Running an SQL Injection Attack - Computerphile

Published on Jun 15, 2016 2,095,535 views

Just how bad is it if your site is vulnerable to an SQL Injection? Dr Mike Pound shows us how they work.

Cookie Stealing: https://youtu.be/T1QEs3mdJoc
Rob Miles on Game Playing AI: https://youtu.be/5oXyibEgJr0
Secure Web Browsing: https://www.youtube.com/watch?v=E_wX4...
Deep Learning: https://youtu.be/l42lr8AlrHk
Tom Scott on SQL Injection: https://youtu.be/_jKylhJtPmI


This video was filmed and edited by Sean Riley.

Computer Science at the University of Nottingham: http://bit.ly/nottscomputer

Computerphile is a sister project to Brady Haran's Numberphile. More at http://www.bradyharan.com

  • John Doe
    John Doe 2 года назад Instructions unclear, NSA is outside my house.
  • TruthNerds
    TruthNerds 3 недели назад NSA agent: We found an evil hacker! NSA supervisor: Great, let's send a recruiter…
  • Tony Solar
    Tony Solar 2 месяца назад I (IRL) got offered a job (in 2008) by the FBI for Cyber Security position. I turned it down because I smoke weed and I would not have passed their drug tests. So much awesome talent (Others in the same situation) rejected because of THC. FYI: A lot of hackers, developers and sysadmins do smoke marijuana.
  • Jérémy
    Jérémy 3 месяца назад Just outside then you are fine =)
  • Deon Leggett
    Deon Leggett 3 месяца назад KtośNieZnajomy lol
  • KtośNieZnajomy
    KtośNieZnajomy 3 месяца назад jokes on you i have them inside
  • Deon Leggett
    Deon Leggett 3 месяца назад j240x No actually it is not a joke cannot believe how you came to this conclusion.
  • Deon Leggett
    Deon Leggett 3 месяца назад There's No Such Agency. (Get it??)
  • John Carr
    John Carr 4 месяца назад The NSA isn't a law enforcement agency. Nice try, though.
  • Jose Lopez
    Jose Lopez 5 месяцев назад lol
  • Aidan Sykes
    Aidan Sykes 6 месяцев назад NSA Doesn't come after you for SQL Injections.
  • 1abba1 / MHF_Developer
    1abba1 / MHF_Developer 7 месяцев назад That One Goose woooosh 🙃
  • Jake Roberts
    Jake Roberts 7 месяцев назад @blackham7 Yes, He is taking it up the shitter
  • Donkey
    Donkey 7 месяцев назад @blackham7 r/wooosh
  • 1000 subs with no videos challange
    1000 subs with no videos challange 8 месяцев назад That One Goose i think he wooosh wooooshed you xddd
  • Violence embedded in flesh
    Violence embedded in flesh 8 месяцев назад FBI OPEN UP. STOP RESISTING, U ARE SURROUNDED
  • Benjamin Soyka
    Benjamin Soyka 8 месяцев назад Really? The FBI came to me.
  • DehKayGeeBee
    DehKayGeeBee 9 месяцев назад blackham7 r/whoooosh
  • Cameron Sheppard
    Cameron Sheppard 9 месяцев назад Ha.
  • Damian Moss
    Damian Moss 9 месяцев назад John Doe
  • Joke Hogenbirk
    Joke Hogenbirk 9 месяцев назад That One Goose
  • Stampyattack
    Stampyattack 10 месяцев назад Black ham r/woooosh
  • Ashes
    Ashes 10 месяцев назад pet the dogs, they won't (probably) bite
  • CrazyMalay
    CrazyMalay 10 месяцев назад lol
  • Ty LeCreux
    Ty LeCreux 10 месяцев назад r/wooosh
  • MinhazMurks
    MinhazMurks 10 месяцев назад Sounds like the instructions were very clear
  • Dillinger R.
    Dillinger R. 10 месяцев назад I had the FBI and the secret service at my door once.
  • Echoz
    Echoz Год назад They're already inside your house though.
  • Hairy French Ass
    Hairy French Ass Год назад The Creeper King Ok my bad then buddy.
  • The Creeper King
    The Creeper King Год назад Régis Loyauté you have misunderstood the point of my reply.
