Felarya

 Around DA

Stabs
Moderator
Posts : 1875
Join date : 2009-10-15
Age : 34
Location : The Coil, Miragia

PostSubject: Around DA (Tue Jun 22, 2010 12:58 pm)

I found a way around the ' bug in DA.

You make a text file, throw your text in, and then use the replace function. Replace the ' marks by ´ accents. English readers won't mind... and you don't need to type much more either!
Shady Knight
Lord of the Elements
Posts : 4580
Join date : 2008-01-20
Age : 34

PostSubject: Re: Around DA (Tue Jun 22, 2010 1:17 pm)

There's a replace function?
http://shady-knight.deviantart.com/
Archmage_Bael
Mara's snack
Posts : 4158
Join date : 2009-05-05
Age : 35
Location : Shatterock Caldera

PostSubject: Re: Around DA (Tue Jun 22, 2010 2:16 pm)

I didn't know that either.
French snack
Moderator
Posts : 1192
Join date : 2009-04-05
Location : in Milly's stomach. Care to join me?

PostSubject: Re: Around DA (Tue Jun 22, 2010 3:52 pm)

Thanks... Though I thought the bug had gone now. It no longer seems to be affecting me, anyway.

I used to deal with it in one of two ways. Either open another browser to read the page (Firefox has no ' bug); or copy/paste the text from dA into Word (or something similar) and then use the "search & replace all" function to replace every ' with an apostrophe.

Those solutions only work for reading a text, though, not for submitting one.
Oldman40k2003
Moderator
Posts : 661
Join date : 2007-12-08

PostSubject: Re: Around DA (Wed Jun 23, 2010 1:02 am)

The fact that DA is having problems with single quotes (also known as apostrophes ( ' )) is very troubling to me as a programmer. This is because the single quote is used in SQL queries (a language used for databases, like the one behind DA's web-interface). There is a known type of attack called a SQL Injection attack, and what it is, is that if the attacker has access to even a part of the SQL query string they can, through clever use of their own single quotes, run any command that they so choose, including "delete everything in the database" and "get me everyone's password hashes" (with which they can, after some more work, probably break the weaker passwords and thus "own" those accounts.) An attacker gets access to even a part of the SQL query through any user-submitted text field; things like "Name", "Location", or apparently "Story Text".

The reason this is all so troubling is that them having problems with single-quotes means that they are probably still trying to prevent attacks by "single quote escaping", a buggy method of attack prevention. There is a much better way (parametrized queries, which basically allow you to say to the database stuff like "The next 120 characters are data only, don't process them as a command", and which completely eliminate SQL injection attacks) that has been around since 1992(!)

So in other words, the single quote problems they are having implies to me that their code is full of security holes and that they are incompetent, considering that they've had years (and several DA versions) in which to fix it.


/End somewhat off topic "angry programmer" rant. Razz
http://oldman40k2003.deviantart.com/
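
The contrast drawn in the post above between "single quote escaping" and parameterized queries, as an added example that is not part of the original post and is not deviantART's code. It uses Python's built-in sqlite3 module; the `stories` table, its rows, the input strings and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stories (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO stories (author, body) VALUES (?, ?)",
        [("alice", "It's raining."),
         ("bob", "Don't panic."),
         ("o'brien", "Story with 'quotes'.")],
    )
    return db

def escape_quotes(value):
    # "Single quote escaping": double every ' so it stays inside a string literal.
    return value.replace("'", "''")

def find_concat(db, author):
    # Vulnerable 'before': user input is pasted into the SQL text itself,
    # so an apostrophe in the input changes the structure of the query.
    sql = "SELECT body FROM stories WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def find_escaped_by_id(db, story_id):
    # Escaping is applied, but the value lands in an unquoted numeric
    # context, where there is no quote to escape. The filter protects nothing.
    sql = "SELECT body FROM stories WHERE id = " + escape_quotes(story_id)
    return db.execute(sql).fetchall()

def find_param(db, author):
    # Parameterized: the SQL text is fixed; the input travels separately as data.
    return db.execute("SELECT body FROM stories WHERE author = ?", (author,)).fetchall()

def find_param_by_id(db, story_id):
    return db.execute("SELECT body FROM stories WHERE id = ?", (story_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    try:
        find_concat(db, "o'brien")            # a legitimate name breaks the query
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print("parameterized:", find_param(db, "o'brien"))
    hostile = "1 OR 1=1"                      # constructed input containing no quotes
    print("escaped, numeric context:", find_escaped_by_id(db, hostile))
    print("parameterized, same input:", find_param_by_id(db, hostile))
```
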
Archmage_Bael
Mara's snack
Posts : 4158
Join date : 2009-05-05
Age : 35
Location : Shatterock Caldera

PostSubject: Re: Around DA (Wed Jun 23, 2010 2:26 am)

You should notify them of this. I'm sure they are aware of it, but if you express intelligent concern for it (as opposed to someone who has no idea what he's talking about ranting to them) then they'll probably listen.
Anime-Junkie
Loremaster
Posts : 2690
Join date : 2007-12-16
Age : 31
Location : The Country of Kangaroos and Criminal Scum

PostSubject: Re: Around DA (Wed Jun 23, 2010 1:33 pm)

I agree with Bael here, if there's a better solution, which there apparently is, they should be notified of it.
http://www.Excelsior-Emeritus.deviantart.com
Oldman40k2003
Moderator
Posts : 661
Join date : 2007-12-08

PostSubject: Re: Around DA (Wed Jun 23, 2010 8:46 pm)

Anime-Junkie wrote:
I agree with Bael here, if there's a better solution, which there apparently is, they should be notified of it.

Oh, they are well aware of it. It is impossible that they have not heard of this problem and its solution; every SQL book talks about it; every online article about SQL injection attacks mentions parameters as a way to prevent attacks.

But I can hear you saying "But if everyone knows about it, why is it still a problem?" The reason problems like this are still around is because of situations like the following.

Bob is a programmer. Bob codes up a simple demo of an idea; he codes quickly and pays little attention to things like security and potential bugs because this is just a demo to see if the concept is sound. The demo will be built and analyzed for design problems that weren't obvious when he started building it, so that when he builds the real thing he can fix those design flaws.

At some point a critical error is made; someone, for some reason, decides to not start over from scratch, but instead decides to try to improve the quality of the demo program they have written. Sometimes this is a management decision, deciding that they don't really want to pay to recode something. Sometimes this is a programmer's decision, either because of laziness or time constraints. This is always a mistake, and an example of false savings (in my opinion at least.) With possibly only one exception, it is not generally possible to take a demo and fix its structural defects in less time than it would take to analyze the demo and simply build a new, better program from scratch. (The one possible exception would be a project running under a "Test First" policy (tests are "micro programs" that automatically test your code for certain things, and help prevent bugs because you make tests to cover any bug you find, thus meaning that once you fix a particular bug, you will know the instant it shows up again (because the test covering it will fail if it does show up again)). Projects running under a "test first" policy just might have a flexible enough structure that you can fix it faster than it would take to rebuild it... maybe.)

Once the decision is made to not rebuild it, it becomes harder and harder to ever rebuild it, because there are more and more features built into the (originally) demo code, and each one of those features is patched into the original structure in a (probably) haphazard manner because of the structural flaws inherent in the design. Each new feature will likely interact in strange ways with existing ones, hiding some bugs and creating strange, twisting paths to others. You end up with situations like one I saw once: a multi-megabyte HTML file that had to be entirely downloaded across the internet, just so that about 100k of it would actually be shown to any one user.... and over half of its 400+ pages were like that. (And no, I didn't write it, I just had to maintain a small part of it, thank God.)

The Windows ME/Windows 98 series of Microsoft Windows Operating Systems is a good example of this type of code bloat. Windows ME is Windows 98 with code tacked on. Windows 98 is actually mostly Windows 95 with new code tacked on. Windows 95 is actually mostly Windows 3.11 with new code tacked on. Windows 3.11 is actually DOS 4.0 (or something) with code tacked on. What this all means is that Windows 98 was restricted by design decisions made almost a decade earlier for a system radically different than what Windows 98 was trying to be; it also had bugs caused by all the strange interactions between the different systems. (Windows XP is from a different line, one that was handled much more cleanly, and Windows Vista and Windows 7 are a totally new line in and of themselves, and it shows: Windows 7 beats Windows XP in speed and features even when running on the same computer.)

tl;dr Someone at deviantART seems to have decided to do it cheap and quick, rather than right.

/Angry Programmer Rant... I am doing too many of these lately; I should make myself a blog to post them on so that they can be properly ignored without inconveniencing others. Razz
http://oldman40k2003.deviantart.com/