Running an SQL Injection Attack - Computerphile

  Рет қаралды 4,521,016

Computerphile

Computerphile

Күн бұрын

Пікірлер: 2 100
@martinpet100
@martinpet100 5 жыл бұрын
How to avoid jail: "I`ve given myself the permission"
@elisttm
@elisttm 4 жыл бұрын
officer i swear what i did wasnt illegal, i gave myself permission to rob him!
@georgek4416
@georgek4416 4 жыл бұрын
@@elisttm ok ur free
@ajinkc1031
@ajinkc1031 3 жыл бұрын
XDDD
@revenevan11
@revenevan11 3 жыл бұрын
@@elisttm this reads like a privilege escalation exploit lol
@bxnkroll
@bxnkroll 3 жыл бұрын
I'm using it
@soweliLuna
@soweliLuna 6 жыл бұрын
the intro had "" and the outro ""... smart... love the attention to detail
@rixogtr
@rixogtr 6 жыл бұрын
what that means ?
@rixogtr
@rixogtr 6 жыл бұрын
oh now that makes sense :D Thanks
@andy.robinson
@andy.robinson 6 жыл бұрын
Being the pedantic developer I am, it's more like XML since HTML doesn't support a tag.
@sirturnables
@sirturnables 6 жыл бұрын
What are u doing here if u don't know that?? lol
@toyotaae86truenogt-apex97
@toyotaae86truenogt-apex97 6 жыл бұрын
@@sirturnables learning.
@clementella
@clementella 7 жыл бұрын
Me: Can I SQL Injection Attack your website Me:Sure
@katherinegonzales4916
@katherinegonzales4916 5 жыл бұрын
That's what he did
@kubadzejkob332
@kubadzejkob332 5 жыл бұрын
Imagine he has schizofrenia and fires a lawsuit against himself.
@kubadzejkob332
@kubadzejkob332 5 жыл бұрын
Or simply changes his mind.
@Shubhankar31
@Shubhankar31 4 жыл бұрын
*Mr. Robot intesifies*
@1kennylo
@1kennylo 4 жыл бұрын
😂
@barkeeper7887
@barkeeper7887 4 жыл бұрын
imagine not giving yourself permission to do this on your own website and then you sue yourself, win the lawsuit and then land in prison
@costafinkel
@costafinkel 4 жыл бұрын
Well, at least you would be able to win your own money. Thats more than what can be said for some married / divorced folks.
@barkeeper7887
@barkeeper7887 4 жыл бұрын
You’re pretty damn right m8
@aviddavid8793
@aviddavid8793 4 жыл бұрын
mmmMM the court fee and if you have 1000 iq your lawyar takes about 30%
@heeheehawhawheehee
@heeheehawhawheehee 3 жыл бұрын
Then become mr robot
@imho2278
@imho2278 3 жыл бұрын
Write it off as a tax deduction.
@karldavis7392
@karldavis7392 3 жыл бұрын
Decades ago, my brother named his bowling team "select *". This was in the early days of computers, so there wasn't modern security. The bowling alley printed the statistics, and when his team arrived, the employee presented an entire ream of paper and demanded they choose a different name.
@bsvenss2
@bsvenss2 3 жыл бұрын
Hehehe... funny. It's like the first Unix systems where you couldn't have a user named "Ed".
@karldavis7392
@karldavis7392 3 жыл бұрын
@@bsvenss2 Would it start the editor?
@Deeeve
@Deeeve Жыл бұрын
@@karldavis7392 it would lol
@MrDeeb8
@MrDeeb8 8 жыл бұрын
Thank you Peter Parker
@tomascanevaro4292
@tomascanevaro4292 7 жыл бұрын
He's the cool version of Peter Parker, from Spiderman 3
@ashharryman19
@ashharryman19 6 жыл бұрын
Underrated post
@RedditNovelties
@RedditNovelties 6 жыл бұрын
I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂
@warpman345
@warpman345 6 жыл бұрын
Or Frodo from the lordof the rings
@DanIel-fl1vc
@DanIel-fl1vc 6 жыл бұрын
FRODO!
@tommytomtomtomestini3894
@tommytomtomtomestini3894 8 жыл бұрын
Instructions unclear, NSA is outside my house.
@Drummerdude998
@Drummerdude998 8 жыл бұрын
😂😂😂
@baho644
@baho644 7 жыл бұрын
John Doe FAV hahahahaa
@adamwood1706
@adamwood1706 7 жыл бұрын
😂😂😂
@blackham7
@blackham7 7 жыл бұрын
WTF HOW DID YOU GET NSA OUTSIDE YOUR HOUSE OBVIOUSLY YOU UNDERSTOOD THE INSTRUCTIONS ARE YOU IN PRISON NOW?
@thatonegooze
@thatonegooze 6 жыл бұрын
blackham7 wooosh
@bennyboy968
@bennyboy968 8 жыл бұрын
I love how he explains things non-pretentiously. It seems a lot of people in the computing field really like to think they're better than everyone else.