  • Hairy French Ass
    Hairy French Ass Год назад The Creeper King just shut up stop being a douchbag
  • The Creeper King
    The Creeper King Год назад (изменено) John Doe actually it would be the fbi Edit: Not trying to be a douche bag
  • Yuichi Inumaru
    Yuichi Inumaru Год назад i hate when it happens
  • Max Echendu
    Max Echendu Год назад (изменено) Grunt TheRunt ... Is it weird that, when looking at your picture while reading your comment, I now feel like the NSA is run by dogs sat around a round table?
  • __
    __ Год назад (изменено) xD omg that is hilarious!!! too funny, if you have NSA outside then you def did something right
  • Grunt TheRunt
    Grunt TheRunt Год назад Please answer the door... We don't want to wake your family up... Just let your big brother in
  • Friemeltjes
    Friemeltjes Год назад Nah cuz ur john doe
  • j240x
    j240x Год назад It's a joke.
  • Golz 60
    Golz 60 Год назад They want to offer you a job, no worries.
  • That One Goose
    That One Goose Год назад blackham7 wooosh
  • blackham7
  • DieselD199's Adventures
    DieselD199's Adventures Год назад 😂😂😂
  • bahadır Durmaz
    bahadır Durmaz 2 года назад John Doe FAV hahahahaa
  • Notice
    Notice 2 года назад 😂😂😂
  • Juuso Vilmunen
    Juuso Vilmunen 2 года назад Can we seriously trust this man? He is clicking 'submit' instead of just hitting 'enter'.
  • Liam Maarhuis
    Liam Maarhuis 4 дня назад Or a man who leaves his rubik's cube at its final step just teasing its completion.
  • Jayanam
    Jayanam Неделю назад It's even worse: Owns a book about WPF in C# 2010.
  • Bashn Dafash
    Bashn Dafash 2 месяца назад U jelly of his mad apm?
  • Oskar Petunovs
    Oskar Petunovs 3 месяца назад You have to create a code to press enter...
  • Yasyas Marangoz
    Yasyas Marangoz 3 месяца назад @nanotech2080 xD
  • Taun-Chi Gaming
    Taun-Chi Gaming 3 месяца назад He may not have programmed the button to submit on key press..
  • MeihanaBee
    MeihanaBee 4 месяца назад haha ive noticed all the oldies do that
  • Loading 0319
    Loading 0319 4 месяца назад Very great observation
  • Brad Yalo
    Brad Yalo 5 месяцев назад Maybe he didn't define enter in his JavaScript code.
  • Ilovemy sachiko
    Ilovemy sachiko 6 месяцев назад I
  • Aleksey Stetsenko
    Aleksey Stetsenko 7 месяцев назад Nice joke
  • Modus Pwnens
    Modus Pwnens 7 месяцев назад it's the suspense of waiting for the result. he's an actor rn, giving us performance. know how to contextualize! :P
  • Henry T.
    Henry T. 7 месяцев назад Well, it depends on whether or not his input is a part of an HTML form element. If it is, enter will work, otherwise, it won't.
  • Juan Carlos Alvarez
    Juan Carlos Alvarez 7 месяцев назад hahahahaha!
  • kent leonhart
    kent leonhart 8 месяцев назад Hey, don't make fun of the submit button or else they will take it away from you.
    PRIYANK DALAL 8 месяцев назад Hehhehe lol
  • Glenn Mesel
    Glenn Mesel 9 месяцев назад Must be tha police. Yes.-
  • J's Day Out
    J's Day Out 9 месяцев назад Juuso Vilmunen
  • Ahmed Abdi
    Ahmed Abdi 10 месяцев назад Juuso Vilmunen Jokes are not allowed here.
  • Kartik Khullar
    Kartik Khullar Год назад Simo1548 Absolutely
  • Simo1548
    Simo1548 Год назад Maybe he doesnt have an event for key clicked for the text zone
  • xBlue - Fighting TechSupport Scammers
    xBlue - Fighting TechSupport Scammers Год назад Well lets just forget about the fact he is freaking teaching at a university.
  • Steve Infinix
    Steve Infinix 2 года назад How does it differ while they are both submit parameters to feed a get request ?
  • Callum Atwal
    Callum Atwal 2 года назад +Juuso Vilmunen it's probably an input submit so the enter key would work. guess it's just for illustration
  • Juuso Vilmunen
    Juuso Vilmunen 2 года назад @TheManUtdGuy Mostly it just works but you might be right. Tab -> spacebar is a thing I use.
  • TheManUtdGuy
    TheManUtdGuy 2 года назад Also, considering the crappiness of the website, it probably doesn't support pressing enter to search.
