Http://thedailywtf.com/wtf?sql=WHERE id eq 857



  • Was browsing for Python testing resources when I stumbled across PyLint. Looks normal at first, but notice the URL in the address bar! WTF! Seems to me there are two things that could have happened here - either they copy directly from the URL into the database connection string, or they have invented an entire SQL-like URL query language.



  • Some observations:

    Any Y WHERE Y eid 857

    This works exactly the same.

    Any Z WHERE X eid 857

    This throws an error: logilab-astng #3291: failure of inference on overloaded operators

    http://www.logilab.org/ticket/3291

    Also try:

    http://www.logilab.org/view?rql=Any X WHERE X eid 856

    http://www.logilab.org/view?rql=Any X WHERE X cid

    http://www.logilab.org/view?rql=Any X WHERE X blah

    (seems to search comments for the word "blah" or whatever you put in there.)

    http://www.logilab.org/view?rql=First X WHERE X blah



  • It's maybe not quite as dumb as it may look. In fact, the site seems to actively endorse using the site this way:

    This site is not a content management system with items placed in folders. It is an interface to a relational database.

    They're even so nice as to provide the schema of their database.

    If they are that open about it, I'd assume they have proper rights management and other security mechanisms in place, so you can't mess anything up.

    Besides, apparently the queries are not in SQL but in "RQL", a language to query RDF-based datasets. There doesn't seem to be much information on the syntax though, unfortunately.
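    Added example (editor's note, not code from the thread or from logilab's site): the two comments above boil down to one defender's question - if you let a query language through a URL parameter, what does the server actually accept? The block below is a small allowlist validator for a constructed subset of the `Any X WHERE X eid 857` style queries quoted in the thread. The grammar, the relation allowlist, the `entities` table and the column mapping are all assumptions made for the example; they are not CubicWeb's real RQL parser or the site's schema. It accepts only single-variable read selections, rejects unbound variables (the `Any Z WHERE X eid 857` case), rejects relations outside the allowlist (the `X blah` case) and anything that is not an integer or quoted-string value, and then emits a parameterised SQL statement so that the user's values never get concatenated into the query text.

```python
"""Allowlist validator for a simplified RQL-style query subset.

Example code added for this thread; it is NOT logilab's or CubicWeb's RQL
parser. The grammar is a deliberately small subset (an assumption made for
the example), just enough to cover 'Any X WHERE X eid 857' style queries.
"""
import re
from dataclasses import dataclass

# Constructed allowlist: an assumption for the example, not the site's schema.
ALLOWED_RELATIONS = {"eid", "title", "content"}
MAX_RESTRICTIONS = 5
MAX_STRING_LEN = 64
MAX_QUERY_LEN = 512

_SELECT_RE = re.compile(r"^\s*Any\s+([A-Z])\s+WHERE\s+(.+?)\s*$")
_INT_RE = re.compile(r"^\d+$")
_STR_RE = re.compile(r'^"([^"\\]*)"$')  # no quotes or backslashes inside


class RQLRejected(ValueError):
    """Raised for any query outside the accepted subset."""


@dataclass(frozen=True)
class Restriction:
    subject: str
    relation: str
    value: object  # int or str after parsing


@dataclass(frozen=True)
class ParsedQuery:
    selected: str
    restrictions: tuple


def _split_restrictions(where: str):
    """Split on commas that sit outside double-quoted string literals."""
    parts, buf, in_str = [], [], False
    for ch in where:
        if ch == '"':
            in_str = not in_str
        if ch == "," and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if in_str:
        raise RQLRejected("unterminated string literal")
    parts.append("".join(buf))
    return [p.strip() for p in parts]


def _parse_value(raw: str):
    """Accept an integer or a short double-quoted string; reject everything else."""
    if _INT_RE.match(raw):
        return int(raw)
    m = _STR_RE.match(raw)
    if m and len(m.group(1)) <= MAX_STRING_LEN:
        return m.group(1)
    raise RQLRejected(f"unsupported value: {raw!r}")


def parse_rql(query: str) -> ParsedQuery:
    """Validate a URL-supplied query against the subset grammar."""
    if len(query) > MAX_QUERY_LEN or "\n" in query:
        raise RQLRejected("query too long or multi-line")
    m = _SELECT_RE.match(query)
    if not m:  # also rejects 'First X ...', INSERT/SET/DELETE style verbs, etc.
        raise RQLRejected("only 'Any VAR WHERE ...' selections are accepted")
    selected, where = m.group(1), m.group(2)
    restrictions = []
    for part in _split_restrictions(where):
        tokens = part.split(maxsplit=2)  # subject, relation, value
        if len(tokens) != 3:
            raise RQLRejected(f"malformed restriction: {part!r}")
        subject, relation, raw_value = tokens
        if subject != selected:  # single-variable subset: no unbound variables, no joins
            raise RQLRejected(f"unbound variable {subject!r}")
        if relation not in ALLOWED_RELATIONS:
            raise RQLRejected(f"relation {relation!r} not allowed")
        restrictions.append(Restriction(subject, relation, _parse_value(raw_value)))
    if len(restrictions) > MAX_RESTRICTIONS:
        raise RQLRejected("too many restrictions")
    return ParsedQuery(selected, tuple(restrictions))


def to_parameterized_sql(parsed: ParsedQuery, table: str = "entities"):
    """Build a parameterised statement; column names come only from the allowlist,
    user-supplied values travel as bound parameters. Table/column mapping is assumed."""
    clauses = [f"{r.relation} = ?" for r in parsed.restrictions]
    params = tuple(r.value for r in parsed.restrictions)
    return f"SELECT eid FROM {table} WHERE " + " AND ".join(clauses), params


if __name__ == "__main__":
    print(to_parameterized_sql(parse_rql('Any X WHERE X eid 857, X title "pylint"')))
```

    The point of the structure is that nothing from the URL reaches the database as query text: the verb, variable names and relations are matched against fixed patterns and an allowlist, and only parsed values are bound as parameters. A bare `X cid` restriction (no value) is rejected in this subset rather than being treated as a free-text search.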



  • @PSWorx said:

    If they are that open about it, I'd assume they have proper rights management and other security mechanisms in place, so you can't mess anything up.

    That's sad.

    ...

    LET'S TRY IT ANYWAY!!!



  • Word!

