SQL Injection as a Feature
9 months ago
- #software-development
- #sql-injection
- #tech-horror-story
- The article describes the evolution of a poorly designed application that started as a simple report page and turned into an SQL Injection As A Service (SIAAS) over a decade.
- Initial commits show a standard report page with date range and keyword filters, which gradually transformed into a raw SQL query text box due to continuous feature requests.
- Developers added dropdowns for report types, leading to dozens of reports with confusing names, eventually moving to database-driven report names.
- A secret page was created for super admins to write custom SQL queries, which later replaced the original report page.
- Security measures were added that blocked INSERT, UPDATE, and CREATE statements, and query timeouts were introduced to manage slow queries.
- The author inherited the tool, discovered a critical flaw in table joins, and fixed a DELETE command issue before being unexpectedly escorted out of the company.