  • Juuso Vilmunen
    Juuso Vilmunen 2 года назад yes, of course. I was just joking.
  • Xathian
    Xathian 2 года назад When demonstrating something, you should try and not use shortcut keys. It's better for learning and visualization if people can see every action you're making.
  • Juuso Vilmunen
    Juuso Vilmunen 2 года назад I guess he wanted to point at it.
  • nanotech2080
    nanotech2080 2 года назад He is obviously very proud of his submit button design.
  • MrDeeb
    MrDeeb 2 года назад Thank you Peter Parker
  • Diego González
    Diego González 3 месяца назад Lol
  • Grey Code
    Grey Code 5 месяцев назад @Citizen A.D. I love the 'web' part.
  • TheLollercaster
    TheLollercaster 6 месяцев назад @ThePaulohubert ouch
  • ThePaulohubert
    ThePaulohubert 6 месяцев назад MrDeeb he is doing some WEB engineering !! (Do you get it?? )
  • -_Unknown Legend_-
    -_Unknown Legend_- 6 месяцев назад Why do you have 666 likes?
  • TheLollercaster
    TheLollercaster 6 месяцев назад lol, I am glad I wasn't the only one
  • Citizen A.D.
    Citizen A.D. 7 месяцев назад In this Alternate Spiderverse, Peter Parker got fed up with chasing low-budget criminals in NY, quit his cr*ppy job and moved to the UK. There he developed an English accent, got a degree (and later a PhD) in cybersecurity to protect his new identity and it was a logical choice since he already had close relations with the Web ;) So, this would be shortly the origin story of Dr. Mike Pound.
  • Dan Iel
    Dan Iel Год назад FRODO!
  • Leon Weber
    Leon Weber Год назад Or Frodo from the lordof the rings
  • Dalton
    Dalton Год назад I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂
  • Ashley Harryman
    Ashley Harryman Год назад Underrated post
  • Tomas Canevaro
    Tomas Canevaro Год назад He's the cool version of Peter Parker, from Spiderman 3
  • Google+ SUCKS BALLS - the worst forced social network
    Google+ SUCKS BALLS - the worst forced social network 3 года назад ..what is illegal? running sql attack or making shitty web apps? Coz my real name is "'; DROP table users; SELECT '"
  • Daniel Yengle
    Daniel Yengle 1 месяц назад @modernkennnern no, stealing the information is illegal.
  • Thugasaurus Rex
    Thugasaurus Rex 1 месяц назад Kek
  • ian rarity
    ian rarity 1 месяц назад Love it hahaha.
  • 1 месяц назад Alright Bobby No Tables.
  • QuestWalker KO
    QuestWalker KO 1 месяц назад @Padarom the community doesn't like it
  • QuestWalker KO
    QuestWalker KO 1 месяц назад @jan harald yes, they are
  • jan harald
    jan harald 1 месяц назад @Troy Nall people don't actually care WHAT is illegal, they care about pointint out what IS, because they're so smart they have nothing better to do
  • Troy Nall
    Troy Nall 1 месяц назад everyone is all "this is illegal" blah blah blah. hillary clinton emailed sensitive information over an unencrypted connection, does anyone have any idea, how illegal that is ? but no one cares.
  • Troy Nall
    Troy Nall 1 месяц назад @@modernkennnern no its not. he is educating you.
  • jan harald
    jan harald 1 месяц назад @Master80059 no they're not
  • Master80059
    Master80059 1 месяц назад @jan harald all apps are shity
  • demrifnoC itanimullI
    demrifnoC itanimullI 1 месяц назад @Harrison Harris that'd be pretty hilarious
  • mrWho?
    mrWho? 2 месяца назад @atomheartother what if you use a VPN? wouldn't that be safe enough for using illegal names?
  • Tau
    Tau 2 месяца назад Harrison Harris That's when you find out that the databases for real persons names are injectable hahahaha
  • xorinzor
    xorinzor Год назад ah! little bobby tables, there you are!
  • fake harkaj
    fake harkaj Год назад having that name is illegal
  • MisterL2
    MisterL2 Год назад making insecure apps is illegal to some extent as you are responsible for information stored on them
  • Alexander.x4x
    Alexander.x4x 2 года назад HAHAHHAHAHA
  • Tim Gass
    Tim Gass 2 года назад Liked only for the best username I've ever read.
