I don't know where to post this

Posted: Tue Jun 17, 2014 9:18 pm
by dinowuff
Not sure if this should be in Security or Joke or the Bar. But check this out. I came across this while fixing a PHP database.

 http://something.com/somepage.php?sql=SELECT+password%20as%20user+FROM+users+WHERE+user+=+%27administrator%27
I do like stupidity. It's one thing not to sterilize your input, but to have admin rights to the database in the actual URL - Fuck ME! I've never seen that before!
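To make the two problems in that URL concrete (the whole query is attacker-controlled, and the account behind the page can do anything), here is an added example that is not from the thread and not the site dinowuff was fixing. It uses Python with an in-memory sqlite3 database as a stand-in for the PHP page and its users table; the table rows, the UPDATE and injection URLs, and the `hardened_handler` replacement are all constructed assumptions. The read-only connection uses sqlite3's authorizer callback to refuse writes, standing in for a database account that only has SELECT.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for the 'users' table named in the post.
SEED_USERS = [("administrator", "s3cr3t"), ("alice", "hunter2")]

# Authorizer actions that change data or schema; refused on the
# low-privilege connection built by make_db(read_only=True).
WRITE_ACTIONS = {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
    sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_CREATE_TABLE,
}


def make_db(read_only=False):
    """Fresh in-memory database seeded with SEED_USERS. With read_only=True an
    authorizer callback denies every write, standing in for a DB account that
    was only granted SELECT (the least-privilege fix the post is missing)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    if read_only:
        conn.set_authorizer(
            lambda action, *_: sqlite3.SQLITE_DENY if action in WRITE_ACTIONS
            else sqlite3.SQLITE_OK
        )
    return conn


def query_param(url, name):
    """Percent-decoded value of one query-string parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_handler(conn, url):
    """The pattern from the post: whatever arrives in ?sql= is executed as-is.
    Returns the result rows, or the database's error text when the account
    is not allowed to do what the URL asked for."""
    try:
        return conn.execute(query_param(url, "sql")).fetchall()
    except sqlite3.DatabaseError as exc:
        return str(exc)


def hardened_handler(conn, url):
    """Hypothetical replacement: the client sends only a username, the SQL is
    fixed in code, the value is bound as a parameter, and the password column
    is never selected. Returns the matching username or None."""
    user = query_param(url, "user")
    row = conn.execute("SELECT user FROM users WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None


def stored_password(conn, user):
    """Direct lookup used only to show whether an attack changed the table."""
    row = conn.execute("SELECT password FROM users WHERE user = ?", (user,)).fetchone()
    return row[0] if row else None


# The first URL is the one quoted in the post; the other two are constructed
# attacks that use the same ?sql= channel, or probe the hardened handler.
URL_FROM_POST = ("http://something.com/somepage.php?sql=SELECT+password%20as%20user"
                 "+FROM+users+WHERE+user+=+%27administrator%27")
URL_OVERWRITE = "http://something.com/somepage.php?sql=UPDATE+users+SET+password%3D%27pwned%27"
URL_INJECT_USER = "http://something.com/somepage.php?user=x%27+OR+1%3D1--"

if __name__ == "__main__":
    full = make_db()
    print(vulnerable_handler(full, URL_FROM_POST))   # [('s3cr3t',)]
    vulnerable_handler(full, URL_OVERWRITE)          # no SELECT needed: a write
    print(stored_password(full, "administrator"))    # pwned
    ro = make_db(read_only=True)
    print(vulnerable_handler(ro, URL_OVERWRITE))     # error text, not rows
    print(stored_password(ro, "administrator"))      # s3cr3t
    print(hardened_handler(ro, URL_INJECT_USER))     # None
```

The point of the two connections: parameterizing the query fixes the injection, but only a least-privilege account stops the damage when some other page gets it wrong, and the URL in the post shows the site had neither.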

Re: I don't know where to post this

Posted: Wed Jun 18, 2014 11:50 am
by SirDice
That's probably the dumbest thing I've seen in years. What kind of ID-ten-T puts their entire SQL query in a GET method?

Re: I don't know where to post this

Posted: Wed Jun 18, 2014 12:42 pm
by DaFoxx
Not a programmer guy in any way, shape or form, so I wouldn't have been able to find that, but once it is pointed out...
even I can see that is just poor. Can only hope it is a test line, but as Dino was working the system, probably not :(

But to show I DO understand the basics, I got XKCD to the rescue :mrgreen:

http://xkcd.com/327/

Re: I don't know where to post this

Posted: Wed Jun 18, 2014 6:05 pm
by dinowuff
SirDice wrote: What kind of ID-ten-T puts their entire SQL query in a GET method?
Believe it or not, Corporate America! A 10+ million a year company! Just trying to save a buck by using sub-standard (idiot) consulting firms.

Re: I don't know where to post this

Posted: Mon Jun 23, 2014 3:57 am
by chaosclown
LMAO....wow...just wow :mad: