this post was submitted on 05 Feb 2025
259 points (98.1% liked)

Programmer Humor

20442 readers
1898 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
259
SQL Injection (lemmy.ml)
submitted 6 days ago* (last edited 6 days ago) by HiddenLayer555@lemmy.ml to c/programmer_humor@programming.dev
15 comments fedilink hide all child comments
 

Alternate version:

you are viewing a single comment's thread
view the rest of the comments
[–] tdawg@lemmy.world 12 points 6 days ago (1 children)

What's the second one do?

[–] HiddenLayer555@lemmy.ml 26 points 6 days ago* (last edited 6 days ago) (2 children)

Bypassing authentication or checks by incorporating a statement that always returns true, and doing an 'or' operation with the statement being injected. It manipulates the return value of the SQL statement to make it always return true, so if the website is checking if the statement returned true to indicate, for example, the password is correct, it will now think that was the case.

[–] CanadaPlus 3 points 5 days ago (2 children)

So does that imply they already knew the candidate they were hiring, and were just checking if this is the guy?

[–] ulterno@programming.dev 1 points 3 days ago

Yeah, this seems like an exploit for those cases.

[–] HiddenLayer555@lemmy.ml 3 points 5 days ago

IDK I didn't think that much into it lol

[–] wise_pancake@lemmy.ca 5 points 6 days ago (1 children)

I remember the first time I shipped a website with that SQL injection.

It got taken over surprisingly quickly.

[–] CanadaPlus 5 points 5 days ago* (last edited 5 days ago) (1 children)

Crackers work hard.

Edit: Wait, does that mean you did it again? Haha.

[–] wise_pancake@lemmy.ca 3 points 5 days ago* (last edited 5 days ago) (1 children)

I just wiped the DB and put it back online again.

I did fix it, but had to rewrite a lot of the PHP backend, which took a couple days.

And yes, I did release another website with SQL injection... It was a personal website for my brother and the pagination was vulnerable. I had written a simple CMS for it, but Instead of a password I just generated an obscure URL with completely open access to edit the DB directly.

The pagination got hacked but I fixed it pretty quickly (by checking the page number was in fact a number).

Surprisingly the CMS never got hacked before I moved him over to WordPress.

Younger me learned a lot of web dev lessons the hard way.

ETA: This was all when I was a teen and I had nobody in my life to teach me these things. I was self taught from a PHP book from the library.

[–] CanadaPlus 1 points 4 days ago (1 children)

Ah yes, the honest days of development, when you just got your hands dirty and didn't have to worry about expensive formal education and stupid interview tactics.

[–] wise_pancake@lemmy.ca 1 points 4 days ago (1 children)

It was fun and I learned a lot. I mostly did small time jobs for local companies and used the money for my tuition. Most sites were just static HTML, and I could program flash, so there wasn’t much risk to it.

I am glad we have git instead of various backup folders on an ftp server, continuous integration, unit tests, and frameworks/accessible info to prevent the more basic errors.

[–] CanadaPlus 1 points 4 days ago

There is reasons it ended, and some of them good. Sorry, got caught up in nostalgia a bit there.

You can still write open source stuff without needing anything besides technical knowledge, if you are in a situation where you have extra time and energy after feeding yourself.