Example #645,257,329 of why one must always sanitize every piece of user input that your code has to process. Doesn’t matter how foolproof or dead simple you think the action will be, or how safe or sane your users — someone will try to buffer overrun, break out of the current SQL statement and inject their own code, or just generally find any way imaginable to deface or destroy your work. Especially if your work is a direct confrontation of a particularly entrenched bit of misogyny amongst a terribly entitled and relatively tech-savvy audience, and that audience is inclined toward trollishness to begin with.
A group of social justice advocates in the video gaming community put together a pledge website called Gamers Against Bigotry (WARNING: Chrome reports malware!), asking people to sign onto the following statement:
As a gamer, I realize I contribute to an incredibly diverse social network of gamers around the world, and that my actions have the ability to impact others. In effort to make a positive impact, and to create a community that is welcoming to all, I pledge to not use bigoted language while gaming, online and otherwise.
Bigoted language includes, but is not limited to, slurs based on race, ethnicity, gender, sexual orientation, and disability.
Read more about the pledge, including what is and isn’t included, and the overall purpose here.
Read why you shouldn’t use the word “rape” casually here.
All in all, it’s a simple statement, and a rather unobjectionable one at that. The only way one can end bigotry within a community is to “be the change you want to see” — to never engage in bigoted behaviour, and to challenge it when one is able.
The response, however, was in no way proportionate to the pledge, especially given its entirely voluntary nature.
Before the project was really ready to go, Wil Wheaton linked to it, and it kicked off overnight. And with the publicity came the trolls — and given that this was a direct challenge to these entitled assholes, it’s absolutely no surprise. First, the page was defaced with that most iconic of squick-memes, the Goatse Guy. The defacement was successful because input was apparently not checked for HTML, so people could insert images into the signatures table and throw the whole thing out of whack. Then, when that defacement was cleaned up, people used other bits of code to hide the signatures table altogether.
When that was repaired, trolls with more tech skill realized what code was behind the pledge sheet: phPetition, a relatively immature and simple codebase that was apparently pretty easy to hack. Remember though — no matter how easy to hack a system is, one must still actively participate in morally questionable activities. Not that the moral compasses on these hackers were functional in the first place! This codebase had SQL injection exploits like crazy, so the trolls escalated from mere website defacement by attempting to destroy the existing signatures.
And they succeeded in short order. Nearly 1500 signatures were lost, though a few of them were recovered from an old backup. The page is presently at 640 signatures at time of writing, many of which are obviously further defacement or attempts at same:
0000000285 \’) go drop table go \’) go drop table go \’) go drop table go US
0000000286 \’) go drop table go \’) go drop table go \’) go drop table go US
0000000287 \’) go drop table go select * from pledge \’) go drop table go select * from pledge \’) go drop table go select * from pledge US
Ad when deleting the database again failed, they moved on to more intellectual arguments:
0000000348 EAT DICKS eatmoredicks CX
0000000349 Ben Dover A gorrilion dicks US
0000000481 nigger joe niggerland US
0000000482 You Suck Chinatown US
0000000483 dicks mcchinky asstown US
Or lying about the site and its purpose:
0000000486 Claims this is a nonprofit project Begs for money instead of signatures This does not need money the creator is a sca US
This last one references the Indiegogo fundraiser the project has put together so they can hire someone to prevent these hacks from happening. Apparently, they hadn’t been asking for money before those bigots began treating the site as their litter box, so the request for funds came as a direct result of these trolls’ actions. I am reminded of Anita Sarkeesian and her Feminist Frequency kickstarter, where she asked for two grand to put together a movie about misogyny in video games, ended up on the receiving end of weeks of targeted abuse, and as a direct result of people seeing and recognizing that abuse, ended up with $150,000 in funding donations instead.
Let’s go donate, if you can. If you have spare cash so they can hire a pro to make this pledge sheet bulletproof, great. If you can’t, signing the pledge now isn’t a bad idea either judging by what’s already been done to fix the issue, especially if your name disappeared from a previous attempt as my own apparently has.