114

This is real.

String query = "select password from users where username = " + username;

Comments
  • 10
    Every single login or db question I see on stackoverflow has shit like this, it's scary to think these people are out there coding things we might be using...
  • 15
    How else can you send the user his password when he has forgotten it? /s
  • 1
    Yeah, I have to confess my first C# code probably looked like that before I discovered entity framework and Nhibernate.

    ... And that if I ever do PHP again it's gonna look like that on purpose
  • 1
    I'm no backend, what is so bad? (Other that possibly not escaping SQL, which I assume would have been done earlier in the code)
  • 1
    @retnikt SQL Injection.
  • 2
    @Retnikt Like @PrivateGER said because of SQL Injection. Thats why most of Websites only allow to reset your password instead of sending it to you.
  • 2
    Prepared statements are not only more secure than this, but they are also easier to implement (no awkward string concatenation). So doing stuff like this isnt even lazy, its just totally negligent.
  • 17
    Hiiii! I'd like to log in, please? My username is "A'; select * from users; --". Thanks!
  • 1
    And its probably not hashed?

    I mean negligence sure... But screwing with my data(password cant be reused because of people like this...)
  • 0
    @retnikt lol, it says "select password from ...". It just returns password lol
  • 0
    It’s the exact reason why SQL injection has remained a top vulnerability for more than 15 years. I guess some lessons are perpetually ignored
  • 2
    I wouldn't harass newbies about this, because they're still learning. I would guess that many of us here have done something like this at least once. It would be best to warn them about SQL injection without calling them stupid.
  • 0
    worst nightmare
  • 3
    Does not matter when you have #amazingsecurity
  • 0
    @Codex404 you don't. That's why if you forget your password you can create a new one.
  • 2
    @Dollique the /s means sarcasm ;-)
  • 2
    @Codex404 ikr? 😂
  • 2
    @Gigex Thank goodness for that I was about to trigger so hard 😂
  • 1
    @finiteAutomaton But if you dont know how to protect yourself against something as painfully trivial as SQL injection, I doubt you have anything even vaguely resembling #amazingsecurity
  • 2
    @CrashOverride At least you can try to convince your customers on twitter that it is still amazingly good.
  • 0
  • 2
    How has nobody posted this yet?

    https://xkcd.com/327/
  • 0
    Newbies do this a lot
Add Comment