@AngrySkipperGC
@AngrySkipperGC 6 жыл бұрын
Prince Benny it’s usually not their fault. Having worked with Tech Mobs for the Gold Coast commonwealth games, it’s just how IT dudes are and there is actually a job for people to take what the IT guy says and explains it to the project manager in a way that makes sense.
@morten1
@morten1 6 жыл бұрын
Yeah he's a great teacher too
@americancitizen748
@americancitizen748 6 жыл бұрын
Or with a foreign accent so heavy you can't even tell they are speaking English.
@froyorex4856
@froyorex4856 6 жыл бұрын
Yeah we do 😎
@MrX-nc8cm
@MrX-nc8cm 5 жыл бұрын
Yes we are
@randomuser-vs3oe
@randomuser-vs3oe 5 жыл бұрын
alright youtube, this has been in my recommended for 2 years now, ill watch it, you win.
@universenerdd
@universenerdd 4 жыл бұрын
Underrated
@jamesmccabe2286
@jamesmccabe2286 4 жыл бұрын
Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"
@Кира-м2у3п
@Кира-м2у3п 3 жыл бұрын
lowkey joke
@sachinfulsunge9977
@sachinfulsunge9977 3 жыл бұрын
You just wasted 2 years
@Кира-м2у3п
@Кира-м2у3п 3 жыл бұрын
@@sachinfulsunge9977 hahaha
@mattshnoop
@mattshnoop 5 жыл бұрын
It’s crazy how different my understanding of this video is since the first time I watched it. I watched it back in high school, now I’m halfway through a university degree and have taken web development courses... Funky.
@sadimehti9934
@sadimehti9934 4 жыл бұрын
Got Same feelings haha
@BaconTrainss
@BaconTrainss 3 жыл бұрын
i feel attacked
@shrimps69
@shrimps69 3 жыл бұрын
Just came back after 5 years and I'm second year into IT
@travispetit2410
@travispetit2410 8 жыл бұрын
Imagine naming your child "LIKE'%' UNION SELECT * FROM TABLEBASE" so that when they register its name, you'll get the information on all of the country's database
@ilyasssaadi9594
@ilyasssaadi9594 7 жыл бұрын
Travis Petit probem is, you should rather imagine that names of people would contain else than alphabet (numbers and symbols)
@1wOOrking1
@1wOOrking1 6 жыл бұрын
Why is PHP better then Python please?
@Minecraftsomebody
@Minecraftsomebody 6 жыл бұрын
^^^^^^^^^^
@siisihqdaa
@siisihqdaa 6 жыл бұрын
US government sites use Drupal which uses PHP, so US government actually uses PHP
@ithinkitsaurus
@ithinkitsaurus 6 жыл бұрын
my birth name is actually ':-- DROP DATABASE
@habiks
@habiks 8 жыл бұрын
..what is illegal? running sql attack or making shitty web apps? Coz my real name is "'; DROP table users; SELECT '"
@atomheartother
@atomheartother 8 жыл бұрын
Both.
@modernkennnern
@modernkennnern 8 жыл бұрын
releasing the information is illegal.
@jan_harald
@jan_harald 8 жыл бұрын
attacking someone without their permission is illegal by law making shitty apps is illegal by community
@Padarom
@Padarom 8 жыл бұрын
Making your application insecure towards attacks and putting your user's sensitive informations at risk of being stolen and released is illegal. @jan harald: What is "illegal by community" supposed to mean?
@harrisonharris6988
@harrisonharris6988 8 жыл бұрын
I wonder if you could change your legal name to that.
@SuperManitu1
@SuperManitu1 8 жыл бұрын
The hacking videos are the best and most interesting for me as comp science student. Keep them coming!
@Ownage4lif31
@Ownage4lif31 8 жыл бұрын
Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.
@SuperManitu1
@SuperManitu1 8 жыл бұрын
BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.
@Stigsnake5
@Stigsnake5 8 жыл бұрын
>Javascript When I'm feeling like a masochist perhaps.
@SuperManitu1
@SuperManitu1 8 жыл бұрын
Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way
@Ownage4lif31
@Ownage4lif31 8 жыл бұрын
SuperManitu1 Then you should be able to exploit things easily. I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.
@pandasworld4168
@pandasworld4168 5 жыл бұрын
The interviewer thought the text editor was already the hacking part
@davidprice6462
@davidprice6462 5 жыл бұрын
I noticed his excitement as well.
@arielfenomenon9233
@arielfenomenon9233 5 жыл бұрын
I loved when he nervously asked...so where are u typing that now....as if the whole world was going to blow up >^
@paulaxa1
@paulaxa1 4 жыл бұрын
you know he probably knows but he just asks for the content right?
@georgek4416
@georgek4416 4 жыл бұрын
He knows
@andrewhennessy620
@andrewhennessy620 4 жыл бұрын
at least he's willing to learn
@PaulBunkey
@PaulBunkey Жыл бұрын
This is the best explanation of SQL injection video ever. I've recommended it to a non-technical friend and he got the info-sec job.
