
Nightmare On Database Street: 5 Database Security Horror Stories - vectorbunny
http://www.darkreading.com/database-security/167901020/security/news/240009983/nightmare-on-database-street-5-database-security-horror-stories.html
======
klausjensen
"...they converted SQL commands into bar codes, printed them out and scanned
them.

When placed under the scanner we were able to perform SQL injection against
the price check Web application..."

SQL injection via printed barcodes. Epic.
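The quoted incident comes down to a price-check application splicing whatever the scanner read straight into a SQL string. The following is an added illustration (not code from the article or from anyone in this thread) of that pattern beside its hardened form: the scan is first validated as a numeric GTIN-style barcode and then bound as a query parameter. The product table, barcodes and prices are constructed sample data.

```python
import re
import sqlite3

# Constructed sample catalogue; the codes and prices are made up.
_ROWS = [
    ("4006381333931", "Ballpoint pen", 1.99),
    ("0012345678905", "Notebook", 4.50),
]


def _make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (barcode TEXT PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", _ROWS)
    conn.commit()
    return conn


CONN = _make_db()


def lookup_price_unsafe(scanned: str):
    """Vulnerable pattern: the scanner's bytes are pasted into the SQL text,
    so anything the scanner decodes is interpreted as part of the query."""
    sql = f"SELECT name, price FROM products WHERE barcode = '{scanned}'"
    return CONN.execute(sql).fetchone()


# EAN-8, UPC-A, EAN-13 and GTIN-14 are all purely numeric, 8 to 14 digits.
BARCODE_RE = re.compile(r"[0-9]{8,14}")


def lookup_price_safe(scanned: str):
    """Hardened: reject anything that is not shaped like a barcode, then bind
    the value as a parameter so the database never parses it as SQL."""
    if not BARCODE_RE.fullmatch(scanned):
        return None
    return CONN.execute(
        "SELECT name, price FROM products WHERE barcode = ?", (scanned,)
    ).fetchone()


def unsafe_lookup_errors(scanned: str) -> bool:
    """Detection aid: True when the unsafe query fails to parse, which shows
    the scanned text reached the SQL parser as syntax rather than as data."""
    try:
        lookup_price_unsafe(scanned)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    # A scan containing a stray quote: the unsafe path chokes on it, the safe
    # path simply refuses it.
    print(unsafe_lookup_errors("4006381333931'"))   # True
    print(lookup_price_safe("4006381333931'"))      # None
    print(lookup_price_safe("4006381333931"))       # ('Ballpoint pen', 1.99)
```

The validation step matters as much as the parameter binding: a scanner is just a keyboard, so the application has to treat its input with the same suspicion as a web form field, and the allow-list is cheap because real retail barcodes are numeric.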

~~~
ajtaylor
I laughed when I read this too! That's true "outside the box" thinking.

~~~
dguaraglia
Funnily enough, someone suggested something similar at work a few days ago and
I had to shoot him off the air. He wanted to use URLs encoded in a QR to
trigger an action (say, "use coupon"). No authentication, nothing. The idea
has _some_ merit, as we wanted this feature to work on any kind of phone and
we only have Android and iOS clients, but the whole idea of having a GET
request trigger a change on the server made my skin crawl.
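The concern above is that a URL in a QR code is an unauthenticated GET, and anything that can fetch a link (a preview bot, a prefetching browser, a crawler, or anyone who photographs the code) would redeem the coupon. An added sketch, not the commenter's system, of how a "use coupon" endpoint can still be reached from any phone via a QR-encoded link while refusing to change state on GET: the link lands on a confirmation page, and the redemption itself requires POST, a logged-in session and a per-session CSRF token. Sessions, coupons and the route name `/coupon/use` are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for a real session store and
# coupon table.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
COUPONS = {"SAVE10": {"owner": "alice", "used": False}}


def handle(method: str, path: str, cookies: dict, form: dict):
    """Minimal router for the coupon flow. Returns (status, body)."""
    if path != "/coupon/use":
        return 404, "not found"

    # A GET is what a QR-encoded URL produces. It may render a confirmation
    # page but must not change anything: GETs are fired by link previews,
    # prefetchers and crawlers without any intent from the user.
    if method == "GET":
        return 200, "confirmation page: submit the form to apply the coupon"
    if method != "POST":
        return 405, "method not allowed"

    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "login required"

    # The CSRF token ties the POST to a form this session actually rendered,
    # so a foreign page cannot submit it on the user's behalf.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "bad csrf token"

    coupon = COUPONS.get(form.get("code", ""))
    if coupon is None or coupon["owner"] != session["user"]:
        return 404, "no such coupon"
    if coupon["used"]:
        return 409, "coupon already used"   # redemption is not repeatable
    coupon["used"] = True
    return 200, "coupon applied"


if __name__ == "__main__":
    print(handle("GET", "/coupon/use", {}, {"code": "SAVE10"}))
    good = {"code": "SAVE10", "csrf": SESSIONS["sess-abc"]["csrf"]}
    print(handle("POST", "/coupon/use", {"session": "sess-abc"}, good))
    print(handle("POST", "/coupon/use", {"session": "sess-abc"}, good))
```

The QR code then carries nothing more than a link to the confirmation page, which works on any phone with a browser, and the actual change on the server happens only through the authenticated POST.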

