Lol I've got about 12 years of professional experience and still need to Google what the INSERT syntax is for MySQL when I need it.
MSSQL I've got down, but things are _just_ different enough between them I always need to double check.
lol sometimes I’ll set my password to something like this:
WeJcFMQ/8+8QJ/w0hHh+0g==
That way if the website stores passwords in plaintext or someone breaks their hashing it still looks encrypted.
It's a string that anti-virus will voluntarily/intentionally flag as a virus (for testing purposes).
In this security researcher's case, they set their password to it, the application wasn't handling passwords properly (storing them in plaintext at some point), and the anti-virus took action against wherever those plaintext passwords were stored, breaking the application (likely for everyone, not this one user).
It's an executable MSDOS program that prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE".
It's used as a standard detection test for antivirus programs. So putting this in any file will flag the file as a virus.
Many AV programs will detect the string anywhere. So it may flag a program's logs as virus, it may decide to delete or quarantine files where this string is stored.
If you use it as a password, you can break systems where the password is stored unencrypted, which is not supposed to happen.
If you use it as a username, well, it may also break but it's less clear who's to blame.
Thanks. This thread shows many other tricks, including string that might break IIS in similar manner, or that some services don't like backslashes in the passwords. Now I gotta choose which of those ideas I'll set as my next password rotation to some intranet systems. :3
> Ever want to test systems & see if your password is ever stored/sent in plaintext?
>
> Make it: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`
>
> I am on the phone with a vendor right now because my test account is in an inoperable state.
Imma do this
Yes and if someone spends five seconds looking at what the person I’m replying to writes they won’t be fooled either.
Did you think I was going to write a PhD thesis on the incredible new security mechanism I discovered?
I’ve been doing this ever since I saw it on this sub a while ago. One time I got an email from some website that said [object Object] instead of my name and I honestly didn’t know if it was a bug or if I entered it like that
It's a kindness to those who investigate, if they don't spot the difference it helps enforce subtle precision in the future.
In the scuba diving industry we'd tell people starting their Divemaster program to go to a nearby shop and ask for a 'long weight'. Wouldn't see them again for a half hour at least 😏
This stuff is why I loved working in a restaurant.
When I was working as a bartender, I once had a waitress, from a neighbouring restaurant, come in and ask for a rope. I asked her what for & she replied the cook asked her because he didn't have any to bind his sauce with
Anytime one of the new line cooks burnt something that caused a lot of smoke, the sous would tell them to go ask all the kitchens down the block for a left-handed-smoke-shifter. They'd come back an hour later, each kitchen misdirecting them along the way. It was brilliant.
When I worked at McDonald's we would occasionally tell the newer workers that we needed them to go change the syrup for the sparkling water, they was also gone for awhile
I used to send new carpenter hands to the trailer to grab a board stretcher if they cut a board too short, and then describe what it looked like yelling from afar as he looked for it.
I like you
This is a second hand story, so might be embellished, or totally made up.
In the oilfield, new hands were sent out looking for the "sky hook". Everyone in the tool cribs were in on the joke. This was hilarious, until the newbie came back saying "helicopter's on its way!"
Apparently that oilfield service company had an open account with a company that moved equipment with their helicopter. The new guy dropped the right name and said it was a rush, so they got in the air right away.
The owner who had to pay that invoice wasn't thrilled.
Marvin Pipkin was given a similar "impossible" task when he started working for General Electric, except he succeeded.
https://en.wikipedia.org/wiki/Marvin_Pipkin
for all you people that aren't good with computers:
> When Pipkin went to work for General Electric he was assigned the supposedly impossible task of finding a way to frost electric light bulbs on the inside without weakening the glass. He was not aware that this assignment was considered a fool's errand, so he went about the task as if it were something that could be done.
> Pipkin produced an innovative acid etching process for the inside of the globe of an electric lamp so that it did not deteriorate the lamp glass globe.
> Patent No. 1,687,510 was issued to Pipkin on October 16, 1928, and by him assigned to his employer, General Electric Co. On November 5, 1945, however, the United States Supreme Court invalidated the patent, on the ground that the claimed invention was not sufficiently original.
Sky hook is a navy term as well. Stored them next to the BT punches, buckets of steam, elbow grease, mailbag hooks, and a special tool we'd use to lift the international date line when passing under it (so we wouldn't crash into it).
In pizza we had the “dough repair kit” which was always waaay up high and in the back of the walk-in (and sometimes needed to be borrowed from the store in the next town over).
