Just sat through a demo of some clicky-draggy data visualisation stuff.

The guy showed us how you can write a custom script that takes a user input and pokes it into a SQL command using string concatenation, so a very obvious injection vulnerability.

Ok, so it's only a demo. But you wouldn't do a demo with an example user called Captain Cock, so why do a demo with a screamingly obvious security hole?

Whole thing was basically pivot tables in a short skirt anyway.
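To make the point concrete, here is an added example (not code from the post or from the demo it describes): the concatenation pattern the presenter showed next to the parameterised form a defender would insist on, run against a constructed in-memory SQLite table. The table, the `region` filter and the sample inputs are all assumptions made up for this illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, not from the demo: a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, region TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "north"), (2, "bob", "south"), (3, "carol", "north")])
    return conn

def filter_by_region_concat(conn, region):
    # The pattern from the demo: user input pasted straight into the SQL text.
    # A quote in `region` changes the query's *structure*, not just its data,
    # so the caller no longer controls what the statement does.
    sql = "SELECT name FROM users WHERE region = '" + region + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def filter_by_region_param(conn, region):
    # Hardened form: the driver sends the value separately from the statement,
    # so whatever the input contains is only ever compared as a string.
    sql = "SELECT name FROM users WHERE region = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (region,))]

def demo():
    conn = make_db()
    benign = "north"
    # Constructed input containing a quote and an always-true condition.
    hostile = "north' OR '1'='1"
    return {
        # Expected: only the two 'north' users.
        "concat_benign": filter_by_region_concat(conn, benign),
        # Expected: the filter is bypassed and every user is returned.
        "concat_hostile": filter_by_region_concat(conn, hostile),
        # Expected: same two 'north' users.
        "param_benign": filter_by_region_param(conn, benign),
        # Expected: no rows, because no region literally equals the hostile string.
        "param_hostile": filter_by_region_param(conn, hostile),
    }

if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```

The only difference between the two functions is where the value travels: inside the SQL text, or beside it as a bound parameter.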

Comments
  • 2
    Hear me when I say FUCK pivoting and unpivoting in SQL
  • 1
    @AlgoRythm Why stop there? I say fuck SQL!
  • 1
    @Lensflare some of SQL is nice. Basic commands before you get into 9-ways-sideways joins with quadruple nested subqueries
  • 1
    SQL is Shit. The world changes, and SQL is next on the Tech-Darwin list
  • 1
    @Chewbanacas no it's not. There were attempts to replace it, e.g. Flux, but the vendors themselves dropped it, because while reading is nice, the learning curve is steep and the execution performance is shit.

    I believe SQL is a tried-over-time and trusted, solid solution. Not exactly used as it was meant initially [by business people], but it found its place. Like TCP, DNS, SNMP, DHCP, NAT, Java, HTTP, etc. SQL is here to stay, and it's actually a cool language once you get a good grip of it. Annoying sometimes, when written in hacky ways, but still cool. The way it makes one's mind twist and bend.. Feels gooood :)