You might read the title and be confused: how can search be deadly? Well, it can, especially if you do it wrong. In this article we will discuss SQL injections and why I’ve procrastinated adding search to the remake (although it is highly likely to be in the release version).
SQL is a query language for interacting with databases: you can create, read, update, or delete data. Now imagine you’re on a login page: you enter your username and password, click submit, and you’re logged in. That’s cool and all, but what actually happens? SQL is the answer. Pretend your username is Stanley427 and your password is City17; the SQL query might look something like this:
SELECT * FROM users WHERE username = 'Stanley427' AND password = 'City17'
This checks the users table for a user with that name and that password; if there is one, it logs you in, which is perfectly intended behavior. But this can be easily exploited: what happens if admin' -- is entered into the username box? In SQL, -- starts a comment, meaning the rest of the line is ignored. The query then becomes:
SELECT * FROM users WHERE username = 'admin' --' AND password = ''
Now if there is a user named admin, you’re logged in without a password (because the comment skips the password check).
Because this is so dangerous, most sites NEVER let a user’s input be directly used in a SQL query. And it’s very easy to prevent, so why haven’t I added a search? I’m just worried that I’ll forget something upon release and be hacked in 30 seconds. Better safe than sorry.
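As an added example (not code from this site or its remake), the Python sketch below uses the standard sqlite3 module to run the article's login query two ways: built by string concatenation, and with bound parameters. The table contents, function names and the search helper are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords only mirror the article's query; real sites store hashes.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "s3cret-admin-pw"), ("Stanley427", "City17")])
    return db

def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, as in the article's example."""
    sql = ("SELECT * FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    """Passes input as bound parameters, so quotes and -- are treated as data."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def search_safe(db, term):
    """Search-box version: bind the term and escape LIKE wildcards as well."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
           "ORDER BY username")
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]

if __name__ == "__main__":
    db = make_db()
    # The username from the article, with an empty password.
    print("concatenated query logs in:", login_vulnerable(db, "admin' --", ""))
    print("parameterized query logs in:", login_safe(db, "admin' --", ""))
    print("search for 'stan':", search_safe(db, "stan"))
```

With bound parameters the database driver never parses the input as SQL, so the same username string simply fails to match any row.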
