Learn More
Resend Email
9
RANTSMCPANTS
5y

If you think parametised queries will save the day think again.

I occasionally test sites I visit throwing a few quotes at inputs and query params.

I also always test logging in as % with user or pass.

Not only are plaintext passwords a thing but so is this:

WHERE username LIKE ? AND password LIKE ?.

Once I saw an OR.

rant

foolproof

sql fucktards
Favorite
Ranter
Comments
  • 1
    5y
    I’ll make note of the “%”. That never occurred to me, thanks for the heads up
  • 4
    5y
    Like...?

    Excuse me,
    LIKE ?!?!?

    WTF???
  • 0
    5y
    @netikras parameterized queries placeholder for arguments is a question mark
  • 3
    5y
    @swablu I know the question mark. What troubles me is 'LIKE'
  • 0
    5y
    I agree with @netikras

    @swablu although it’s parametrised, if you are not validating your input, then that LIKE ? will get replaced with LIKE “%” matching all records which could be massively damaging in more ways at one
  • 1
    5y
    @netikras of course. Haven't you ever remembered only part of your password? I know it's kinda like this. Maybe. At least you can still log in. How nice of them...

    Ahemm....

    Admin
    %

    Nothing to see here. Move along....
  • 0
    5y
    @err-occured yes I agree with you. What we have here is an implicit circular dependency.
Related Rants
devRant © 2021 Hexical Labs LLC
Privacy Policy  |  Terms of Service
Add Comment