  • Ivanro Ismael Gomes Jao
    Ivanro Ismael Gomes Jao 2 года назад ahah
  • Dom Troisi
    Dom Troisi 2 года назад obviously it depends on the country
  • DontBeMadBro
    DontBeMadBro 2 года назад or they were hackers and they knew he will be too
  • Jason Erdmann
    Jason Erdmann 2 года назад Your parents must've hated you when they named you. ;)
  • Mike Meyer
    Mike Meyer 3 года назад +Paradom it means you'll lose the trial by media.
  • desert123100
    desert123100 3 года назад shitty private game servers used to be destroyed by this
  • ryan edge
    ryan edge 3 года назад @Eric D In the US, credit card info is managed under the Payment Card Industry - Data Security Standards (PCI-DSS), and medical is covered under HIPAA. @fruitshuit is correct, I was talking about US law.
  • Eric D
    Eric D 3 года назад @fruitshuit In the US, I think the data would have to be credit card or banking info, not just any data but I'm no expert on the subject, I do know that it is illegal to insecurely store credit card info though.
  • fruitshuit
    fruitshuit 3 года назад In the UK (where the video was filmed), you can also face fines and imprisonment because letting a bunch of your users information leak out (i.e. failing to comply with the data protection act) is a criminal offence.
  • ryan edge
    ryan edge 3 года назад It is ILLEGAL to perform a sql injection attack without explicit permission BEFORE you do it. It is LEGAL to write shitty code. If you write shitty code, and a bunch of your users information leaks out, those users can sue you.
  • Eric D
    Eric D 3 года назад well, at least your name only deletes stuff, and then returns a bit more detail then tries to return everything instead just returning stuff.
  • Harrison Harris
    Harrison Harris 3 года назад @jan harald what If I ask a black hat hacker who doesn't prohibit it?
  • jan harald
    jan harald 3 года назад @Padarom prohibited by every single person you will ask and even some who you don´t ask
  • Harrison Harris
    Harrison Harris 3 года назад I wonder if you could change your legal name to that.
  • Padarom
    Padarom 3 года назад Making your application insecure towards attacks and putting your user's sensitive informations at risk of being stolen and released is illegal. @jan harald: What is "illegal by community" supposed to mean?
  • jan harald
    jan harald 3 года назад attacking someone without their permission is illegal by law making shitty apps is illegal by community
  • modernkennnern
    modernkennnern 3 года назад releasing the information is illegal.
  • atomheartother
    atomheartother 3 года назад Both.
  • Travis Petit
    Travis Petit 2 года назад Imagine naming your child "LIKE'%' UNION SELECT * FROM TABLEBASE" so that when they register its name, you'll get the information on all of the country's database
  • Vader
    Vader 1 месяц назад am i the only one who thought this was funny?
  • Frammshamm
    Frammshamm 1 месяц назад I think its more interesting to imagine who refers to their child as "it"
  • Efrain Yauri
    Efrain Yauri 1 месяц назад varchar will not allow that
  • TheTStandsForThomas
    TheTStandsForThomas 2 месяца назад @zzz This is exactly what most people can't wrap their head around because they're shrouded in PHP's sort of notorious past. I've used anything from assembly to C++ and PHP and I can tell you that PHP allows some very cool application constructs, matching those of C. But the amount of inexperienced programmers usually causes this kind of injection to be possible.
  • Crab Synth
    Crab Synth 2 месяца назад Exceptional comment ! Made me fall out of my chair...You sir get a cookie.
  • Jiří Horák
    Jiří Horák 2 месяца назад @Satan no language is better than other. it just varies in the use purposes. Some would say PHP is a bunch of hacks sewn together ("still keeps floating tough" :D) yet it allows you to do simple (and hacky) things and unlike python, its created for server. Python is rather slow, but very easy to code in, with nice readability, suitable mostly for sripting and testing... so the answer is (as always) - depends
  • Satan
    Satan 3 месяца назад @BUFFDOENUT950 Never heard of running python on apache. Why would you do that? Every normal provider is running python [Django, Flask etc..] on gunicorn.
    BUFFDOENUT950 3 месяца назад @Satan python is very unstable on Apache servers. It's a little difficult to run a successful backend using it. Python is better for computer applications or interfacing with other programs. It can be done though. It's just a little too much work when all you gotta do is use php or perl which are designed for backend web programming.
