Challenge Idea : Fun Factor?

I have an idea for a challenge(s) where I provide the visitor with a TextAea, and a paragraph detailing tables available in a database. They have to submit a query that produces resultsets based upon the criteria in the paragraph.

I don't think they'll wind up being high ranking (really hard) challenges, but was curious if anyone would find them fun? I could do variations..."You're attached to a MySQL database and need to return a result joining these tables, sorted blah blah, with only 5 results, etc."

Their submissions would run against the tables (after I cleaned up injection vectors) and then check their results. I could encapsulate their queries in tries so as to not produce fugly errors, and strip out all the drops, delete, sp calls, etc. when I clean it for injection.

What you guys think? Worth it?

It definatelly worth it.. I find it very good idea!

Maybe some will not find it very fun to play with challenges like these but it will be very educational if the queries become more and more complex. And if i remember correctly i think there were a couple of challenges like these in some challenge site but i can't remember which one.

But as you already know it needs a very careful setup because there could be attack vectors that go beyond the challenge and could result in bringing down your site..That's why many result in simulating solution queries which i don't think would work in this case..

Quote from criple_ripper

Oct 21, 2012 - 15:06:40

But as you already know it needs a very careful setup because there could be attack vectors that go beyond the challenge and could result in bringing down your site..That's why many result in simulating solution queries which i don't think would work in this case..

As I think already nearly happened after talking to dloser
The challenge was up briefly then taken down after it was deemed unsafe - Wixxerd: I suggest having challenges beta tested before putting them online, but be sure your testers are up to the job.
Without meaning to volunteer anyone, you need to be looking to the like of dloser, tehron, criple_ripper and people of this calibre in order to get a thorough test done.
If you find time, head onto the irc (server: irc.idlemonkeys.net channel: #wechall) and ask around there, most of us are happy to help and we're available there a lot more than we are available here

As you know, I too am happy to help out where I can (depending on my work situation) so drop me a line, and good luck with getting this fixed

sabre

I've gotten a few really good suggestions already for securing it. (Don't worry was most definitely still in beta... Along with several other play versions... ) Definitely moving it to a different DB instance that doesn't have anything else on it... I don't want the focus of these "specific" ones to be injection, but I find it hard to believe it wont get tried... a lot.

Quote from sabretooth

Oct 21, 2012 - 15:13:14

Without meaning to volunteer anyone, you need to be looking to the like of dloser, tehron, criple_ripper and people of this calibre in order to get a thorough test done.

You forgot kwisatz and jjk…

Quote from space

Oct 21, 2012 - 18:37:36

You forgot kwisatz and jjk…

Quote from sabretooth

Oct 21, 2012 - 15:13:14

and people of this calibre

;)