Search - "sql injections"
-
Mom: What are you studying?
Me: Types of SQL Injection
Mom: U r in engineering? Right? So why are u studying types of Injections?
Me: 🤦♂️😂😂10 -
4 years ago, during our college, a friend of mine was explaining to us about hacking using simple SQL injections. He showed us some of the sites he hacked. Out of curiosity we tried it on the college internal website and it worked. We had access to all the details of all the students in the university, and even the lecturers' information. We informed the management; they were shocked on seeing this. They had just spent 25 lakhs for this website a couple of months ago.6
-
Him: Relational databases are stupid; SQL injections, complex relationships, redundant syntax and so much more!
Me: so what should we use instead? Mongo, redis, some other fancy new db?
Him: no, I have this class in Java, it loads all the data into memory and handles transfers with http.
Me: ...... Bye!5 -
Someone wanted to test if the I-Scout game was capable of preventing SQL injections 😂😂
The I-Scout game is, by the way, an indoor and outdoor game for scouts all over the globe.2 -
If you discount all the usual SQL injections, the most blatant was not ours but a system one customer switched to after complaining over cost.
The new system was a bit more bare bones feature-wise, but the real gem was the profile page for their customers.
The only security was an id param pointing to the user's primary key, which was an auto-incrementing integer :)
And not only could you access all customer data, but you could change it too.
But since the new system was built by their IT chief's son, we realized there was not much we could do.2 -
I'm working this whole weekend to rewrite/move an old custom made shop extension to the new shop.
The amount of possible SQL injections is too damn high and this piece of shit the creator calls code is the most pitiable thing I have ever seen!
I don't know how you can call yourself an experienced programmer if you create SQL queries by concatenating strings and variables in raw PHP, copy the same fucking include files to 10 different folders and use all of them in random places.
I'm not angry at all, I just want to castrate you with a blunt, fake swiss army knife so mankind is safe from you multiplying yourself.2 -
!rant
Reddit comment on a thread about Joomla! sites being vulnerable to SQL-injections:
"Joomla sites are so infested they became sentient.
Joomla sites need no webmaster, someone else will administer it for you.
Joomla sites have very good SEO, especially in "v1agra c1alis p3nis size"
Traffic count with Joomla is high, all the bots breaking all the vulnerabilities count for somethin'."
😂 Pure gold.1 -
I have quite a few of these so I'm doing a series.
(2 of 3) Flexi Lexi
A backend developer was tired of building data for the templates. So he created a macro/filter for our in-house template lexer. This filter allowed the web designers (we didn't really call them front end devs yet back then) to just put an SQL statement in the templates.
The macro had no safe argument parsing, and the designers knew basic SQL but did not know about SQL injection and used string concatenation to insert all kinds of user and request data in the queries.
Two months after this novel feature was introduced we had SQL injections all over the place when some piece of input was missing, but worse, the whole product was riddled with SQLi vulnerabilities.2 -
Never have I been so satisfied as I am right now after having implemented a login and user account system with the ability to update user preferences with databases n' shit in PHP after only knowing PHP for a day.
Speaking of all that, do you guys know of any good place to make sure all my stuff is secure? No SQL injections and the like.4 -
So I'm coming out of one that has a focus on this stack (JS [jQuery after weeks of vanilla JS drilled into our heads, React], Java, MySQL, Python [Django, Bottle], HTML/CSS, and a few web security concepts (XSS, SQL injections)).
The whole course has been 4 months learning, 3 weeks working on a final project. Next week is the presentation, so I think I can safely comment on the course.
We moved fast, but that's to be expected. Lecture in the mornings, exercises in the afternoons, assignments due at the beginning of each week. Constantly working towards it and improving. I have been working pretty hard. We were given some help, but had to get a lot of answers online (based God StackOverflow), but that's part of it.
We touched on some concepts like inheritance in JS, Python and Java, OOP and to be open to concepts we don't know so we should be thirsty for that knowledge.
In my off time, I've begun teaching myself Node and really trying to double down on React because it seems useful. I realized I was more drawn to the backend, but I was comfortable in front end as well. (Just don't ask me to design anything, my eye for aesthetics/CSS sorcery is terrible.)
The overall experience has been pretty mixed, but we were mostly unsatisfied. We weren't given the help we were promised. The explanations weren't exactly crystal clear, so we would have to teach ourselves and each other quite a bit. We worked together a lot. Some people really fell behind, some caught up, some flew ahead and thrived. (I'm somewhere between caught up and thrived, I recognize where I stand.)
I'm happy I did a bootcamp, they aren't miracle programs, but they at least kick you into place that you are learning and need to continue to learn. (Just kinda wish I had done a different one.)
Feel free to ask about anything concerning it! -
After over two days of debugging, lesson learnt: don't assume your table's prefix, nor depend on other APIs for SQL injections1
-
I got assigned to work on a new project a couple of weeks ago. We got the POC code handed off from senior management, since he came up with the idea over the weekend. The project concept is hella exciting, but the dev manager and PO I have to deal with make life unbearable to say the least.
We have only 2 devs (including me) and 1 QA on this supposedly very important project. Of course, management announced the project to the clients already, so now we have to deliver ASAP cause it adds “sizzle”.
The MVP deadline is... no one knows when, either July 30th or September 1st. The MVP requirements are... unknown. I swear if someone saw the list of tasks and issues attached to “MVP” Epic, they would call us nuts trying to fit it all in.
To make things better, each PR requires 2 reviewers, so we end up adding manager as a reviewer just cause we need him to hit that “approve” button. So in attempt to make life easier, we requested to have a third developer. We are getting another developer, but that guy doesn’t know how to unit test a pure function...
Current priorities are... unit testing with coverage of 95% and if we want to refactor code, we have to add area to the list in a Google Doc. As a result, we are not tackling big things like risk of SQL injections not to mention big features like i18n (5-6 languages to support by the way and yes, it’s part of MVP as well as SSR no one knows why). Currently, I spend 2-3 hours a week in calls with the team just to figure out what the hell MVP is, what we have to do and why we have to do it. Last time we spent an hour refining 1 spike and breaking down one story into 3.
Oh, we also don’t have a deployment plan, not even to test environments since DevOps team was not aware of this project at all. Thus, QA cannot create any test suites and have to test everything manually which eats a lot of their time.
This whole project is a big hot mess and I’m considering leaving it all together especially since I’m working on two squads at the same time. I love the project, I love the idea, but management makes it unbearable, so I’m not even motivated to work on that.3 -
PHP features the best of the wicked minds.
In this legacy but still used project, just so as to save the scourge of opening a TCP connection (I suppose), some guy wrapped JS libs like jQuery and MooTools in a script tag, in individual PHP files. Then from a main.php he included all those libraries. This produces a 2 MB file to send to the client and it's not even compressed. This guy never had any thought about maintenance.
This is one symptom of the problem with PHP: every company developed or has in-house undocumented, unmaintained frameworks made by devs without any idea about testing, security and more.
Gosh, in a previous job I've seen a PHP cron that used arguments passed to a switch case of 25 cases.
It took 19 years for the language to get a standard, meanwhile leaving the web landscape as a mess of bad coding practices, bad design practices, SQL injections, outdated tutorials and more. PHP is the example that it's not because it's used on almost all the web that it's good, it only means that it's cheap! Cheap like asking a redneck to build you a car and he tows (deploys) it to your house with his own tow truck he built.
https://blog.codinghorror.com/codin... -
I attempted a national competition in an IT field, where there were tens of great projects (in other fields as well, like chemistry and so on). We had to push everything to their portal, so they could study it in advance. While pushing the docs, I found that there were SQL injections that allowed me to list everyone's rating and to download every single doc / additional source.
Worst part is that even after I reported the vulnerability, they obviously didn't have time to fix it. -
Years ago there was a boom with Counter-Strike portals and I wanted to have one myself. I uploaded PHP-Fusion via FTP, downloaded a free template and filled in content. But the basic profile was not as interesting as on other sites. So I found a dev who wrote me a better profile (for free). I wanted to show the user id but didn't want to ask him, so I spent 4 hours trying to print a simple variable (echo in HTML). When I had finally done it, that feeling was beautiful and I realized that I could make changes by myself and try other things. Next was a basic VIP plugin (with SQL injections etc.) which I sold to other people, and that was the moment I knew I would be a dev
-
ASP.NET Core (MVC) is frustrating me.
I’m a big fan of ASP so far but I’m just struggling to understand a lot.
First off to use it you have to fucking memorize every class in the fucking framework and the functions within them. It just expects that I automatically know which classes I need to implement or inherit from and why, but if I don’t? I can fuck off. But this is also just a C# problem in general.
And it does so much for you and that bothers me so much. I was so excited to actually implement protection against SQL Injections, using HTTPS, validating logins, interacting with the SQL for the database but FUCKING NOPE BECAUSE IT DOES IT FOR YOU.
I don’t want my hand held I want to feel like I’m actually doing things and I want to learn how shit works and how it’s made. It’s just disappointing. I appreciate that it wants me to focus on the app and I will appreciate it a lot more when I’m done learning how everything works but I won’t actually get to understand how those features work or how I can implement them myself because it’s spoiling me too fucking much.
I guess I’m just gonna have to practice more. And don’t bother telling me to look at the documentation, I’ve never seen such a fucking piece of shit mess before I laid eyes upon the docs for C# & ASP21 -
When you deliver a site to a customer and find out that you forgot to prepare all the statements so that the website wouldn't be vulnerable to SQL injections. So yesterday I forgot to add that, had to close down all the connections to the website and rewrite all the statements. Everything is good now.
-
It is sometimes shocking to see 10+ developers working on a fairly big project (online quiz). Missing data binding operations here and there; as a result, a bunch of SQL injections, which successfully led to the entire DB full of questions and answers sitting on my desktop.
Vulnerabilities have been reported, took them 2 weeks to understand what happened and fix them.
Pretty sad :/1 -
Just what is life
1st I love developing web apps
2nd I hate when it has bugs (always does, everyone does)
3rd More hate for security related bugs
So I started bug hunting so that even I can make developers hurt; I thought I might find peace here
But here we fucking have SQL injections which are not really that bad, easy peasy
But we also have a special kind of SQL injections, the boolean based ones (medium level demons) and also the time based SQL injections (medium level demon with lots of health, consumes too much time, has a repetitive process and we have to wait a lot; also if you have network lag you are doomed)
No, it's a nice story till here, but here it fucking ends, the happiness I mean; my luck is the worst kind of fucking thing anybody ever can have.
I got a mix of both demons ;_;
A time-based boolean SQL injection, yes, fuckety amounts of fucking time wasted and a redundant fucking process; also, to make matters worse, the fucking famous tool #SQLMAP doesn't work in my case -
How exactly can you protect your website from SQL injections and DDoS? The website used PHP and a MySQL database.4
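A worked comparison, added here and not taken from any of the rants above, of the two query styles that keep coming up in this thread: the string-concatenated queries of the "Flexi Lexi" template macro and the raw-PHP shop extension, beside the prepared statements the delivery rant had to retrofit. It is a partial answer to the question just asked: the fix is to bind every request value as a parameter, which closes ordinary, boolean-based and time-based injection alike, since the value never becomes part of the SQL grammar. Python's sqlite3 module stands in for PHP/MySQL (PDO prepared statements use the same `?` placeholder idea); the users table, the `PROBE` string and the allow-list of sort columns are constructed for the example. It also goes one step beyond the thread, to the point raised in the "table's prefix" rant: identifiers such as table or column names cannot be bound as parameters, so they must come from an allow-list instead.

```python
import sqlite3

# Constructed sample schema standing in for the site's MySQL users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


# Constructed probe: the classic tautology that a scanner or a bored student
# would put in a username field. Used only to show the two styles differ.
PROBE = "x' OR '1'='1"


def find_user_vulnerable(conn, username):
    # The concatenation style from the rants: the request value is spliced
    # into the SQL text, so its quotes and keywords are parsed as SQL.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterised(conn, username):
    # Prepared statement: the driver ships the value separately from the
    # query text, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Identifiers (table prefix, column names, ORDER BY targets) cannot be bound
# with '?'; the defensive pattern is a fixed allow-list (constructed here).
ALLOWED_SORT_COLUMNS = frozenset({"id", "username"})


def list_users_sorted(conn, column):
    # Reject anything that is not a known column before it touches the query.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("refusing unknown sort column: %r" % column)
    # Safe to interpolate now: the value can only be one of our own literals.
    sql = "SELECT id, username FROM users ORDER BY " + column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal lookup, concat     :", find_user_vulnerable(db, "alice"))
    print("probe, concat             :", find_user_vulnerable(db, PROBE))
    print("probe, parameterised      :", find_user_parameterised(db, PROBE))
    print("sorted by allow-listed col:", list_users_sorted(db, "username"))
```

Running it, the concatenated lookup returns every row for the probe while the parameterised one returns none, which is the whole difference between a login form that leaks the user table and one that simply finds no such user. The second half of the question (DDoS) is not a query-layer problem and is not covered by this example.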