Hacking Websites with SQL Injection - Computerphile

  • Date added: 8. 10. 2013
  • Websites can still be hacked using SQL injection - Tom explains how sites written in PHP (and other languages too) can be vulnerable and have basic security issues.
    More from Tom Scott: / enyay and / tomscott
    This video was filmed and edited by Sean Riley.
    Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels

Comments • 886

  • @Computerphile, 10 years ago, +864

    This is the St Pancras Renaissance hotel in London - great that they let us film after our original location fell through - shame they wouldn't let me use lights though! >Sean

  • @bigsteamfan, 10 years ago, +5361

    He speaks SO LOUD... lol... I think the entire cafe knows how to hack websites by now...

  • @Kneedragon1962, 9 years ago, +3984

    One of the better 'funny pictures' I have seen, was a numberplate on a pretty fast car, which had an SQL instruction to drop some tables... hello speed cameras ...

  • @RockLou, 9 years ago, +2037

    "; DROP ALL DATABASES;
    dammmit.

  • @Markus9705, 9 years ago, +2471

    Simply: don't ever ever trust user input.

  • @capo328, 10 years ago, +532

    >"You can read people's passwords..."
    Well hopefully they're hashed anyway

  • @RebeccaSentance, 8 years ago, +1283

    "It's a hack on top of a hack.... That's a hack, and we've had to put more on top of that, and more on top of that, and more on top of that."
    It's a hack stack!

  • @hermest99, 8 years ago, +2516

    One finger: "Facebook was originally written in PHP"
    Second finger: All other things.
    Nice one.

  • @brettefantomet, 8 years ago, +1544

    Tom Scott is awesome! "If you can't explain it to an eight year old, you don't fully understand it yourself!" -Unknown Smart person

  • @MrGeekGamer, 10 years ago, +357

    "It works, but it's clunky." - PHP in nutshell.

  • @mittfh, 8 years ago, +616

    "Shouldn't work any more but still does."
    Just ask TalkTalk's IT department...

  • @glueee2621, 8 years ago, +393

    Oh Tom Scott, you always manage to make us feel just a tad bit more paranoid.

  • @someitguy2175, 9 years ago, +179

    Amazing that he knows I'm a camera, I'm impressed!

  • @DaGleese, 10 years ago, +363

    I literally came to the video to see if he pronounced it as "sequel" or S.Q.L.
    I got my answer instantly! :D

  • @epicdman8139, 8 years ago, +738

    I am familiar with SQL injections but it doesn't work on any websites that are worth messing with

  • @Computerphile, 10 years ago, +125

    Description amended to be less PHP specific - he does explain using PHP though, however little the PHP specific content >Sean

  • @jamesisntmexican, 8 years ago, +475

    Good ol' Bobby Tables.

  • @rob-8582, 10 years ago, +207

    This video is good but makes it sound as if, when a website is poorly coded (so SQL injection is possible), the database server has no security and is an open platter, i.e. if a malicious user attempts to run a DELETE or DROP DATABASE command they will be able to do this. If the security on the database side has been granted appropriately, the user specified in the connection string of the web application will not be able to execute these commands. All users should only be granted the permissions required for the tasks they are going to perform. There is no need for a web application to have DROP ALL DATABASES or similar commands. Not trying to water down the risk, just making it clear that the problem lies on the developer (code) and administrator (permissions) side.

  • @ignasmixer, 9 years ago, +96

    Love the non ordinary video background. Nicely explained topic. Thank you.

  • @arosepsy, 10 years ago, +15

    Really enjoy the lighting and setting of this one. Informative person as well. Seeing a large increase in quality on this channel and it's much appreciated.

  • @TheAnig140895, 10 years ago, +12

    Tom is so passionate about this stuff. It is truly amazing to watch him explain stuff.

  • @yessopie, 10 years ago, +24

    The correct way to think about this: when you are writing code that generates SQL, you need to generate it according to the SQL syntax. When you inject a string into an SQL statement, you need to convert that string into an "SQL string literal". This is done by adding the quotation marks at the beginning and end and escaping any character that has a different meaning in an SQL string literal than in a plain string (backslashes, quotes, etc.). The SQL syntax specification shows you where these string literals are allowed in a statement. If you are putting an integer into your SQL, you need to convert it to an "SQL integer literal", which is usually done just by converting it to a string. (Not an SQL string literal, just a string.)

  • @Truthiness231, 10 years ago, +99

    Oh this should be some nostalgic fun, I remember back in high school when injecting some code into a text field and... this video is from 2013. This video is from 2013? This video is from 2013! How in holy hell could ANYONE leave such a vulnerable area of security wide open this long?

  • @Zolezify, 10 years ago, +63

    Actually I love his passion for the language and the whole subject itself. You can practically see the fire in his eyes. Great work, helped a bunch.

  • @NerdyStarProductions, 10 years ago, +4

    Great video. Had a web interview a few weeks ago where I needed to know what an SQL injection is, and while I did try and explain it with my limited knowledge, I learned a lot more about it from watching this video. Thanks for the upload, and I'd also love to see more of Tom.

  • @Vulcapyro, 10 years ago, +13

    "It really shouldn't work anymore, but still does" is the best description of SQL injection I've ever heard.

  • @zhevox, 8 years ago, +218

    Robert'); DROP TABLE Students;--

  • @mayur1234560, 10 years ago, +11

    This guy is one of the best on your channel! Get more videos from him!

  • @luketimothy, 10 years ago, +5

    Thanks for these videos... In my experience of web programming as an amateur, security issues have never been something I have come across all that often. It's good to learn more about them.

  • @GrimReaperCalls, 10 years ago, +7

    Really liked Tom's way of explaining, I too would like to see more of him!

  • @Spideyy2099, 7 years ago, +7

    I love your channel name and the videos are great! It really satisfies my love of technology, but makes me wanna learn more!

  • @WhimsyHeath, 7 years ago, +90

    funnily enough, I got a SQL course ad for this video.

  • @Chrisgamee, 10 years ago, +7

    This guy is the most entertaining and easy to learn from guy on computerphile! More please!

  • @edcameron, 2 years ago, +6

    Just got out of jail because I tried this 5 years ago. THANKS A LOT FOR THE WARNING TOM

  • @_wouter52, 10 years ago

    Yay Tom is back! Great video as always!

  • @outercores, 3 years ago, +11

    Why does every comment on this video have no replies?

  • @Alfakatt, 8 years ago, +2

    Love how this turned into a PHP promotional video with our host feeling the need to justify his usage of PHP! :D

  • @CharlotteWolf, 10 years ago

    I quite like the moody lighting, gives it a nice atmosphere. Tom was a joy to listen to as well.

  • @dospy1, 10 years ago, +1

    moar videos with this guy pls, he's amazing; he manages to output such concise information with ease

  • @roflbunnie6, 10 years ago, +4

    Python has taught me really well with strings and escaping. Of course I've learned more than escaping and learning strings, but I still am thankful for learning it.

  • @aryamanmajumdar7411, 6 years ago

    The lighting in this video is really good.

  • @benjamincuningham, 10 years ago, +2

    Extremely well explained. Great job!

  • @Firelynx87, 10 years ago

    Great video! I really enjoy listening to Tom!

  • @dispatchrabbi, 10 years ago, +9

    This is a really tough thing to explain to non-technical people, and this guy did a great job of it.

  • @LukeBeacon, 10 years ago, +5

    More of this guy.
    I always wonder if the other people in the restaurant (?) can't help but listen in on the riveting conversation going on.

  • @tomlxyz, 8 years ago, +172

    PHP is only fun at the beginning.

  • @reinux, 9 years ago, +21

    Or use an API that discourages raw text queries -- which is good practice both for security and for interoperability between different database software.

  • @Mukhambiel, 1 year ago, +2

    Going to show this video to our apprentice. He is going to learn SQL in school soon. Best wishes from Germany!

  • @Bukowski208, 10 years ago

    I seriously love this guy's enthusiasm

  • @datakaka, 10 years ago, +2

    Great explanation, more videos with Tom please.

  • @phatcartoon, 10 years ago

    Yes, another YouTube user suggested the same. I checked it out recently and it's really nice. Thanks.

  • @ZeeCoder, 10 years ago, +15

    I'd love to see more about security from Tom, he just does a wonderful job explaining things.

  • @mattdathew2794, 9 years ago

    thank you so much for uploading this

  • @gdwnet, 10 years ago, +63

    as hacks go there are worse ones *heavy sigh* - There speaks someone who has had to deal with them! I know that sigh all too well.

  • @qnteban, 8 years ago, +14

    So is SQL injection similar to XSS, or am I completely wrong here?

  • @SignalsEverywhere, 10 years ago, +5

    Thanks for the video, I have a much much better understanding of how this works now.

  • @sjmww1235, 9 years ago, +245

    Bobby drop table students, anyone?

  • @joshstead6078, 8 years ago, +12

    I don't understand who dislikes these videos; no matter what, there are people who will dislike every video on YouTube.

  • @jeba1215, 10 years ago

    Loved the video, great work!

  • @TheDonMacdonald, 10 years ago, +1

    Great vid!!
    There is a lot of confusion about prepared statements at the moment.
    It's more than string building for onwards processing.
    The SQL statement is parsed and optimised for execution by the RDBMS.
    The variable is inserted prior to execution by the optimiser.
    In general, it's a good thing to prepare when you can. Just trust me.
    Most DBAs will have a large list of their commonly executed statements.
    It's safer and they gain some element of control over the SQL being executed.
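An added example, written for this page and not taken from the video or from any of the commenters, illustrating the two points made by @yessopie (a string pasted into SQL must first become a proper SQL string literal) and by @TheDonMacdonald (a prepared statement keeps the query text fixed and binds the value separately, which is what PDO calls a prepared statement and other APIs call a parameterized query). It uses Python's standard sqlite3 module and a constructed in-memory `students` table; the table, its rows and the function names are assumptions for the example only. The concatenated version is kept to show how a single quote in the input reaches the SQL parser; SQLite refuses to run more than one statement per `execute()` call, so here the only visible symptom is a parse error, while the escaped and prepared versions return the right rows and leave the table untouched.

```python
import sqlite3

# Constructed sample data for this example (not from the video or the comments).
SAMPLE_NAMES = ["Alice", "O'Brien"]


def make_db():
    """Build an in-memory SQLite database with a small students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students (name) VALUES (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def find_unsafe(conn, name):
    """Vulnerable pattern: the input is pasted straight into the SQL text.

    Any quote in the input ends the string literal early, so whatever follows
    is handed to the SQL parser as code instead of being treated as data.
    """
    sql = "SELECT name FROM students WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def sql_string_literal(value):
    """Turn a Python str into an SQL string literal (the @yessopie approach).

    Standard SQL represents a single quote inside a literal by doubling it.
    A driver's escaping function does exactly this; doing it by hand for every
    value is easy to forget once, which is why prepared statements are preferred.
    """
    return "'" + value.replace("'", "''") + "'"


def find_escaped(conn, name):
    """Safe only as long as every value passes through sql_string_literal()."""
    sql = "SELECT name FROM students WHERE name = " + sql_string_literal(name)
    return [row[0] for row in conn.execute(sql)]


def find_prepared(conn, name):
    """Prepared statement: fixed query text, value bound to a '?' placeholder.

    The database parses the statement once and then receives the value as
    data, so it is never interpreted as SQL no matter what it contains.
    """
    rows = conn.execute("SELECT name FROM students WHERE name = ?", (name,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, name):
    """True when the concatenated query fails to parse for this input."""
    try:
        find_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True


def student_count(conn):
    """Row count, used to confirm the table survived a lookup."""
    return conn.execute("SELECT COUNT(*) FROM students").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # The last input is the xkcd 327 name quoted in the comments above.
    for attempt in ["Alice", "O'Brien", "Robert'); DROP TABLE students;--"]:
        print(repr(attempt))
        print("  prepared:     ", find_prepared(db, attempt))
        print("  escaped:      ", find_escaped(db, attempt))
        print("  unsafe breaks:", unsafe_query_breaks(db, attempt))
    print("students still present:", student_count(db))
```

Running the block shows the same input handled three ways: the name `O'Brien` is found by the escaped and prepared lookups but makes the concatenated query fail, and the `DROP TABLE` string is simply a name that matches nobody, with the row count unchanged afterwards.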

  • @Yodamanjaro, 9 years ago, +27

    "Prepared statements" - this is also called parameterized queries, right?

  • @QuotePilgrim, 10 years ago

    Thank you. The analogy in the beginning is genius.

  • @yonas019, 10 years ago, +2

    I really like this guy, very enthusiastic, reminds me of my lecturer for databases

  • @youluvana, 10 years ago

    On some websites it's intended for you to not be able to save some images or get a popup or have a chance to be redirected instead, when you click on a link. On some lower end websites you can go around all that by looking at the source code. Often there are links in the code that reveal the url of the images or you can figure out how to change the text of the link address (right click -> copy link address) to open it without extra popups.

  • @capitaopacoca8454, 3 years ago, +12

    This is one of those videos that have few comments but all from 6 years ago. And no replies, for some reason.

  • @WaynesvilleRC, 10 years ago, +6

    This guy is phenomenal; more of him please!

  • @ashwith, 10 years ago, +3

    "...someone who uses Windows." The expression at 8:31 is priceless! :D

  • @ok_engineer, 10 years ago

    This video is going to be the response to so many stackoverflow questions.

  • @easementh, 10 years ago

    Love the colorgrading on this one.

  • @007bistromath, 10 years ago

    There's some missing context for this video that would be really interesting. Even though I've used computers for most of my life, I never actually knew what a relational database was or how it works until a few years ago when I asked my instructor about them while taking a class that was only tangentially related to them. I think it's a very interesting topic that more people should know about, because it's pretty much at the conceptual root of everything a modern computer does. Do that video!

  • @TheRiL3z, 10 years ago, +2

    Does limiting the amount of access that the user has using sql permissions, say, in an oracle DB also solve the issue on its own? Say the user that logs in can only select data from the db, and only from certain tables and you deny them the 'drop', 'delete', 'alter' and other dangerous commands. Would that nullify the threat that injections pose? A hacker trying an injection would get back a 'you don't have permission to perform this operation' message, right? In the real world I'm assuming you use setting permissions in conjunction with the other techniques described in the video to make sure your data is 'safe,' not just relying on permissions alone.

  • @apark633, 10 years ago

    I am really liking this guy. more please!

  • @neongreencoding878, 8 years ago, +2

    Great info! SQL injection is a classic security flaw

  • @dunx125, 10 years ago

    I really like this guy, he speaks with passion and intelligence

  • @Toksyuryel, 10 years ago, +2

    Tom, have you read "PHP: a fractal of bad design" on veekun? I think you may find the article very enlightening.

  • @nickt906, 8 years ago, +2

    This guy is great at teaching.

  • @josephthedafty, 10 years ago, +1

    I freaking love Tom Scott, everyone should.

  • @murialvoid85, 1 year ago, +5

    Sequel? I prefer squirrel injection. Sounds a lot cooler.

  • @hasnainmohd6775, 2 years ago, +10

    Am I the only one who got a recommendation in 2021?

  • @BasedLemur, 7 years ago, +9

    Don't most websites send text through some secondary language's function, like JS or something, to clean the input before sending it to the actual database?

  • @znb5873, 4 years ago, +7

    How did you isolate his voice from the surrounding noise?

  • @abaltazar8, 10 years ago

    He clearly said it wasn't just a PHP specific problem. Great video!

  • @IamAmitKT, 7 years ago

    thanks tom, awesome explanation

  • @crisunjackalD, 10 years ago

    SQL was designed under the name SEQUEL (Structured English QUEry Language), but Sequel just so happened to be a trademarked name of a UK company called Hawker Siddeley Aircraft, so it had to be changed.
    From that, we can assume both ways of saying it are correct, since Sequel was the name originally intended but "Es-Kyoo-El" is the amended one.

  • @icemd24, 8 years ago, +2

    Gonna change all my code to prepared statements right now. Thank you!

  • @DoABarrelRol1l, 4 years ago, +6

    Me and my friend always joked about naming a kid "DropTable" in our IS SQL intro course.
    But I guess now I realize it should be something along the lines of: Frank";Droptable

  • @Vulcapyro, 10 years ago, +1

    These sorts of practices make me cringe inside. I salute you for your continued efforts.

  • @dementeddr, 10 years ago

    I love that he writes things on old continuous-feed paper.

  • @IceMetalPunk, 10 years ago, +2

    I'd like to hear more detail about other methods of injections. I've always been under the impression that properly escaping your inputs was enough to be safe...

  • @phatcartoon, 10 years ago

    Thanks, Sai Vineet, I appreciate the help. :)

  • @frequencycs, 6 years ago

    Amazing video!

  • @robertgomez8881, 9 years ago, +1

    Great video. Was it recorded on a boat? I'm getting seasick.

  • @ArnoldsKtm, 8 years ago, +6

    In PHP and all other modern programming languages the classes and functions to communicate with the database are made so well that I don't really have to worry about escaping the value. (PDO, for example. No idea why anyone would still use mysql or mysqli even.)

  • @ghelyar, 10 years ago

    SEQUEL was different to SQL and used for ~12 years before the 1986 ANSI spec for SQL, in which the correct pronunciation is specified.
    It may be that the pronunciation was only even defined to avoid copyright infringement, but since it's in the spec the pronunciation is just as well defined as the "SELECT" keyword, for example. Just as you can't swap "choose" or "find" or "get" for "select" in a query, there is a pronunciation that is defined as correct and other pronunciations are non-spec.

  • @purplewow, 9 years ago, +2

    I have a site in PHP and for database interaction I am using PDO to prevent SQL injection. So does it solve the problem?

  • @lemans1234567890, 8 years ago, +33

    reminds me of xkcd 327
    where a mom names her child
    "Robert'); DROP Table Students;"

  • @LordChris00, 10 years ago

    Wow, he is so enthusiastic, I love it!

  • @TechLaboratories, 10 years ago, +5

    Awesome video! Personally, I think that HTML, Javascript and PHP should be taught in every high school worldwide, if for no other reason than the problem solving skills and understanding of how the internet works gained in the process. No offense to the other client-side and server-side scripting languages.

  • @0096luke, 8 years ago, +183

    There's a fix for this. It's called not using PHP

  • @jeebersjumpincryst, 10 years ago

    This technique was used by the characters in J.K. Rowling's "The Casual Vacancy" to great effect!