Lesson learned
Exploit database error to leak users table informations ( writeup )
Eslam Salem Mahmoud

I would draw some different lessons learned. The core issue here is that the arguments coming from the search dialog were not verified before they were passed to the SQL query.

Another problem appears to exist with the SQL query processing.

In Java, when a PreparedStatement is used for an SQL query, the query text is parsed and compiled by the database before any user-supplied values are bound. SQL injection does not work through the bound parameters, because each parameter is handed to the engine as a literal value and is never re-parsed as part of the SQL syntax. This only holds when the user input actually goes into the parameters: a query assembled by string concatenation and then handed to a PreparedStatement is just as injectable as a plain Statement.

Frameworks like Hibernate also rely on prepared statements (parameter binding) to avoid SQL injection. The same caveat applies there: an HQL or native query built by concatenating user input into the query string is still injectable; the protection comes from binding the value as a named or positional parameter.
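The mechanism described in the two paragraphs above, shown side by side as an added example (not code from the writeup or from any project it mentions). The page discusses Java/JDBC and Hibernate; this stand-in uses Python's standard-library sqlite3 module, where `execute(sql, (term,))` is the same parameter binding a JDBC PreparedStatement with setString performs. The users table, its rows and the search terms are constructed for the demonstration, and the hashes are placeholders.

```python
import sqlite3

# Constructed sample data (not from the writeup): a small users table of the
# kind an injectable search box can be made to dump. Hashes are placeholders.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "$2b$12$fakehashA"),
    (2, "bob", "bob@example.com", "$2b$12$fakehashB"),
]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Search-dialog input spliced into the SQL text: the mistake the writeup found.

    Whatever the user typed becomes part of the statement the database parses,
    so quotes, OR, UNION and comment markers are all interpreted as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_prepared(conn, term):
    """Same search with the value bound as a parameter.

    This is the sqlite3 equivalent of a JDBC PreparedStatement plus setString:
    the statement text is fixed and compiled first, and the bound value is
    handed to the engine as data, never re-parsed as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (term,)).fetchall()


def probe(search_fn, conn, term):
    """Run a search and report either the rows or the database error text.

    The error branch is the other half of the original finding: a verbose
    database error echoed back to the client reveals the query structure.
    """
    try:
        return ("rows", search_fn(conn, term))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    payloads = [
        "alice",                                             # normal search
        "'",                                                 # breaks quoting: DB error
        "' OR '1'='1",                                       # tautology: every row
        "' UNION SELECT username, pw_hash FROM users --",    # leak another column
    ]
    for p in payloads:
        print(repr(p))
        print("  concatenated:", probe(search_vulnerable, db, p))
        print("  prepared    :", probe(search_prepared, db, p))
```

Run it and compare the two columns: the concatenated version errors out on a lone quote, returns every row for the tautology and returns password hashes for the UNION payload, while the prepared version simply finds no user named `' OR '1'='1` and returns nothing. Input validation on the search dialog is still worth adding, but it is defence in depth; parameter binding is what removes the injection.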
