How Are QR Codes Hacked? SQL Injections

To know that and more about how QR codes work, their vulnerabilities, and how hackers can use them as their tool, watch the video right now!

#qrcode #qrcodes #hacking #hackers #sumsub

00:00 Intro
01:02 What is a QR code?
02:59 Who are we?
04:19 How does the QR code work?
08:06 What can a hacker do?
09:58 How does a hacker act during an attack
11:43 Conclusion

Sumsub — empowering compliance and anti-fraud teams to fight money laundering, terrorist financing, and online fraud.

More about us:

Comments

Who scanned all the QR codes? What's your fav? Drop the meme

Sumsubcom

wouldn't the devs be able to use parametrized queries or validate user input? can't they compare only the id and get the price from the db? and can't the qr codes be encrypted?

oussama

Also prices come from the database, as they may change, the qr code doesn't need to change nor should it contain the price, no database designer would include the price in the qr code allowing an attacker to change the price or even change the behavior. It's programming madness. no one would be so stupid to allow this.

bjtaudio

Input sanitization? This video makes no sense.

aw_dev

My understanding is a qr code is used as a simple id code for a product, nothing else. As it is used to just identify just one item from a list of valid products from your database, if any other code including sql injection is attempted it would not work as your system simply will not use it, it just is looking for the product id and that is it. It would be stupid to design or allow a qr code to include sql code, to change critical database behavior, if it is attempted, it should be ignored, or come up with an invalid code error.

bjtaudio
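
The defence the commenters above describe (oussama's parameterized queries and input validation, bjtaudio's ID-only lookup that answers anything else with an invalid-code error) looks like this next to the concatenated query it replaces. This is an added example, not code from the video or from any commenter; the table and column names, the SKU format and both scanned payloads are constructed assumptions.

```python
import re
import sqlite3

# Constructed product-code format (assumption): short upper-case IDs only.
SKU_FORMAT = re.compile(r"[A-Z0-9-]{1,16}")

# Constructed scan results: a normal product code and a tampered QR payload.
GOOD_SCAN = "TV-0001"
TAMPERED_SCAN = "x' UNION SELECT 'Television', 1 --"


def make_db():
    """Build a constructed in-memory catalogue; the price lives only here."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("TV-0001", "Television", 49900), ("MILK-01", "Milk", 129)],
    )
    return db


def lookup_concatenated(db, scanned):
    """Weak form: the scanned text becomes part of the SQL statement itself."""
    sql = "SELECT name, price_cents FROM products WHERE sku = '" + scanned + "'"
    return db.execute(sql).fetchone()


def lookup_parameterized(db, scanned, validate=True):
    """Hardened form: allow-list the format, then bind the value as data."""
    if validate and not SKU_FORMAT.fullmatch(scanned):
        raise ValueError("invalid product code")
    return db.execute(
        "SELECT name, price_cents FROM products WHERE sku = ?", (scanned,)
    ).fetchone()


def scan(db, scanned):
    """Checkout-side wrapper: return the catalogue row or the rejection reason."""
    try:
        return lookup_parameterized(db, scanned)
    except ValueError as err:
        return str(err)
```

With `validate=False` the bound query still treats the tampered payload as an unknown product code and returns no row, so the format check is a second layer on top of the binding, not a substitute for it.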

what is this video??? this does not make sense in at least shopping scenario, and likely for others.
Why take QR payment for example? items in the stores are coded in standardized barcode, with only what item that is supposed to be, price data is in the POS system that asks for the price to DB. there is no way malicious actor can change price with QR code.
also payment processors know these risks, so the payment authorization QR has 2 types.
one where customer scan the store code and send the amount, which requires customer to show how much they send (apps prompt to show it to clerk) or the opposite, the store scans for your barcode with your UserID, again, not a QR, then the store system asks for the processing for said amount, the result will show up on customer's device.
also if there are funny businesses, the payment will just error out like credit card gets rejected.

don't get me wrong, SQL injection can be still possible if the system were configured in such a way so QR contains value that shouldn't be altered.
But that kind of configuration needs to be configured per-store, per-item basis. so normal POS system with compatibility with payment processor is pretty safe from these kind of attacks.
it will like I said, will reject the payment or error out.


I think you are out of touch, and there were several mistakes in the video. at least 5.
Your videos are usually very good but not this one.

petertrex

Well idea is cool but almost all stores use bar code not qr codes

exe

Well done taking the time with the QR thumbnail

aaronrdaniels

That is definitely one good quality video that got me stuck to the screen wondering how. I'm a programmer and still I haven't heard of that before

criticalgrower

Always wear white gloves to type stealthily on the keyboard guys ...

SALTINBANK

Dude, your videos are usually great, but you are out of touch here. 100%.

hixe

What do I do if I have a link to my website attached to a QR code? Right now I want to put it on all of the print material (postcard and business card sized adverts) and put it where I can (ex. Coffee Shops, Gyms, Local stores). I get the feeling that this is a bad idea, and I'd like to know what I can do instead of this. I'm open to SERIOUS suggestions.

mhmrules

"An sql query is an entire language" ... What?
ima head out. No one has been susceptible to sql injection in years, unless you have edit rights to a database, you aren't changing a thing in the database and QR codes are single data points well outside the perimeter of injecting sql. They are almost always a url nowadays. You won't have table names, credentials to get into any database or anything because no one does this with QR codes, and no decent company will be this dumb on this many levels.
This video is clearly fearmongering piggybacking disinformation in order to plug a business. That's an unsub from me.

goofballbiscuits

Your video had me on the edge of my seat, like waiting for a breath of fresh air!
Your content is truly the pinnacle of excellence, and I always find myself eagerly anticipating each new release.

tiojoe_

I find that QR codes are typically just things like URLs or user names/ids/addresses; such as the case with COVID-19 vaccination QR codes. Seems a lot harder to hack the typical sort of uses like that. In theory injection could still be done, but only if there was no sanitation, and typical cases like URL accessers ("browsers") and apps that use user ids or what-not all have sanitation in them already, not required for the users/businesses to ever set up.

MsHojat

me trying to scan all Qr codes showed in the video 💀

jubair

Interesting, Only if the cashier gets suspicious that a guy buys a TV for 0.01

hugovalters

This video is fiction! Check out systems don't work that way! The price can't be changed by the QR code because the price is stored in the database which the scanning terminals only have read only access. Forget SQL injection because the data is always sanitised. At best, all you will get are errors if you dare scan a dodgy QR code and hopefully, it will trigger a store alarm in a secure environment! 😊 Also some cool self check out systems also have a scale to measure the total weight of items you checked out to ensure the weight corresponds with the weight of the items saved in the database. Forget about it.

rotechs

bro thinks we're living in 2010, grocery stores aren't that stupid bud, everybody sanitizes their sql queries or uses some olm nowadays...

sierragutenberg

Excellent video, I hope to recommend more!

HESHUI-gk