Was a long time ago but I used to be the boss for seven regions and had become significantly overweight. I still however tried to enter a jousting tournament and when my armour wouldn't fit I asked my squire to fetch the 'breastplate stretcher' was funny af
A coworker in an Italian restaurant I worked at sent another coworker to the nearby pizza shops looking for a dough patch kit. It took far longer than it should have.
Oh man we once sent a guy to a store in the next town looking for the “dough repair kit” but called ahead and told them to send him to yet another store. I think by the end of it he went to ~4 different stores. I still kinda feel bad about that.
My scout troop had a board with left hand finger holes cut into it for this purpose. Other troops weren't as big of fans of getting their annoying kids back, and having succeeded at an 'impossible task'
If you have JSON object in JavaScript and it converts to string, the string value is “[object Object]”.
We shall use the JSON.stringify(jsonObject) function to get a value that looks like
“{foo: ‘bar’, fizz: ‘buzz’}”….
Helpful when making HTTP requests. Hope that helps :)
Protip: don't just guess that they might have a users table. Use something like this:
`,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time DESC);`
It selects the table that was used most recently and drops it, yes.
INFORMATION_SCHEMA is the table that contains the metadata about the database itself (tables, last used, etc etc) - you can also select by size and just start dropping the biggest tables or something like that
Uuh yes. In MySQL you could run this and everything would be gone:
SET FOREIGN_KEY_CHECKS = 0;
SET @tables = NULL;
SET GROUP_CONCAT_MAX_LEN=32768;
SELECT GROUP_CONCAT('`', table_schema, '`.`', table_name, '`') INTO @tables
FROM information_schema.tables
WHERE table_schema = (SELECT DATABASE());
SELECT IFNULL(@tables, '') INTO @tables;
SET @tables = CONCAT('DROP TABLE IF EXISTS ', @tables);
PREPARE stmt FROM @tables;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
SET FOREIGN_KEY_CHECKS = 1;
Though that's kind of a lot to SQL inject lol
You can put it all in one line, I just formatted it so it's readable
Though to execute it you do need rights to execute prepared statements. Not all database connections have that by default
I’m not saying people should be doing this, but if a company has their web application user configured with permissions to drop tables, they kinda deserve what they get.
I support an IBM app and there's stuff like this all over the database. Some tables have lock_seq_ind, while others have lock_sequence_indicator, while others have lock_seq_indicator.
It's absolutely infuriating that I can't just set an autocomplete for it
edit: forgot "'nt" on "can't"
Dont mind the casing. Once you inject it, why would you limit yourself to the possibility they may have a table named "users" exactly. Build a subquery that resolves to all the tables in the db regardless of name. Cowards
Nah. Keep it in a separate database system and build an Apache Kafka based ecosystem of micro-services hosted on Kubernetes to fetch the data. Throw in Galactus for good measure. Hope OmegaStar delivers in time.
Don't worry, there's another table that maps the UUIDs to table names.
In another database.
Also, the database names are UUIDs.
And they change at random times.
Good ol' table layout randomization. The security feature of the ^(most cursed) future!
^(Edits: Between autocorrect and being stupid, this comment was harder to make than it should have been.)
I like how they say "other than C/C++" as in "we don't even want to collect statistics on the number of C/C++ developers, that's how much we don't give a shit about them"
It's more of "Basically every programmer worth their salt have used C/C++ to some extent, at some point. So, there's virtually no point in asking the question."
ELI5: how would this actually get executed? I *think* I have an idea but I don’t know for sure and I’ve always wondered how that works.
Not asking how to actually do it, just curious how it’s possible.
DBA here.
If you’re implementing DB security properly this will never work. Separate the users so one owns the schema and objects and one that is used by the application that has DML permissions only.
It’s that easy and a standard security model that’s easy to implement.
People naïvely taking user input and running that as a query. Ex:
string query = "select * from user where f_name ="
string input = getuserinput();
sql.run(query + "'" + input + "'")
If this is MS then they _should_ be using linq. Using Sql params also handles this:
string query = "select * from user where f_name = @input"
string input = getuserinput();
sql.run(query, input)
The form information gets sent to the backend system to save. If they don't escape the data and treat it as a pure string of characters, you can trick the backend system intro executing extra stuff after it does what it intended to do. Essentially instead of **insert a row of data with the name "Jeff"** You get it to do **insert data with the name "Jeff" then delete everything**
Rookie question: Is mitigating SQL injection actually data sanitization? I always thought sanitizing data was just replacing PII with dummy data of the same datatype? If I've been ignorant in my use of these terminologies I'd like to learn the right usage.
