How *not* to impress your customers.

So, today I tried to sign up for a service online (unidentified for reasons that will become obvious briefly). This is a service that, had I successfully signed up, would be withdrawing monthly subscription fees from my bank account and handling some data that's fairly important to me. But when I hit the button to start the registration process, I got back...

[TCX][MyODBC]You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''7GDiSp=E8-Mgvgo\', Now() )' at line 9 SQL = "INSERT INTO [REDACTED] ([REDACTED], FieldName, FieldValue, update_dt ) VALUES ( 10724, 'PASSWORD', '7GDiSp=E8-Mgvgo\', Now() )"

The password I tried to enter, for the record, was 7GDiSp=E8-Mgvgo#dEwb8m7Ec_e~z0myAAj. This is at best inexcusable sloppiness and at worst a security hole, and I don't want a company that does either anywhere near my money and data. (Sadly, there probably are already many such companies near my money and data, but I try to avoid the ones I know about.)
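The error text above shows the registration form pasting the raw password straight into the text of an INSERT statement, which is why a quote character (or, on MySQL, a trailing backslash that escapes the closing quote) turns the value into a syntax error. The following is an added example, not code from the original post or from the unnamed service; the table name `user_fields` and the column layout are constructed stand-ins for the redacted ones. It places the concatenation pattern beside the parameterized form, and stores a salted hash instead of the clear-text password the original query was about to write. Note that SQLite, used here so the example runs offline, does not treat a backslash as an escape character inside string literals the way MySQL does, so the post's 16-character truncated password does not break SQLite; a value containing an apostrophe breaks concatenated SQL in every dialect.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema standing in for the redacted table in the error message.
SCHEMA = """
CREATE TABLE user_fields (
    user_id    INTEGER NOT NULL,
    FieldName  TEXT    NOT NULL,
    FieldValue TEXT    NOT NULL,
    update_dt  TEXT    NOT NULL
)
"""

# PBKDF2 work factor; kept modest so the example runs quickly.
PBKDF2_ROUNDS = 200_000


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_by_concatenation(conn: sqlite3.Connection, user_id: int, password: str) -> None:
    """The pattern the error message reveals: user input pasted into the SQL text.

    Any quote inside the value changes the statement instead of being data,
    which is what produced the "error in your SQL syntax" page in the post.
    """
    sql = (
        "INSERT INTO user_fields (user_id, FieldName, FieldValue, update_dt) "
        f"VALUES ( {user_id}, 'PASSWORD', '{password}', datetime('now') )"
    )
    conn.execute(sql)


def insert_parameterized(conn: sqlite3.Connection, user_id: int, password: str) -> None:
    """Fixed form: the value travels as a bound parameter, never as SQL text.

    The password is also stored as a salted PBKDF2 hash rather than in clear,
    a separate defect the original INSERT ('PASSWORD', '<clear text>') exposed.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    stored = salt.hex() + "$" + digest.hex()
    conn.execute(
        "INSERT INTO user_fields (user_id, FieldName, FieldValue, update_dt) "
        "VALUES (?, 'PASSWORD', ?, datetime('now'))",
        (user_id, stored),
    )


def verify_password(conn: sqlite3.Connection, user_id: int, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT FieldValue FROM user_fields WHERE user_id = ? AND FieldName = 'PASSWORD'",
        (user_id,),
    ).fetchone()
    if row is None:
        return False
    salt_hex, digest_hex = row[0].split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def concatenation_breaks(password: str) -> bool:
    """True if the concatenated INSERT fails with a syntax error for this password."""
    conn = open_db()
    try:
        insert_by_concatenation(conn, 10724, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    # Constructed sample: a passphrase with an apostrophe and, as in the post,
    # a trailing backslash. The parameterized path stores and verifies it intact.
    sample = "O'Brien's passphrase\\"
    db = open_db()
    insert_parameterized(db, 10724, sample)
    print("parameterized insert verifies:", verify_password(db, 10724, sample))
    print("concatenated insert breaks:", concatenation_breaks(sample))
```

The detection angle for an operator is the same error the post's author saw: a database syntax error surfacing to an end user means the statement text is being built from input, so any log line matching "You have an error in your SQL syntax" coming from a form handler is worth treating as a finding rather than noise.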

Comment by Anonymous at 11:30 AM:

The passwords that I usually use hide away in shame... (=


Comment by chithanh at 1:10 PM:

Apparently, passwords are truncated at 16 characters. Doesn't look very exploitable. Maybe try a password containing the ' character and see what happens.