Running an SQL Injection Attack - Computerphile

Just how bad is it if your site is vulnerable to an SQL Injection? Dr Mike Pound shows us how they work.
Cookie Stealing: • Cookie Stealing - Comp...
Rob Miles on Game Playing AI: • AI's Game Playing Chal...
Secure Web Browsing: • Secure Web Browsing - ...
Deep Learning: • Deep Learning - Comput...
Tom Scott on SQL Injection: • Hacking Websites with ...
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments: 2,100

  • @martinpet100 · 5 years ago

    How to avoid jail: "I've given myself the permission"

  • @elisttm · 4 years ago

    officer i swear what i did wasn't illegal, i gave myself permission to rob him!

  • @georgek4416 · 4 years ago

    @@elisttm ok ur free

  • @ajinkc1031 · 3 years ago

    XDDD

  • @revenevan11 · 3 years ago

    @@elisttm this reads like a privilege escalation exploit lol

  • @bxnkroll · 3 years ago

    I'm using it

  • @barkeeper7887 · 4 years ago

    imagine not giving yourself permission to do this on your own website and then you sue yourself, win the lawsuit and then land in prison

  • @costafinkel · 4 years ago

    Well, at least you would be able to win your own money. That's more than what can be said for some married / divorced folks.

  • @barkeeper7887 · 4 years ago

    You’re pretty damn right m8

  • @aviddavid8793 · 3 years ago

    mmmMM the court fee and if you have 1000 iq your lawyer takes about 30%

  • @heeheehawhawheehee · 3 years ago

    Then become mr robot

  • @imho2278 · 3 years ago

    Write it off as a tax deduction.

  • @karldavis7392 · 3 years ago

    Decades ago, my brother named his bowling team "select *". This was in the early days of computers, so there wasn't modern security. The bowling alley printed the statistics, and when his team arrived, the employee presented an entire ream of paper and demanded they choose a different name.

  • @bsvenss2 · 3 years ago

    Hehehe... funny. It's like the first Unix systems where you couldn't have a user named "Ed".

  • @karldavis7392 · 3 years ago

    @@bsvenss2 Would it start the editor?

  • @Deeeve · 11 months ago

    @@karldavis7392 it would lol

  • @pandasworld4168 · 5 years ago

    The interviewer thought the text editor was already the hacking part

  • @davidprice6462 · 4 years ago

    I noticed his excitement as well.

  • @arielfenomenon9233 · 4 years ago

    I loved when he nervously asked...so where are u typing that now....as if the whole world was going to blow up >^

  • @paulaxa1 · 4 years ago

    you know he probably knows but he just asks for the content right?

  • @georgek4416 · 4 years ago

    He knows

  • @andrewhennessy620 · 4 years ago

    at least he's willing to learn

  • @clementella · 6 years ago

    Me: Can I SQL Injection Attack your website? Me: Sure

  • @katherinegonzales4916 · 5 years ago

    That's what he did

  • @kubadzejkob332 · 4 years ago

    Imagine he has schizophrenia and files a lawsuit against himself.

  • @kubadzejkob332 · 4 years ago

    Or simply changes his mind.

  • @Shubhankar31 · 3 years ago

    *Mr. Robot intensifies*

  • @1kennylo · 3 years ago

    😂

  • @soweliLuna · 6 years ago

    the intro had "" and the outro ""... smart... love the attention to detail

  • @rixogtr · 5 years ago

    what does that mean?

  • @rixogtr · 5 years ago

    oh now that makes sense :D Thanks

  • @andy.robinson · 5 years ago

    Being the pedantic developer I am, it's more like XML since HTML doesn't support a tag.

  • @sirturnables · 5 years ago

    What are u doing here if u don't know that?? lol

  • @toyotaae86truenogt-apex97 · 5 years ago

    @@sirturnables learning.

  • @randomuser-vs3oe · 4 years ago

    alright youtube, this has been in my recommended for 2 years now, I'll watch it, you win.

  • @universenerdd · 3 years ago

    Underrated

  • @jamesmccabe2286 · 3 years ago

    Interesting and informative, but the other guy is almost as basic as "So, what's that in front of you? Is it a computer?"

  • @user-ys9kg6ye8u · 3 years ago

    lowkey joke

  • @sachinfulsunge9977 · 2 years ago

    You just wasted 2 years

  • @user-ys9kg6ye8u · 2 years ago

    @@sachinfulsunge9977 hahaha

  • @mattshnoop · 4 years ago

    It’s crazy how different my understanding of this video is since the first time I watched it. I watched it back in high school, now I’m halfway through a university degree and have taken web development courses... Funky.

  • @sadimehti9934 · 3 years ago

    Got Same feelings haha

  • @BaconTrainss · 2 years ago

    i feel attacked

  • @shrimps69 · 2 years ago

    Just came back after 5 years and I'm second year into IT

  • @travispetit2410 · 7 years ago

    Imagine naming your child "LIKE'%' UNION SELECT * FROM TABLEBASE" so that when they register its name, you'll get the information on all of the country's database

  • @ilyasssaadi9594 · 7 years ago

    Travis Petit problem is, you should rather imagine that names of people would contain something other than letters (numbers and symbols)

  • @1wOOrking1 · 6 years ago

    Why is PHP better than Python please?

  • @Minecraftsomebody · 6 years ago

    ^^^^^^^^^^

  • @siisihqdaa · 5 years ago

    US government sites use Drupal which uses PHP, so US government actually uses PHP

  • @ithinkitsaurus · 5 years ago

    my birth name is actually ':-- DROP DATABASE

  • @bennyboy968 · 8 years ago

    I love how he explains things non-pretentiously. It seems a lot of people in the computing field really like to think they're better than everyone else.

  • @AngrySkipperGC · 5 years ago

    Prince Benny it’s usually not their fault. Having worked with Tech Mobs for the Gold Coast commonwealth games, it’s just how IT dudes are and there is actually a job for people to take what the IT guy says and explains it to the project manager in a way that makes sense.

  • @morten1 · 5 years ago

    Yeah he's a great teacher too

  • @americancitizen748 · 5 years ago

    Or with a foreign accent so heavy you can't even tell they are speaking English.

  • @froyorex4856 · 5 years ago

    Yeah we do 😎

  • @MrX-nc8cm · 5 years ago

    Yes we are

  • @armonfrohlich6348 · 4 years ago

    The whole Computerphile series is just great. Much of it I can only see here, although I speak only moderate English. Your enthusiasm and your fascination for the topic make even a slightly boring topic stay interesting. And that with every clip.

  • @JDSileo · 3 years ago

    This is defense against the dark arts for Computer Science

  • @MrDeeb8 · 7 years ago

    Thank you Peter Parker

  • @tomascanevaro4292 · 6 years ago

    He's the cool version of Peter Parker, from Spiderman 3

  • @ashharryman19 · 6 years ago

    Underrated post

  • @RedditNovelties · 6 years ago

    I thought I was the only mofo thinking he looked like Peter Parker from Spider-Man 😂

  • @warpman345 · 6 years ago

    Or Frodo from the Lord of the Rings

  • @DanIel-fl1vc · 6 years ago

    FRODO!

  • @tommytomtomtomestini3894 · 8 years ago

    Instructions unclear, NSA is outside my house.

  • @Drummerdude998 · 7 years ago

    😂😂😂

  • @baho644 · 7 years ago

    John Doe FAV hahahahaa

  • @adamwood1706 · 6 years ago

    😂😂😂

  • @blackham7 · 6 years ago

    WTF HOW DID YOU GET NSA OUTSIDE YOUR HOUSE OBVIOUSLY YOU UNDERSTOOD THE INSTRUCTIONS ARE YOU IN PRISON NOW?

  • @thatonegooze · 6 years ago

    blackham7 wooosh

  • @madnessguy010101 · 6 years ago

    I had known and understood what sql injection was previously, but I had never heard of blind sql attacks and using database-specific syntax in order to obtain information on the underlying database. Very informative video

  • @SpencerDavis2000 · 4 years ago

    this was one of the most interesting videos I have seen in a while. gotta watch more now

  • @AriannaEuryaleMusic · 7 years ago

    So the best defense is to disable the "Search" box

  • @Ioganstone · 6 years ago

    Only criminals need search boxes.

  • @saeedbaig4249 · 5 years ago

    The best defence is to take down your own website, destroy your computer, isolate yourself from technology & civilisation and go live in the woods.

  • @ShokoCC · 5 years ago

    No client can't hack you if you have no clients #LifeHack @@saeedbaig4249

  • @adamatlas1113 · 5 years ago

    Nah, silly lol Just ban "UNION" from your search box...

  • @chadtowers8556 · 5 years ago

    From memory it's possible to use your browser search bar to run an SQL query

  • @zanzlanz · 8 years ago

    This is a very well done demonstration! I liked being able to see how it worked in an actual example. Someone ran one of those scripts on my site to try to hack my database a couple years ago. The only thing it helped me realize is that I needed stronger spam protection, because it left thousands of failed injection comments on one of my pages, haha.

  • @ZweiSpeedruns · 8 years ago

    That sounds more like xss than sql injection

  • @jarmo_kiiski · 8 years ago

    You need some of that htmlspecialchars(), a stripslashes() and str_replace()

  • @empiter3359 · 8 years ago

    htmlspecialchars() for the output as xss protection. in case of php & mysql it would be mysql_real_escape_string() against sql injections in quoted values. but people shouldn't think they would be safe when just using these functions. someone can do an sql injection without using any control chars at all if you didn't put quotes around the variable in the query: for example "SELECT * FROM posts WHERE postId = $postId"... the value of $postId could just be "1 UNION (SELECT 1, 2, 3)-- " without any quotes. in this case you would be safe with casting the variable to an int, but best practice in general is using prepared statements.

  • @empiter3359 · 8 years ago

    meh, forgot about the ; in the example injection - but you get the point... use prepared statements / stored procedures :-)
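
Worked example of the point made in the two comments above, added here by the editor and not code from the video or from the commenter: an unquoted integer parameter pasted into SQL text, next to the int-cast fix and the parameterised-query fix, run against a constructed SQLite database. The `posts` table and `postId` column mirror the comment's example; the `users` table, its one row and the payload string are constructed for the demonstration (the payload is a variant of the comment's, without the parentheses).

```python
import sqlite3

# Constructed sample database: a "posts" table like the one in the comment,
# plus a "users" table that a successful injection could read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (postId INTEGER, title TEXT, body TEXT);
        INSERT INTO posts VALUES (1, 'First post', 'hello');
        INSERT INTO posts VALUES (2, 'Second post', 'world');
        CREATE TABLE users (id INTEGER, name TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'joe', 'constructed-hash-value');
    """)
    return conn

def get_post_vulnerable(conn, post_id):
    """Value concatenated into the SQL text with no quotes around it, so no
    quote character is needed to leave the value and continue with new SQL."""
    sql = f"SELECT postId, title, body FROM posts WHERE postId = {post_id}"
    return conn.execute(sql).fetchall()

def get_post_int_cast(conn, post_id):
    """The comment's narrow fix: cast first. Anything that is not an integer
    raises ValueError before any SQL text is built."""
    sql = f"SELECT postId, title, body FROM posts WHERE postId = {int(post_id)}"
    return conn.execute(sql).fetchall()

def get_post_prepared(conn, post_id):
    """The general fix: a parameterised (prepared) query. The value is bound
    to the placeholder and is never parsed as SQL."""
    sql = "SELECT postId, title, body FROM posts WHERE postId = ?"
    return conn.execute(sql, (post_id,)).fetchall()

# Constructed payload in the shape the comment describes: a UNION with the same
# column count as the original SELECT and no quote character at all.
PAYLOAD = "1 UNION SELECT id, name, pwhash FROM users"

def demo_injection(payload=PAYLOAD):
    """Run the same input through all three variants and collect what each returns."""
    conn = make_db()
    out = {"vulnerable": sorted(get_post_vulnerable(conn, payload))}
    try:
        get_post_int_cast(conn, payload)
        out["int_cast"] = "executed"
    except ValueError:
        out["int_cast"] = "rejected"
    out["prepared"] = get_post_prepared(conn, payload)  # bound as text: matches no row
    out["prepared_ok"] = get_post_prepared(conn, 2)      # normal use still works
    conn.close()
    return out

if __name__ == "__main__":
    for name, value in demo_injection().items():
        print(f"{name:12} {value}")
```

The vulnerable variant returns the `users` row alongside the post; the int cast refuses the input outright; the prepared statement binds the whole string as a value that matches nothing, while a genuine id still works.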

  • @AchrafAlmouloudi · 8 years ago

    No, it is a SQL injection attempt, not an XSS attack, the hacker was using the comments form as a gateway to the database, just like Michael in the video used the search box to send malicious queries. The difference is a comments form will store those requests as comments while a search box doesn't store search queries.

  • @samuelokirby · 4 years ago

    Okay YouTube, I'll watch it. Recommending it to me for years.

  • @raiker02 · 3 years ago

    alert("hello world"); -I'm in.

  • @SuperManitu1 · 8 years ago

    The hacking videos are the best and most interesting for me as comp science student. Keep them coming!

  • @Ownage4lif31 · 8 years ago

    Just wait until you learn MySQL and Javascript. Then you'll be able to learn some very interesting things.

  • @SuperManitu1 · 8 years ago

    BlackenGames lol, I can program in over 20 languages, including those two. The point is not to learn them, but to learn against them. Possible weaknesses you have to remember when programming.

  • @Stigsnake5 · 8 years ago

    >Javascript
    When I'm feeling like a masochist perhaps.

  • @SuperManitu1 · 8 years ago

    Blaze I really hate Javascript, but you should try typescript. I have made my peace with javascript that way

  • @Ownage4lif31 · 8 years ago

    SuperManitu1 Then you should be able to exploit things easily. I don't know how to program in a lot of languages. Only 2 and I know how to do some nice exploits.

  • @habiks · 8 years ago

    ..what is illegal? running sql attack or making shitty web apps? Coz my real name is "'; DROP table users; SELECT '"

  • @atomheartother · 8 years ago

    Both.

  • @modernkennnern · 8 years ago

    releasing the information is illegal.

  • @jan_harald · 8 years ago

    attacking someone without their permission is illegal by law; making shitty apps is illegal by community

  • @Padarom · 8 years ago

    Making your application insecure towards attacks and putting your users' sensitive information at risk of being stolen and released is illegal. @jan harald: What is "illegal by community" supposed to mean?

  • @harrisonharris6988 · 8 years ago

    I wonder if you could change your legal name to that.

  • @PaulBunkey · a year ago

    This is the best explanation of SQL injection video ever. I've recommended it to a non-technical friend and he got the info-sec job.

  • @Towzlie · 5 years ago

    That's why you use PDO and bind requests. Also don't forget to sanitize user input before the query

  • @TheMrYakobo · 7 years ago

    I thought I loved Scott. Then I discovered this man, the man that doesn't pronounce SQL like Sequel. He's brilliant

  • @denvernaicker8250 · 5 years ago

    oh snap i've been pronouncing it incorrectly

  • @jackrogers1115 · 5 years ago

    We in the UK don't tend to pronounce it sequel...

  • @13am22 · 5 years ago

    @@jackrogers1115 Well isn't Tom Scott from the UK, though? You see, he's the one in question who tends to do so.

  • @jackrogers1115 · 5 years ago

    @@13am22 what

  • @jackrogers1115 · 5 years ago

    In the UK, we tend to say S Q L, not sequel. That's what I'm saying. And yes, he's from the UK

  • @Wolle704 · 7 years ago

    I always struggled with some parts of this. But I finally understand how it works so I'd have to say this is probably the best explanation of SQL injections I've ever come across. Thanks

  • @meptalon · 5 years ago

    Subscription at first video :) This is the best explanation of an SQL injection that I've ever heard. Pretty sure that even non-coders would understand

  • @joylox · 2 years ago

    That program you had was literally something I had to make for a class in web development. I think it was the PHP class. Thankfully, we also have a mandatory information security course I'm in now and learning about these. We did talk about making sure quotes don't get in, which is important.

  • @antiHUMANDesigns · 8 years ago

    I made a website many years ago, and obviously made sure SQL injection wasn't possible, and I also logged stuff, and I did see some people trying to do SQL injection on my website.

  • @211212112 · 4 years ago

    please give me website address and permission to practice pen test

  • @antiHUMANDesigns · 4 years ago

    @@211212112 This was well over 10 years ago. That website no longer exists.

  • @jmvr · 4 years ago

    anti/HUMAN Designs :(

  • @harrygreene6746 · 8 years ago

    Would love to see more videos like this about possible software attacks. This was eye-opening

  • @dhananjaydj543 · 2 years ago

    I'm only halfway through the video. It's easy to understand what he is trying to say due to those practical examples in a simplified way. It's half a decade old and still one of the best videos to watch on this topic.

  • @BladeGamester · 4 years ago

    OKAY YOUTUBE I FINALLY WATCHED IT! This video has been in my recommended for years now.

  • @PashaSiraja · 8 years ago

    A 2rd degree attack would be me naming my children ";--"

  • @PashaSiraja · 8 years ago

    LOL I miss-typed 2 instead of 3 hahaha

  • @ihrbekommtmeinenrichtigennamen · 8 years ago

    Bobby Tables would be proud of you!

  • @GlassCurtain · 8 years ago

    Little Bobby Tables!! :)

  • @CuZoSky · 8 years ago

    2rd ? "secord" ? :))

  • @ihrbekommtmeinenrichtigennamen · 8 years ago

    CuZoSky twoerd

  • @chasebrower7816 · 7 years ago

    You don't go to jail if you don't get caught.

  • @chasebrower7816 · 7 years ago

    Iceborn Gauntlet probably you.

  • @36nuts18 · 7 years ago

    Chase Brower no, not just me. EVERYONE.

  • @rasheedhadi2714 · 6 years ago

    Frank zapper

  • @malharjajoo7393 · 5 years ago

    you don't go to jail if you never try to learn this stuff. * makes the meme face *.

  • @americancitizen748 · 5 years ago

    That's what Hillary told me.

  • @abandoned7501 · 5 years ago

    Quantity in stock: A D M I N

  • @noskillpureandy · 3 years ago

    Product name: G E O R G E

  • @n1c98 · 3 years ago

    I love this channel, some videos I understand, and some I have no ******* idea what they are talking about. These guys are super epic and advanced. I'm an uber beginner LOL. Been learning the basics and enjoying it. Thank you for such incredible material, I really appreciate you guys, and of course, YouTube too is just simply awesome

  • @Adam92326 · 8 years ago

    That's why I use prepared statements everywhere, even when I get something from my own database, and do a query on something else.

  • @Rougeman0 · 8 years ago

    I really love how Mike stepped up his game lately. Easily one of my regulars on Computerphile, keep it up!

  • @eminem2 · 5 years ago

    Imagine explaining that to inmates in jail: "I... I... put the wrong text in a database on purpose". Inmates be like: "Somebody get me a restriction order, you ain't coming 5 cells away from me, what is wrong with you!"

  • @Jibblets · 3 years ago

    Funny haha

  • @Nalopotato · 5 years ago

    One of my accomplishments at my first job was rewriting all of our (then) inline SQL queries and stored procs in C# to implement SQL injection prevention! It was a lot of fun :) And very rewarding when I was done

  • @Lmaoboat · 8 years ago

    This guy is by far the best on this channel. Especially with his practical examples!

  • @VexillariusMusicEDM · 8 years ago

    Dude this guy is crazy I love watching vids with this dude

  • @darshandani1 · 3 years ago

    I learnt more from this video than my entire DBMS coursework.

  • @feliper.150 · 4 years ago

    Alternative title: Tyrell Wellick runs an SQL Injection attack.

  • @PongiPlaysGames · 3 years ago

    XD

  • @Rippertear · 8 years ago

    you gave yourself permission? is that in writing? is it notarized? who knows, maybe you'll change your mind and press charges on yourself!

  • @Werdna12345 · 8 years ago

    Would love to see a video on second order SQL injections!

  • @jorgemarcelo4708 · 3 years ago

    I really enjoyed this video! Very informative and the professor speaks really well

  • @chrisalister2297 · 6 years ago

    Amazing how this was posted in 2016 and these were concerns I had to address in 1996. Filtering, stored procedures and permissions are your friend.

  • @dustin_echoes · 8 years ago

    Thanks! This video explains it better than my database subject lectures.

  • @baldeepbirak · 6 years ago

    Useful to see as this does work on my website.

  • @Rosson311 · 6 years ago

    Baldeep Birak so what website do you run? Asking for a friend lol

  • @TeeKayMTrove · 6 years ago

    Cheeky.

  • @gavbag1234 · 6 years ago

    Hey now, let's none of us go Ball Deep on Baldeep.

  • @IAmESG · 5 years ago

    mind if I take a look on your website?

  • @cosminxxx5287 · 5 years ago

    @@Rosson311 but even as a joke you shouldn't try it, cause when police will be at your door, it won't hold, honestly. Like, I go with a knife to your house and you call the police and I tell them "oh, it was just a joke, for fun, didn't mean to do anything". Not so sure someone will bite that even if it would be true. So yea, don't even think to try just to see if it works. You would be the dumbest hacker in that jail yard.

  • @PlayGrum · 4 years ago

    just started doing a Cyber Security Course at college, enjoying your videos to supplement my learning :)

  • @otis3744 · 3 years ago

    I've been looking for this: computer-related channels that have the same or similar delivery as history channels and economics channels, just stuff I can watch while relaxed

  • @deejaykaye · 7 years ago

    This guy is quality, I could listen to him all day

  • @rchandraonline · 8 years ago

    user name consisting of SQL? must be Little Bobby Tables

  • @tiggerbiggo · 8 years ago

    rchandraonline I know of that site, but this is a full in depth explanation as to exactly how it works.

  • @fluck6159 · 8 years ago

    I will name my son as Little Bobby Tables

  • @jcfawerd · 7 years ago

    I suddenly remember a man named "null"

  • @GioGziro95 · 7 years ago

    Where's the "Students" table?

  • @CreamyRootBeer · 7 years ago

    Oh, I love that comic. "Oh little Bobby Tables, we call him."

  • @Rhyden · 5 years ago

    I learned more about databases in this one video than I did during a semester long class in Uni about databases.

  • @jbyagenrok · a year ago

    Felt like I was listening to an SQL injection tutorial as presented by James Acaster. And loved every second of it of course

  • @sdHansy · 7 years ago

    This man is an amazing teacher.

  • @PanetMaster · 7 years ago

    I'm so glad I stumbled upon this channel. So interesting. Excellent and informative use of CGI woven into the videos as well. Thanks Computerphile!!

  • @jc_777 · 5 years ago

    It was so much fun watching this. Well instructed.

  • @nicktech2152 · 5 years ago

    WPF in C# 2010 Book on the background - Busted!

  • @christophernetherton9389 · 8 years ago

    Insightful. Thank you for taking the time to go through it. Not a database guy but found it very interesting.

  • @SpencerFcp · 5 years ago

    I used to work for a consulting company and you'd be surprised how shitty the majority of companies are at protecting your data. Mostly smaller businesses, but even some of the large ones lack basic security measures. It was pretty eye opening.

  • @javcube · 6 years ago

    Great explanation!!! Glad YouTube finally recommends me something I am really interested in. Keep it up!

  • @Gutenmorgenside · 2 months ago

    Very interesting. Thanks Doctor Mike !

  • @tomchapman128 · 4 years ago

    "Ah, I'm sure my website will be fine." *checks it* "ohno"

  • @emberdrops3892 · 4 years ago

    actually underrated 😂

  • @mariadb4627 · 4 years ago

    Oof 😅

  • @Suicidekings_ · 4 years ago

    SurprisedPikachu.jpg

  • @KacangNgoding · 3 years ago

    "anyway..."

  • @GetCTOwned · 4 years ago

    Reminds me of the days when I had to 'recover' lost wordpress credentials for customers. Luckily web security has gotten much better but this is still a very valid video.

  • @MrSkinkarde · 2 years ago

    Wordpress has never been secure in any way, and it should never be used commercially

  • @kwakuamoh-aboagye · 6 years ago

    Nice video, easy to understand. Well demonstrated examples too....

  • @Minitomate · 4 years ago

    Very well explained. I liked this explanatory video a lot.

  • @hrnekbezucha · 8 years ago

    Now this is art. I can totally imagine people do stuff like this cause it's fun. Like chess.

  • @orlagskapten9829 · 4 years ago

    Juan2003gtr why are you calling him a noob?

  • @stylz1 · 4 years ago

    Like gambling.

  • @kimlau4285 · 4 years ago

    Me: Going through lecture slides to pass my SQL exam. You: Playing black magic with SQL queries.

  • @caicu4865 · 4 years ago

    awesome, back in few years ago I tried to study the topic but I was so confused, no idea why it makes sense now but awesome video, liked.

  • @Yeldur · 6 years ago

    Incredibly informative!

  • @leonhill8447 · 2 years ago

    As a SQL beginner this was super helpful, thank you.

  • @B20C0 · 7 years ago

    The most scary fact about this is that it's still an issue in 2016. I did this kind of stuff 15 years ago and back then I already thought "this is way too easy". The bad news was that there were no such things as prepared statements, so you really had to do all the work with escaping.

  • @matlilly8795 · 6 years ago

    At one point, I created and maintained a server. You have to know how to crack your own system to know how to defend it. I launched campaigns against my server on a somewhat regular basis. Great explanation.

  • @ruslanshamsiev6528 · 5 years ago

    Inspiring, you must do more videos, thank you

  • @club6525 · 2 years ago

    Just to clarify: It's not a malformed query. You're actually getting outside of the query that the website wants you to. Basically, you get to create your own little query which is pretty terrible cause then some dude can query for everyone's passwords.

  • @_martinedwards · 4 years ago

    That nearly finished Rubik's cube on his desk is playing havoc with my OCD

  • @Sharpless2 · 3 years ago

    here to remind you of that unfinished cube lol

  • @_martinedwards · 3 years ago

    😭

  • @tizziejames9040 · 3 years ago

    This is all such great stuff.

  • @HarshaVardhan-xx6ii · 2 years ago

    These videos are very helpful

  • @an3ssh · 4 years ago

    Thank you YouTube for suggesting me this video after my DBMS exam ..... would've done great if I had watched this video

  • @colee6133 · 5 years ago

    the illegal part of this is having an unsolved cube on your desk with super easy PLL case :c

  • @hosmanadam · 5 years ago

    Excellent content, thank you!

  • @TechOnScreen · 2 years ago

    Amazing demonstration.

  • @philadams9254 · 8 years ago

    "; DROP ALL DATABASES; --

  • @josephthapa5848 · 6 years ago

    That's bad

  • @cristalmen9104 · 6 years ago

    :D

  • @user-bp5fk9ln2h · 5 years ago

    OMG...

  • @chrisellis5860 · 5 years ago

    Only if the account has been granted DROP permissions. For a site that just shows records it should only be created and given SELECT permission.
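
Added example of the least-privilege point in the comment above; this is the editor's code, not the video's or the commenter's. SQLite has no GRANT statement, so a read-only connection (URI `mode=ro`) stands in for a database account that holds only SELECT: reads go through, and a DROP or DELETE that reaches the database through an injected query is refused by the database itself. The `products` table and its row are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

def create_catalogue_db(path):
    # Constructed sample data: the product table a public site reads from.
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, stock INTEGER);
        INSERT INTO products VALUES (1, 'Nails 7mm', 500);
    """)
    conn.commit()
    conn.close()

def open_read_only(path):
    """Stand-in for a SELECT-only account: every write on this handle fails."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def run_statement(conn, sql):
    """Return ("ok", rows) or ("refused", message) so the caller can see
    which statements the connection's privilege level allows."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("refused", str(exc))

def demo_privilege():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.db")
        create_catalogue_db(path)

        ro = open_read_only(path)
        results = {
            "select": run_statement(ro, "SELECT name, stock FROM products"),
            # The kind of statement an injected "; DROP ..." would try to run:
            "drop": run_statement(ro, "DROP TABLE products"),
            "delete": run_statement(ro, "DELETE FROM products"),
        }
        ro.close()

        # A full-privilege connection confirms nothing was changed.
        rw = sqlite3.connect(path)
        results["still_there"] = rw.execute("SELECT COUNT(*) FROM products").fetchone()[0]
        rw.close()
        return results

if __name__ == "__main__":
    for name, value in demo_privilege().items():
        print(f"{name:12} {value}")
```

The permission check happens in the database engine, so it holds even when the application code is wrong; that is what makes it a useful second layer behind parameterised queries rather than a replacement for them.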

  • @fireboltofdeath · 5 years ago

    +Chris Ellis Do you really think someone who isn't going to escape user input, would think about that? Because I honestly don't.

  • @vinkuu · 8 years ago

    The password for user Joe is 'administrator'.
    ./john /vagrant/x --show
    ?:administrator
    1 password hash cracked, 0 left

  • @CJBurkey · 8 years ago

    What was the salt?

  • @vinkuu · 8 years ago

    The whole hash is $1$V32.4G/.$0PKnjhXYUmYLJZZ8vEt/b/ so i guess the salt is 'V32.4G/.'. I'm not familiar with the format of md5, but in bcrypt that would be the salt.

  • @CJBurkey · 8 years ago

    vinkuu So, essentially, if you get into the database, you can use the salt that is with the password to crack it by brute forcing it?

  • @vinkuu · 8 years ago

    Yes correct. And that is the reason md5 is considered a bad choice of hashing algorithms to use for hashing passwords. It's very fast to brute force md5 hashes compared to eg. bcrypt with a cost setting of 15. It directly equates to cost (€) of the brute force cracking setup.

  • @ZombieCakeHD · 7 years ago

    Or just type in administrator??????

  • @roguishowl3915 · 2 years ago

    Very interesting and informative content, love the work, instant sub and like.

  • @marcopetaccia88 · 3 years ago

    Thanks!! Really informative and entertaining video !!

  • @MrMichaeledavis83 · 5 years ago

    As a learning web developer that uses php and sql all the time, this is pretty creepy. Luckily I learned to sanitize my queries early on, but I need to learn more about how hackers might attack a website.

  • @raf.nogueira · 7 years ago

    This is why we should use PreparedStatements in PHP, JSP, Servlets, C# and ASP.. :)

  • @13am22 · 5 years ago

    That wasn't always a thing before, sadly. As of today, it's the only way to go basically. :)

  • @LincolnChamberlin · 4 years ago

    This was fun, can you do more of these vids where you show what this is actually like?

  • @darek4488 · 5 years ago

    Lovely demonstration.

  • @satviknema8629 · 4 years ago

    "Iam doing this on my own website. So Iam giving myself premission". LMAFAOO

  • @stylz1 · 4 years ago

    per

  • @Sharpless2 · 3 years ago

    yeah it may seem like a joke but in reality breaking into your own house can land you in jail.

  • @satviknema8629 · 3 years ago

    @@Sharpless2 wait wtf

  • @BijanIzadi · 3 years ago

    This should be basic education at this point, I’m so pissed nobody was learning or teaching this in school

  • @Julian.Gilexs · 3 years ago

    Depends on the school you were at.

  • @joecurran2811 · 3 years ago

    Totally agree.

  • @mollyaxford8643 · 5 years ago

    learnt about this in my computer science class today and now i feel like an absolute badass

  • @Codetutor-DemystifyCoding · 2 years ago

    Just perfect!!! Rather than talking about how it's done, show how it's done.

  • @JonSmith-cx7gr · 4 years ago

    What was the price for the 7mm nails? I'm re-upholstering a chair currently and think 8mm would be too long. Thanks.

  • @ZaHandle · 4 years ago

    admin

  • @combatking0 · 7 years ago

    When putting together a SQL driven site, I put all text input variables through a function which filters out all potentially hostile characters and replaces them with something which cannot be interpreted as SQL code. It could also be possible to get the PHP to check for multiple attempts to submit SQL injections. One or two could be accidental, but more than that could be viewed as an attack, so I could make the PHP block all traffic from that IP for an hour, or return some decoy tables, or even a fake page warning the hacker that a virus is being uploaded to their computer, complete with a progress bar :)
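
Added example of the second idea in the comment above (the editor's code, not the commenter's): count injection-looking submissions per client over web-server log lines, so that one accidental quote is ignored but repeated attempts are flagged for blocking or alerting. The log lines, IP addresses and the small indicator pattern set are constructed assumptions; this kind of detection sits beside parameterised queries, it does not stand in for them.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines (not from any real server): client IP, request line, status.
SAMPLE_LOG = """\
203.0.113.7 "GET /search.php?q=nails HTTP/1.1" 200
203.0.113.7 "GET /search.php?q=nails%27 HTTP/1.1" 500
203.0.113.7 "GET /search.php?q=nails%27+UNION+SELECT+1,2,3--+ HTTP/1.1" 200
203.0.113.7 "GET /search.php?q=%27+OR+%271%27%3D%271 HTTP/1.1" 200
203.0.113.7 "GET /search.php?q=nails%27%3B+DROP+TABLE+products--+ HTTP/1.1" 500
198.51.100.2 "GET /search.php?q=O%27Brien+chair HTTP/1.1" 200
198.51.100.9 "GET /index.php HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Assumed indicator patterns: a quote directly followed by a SQL keyword,
# a UNION SELECT, a "-- " comment terminator, or a stacked write statement.
# A lone apostrophe in ordinary text ("O'Brien") deliberately does not match.
SUSPICIOUS = re.compile(
    r"'\s*(?:or|and|union)\b"
    r"|\bunion\s+(?:all\s+)?select\b"
    r"|--\s"
    r"|;\s*(?:drop|delete|update|insert)\b",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (ip, path, status) for a request line, or None for anything else."""
    m = LOG_RE.match(line)
    return m.groups() if m else None

def count_injection_attempts(log_text):
    """Per client IP, the number of requests with at least one suspicious parameter."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        params = parse_qs(urlparse(path).query)  # decodes %xx and '+' for us
        if any(SUSPICIOUS.search(v) for values in params.values() for v in values):
            counts[ip] += 1
    return counts

def flag_clients(log_text, threshold=3):
    """Clients at or above the threshold; one or two hits are treated as accidental."""
    return {ip: n for ip, n in count_injection_attempts(log_text).items() if n >= threshold}

if __name__ == "__main__":
    print(dict(count_injection_attempts(SAMPLE_LOG)))
    print(flag_clients(SAMPLE_LOG))
```

On the constructed log the client 203.0.113.7 is flagged after its third matching request, while the single stray quote from 203.0.113.7's second request and the apostrophe in "O'Brien" are not counted; the threshold and the pattern list are the two knobs to tune against real traffic.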

  • @13am22 · 5 years ago

    If you're still learning PHP, SQL and all that stuff and didn't already - please have a read on PDO and prepared statements. It's the "new" easy way of dealing with everything. :)

  • @elliotc4268 · 2 years ago

    make it return what they would want to see, but the wrong information. a fake error or a fake full table

  • @chuckstu · 3 years ago

    Thanks for an excellent tutorial.

  • @developer101 · 3 years ago

    Excellent video...