220

If spammers can abuse something, they gonna abuse it

you are viewing a single comment's thread
view the rest of the comments
[-] Dark_Arc@social.packetloss.gg 5 points 9 months ago* (last edited 9 months ago)

That's not how this works.

You have a database driver that takes care of communicating with the database.

In the bad old days (pre-early 2000s) the only way they knew how to do that was plain old SQL strings so you passed a string that contained both the data and the instructions on what to do with it.

Now you SHOULD be writing prepared statements that contain the instructions then passing the data separately to fill in the placeholders in the prepared statement via the driver (NOT via modifying the string).

// DO NOT DO THIS
execute("INSERT INTO foo VALUES ('a', 'b', 'c')")

vs

// DO THIS
executePrepared("INSERT INTO foo VALUES (?,?,?)", "a", "b", "c")
[-] noUsernamesLef7@infosec.pub 3 points 9 months ago

And yet injection is still #3 in the OWASP Top 10

[-] Dark_Arc@social.packetloss.gg 2 points 9 months ago
[-] noUsernamesLef7@infosec.pub 1 points 9 months ago

You make it sound as if it's a thing of the past when it is still a common problem.

[-] Dark_Arc@social.packetloss.gg 2 points 9 months ago* (last edited 9 months ago)

It's a common problem for the same reason that it's a common problem for people to have precision errors when doing math with currencies... People write the wrong code because they don't know any better (in that case using float or double/floating point math instead of a BigDecimal type).

Not filtering out characters that could be part of URL has no bearing on whether or not the site is properly protected from SQL injection. I'm much more often worried about sites that explicitly filter out certain characters because it likely means they don't understand what they're doing (similar to sites that insist on annual password changes).

The fact that people are arguing about this shows how much of an issue we have with education on this topic.

[-] TigrisMorte@kbin.social 1 points 9 months ago

Please explain how you remain confident of that "SHOULD" when they are not sanitizing the HTML out?

[-] Dark_Arc@social.packetloss.gg 1 points 9 months ago

Because it's literally impossible for SQL injection to occur if you do this. The database has already compiled the operation. There's nothing to escape, there's no more logic that can be added, you're free to insert arbitrary gook just like you can into any old array.

[-] TigrisMorte@kbin.social 1 points 9 months ago

"if" caring a lot of water on this here frog's back mr. scorpion.

this post was submitted on 09 Feb 2024
220 points (100.0% liked)

Software Gore

5325 readers
5 users here now

Welcome to /c/SoftwareGore!


This is a community where you can poke fun at nasty software. This community is your go-to destination to look at the most cringe-worthy and facepalm-inducing moments of software gone wrong. Whether it's a user interface that defies all logic, a crash that leaves you in disbelief, silly bugs or glitches that make you go crazy, or an error message that feels like it was written by an unpaid intern, this is the place to see them all!

Remember to read the rules before you make a post or comment!


Community Rules - Click to expand


These rules are subject to change at any time with or without prior notice. (last updated: 7th December 2023 - Introduction of Rule 11 with one sub-rule prohibiting posting of AI content)


  1. This community is a part of the Lemmy.world instance. You must follow its Code of Conduct (https://mastodon.world/about).
  2. Please keep all discussions in English. This makes communication and moderation much easier.
  3. Only post content that's appropriate to this community. Inappropriate posts will be removed.
  4. NSFW content of any kind is not allowed in this community.
  5. Do not create duplicate posts or comments. Such duplicated content will be removed. This also includes spamming.
  6. Do not repost media that has already been posted in the last 30 days. Such reposts will be deleted. Non-original content and reposts from external websites are allowed.
  7. Absolutely no discussion regarding politics are allowed. There are plenty of other places to voice your opinions, but fights regarding your political opinion is the last thing needed in this community.
  8. Keep all discussions civil and lighthearted.
    • Do not promote harmful activities.
    • Don't be a bigot.
    • Hate speech, harassment or discrimination based on one's race, ethnicity, gender, sexuality, religion, beliefs or any other identity is strictly disallowed. Everyone is welcome and encouraged to discuss in this community.
  9. The moderators retain the right to remove any post or comment and ban users/bots that do not necessarily violate these rules if deemed necessary.
  10. At last, use common sense. If you think you shouldn't say something to a person in real life, then don't say it here.
  11. Community specific rules:
    • Posts that contain any AI-related content as the main focus (for example: AI “hallucinations”, repeated words or phrases, different than expected responses, etc.) will be removed. (polled)


You should also check out these awesome communities!


founded 1 year ago
MODERATORS