Jon C. was planning to outsource a very simple order tracking system. He interviewed many prospects, each more hopeful than the last. He viewed samples of the websites they had built, and picked the one he liked the best. Jon then commissioned the job for his order tracking system to a local developer.
Upon delivery, Jon discovered that the email notification function didn't work, so he glanced at the code to see if he could identify the problem. Before Jon got that far, he discovered this on the login page:
sql = "SELECT * From tblUsers Where UserName ='" & textBoxUserName.Text & "' and UserPW = '" & textBoxPassword.Text & "' "
Every query in the project was built the same way, so Jon discussed this with the developer and gave him a proof-of-concept hack to demonstrate that you could use this code to log in as any user or accomplish any number of nefarious purposes.
The developer proposed the following fix:
Dim tempPassword As String, tempUserName As String
tempUserName = textBoxUserName.Text.Replace("'", "")
tempUserName = tempUserName.Replace("-", "")
tempUserName = tempUserName.Replace("@", "")
tempUserName = tempUserName.Replace(";", "")
tempUserName = tempUserName.Replace(":", "")
tempPassword = textBoxPassword.Text.Replace("'", "")
tempPassword = tempPassword.Replace("-", "")
tempPassword = tempPassword.Replace("@", "")
tempPassword = tempPassword.Replace(";", "")
tempPassword = tempPassword.Replace(":", "")
sql = "SELECT * From tblUsers Where UserName ='" & tempUserName & "' and UserPW = '" & tempPassword & "' "
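The proposed fix still splices the text box contents into the SQL string; it just deletes a handful of characters first, which also mangles any legitimate user name or password containing one of them. The actual fix is to keep the SQL text constant and pass the input as parameters. The following is an added example of that approach, not code from the article or from the developer in it; the connection string, the NVarChar column sizes and the module name are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

' Added example, not the article's code: a parameterized replacement for the
' login query. The connection string and column sizes are assumptions.
Public Module LoginRepository

    Public Function CredentialsMatch(connectionString As String,
                                     userName As String,
                                     password As String) As Boolean
        ' The SQL text is fixed at compile time; user input never becomes part of it.
        Const query As String = "SELECT COUNT(*) FROM tblUsers WHERE UserName = @UserName AND UserPW = @UserPW"

        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(query, conn)
                ' Typed parameters travel to SQL Server as data, so a quote,
                ' semicolon, '@' or '-' typed into the form is matched literally
                ' instead of being parsed as SQL. No Replace() scrubbing is needed,
                ' and a user named O'Brien can still log in.
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
                cmd.Parameters.Add("@UserPW", SqlDbType.NVarChar, 100).Value = password

                conn.Open()
                ' COUNT(*) comes back as an Integer in the first column of the first row.
                Return CInt(cmd.ExecuteScalar()) > 0
            End Using
        End Using
    End Function

End Module
```

Two points a reviewer would raise alongside this. First, the same change has to be made to every query in the project, since the article says all of them were built by concatenation. Second, the query, both in the original and here, compares the typed password directly against the stored UserPW column; storing and comparing passwords that way is a separate problem that parameterization does not address.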
That night, Jon learned a lesson about tech'ing out and hiring developers.