this post was submitted on 09 Dec 2023
1166 points (97.4% liked)

Programmer Humor

19821 readers
771 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 76 points 1 year ago (6 children)

No closing semicolon, anyone got any extras to throw on this thing?

[–] epyon22 30 points 1 year ago (1 children)

; found this in the back for you should still work though

[–] [email protected] 7 points 1 year ago
[–] [email protected] 17 points 1 year ago* (last edited 1 year ago) (2 children)

At the very least I'd try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.

WHERE UPPER(TRIM(behavior)) = 'NICE'

Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I'd rather see if there was a methodology using code values or existing indicators instead of a string, but that's often just wishful thinking.

Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)

(This is my favorite Xmas meme lol)

[–] [email protected] 12 points 1 year ago

behavior is an ENUM.

[–] [email protected] 4 points 1 year ago

That’s a table scan, right there. Naughty.

[–] [email protected] 7 points 1 year ago* (last edited 1 year ago)

Need to normalize the database. I would add a join to a BehaviorTypes table.

Edit: or, if the only options are naughty or nice, make it a boolean.

[–] [email protected] 4 points 1 year ago (1 children)

You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.

[–] [email protected] 2 points 1 year ago (1 children)

If you don't use a semicolon directly in MySQL it won't do anything until you add it.

[–] [email protected] 2 points 1 year ago

In the MySQL client console where you can run multiple commands.

If you add semicolon in language library commands such as fetch() you will get an error.

[–] krotti 4 points 1 year ago (2 children)

Honest question, which ones wouldn't it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?

[–] [email protected] 4 points 1 year ago (2 children)

Other reply s accurate but it's always a good practice to include the semicolon else you can get

"Bobby tables'ed" look that xkcd comic up

[–] [email protected] 8 points 1 year ago (1 children)

I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

Yep it would only work if you didn't sanitize a user input string in this case 'nice'

They could write ''; drop table blah;

[–] krotti 1 points 1 year ago

Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"

[–] [email protected] 1 points 1 year ago

Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.

[–] [email protected] 2 points 1 year ago

Can we get a SIMILARITY?