this post was submitted on 04 Apr 2024
970 points (97.5% liked)

Programmer Humor

19557 readers
676 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
970
Life Hack (lemm.ee)
submitted 7 months ago by [email protected] to c/[email protected]
128 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (11 children)

does not protect from SQL injection attacks (many don't, despite it being easy to protect against)

Every modern database library automatically protects against SQL injection, usually by using prepared statements (where the query with placeholders, and the placeholder values, are sent as two separate things). so a system would have to be written extremely poorly to be vulnerable to it.

This post is just a joke as developers should hopefully be aware of the OWASP top 10 security vulnerabilities.

Edit: Bad developers will do bad things, but any reasonable developer should be well aware of these risks.

[–] [email protected] 11 points 7 months ago (4 children)

Oh sweet summer child.

First, injection attacks are third on the owasp list, although they do roll xss into it too, which changed the name, since "shit sanitization on input" and "shit escaping before use" are the cause of both.
https://owasp.org/Top10/A03_2021-Injection/

Secondly, SQL injection is freakishly common and easy. I don't know of any database libraries that prevent you from directly executing an SQL literal, they just encourage parameterized statements.

I have personally run into plenty of systems where people build SQL via string concatenation because for whatever reason they can't use an orm or "proper" SQL generator.

You can find them in the wild fairly often by just tossing ' or 1=1;-- into fields in forms. If it gets mad in a way that doesn't make sense or suddenly takes forever, you win!

Don't do that though, because it's illegal.

[–] [email protected] 2 points 7 months ago (3 children)

Secondly, SQL injection is freakishly common and easy.

Do you have any recent examples of major SQL injection holes?

[–] [email protected] 4 points 7 months ago

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=sql+injection

And without giving away specifics, I've personally found SQLi vulns in the wild within the last 5ish years.

load more comments (2 replies)
load more comments (2 replies)
load more comments (8 replies)