this post was submitted on 09 Dec 2023

1173 points (97.4% liked)

Programmer Humor

19551 readers

1020 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 1 year ago

MODERATORS

Feyter@programming.dev

anzo@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev

1173

It's that time of the year again! (files.mastodon.social)

submitted 11 months ago by masimatutu@nerdica.net to c/programmer_humor@programming.dev

49 comments fedilink hide all child comments

files.mastodon.social/media_at…

you are viewing a single comment's thread
view the rest of the comments

[+] GBU_28@lemm.ee 4 points 11 months ago* (last edited 10 months ago) (2 children)

[removed by mod]

[–] docAvid@midwest.social 8 points 11 months ago (1 children)

I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

[–] krotti@sh.itjust.works 1 points 11 months ago

Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"