this post was submitted on 24 Feb 2025
414 points (98.6% liked)

Technology

[–] [email protected] 12 points 6 days ago

Ah yes, little Nell=%00\u0000'\0'""'0'0x000x30'';

Nellie Null we call her.

She and her cousin Bobby Tables love to scamper around, but they are good kids. They would never break anything intentionally

[–] [email protected] 5 points 5 days ago* (last edited 5 days ago)

There is an infosec guy in California who had NULL as his car license plate. If a license-plate reader detects a ticketable event but the license plate is unreadable, guess how the system handles those events?

Infosec guy was not a happy bunny.

[–] [email protected] 8 points 6 days ago

Mandatory xkcd:

[–] [email protected] 138 points 1 week ago (4 children)

I’ve been doing web development for something like 20 years now and I just can’t imagine how shitty your backend is if this is an issue.

[–] sugar_in_your_tea 4 points 6 days ago (2 children)

As a backend dev, I blame DBAs. We were forced to support CSV imports from our support team so they could fix data issues on their own, and now we have some wonky data in prod...

[–] [email protected] 4 points 6 days ago

Lately I’ve been dealing with tons of invalid byte sequences in MySQL dumps and it makes me question what the hell they’re allowing in there.

[–] [email protected] 2 points 6 days ago

Yeah that’s a whole other can of worms. I see this a lot at work where people are asking for direct database credentials and cringe every time.

[–] [email protected] 57 points 1 week ago (1 children)

This was my thought as well, sanitize your inputs! Are they not quoting/casting to string before input?

[–] [email protected] 51 points 1 week ago (5 children)

Unless you’re coding from scratch it’s hard to not do this with any modern framework.

[–] [email protected] 6 points 6 days ago* (last edited 6 days ago) (2 children)

Unless you’re coding from scratch it’s hard to not do this with any modern framework.

I think that word modern is doing a lot of heavy lifting there.

A lot of systems simply aren't modern. There's always that mentality of "well, it's been working for the last 12 years, let's not mess with it now", despite all the valid objections like "but it's running on Windows2000” or "it's a data breach waiting to happen"...

[–] [email protected] 1 points 6 days ago

Is it though? I haven’t used a framework since probably 2007 that doesn’t do this. There are the smaller, more DIY frameworks out there but I’ve never used them professionally.

[–] [email protected] 1 points 6 days ago (1 children)
[–] [email protected] 1 points 6 days ago

Thanks, I missed that

[–] [email protected] 42 points 1 week ago (2 children)

Legacy systems still handle more traffic than modern ones, I’d wager

[–] [email protected] 22 points 1 week ago (9 children)

WordPress code, and plugins, do not sanitize out of the box. You have to call an additional function, each time, that is not provided automatically. Many home-made plugins miss that; many popular plugins used to be home-made ones.

[–] [email protected] 67 points 1 week ago (1 children)

I was NaN years old when I learned this.

[–] [email protected] 10 points 6 days ago* (last edited 6 days ago) (1 children)

It's funny because I also learned on [Object object].

[–] sugar_in_your_tea 8 points 6 days ago (1 children)

And here I am at undefined years old, learning for the first time.

[–] [email protected] 5 points 6 days ago

I'm a year old undefined and I find it [redacted]

[–] [email protected] 65 points 1 week ago (8 children)

/me changes name to '); DROP TABLE STUDENTS; --.

[–] [email protected] 44 points 1 week ago (1 children)
[–] __nobodynowhere 4 points 6 days ago

That boy ain't right

[–] [email protected] 35 points 1 week ago

Oh. Yes. Little Bobby Tables, we call him.

[–] [email protected] 63 points 1 week ago (9 children)

NULL != 'NULL'

How do devs make this mistake

[–] [email protected] 11 points 6 days ago

Code is easy in a vacuum. 50 moving parts all with their own quirks and insufficient testing is how you get stuff like this to happen.

[–] [email protected] 11 points 6 days ago* (last edited 6 days ago) (1 children)

How do devs make this mistake

it can happen many different ways if you're not explicitly watching out for these types of things

example let's say you have a csv file with a bunch of names

id, last_name
1, schaffer
2, thornton
3, NULL
4, smith
5, "NULL"

if you use the following to import into postgres

COPY user_data (id, last_name)
FROM '/path/to/data.csv'
WITH (FORMAT csv, HEADER true);

number 5 will be imported as a string "NULL" but number 3 will be imported as a NULL value. of course, this is why you sanitize the data (GIGO) but I can imagine this happening countless times at companies all over the country

there are easy fixes if you're paying attention

COPY user_data (id, last_name)
FROM '/path/to/data.csv'
WITH (FORMAT csv, HEADER true, NULL '');

sets the empty string to NULL value.


example with js

fetch('/api/user/1')
  .then(response => response.json())
  .then(data => {
    if (data.lastName == "null") {
      console.log("No last name found");
    } else {
      console.log("Last name is:", data.lastName);
    }
  });

if data is

data = {
  id: 5,
  lastName: "null"
};

then the if statement will trigger, as if there was no last name. that's why you gotta know the language you're using and the potential pitfalls

now you may ask -- why not just do

if (data.lastName === null)

instead? But what if the system you're working on uses JSON.parse(data) and that auto-converts everything to a string? it's a very natural move to check for the string "null"

obviously if you're paying attention and understand the pitfalls of certain languages (like javascript's type coercion and the particularities of JSON.parse()) it becomes easy but it's something that is honestly very easy to overlook
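As an added example in JavaScript (mine, not code from this thread): a small CSV field parser that keeps an unquoted NULL, an empty field and the quoted string "NULL" apart, with the null sentinel made explicit the way the second COPY statement above does, plus a strict check showing that a last name of "null" survives a JSON round trip as a string rather than becoming a real null. The sample rows and all function names are assumptions.

```javascript
// Constructed sample rows mirroring the comment above (assumption: comma-separated, no spaces).
const SAMPLE_CSV = [
  'id,last_name',
  '1,schaffer',
  '3,NULL',
  '4,',
  '5,"NULL"',
].join('\n');

// Parse one CSV line into fields. Handles double-quoted fields with "" escapes and
// returns each field as {text, quoted} so the caller can tell NULL from "NULL".
function parseCsvLine(line) {
  const fields = [];
  let text = '', quoted = false, inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === '"' && line[i + 1] === '"') { text += '"'; i++; }
      else if (ch === '"') { inQuotes = false; }
      else { text += ch; }
    } else if (ch === '"' && text === '') { inQuotes = true; quoted = true; }
    else if (ch === ',') { fields.push({ text, quoted }); text = ''; quoted = false; }
    else { text += ch; }
  }
  fields.push({ text, quoted });
  return fields;
}

// Apply an explicit NULL sentinel: only an UNQUOTED field equal to the sentinel
// becomes a real null; quoted text is always kept verbatim.
function fieldToValue(field, nullSentinel) {
  return !field.quoted && field.text === nullSentinel ? null : field.text;
}

// Parse the whole CSV into records, applying the sentinel to every column but id.
function csvToRecords(csv, nullSentinel) {
  const [header, ...rows] = csv.split('\n');
  const cols = parseCsvLine(header).map(f => f.text);
  return rows.map(row => {
    const fields = parseCsvLine(row);
    const rec = {};
    cols.forEach((c, i) => { rec[c] = c === 'id' ? Number(fields[i].text) : fieldToValue(fields[i], nullSentinel); });
    return rec;
  });
}

// Strict check: only a real null/undefined means "no last name"; the string
// "null"/"NULL" is a legitimate surname and survives a JSON round trip unchanged.
function hasLastName(record) {
  const r = JSON.parse(JSON.stringify(record)); // JSON.parse keeps null as null, strings as strings
  return r.last_name !== null && r.last_name !== undefined;
}
```

Run it with `csvToRecords(SAMPLE_CSV, 'NULL')` and then with `csvToRecords(SAMPLE_CSV, '')` to see which of rows 3 and 4 becomes a real null under each sentinel; row 5 stays the literal string "NULL" either way.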

[–] [email protected] 3 points 6 days ago (1 children)

Like you said, GIGO, but I can't say I'm familiar with any csv looking like that. Maybe I'm living a lucky life, but true null would generally be an empty string, which of course would still be less than ideal. From a general csv perspective, NULL without quotes is still a string.

If "NULL" string, then lord help us, but I would be inclined to handle it as defined unless instructed otherwise. I guess it's up to the dev to point it out and not everyone cares enough to do so. My point is these things should be caught early.

I'll admit I'm much more versed in mysql than postgres.

[–] [email protected] 2 points 5 days ago

really it's a cautionary tale about the intersections of different technologies. for example, csv going into a sql database and then querying that database from another language (whether it's JS or C# or whatever)

when i was 16 and in driver's ed, I remember the day where the instructor told us that we were going to go drive on the highway. I told him I was worried because the highway sounds scary, everybody is going so fast. he told me something that for some weird reason stuck with me: the highway is one of the safest places to be because everybody is going straight in the same direction.

the most dangerous places to be, and the data backs this up, are actually intersections. the points where different roads converge. why? well, it's pretty intuitive. it's where you have a lot of cars in close proximity. the more cars in a specific square footage the higher probability of a car hitting another car.

that logic follows with software too. in a lot of ways devs are traffic engineers controlling the flow of data. that's why, like you said, it's up to the devs to catch these things early. intersections are the points where different technologies meet and all data flows through these technologies. it's important to be extra careful at these points. like in the example i gave above..

the difference between

WITH (FORMAT csv, HEADER true);

and

WITH (FORMAT csv, HEADER true, NULL '');

could be the difference between one guy living a normal life and another guy receiving thousands of speeding tickets https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/

[–] IcyToes 5 points 6 days ago
[–] [email protected] 1 points 5 days ago

I can't even think of a language that does that. I don't think even JS does it, and if anything was going to it's fucking that.

[–] [email protected] 40 points 1 week ago (1 children)

My academic advisor in college was named Null

Even I kept running into trouble because the system thought I didn't have a registered advisor.

[–] [email protected] 27 points 1 week ago* (last edited 1 week ago) (5 children)

I have never seen this happen, and I don't know what tools would confuse the strings "null" or "Null" with NULL. From the comments in this thread, there are evidently more terribly programmed systems than I imagined.

[–] sugar_in_your_tea 3 points 6 days ago

Two likely reasons:

  • CSV got involved somewhere
  • JavaScript
[–] [email protected] 26 points 1 week ago (1 children)

Lmao, I knew a guy from grade school with the last name Null.

[–] [email protected] -2 points 6 days ago

Friend of little Bobby I presume

[–] [email protected] 23 points 1 week ago

How about XÆa-12? Asking for a friend.

[–] [email protected] 21 points 1 week ago (1 children)

Knew a guy who had the license plate ‘NULL’ and he was telling me how he never got a toll bill or red light ticket.

[–] [email protected] 52 points 1 week ago (1 children)

The article talks about a guy with a “NULL” license plate who gets tons of tickets for things he didn’t do so probably not the best plan

[–] [email protected] 30 points 1 week ago (4 children)

Yep. For the curious, any time a license plate photo couldn’t be fully read by the automated system, it was marked as “NULL” and he was flagged as the driver. So every single red light camera and speeding camera in the area was sending him to court every day.
