A simple tale of SQL Injection .....
Submitted by David Goodwin on Fri, 16/05/2008 - 21:24.
Today, I was giving a one-on-one PHP training course covering databases (we were trying to get mssql to work with PHP on Windows, but various factors seemed to conspire against us - possibly permissions related, as it seemed to refuse to allow us to select from a table that fricking well did exist). Anyway, the amusing story was.....
I have a habit of "probing" most web sites to see whether they're vulnerable to SQL injection - normally inserting a simple single quote into a URL will show one way or another. Unfortunately for the delegate, he hadn't come across SQL Injection, but had written a website for his local village, in .asp.....
Cue login as "admin" with a password of "' OR '' = '".
Suffice to say, we then had a good laugh at the classic XKCD strip about poor Robert and he now knows how someone hacked into the site a few months ago.