The History of SQL Injection (vice.com)
38 points by kawera on Nov 25, 2015 | hide | past | favorite | 9 comments



I am sure there is a lot of code out there vulnerable to SQL Injection, namely ASP code. But I have never seen anyone write new code that way for years. I think it is written about so much mainly because it is easy to explain to non-techies.


This "tutorial" was written in the last few days, and then blog spammed in several places.

http://www.cloudways.com/blog/custom-php-mysql-contact-form/

And I can almost guarantee, some developer somewhere is learning from it.



I get a 404 from the page posted there, what was it?



"Another is to “use SQL libraries that take care of input sanitization for them,” Al-Bassam suggested. This, in short, scrubs any data entered by the user to remove any potential malicious parts of it."

This is bad advice. Some people have apostrophes in their name. Deal with it.

Shameless plug: http://blog.hackensplat.com/2013/09/never-sanitize-your-inpu...


Pretty sure he would have meant sanitization as in escaping characters like quotes and not just deleting quotes.


Escaping won't help. Parameterized queries all the way.


Sure, I really meant always use some library that will do whatever is needed to pass potentially unsafe characters over to SQL, and that sanitization doesn't mean you have to delete these characters. Obviously relying on yourself to properly escape everything is going to fail.
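The apostrophe objection above and the "parameterized queries all the way" replies can be shown side by side. This is an added example, not code from any commenter or from the article; it uses Python's standard sqlite3 module and a constructed in-memory table, and the user name "O'Brien" and the odd input string are constructed values.

```python
import sqlite3


def make_db():
    """Constructed sample table; the second user has an apostrophe in their name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("Alice",), ("O'Brien",)])
    return conn


def lookup_concatenated(conn, name):
    """The injectable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_stripped(conn, name):
    """'Sanitizing' by deleting quotes: no syntax error, but O'Brien can no longer be found."""
    return lookup_concatenated(conn, name.replace("'", ""))


def lookup_parameterized(conn, name):
    """Parameterized query: the value travels separately from the SQL and is only ever data."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def demo():
    """Run all three lookups for the apostrophe name and one quote-laden junk input."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = lookup_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        # The stray quote breaks the statement: the same mechanism an injection relies on.
        results["concat"] = "error: " + str(exc)
    results["stripped"] = lookup_stripped(conn, "O'Brien")          # [] : legitimate user lost
    results["param"] = lookup_parameterized(conn, "O'Brien")        # [2] : found intact
    results["param_junk"] = lookup_parameterized(conn, "'; not a name")  # [] : just a literal
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The concatenated lookup fails on a perfectly ordinary name, the quote-stripping "sanitizer" silently loses that user, and only the parameterized version both finds O'Brien and treats quote-laden input as an ordinary string.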



