itsakettle

#11 | Crow’s Treasure API: A SQL Injection Attack

Crow, Sparrow and Owl atop a tree, the tallest tree for miles, a noble oak, snug in the crisp air.

Crow declares, “It will take many weeks to fly such a great distance and gather my haul. The most precious items I will hide, and some I will save for you, my friends. Your featherfone has all you need: just enter the code you agreed with me and fly to the secret locations that you see.”

>>

The sun burned through the morning clouds. Owl could feel the heat on his gliding wings and, as he approached the secret hiding place, he grew giddy thinking about what his friend Crow had left for him.

A note.

“Sorry, Owl, I couldn’t resist… Your friend, Sparrow.”

>>

Crow swooped down to the river and, gliding with the flow, let his feet scratch the water. As the arches of a stone bridge approached, he gained speed and, with a deep breath, rotated his wings and gave three big flaps to shoot upwards towards a gap in the limestone rock. Shillings, rattles, CDs, all hidden in this precious space.

No, a note.

“Sorry, Crow. Make sure to escape strings next time. Or, even better, use a parametrised query. See the code link above to avoid SQL injection in the future! Or use an ORM. Or next time don’t bother with the API and just send the locations over WhatsApp, that’s much simpler. Your friend, Sparrow.”
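What Sparrow’s note is pointing at, spelled out in code. This is an added illustration, not the code behind Crow’s API or anything linked from the post: it assumes a hypothetical `stash` table with a `code` and a `location` column, an in-memory SQLite database, and constructed sample rows. The vulnerable lookup splices the caller’s code into the SQL text, so a code like `' OR '1'='1` turns the `WHERE` clause into one that is true for every row and hands Sparrow all the locations. The escaped version doubles single quotes by hand, which blocks this payload but has to be remembered at every call site and only covers string contexts; the parametrised version sends the value separately from the query, so the driver never interprets it as SQL.

```python
import sqlite3

# Constructed sample data (not from the post): one access code per friend,
# each mapped to the stash location Crow chose for them.
STASHES = [
    ("owl-7c3", "limestone gap under the stone bridge"),
    ("sparrow-9a1", "hollow in the old oak"),
    ("crow-0f2", "river bank behind the reeds"),
]

# Payload the attacker types as their "code": closes the quoted string and
# appends a condition that is true for every row.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create the hypothetical stash table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stash (code TEXT NOT NULL, location TEXT NOT NULL)")
    conn.executemany("INSERT INTO stash VALUES (?, ?)", STASHES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, code):
    """String concatenation: the caller's input becomes part of the SQL text.

    For code == "' OR '1'='1" the statement sent to the database is
        SELECT location FROM stash WHERE code = '' OR '1'='1'
    which matches every row.
    """
    sql = "SELECT location FROM stash WHERE code = '" + code + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, code):
    """Manual escaping: double every single quote so the input cannot close the literal.

    This stops the payload above, but it is easy to forget at one call site,
    and it does nothing for non-string contexts (numeric columns, identifiers,
    ORDER BY clauses), which is why parametrised queries are the better default.
    """
    escaped = code.replace("'", "''")
    sql = "SELECT location FROM stash WHERE code = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parametrised(conn, code):
    """Parametrised query: SQL text and value travel separately.

    The placeholder is bound by the driver, so the value is compared as data
    and can never change the shape of the statement.
    """
    rows = conn.execute("SELECT location FROM stash WHERE code = ?", (code,))
    return [row[0] for row in rows]


def demo():
    """Run all three lookups with a legitimate code and with the injection payload."""
    conn = make_db()
    results = {}
    for name, fn in (
        ("vulnerable", lookup_vulnerable),
        ("escaped", lookup_escaped),
        ("parametrised", lookup_parametrised),
    ):
        results[name] = {
            "owl": fn(conn, "owl-7c3"),
            "attack": fn(conn, INJECTION_PAYLOAD),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} owl -> {outcome['owl']}")
        print(f"{name:13s} attack -> {outcome['attack']}")
```

Run it and the vulnerable lookup returns all three locations for the attack code while the escaped and parametrised lookups return nothing, because no row has a code equal to the literal string `' OR '1'='1`. Note that SQLite’s `execute` refuses stacked statements, so a `'; DROP TABLE stash; --` style payload fails here for a reason unrelated to the fix; on drivers that allow multiple statements the concatenated version would run it.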