I am become the avenger 🦹
Today I was working on some code that responds to HTTP requests by looking stuff up in a database. It went a bit like this.
```java
// The lookup as it stood: userInput is spliced straight into the SQL text,
// so any quote characters in it become part of the query's structure.
String getCurrency(String userInput) {
    return executeQuery(
        "select ccy from Foo where Bar = '" + userInput + "'"
    );
}
```
Well, it certainly looked like unsanitised input text, so I gave it a go. First attempt, I got all the currencies in the table, to my surprise and delight. Second attempt, I changed the name of something else in another unrelated table. It was only a test system, but I felt deliciously naughty.
I fessed up to my colleagues, who thought that we should fix it. Well, maybe. It's not public-facing (or we'd have found out about it years ago). And as dodgy as this particular bit of code is, I bet there are dozens of other equivalent examples. For now, I'm content for you to know me as someone who has dabbled with the forces of darkness.
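To make the problem and its fix concrete, here is an added example (not code from the original post, and not the system it describes). It rebuilds the post's `Foo` table in an in-memory SQLite database with a few constructed rows, reproduces the string-concatenated lookup, and places the bound-parameter version beside it. The table contents and the column names beyond `Bar` and `ccy` are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
SAMPLE_ROWS = [
    ("acme", "GBP"),
    ("globex", "USD"),
    ("initech", "EUR"),
]


def make_db():
    """Build an in-memory table shaped like the post's Foo (Bar, ccy)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Foo (Bar text, ccy text)")
    conn.executemany("insert into Foo values (?, ?)", SAMPLE_ROWS)
    return conn


def get_currency_unsafe(conn, user_input):
    """Mirrors the post's code: the input is spliced into the SQL text, so
    quote characters in it become part of the query structure."""
    sql = "select ccy from Foo where Bar = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def get_currency_safe(conn, user_input):
    """Hardened form: a bound parameter is always passed to the engine as a
    string value, never parsed as SQL, whatever characters it contains."""
    sql = "select ccy from Foo where Bar = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def demo():
    """Run both lookups with a normal key and with the classic tautology
    input that turns the WHERE clause into 'always true'."""
    conn = make_db()
    benign = "acme"
    hostile = "' or '1'='1"
    return {
        "benign_unsafe": get_currency_unsafe(conn, benign),
        "benign_safe": get_currency_safe(conn, benign),
        "hostile_unsafe": get_currency_unsafe(conn, hostile),  # every row
        "hostile_safe": get_currency_safe(conn, hostile),      # no match
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The concatenated version returns every currency for the hostile input, which is exactly the "all the currencies in the table" result described above; the parameterised version returns nothing, because the whole string is compared against `Bar` as a literal. Note that SQLite's `execute` refuses a second stacked statement, so the "changed something in another table" outcome needs a driver or API that allows multiple statements per call; the fix is the same either way.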
Now, let me introduce you to my kid, little Bobby Tables,