offer a large or rich system of defined property types, which are in turn appropriate to a wide set of entities, but where typically only a small, specific selection of these are instantated for a given entity. Therefore, this type of data model relates to the mathematical notion of a sparse matrix.

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

<span class="mw-page-title-main">Comment (computer programming)</span> Explanatory note in the source code of a computer program

In computer programming, a comment is a programmer-readable explanation or annotation in the source code of a computer program. They are added with the purpose of making the source code easier for humans to understand, and are generally ignored by compilers and interpreters. The syntax of comments in various programming languages varies considerably.

In object-oriented computer programming, a null object is an object with no referenced value or with defined neutral (null) behavior. The null object design pattern, which describes the uses of such objects and their behavior, was first published as "Void Value" and later in the Pattern Languages of Program Design book series as "Null Object".

Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped—special characters are prefixed with a backslash—before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to SQL injection attacks.

The null coalescing operator is a binary operator that is part of the syntax for a basic conditional expression in several programming languages, including C#, PowerShell as of version 7.0.0, Perl as of version 5.10, Swift, and PHP 7.0.0. While its behavior differs between implementations, the null coalescing operator generally returns the result of its left-most operand if it exists and is not null, and otherwise returns the right-most operand. This behavior allows a default value to be defined for cases where a more specific value is not available.

<span class="mw-page-title-main">Secure coding</span> Software development methodology

Secure coding is the practice of developing computer software in such a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

PL/SQL is Oracle Corporation's procedural extension for SQL and the Oracle relational database. PL/SQL is available in Oracle Database, Times Ten in-memory database, and IBM Db2. Oracle Corporation usually extends PL/SQL functionality with each successive release of the Oracle Database.

References

↑ Chris Falter (March 6, 2008), A Good Solution for Magic String Data, Egghead Cafe Tuturiols, retrieved May 11, 2009
↑ Wang Lam (May 21, 2003), The Behavior of NULL's in SQL, Stanford University, retrieved May 13, 2009
↑ Eric Freeman, Elisabeth Freeman, Kathy Sierra, Bert Bates; 2004, Head First Design Patterns, 1st ed., O'Reilly, Chapter 6, pg. 214, The Command Pattern, ISBN 0-596-00712-4, ISBN 978-0-596-00712-6
↑ James McCaffrey (2009), Test Automation for ASP.NET Web Apps with SSL, Microsoft, retrieved May 13, 2009
↑ Andrew Cumming; 2007, SQL Hacks, 1st ed., O'Reilly, pg. 174, Prevent an SQL Injection Attack, ISBN 0-596-52799-3, ISBN 978-0-596-52799-0
↑ Brian Knight, Allan Mitchell, Darren Green, Douglas Hinson, Kathi Kellenberger; 2005, Professional SQL server 2005 integration services, 1st ed., John Wiley and Sons, Chapter 5, pg. 129, Handling Dirty Data, ISBN 0-7645-8435-9, ISBN 978-0-7645-8435-0
↑ Sezen, Tonguc Ibrahim; Isikoglu, Digdem (April 27, 2007). "From Ozans to God-Modes: Cheating in Interactive Entertainment From Different Cultures" (PDF). p. 8. Retrieved January 24, 2009.
1 2 "What Happens when Your License Plate Says 'NO PLATE'?". October 30, 1999.
↑ Glave, James (August 30, 1999). "Hotmail Hackers: 'We Did It'". Wired . Condé Nast. Retrieved November 3, 2007.
↑ Baraniuk, Chris (March 25, 2016). "These unlucky people have names that break computers". BBC.com . Retrieved January 30, 2022.
↑ Null, Christopher (November 5, 2015). "Hello, I'm Mr. Null. My Name Makes Me Invisible to Computers". Wired . Retrieved January 30, 2022.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[CFalter1-1] Chris Falter (March 6, 2008), A Good Solution for Magic String Data, Egghead Cafe Tuturiols, retrieved May 11, 2009

[WLam-2] Wang Lam (May 21, 2003), The Behavior of NULL's in SQL, Stanford University, retrieved May 13, 2009

[Freeman-3] Eric Freeman, Elisabeth Freeman, Kathy Sierra, Bert Bates; 2004, Head First Design Patterns, 1st ed., O'Reilly, Chapter 6, pg. 214, The Command Pattern, ISBN 0-596-00712-4, ISBN 978-0-596-00712-6

[JMcCaffrey-4] James McCaffrey (2009), Test Automation for ASP.NET Web Apps with SSL, Microsoft, retrieved May 13, 2009

[ACumming-5] Andrew Cumming; 2007, SQL Hacks, 1st ed., O'Reilly, pg. 174, Prevent an SQL Injection Attack, ISBN 0-596-52799-3, ISBN 978-0-596-52799-0

[BKnight-6] Brian Knight, Allan Mitchell, Darren Green, Douglas Hinson, Kathi Kellenberger; 2005, Professional SQL server 2005 integration services, 1st ed., John Wiley and Sons, Chapter 5, pg. 129, Handling Dirty Data, ISBN 0-7645-8435-9, ISBN 978-0-7645-8435-0

[CC-7] Sezen, Tonguc Ibrahim; Isikoglu, Digdem (April 27, 2007). "From Ozans to God-Modes: Cheating in Interactive Entertainment From Different Cultures" (PDF). p. 8. Retrieved January 24, 2009.

[noplate-snopes-8] 1 2 "What Happens when Your License Plate Says 'NO PLATE'?". October 30, 1999.

[eh-9] Glave, James (August 30, 1999). "Hotmail Hackers: 'We Did It'". Wired . Condé Nast. Retrieved November 3, 2007.

[10] Baraniuk, Chris (March 25, 2016). "These unlucky people have names that break computers". BBC.com . Retrieved January 30, 2022.

[11] Null, Christopher (November 5, 2015). "Hello, I'm Mr. Null. My Name Makes Me Invisible to Computers". Wired . Retrieved January 30, 2022.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]