Magic string

Last updated

In computer programming, a magic string is an input that a programmer believes will never come externally and which activates otherwise hidden functionality. A user of this program would likely provide input that gives an expected response in most situations. However, if the user does in fact innocently provide the pre-defined input, invoking the internal functionality, the program response is often quite unexpected to the user (thus appearing "magical"). [1]

Contents

Background

Typically, the implementation of magic strings is due to time constraints. A developer must find a fast solution instead of delving more deeply into a problem and finding a better solution.

For example, when testing a program that takes a user's personal details and verifies their credit card number, a developer may decide to add a magic string shortcut whereby entering the unlikely input of "***" as a credit card number would cause the program to automatically proceed as if the card were valid, without spending time verifying it. If the developer forgets to remove the magic string, and a user of the final program happens to enter "***" as a placeholder credit card number while filling in the form, the user would inadvertently trigger the hidden functionality.

Resolution

Situations/issues of cause

Often there are significant time constraints out of the developer's control right from the beginning of their involvement in a project. Common issues that might lead to this anti-pattern as a result:

Strict formatting

Restricting the format of the input is a possible maintenance (bug fixing) solution.[ clarification needed ] Essentially, this means validating input information to check that it is in the correct format, in order to reduce the possibility of the magic string being discovered by the user. Examples include validating a telephone number to ensure that it contains only digits (and possibly spaces and punctuation to a limited extent) or checking that a person's name has a forename and a surname (and is appropriately capitalised). An exception is made for the magic string in the validation code so that it will not be rejected by validation. It is expected that, since a user would likely quickly notice the strict enforcement of formatting, it would likely not occur to the user to try inputting a string not conforming to the format. Therefore, it is very unlikely for the user to try the magic string.

As with any input validation process, it is important to ensure that the format is not restrictive in a way that unintentionally restricts the use of the application by some users. An example of this is restricting telephone number or postal code [6] input based on one country's system (e.g. requiring every user to give a five-digit ZIP code), causing problems for legitimate users who are based in other countries.

Purposeful implementation

As is often the case with anti-patterns, there exist specific scenarios where magic strings are a correct solution for an implementation. Examples include cheat codes [7] and Easter eggs. Furthermore, there are cases when users invent magic strings, and systems that have not coded to accept them can produce unexpected results such as missing license plates. [8]

Incidents

The following is a list of some known incidents where use of a magic string has caused problems.

See also

Related Research Articles

<span class="mw-page-title-main">String (computer science)</span> Sequence of characters, data type

In computer programming, a string is traditionally a sequence of characters, either as a literal constant or as some kind of variable. The latter may allow its elements to be mutated and the length changed, or it may be fixed. A string is generally considered as a data type and is often implemented as an array data structure of bytes that stores a sequence of elements, typically characters, using some character encoding. String may also denote more general arrays or other sequence data types and structures.

Defensive programming is a form of defensive design intended to develop programs that are capable of detecting potential security abnormalities and make predetermined responses. It ensures the continuing function of a piece of software under unforeseen circumstances. Defensive programming practices are often used where high availability, safety, or security is needed.

In formal language theory and computer programming, string concatenation is the operation of joining character strings end-to-end. For example, the concatenation of "snow" and "ball" is "snowball". In certain formalisations of concatenation theory, also called string theory, string concatenation is a primitive notion.

A string literal or anonymous string is a literal for a string value in the source code of a computer program. Modern programming languages commonly use a quoted sequence of characters, formally "bracketed delimiters", as in x = "foo", where "foo" is a string literal with value foo. Methods such as escape sequences can be used to avoid the problem of delimiter collision and allow the delimiters to be embedded in a string. There are many alternate notations for specifying string literals especially in complicated cases. The exact notation depends on the programming language in question. Nevertheless, there are general guidelines that most modern programming languages follow.

<span class="mw-page-title-main">SQL injection</span> Computer hacking technique

In computing, SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

Uncontrolled format string is a type of code injection vulnerability discovered around 1989 that can be used in security exploits. Originally thought harmless, format string exploits can be used to crash a program or to execute harmful code. The problem stems from the use of unchecked user input as the format string parameter in certain C functions that perform formatting, such as printf . A malicious user may use the %s and %x format tokens, among others, to print data from the call stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf and similar functions to write the number of bytes formatted to an address stored on the stack.

<span class="mw-page-title-main">Delimiter</span> Characters that specify the boundary between regions in a data stream

A delimiter is a sequence of one or more characters for specifying the boundary between separate, independent regions in plain text, mathematical expressions or other data streams. An example of a delimiter is the comma character, which acts as a field delimiter in a sequence of comma-separated values. Another example of a delimiter is the time gap used to separate letters and words in the transmission of Morse code.

Code injection is a class of computer security exploits in which a vulnerable computer program is tricked into misinterpreting external data as part of its code. An attacker thereby introduces code into the program and changes the course of its execution. The result of successful code injection can be disastrous, for example, by allowing computer viruses or computer worms to propagate.

In computer science, the Boolean is a data type that has one of two possible values which is intended to represent the two truth values of logic and Boolean algebra. It is named after George Boole, who first defined an algebraic system of logic in the mid 19th century. The Boolean data type is primarily associated with conditional statements, which allow different actions by changing control flow depending on whether a programmer-specified Boolean condition evaluates to true or false. It is a special case of a more general logical data type—logic does not always need to be Boolean.

