Just curious, with all the legalities on the net now, does that ever really happen, unless there is a complete failure of management? Are online stores obliged to fulfill a purchase, If there was some sort of hacking or other subtrefuge/clerical error involved? It's like those banks who send out million dollar checks in error....they always seem to recover the money. I can see a 20 or 30 dollar price error having to be honored, because the purchaser may very well believe that is a deal......but when it's $79,995 off,.....both parties must know something is wrong.

It all depends how automated your order fulfillment system is. And what information the people involved have.

If all the person in charge of completing a work order to fulfill the customer order only knows that Customer X needs to have Product Y shipped for delivery on Tuesday, then no one would know about the billing error for a while.

If the error is smaller, say a $20 item for $5, the error might not be caught unless there is a sudden surge in orders.

This kind of thing could get ugly.


TGI says moo

Management would probably figure out a way to cancel the error.

And fire the programmer who let it in.

I agree with everything you've just said.

I also believe in the due diligence required of coders to know where their data came from and where it's going. Too often I get the impression that programmers are taught that if they simply use place holders, then they've practiced safe data and they have nothing to worry about. Next thing you know, your application is performing evals on strings pulled from databases.

Place holders are an important part of the process, but by themselves they only protect your databases, not your application.

You make a good point, and my favorite word out of your whole node is "process". That's what security is. There's no one step that makes an application or a computer system secure.

Performing evals on strings pulled from a database isn't necessarily bad, so long as you're the one who populated the database. It's a good thing to mention, though. Using eval() on user-supplied data or data pulled from another source you don't control enables all kinds of attacks. Even writing user-supplied data out for another user, like the Perlmonks site does, can cause at least three widely publicized types of security flaws for the client end that have no need of SQL injection to work. That's why there's so much effort to limit the HTML and CSS that is accepted in nodes here, and why so many legitimate sites are in the news lately for attacking web user's computers through browsers.

Placeholders require such a small effort for such big strides in the security process, though, that they definitely should be part of that process whenever databases are involved.

Hey, funny that. There's a SQL injection (https://rt.cpan.org/Ticket/Display.html?id=41565 in the latest DBD::Pg that works even in the face of placeholders.

> > $s=$d->prepare(q[select ? where 1=?], { pg_server_prepare => 0 });
> > $s->bind_param(2,undef,SQL_INTEGER);
> > $s->execute(1,"2; drop table x;");
[download]

That's a scary one. Here's hoping it's fixed soon. I also hope that if the bind_param call is not made that "2; drop table x;" would be passed as a quoted string in the meantime.

Quite a few places have enough automation in place that the only involvement a human might have would be to pack a bunch of items from a pick list into a box and ship it. They probably wouldn't see the price paid for the items.

If they get to save $79995, then they'll probably be willing to put up with being called some pretty rude (or punctuated) things.

Of course, calling your female customers "Mr" is another issue entirely...

If the customer gets to save $79995, they might be happy, but the sales staff and accountants won't be. Not only are openly rude names an issue and gender as you said. Misspelling a name, using a nickname for someone who prefers their proper given name, disallowing punctuation in punctuated names, or truncating a common name because your DBA didn't think about how many characters to use for a field are pretty disrespectful, too.

"Mrs. Jones-O'Reilley" doesn't want to be greeted as "Mr. Jones-O'Reilley", but neither does she want "Mrs. O'Reilley", "Mrs, Jones-OReilley", "Mrs. Jones-O'Riley", or "Mrs. Jones-O'Re". My first name is Christopher, and I can tell you how frustrating it can be to call somewhere that the clerk insists the account holder's name is "Christophe" because the DBA thought ten characters was plenty. Let's not even start on how often my last name's spelling is "corrected" as if I filled it out incorrectly myself and the customer service representative knows better. As frustrating as this kind of oversight is in customer service, I'm not sure what attacker would be quite so subtle as to only change those things.