Can a raging barbarian carry live rabbits to kill them, in order to keep his rage going?

One of my players, a human barbarian, came up with the idea of carrying captured rabbits, feeding them and treating them nicely, so that he can rip them apart mid-battle if he knows he will be unable to attack during the round. Does this sound balanced or does this sound like breaking the rules?

Does the second attack from the Dual Wielder feat require an additional action, or a bonus action, to carry out?

I am looking at taking the Dual Wielder feat (PHB, p. 165), but I am not entirely sure as to how it works specifically. It includes the following benefit, among others:

You can use two-weapon fighting even when the one-handed melee weapons you are wielding aren’t light.

Does this second weapon attack require an additional action, or a bonus action, to carry out?

Do any feats carry over when in Wild Shape?

I’m wondering if any feats might carry over when a druid assumes a Wild Shape. I’m specifically looking at the Alert and Lucky Feats.

PHB p.67 stipulates:

Your game statistics are replaced by the statistics of the beast…

So I would tend to think that that precludes the +5 to Initiative in the Alert Feat, but I thought it would be a good idea to check with you guys.

How can I carry out SQL insert injection when there’s a select statement beforehand

So here’s the deal. I’ve been working on an SQL injection challenge and here’s what comes up.

There’s a registration page where you input your Username, password and confirm password. It’s vulnerable to INSERT SQL injection, I’m basically trying to insert my own data and make myself and admin (admin=1). However, there is a SELECT statement before the INSERT statement that checks if the username exists in the database. The problem is, if I try inserting data with SQL injection, the SELECT statement will fail and will generate an error, and the INSERT statement will never be executed.

I’ve made an in-a-nutshell PHP code to show you how it works.

<?php     $  username = $  _POST['username'];     $  password = md5($  _POST['password']);      $  sql = mysqli_query("SELECT * FROM users WHERE username = '$  username';");     if(mysqli_num_rows($  sql) > 0 || !$  sql) {         // this code will be run if the username already exists OR an SQL error in the query above.     }     else {         $  sql = mysqli_query("INSERT INTO users (`id`,`username`,`password`,`admin`) VALUES (NULL,'$  username','$  password',0);");     } ?> 

So the thing is, if I tried signing up with the username "admintest','password',1);-- " which should in theory INSERT myself into the database as an admin, here comes the problems.

The problem, is the SELECT query. Watch what happens.

SELECT * FROM users WHERE username = 'admintest','password',1);-- '; 

This of course is a syntax-error, and as we saw by the code I provided above, an IF statement will confirm that the SQL query was a syntax error, and the INSERT statement will NEVER run.

In an ideal world, this should happen in the INSERT statement, which will insert me as an ADMIN.

INSERT INTO users (`id`,`username`,`password`,`admin`) VALUES (NULL,'admintest','password',1);-- ','password',0); 

I’ve tried to work out something that doesn’t generate a syntax error on the SELECT, and also INSERTs the data I want to insert. Would be appreciated if anyone could help out 🙂

Can the spell immovable object be used to carry very heavy things?

The spell immovable object from Explorer’s Guide to Wildemount (pg. 187) says:

You touch an object that weighs no more than 10 pounds and cause it to become magically fixed in place. You and the creatures you designate when you cast this spell can move the object normally. […]

At Higher Levels. If you cast this spell using a spell slot of 4th or 5th level, the DC to move the object increases by 5, it can carry up to 8,000 pounds of weight, and the duration increases to 24 hours. If you cast this spell using a spell slot of 6th level or higher, the DC to move the object increases by 10, it can carry up to 20,000 pounds of weight, and the effect is permanent until dispelled.

The two phrases I am interested in here are:

You … can move the object normally

and,

it can carry up to 20,000 pounds of weight.

Suppose I cast immovable object at 6th level on a thin sheet of plywood. I then proceed to stack 19,999 pounds of gold ingots on top of the sheet of plywood. I then attempt to move the sheet of plywood normally.

Can an object under the effect of a 6th level immovable object spell still be moved normally while it is carrying up to 20,000 pounds?

Can Mage Hand drag more weight than it can carry?

I have been watching/listening to Chance’s D&D Spellbook, which highlights a potential ‘loophole’ in that the spell doesn’t list how much the hang can drag, say if attached via a rope that weighs less than 10lbs.

Normally a spell only does what it says, but carrying and dragging seem closely enough related that there might be some room for interpretation.

URL editing shows success message, but doesn’t carry out function

I’ve been looking into my college’s internal alumni network. In that we can send connections to users and when you send a connection request, you’re taken to a url which is: https://www.website.com/yourwall/sent-invite/username/?Sendcon=true And a message

Your invitation to Name was sent.

is displayed where ‘Name’ is the name of the user associated with ‘username’ Even though we get a success message, the connection request is not sent. And if we supply an invalid ‘username’ parameter into the url we still get a success message but as:

Your invitation to {:user} was sent.

Could this be a vulnerability? How can it be exploited and mitigated?

Does the effects of a failed save versus disease or poison carry over into an alternate form?

Most diseases (mundane or magical) and poison deal ability damage upon a failed save after the incubation time.

Once the damage takes place, does the negative effects of a failed save versus disease or poison carry over into an alternate form?

This question is only asking about alternate forms, not wildshape or polymorph.