Week 6 - Little Bobby Tables

View this classic XKCD cartoon:

https://xkcd.com/327

For the purposes of this problem you may assume that at some point the school’s system performs the query

SELECT *
    FROM Students
    WHERE (name = '%s' AND year = 2024);

where a student’s name, as input by a user of the system, is directly substituted for the %s. Explain exactly how Little Bobby Tables’ “name” can cause a catastrophe. Also, explain why his name has two dashes (--) at the end.

Bonus problem!

Hack your bird database! Let’s imagine that your Shiny application, in response to user input, executes the query

SELECT * FROM Species WHERE Code = '%s';

where a species code (supplied by the application user) is directly substituted for the query’s %s using Python interpolation. For example, an innocent user might input “wolv”. Craft an input that a devious user could use to:

  • Add Taylor Swift to the Personnel table
  • Yet still return the results of the query SELECT * FROM Species WHERE Code = 'wolv' (devious!)

This work is licensed under CC BY 4.0

UCSB logo