SQL Injection (lemmy.ml)
[-] racketlauncher831@lemmy.ml 4 points 4 days ago

If you mean front end developers, then yes, that's me.

First, it's not the front end's responsibility to sanitise the input before executing the query because it's not the front end code which operates on the database. What if we have ten front ends? Implement it ten times?

Second, it's the back end that's executing the query so they are doing it anyway. Doing it in the front end code is a waste of time and electricity.

It's not a war zone outpost. There is no such thing as multiple layers of security. It's absurd to think that a piece of malicious data "beat up" the security code at the first spot, just to be knocked out by the same security code further down the road. If a piece of code is effectively sanitising the input then the best place to put it is where it's closest to the database, and it only needs to happen once.
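The "closest to the database, once" argument above in working code, as an added example that is not part of the thread: the same data-access function written with string formatting and with a bound parameter, against a constructed in-memory SQLite table. With the bound parameter the driver hands the value to the engine as data, so the lookup is safe no matter how many front ends call it or whether any of them validated the input.

```python
import sqlite3


def make_db():
    # Constructed sample table for the demonstration; not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def find_user_unsafe(conn, name):
    # The caller's text is spliced into the statement, so it is parsed as SQL.
    # A value containing a quote can change the WHERE clause itself.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bound parameter: `name` travels separately from the SQL text and is
    # compared as a literal value. No sanitising step anywhere upstream is
    # needed for this to hold, which is why the data-access layer is the
    # one place it must be done.
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input containing a quote
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no user has that name
```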

[-] TimeSquirrel@kbin.melroy.org 6 points 4 days ago

Yes. That's a given. As long as it's in the back end, there isn't a problem. My concern is if someone out there still isn't checking it at all. There must be some inept devs out there if SQL injection attacks on the web are still a thing. That's the kind of thing you'd hear about way back in 2004. Hell, I know to defend against it and I don't even do web development.

[-] hamid@vegantheoryclub.org 3 points 4 days ago

You'd be surprised! The developers at my company are terrible at their jobs and do the bare minimum lol

[-] MyNameIsRichard@lemmy.ml 1 points 4 days ago

Securing the application should be considered the bare minimum.

[-] lennivelkant@discuss.tchncs.de 1 points 3 days ago

I once worked on a codebase where the reset function had a hardcoded default password

[-] MyNameIsRichard@lemmy.ml 1 points 3 days ago

I worked on a codebase like that once. At least it was Base64 encoded.

[-] hamid@vegantheoryclub.org 1 points 4 days ago

Should be, but we all know delivery is lol

[-] xavier666@lemm.ee 1 points 4 days ago

~~Securing~~ Running the application should be considered the bare minimum.

[-] MrAlternateTape@lemm.ee 1 points 4 days ago

Should be, maybe. The reality is that you can spend extra time making the program work, but if it works and you want to spend extra hours on it for whatever reason, it's usually considered a waste of time.

Until they get hacked and it costs incredible amounts of money, that is.

Smart programmers do all the things they need to do before they get everything working. As soon as it works they get pushed to work on something else.

[-] MyNameIsRichard@lemmy.ml 1 points 4 days ago

Security should be built in from the ground up. It's not an afterthought. If you're not doing that, you're not doing it right. I get that there are time constraints but you should factor that in when giving your estimates.

[-] MrAlternateTape@lemm.ee 2 points 4 days ago

Oh I agree. It's just not always how it goes.

this post was submitted on 02 Feb 2025
334 points (100.0% liked)

Programmer Humor
