16 of 30 Google results contain SQL injection vulnerabilities
source link: https://waritschlager.de/sqlinjections-in-google-results.html
Today, out of curiosity, I googled for "php mysql email register". This returns tutorials, how-tos and code snippets. Most results include flawed DB statements, which usually means something like
// Don't do this! The POST value is pasted straight into the SQL text.
mysqli_query($conn, "SELECT * FROM user WHERE id = '" . $_POST["user"] . "'");
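For contrast, here is the same lookup written the way most of the results below do it, next to the prepared-statement form that removes the injection. This is an added example, not code from the post or from any of the tutorials; $conn is assumed to be an open mysqli connection and the users table and its columns are placeholders.

```php
<?php
// Added example (not from the original post). Assumes $conn is an open
// mysqli connection and a table users(id, email) exists.

// VULNERABLE: the caller's value becomes part of the SQL text. A single quote
// inside $email ends the string literal and the rest is parsed as SQL.
function findUserVulnerable(mysqli $conn, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "' LIMIT 1";
    $result = mysqli_query($conn, $sql);
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return $row ?: null;
}

// FIXED: a prepared statement sends the SQL text and the value separately,
// so the value is only ever compared as data, whatever characters it holds.
function findUser(mysqli $conn, string $email): ?array
{
    $stmt = $conn->prepare("SELECT id, email FROM users WHERE email = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);          // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd (the default driver)
    $stmt->close();
    return $row ?: null;
}

// htmlspecialchars() (used for "SQL escaping" in result 20 below) encodes
// <, >, & and quotes for HTML output. It is the right call when echoing a
// value into a page and does nothing useful for SQL; keep the two separate.
function renderEmail(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
}

// Usage (assumes $conn = new mysqli(...) has already been set up):
// $user = findUser($conn, $_POST['email'] ?? '');
// echo $user ? renderEmail($user['email']) : 'not found';
```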
Here is the detailed breakdown. The articles are listed in the order they were suggested to me. I omitted unrelated articles or ones behind a paywall.
Possible statuses (referenced by number in the table below):
1. All parameters in SQL queries are escaped categorically
2. Incoming data is only escaped where absolutely necessary
3. Author attempted some escaping but vulnerability found
4. No escaping logic whatsoever
| # | Status (1-4, see list above) | Site | Notes |
|---|---|---|---|
| 1 | | | "SELECT * FROM users WHERE email='$email' LIMIT 1"; |
| 2 | 1 | envatotuts+ | |
| 3 | 1 | Code Boxx | |
| 4 | 1 | Aaraf Academy | |
| 5 | 3 | Webslesson | WHERE user_activation_code = '".$user_activation_code."' |
| 6 | 2 | CodingNepal | |
| 7 | 3 | YouTube | Timestamp provided |
| 8 | 3 | YouTube | This is part 1 of a series of 3. Part 1 is fine, but there are problems in part 2, as well as part 3 here and here and here |
| 9 | 4 | morioh | Redirects you to tutsmake.com where the code is to be found |
| 10 | 3 | Webs Codex | "SELECT * FROM users WHERE otp = '$postOtp' |
| 11 | 1 | CodeShack | |
| 12 | 1 | webtipstricks | |
| 13 | 4 | studentstutorial | |
| 14 | 4 | positronX.io | |
| 15 | 1 | Mage Mastery | |
| 16 | 1 | phppot | |
| 17 | 4 | TalkersCode | |
| 18 | 3 | OurSourceCode | $query = "update users set status='1' where token='$token'"; |
| 19 | 1 | DZone | |
| 20 | 3 | Sourcecodester | mysqli_query($conn,"select * from user where userid='$user'"); also uses htmlspecialchars() for SQL escaping everywhere |
| 21 | 4 | coding cyber | |
| 22 | 2 | developphp | Uses custom RegExes mostly |
| 23 | 4 | ProgrammerSought | |
| 24 | 1 | Grepper | |
| 25 | 1 | CodeAndCourse | |
| 26 | 4 | w3tweaks | |
| 27 | 1 | Speedy Sense | |
| 28 | 1 | Technopoints | |
| 29 | 4 | Techno Smarter | |
| 30 | 4 | FormGet | |
I skipped to the next article as soon as I found at least one injection-prone line. There are of course more issues to be found across all 30 results; this is just the result of me quickly skimming them all, specifically for SQL injection.
My main takeaway is the dreadful quality of the majority of Google's search results. Several of these results were, simply put, SEO-optimized baloney.