SQL Injection Fail
The following snapshot was taken from a Norwegian company database registration.
Check out the second line below the numbers: it is ';UPDATE TAXRATE SET RATE = 0 WHERE NAME = 'EDVIN SYSE'.
What that line was supposed to do was change the tax rate to 0 for any company named “EDVIN SYSE”, hehe. It is a classic SQL Injection hack, and my guess is that company registrations are done online over there. The person registering that company thought he could escape tax with a little hack.
Well, good programming by the site sanitized the string, and now his attempt is stored for all to see.
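How a registration form can end up storing that name as plain text is shown in the following added example, which is not code from the registry or from this post. It uses Python's sqlite3 with a constructed schema (the COMPANY table, the 28.0 rate, the function names and the use of plain ASCII quotes in the name are all assumptions) and contrasts a concatenated INSERT with a bound parameter.

```python
import sqlite3

# The company name from the page, written with plain ASCII quotes (assumption).
NAME = "';UPDATE TAXRATE SET RATE = 0 WHERE NAME = 'EDVIN SYSE'"

def make_db():
    """Constructed stand-in for a registry; COMPANY and the 28.0 rate are made up."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE COMPANY (NAME TEXT);"
        "CREATE TABLE TAXRATE (NAME TEXT, RATE REAL);"
        "INSERT INTO TAXRATE VALUES ('EDVIN SYSE', 28.0);"
    )
    return db

def register_concat(db, name):
    """Weak form: the name becomes part of the SQL text itself."""
    sql = "INSERT INTO COMPANY (NAME) VALUES ('" + name + "')"
    try:
        db.execute(sql)
        return "stored"
    except sqlite3.Error as exc:
        # The quote in the name ended the string literal early, so the
        # parser saw different SQL than the developer wrote.
        return "sql error: %s" % exc

def register_bound(db, name):
    """Corrected form: the name travels as a bound parameter, never as SQL."""
    db.execute("INSERT INTO COMPANY (NAME) VALUES (?)", (name,))
    return "stored"

def stored_names(db):
    """Return every registered company name in insertion order."""
    return [row[0] for row in db.execute("SELECT NAME FROM COMPANY ORDER BY rowid")]

def tax_rate(db):
    """Return the constructed tax rate row, to show it is never modified."""
    return db.execute("SELECT RATE FROM TAXRATE WHERE NAME = 'EDVIN SYSE'").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(register_concat(db, "SYSE DATA AS"))  # ordinary name: works
    print(register_concat(db, NAME))            # quoted name: statement breaks
    print(register_bound(db, NAME))             # stored verbatim as data
    print(stored_names(db), tax_rate(db))
```

The concatenated version passes any test that uses ordinary names, which is why this kind of flaw tends to go unnoticed until a name contains a quote.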
Anyway, here’s a cartoon from xkcd to accompany this story.
UPDATE 27 Apr 2009
So this is not actually a failed attempt at SQL Injection; here’s an explanation from the people supposedly responsible for the company’s name. Though I don’t really understand them :P
In 1999 Syse Data was converted to a limited liability company, and has since been trading under the name Syse Data AS. As the names are so similar, searches for our company in the official Norwegian registry of just-about-anything (Brønnøysundregistrene) often resulted in potential customers looking up the wrong company. To prevent this confusion we recently changed the name of the old (non-LLC) company, and figured we’d use the opportunity for some harmless – or so we thought – fun.
The old company was renamed to:
';UPDATE TAXRATE SET RATE = 0 WHERE NAME = 'EDVIN SYSE'