Programmer Humor

19154 readers

2012 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 1 year ago

MODERATORS

[email protected]

1175

It's that time of the year again! (files.mastodon.social)

submitted 9 months ago by [email protected] to c/[email protected]

59 comments fedilink hide all child comments

files.mastodon.social/media_at…

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 4 points 9 months ago (2 children)

Other reply s accurate but it's always a good practice to include the semicolon else you can get

"Bobby tables'ed" look that xkcd comic up

[–] [email protected] 8 points 9 months ago (1 children)

I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago)

Yep it would only work if you didn't sanitize a user input string in this case 'nice'

They could write ''; drop table blah;

[–] [email protected] 1 points 9 months ago

Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"