Comment I learnt this lesson a long time ago. (Score 5, Insightful) 208
In high school for economics class we got to play a mock stock market game (on the web). Well my stock market team consisted of myself and another CS student.
On the website you would enter in the amount of stock, stock symbol, and BUY or SELL in a form. That form would POST to a confirmation page and from there you would click "TRADE" and it would post to some server side page to execute the trade. The fools that designed the site thought it would be a good idea to validate all the data on the confirmation page and NOT on the server side page. We created a local version of the initial confirmation page, changed the action of the form to "http://www.tradingsite.com/cgi-bin/trade.pl". We then proceeded to buy -100000 shares of MSFT for about 40 bucks a pop.
The server had a formula of something like:
(STOCKPRICE * SHARES) + COMMISSION = SUM
The sum was then checked against your account's cash balance.
Something like:
IF (SUM > CASHBALANCE)
ERROR;
ELSE
EXECUTE TRADE;
Well we had a big negative number for our SUM so it passed.
The server then proceeded to:
CASHBALANCE = CASHBALANCE - SUM
Well anyone who has taken 5th grade math knows what happens when you subtract a negative number.
To make a long story short... we come into school about 2 weeks later and there is a big list of all the teams playing the stock market game in NY state. Our team is number 1 by about 2 million bucks, 2nd place is at about 105k. We confessed to the whole thing, explained to the site what they did wrong, and didn't get in any trouble.
The moral of this story:
Validate all user input before you perform ANY actions with it.