Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.
Comment on It's that time of the year again!
krotti@sh.itjust.works 11 months agoHonest question, which ones wouldn’t it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?
jaybone@lemmy.world 11 months ago
GBU_28@lemm.ee 11 months ago
Other reply s accurate but it’s always a good practice to include the semicolon else you can get
“Bobby tables’ed” look that xkcd comic up
docAvid@midwest.social 11 months ago
I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
GBU_28@lemm.ee 11 months ago
Yep it would only work if you didn’t sanitize a user input string
krotti@sh.itjust.works 11 months ago
Wouldn’t that still apply, if you can inject straight SQL, such as “query’ OR 1=1?”