this post was submitted on 09 Dec 2023
1192 points (97.5% liked)

Programmer Humor

19557 readers
779 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 78 points 11 months ago (6 children)

No closing semicolon, anyone got any extras to throw on this thing?

[–] [email protected] 30 points 11 months ago (1 children)

; found this in the back for you should still work though

[–] [email protected] 7 points 11 months ago
[–] [email protected] 17 points 11 months ago* (last edited 11 months ago) (2 children)

At the very least I'd try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.

WHERE UPPER(TRIM(behavior)) = 'NICE'

Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I'd rather see if there was a methodology using code values or existing indicators instead of a string, but that's often just wishful thinking.

Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)

(This is my favorite Xmas meme lol)

[–] [email protected] 12 points 11 months ago

behavior is an ENUM.

[–] [email protected] 4 points 11 months ago

That’s a table scan, right there. Naughty.

[–] [email protected] 7 points 11 months ago* (last edited 11 months ago)

Need to normalize the database. I would add a join to a BehaviorTypes table.

Edit: or, if the only options are naughty or nice, make it a boolean.

[–] [email protected] 4 points 11 months ago (2 children)

Honest question, which ones wouldn't it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?

[–] [email protected] 4 points 11 months ago (2 children)

Other reply s accurate but it's always a good practice to include the semicolon else you can get

"Bobby tables'ed" look that xkcd comic up

[–] [email protected] 8 points 11 months ago (1 children)

I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

[–] [email protected] 2 points 11 months ago* (last edited 11 months ago)

Yep it would only work if you didn't sanitize a user input string in this case 'nice'

They could write ''; drop table blah;

[–] [email protected] 1 points 11 months ago

Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"

[–] [email protected] 1 points 11 months ago

Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.

[–] [email protected] 4 points 11 months ago (1 children)

You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.

[–] [email protected] 2 points 11 months ago (1 children)

If you don't use a semicolon directly in MySQL it won't do anything until you add it.

[–] [email protected] 2 points 11 months ago

In the MySQL client console where you can run multiple commands.

If you add semicolon in language library commands such as fetch() you will get an error.

[–] [email protected] 2 points 11 months ago

Can we get a SIMILARITY?