💬 Workshop Chat — share messages and code snippets live. Ask the host for the PIN or scan the QR code on the beamer.
Join Chat
🚀 Ready to test? Open the PHP sandbox to run your code without any local setup.
Open OneCompiler

Challenge 1: The Copilot's Query

Team Hack

Goal: Extract the admin_password from the system_config table.

The AI assistant generated this "secure" query by trying to filter single quotes. Can you bypass its naive protection using UNION?

Copy
<?php
// --- SIMULATED INPUT ---
$userId = "1"; 
// -----------------------

$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INT, username TEXT, role TEXT)");
$db->exec("CREATE TABLE system_config (config_name TEXT, config_value TEXT)");

$db->exec("INSERT INTO users VALUES (1, 'alice', 'user')");
$db->exec("INSERT INTO system_config VALUES ('admin_password', 'FLAG{AI_HALLUCINATED_SECURITY}')");

// AI SUGGESTION: "I'll remove quotes to prevent SQL injection!"
$userId = str_replace("'", "", $userId);

// VULNERABLE CODE
$query = "SELECT username FROM users WHERE id = " . $userId;
echo "Executing: $query\n\n";

$result = $db->query($query);

if ($result) {
    foreach ($result as $row) {
        echo "Result: " . $row['username'] . "\n";
    }
}

Team Fix

Goal: Replace the AI's "hand-rolled" filter with a professional solution.

The AI's str_replace attempt is useless against numeric-based SQL injection. Use real Prepared Statements.

Tip: Use $db->prepare() and bind parameters correctly.

Copied to clipboard!