Websites can still be hacked using SQL injection – Tom explains how sites written in PHP (and other languages too) can be vulnerable and have basic security …
  1. Surely if you develop a routine that meticulously validates every character in every input field to gracefully reject anything that shouldn't be there, and everyone developing code for your website uses it, then you're not going to let ANY malformed input through?

  2. Don't most websites send text through some secondary language's function, like JS or something, to clean the input before sending it to the actual database?

  3. The recent ‘Super Mario World (1990)’ speedrun uses code injection in very fascinating ways that I don't understand. There is even a way to play PONG on the game using in-game sprites and complicated code injection.

  4. Hm. Interesting. I do more game-oriented programming than web-based (where this stuff doesn't really happen). But this is still interesting.

  5. Hmmm, select *… who with a basic understanding of web programming would actually put something like this… well, kind of strange. Good video though.

  6. I've seen SQL injection in real action; it is a lethal weapon. PreparedStatement blocks it, but it's annoying to use it for everything, so the temptation of the "easy way" is always there…

  7. Last time, I just killed every user input that wasn't one of our 26 letters or 10 numbers. Stops SQL injection as well, though I think that would fall under "prepared statements".

  8. Tom Scott is awesome! "If you can't explain it to an eight year old, you don't fully understand it yourself!" -Unknown Smart person
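Comments 6 and 7 above name the two standard defences: prepared statements and strict allowlisting of input characters. The following is an added example written for this page, not code from the video or from any commenter. It uses Python's built-in sqlite3 module as a stand-in for the PHP/MySQL setup the video discusses; the table, rows and the name "O'Brien" are constructed sample data. It shows the three approaches side by side: splicing input into the SQL text (the bug the video is about), binding it as a parameter, and rejecting anything outside a letters-and-digits allowlist before it reaches the database.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for a site's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # The pattern the video warns about: user input is spliced straight into
    # the SQL text, so any quote character in the input changes the query itself.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the SQL text is fixed and the value travels separately
    # as a bound parameter, so the database never parses it as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Commenter 7's approach: only plain letters and digits are accepted (length capped).
ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")


def lookup_allowlisted(conn: sqlite3.Connection, name: str) -> list:
    # Reject anything outside the allowlist before it gets near the database,
    # and still use a bound parameter for defence in depth.
    if not ALLOWED.fullmatch(name):
        raise ValueError("input rejected: only letters and digits are accepted")
    return lookup_prepared(conn, name)


def demo() -> dict:
    # Runs all three lookups against a legitimate name that happens to contain
    # an apostrophe, and records what each one does.
    conn = make_db()
    results = {}
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe"] = "query ran"
    except sqlite3.OperationalError:
        results["unsafe"] = "syntax error: the apostrophe altered the SQL text"
    results["prepared"] = lookup_prepared(conn, "O'Brien")
    try:
        lookup_allowlisted(conn, "O'Brien")
        results["allowlisted"] = "accepted"
    except ValueError:
        results["allowlisted"] = "rejected before reaching the database"
    results["allowlisted_plain"] = lookup_allowlisted(conn, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe version fails on an ordinary name with an apostrophe, which is the same mechanism an attacker relies on: the input is being read as part of the query. The prepared version returns the O'Brien row correctly because the value is data, not SQL. The allowlist version refuses that name outright, which is exactly the trade-off commenter 7 describes: it closes the door, but it also turns away legitimate input, so prepared statements remain the primary fix.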