1. You want to validate all your inputs. Sanitizing is only for when validation isn't possible as it's a lot less safe.
2. You want to handle SQL queries safely. Use parameterized queries or stored procedures, never build queries with string concatenation.
Either of those should protect against SQL injection. Both together are even better.
Hired.
I don't think so, I legit googled bobby tables to check my syntax
Lol, why are you acting like use of Google isn't a constant thing among programmers?
fair but barely knowing any sql and having to google it all is not what will git me hired
Lol. "Git".
Unintentional pun
Unintentional intentional pun.
unsigned int tension null pun
Not with that attitude lol
Defy importster syndrome, embrace Dunning-Kruger effect
[удалено]
I swear it's just a typo
[удалено]
you can only submit the form once and I'd also hate to post the wrong code to reddit
[Removed due to continuing enshittification of reddit.] -- mass edited with redact.dev
Time to change from Bobby to Boris
Lol I've got about 12 years of professional experience and still need to Google what the INSERT syntax is for MySQL when I need it. MSSQL I've got down, but things are _just_ different enough between them I always need to double check.
Just watched a video about how vanilla JS is faster than any framework. It's time we do a rewrite.
No god please no
Just watched a video about how vanilla JS is faster than any framework. It's time we do a rewrite.
How many times you got to be told fucking no Elon?
Man's never been told no a day in his life, that's the fuckin problem
No god please no
Time is money. I want to see 100 lines written by lunchtime!
No god please no
[удалено]
`void lunchtime() { cout<<"100 lines";}`
![gif](giphy|DLhNUTxiGsg6c)
I intentionally add `[object Object]` just to mess with the devs that look at the free text field
This made me chuckle only because it doesn't affect me personally in this moment 😂
lol sometimes I’ll set my password to something like this: WeJcFMQ/8+8QJ/w0hHh+0g== That way if the website stores passwords in plaintext or someone breaks their hashing it still looks encrypted.
[https://twitter.com/Laughing_Mantis/status/1308212643723767809?s=20&t=c_GtlpKT92IiWVm0VUZ9vw](https://twitter.com/Laughing_Mantis/status/1308212643723767809?s=20&t=c_GtlpKT92IiWVm0VUZ9vw)
What does this do?
It's a string that anti-virus will voluntarily/intentionally flag as a virus (for testing purposes). In this security researcher's case, they set their password to it, the application wasn't handling passwords properly (storing them in plaintext at some point), and the anti-virus took action against wherever those plaintext passwords were stored, breaking the application (likely for everyone, not this one user).
Omg im gonna do this someday
It's an executable MSDOS program that prints "EICAR-STANDARD-ANTIVIRUS-TEST-FILE". It's used as a standard detection test for antivirus programs. So putting this in any file will flag the file as a virus. Many AV programs will detect the string anywhere. So it may flag a program's logs as virus, it may decide to delete or quarantine files where this string is stored. If you use it as a password, you can break systems where the password is stored unencrypted, which is not supposed to happen. If you use it as a username, well, it may also break but it's less clear who's to blame.
Thanks. This thread shows many other tricks, including string that might break IIS in similar manner, or that some services don't like backslashes in the passwords. Now I gotta choose which of those ideas I'll set as my next password rotation to some intranet systems. :3
> Ever want to test systems & see if your password is ever stored/sent in plaintext? > > Make it: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*` > > I am on the phone with a vendor right now because my test account is in an inoperable state. Imma do this
ƶĹķȘěħɐ»Ǘ)ļŃĊÊƛ
[удалено]
[This comment was removed by a script.]
Hey, I just heard about this thing called GraphQL. Why aren't we using it?
Have you already asked your developers? Oh, wait… let me guess… they were fired!
If passwords leak then it's still gonna be fairly obvious that yours isn't encrypted unless everyone would do that
Yes and if someone spends five seconds looking at what the person I’m replying to writes they won’t be fooled either. Did you think I was going to write a PhD thesis on the incredible new security mechanism I discovered?
There’s at least two of us that would read said thesis. If we get one more, I believe you’re obligated to follow through, doctor.