  • CarlFortune Eslava
    CarlFortune Eslava 3 месяца назад Hahaha
  • Joshua Sweetvale
    Joshua Sweetvale 3 месяца назад I too read XKCD
  • Lasagne
    Lasagne 3 месяца назад Imagine falling over and you accidently ';DROP TABLE users;--
  • le derp
    le derp 3 месяца назад @GitarStu was about to reply the same thing :,D
  • animemonkey555
    animemonkey555 4 месяца назад someone hasn't heard the story of little billy tables aka Robert'); DROP TABLE students;--
  • Bady89
    Bady89 4 месяца назад @Simon Liljestrand xD Made my Day
  • Mr. X
    Mr. X 4 месяца назад I will need to try it
  • PI Guy
    PI Guy 4 месяца назад @zzz that was a Python diss, wasn't it?
  • Simon Liljestrand
    Simon Liljestrand 4 месяца назад (изменено) Do you expect the information output be displayed on your child then, or does it just make you happy that it may have been outputed somewhere?
  • Wolvinius
    Wolvinius 5 месяцев назад Little Bobby tables, check it out!
  • scientist100
    scientist100 5 месяцев назад @Satan PHP is easier to run and execute.
  • Manuel
    Manuel 6 месяцев назад Guys, you need to start the comment after the malicous code, not before it. Check the actual xkcd sketch, he did it the right way.
  • seb
    seb 6 месяцев назад ​@Raunak Chhatwal The White House website is a WordPress. Not even kidding.
  • Mokuton Kitsune
    Mokuton Kitsune 7 месяцев назад Ah yes Bobby;'-- DROP TABLE 'students'. We call him little Bobby Tables
  • RacingAtHome
    RacingAtHome 8 месяцев назад Oh yes, Little Bobby Tables we call him.
  • James Stewart
    James Stewart 8 месяцев назад Little Bobby Tables?
  • Nathan Johnson
    Nathan Johnson 8 месяцев назад @Raunak Chhatwal SQL injection can (and does) happen in applications written in any language, not just PHP.
  • MrAhmedUA
    MrAhmedUA 8 месяцев назад prepared statements ?
  • Sebastian Goyburu
    Sebastian Goyburu 8 месяцев назад Of course! Little Bobby Tables!
  • coderinclouds
    coderinclouds 8 месяцев назад Arjun Satarkar  When you get the post letter which tells, hello your name * has been registered into name database etc. There would be the whole database at your name tag. :D
  • Cycle Coma
    Cycle Coma 9 месяцев назад I mean that's not even considering heaven's database. We would potentially have the entirety of existence's heavenly usernames and passwords
  • ithinkitsaurus
    ithinkitsaurus 9 месяцев назад my birth name is actually ':-- DROP DATABASE
  • siisihqdaa
    siisihqdaa 10 месяцев назад US government sites use Drupal which uses PHP, so US government actually uses PHP
  • Nico Braun
    Nico Braun Год назад no the real problem is everybody knows pretty much to 100% how the php html sql stuff is structured for all the sites using those. We know the way the database works and which keywords to pass it. Allways the same like select from and so on. So its very easy to start quessing.
  • GitarStu
    GitarStu Год назад Google Johnny Tables joke
    EXTREME_FATBOI Год назад ^^^^^^^^^^
  • Satan
    Satan Год назад Why is PHP better then Python please?
  • zzz
    zzz Год назад LordOfRandomStuff PHP is not even that bad, it's still better than Python at least. Also, since PHP 7, it's even faster than Ruby (check the benchmark).The problem is that a significant number of inexperienced developer who can't write code properly use this language compared to, let's say, Ruby, Node.JS, .NET, Java, or Go.
  • Arjun Satarkar
    Arjun Satarkar Год назад The application which registers the name will receive that data, and maybe crash. You will be gain anything.
  • Ilyass Saadi
    Ilyass Saadi 2 года назад Travis Petit probem is, you should rather imagine that names of people would contain else than alphabet (numbers and symbols)
  • blane1257
    blane1257 Год назад (изменено) the intro had "<computerphile>" and the outro "</computerphile>"... smart... love the attention to detail
  • AnarchyCenter
    AnarchyCenter 1 месяц назад Andrew Robinson no, it’s more like computerphiletml
  • ProfesorYT
    ProfesorYT 1 месяц назад @Andrew Robinson It does if you give it a css
  • Nishant Bilkhiwal
    Nishant Bilkhiwal 3 месяца назад It's your attention to his detail.
  • Yasyas Marangoz
    Yasyas Marangoz 3 месяца назад Really?? Cool man...
