Are there character escapes for SQL, to protect against stuff like that?
Comment on Life isn't easy if your last name is 'Null' as it still breaks database entries the world over
solrize@lemmy.world 3 months ago
/me changes name to '); DROP TABLE STUDENTS; –.
ZILtoid1991@lemmy.world 3 months ago
solrize@lemmy.world 3 months ago
Yes but it’s a dangerous process. You should use paramatrized queries instead.
sugar_in_your_tea@sh.itjust.works 3 months ago
Yup, then it becomes a front-end problem to deal with wonky input. As a backend dev, this is ideal.
purplemonkeymad@programming.dev 3 months ago
Use parameters, that way data and queries are separate.
Septimaeus@infosec.pub 3 months ago
Input sanitation typically handles this as a string that only includes characters supported by the data type of the table in question. While in transit, the strings might be escaped at certain stages, such as via URL encoding. Though this is considered poor practice in many applications, it’s not uncommon to see. The point, however, is to prevent the evaluation of inputs as anything other than their intended type, whether or not reserved characters are present.
sugar_in_your_tea@sh.itjust.works 3 months ago
Only noobs get hit by this (called SQL injection). That’s why we have leads review code…
funkajunk@lemm.ee 3 months ago
Oh. Yes. Little Bobby Tables, we call him.