[–] NassTee 0 points 20 points (+20|-0) ago  (edited ago)

A smartass walks into the bar and orders a '); drop table users; --.

[–] TwistedSista 0 points 7 points (+7|-0) ago 

Poor little Bobby Tables :'(

[–] Naked_Dave 0 points 1 points (+1|-0) ago  (edited ago)

Newb here, so I'm kind of getting this: you're closing the string with ";)", and then "drop table users" is something server related, maybe SQL? What's the "--"?

[–] wakkablam 0 points 4 points (+4|-0) ago 

SQL syntax.

So imagine your website has such (very naïve) server logic:

sql_stmt = "SELECT UserID, Username FROM Users WHERE Username = '"
                + form.fields["username"]
                + "' AND Password = '"
                + hash_password(form.fields["password"])
                + "';";

execute_sql(database, sql_stmt)

If you put '; DROP TABLE Users; -- as a username in the form, then the statement gets compiled as the following:

SELECT UserID, Username FROM Users
WHERE Username = ''; DROP TABLE Users; -- ' AND Password = '###########…';

Since -- marks the beginning of a comment line, it effectively neuters the statement and makes it drop (delete) the Users table.

Some people would gain admin privilege by adding stuff like UPDATE TABLE Users SET IsAdmin = 1 WHERE Username = 'wakkablam'; thus promoting user Wakkablam to administrator status or so.

Some poking around might be necessary to guess the structure of tables or such.
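A runnable version of the concatenation above beside its parameterised fix, added here as an example and not part of the original post. It uses Python's sqlite3 with a constructed in-memory Users table; hash_password() is a stand-in for the post's function, and the payload carries a trailing space after -- so the compiled text matches the statement quoted above.

```python
import hashlib
import sqlite3

# Stand-in for the post's hash_password(); the algorithm is not the point here.
def hash_password(password):
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed in-memory Users table with one account, just for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'wakkablam', ?)", (hash_password("hunter2"),))
    return conn

def table_exists(conn, name="Users"):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None

def build_naive_statement(username, password):
    # Same concatenation as the post: form input becomes part of the SQL text.
    return ("SELECT UserID, Username FROM Users WHERE Username = '" + username
            + "' AND Password = '" + hash_password(password) + "';")

def login_naive(conn, username, password):
    # executescript stands in for a driver that accepts stacked statements, so
    # every statement the input smuggled in is run. It returns no rows; the
    # effect is visible in what happened to the table afterwards.
    conn.executescript(build_naive_statement(username, password))

def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the SQL text, so
    # quotes, semicolons and '--' in the input stay literal data.
    return conn.execute(
        "SELECT UserID, Username FROM Users WHERE Username = ? AND Password = ?",
        (username, hash_password(password)),
    ).fetchone()

if __name__ == "__main__":
    payload = "'; DROP TABLE Users; -- "
    print(build_naive_statement(payload, "x"))
    safe = make_db()
    print(login_safe(safe, payload, "x"), table_exists(safe))  # None True
    naive = make_db()
    login_naive(naive, payload, "x")
    print(table_exists(naive))  # False
```

Python's plain execute() refuses strings containing more than one statement, which is why the vulnerable path needs executescript(); that driver quirk is a safety net, not a defence, and the parameterised form is the fix.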

[–] NassTee 0 points 2 points (+2|-0) ago 

The -- makes anything after it into a comment which is ignored by the database. This prevents the remainder of the original command from making the whole thing invalid.

[–] fedevela [S] 0 points 1 points (+1|-0) ago 

Basic SQL injection

[–] BakedMofoBread 0 points 13 points (+13|-0) ago 

God I wish I didn't relate to this.

[–] ThirteenthZodiac 0 points 8 points (+8|-0) ago 

I laughed a whole bunch on the outside, but inside, I'm screaming.

[–] PresidentSkroob 0 points 3 points (+3|-0) ago 

I'm on the other side going "Yup, that's about right. At least they QA'd this time."

[–] SIayfire122 1 points 11 points (+12|-1) ago 

@PuttItOut and @Atko. It's just like the good ol' days when Voat was in its infancy. Now it's one of the most reliable websites I've been on.

[–] sore_ass_losers 0 points 8 points (+8|-0) ago  (edited ago)

You mean SNAHU, Situation Normal: All Hugged Up, don't you, comrade?

[–] fedevela [S] 0 points 3 points (+3|-0) ago 

I must ask the committee BEFORE I can answer.

[–] mralexson 0 points 4 points (+4|-0) ago 

This is a personal attack

[–] TimberWolfAlpha 0 points 3 points (+3|-0) ago 

But did he get his lizard?

[–] ThisIsMyRealName 0 points 3 points (+3|-0) ago 

This is why unit tests aren't all that great.

[–] wakkablam 0 points 2 points (+2|-0) ago 

Unit tests are especially good at preventing regressions, e.g. Adam Customer uses the calculator utility inside your application; the unit test is unable to launch the calculator, therefore the build is broken and shall not be delivered to Adam Customer.

[–] ThisIsMyRealName 0 points 0 points (+0|-0) ago 

How do you test if Mr. Customer can launch the calculator utility? What if it launches, but the user only sees dicks? I joke, but GUIs are hard to work with sometimes and can do weird things, and I don't know how you can test that outside of whether or not it crashed. "It worked fine on my machine."

[–] fedevela [S] 0 points 0 points (+0|-0) ago 

They provide the most basic net. E2E tests are better but more brittle.

Tautological testing.

[–] BillyLuath 0 points 2 points (+2|-0) ago 

I'm right in the middle of that.

[–] fedevela [S] 0 points 1 points (+1|-0) ago 

I feel ya bruh.
