exhibit · the threadlocked incident

The Hall of Shame

A guestbook once got sprayed with SQL injections, XSS payloads, and a few hundred messages calling one Arshdeep Singh a LARPER. Every single one of them did nothing. This is a museum of that nothing. The tables did not drop.

0 tables dropped · 0 scripts executed · 122 larper accusations survived
Exhibit A · SQL injection · did nothing
'; DROP TABLE guestbook; --

The query was parameterized, so this arrived as a string, not a command. It was stored as a normal guestbook message and admired.

Exhibit B · time-based blind SQLi · nothing slept
THREADLOCKED FLAVOUR — ABSOLUTE DOMINATION | '; SELECT pg_sleep(10); --

This one tries to make the database sleep for 10 seconds, the usual way to confirm a blind injection point when nothing is reflected back. The database did not hang. It did not even notice.

Exhibit C · auth bypass · nothing to bypass
' OR 1=1; SELECT threadlocked

A classic. Unfortunately there is no login on a guestbook, so there was nothing to log into. 1 does, in fact, equal 1.

Exhibit D · stored XSS · rendered as text
<img src=x onerror="window.__xss_hit=(window.__xss_hit||0)+1"> <script>window.__xss_script=1</script>

React escapes the strings it renders as text (unless you opt out with dangerouslySetInnerHTML, which this guestbook does not), so this showed up on the page as the literal characters you see above. No image errored. No script ran. window.__xss_hit remains undefined to this day.

Exhibit E · the main event · endured
ARSHDEEP SINGH FUCKING LARPER 122 FUCKER LARPER ARSHDEEP MOTHERFUCKER WE WILL FIND U 122 ARSHDEEP SINGH FUCKING LARPER 121 ... (see also: 120, 119, 118, 117, 116, 115)

One hundred and twenty-two numbered variations of the same accusation. Automated, sequential, committed. The larper was, in fact, found — he was right here the whole time, reading the logs.

how a hobby guestbook survived all of this

Row-level security on every table. Parameterized queries (the payload is always data, never code). Output escaped by default. A spam filter, a Cloudflare Turnstile check, and every attempt logged with its IP and user-agent. None of it was clever. It just wasn’t left open. Regards to the threadlocked webring. hi nisarga (allegedly 👀).
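Added example, not the guestbook's own code (the page does not show its implementation): the payloads from Exhibits A, B and D pushed through a naive string-built INSERT and through a parameterized one, plus the text escaping React applies on render, so the "data, never code" claim above can be checked rather than taken on faith. The `$1` placeholder convention, the `guestbook(message)` column and all helper names are assumptions.

```javascript
// Added example, not the guestbook's own code. It reconstructs the two things the
// exhibits rely on: a parameterized INSERT that keeps the message out of the SQL
// text, and the HTML text escaping React applies on render. Nothing touches a
// real database; the point is what the database (or browser) would receive.

// Payloads copied from the exhibits.
const EXHIBITS = {
  sqli: "'; DROP TABLE guestbook; --",
  blind: "THREADLOCKED FLAVOUR — ABSOLUTE DOMINATION | '; SELECT pg_sleep(10); --",
  xss: '<img src=x onerror="window.__xss_hit=(window.__xss_hit||0)+1"> <script>window.__xss_script=1</script>',
};

// Vulnerable form: the message is spliced into the SQL string, so a single quote
// closes the literal and whatever follows is parsed as SQL.
function buildNaiveInsert(message) {
  return `INSERT INTO guestbook (message) VALUES ('${message}')`;
}

// Hardened form: constant SQL text with a placeholder; the message is shipped
// separately as a bound value (node-postgres `$1` style, assumed here). The
// database never lexes it, so it cannot become a statement.
function buildParameterizedInsert(message) {
  return {
    text: "INSERT INTO guestbook (message) VALUES ($1)",
    values: [message],
  };
}

// Minimal statement counter: honours '...' literals (with '' as an escaped
// quote) and -- line comments, which is enough to show how many statements
// the naive string actually carries.
function countStatements(sql) {
  let count = 0;
  let inQuote = false;
  let sawText = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inQuote) {
      if (ch === "'") {
        if (sql[i + 1] === "'") i++; // escaped quote inside the literal
        else inQuote = false;
      }
      continue;
    }
    if (ch === "'") { inQuote = true; sawText = true; continue; }
    if (ch === "-" && sql[i + 1] === "-") { // comment runs to end of line
      const nl = sql.indexOf("\n", i);
      if (nl < 0) break;
      i = nl;
      continue;
    }
    if (ch === ";") { if (sawText) count++; sawText = false; continue; }
    if (!/\s/.test(ch)) sawText = true;
  }
  return sawText ? count + 1 : count;
}

// The five characters React escapes when it renders a string as text
// (& < > " '), so the XSS payload lands in the DOM as literal characters.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// What each side would receive for one message.
function compare(message) {
  const naive = buildNaiveInsert(message);
  const safe = buildParameterizedInsert(message);
  return {
    naiveStatements: countStatements(naive),
    parameterizedStatements: countStatements(safe.text),
    boundValueIsIntact: safe.values[0] === message,
    rendered: escapeHtml(message),
  };
}

// Run every exhibit payload through both forms.
function demoAll() {
  const out = {};
  for (const [name, payload] of Object.entries(EXHIBITS)) out[name] = compare(payload);
  return out;
}

console.log(demoAll());
```

The thing to check is that the naive form hands the database two statements for the Exhibit A and B payloads, while the parameterized form always hands it exactly one, with the original text intact as a bound value. That only holds when the driver really sends `values` separately from `text` (node-postgres does); a helper that quotes the value client-side and splices it into the string is not the same protection.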