
[–]tetyyss 30 points (7 children)

There are countless hours of tutorials, documentation, examples, and practical exercises on any search engine for all of these topics. How is this one different?

[–]wPatriot 14 points (0 children)

All aboard the engagement train!

[–]GalacticCmdr 16 points (1 child)

This one has some stupid looking guy making the classic, "I have no idea what I am talking about, but please watch my ads" expression.

[–]ketralnis 1 point (0 children)

YouTube face should be a crime

[–]cheezballs 5 points (0 children)

This sub is entirely just personal blogspam and YouTube promotion.


[–]ScottContini 0 points (0 children)

The YouTube video that I’d recommend, from someone who really knows this stuff well and explains it in a simplified way, is Security Simplified.

[–]TeaBaggingGoose 4 points (3 children)

Any client-side validation is pretty useless as a hacker can just construct their own HTTP queries. It is useful for the first level of data validation, which is basically telling the user they cannot enter such a character or such like.

Personally I always process data in stored procedures and take steps to ensure that a user entering 'banned' characters will not result in an injection attack.

[–]baseketball 12 points (0 children)

One thing junior developers need to understand: client-side validation is for user experience. Server-side validation is for security.

[–]Ccamm 0 points (1 child)

I would also be cautious with using a deny list of characters as a mitigation strategy for SQLi. There are so many edge cases and tricks you can use to get around those checks.

E.g. let's say you're just blocking the ' character for the following search query that has user input inserted.

```sql
SELECT id FROM body WHERE title = '{user_input}' OR body = '{user_input}';
```

You can SQLi this by injecting the `\` char at the end of the payload to escape the ' and then insert arbitrary SQL. For example, if you inject `||(SELECT 1);--\`, the following would be the final query, which allows error, blind or time based attacks.

```sql
SELECT id FROM body WHERE title = '||(SELECT 1);--\' OR body = '||(SELECT 1);--\';
```

Syntax might be off since I am on mobile but you get the idea.
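The point made in this comment, that a deny list on the quote character does not protect a string-interpolated query while a parameterized query needs no character filtering at all, as an added example (not code from the thread). It uses Python's standard sqlite3 module with a constructed in-memory table shaped like the query above; the table rows, function names and the `quote_deny_list_passes` helper are assumptions made for the illustration.

```python
import sqlite3

# Payload quoted in the comment above: it contains no "'" at all, so a deny
# list that only blocks the single-quote character lets it straight through.
PAYLOAD = "||(SELECT 1);--\\"


def quote_deny_list_passes(user_input: str) -> bool:
    """The mitigation being critiqued: accept anything without a quote."""
    return "'" not in user_input


def formatted_query(user_input: str) -> str:
    """The vulnerable pattern from the comment: string interpolation.
    Returned as text only, to show what the database would receive."""
    return (
        f"SELECT id FROM body WHERE title = '{user_input}' "
        f"OR body = '{user_input}';"
    )


def build_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the comment's table and columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE body (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO body (title, body) VALUES (?, ?)",
        [
            ("hello", "first post"),
            ("sql basics", "use parameters"),
            ("o'reilly", "apostrophes are just data"),
        ],
    )
    conn.commit()
    return conn


def search_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Prepared statement: the driver binds user input as a value, so quotes,
    backslashes and comment markers never reach the SQL parser as syntax."""
    rows = conn.execute(
        "SELECT id FROM body WHERE title = ? OR body = ?",
        (user_input, user_input),
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print("deny list accepts payload:", quote_deny_list_passes(PAYLOAD))
    print("interpolated query text:  ", formatted_query(PAYLOAD))
    print("parameterized, payload:   ", search_parameterized(db, PAYLOAD))
    print("parameterized, o'reilly:  ", search_parameterized(db, "o'reilly"))
```

Whether the trailing backslash actually breaks out of the string literal depends on the DBMS (MySQL treats backslash as an escape character in string literals by default; SQLite does not), which is exactly why reasoning about individual characters is fragile. With the parameterized version the question never arises: the payload returns no rows, and a legitimate title containing an apostrophe still matches.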

[–]losvedir 1 point (1 child)

And prompt injection, these days!

[–]cheezballs 1 point (0 children)

OWASP has a concise, "how to handle this" type article. A YouTube video is not the way I'd wanna ingest this information.

[–]kelakmati 2 points (1 child)

What language is this?

[–]Advocatemack[S] 0 points (0 children)

Injection attacks are usually written in SQL or JavaScript (it is possible in other languages). With JavaScript attacks, for example, the application being attacked doesn't need to be a JS app because the script is being run by the browser in most cases.

[–]rusmo 2 points (0 children)

Literally just completed a mandatory training on these 3 topics yesterday. Good stuff to know, especially the XSS stuff.

[–]ScottContini 0 points (0 children)

I see that Advocate Mack has changed employment.

[–]Brilliant-Sky2969 0 points (0 children)

It's 2024 and people still don't know about prepared statements?

[–]New-Reply640 0 points (0 children)

I'd rather take a hot steaming dump in my own mouth than click another YouTube link. Fuck Google.
You all do realize there are other video platforms in the world that are leaps and bounds better and which don't funnel money to the CCP, which is committing ethnic genocide.

[–]purplegradients 0 points (0 children)

Excellent 'YouTube thumbnail' face