@zanzlanz
@zanzlanz 8 жыл бұрын
This is a very well done demonstration! I liked being able to see how it worked in an actual example. Someone ran one of those scripts on my site to try to hack my database a couple years ago. The only thing it helped me realize is that I needed stronger spam protection, because it left thousands of failed injection comments on one of my pages, haha.
@ZweiSpeedruns
@ZweiSpeedruns 8 жыл бұрын
That sounds more like xss than sql injection
@jarmo_kiiski
@jarmo_kiiski 8 жыл бұрын
You need some of that htmlspecialchars(), a stripslashes() and str_replace()
@empiter3359
@empiter3359 8 жыл бұрын
htmlspecialchars() for the output as xss protection. in case of php & mysql it would be mysql_real_escape_string() against sql injections in quoted values. but people shouldn't think they would be save when just using these functions. someone can do an sql injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes. in this case you would be save with casting the variable to an int, but best practice in general is using prepared statements.
@empiter3359
@empiter3359 8 жыл бұрын
meh, forgot about the ; in the example injection - but you get the point... use prepared statements / stored procedures :-)
@AchrafAlmouloudi
@AchrafAlmouloudi 8 жыл бұрын
No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.
@AriannaEuryaleMusic
@AriannaEuryaleMusic 7 жыл бұрын
So the best defense is to disable the "Search" box
@Ioganstone
@Ioganstone 6 жыл бұрын
Only criminals need search boxes.
@saeedbaig4249
@saeedbaig4249 6 жыл бұрын
The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.
@ShokoCC
@ShokoCC 5 жыл бұрын
No client can't hack you if you have no clients #LifeHack @@saeedbaig4249
@adamatlas1113
@adamatlas1113 5 жыл бұрын
Nah, silly lol Just ban "UNION" from your search box...
@chadtowers8556
@chadtowers8556 5 жыл бұрын
From memory it's possible to use your browser search bar to run an SQL query
@Wolle704
@Wolle704 7 жыл бұрын
I always struggled with some parts of this. But I finally understand how it works so I'd have to say this is probably the best explaination of SQL injections I've ever come across. Thanks
@samuelokirby
@samuelokirby 4 жыл бұрын
Okay KZbin, I'll watch it. Recommending it to me for years.
@armonfrohlich6348
@armonfrohlich6348 5 жыл бұрын
The whole computerphile series is just great. Much that I can only see through here, although I speak only moderately English. Your enthusiasm and your fascination for the topic leaves even a slightly boring topic to last interesting. And that with every clip.
@TheMrYakobo
@TheMrYakobo 8 жыл бұрын
I thought I loved Scott. Then I discovered this man, the man that doesn't pronounce SQL like Sequel. He's brilliant
@denvernaicker8250
@denvernaicker8250 6 жыл бұрын
oh snap i've been pronouncing it incorrectly
@jackrogers1115
@jackrogers1115 6 жыл бұрын
Us in the UK dont tend to prononce it sequel...
@13am22
@13am22 6 жыл бұрын
@@jackrogers1115 Well isn't Tom Scott from the UK, though? You see, he's the one in question who tends to do so.
@jackrogers1115
@jackrogers1115 6 жыл бұрын
@@13am22 what
@jackrogers1115
@jackrogers1115 6 жыл бұрын
In the uk, we tend to say s q l, not sequel. Thats what i'm say. And yes hes from the uk
@antiHUMANDesigns
@antiHUMANDesigns 8 жыл бұрын
I made a website many years ago, and obviously made sure SQL injection wasn't possible, and I also logged stuff, and I did see some people trying to do SQL injection on my website.
@211212112
@211212112 4 жыл бұрын
peas give me website address and permission to practice pen test
@antiHUMANDesigns
@antiHUMANDesigns 4 жыл бұрын
@@211212112 This was well over 10 years ago. That website no longer exists.
@jmvr
@jmvr 4 жыл бұрын
anti/HUMAN Designs :(
@JDSileo
@JDSileo 3 жыл бұрын
This is defense against the dark arts for Computer Science
@BladeGamester
@BladeGamester 5 жыл бұрын
OKAY KZbin I FINALLY WATCHED IT! This video has been in my recommended for years now.
@dhananjaydj543
@dhananjaydj543 3 жыл бұрын
I'm only halfway through the video, Its easy to understand what he is trying to say due to those practical examples in a simplified way. Its half a decade old and still best videos to watch out for on this topic.
@Lmaoboat
@Lmaoboat 8 жыл бұрын
This guy is by far the best on this channel. Especially with his practical examples!
@Adam92326
@Adam92326 8 жыл бұрын
That's why I use prepared statements everywhere, even when I get something from my own database, and do a query on something else.
@baldeepbirak
@baldeepbirak 6 жыл бұрын
Useful to see as this does work on my website.