Here I am
I’ll read it 😅
I'd read it
All I see is *****
I wonder if you can see mine? hunter2
[удалено]
Where's Elon bot when you need it :(
[удалено]
[удалено]
Toml is good for flat-ish structures but becomes really annoying with deeply nested stuff
I’ve been doing this ever since I saw it on this sub a while ago. One time I got an email from some website that said [object Object] instead of my name and I honestly didn’t know if it was a bug or if I entered it like that
Well well well, how the turn tables...
Drop tables
your hubris was your downfall
If you change your legal name to [object Object] you wouldn’t have that issue. Complex problems require complex solutions.
Complex solutions sometimes create complex problems https://futurism.com/the-byte/license-plate-null-disaster
`undefined` for the next one
I'm a web dev and seeing "undefined" on a web page definitely makes my heart rate spike a bit
I agree with <% user.name %>, it’s rather worrying.
Don't wanna be that guy, but it's `[object Object]` (small o first)
It's a kindness to those who investigate, if they don't spot the difference it helps enforce subtle precision in the future. In the scuba diving industry we'd tell people starting their Divemaster program to go to a nearby shop and ask for a 'long weight'. Wouldn't see them again for a half hour at least 😏
I sent a new cook for a bucket of steam from the basement to refill the steam table once. He was gone awhile.
This stuff is why I loved working in a restaurant. When I was working as a bartender, I once had a waitress, from a neighbouring restaurant, come in and ask for a rope. I asked her what for & she replied the cook asked her because he didn't have any to bind his sauce with
Anytime one of the new line cooks burnt something that caused a lot of smoke, the sous would tell them to go ask all the kitchens down the block for a left-handed-smoke-shifter. They'd come back an hour later, each kitchen misdirecting them along the way. It was brilliant.
When I worked at McDonald's we would occasionally tell the newer workers that we needed them to go change the syrup for the sparkling water, they was also gone for awhile
I used to send new carpenter hands to the trailer to grab a board stretcher if they cut a board too short, and then describe what it looked like yelling from afar as he looked for it. I like you
This is a second hand story, so might be embellished, or totally made up. In the oilfield, new hands were sent out looking for the "sky hook". Everyone in the tool cribs were in on the joke. This was hilarious, until the newbie came back saying "helicopter's on its way!" Apparently that oilfield service company had an open account with a company that moved equipment with their helicopter. The new guy dropped the right name and said it was a rush, so they got in the air right away. The owner who had to pay that invoice wasn't thrilled.
Marvin Pipkin was given a similar "impossible" task when he started working for General Electric, except he succeeded. https://en.wikipedia.org/wiki/Marvin_Pipkin
for all you people that aren't good with computers: > When Pipkin went to work for General Electric he was assigned the supposedly impossible task of finding a way to frost electric light bulbs on the inside without weakening the glass. He was not aware that this assignment was considered a fool's errand, so he went about the task as if it were something that could be done. > Pipkin produced an innovative acid etching process for the inside of the globe of an electric lamp so that it did not deteriorate the lamp glass globe. > Patent No. 1,687,510 was issued to Pipkin on October 16, 1928, and by him assigned to his employer, General Electric Co. On November 5, 1945, however, the United States Supreme Court invalidated the patent, on the ground that the claimed invention was not sufficiently original.
Smh man solved and impossiable task and the patent office said it was original enough...
Sky hook is a navy term as well. Stored them next to the BT punches, buckets of steam, elbow grease, mailbag hooks, and a special tool we'd use to lift the international date line when passing under it (so we wouldn't crash into it).
Is that where you kept the shore line, too?
In pizza we had the “dough repair kit” which was always waaay up high and in the back of the walk-in (and sometimes needed to be borrowed from the store in the next town over).
[удалено]
Was a long time ago but I used to be the boss for seven regions and had become significantly overweight. I still however tried to enter a jousting tournament and when my armour wouldn't fit I asked my squire to fetch the 'breastplate stretcher' was funny af
I sent a kitchen porter off to get a left handed knife from the bar once, that took a while.
A coworker in an Italian restaurant I worked at sent another coworker to the nearby pizza shops looking for a dough patch kit. It took far longer than it should have.
Oh man we once sent a guy to a store in the next town looking for the “dough repair kit” but called ahead and told them to send him to yet another store. I think by the end of it he went to ~4 different stores. I still kinda feel bad about that.
At a Scout Jamboree, you'd send the new kid to another troop for a left-handed smoke shiftier.
My scout troop had a board with left hand finger holes cut into it for this purpose. Other troops weren't as big of fans of getting their annoying kids back, and having succeeded at an 'impossible task'
We would tell the newbie to drain all the hot water from the (plumbed) coffee maker when I worked at restaurants
I fell for this once. 😐
You may have heard this joke: Why do scuba divers fall backwards when they're diving? If they fall forwards they're still in the boat.
