this post was submitted on 05 Feb 2025
265 points (98.2% liked)
Programmer Humor
What's the second one do?
Bypassing authentication or checks by incorporating a statement that always returns true, and doing an 'or' operation with the statement being injected. It manipulates the return value of the SQL statement to make it always return true, so if the website is checking if the statement returned true to indicate, for example, the password is correct, it will now think that was the case.
So does that imply they already knew the candidate they were hiring, and were just checking if this is the guy?
No, the interviewer is a personification of the naive backend that checks only that a specific row is present in the DB, or that's how I read it.
So I guess the interview is handled by a non-vulnerable intermediate process, which adds the hire to the main table of employees at some point in a successful interview, and then calls a notification process that just searches it?
yeah something like "if new candidate in employee DB == hired"