  • Ng John
    Ng John 3 месяца назад @Andrew Robinson Don't take it seriously
  • cadfoot
    cadfoot 5 месяцев назад Andrew Robinson custom html elements)
  • WASSCE Tutorials
    WASSCE Tutorials 7 месяцев назад @Shaheer Aameer I guess. lol!
  • Luger P08 9x19 Parabellum
    Luger P08 9x19 Parabellum 7 месяцев назад @WASSCE Tutorials learning.
  • WASSCE Tutorials
    WASSCE Tutorials 7 месяцев назад What are u doing here if u don't know that?? lol
  • FBI Webcam Surveillance Manager
    FBI Webcam Surveillance Manager 8 месяцев назад Andrew Robinson Fair enough haha
  • Andrew Robinson
    Andrew Robinson 8 месяцев назад Being the pedantic developer I am, it's more like XML since HTML doesn't support a <computerphile> tag.
  • rixogtr
    rixogtr 8 месяцев назад oh now that makes sense :D Thanks
  • FBI Webcam Surveillance Manager
    FBI Webcam Surveillance Manager 8 месяцев назад rixogtr HTML opening and closing tags.
  • rixogtr
    rixogtr 8 месяцев назад what that means ?
  • Pasha
    Pasha 3 года назад A 2rd degree attack would be me naming my children ";--"
  • Skycloud
    Skycloud 1 месяц назад Pasha you can edit comments lol
  • demrifnoC itanimullI
    demrifnoC itanimullI 1 месяц назад 2rd
  • Kris Rosario
    Kris Rosario 1 месяц назад @CuZoSky no that would be T.. erd
  • DjMaster$4
    DjMaster$4 9 месяцев назад 😂😂😂😂
  • m-byte918
    m-byte918 10 месяцев назад 3nd
  • raza il king
    raza il king Год назад face-palm x 2/3?
  • FlameYT 9172
    FlameYT 9172 Год назад 2rd
    DANIEL MESKIN Год назад 2rd ( ͡° ͜ʖ ͡°)
  • Lambert Brother
    Lambert Brother Год назад Actually it's 3rd. You didn't read the comments.
  • MattiOG
    MattiOG 2 года назад Pasha secird? mate it isnt 2rd. its 2nd
  • Simon Bart
    Simon Bart 2 года назад +Ihrbekommtmeinen Richtigennamennicht sequrd
  • Ihrbekommtmeinen Richtigennamennicht
    Ihrbekommtmeinen Richtigennamennicht 2 года назад @CuZoSky twoerd
  • CuZoSky
    CuZoSky 2 года назад 2rd ? "secord" ? :))
  • GlassCurtain
    GlassCurtain 3 года назад Little Bobby Tables!! :)
  • Ihrbekommtmeinen Richtigennamennicht
    Ihrbekommtmeinen Richtigennamennicht 3 года назад Bobby Tables would be proud of you!
  • Pasha
    Pasha 3 года назад LOL I miss-typed 2 instead of 3 hahaha
  • SuperManitu1
    SuperManitu1 2 года назад The hacking videos are the best and most interesting for me as comp science student. Keep them coming!
  • RandomSilly
    RandomSilly 1 месяц назад ma kra I actually like Java. But I hate JavaScript lol
  • ma kra
    ma kra 1 месяц назад @RandomSilly Java is Lava
  • Jared Stemper
    Jared Stemper 3 месяца назад “20 languages” + “comp science student” = doubt
  • Kenny Dominguez
    Kenny Dominguez 8 месяцев назад "comp science student"
  • isopat
    isopat 2 года назад cough
  • RandomSilly
    RandomSilly 2 года назад @SuperManitu1 Then you should be able to exploit things easily. I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.
  • SuperManitu1
    SuperManitu1 2 года назад @Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way
  • Blaze
    Blaze 2 года назад >Javascript When I'm feeling like a masochist perhaps.
  • SuperManitu1
    SuperManitu1 2 года назад @BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.
  • RandomSilly
    RandomSilly 2 года назад Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.
  • anti/HUMAN Designs
    anti/HUMAN Designs 3 года назад I made a website many years ago, and obviously made sure SQL injection wasn't possible, and I also logged stuff, and I did see some people trying to do SQL injection on my website.
  • rchandraonline
    rchandraonline 3 года назад user name consisting of SQL? must be Little Bobby Tables
  • Taun-Chi Gaming
    Taun-Chi Gaming 3 месяца назад lol.. made me chuckle
  • Jay Fulton
    Jay Fulton Год назад Null is a family name that's real. Where I work, we have a tech named Null.
