Drop What Now?

DROP TABLE Companies? Why the odd name?

Drop What Now?
Photo by Ales Maze / Unsplash

In short: I am a software engineer, so I wanted my company name to be a software engineering joke. The name is recognizable to developers as a playful nod to hacking attempts and a wink to the geeky comic XKCD. It has nothing to do with flipping tables (╯°□°)╯︵ ┻━┻ or putting them back ┬─┬ノ( º _ ºノ)

On this page I will give a crash course into databases and query languages to explain how my company name might actually hack a website, and if it already has. Spoiler: it hasn't.

Hacking databases with a company name

If you know a bit about software, or have been near a database, I'm sure you've heard of SQL, often pronounced "sequel". SQL is a language used by software and software developers to communicate with databases. It comes in many flavours, such as MySQL, PostgreSQL and SQLite, but they are all very similar in their syntax. And, they come with the same vulnerabilities.

Searching through a database

Let's say you are the manager of an SQL database and you are keeping a list of companies. You might be the Chamber of Commerce, for example. If' you'd want to look up some data in your database, it would look like this:

This gets all the data (the "*") from a table called "Companies". The red parts are words from the SQL dictionary, understood by the database. The ";" at the end closes it of nicely, and tells the database we're done. This is all we want to know. Sending the database this query, would give us all the data of all companies.

We might want to narrow that down a bit. What if we want all data from a single company? We'd let the database know like this:

This is pretty much as easy to read for humans as it is for databases. The quotation marks are not for sarcasm, they tell the computer where the name starts and ends. For a company like Apple, this works nicely. Because the name Apple does not contain a double quote mark. What if it did? Would it still work? Can we use this for evil? Sure we can!

SQL injection

This is called SQL injection, when malicious SQL code is injected into a query. One way to do that, is by putting the safety quote-marks in the name itself. With a company name like "; DROP TABLE Companies; – it would look like this:

Oh dear. The " in the name is understood to mean 'the end of the company name'. So our database stops the purple streak right there. Next, it sees a semicolon, understood to mean 'the end of the query'. After that? A new query! DROP TABLE Companies, it commands, and you're right in thinking that that deletes the entire Companies table! Ouch.

Our company name then closes it off nicely: a second semicolon to end the second query, and a double dash, which turns off everything that might follow. Just to be sure, if there was more SQL after our name, that that doesn't give any errors.

Drop it like it's hot

There we have it. We tried to look for the details of a company, but instead we deleted all the data we had. And it all started with an innocent quote mark.

"Back in the day", yes, because I am old, this was an actual way of hacking websites that could commonly work. Many websites were hand made, often rushed during the dotcom bubble, and did not protect against these types of attacks. Imagine you can insert your own SQL code into a login screen or search box. Instead of deleting a table of companies, you could do many other thing: update someones password, for example, and then use that password to log in. Better yet, update the administrators password and get full control.

But what about the parenthesis?

Good catch! The name has another sign in it near the start: ");

I've skipped the explanation in our SQL quickstart tutorial above, but when changing data in a database, some queries contain an opening parenthesis that needs to be closed. As an example, this is how you could add a new company to a table:

INSERT INTO Companies (name, country) SET ("Apple", "USA")

As the first use of my company's trade name was to be added to the database of the Chamber of Commerce, it made sense to include a statement like the above, and include the ).

This also helps "hacking" registration forms, or crawlers and scraper bots that scrape this website to build a database of... things.

Nowadays, many websites are based on frameworks upon frameworks and most developers don't write SQL code anymore that is directly sent to the database. SQL code is properly sanitised for you, so it becomes harmless.

Here is an example of what a sanitised query looks like:

Here, a simple backslash in front of the quote makes the entire thing safe again. It tells the computer: don't stop here, this is NOT and end-quote, it is part of the company name.

XKCD

As with most things in life, there is always a relevant XKCD:

Her daughter is named Help I'm trapped in a driver's license factory. XKCD 327

Results

To my knowledge, no, my company name hasn't hacked anyone yet. I'd be surprised if it did. I have encountered some errors with websites that don't accept special characters in company names. So often in fact, that I've stopped entering the full name when I order things online.

When I received the confirmation, it was a relieve not to have hacked the Chamber of Commerce

The most notable recent issue was with the Google Play store. On every app listing, the "more apps by this developer" link would result in an error page. I had to remove the quotes for this page to work. Bummer.

Google didn't like my company name

What is the risk?

Negligible, for multiple reasons:

  1. Like stated before: most websites nowadays are built with frameworks that protect against attacks like my company name.
  2. Protecting against SQL-injection is a basic skill every developer knows. If they are vibe coding and have no idea what they are doing, yet publish their work to the public regardless, than my company name is the least of their problems.
  3. SQL-injections are very easy to automate and to try out. Millions of bots are doing this every day, knocking on every door to try out if it is locked or not. If a website is public and vulnerable to attacks like these, it will automatically be hacked within hours.
  4. The stars have to align for this to work. A website needs to use an SQL database, take unsanitised inputs, have a table called Companies, and perform exactly a query that works with our name. They might be using single quotes instead of double quotes, for example, rendering our "); trick harmless.

So no, I don't worry about this name ever becoming an issue. Although I do admit I was a tiny bit nervous to register the name at the Chamber of Commerce. Typing into an online web form is one thing, but this was a paper request that was manually entered by an employee inside the Chamber of Commerce, which, theoretically, bypasses all kinds of firewalls. You know, almost pretty much entirely exactly like how Silva hacked MI6 in Skyfall because Q just plugged his laptop into the local network without thinking.

DROP TABLE Companies is the freelance software development company of me, Mathijs Lagerberg. If you want to know if your website is vulnerable to attacks like these? Contact me!