Link to Original Source
Since QR codes can hold arbitrary strings, why not sql injection attacks?
Given that at any time
1) banks would not be the only party interested in tracking money and/or customers,
2) codes would be scanned and entered into database,
3) at some point tracking would become mandatory,
4) there are still sloppy programmers out there building SQL statements by concatenating
I can see, why this could be a not-so-good idea...
Dinosaurs aren't extinct. They've just learned to hide in the trees.