Replicating the Google Chrome Facebook Crash Bug

farvour — Thu, 27 Aug 2009 22:09:57 +0000

Ok, so a couple of a weeks ago I had started using Google Chrome regularly. It really is a nice, fast, stable browser … well, stable until you use Facebook a lot.

Chrome would crash any time I’d finish typing out a really long comment on a wall, or a wall post anywhere for that matter, and then try to strike the “Comment” button. I could not figure out why the browser crashes when doing this. Finally it happened to me again today, and I noticed a pattern. It only seemed to happen when I clicked off the text editor onto a specific area elsewhere on the page. Basically I was missing the comment button itself, but barely.

Here’s a step by step example of how to reproduce the Facebook Google Chrome crash bug:

1.) Begin by clicking the Comment link on any status you desire (or wall post on a group page, etc)

2.) Type something, or leave the field blank, and attempt to click in any of the “forbidden areas” highlighted in the second image below. Doing so will cause the current Google Chrome browser tab to crash.

So there you have it, a replicatable crash that can be submitted to the Google Chrome team. Please note, I am using the latest stable Chrome version 2.0.172.39 as of this writing. I hope the Facebook team can address this issue. While it may seem minor, accidents happen and sometimes you aren’t always able to strike the “Comment” button 100% of the time and it’s quite a disaster when an entire 40 sentence wall post basically needs to be re-typed. I hope the Facebook team will look into this issue and that this blog has provided useful information to the community.

Best Regards!

MySQL Injection attacks are always fun (not)

farvour — Tue, 07 Jul 2009 17:50:03 +0000

So I am working today and receive an e-mail from the boss man about one of our clients websites getting “hacked” by a Palestinian hacking group. Apparently they used some MySQL query injections on one of our old sites. Gotta love legacy code. Well the site wasn’t escaping the strings properly passed from the URL GET or the POST variables and they managed to reset the admin section usernames and passwords. They then proceeded to log into the admin interface for the site and upload a “Your site has been haxX0red!!!” image. Lovely.

In either case, the solution is to properly re-write your SQL queries as to not leave a gaping hole if someone decides to pass non-typical form data to the script. The following code is bad:

// username and password sent from signup form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; $sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql);

So I guess it’s another handful of old sites to fix since a bunch of others are using the same code. /sigh/ The correct way this code should have been written:

// username and password sent from signup form $myusername=mysql_escape_string($_POST['myusername']); $mypassword=mysql_escape_string($_POST['mypassword']); $sql="SELECT * FROM members WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql);

Farvour's Blog » Programming

Replicating the Google Chrome Facebook Crash Bug

MySQL Injection attacks are always fun (not)