Nice SQLi vulnerability you got there ;-)

> making this project was the most fun I have had in some time haha!

> sorryyyyy for vibe coding it though. Peace. I am only human after all […]

Well, yes, of course the whole app was written by an LLM. I’m not surprised at all.

---

Request:

  POST /?user=play&add_http_cors_header=1 HTTP/1.1
  Host: play.clickhouse.com
  Content-Type: text/plain;charset=UTF-8
  User-Agent: Mozilla/5.0 (KHTML, like Gecko) Chrome/109.0.5414.120
  Accept: */*
  Origin: https://serjaimelannister.github.io
  Referer: https://serjaimelannister.github.io/
  
  SELECT username, total_words, global_rank, total_active_users,
  concat(toString(global_rank), ' / ', toString(total_active_users)) AS placement,
  round(100 * (1 - (global_rank / total_active_users)), 2) AS percentile
  FROM (
      SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words,
      rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank,
      count(*) OVER () AS total_active_users
      FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by)
      GROUP BY by
  ) WHERE username = '' OR 1=1;--' FORMAT JSON

Response:

  This message is too large to display

▲ usefulposter 3 hours ago | parent [-]

There's no vulnerability here.

This is a client-side GitHub Pages app. GitHub Pages doesn't do server-side SQL execution.

As your POST request shows, it's querying the hackernews_history table on Clickhouse Playground which is a big read-only demo environment.

The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

https://play.clickhouse.com/play?user=play

https://clickhouse.com/docs/getting-started/playground

https://clickhouse.com/blog/announcing-the-new-sql-playgroun...

▲

embedding-shape an hour ago | parent | next [-]

Kind of ironic that a vibe coded project is seemingly receiving vibe coded security reports already. Only a moment before all comments are vibed as well.

	▲	Imustaskforhelp 17 minutes ago \| parent [-]
		Well emsh, to be honest, I just coded it out of seeing if its possible or not and what the feedback was on it. Now seeing the project having people be interested. I really don't mind writing it myself from scratch (although you might have to wait a few months as my exams are re-approaching & I would have to learn sql again, this time in more depth so give or take 6-7 months before I get free enough) But honestly, I vibe coded it for myself to see how much words I wrote. I found clickhouse cool enough to recreate it for others & (I have written a comment in more depth about it) It's really just a prototype. Wasn't expecting it on the front page of Hackernews :) [Though I did thought that maybe it could be front page material just because of the novelty idea behind it which is probably the case as you can see but it was uploaded 2 days ago and only recently got a boost which I was surprised to find my karma boosted/seeing this on front page when I woke up today] > Only a moment before all comments are vibed as well. regarding this. I see a lot of really great comments in here (written by human afterall) & this is honestly one of the best case scenarios for what I had in mind. If vibe means relax comments, then I am all for it but if vibe means AI generated. Nah, I really hope so that Hackernews comments itself remains a place for humans. (Also a bit of a side note but I wanted to tell you that when I made this, the first people I searched were myself, pg, dang then you, and then simonw) (I searched you because I felt like I saw you quite often actually/talked to you on bluesky and everything too and you are one of the more newer accounts like mine so I was curious about how many game of thrones have you written :]) Have a nice day man!

▲

Imustaskforhelp an hour ago | parent | prev [-]

Yes.

> The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

To be honest, I want more people to play with the clickhouse playground too. I feel like a lot of people have some great ideas to expand upon & I feel like they should play around with clickhouse playground for themselves! Highly recommended (also the reason why I referenced them in the website a lot)

Also, another point, but the data's not completely 1:1 but pretty close, I think the HN comments references till 6 january 2026 when I had run a date like query on it, but pretty close if you ask me & Clickhouse updates their database a lot from what I can feel like.

A bit of a backstory but I first wanted to try it with algolia api. Found the 10_000 requests per ip per hour to be really restricting. Then thought of using the big query data but it was really hard to play with that & I really couldn't understand how to really use it (a bit of skill issue), I also tried looking at firebase api of HN itself but found that it also had rate limits from what I can tell which wouldn't have been so useful.

I then found a HN comment about someone from clickhouse when searching to find that they had the play.clickhouse feature and then I remembered playing with that/being familiar with it from some time ago as well so decided to build on top of it.

The most interesting part was that when I was running it on browser & it ran. I felt like it would be a huge job to create an api. (I was thinking of having a puppeeter instance on my netcup vps) but then I simply took the request from network and pasted it in gemini to simplify it (remove all the browser things so that it can work in curl as when I pasted it directly in curl, it had issues) and it gave me a curl command which when I ran actually gave just the table itself. I wasn't really expecting this but it made the whole process even smoother and was thus capable of being able to run on github pages.

Clickhouse's pretty awesome from what I can tell :] (Wish I was sponsored xD)

Honestly, Tried to find if clickhouse has any merch but couldn't find any. Oh well, I might as well still print a sticker of clickhouse and paste it on my mac because I found it really cool for olap. (Honestly I now love both duckdb [for simple purposes] and clickhouse [for more advanced queries from large databases like this one])