Jason Bosco

Full Stack Web Developer ; Generalist

Prime Candidate for SQL Injection!

I happened to stumble on this site which embeds the SQL query in their URL! 


Clickable Link

As you can imagine, the first thing that occured to me was to change that SQL query to something fitting, may be replace the SELECT query with a DELETE? Nah.. I shouldn’t be malicious I thought. And so I tried a simple UPDATE of one of the attributes, something which if it went through, I could easily revert back and not cause any damage. And so I tried an UPDATE query. Good for them, they atleast restricted the DB user to only perform SELECTs on the table. 

Here I am thinking “I should sanitize all my input” worrying about SQL injection and stuff. And I see this. Made my day or should I say year. Happy New Year!