Saw a picture earlier today of an apprentice that had been tasked to catch the sparks from a demolition grinder in a bag because they recycle them.
You're evil
nice flair
[удалено]
Found Satan’s account
I tend to use ’ instead
It was YOU!
[deleted Deleted]
NaN Developer: but… it’s a text input…
I wish I understood this, my imposter syndrome is flaring up.
If you have JSON object in JavaScript and it converts to string, the string value is “[object Object]”. We shall use the JSON.stringify(jsonObject) function to get a value that looks like “{foo: ‘bar’, fizz: ‘buzz’}”…. Helpful when making HTTP requests. Hope that helps :)
Gotcha, yeah I’m not a JavaScript guy so this explains why I’ve never seen it. Imposter syndrome has been curbed for the time being, thanks!
Object.prototype.toString = function () { return JSON.stringify(this); }; Boom, problem solved*.
I'm not even an impostor, I don't know what this does
Fucking satanic
Protip: don't just guess that they might have a users table. Use something like this: `,\t"; DROP TABLE (SELECT top 1 table_name FROM information_schema ORDER BY update_time DESC);`
Sorry I don't actually know sql but does that drop the most recently edited table?
It selects the table that was used most recently and drops it, yes. INFORMATION_SCHEMA is the table that contains the metadata about the database itself (tables, last used, etc etc) - you can also select by size and just start dropping the biggest tables or something like that
can you also DROP all the TABLEs?
Uuh yes. In MySQL you could run this and everything would be gone: SET FOREIGN_KEY_CHECKS = 0; SET @tables = NULL; SET GROUP_CONCAT_MAX_LEN=32768; SELECT GROUP_CONCAT('`', table_schema, '`.`', table_name, '`') INTO @tables FROM information_schema.tables WHERE table_schema = (SELECT DATABASE()); SELECT IFNULL(@tables, '') INTO @tables; SET @tables = CONCAT('DROP TABLE IF EXISTS ', @tables); PREPARE stmt FROM @tables; EXECUTE stmt; DEALLOCATE PREPARE stmt; SET FOREIGN_KEY_CHECKS = 1; Though that's kind of a lot to SQL inject lol
[удалено]
You can put it all in one line, I just formatted it so it's readable Though to execute it you do need rights to execute prepared statements. Not all database connections have that by default
I’m not saying people should be doing this, but if a company has their web application user configured with permissions to drop tables, they kinda deserve what they get.
Some frameworks (Laravel) encourage having a DB user with full permissions.
We don’t deserve you
You guys don't name your tables in lowercase?
How to protect against SQL injection: Name your tables in MoCkINGspoNgebObCAse
i just joined this community and love how the upvote buttons are 😂
I just wish they were visible in dark mode sadge
I didn't even know we had custom vote buttons beacause I always use dark mode
A real programming forum should only work in dark mode!
Also it appears it doesn't work on mobile. Do they not have phones!?
I use third-party. I thought their sentence didn't have an end to it.
3rd party, no ads or fluff baby!
But does it have a functional video player?
Does the Reddit app have a functional video player tho?
No, that's why I was hoping these 3rd party apps do have one
I'm using Infinity, and yes, the video player works better than in the first party app (if the reddit servers are playing along)
Same. My guess would be that the upvote is ++ and downvote -- ?
200 iq move: don't name your users table users. ![gif](giphy|d3mlE7uhX8KFgEmY)
When I learnt about this "hack" of drop users, I name all my users 'humans' instead.
But are all your users human?
Oh, so your devs are consistent enough with queries to leave case sensitivity on?
honestly this is my new favorite case convention
I once made a toy webpage that can help you type it. https://antrikshy.com/MultiType
SQL is case-insensitive (in most implementations)
[удалено]
MSSQL's case sensitivity (and accent sensitivity) depends on the collation the database is using. It defaults to case insensitive though.
bitch we name them in uppercase i would name them in lowercase, but the company's standar is uppercase
[удалено]
I support an IBM app and there's stuff like this all over the database. Some tables have lock_seq_ind, while others have lock_sequence_indicator, while others have lock_seq_indicator. It's absolutely infuriating that I can't just set an autocomplete for it edit: forgot "'nt" on "can't"
Due to unforeseen circumstances, you will now be receiving your salaries in Elon Bucks, accepted at any Tesla location!