Hard coding is the software development practice of embedding data directly into the source code of a program or other executable object, as opposed to obtaining the data from external sources or generating it at runtime.

<span class="mw-page-title-main">Dependency injection</span> Software programming technique

In software engineering, dependency injection is a programming technique in which an object or function receives other objects or functions that it requires, as opposed to creating them internally. Dependency injection aims to separate the concerns of constructing objects and using them, leading to loosely coupled programs. The pattern ensures that an object or function that wants to use a given service should not have to know how to construct those services. Instead, the receiving 'client' is provided with its dependencies by external code, which it is not aware of. Dependency injection makes implicit dependencies explicit and helps solve the following problems:

<span class="mw-page-title-main">Null (SQL)</span> Marker used in SQL databases to indicate a value does not exist

In SQL, null or NULL is a special marker used to indicate that a data value does not exist in the database. Introduced by the creator of the relational database model, E. F. Codd, SQL null serves to fulfil the requirement that all true relational database management systems (RDBMS) support a representation of "missing information and inapplicable information". Codd also introduced the use of the lowercase Greek omega (ω) symbol to represent null in database theory. In SQL, NULL is a reserved word used to identify this marker.

scanf, short for scan formatted, is a C standard library function that reads and parses text from standard input.

An entity–attribute–value model (EAV) is a data model optimized for the space-efficient storage of sparse—or ad-hoc—property or data values, intended for situations where runtime usage patterns are arbitrary, subject to user variation, or otherwise unforeseeable using a fixed design. The use-case targets applications which offer a large or rich system of defined property types, which are in turn appropriate to a wide set of entities, but where typically only a small, specific selection of these are instantiated for a given entity. Therefore, this type of data model relates to the mathematical notion of a sparse matrix. EAV is also known as object–attribute–value model, vertical database model, and open schema.

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

<span class="mw-page-title-main">Comment (computer programming)</span> Explanatory note in the source code of a computer program

In computer programming, a comment is a programmer-readable explanation or annotation in the source code of a computer program. They are added with the purpose of making the source code easier for humans to understand, and are generally ignored by compilers and interpreters. The syntax of comments in various programming languages varies considerably.

Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped—special characters are prefixed with a backslash—before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping. It was later described as intended to prevent inexperienced developers from writing code that was vulnerable to SQL injection attacks.

The null coalescing operator is a binary operator that is part of the syntax for a basic conditional expression in several programming languages, such as : C# since version 2.0, Dart since version 1.12.0, PHP since version 7.0.0, Perl since version 5.10 as logical defined-or, PowerShell since 7.0.0, and Swift as nil-coalescing operator.

Secure coding is the practice of developing computer software in such a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.

PL/SQL is Oracle Corporation's procedural extension for SQL and the Oracle relational database. PL/SQL is available in Oracle Database, Times Ten in-memory database, and IBM Db2. Oracle Corporation usually extends PL/SQL functionality with each successive release of the Oracle Database.

References

  1. Chris Falter (March 6, 2008), A Good Solution for Magic String Data, Egghead Cafe Tuturiols, retrieved May 11, 2009
  2. Wang Lam (May 21, 2003), The Behavior of NULL's in SQL, Stanford University, retrieved May 13, 2009
  3. Eric Freeman, Elisabeth Freeman, Kathy Sierra, Bert Bates; 2004, Head First Design Patterns, 1st ed., O'Reilly, Chapter 6, pg. 214, The Command Pattern, ISBN   0-596-00712-4, ISBN   978-0-596-00712-6
  4. James McCaffrey (2009), Test Automation for ASP.NET Web Apps with SSL, Microsoft, retrieved May 13, 2009
  5. Andrew Cumming; 2007, SQL Hacks, 1st ed., O'Reilly, pg. 174, Prevent an SQL Injection Attack, ISBN   0-596-52799-3, ISBN   978-0-596-52799-0
  6. Brian Knight, Allan Mitchell, Darren Green, Douglas Hinson, Kathi Kellenberger; 2005, Professional SQL server 2005 integration services, 1st ed., John Wiley and Sons, Chapter 5, pg. 129, Handling Dirty Data, ISBN   0-7645-8435-9, ISBN   978-0-7645-8435-0
  7. Sezen, Tonguc Ibrahim; Isikoglu, Digdem (April 27, 2007). "From Ozans to God-Modes: Cheating in Interactive Entertainment From Different Cultures" (PDF). p. 8. Retrieved January 24, 2009.
  8. 1 2 "What Happens when Your License Plate Says 'NO PLATE'?". October 30, 1999.
  9. Glave, James (August 30, 1999). "Hotmail Hackers: 'We Did It'". Wired . Condé Nast. Retrieved July 16, 2024.
  10. Baraniuk, Chris (March 25, 2016). "These unlucky people have names that break computers". BBC.com . Retrieved January 30, 2022.
  11. Null, Christopher (November 5, 2015). "Hello, I'm Mr. Null. My Name Makes Me Invisible to Computers". Wired . Retrieved January 30, 2022.