this post was submitted on 09 Dec 2023
1166 points (97.4% liked)
Programmer Humor
19821 readers
771 users here now
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Other reply s accurate but it's always a good practice to include the semicolon else you can get
"Bobby tables'ed" look that xkcd comic up
I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
Yep it would only work if you didn't sanitize a user input string in this case 'nice'
They could write ''; drop table blah;
Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"