50 Ways to Inject Your SQL

I did a Parody of Paul Simon’s “50 Ways to Leave Your Lover.” It’s very geeky, though. It’s “50 Ways to Inject Your SQL.” Yes, that’s me singing.

I got the idea after explaining some really crappy code to my wife and how it did a ridiculous job protecting against SQL injection. I said “there must be 50 ways to inject SQL into that code.” That’s when she sang a couple of bars and I realized it would be a great idea. Now, my singing it might not have been such a great idea, but the parody was a good idea.

I downloaded the music from a MIDI site, and then arranged it in GarageBand. Here are the lyrics:

I see your input’s not validated properly
You have to check it at all tiers: 1, 2 and 3
Give me a browser and quite soon you will agree. There must be
50 ways to inject your SQL

You see it really is my business to intrude
The CTO wants to see this web app broke into
Turn on my proxy and all doubt will be removed. There must be
50 ways to inject your SQL
50 ways to inject your SQL

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

He said our application is secure against your kind
There are no simple vulnerabilities to find
I said your coders write their code like they are blind, there must be
50 ways to inject your SQL

He said our logs show unexpected funds were sent
It’s probably time we started using Prepared-Statements
I said I’m glad you’re seeing what I meant, there were
50 ways to inject your SQL
50 ways to inject your SQL

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

3 Comments

  1. Thanks for this great moment of pure geeky music 🙂 Did you write it inspired by the “50 ways to defeat your xxx” written by Fred Cohen,
    ( http://all.net/journal/50/index.html )
    the “father” of the word “virus”? Or is it a complete hazard?
    If it is… well, send him the text… I’m sure he’ll appreciate it 😮
    Regards

    1. I was inspired by Paul Simon. Fred doesn’t sing (though it’s arguable that I don’t either) 🙂 I don’t actually have “50 ways” to do anything, anyways. It’s not instructive like Fred’s text.

  2. Pingback: Bruno Kerouanton » 50 Ways to Inject Your SQL
