this post was submitted on 09 Dec 2023
1192 points (97.5% liked)
Programmer Humor
19557 readers
779 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
No closing semicolon, anyone got any extras to throw on this thing?
; found this in the back for you should still work though
Can confirm.
At the very least I'd try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.
WHERE UPPER(TRIM(behavior)) = 'NICE'
Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I'd rather see if there was a methodology using code values or existing indicators instead of a string, but that's often just wishful thinking.
Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)
(This is my favorite Xmas meme lol)
behavior
is an ENUM.That’s a table scan, right there. Naughty.
Need to normalize the database. I would add a join to a BehaviorTypes table.
Edit: or, if the only options are naughty or nice, make it a boolean.
Honest question, which ones wouldn't it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?
Other reply s accurate but it's always a good practice to include the semicolon else you can get
"Bobby tables'ed" look that xkcd comic up
I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
Yep it would only work if you didn't sanitize a user input string in this case 'nice'
They could write ''; drop table blah;
Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"
Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.
You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.
If you don't use a semicolon directly in MySQL it won't do anything until you add it.
In the MySQL client console where you can run multiple commands.
If you add semicolon in language library commands such as fetch() you will get an error.
Can we get a SIMILARITY?