From Test-Scratch-Wiki

Note: This article does not explain everything about hacking. To see more information about "hacking", please refer to Wikipedia:Hacker (computer security)

Warning: This article is only intended to give examples, and educate users about hacking. Please don't attempt anything in this article, as it could lead to an account block.

Hacking, in computer science terminology, is tampering with another individual's or company's (or one's own) software, computers, or databases. However, on most sites the term is used when a user finds out someone's password in any manner and uses it to get onto their account. Typically, once they are on the account they cause problems, such as deleting projects and behaving inappropriately in order to get the account banned. There are many types of hacking, ranging from trying random combinations of characters to tricking a user into revealing their password.

Phishing

Main article: Phishing

Sometimes users trick other users into giving their password away — this is called phishing.[1]


UserA is on Scratch and makes a project where you need to enter a password to get in. UserB is new, does not know much about hacking, and gives their password to UserA.

This is called phishing, as seen in the example here.

Kaj

See also: List of Misconceptions about Scratch#Kaj


An urban legend has it that Kaj once hacked or stole another account. Kaj is sometimes mistakenly used as a symbol for hacking. People have also made fake accounts boasting about being Kaj, though these accounts get taken down.

"Hacking" projects

Main article: JSON Tutorial

Some users refer to modifying the JSON code of a project as "hacking", although it is not really hacking; it is simply editing a project without using either the online or offline editor.

The term is more accurate when the JSON is modified in order to implement features that are not possible in the normal editor, such as placing variables inside of dropdowns.

The Scratch Team, however, partially discourages doing so because it could confuse new users.[2]

SQL Injection

Note: Since the Scratch Website and all Scratch-related projects sanitize database queries (meaning that SQL commands entered as input are not run by the database), this will not work on any of them.

SQL injection is undoubtedly the most common method individuals use to attack website databases. A database on a web server is an organized unit of storage, typically in table form. The database software is entirely separate from the web server and from the server-side language it runs (such as PHP or Python). SQL database programs use commands to manage the databases: reading from table cells, writing data to table cells, and so on.

All SQL programs use similar syntax to one another. An example of a command from MySQL, a common database program, is as follows:

INSERT INTO `table` VALUES('GenericScratcher','password',0);

The above command inserts a new row into the table named "table" with the specified values (the name is quoted with backticks because TABLE is a reserved word in MySQL). Since three values were specified, separated by commas, the table must have three columns. The first value goes into the leftmost column and the last into the rightmost. These commands can be typed into the database's client in the operating system's terminal or command-line interface.

Often a SQL command cannot be executed directly because the program handling it is not a SQL interpreter. For instance, PHP, a server-side scripting language, cannot execute SQL commands itself, but it can pass them on to a SQL program to be executed. This is where the vulnerability comes in.

When a server-side language sends a command to a SQL program, the command must be formatted as a string, that is, a sequence of characters. Very often, user input from a website is placed directly inside such a SQL command. For instance, a website may have two input boxes for logging in, "username" and "password". An example of PHP code that passes the username and password values on to a database to be checked would be as follows:

    $username = $_REQUEST['username']; // stores the username input in a variable
    $password = $_REQUEST['password']; // stores the password input in a variable
    // command to be sent to the database; "users" is a placeholder table name
    $query = "SELECT * FROM users WHERE username ='$username' and password ='$password';";

Notice that single quotation marks surround both the username and password inputs of the end user. If the end user entered "test" for the username and "password" for the password, the query would appear as follows:

SELECT * FROM users WHERE username ='test' and password ='password';

When this command is sent to the database, it checks whether any row of its table has that username and password. If no row matches, more code can decide what to do next. Now suppose an individual puts a single quote into the actual input. This closes the previous single quote, and the rest of the input is treated as SQL and sent to the database to be executed. For example, if the user types "test" as the username and "' or '1'='1" as the password, the user will log on as that user without actually knowing the user's password. The query in this case would be:

SELECT * FROM users WHERE username ='test' and password ='' or '1'='1';

The password check passes because of the "or" logic, giving an end user easy access to the account's settings and privileges. This only poses a risk when the command has to be transferred to the SQL program from another program as a string. Embedding a quote character inside a string is harmless in the server-side language itself; the problem arises because the finished string is handed to the SQL program, which parses the quotes as part of the query syntax rather than as data.

This vulnerability can be fixed in various ways. One is to check user input for certain quote characters and reject or escape them, which can prevent injection; this may not be the best option because quotes are often used in normal sentences. Quotes can also be turned into HTML entities that are rendered as quotes even though the actual text is not a quote character. One can also use prepared statements in the server-side language, which pass the user's values to the database separately from the command, to prevent injection.
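As an added illustration (not part of the original article or of any Scratch code), here is the login check above rewritten in Python against an in-memory SQLite database, with the string-concatenation version next to a prepared-statement version; the table and column names are assumptions:

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database standing in
    for the site's users table (table and column names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('GenericScratcher', 'password', 0)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, like the PHP snippet above:
    the user's text becomes part of the SQL syntax itself."""
    query = ("SELECT * FROM users WHERE username ='" + username +
             "' and password ='" + password + "';")
    row = conn.execute(query).fetchone()
    return row is not None


def login_prepared(conn, username, password):
    """Uses a parameterised (prepared) statement: the driver sends the values
    separately from the command, so quotes in them are data, never SQL."""
    query = "SELECT * FROM users WHERE username = ? and password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


def demo():
    """Runs the correct password and the article's example input through
    both versions; only the concatenated query lets the bad input through."""
    conn = make_db()
    payload = "' or '1'='1"  # the example input from the article
    return {
        "vuln_correct": login_vulnerable(conn, "GenericScratcher", "password"),
        "vuln_injected": login_vulnerable(conn, "GenericScratcher", payload),
        "prep_correct": login_prepared(conn, "GenericScratcher", "password"),
        "prep_injected": login_prepared(conn, "GenericScratcher", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "logged in" if result else "rejected")
```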

What one should do when hacked

If, in the rare case, an account is hacked, the Scratcher in question should use the Contact Us link at the bottom of every page on the Scratch Website. They then get in contact with the Scratch Team and tell them what happened. The Scratch Team then does its best to keep the hacked account safe. When sending a message, the following should be included:

  • The username of the hacked account
  • The user who hacked the account
  • Ways the Scratch Team can contact the owner of the hacked account
  • Any other info the Scratch Team needs to know
  • If you already changed your password (if possible)

If the user with the hacked account can still log in, it is advisable to change the password so the account is no longer hacked.

In severe cases, notify your local law enforcement agency.

See Also

  • Kaj, often alleged to have hacked an account

