Are there character escapes for SQL, to protect against stuff like that?
Comment on Life isn't easy if your last name is 'Null' as it still breaks database entries the world over
solrize@lemmy.world 1 month ago
/me changes name to '); DROP TABLE STUDENTS; --
ZILtoid1991@lemmy.world 1 month ago
solrize@lemmy.world 1 month ago
Yes, but it's a dangerous process. You should use parametrized queries instead.
sugar_in_your_tea@sh.itjust.works 1 month ago
Yup, then it becomes a front-end problem to deal with wonky input. As a backend dev, this is ideal.
purplemonkeymad@programming.dev 1 month ago
Use parameters, that way data and queries are separate.
Septimaeus@infosec.pub 1 month ago
Input sanitization typically handles this as a string that only includes characters supported by the data type of the table in question. While in transit, the strings might be escaped at certain stages, such as via URL encoding. Though this is considered poor practice in many applications, it's not uncommon to see. The point, however, is to prevent the evaluation of inputs as anything other than their intended type, whether or not reserved characters are present.
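The three points made above (escaping is fragile, parameters keep data and query separate, and type-based validation narrows what reaches the query) side by side, as an added example that is not code from anyone in this thread. It uses Python's standard sqlite3 module with a constructed in-memory table; the surname validation rule is an assumption chosen for the example, not a recommendation from the posts.

```python
import re
import sqlite3

# Constructed sample rows; none of this data comes from the original thread.
STUDENTS = [("Alice", "Smith"), ("Bob", "Null"), ("Carol", "O'Brien")]


def make_db():
    """Create an in-memory SQLite database with a small students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, first TEXT NOT NULL, last TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO students (first, last) VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def lookup_unsafe(conn, last_name):
    """Vulnerable: the surname is pasted into the SQL text, so it is parsed as SQL."""
    sql = "SELECT first FROM students WHERE last = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name):
    """Safe: the surname travels as a bound value; the SQL text never changes."""
    sql = "SELECT first FROM students WHERE last = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


# Hypothetical validation rule for a surname field (an assumption made for this
# example): letters, apostrophes, hyphens and spaces, at most 64 characters.
# This is the "only characters the column's type supports" idea, but the
# apostrophe in O'Brien has to be allowed, so validation alone cannot replace
# parameters; it only narrows what reaches the query.
SURNAME_RE = re.compile(r"[A-Za-z' -]{1,64}")


def is_plausible_surname(value):
    """Return True if the value passes the hypothetical surname allowlist."""
    return SURNAME_RE.fullmatch(value) is not None


def demo():
    """Run each lookup against benign, awkward and hostile inputs; return the outcomes."""
    conn = make_db()
    results = {}

    # The title case: "Null" is just a string when bound as a parameter.
    results["null_param"] = lookup_parameterized(conn, "Null")

    # A legitimate apostrophe breaks the concatenated query (SQL syntax error)
    # but is harmless as a parameter.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["obrien_unsafe"] = "no error"
    except sqlite3.OperationalError:
        results["obrien_unsafe"] = "syntax error"
    results["obrien_param"] = lookup_parameterized(conn, "O'Brien")

    # A tautology payload turns the unsafe lookup into a full table dump;
    # the parameterized version just searches for that literal string.
    payload = "x' OR '1'='1"
    results["payload_unsafe"] = sorted(lookup_unsafe(conn, payload))
    results["payload_param"] = lookup_parameterized(conn, payload)
    results["payload_validates"] = is_plausible_surname(payload)

    # Bobby Tables' payload from earlier in the thread fails the allowlist too.
    results["bobby_validates"] = is_plausible_surname("'); DROP TABLE STUDENTS; --")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload is used instead of the stacked `DROP TABLE` from the thread because Python's sqlite3 module refuses more than one statement per `execute()` call; against a driver or API that allows stacked statements, the same concatenation would run the drop as well. The parameterized lookup returns nothing for the payload and the right row for both "Null" and "O'Brien", which is exactly the "data and queries are separate" property described above.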
sugar_in_your_tea@sh.itjust.works 1 month ago
Only noobs get hit by this (called SQL injection). That’s why we have leads review code…
funkajunk@lemm.ee 1 month ago
Oh. Yes. Little Bobby Tables, we call him.