@Rosson311
@Rosson311 6 жыл бұрын
Baldeep Birak so what website you run.? Asking for a friend lol
@TeeKayMTrove
@TeeKayMTrove 6 жыл бұрын
Cheeky.
@gavbag1234
@gavbag1234 6 жыл бұрын
Hey now, let's none of us go Ball Deep on Baldeep.
@IAmESG
@IAmESG 6 жыл бұрын
mind if I take a look on your website?
@cosminxxx5287
@cosminxxx5287 5 жыл бұрын
@@Rosson311 but even as a joke you shouldnt try it cause when police will be at your door ,it wont hold honestly. like, i go with a knife at your house and you call police and i tell them 'oh ,its was just a joke,for fun,didn't mean to do anything'. not so sure someone will bite that even if it would be truth.so yea, don't even think to try just to see if it works.you would be the dumbest hacker in that jail yard.
@eminem2
@eminem2 5 жыл бұрын
Imagine explaining that to inmates in jail: "I... I... put the wrong text in a database on purpose". Inmates be like: "Somebody get me a restriction order, you ain't coming 5 cells away from me, what is wrong with you!"
@Jibblets
@Jibblets 4 жыл бұрын
Funny haha
@darshandani1
@darshandani1 4 жыл бұрын
I learnt more from this video than my entire DBMS coursework.
@PashaSiraja
@PashaSiraja 8 жыл бұрын
A 2rd degree attack would be me naming my children ";--"
@PashaSiraja
@PashaSiraja 8 жыл бұрын
LOL I miss-typed 2 instead of 3 hahaha
@ihrbekommtmeinenrichtigennamen
@ihrbekommtmeinenrichtigennamen 8 жыл бұрын
Bobby Tables would be proud of you!
@GlassCurtain
@GlassCurtain 8 жыл бұрын
Little Bobby Tables!! :)
@CuZoSky
@CuZoSky 8 жыл бұрын
2rd ? "secord" ? :))
@ihrbekommtmeinenrichtigennamen
@ihrbekommtmeinenrichtigennamen 8 жыл бұрын
CuZoSky twoerd
@Rippertear
@Rippertear 8 жыл бұрын
you gave yourself permission? is that in writing? is it notarized? who knows, maybe you'll change your mind and press charges on yourself!
@chasebrower7816
@chasebrower7816 8 жыл бұрын
You don't go to jail if you don't get caught.
@chasebrower7816
@chasebrower7816 8 жыл бұрын
Iceborn Gauntlet probably you.
@36nuts18
@36nuts18 8 жыл бұрын
Chase Brower no, not just me. EVERYONE.
@rasheedhadi2714
@rasheedhadi2714 6 жыл бұрын
Frank zapper
@malharjajoo7393
@malharjajoo7393 6 жыл бұрын
you don't go to jail if you never try to learn this stuff. * makes the meme face *.
@americancitizen748
@americancitizen748 6 жыл бұрын
That's what Hillary told me.
@Towzlie
@Towzlie 5 жыл бұрын
That's why you use PDO and bind requests. Also don't forget to sanitize user input before the query
@skyone9237
@skyone9237 2 жыл бұрын
I never understood SQL injection untill I watched this video...bow to you..🙇
@deejaykaye
@deejaykaye 7 жыл бұрын
This guy is quality, I could listen to him all day
@VexillariusMusicEDM
@VexillariusMusicEDM 8 жыл бұрын
Dude this guy is crazy I love watching vids with this dude
@GetCTOwned
@GetCTOwned 5 жыл бұрын
Reminds me of the days when I had to 'recover' lost wordpress credentials for customers. Luckily web security has gotten much better but this is still a very valid video.
@MrSkinkarde
@MrSkinkarde 3 жыл бұрын
Wordpress has never been secure in any way And it should never be used commercially
@abandoned7501
@abandoned7501 5 жыл бұрын
Quantity in stock: A D M I N
@Purely_Andy
@Purely_Andy 4 жыл бұрын
Product name: G E O R G E
@feliper.150
@feliper.150 4 жыл бұрын
Alternative title: Tyrell Wellick runs an SQL Injection attack.
@PongiPlaysGames
@PongiPlaysGames 4 жыл бұрын
XD
@vinkuu
@vinkuu 8 жыл бұрын
The password for user Joe is 'administrator'. ./john /vagrant/x --show ?:administrator 1 password hash cracked, 0 left
@CJBurkey
@CJBurkey 8 жыл бұрын
What was the salt?
@vinkuu
@vinkuu 8 жыл бұрын
The whole hash is $1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/ so i guess the salt is 'V32.4G/.'. I'm not familiar with the format of md5, but in bcrypt that would be the salt.
@CJBurkey
@CJBurkey 8 жыл бұрын
vinkuu So, essentially, if you get into the database, you can use the salt that is with the password to crack it by brute forcing it?
