It’s a common misconception that you will get the first record when adding LIMIT 1 to a SELECT statement. You will get 1 record, but unless you specify the ORDER BY, it’s up to the database to provide you with any record.
Yeah, recently had that at work. Postgres for example orders by an internal row named "ctid" by default. Thats the location of the row within the table. I initially thought the ctid would only change when a row is updated. My usecase was to store data from the last x days in the table and never update rows, but just add new ones and delete old ones with a cron trigger. I then discovered that ctid can change, even if the rows are not updated. Postgres sometimes automatically runs a "vacuum" (cleanup) that frees up space after rows are deleted. That can change the ctids of the existing rows even tho they are not updated. I then added a real index number to sort the rows for each day
The reason it always expects you to use id='0' or just '' is because you have to remove the original query's output to make your added result the first row. In a real-world situation, only the first row is returned as the article content on the web page. Subsequent rows are ignored. So they made that form look like a browser window.
dont know about the guys mentioned but i would personally find it funny if randomly after multiple years of career an expert would tweet that they just finished the beginners course.
@DavidAlvesWeb I didn't say that, funny doesn't mean bad. Funny means funny, if you have trouble with the definition I suggest going to elementary school before using TH-cam.
i just started watching your videos couple weeks ago and it's really making me want to learn how to code or program but I feel dum XD but want to learn
If anyone is learning SQL from this please note that from a developer perspective, at least with MySQL, LIMIT 1 OFFSET 1 is the proper way to perform pagination since it's far more expressive than LIMIT 1,1
As another poster pointed out, you kept getting answers occasionally wrong because you would return article data in those attempts in the first row. The faux web page was only showing the first row, so you were not showing any secret data at all. To remove the article data being returned you need to set id to a non-match, such as 0 or empty string, anything but 1 in this case.
2:08 in that video shot i thought it was a man with a loud print shirt sitting in front of a table. then i later realised there is a laptop right there. 😂 the print in the laptop almost makes it camouflaged... that would be funny to make laptop skins that match tshirts you are wearing and coordinate your outfit with your laptop.
Hey @John Hammond, I remember there was a CTF making competition where we can submit our challenges and they will be reviewed and awarded later. I created one challenge and submitted but never heard back ?? Im curious what happened?
Is it just me or is SQL a bad language that's easy to exploit in this manner? These exploits seem so obvious that it's criminal they're even possible to begin with
It’s a common misconception that you will get the first record when adding LIMIT 1 to a SELECT statement. You will get 1 record, but unless you specify the ORDER BY, it’s up to the database to provide you with any record.
Yeah, recently had that at work. Postgres for example orders by an internal row named "ctid" by default. Thats the location of the row within the table. I initially thought the ctid would only change when a row is updated. My usecase was to store data from the last x days in the table and never update rows, but just add new ones and delete old ones with a cron trigger. I then discovered that ctid can change, even if the rows are not updated. Postgres sometimes automatically runs a "vacuum" (cleanup) that frees up space after rows are deleted. That can change the ctids of the existing rows even tho they are not updated. I then added a real index number to sort the rows for each day
Good to know!
The reason it always expects you to use id='0' or just '' is because you have to remove the original query's output to make your added result the first row. In a real-world situation, only the first row is returned as the article content on the web page. Subsequent rows are ignored. So they made that form look like a browser window.
Yes, I'm surprised he didn't get this to explain it better. Showing the actual query results were hindering him from teaching the lesson actually.
Just being very blunt and honest here. US $80 for a single module is quite an ask.
Nooo, that’s for the whole course which includes the SQLi module , and there’s a 50% discount.
dont know about the guys mentioned but i would personally find it funny if randomly after multiple years of career an expert would tweet that they just finished the beginners course.
what's wrong with that? shouldn't we revisit the fundamentals every once in a while? it's always nice to get a refresher on fundamental concepts!
@DavidAlvesWeb I didn't say that, funny doesn't mean bad. Funny means funny, if you have trouble with the definition I suggest going to elementary school before using TH-cam.
@@ai-spacedestructor Lmfao
we need merchs !! :D
quite a steep price, when compared to THM
I have tried to do so much courses but I haven't completed lets see from start
i just started watching your videos couple weeks ago and it's really making me want to learn how to code or program but I feel dum XD but want to learn
Don't feel dumb. Just get started. It just takes time to learn, but you can do it! I promise!
If anyone is learning SQL from this please note that from a developer perspective, at least with MySQL, LIMIT 1 OFFSET 1 is the proper way to perform pagination since it's far more expressive than LIMIT 1,1
far less
As another poster pointed out, you kept getting answers occasionally wrong because you would return article data in those attempts in the first row. The faux web page was only showing the first row, so you were not showing any secret data at all. To remove the article data being returned you need to set id to a non-match, such as 0 or empty string, anything but 1 in this case.
You have a typo on the instructions of part 7 - "in descening order", missing the "d" in "descending"
2:08 in that video shot i thought it was a man with a loud print shirt sitting in front of a table. then i later realised there is a laptop right there. 😂 the print in the laptop almost makes it camouflaged... that would be funny to make laptop skins that match tshirts you are wearing and coordinate your outfit with your laptop.
Hahaha, that’s me, I never noticed until now that it does blend in a little too much haha😂
At 2:03 the leaderboard icon is the same as the logo of gemairo
I missed this kind of content keep it up Hammond this is refreshing to watch🎉
OHH John hammond I never thought u didn't knew password is first encrypted and then saved to the database
Depends on the implementation?
@@nordgaren2358 I mean it's best practice though it's even in the OWASP
Please take us through the last test in another video please
You guys are GANGSTA!
Hey @John Hammond, I remember there was a CTF making competition where we can submit our challenges and they will be reviewed and awarded later. I created one challenge and submitted but never heard back ?? Im curious what happened?
24:24, any Missouri government work..
does owasp and asvs help as std? or there any better way
Will prepared statements protect from this?
Nice bro
John my favorite cyber security person, you the GOAT
I got 2 questions:
how much does it cost to make it from start to finish
Does it teach from total noob to certified expert
Nice
Seeing no backticks is testing my OCD 😏🤪
We ned merch
Nice!
We ned merch😊
My brother what is that UI 😢
Careful looking up Little Bobby Table’s user info by name. ;)
Can I help with this UI, it needs help lol
Is it possible to ban unions? That would solve some problems.
enroll is spelt wrong at 1:53. it is spelt enrol
Both are acceptable spelling
In the U.K it’s usually enrol, we fought about this one haha😂
❤
HELLO "FRIEND" !! 🤣🤣🤣🤣
Just sproc all the things.
"new"?
That AI generated image as the thumbnail looks terrible.
Is it terrible because it’s AI or terrible because it’s terrible
@@chemicalvideobee2993 terrible because its terrible mostly. Could be biased tho
I think he fixed it, it's just code now
@@mrp6k490 poor John took your comment personally and replaced the thumbnail with SQL queries 😭
@@DetectiveNoir_ hey, only super honest feedback over here ;)
Bro I love it❤
😃👍
SQL Injection
Hi
Is it just me or is SQL a bad language that's easy to exploit in this manner? These exploits seem so obvious that it's criminal they're even possible to begin with
First