  • Collin Read
    Collin Read 2 года назад Oh, I love that comic. "Oh little Bobby Tables, we call him."
  • Giorgi Gzirishvili
    Giorgi Gzirishvili 2 года назад Where's the "Students" table?
  • Joseph Chong
    Joseph Chong 2 года назад I suddenly remember a man named "null"
  • Finian Blackett
    Finian Blackett 2 года назад XKCD for the win!
  • Fluck
    Fluck 2 года назад I will name my son as Little Bobby Tables
  • tiggerbiggo
    tiggerbiggo 2 года назад @rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.
  • Zanzlanz
    Zanzlanz 3 года назад This is a very well done demonstration! I liked being able to see how it worked in an actual example. Someone ran one of those scripts on my site to try to hack my database a couple years ago. The only thing it helped me realize is that I needed stronger spam protection, because it left thousands of failed injection comments on one of my pages, haha.
  • vinny142
    vinny142 Год назад "If you've never seen signs of this in log files you either have only been in the business a few years or you don't look at your log files..." Or you don't log your failed queries.
  • Bando Bandit
    Bando Bandit Год назад If you've never seen signs of this in log files you either have only been in the business a few years or you don't look at your log files...
  • bujashaka
    bujashaka Год назад Don't forget it's always easier explain how to do it rather than actually doing it. It's not like he says, try it. You ain't getting anything.
  • xorinzor
    xorinzor Год назад all these responses here.. no, just no. Just use Prepared statements for insertion, and htmlspecialchars for outputting anything from the database to prevent XSS and html injection.
  • Project Overturn aka RareBeeph
    Project Overturn aka RareBeeph Год назад +Zanzlanz The inner machinations of my php code are an enigma...
  • Kanae Akiyama
    Kanae Akiyama Год назад >>>(;)<<<< is really improtant .. learned that the hard way ..
  • Kanae Akiyama
    Kanae Akiyama Год назад lucky you but from what happened to me all my data was dumped 60% of my files is compromised and 30% is stolen/deleted you are really a lucky guy sir ..
  • Jack de Coco
    Jack de Coco 2 года назад just dont use php, use java / nodejs and a proper orm library
  • Harish Vanjari
    Harish Vanjari 2 года назад use parameterization technique in case of asp.net
  • Achraf Almouloudi
    Achraf Almouloudi 2 года назад No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.
  • Empiter
    Empiter 2 года назад meh, forgot about the ; in the example injection - but you get the point... use prepared statements / stored procedures :-)
  • Empiter
    Empiter 2 года назад htmlspecialchars() for the output as xss protection. in case of php & mysql it would be mysql_real_escape_string() against sql injections in quoted values. but people shouldn't think they would be save when just using these functions. someone can do an sql injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes. in this case you would be save with casting the variable to an int, but best practice in general is using prepared statements.
  • jovaska
    jovaska 2 года назад You need some of that htmlspecialchars(), a stripslashes() and str_replace()
  • ZweiSpeedruns
    ZweiSpeedruns 3 года назад That sounds more like xss than sql injection
  • Hrnek Bezucha
    Hrnek Bezucha 3 года назад Now this is art. I can totally imagine people do stuff like this cause it's fun. Like chess.
  • Euryale Music
    Euryale Music 2 года назад So the best defense is to disable the "Search" box
  • Graynoble
    Graynoble 2 недели назад Use SQL params
  • couldn't think of a good name 123
    couldn't think of a good name 123 2 месяца назад No cause they can still hack you by doing another method in the URL
  • Saidjon Safarov
    Saidjon Safarov 2 месяца назад Don't use any type of input
  • Thor Odinson
    Thor Odinson 3 месяца назад no lol just clean input to the php and dont be lazy
  • Yasyas Marangoz
    Yasyas Marangoz 3 месяца назад @Saeed Baig This would really help...
  • Unleashed
    Unleashed 3 месяца назад 1 year later : youtube disables comment section as their best defense .
  • Chad Towers
    Chad Towers 4 месяца назад From memory it's possible to use your browser search bar to run an SQL query
  • Adam Atlas
    Adam Atlas 4 месяца назад Nah, silly lol Just ban "UNION" from your search box...
  • Shoko
    Shoko 5 месяцев назад No client can't hack you if you have no clients #LifeHack @Saeed Baig
  • Saeed Baig
    Saeed Baig 8 месяцев назад The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.