@vinkuu
@vinkuu 8 жыл бұрын
Yes correct. And that is the reason md5 is considered a bad choice of hashing algorithms to use for hashing passwords. It's very fast to brute force md5 hashes compared to eg. bcrypt with a cost setting of 15. It directly equates to cost (€) of the brute force cracking setup.
@ZombieCakeHD
@ZombieCakeHD 8 жыл бұрын
Or just type in administrator??????
@Nalopotato
@Nalopotato 6 жыл бұрын
One of my accomplishments at my first job was rewriting all of our (then) inline SQL queries and stored procs in C# to implement SQL injection prevention! It was a lot of fun :) And very rewarding when I was done
@SpencerDavis2000
@SpencerDavis2000 5 жыл бұрын
this was one of the most interesting videos I have seen in a while. gotta watch more now
@meptalon
@meptalon 5 жыл бұрын
Subcription at first video :) This is the best explanation of an SQL injection that I've ever heard. Pretty sure that even non-coders would understand
@raiker02
@raiker02 4 жыл бұрын
alert("hello world"); -I'm in.
@hrnekbezucha
@hrnekbezucha 8 жыл бұрын
Now this is art. I can totally imagine people do stuff like this cause it's fun. Like chess.
@orlagskapten9829
@orlagskapten9829 5 жыл бұрын
Juan2003gtr why are you calling him a noob?
@stylz1
@stylz1 4 жыл бұрын
Like gambling.
@DrRChandra
@DrRChandra 8 жыл бұрын
user name consisting of SQL? must be Little Bobby Tables
@tiggerbiggo
@tiggerbiggo 8 жыл бұрын
rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.
@fluck6159
@fluck6159 8 жыл бұрын
I will name my son as Little Bobby Tables
@jcfawerd
@jcfawerd 7 жыл бұрын
I suddenly remember a man named "null"
@GioGziro95
@GioGziro95 7 жыл бұрын
Where's the "Students" table?
@CreamyRootBeer
@CreamyRootBeer 7 жыл бұрын
Oh, I love that comic. "Oh little Bobby Tables, we call him."
@Werdna12345
@Werdna12345 8 жыл бұрын
Would love to see a video on second order SQL injections!
@nicktech2152
@nicktech2152 5 жыл бұрын
WPF in C# 2010 Book on the background - Busted!
@jbyagenrok
@jbyagenrok Жыл бұрын
Felt like I was listening to an SQL injection tutorial as presented by James Acaster. And loved every second of it of course
@Rougeman0
@Rougeman0 8 жыл бұрын
I really love how Mike stepped up his game lately. Easily one of my regulars on Computerphile, keep it up!
@dustin_echoes
@dustin_echoes 8 жыл бұрын
Thanks! This video explains it better than my database subject lectures.
@club6525
@club6525 2 жыл бұрын
Just to clarify: It's not a malformed query. You're actually getting outside of the query that the website wants you to. Basically, you get to create your own little query which is pretty terrible cause then some dude can query for everyone's passwords.
@_martinedwards
@_martinedwards 5 жыл бұрын
That nearly finished Rubik's cube on his desk is playing havoc with my OCD
@Sharpless2
@Sharpless2 3 жыл бұрын
here to remind you of that unfinished cube lol
@_martinedwards
@_martinedwards 3 жыл бұрын
😭
@gonzalo4658
@gonzalo4658 5 жыл бұрын
the first person to put the word 'an' before consonants like 's' that start with a vowel. Thank you. An 'r', people. Say AN 's', AN 'h', AN 's', etc. I know I'm not the only one.
@SpencerFcp
@SpencerFcp 6 жыл бұрын
I used to work for a consulting company and you'd be surprised how shitty the majority of companies are at protecting your data. Mostly smaller businesses, but even some of the large ones lack basic security measures. It was pretty eye opening.
@tomchapman128
@tomchapman128 4 жыл бұрын
"Ah, I'm sure my website will be fine." *checks it* "ohno"
@emberdrops3892
@emberdrops3892 4 жыл бұрын
actually underrated 😂
@mariadb4627
@mariadb4627 4 жыл бұрын
Oof 😅
@Suicidekings_
@Suicidekings_ 4 жыл бұрын
SurprisedPikachu.jpg
@KacangNgoding
@KacangNgoding 3 жыл бұрын
"anyway..."
@an3ssh
@an3ssh 5 жыл бұрын
Thank you KZbin for suggesting me this video after my DBMS exam .....wouldve done great if i had watched this video
@madnessguy010101
@madnessguy010101 6 жыл бұрын
I had known and understood what sql injection was previously, but I had never heard of blind sql attacks and using database-specific syntax in order to obtain information on the underlying database. Very informative video
@chrisalister2297
@chrisalister2297 6 жыл бұрын
Amazing how this was posted in 2016 and these were concerns I had to address in 1996. Filtering, stored procedures and permissions are your friend.
