Full walk-through of the room

https://youtu.be/hVjNjWePaRA

$book_name = $_GET['book_name'] ?? '';
$special_chars = array("OR", "or", "AND", "and" , "UNION", "SELECT");
$book_name = str_replace($special_chars, '', $book_name);
$sql = "SELECT * FROM books WHERE book_name = '$book_name'";
echo "<p>Generated SQL Query: $sql</p>";
$result = $conn->query($sql) or die("Error: " . $conn->error . " (Error Code: " . $conn->errno . ")");
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
...
..

What makes this code vulnerable?

bunabyte.com

Why this code is vulnerable

• User input is directly concatenated into the SQL query
• Once input enters the query string, SQL injection is already possible

Why str_replace makes it worse

• SQL is a grammar-based language, not a keyword list
• Removing words like OR, AND, UNION, SELECT does not change SQL logic

str_replace is:

- case-sensitive
- literal
- context-unaware

Attackers can bypass filters using:

- alternative operators
- comments
- encodings
- numeric logic
- functions and comparisons

🙅‍♂️The critical mistake

• User input is still placed inside quotes

WHERE book_name = '$book_name'

• The database still parses input as executable SQL
• Filtering inside a dangerous context does not make it safe

Additional security issues

• Echoing the SQL query leaks:

- table names
- column names
- filtering logic

• Displaying database errors gives attackers free reconnaissance


Here is the best‑practice version of that code

$book_name = $_GET['book_name'] ?? '';

$stmt = $conn->prepare(
    "SELECT * FROM books WHERE book_name = ?"
);

$stmt->bind_param("s", $book_name);
$stmt->execute();

$result = $stmt->get_result();

if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        // process result
    }
}

☕️ $stmt turns user input from code into data.

bunabyte.com
@bunabytecs

እንኳን አደረሳችሁ! መልካም የጥምቀት በዓል!

bunabyte.com

Buna Byte Resources Channel, You can find book files related to ethical hacking and cybersecurity in this channel.

👉 here: @hacker_habesha

Are you ready to join today and tomorrow's cybersecurity foot soldiers?

picoCTF-Africa 2026 is back! Bigger, better and upto 80 students to be awarded!

Join our picoCTF-Africa prep info session
📅 24 January
⏰ 11 am Rwanda time ( convert time to your own country )
⛓️‍💥  bit.ly/picoCTF2026

Registration for the CTF opens on 1 February 2026, so get ready.
Competition runs 9 - 19 March 2026

stay alert. protect your accounts. share this with a friend

https://www.instagram.com/p/DTxI73ZDAS2/?igsh=MWlzYWgwbTZ1c3UyMA==

#Buna_Qurs

The original definition of hacking, emerging in the 1950s-1960s at MIT’s Tech Model Railroad Club, referred to

creative, skillful, and often playful modification of technical systems to improve them or make them function in new, unconventional ways.

@bunabytecs

⚡️ Buna Byte Academy is coming.

We are building a focused learning space for:
• Hands-on cybersecurity labs
• Expert-led training
• Structured paths for real-world skills

The waitlist is now open.

Join early to get launch updates, early access, and exclusive opportunities reserved for first members.

👉 Join the waitlist: academy.bunabyte.com

#Cybersecurity #Learning @bunabytecs

BBJST Buna Byte Junior Security Tester Course Batch 04 is coming....👨‍💻👩‍💻

A
R
E

Y
O
U

R
E
A
D
Y
❓

🌐: bunabyte.com
☎️: +251923167274
✉️: info@bunabyte.com

#BBJST@bunabytecs

THE LONG AWAITED ANNOUNCEMENT IS HERE 🔥

​The most intensive Cybersecurity training in Ethiopia BBJST Batch 04 is officially open for registration. 🛡💻

​You’ve been asking for it. Now it’s here. This is your chance to stop being a spectator and start becoming a Junior Security Tester.

​Why now?

✅ High-demand skill set
✅ Practical, lab-based learning
✅ Limited seats for maximum focus

​Stop waiting for the "perfect time." The perfect time is now.

​🚀 REGISTER BEFORE SLOTS FILL UP: 👉 bunabyte.com/bbjst

@bunabytecs

🟣 The BBJST program is crafted for individuals with a passion for technology and security but who lack formal experience.

We strip away the complexity and focus on actionable, real-world skills used by penetration testers every day.

Register here: bunabyte.com/bbjst

#BBJST@bunabytecs

🪫Slides don’t make security testers.

Practice does.

BBJST focuses on hands-on labs, real-world attack scenarios, and beginner-friendly guidance to help you build actual security skills, not just knowledge.

Learn cybersecurity the right way.
🔗 bunabyte.com/bbjst

Who Should Join BBJST? 🤔

✅ Absolute beginners
✅ IT students
✅ Career switchers
✅ Curious ethical hackers

Learn cybersecurity the right way.
🔗 bunabyte.com/bbjst

Only 3️⃣ Days Left! Don’t Miss Out!
⚡
Become a Buna Byte Junior Security Tester and kickstart your cybersecurity journey. 🔐

What you’ll get:
🛡 Hands-on hacking experience
🛡 Insider tips from industry pros
🛡 Certificate that stands out

Time is running out⏰

Registration closes in just 3 DAYS!
Secure your spot now before it’s too late limited seats available.

✅ Don’t be the one who hears about it later… be the one who gets ahead today.

https://bunabyte.com/bbjst

@bunabytecs

Only 2️⃣ DAYS LEFT
BunaByte Junior Security Tester (BBJST) Registration is about to close 🔒

Gain skills in:
✅Ethical Hacking & Cybersecurity Basics
✅Linux & Windows for Hackers
✅ Network Security & Cryptography
✅ Web & System Hacking
✅ Social Engineering Defense

https://bunabyte.com/bbjst

@bunabytecs

ONLY 1⃣ DAY LEFT ALERT!⏰
Registration for BunaByte Junior Security Tester (BBJST) closes tomorrow ⏳

Do you know? 👀

➡️ Cybersecurity experts and Bug Bounty Hunters are some of the most in-demand and highly paid tech professionals today.

➡️ Companies worldwide are desperate for skilled testers who can secure their systems.

This is YOUR chance to step in.😉

https://bunabyte.com/bbjst

@bunabytecs