Magic string

Input which activates otherwise hidden functionality

Not to be confused with Magic number (programming) or Magic string (therapeutic aid).

In computer programming, a magic string is an input that a programmer believes will never come externally and which activates otherwise hidden functionality. A user of this program would likely provide input that gives an expected response in most situations. However, if the user does in fact innocently provide the pre-defined input, invoking the internal functionality, the program response is often quite unexpected to the user (thus appearing "magical").

Background

Typically, the implementation of magic strings is due to time constraints. A developer must find a fast solution instead of delving more deeply into a problem and finding a better solution.

For example, when testing a program that takes a user's personal details and verifies their credit card number, a developer may decide to add a magic string shortcut whereby entering the unlikely input of "***" as a credit card number would cause the program to automatically proceed as if the card were valid, without spending time verifying it. If the developer forgets to remove the magic string, and a user of the final program happens to enter "***" as a placeholder credit card number while filling in the form, the user would inadvertently trigger the hidden functionality.

Resolution

Situations/issues of cause

Often there are significant time constraints out of the developer's control right from the beginning of their involvement in a project. Common issues that might lead to this anti-pattern as a result:

Null != null or any variation where a data type doesn't compare bitwise to a supposedly identical type. This is an issue that can even occur within the same development environment (same programming language and compiler). This problem has a long history for numerical and boolean types and most compilers handle this well (with applicable warnings and errors, default resolution, etc.). Nullable types such as strings have the difficulty of historically different definitions for NULL. The errors/warnings produced are often general or a 'best fit' default error whose message does not actually describe what's going on. If the developer can't get enough clues to track the issue down through debugging, taking a shortcut, and coding in a 'default' string, may be the only way to keep the project on schedule. One solution to this may be the application of the Null Object pattern.

Programmed into a corner. Sometimes a design seems straightforward and even simple but turns out to have a logical flaw, dependent upon the possible user inputs, due to an often unforeseen circumstance towards the end of planned development. Thus a developer might feel the need to implement a user input with special security/operational allowances to deal with such circumstances. This can be particularly ironic since it will sometimes become obvious that a more robust design from the beginning would likely have left room to handle the flaw. However, this would perhaps have taken too much time to implement and it might have conflicted with the fundamental engineering concept of KISS, keeping a design and implementation simple and meeting only the initial necessary requirements.

Allowing external access to a global flag. Over-confidence that a global flag can never be set accidentally or maliciously (often a quite reasonable assumption) justifies such implementation for testing and debug purposes, especially for small applications with simple interfaces. If the distribution of the program is considerable, however, it is usually just a matter of time before somebody sets the flag. An obvious solution is to never use a global variable in such a manner. A developer might also make the flag circumstantially accessible. So the magic string by itself would be dealt with by the program as any other input. The user has to then reproduce the setting as well as produce some collection of other events, that the user interface discreetly allows, for the flag to accept the setting; a far more unlikely scenario, though still possible.

Strict formatting

Restricting the format of the input is a possible maintenance (bug fixing) solution. Essentially, this means validating input information to check that it is in the correct format, in order to reduce the possibility of the magic string being discovered by the user. Examples include validating a telephone number to ensure that it contains only digits (and possibly spaces and punctuation to a limited extent) or checking that a person's name has a forename and a surname (and is appropriately capitalised). An exception is made for the magic string in the validation code so that it will not be rejected by validation. It is expected that, since a user would likely quickly notice the strict enforcement of formatting, it would likely not occur to the user to try inputting a string not conforming to the format. Therefore, it is very unlikely for the user to try the magic string.

As with any input validation process, it is important to ensure that the format is not restrictive in a way that unintentionally restricts the use of the application by some users. An example of this is restricting telephone number or postal code input based on one country's system (e.g. requiring every user to give a five-digit ZIP code), causing problems for legitimate users who are based in other countries.

Purposeful implementation

As is often the case with anti-patterns, there exist specific scenarios where magic strings are a correct solution for an implementation. Examples include cheat codes and Easter eggs. Furthermore, there are cases when users invent magic strings, and systems that have not been coded to accept them can produce unexpected results such as missing license plates.

Incidents

The following is a list of some known incidents where use of a magic string has caused problems.

In several different cases, motorists with personalized strings on their vehicle registration plates have received incorrect traffic tickets. In affected ticketing systems, when police officers would fill out a traffic ticket for a car with no registration plate, they would write "NOPLATE", "NOTAG", "MISSING", or similar. This caused issues when motorists were granted actual registration plates with these values, and thus began receiving numerous traffic tickets intended for these plateless vehicles.

In 1999, hackers revealed a security flaw in Hotmail that permitted anybody to log in to any Hotmail account using the password 'eh'. At the time it was called "the most widespread security incident in the history of the Web".

People with the last name Null have reported a variety of problems using online systems, such as being unable to book plane tickets, use government tax websites, or pay utility bills. The issue stems from these systems confusing their name for a null pointer. Depending on the system, this may cause the system to not show their name, to ask the user to enter a different name (sometimes with a message claiming that the name field had been left blank), or to show an error message.

See also

Magic number (programming)
Time formatting and storage bugs, for problems that can be caused by magics
Sentinel value (aka flag value, trip value, rogue value, signal value, dummy data)
Canary value, special value to detect buffer overflows
Video games cheat codes which have the same origin
XYZZY (command)

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.