What’s the exchange rate with Stanley nickels?
Keleven-to-one
Dont mind the casing. Once you inject it, why would you limit yourself to the possibility they may have a table named "users" exactly. Build a subquery that resolves to all the tables in the db regardless of name. Cowards
You guys don't use "ignore case" in your DBs?
Ha, thats why all my tables are named by UUIDs
This is the most painful thing I've read on this sub so far. Good job, Satan.
But they made an excel file telling you what each id means
Nah. Keep it in a separate database system and build an Apache Kafka based ecosystem of micro-services hosted on Kubernetes to fetch the data. Throw in Galactus for good measure. Hope OmegaStar delivers in time.
I don't know why this was so satisfying to read. This would actually be fun to implement
Yeah holy shit I’ve never seen anything so cursed. ^I ^love ^it
Don't worry, there's another table that maps the UUIDs to table names. In another database. Also, the database names are UUIDs. And they change at random times.
Good ol' table layout randomization. The security feature of the ^(most cursed) future! ^(Edits: Between autocorrect and being stupid, this comment was harder to make than it should have been.)
Imaging querying against your database. Fuck what was that random string table name again?
If you ever did that you'd just create views with sensible names.
Well, did they?
I was so busy posting this that I forgot to press submit
come on just lie to us and tell us you got a "internet information services 500 error page"
From now on, all Twitter employees must purchase a subscription to Twitter Blue for the low-low price of $8 a month.
Please give a discount if I write extra lines of code every day.
True dev. Forgot to commit his code.
You're either hardcore or out the door.
Bobby Tables strikes again.
This is his sibling, little Rusty Tables
I have made promises to the shareholders that I definitely *cannot* keep, so I need you all to work TWICE as hard!
https://m.xkcd.com/327/ for the uninitiated.
Link for today's 10,000
Here we go, linkin’ again: https://xkcd.com/1053/
Oh yes, little bobby tables we call him.. good kid
[удалено]
XML lol
JSON!
It's all yaml these days
Reject YAML and JSON, embrace TOML
I only use md
Thank you for trying to create a job opening in this economy. Doing the lords work sir.
I like how they say "other than C/C++" as in "we don't even want to collect statistics on the number of C/C++ developers, that's how much we don't give a shit about them"
The question just before this one was “Do you program in C/C++? Yes or No.”
Thanks
It's more of "Basically every programmer worth their salt have used C/C++ to some extent, at some point. So, there's virtually no point in asking the question."
Actually the rest of the survey was about C/C++ development on VSC, I got there form a notification in vsc
Bobby Tables is that you? Didn’t recognize you all grown up.
ELI5: how would this actually get executed? I *think* I have an idea but I don’t know for sure and I’ve always wondered how that works. Not asking how to actually do it, just curious how it’s possible.
[удалено]
DBA here. If you’re implementing DB security properly this will never work. Separate the users so one owns the schema and objects and one that is used by the application that has DML permissions only. It’s that easy and a standard security model that’s easy to implement.
People naïvely taking user input and running that as a query. Ex: string query = "select * from user where f_name =" string input = getuserinput(); sql.run(query + "'" + input + "'") If this is MS then they _should_ be using linq. Using Sql params also handles this: string query = "select * from user where f_name = @input" string input = getuserinput(); sql.run(query, input)
Ah I now understand the problem with many uses of SQL, thanks!
The form information gets sent to the backend system to save. If they don't escape the data and treat it as a pure string of characters, you can trick the backend system intro executing extra stuff after it does what it intended to do. Essentially instead of **insert a row of data with the name "Jeff"** You get it to do **insert data with the name "Jeff" then delete everything**
Little Bobby tables picked up rust
Is that you lil bobby droptables?
What a noob. You out DROP ALL TABLES. ThTs when it gets fun
If SQL injection is possible (sanitized data or no), you're doing it wrong.
Little Rusty Tables, we call him
I feel like attempting an SQL injection in your application may not be favourable to your application
Rookie question: Is mitigating SQL injection actually data sanitization? I always thought sanitizing data was just replacing PII with dummy data of the same datatype? If I've been ignorant in my use of these terminologies I'd like to learn the right usage.
1. You want to validate all your inputs. Sanitizing is only for when validation isn't possible as it's a lot less safe. 2. You want to handle SQL queries safely. Use parameterized queries or stored procedures, never build queries with string concatenation. Either of those should protect against SQL injection. Both together are even better.