Ok, musically, I’m not going to comment. Really.
But the content of the song isn’t that bad.
Lyrics:
I see your input’s not validated properly
You have to check it at all tiers: 1, 2 and 3
Give me a browser and quite soon you will agree. There must be
50 ways to inject your SQL

You see it really is my business to intrude
The CTO wants to see this web app broke into
Turn on my proxy and all doubt will be removed. There must be
50 ways to inject your SQL
50 ways to inject your SQL

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

He said our application is secure against your kind
There are no simple vulnerabilities to find
I said your coders write their code like they are blind, there must be
50 ways to inject your SQL

He said our logs show unexpected funds were sent
It’s probably time we started using Prepared-Statements
I said I’m glad you’re seeing what I meant, there were
50 ways to inject your SQL
50 ways to inject your SQL

Break the syntax, Max
Use a backslash, Cash
Try command shell, Mel,
And change the query

Use “one equals one,” son,
Unhandled exception!
Read the stack trace, ace
and change the query

Try a quick hack, Jack
Add a new row, Joe
Try an insert, Kurt
Change their SQL query

Evade the regex, Rex
Encode it all in hex
Unbalance the quotes, Vinod
And change the query
Alex Eckelberry (via Cedric)