

1.1.1 Storytime

Let’s start with a story. Mike is the system admin for a small private school. His main responsibility is maintaining the network and computers. Recently, he started automating various tasks around the school by building a web application for internal use. He has no formal training and minimal programming experience. Knowing the basics of PHP, he built a pretty stable customer relationship manager for the school and even received kudos from the superintendent for streamlining operations and saving the school money.

Everything was going well for Mike until a particular new student started. The student’s name is Little Bobby Tables. One day, Jon from the admin office called Mike to ask why the system was down. After inspection, Mike found that the table containing all the students’ information was missing entirely. You see, Little Bobby’s full name is actually “Robert'); DROP TABLE students;--”. There aren’t any backups of the database; it has been on Mike’s “to do” list for a while, but he hadn’t gotten around to it yet. Mike is in big trouble.