  • Ioganstone
    Ioganstone Год назад Only criminals need search boxes.
  • Luke Faez
    Luke Faez Год назад UNINSTALL PHP
  • Chase Brower
    Chase Brower 2 года назад You don't go to jail if you don't get caught.
  • Sarath Sajan
    Sarath Sajan Неделю назад ( ͡° ͜ʖ ͡°)
  • Oskar Petunovs
    Oskar Petunovs 3 месяца назад This encourages me to watch netflix without parents permission and going to sleep when my parents tell my twice
  • Power_Play_6
    Power_Play_6 4 месяца назад HACKERMAN
  • Peter Wright
    Peter Wright 6 месяцев назад Well done, genius.
  • Kosta Kuzmanovic
    Kosta Kuzmanovic 6 месяцев назад (изменено) I misread your last name as 'Browser' and thought I should just let you know about that
  • American Citizen
    American Citizen 6 месяцев назад That's what Hillary told me.
  • malhar jajoo
    malhar jajoo 9 месяцев назад you don't go to jail if you never try to learn this stuff. * makes the meme face *.
  • Rasheed Hadi
    Rasheed Hadi Год назад Frank zapper
  • 36 and a half foot weinered frog
    36 and a half foot weinered frog 2 года назад @Chase Brower no, not just me. EVERYONE.
  • Chase Brower
    Chase Brower 2 года назад @Iceborn Gauntlet probably you.
  • General Makaba
    General Makaba 2 года назад Understanding How To Attack A Database or network make you a better administrator or analyst. You must know what a bank robber looks like before you can protect the bank. You guys and gals are doing the lords work.
  • Amanda J
    Amanda J 5 месяцев назад They're called Penetration Testers or Ethical Hackers, they try to hack the system not for bad but to find the weak points and improve it.
  • LANstorm
    LANstorm 9 месяцев назад Hmm. Then he is a gas robber?
  • MelonPlayzYT
    MelonPlayzYT 9 месяцев назад @LANstorm a gas mask
  • LANstorm
    LANstorm Год назад My guess is that he has a mask
  • Basic Gamer
    Basic Gamer Год назад General Makaba what does a bankrobber look like?
  • meptalon
    meptalon 1 день назад Subcription at first video :) This is the best explanation of an SQL injection that I've ever heard. Pretty sure that even non-coders would understand
  • Phil Adams
    Phil Adams 3 года назад "; DROP ALL DATABASES; --
  • Stephan Brun
    Stephan Brun 3 месяца назад @Mozart Databases really give you all the tools you need to shoot yourself in the foot, lol.
  • Mozart
    Mozart 3 месяца назад I have actually done that on a production database because of a rather confusing cluster name. It wasn't a pleasant day.
  • Danny Ryan
    Danny Ryan 4 месяца назад That's why you'd have a web_read account with read-only access.
  • Jorge D. Lopez
    Jorge D. Lopez 4 месяца назад @Chris Ellis and querying the products table does not mean you have access to information schema database
  • ralf
    ralf 5 месяцев назад Imagine destroying YouTube by posting that comment
  • Norman Gezha
    Norman Gezha 6 месяцев назад hahaha you wont go to heaven bro
  • ScemEnzo
    ScemEnzo 7 месяцев назад But they got backups, and you got no money from selling private informations
  • Fireboltofdeath
    Fireboltofdeath 7 месяцев назад +Andrew Robinson More plausible than the other dude, but depending on the size of the company they probably won't if they didn't think about sql injection.
  • Andrew Robinson
    Andrew Robinson 7 месяцев назад And you just know that any system susceptible to SQL injection isn't going to have a backup.
  • Fireboltofdeath
    Fireboltofdeath 8 месяцев назад +Chris Ellis Do you really think someone who isn't going to escape user input, would think about that? Because I honestly don't.
  • Chris Ellis
    Chris Ellis 8 месяцев назад Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.
  • 홍현기
    홍현기 8 месяцев назад OMG...
  • Cristal Men
    Cristal Men Год назад :D
  • Joseph Thapa
    Joseph Thapa Год назад Thats bad
  • Baldeep Birak
    Baldeep Birak Год назад Useful to see as this does work on my website.
  • James-Ryan Stampley
    James-Ryan Stampley 2 недели назад Cosmin Xxx this post gave me cancer
  • Alexander Tambovsky
    Alexander Tambovsky 2 недели назад Rosson311 No. 99.9% of sites aren’t like that. Idk even what sort of website this would work on.