@raf.nogueira
@raf.nogueira 7 жыл бұрын
This why we should use PreparedStatements in PHP , JSP, Servlets, C# and ASP.. :)
@13am22
@13am22 6 жыл бұрын
That wasn't alway a thing before sadly. As of today, it's the only way to go basically. :)
@philadams9254
@philadams9254 8 жыл бұрын
"; DROP ALL DATABASES; --
@josephthapa5848
@josephthapa5848 6 жыл бұрын
Thats bad
@cristalmen9104
@cristalmen9104 6 жыл бұрын
:D
@홍현기-s1o
@홍현기-s1o 6 жыл бұрын
OMG...
@chrisellis5860
@chrisellis5860 6 жыл бұрын
Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.
@fireboltofdeath
@fireboltofdeath 6 жыл бұрын
+Chris Ellis Do you really think someone who isn't going to escape user input, would think about that? Because I honestly don't.
@leonhill8447
@leonhill8447 3 жыл бұрын
As a SQL beginner this was super helpful, thank you.
@Codetutor-DemystifyCoding
@Codetutor-DemystifyCoding 3 жыл бұрын
Just perfect!!! Rather than talking about how it's done, show how it's done.
@KiraPlaysGuitar
@KiraPlaysGuitar 2 жыл бұрын
"It should have used that single quote as a character, not as a control structure" damn that is really interesting and cool... Please (universe) give me the determination to get through HTML/CSS/JS/SQL... It just seems so neat and handy...
@Johan-st4rv
@Johan-st4rv 8 жыл бұрын
I got 15 years for sql injection one time absolute mad man
@zyxcalxyz2007
@zyxcalxyz2007 6 жыл бұрын
but did you though?
@akaashik
@akaashik 6 жыл бұрын
I got executed for MITM attack.
@JaaoPonte
@JaaoPonte 6 жыл бұрын
I got a two days torture for changing the input type from password to text
@sieghart0515
@sieghart0515 6 жыл бұрын
I got sentenced lethal injection for typing on console
@igniscorvata9562
@igniscorvata9562 5 жыл бұрын
@@sieghart0515 I did a year and a half for getting on my teachers computer, taking a screenshot of his desktop, saving that screenshot as a jpeg then making that his desktop background... then removing his shortcuts and lowering his task bar.. so no matter how much he clicked, he got no where.
@B20C0
@B20C0 8 жыл бұрын
The most scary fact about this is that it's still an issue in 2016. I did this kind of stuff 15 years ago and back then I already thought "this is way too easy". The bad news was that there were no such things as prepared statements, so you really had to do all the work with escaping.
@combatking0
@combatking0 8 жыл бұрын
When putting together a SQL driven site, I put all text input variables through a function which filters out all potentially hostile characters and replaces them with something which cannot be interpreted as SQL code. It could also be possible to get the PHP to check for multiple attempts to submit SQL injections. One or two could be accidental, but more than that could be viewed as an attack, so I could make the PHP block all traffic from that IP for an hour, or return some decoy tables, or even a fake page warning the hacker that a virus is being uploaded to their computer, complete with a progress bar :)
@13am22
@13am22 6 жыл бұрын
If you're still learning PHP, SQL and all that stuff and didn't already - please have a read on PDO and prepared statements. It's the "new" easy way of dealing with everything. :)
@elliotc4268
@elliotc4268 2 жыл бұрын
make it return what they would want to see, but the wrong information. a fake error or a fake full table
@joylox
@joylox 3 жыл бұрын
That program you had was literally something I had to make for a class in web development. I think it was the PHP class. Thankfully, we also have a mandatory information security course I'm in now and learning about these. We did talk about making sure quotes don't get in, which is important.
@bobbyboygaming2157
@bobbyboygaming2157 Жыл бұрын
this explanation is so far superior to the other guy's coffeeshop explanation. The visualization is very important.
@colee6133
@colee6133 5 жыл бұрын
the illegal part of this is having an unsolved cube on your desk with super easy PLL case :c
@JonSmith-cx7gr
@JonSmith-cx7gr 5 жыл бұрын
What was the price for the 7mm nails? I'm re-upholstering a chair currently and think 8mm would be too long. Thanks.
@FazleyRabbibd
@FazleyRabbibd 2 жыл бұрын
It’s 2022 and still a valid issue!!!
@Rhyden
@Rhyden 6 жыл бұрын
I learned more about databases in this one video than I did during a semester long class in Uni about databases.
@PlayGrum
@PlayGrum 5 жыл бұрын
just started doing a Cyber Security Course at college, enjoying your videos to supplement my learning :)
@BijanIzadi
@BijanIzadi 3 жыл бұрын
This should be basic education at this point, I’m so pissed nobody was learning or teaching this in school
@Julian.Gilexs
@Julian.Gilexs 3 жыл бұрын
Depends on the school were you at.
@joecurran2811
@joecurran2811 3 жыл бұрын
Totally agree.
@srider33
@srider33 4 жыл бұрын
15:15 "Thank you for saving us some time." - Malicious people.
