Monday, December 14, 2009

"Bobby" joins the QA team

When we promote code to either the beta (i.e. testing) or production (i.e. live broadcast during prime-time) servers, standard operating procedure is to make a spot-check before turning things over to QA. Today, I pushed something into production and made a quick check to see whether including an apostrophe in an input field of a web page could cause the page to error out.

When I moved the fix onto testing, I seriously toyed with the idea of reporting that I had validated the fix with the following input inspired by one of my all-time favorite xkcd web comics:
something'); DROP TABLE zzz; --
where "zzz" would have been the name of a database table that would bork our flagship application But Good if its data were lost. (Btw: If you bring up "Little Bobby Tables" in a room full of programmers, it's pretty much a cinch that at least 3/4 of them will know what you're talking about. Most of the 3/4 will probably laugh, too.)

If the "Bobby Tables" code snippet above looked like gibberish to you, let me break it down. It's known as a SQL injection attack, and the would-be attacker is attempting to subvert the code you intended to run by:
  1. Prematurely terminating the database access code you intended to execute
  2. Attempting to completely delete a table's worth of data (assuming the table name is known or can be guessed)
  3. Voiding any additional code that you would have executed, so as to prevent it from generating the syntax error that would have stopped their attack short in its tracks
The sad news is that I didn't learn about all that in programmer school. The happy news, of course, is that I didn't learn it the hard way. That being said, any web programmer worth her/his keyboard knows to expect those sorts of tricks and bulletproofs the code accordingly. Of course they do. Because somehow half of everybody brags about hiring (or at least keeping) "only the best."

But. Would half of everybody be willing to have every last input field of every single screen/page of absolutely every application tested by Bobby Tables? Probably not, so it's a question that has considerable value, whether you ask it of yourself or others. For instance: I don't tend to pull my punches during job interviews, so that was just added to the quiver I'd use during the technical part. Because I'm looking for how the question is answered, more so than the answer itself. (Hint: A blank look is bad; glib assurances that "it couldn't happen" are rather worse. Ignorance can be cured. Hubris is usually terminal.)

And for anything I'd write (or manage), Mr. Tables is henceforth part of my QA team. I figure that one or two frantic database restorations (hopefully on the QA server, not the live one) is the short, sharp shock kind of lesson that will stick with a programmer for years (including me, who has already found alternative ways of hosing a database). Who knows? The lesson might even linger for an entire career, depending on how much grovelling before (or bribery of) the Sys. Admin. is required to rectify matters.
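To make the three-step breakdown above concrete, and to show what "Mr. Tables on the QA team" looks like as an actual check, here is an added example (not code from the original post). It builds a throwaway SQLite database with a `students` table standing in for the "zzz" table, feeds both the apostrophe spot-check and the Bobby Tables string through a vulnerable insert and a parameterized one, and reports whether the table survived and whether the value round-tripped. The `run_stacked` helper is an assumption: it emulates a database driver that accepts several `;`-separated statements in one call (Python's own `sqlite3.execute()` refuses that), because that is the behaviour the `DROP TABLE` trick relies on.

```python
import sqlite3

# Constructed sample inputs: the apostrophe spot-check and the Bobby Tables string.
APOSTROPHE_INPUT = "O'Brien"
BOBBY_INPUT = "Robert'); DROP TABLE students; --"


def fresh_db():
    """In-memory database with one table standing in for the 'zzz' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Hypothetical helper: emulate a driver that runs several ';'-separated
    statements from one string, skipping comment-only fragments ('--')."""
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if stmt and not stmt.startswith("--"):
            conn.execute(stmt)


def insert_unsafe(conn, name):
    """Vulnerable: the user's value is pasted straight into the SQL text,
    so quotes in the value become part of the statement."""
    sql = "INSERT INTO students (name) VALUES ('" + name + "')"
    run_stacked(conn, sql)


def insert_safe(conn, name):
    """Hardened: the value travels as a bound parameter, never as SQL text,
    so an apostrophe or a '); DROP TABLE' is stored as a plain string."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def bobby_check(insert_fn):
    """QA-style check: run both inputs through insert_fn on a fresh database
    and report, per input, any error raised, whether the table survived and
    whether the stored value equals what was submitted."""
    report = {}
    for label, value in (("apostrophe", APOSTROPHE_INPUT), ("bobby", BOBBY_INPUT)):
        conn = fresh_db()
        try:
            insert_fn(conn, value)
            error = None
        except sqlite3.Error as exc:
            error = type(exc).__name__
        survived = table_exists(conn, "students")
        stored = None
        if survived:
            rows = conn.execute("SELECT name FROM students").fetchall()
            stored = rows[0][0] if rows else None
        conn.close()
        report[label] = {
            "error": error,
            "table_survived": survived,
            "stored": stored,
            "round_trip": stored == value,
        }
    return report


if __name__ == "__main__":
    for name, fn in (("unsafe", insert_unsafe), ("safe", insert_safe)):
        print(name, bobby_check(fn))
```

Run against `insert_unsafe`, the apostrophe input raises a syntax error (the "page errors out" symptom from the spot-check) and the Bobby input quietly drops the table; run against `insert_safe`, both inputs are stored verbatim and the table is still there. The apostrophe check is worth keeping in the routine precisely because it is the cheap, non-destructive early warning: code that chokes on `O'Brien` is code that has not been bulletproofed against the rest.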