@fyrchmyrddin1937
@fyrchmyrddin1937 5 жыл бұрын
Back when I was a "code monkey" AKA programmer, I was once officially admonished by my supervisor for wasting time putting in error trapping. "If the customer wants that, they can pay for it" was what he told me... That company is still around today - I looked them up. Apparently one of their core values is "Enthusiastic, Passionate and Fun" but the fact is, crappy programming is the norm, not the exception.
@chaozkreator
@chaozkreator 5 жыл бұрын
I like how the interviewer initially couldn't get around the fact that all the instructor was doing is just writing out the "code" in a text editor.
@thetooginator153
@thetooginator153 3 жыл бұрын
Ha! I encrypted user names and passwords back in 1992! The encryption wasn’t very sophisticated, but the bad guys didn’t know that. I feel so validated!
@kimlau4285
@kimlau4285 5 жыл бұрын
Me: Going through lecture slides to past my sql exam. You: Playing black magic with sql query.
@TheLollercaster
@TheLollercaster 6 жыл бұрын
5:42 - this was the first time I dropped my jaw
@hendrikw4104
@hendrikw4104 8 жыл бұрын
Fellow Sublime Text user
@CatnamedMittens
@CatnamedMittens 8 жыл бұрын
Amazing band
@AaronHelloWorld
@AaronHelloWorld 8 жыл бұрын
take my like hahahaha
@CatnamedMittens
@CatnamedMittens 8 жыл бұрын
I'm serious tho.
@joeabinassif7518
@joeabinassif7518 8 жыл бұрын
sublime text
@94vujke
@94vujke 8 жыл бұрын
Atom is better
@PaulStewartArck
@PaulStewartArck 5 жыл бұрын
I never sanitize form input. Livin' on the edge!!!
@n1c98
@n1c98 4 жыл бұрын
I love this channel, some videos I understand, and some I have no ******* idea what they are talking about. These guys are super epic and advanced. I'm an uber beginner LOL. Been learning the basics and enjoying it. Thank you for such incredible material, I really appreciate you guys, and of course, KZbin too is just simply awesome
@salatwurzel-4388
@salatwurzel-4388 5 жыл бұрын
Hint: Just use incognito mode in your browser to never get caught. You're incognito when you use it so they will never find out who you are. Easy solution.
@romankrivocheev4434
@romankrivocheev4434 5 жыл бұрын
Ur joking, right? :)
@salatwurzel-4388
@salatwurzel-4388 5 жыл бұрын
@@romankrivocheev4434 Yes. But i saw some people in the wild who actually think that way :D
@ItsAstie
@ItsAstie 5 жыл бұрын
Or just use Tor
@cameronjoseph5994
@cameronjoseph5994 4 жыл бұрын
@@ItsAstie `would that work tho?
@TahsinAhmed-yj9ns
@TahsinAhmed-yj9ns 4 жыл бұрын
On a serious note does using free vpn work?
@MrRolnicek
@MrRolnicek 8 жыл бұрын
Can you put this website somewhere out there on the internet? Because I'm SURE a lot of people watching this would love to try their own injections and have fun with it.
@bglobbi
@bglobbi 8 жыл бұрын
That would be pointless, first injection could be command to drop all tables and there would be nothing in the database and no fun for others. You can download XAMPP and create a simple database like this and do all queries like that inside web interface for PHPmyadmin on your own computer without even creating a separate website.
@sei-core
@sei-core 8 жыл бұрын
well if he would put it up somewhere, it could be taken down pretty easily in seconds: someone drops all tables, and voila, you can't even do anything anymore. This is like putting a bottle out on the street for everyone to break, if someone breaks it at first, then noone else can do it anymore because it's already broken.
@MrRolnicek
@MrRolnicek 8 жыл бұрын
Yeah I realized very soon after posting that comment that it would have to be "refreshed" very often or just done so that it doesn't break for everyone and basically would be a pain in the ass to do.
@sei-core
@sei-core 8 жыл бұрын
Actually you can write your own script to do it. It's really just basic coding.
@Schindlabua
@Schindlabua 8 жыл бұрын
Check out hackthissite.org, they have some easy and some hard websites for you to hack into!
@abbasssharara2393
@abbasssharara2393 5 жыл бұрын
this is weak attack it can simply prevented by escaping chars or by creating sql stored procedures if you know how to use them.
@Jaydon05
@Jaydon05 5 жыл бұрын
Abbass: you'r right! That cross my mind too! :)
@matlilly8795
@matlilly8795 6 жыл бұрын
At one point, I created and maintained a server. You have to know how to crack your own system to know how to defend it. I launched campaigns against my server on a somewhat regular basis. Great explanation.
@keeperkai999
@keeperkai999 6 жыл бұрын
that's why you use frameworks that do sql injection prevention for you, or simply just escape the input you throw to your database.
@MrMichaeledavis83
@MrMichaeledavis83 5 жыл бұрын
As a learning web developer that uses php and sql all the time, this is pretty creepy. Luckily I learned to sanitize my queries early on, but I need to learn more about how hackers might attack a website.
@harrisonharris6988
@harrisonharris6988 8 жыл бұрын
+Computerphile could you do a video on hashing/breaking hashes?
@michaelpound9891
@michaelpound9891 8 жыл бұрын
Coming soon - using a 4x Titan X GPU server ;)
@jimkennedy4509
@jimkennedy4509 8 жыл бұрын
Usually you need to find out what type of hash they use. Then you could try a dictionary attack. Have a program try each word until the hashed value = the one you got.
@Chomboidas
@Chomboidas 8 жыл бұрын
md5 :)
@4pThorpy
@4pThorpy 8 жыл бұрын
I think you're misunderstanding what salting does, you can reverse lookup a hash by having a list of hashed common words/used passwords, lists of billions upon billions of possible passwords...what salting does is change each hash with a "salt". So having two of the same passwords would produce two different hashes, thus making reverse lookup a less likely decryption method.
@billy653
@billy653 8 жыл бұрын
Is this the actual Michael from the video. If it is I'm happy you're reading the comments. These videos have been quite refreshing on computerphile.
@jongeduard
@jongeduard 3 жыл бұрын
Yep, this is what we have SQL parameter solutions for, in many programming languages. To prevent that trouble.
@Salmontres
@Salmontres 2 жыл бұрын
I never knew Elijah Wood was so knowledgeable!
@christophernetherton9389
@christophernetherton9389 8 жыл бұрын
Insightful..Thank you for taking the time to go through it..Not a database guy but found it very interesting.
@deinemamainhd
@deinemamainhd 8 жыл бұрын
prepared statements ftw
@satviknema8629
@satviknema8629 5 жыл бұрын
"Iam doing this on my own website. So Iam giving myself premission". LMAFAOO
@stylz1
@stylz1 4 жыл бұрын
per
@Sharpless2
@Sharpless2 3 жыл бұрын
yeah it may seem like a joke but in reality breaking into your own house can land you in jail.
@satviknema8629
@satviknema8629 3 жыл бұрын
@@Sharpless2 wait wtf
@stefanjud6345
@stefanjud6345 6 жыл бұрын
-> Dual is in fact an existing table, with just one column and row. The column is called dummy, while the content is just X. -> The INFORMATION_SCHEMA tables are shared with many other rdbms systems, to have a common schema for handing out information about the database.
@jamesoxford4260
@jamesoxford4260 5 жыл бұрын
Besides proper handling of user inputed text, SQL user and table permissions on the backend would help. For example, not querying with an account that has access to information_schema
@mericet39
@mericet39 5 жыл бұрын
Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"
@costafinkel
@costafinkel 4 жыл бұрын
Whats that, a text editor? And the letters that you type on this key device appears on it ? Fantastic !
@mbarekzacri4973
@mbarekzacri4973 3 жыл бұрын
Maybe the best thing to do is to ignore the comment. Though, more better way of dealing with it is , maybe, to thank that "basic" guy for the work he is doing.
@R0bot4
@R0bot4 3 жыл бұрын
@@mbarekzacri4973 he could do better thats what the comments wants to say
@almostcertainlynotapotato6528
@almostcertainlynotapotato6528 3 жыл бұрын
Are you talking about Tom Scott?
@alokbaluni8760
@alokbaluni8760 3 жыл бұрын
He asked it for the audience. He run this channel. Obviously he would know about Sublime text.
Hacking Websites with SQL Injection - Computerphile
8:59
Computerphile
Рет қаралды 2,4 МЛН
How to Choose a Password - Computerphile
11:33
Computerphile
Рет қаралды 1,2 МЛН
Don't underestimate anyone
00:47
奇軒Tricking
Рет қаралды 25 МЛН
Creative Justice at the Checkout: Bananas and Eggs Showdown #shorts
00:18
Fabiosa Best Lifehacks
Рет қаралды 26 МЛН
LogJam Attack - Computerphile
18:47
Computerphile
Рет қаралды 182 М.
Has Generative AI Already Peaked? - Computerphile
12:48
Computerphile
Рет қаралды 1 МЛН
SQL Injection For Beginners
13:28
Loi Liang Yang
Рет қаралды 1,5 МЛН
Cracking Enigma in 2021 - Computerphile
21:20
Computerphile
Рет қаралды 2,5 МЛН
Running a Buffer Overflow Attack - Computerphile
17:30
Computerphile
Рет қаралды 2 МЛН
The Attack That Could Disrupt The Whole Internet - Computerphile
9:50
Computerphile
Рет қаралды 1,5 МЛН
Log4J & JNDI Exploit: Why So Bad? - Computerphile
26:31
Computerphile
Рет қаралды 500 М.
The Problem with Time & Timezones - Computerphile
10:13
Computerphile
Рет қаралды 4 МЛН
SQL Injection | Complete Guide
1:11:53
Rana Khalil
Рет қаралды 259 М.
How TOR Works- Computerphile
14:19
Computerphile
Рет қаралды 1,7 МЛН