
How is SQL Injection real?

Name: Anonymous 2018-10-19 8:11

What kind of a backwards language do you have to use that doesn't have the simple feature of protecting you from it out of the box? Are you building your queries by concatenating strings like a CS freshman?

Name: Anonymous 2018-10-19 8:38

Real computer scientists use datalog instead of SQL.

Name: Anonymous 2018-10-19 12:52

>>2
datalog
Datalog Injection is actually not a real vuln because three people use the language professionally and they would just hack each other's autistic applications.

Name: Anonymous 2018-10-19 17:23

this isn't a language feature. it's a library feature.

Name: Anonymous 2018-10-19 20:53

>>4
Sql integration is such a basic and common feature that it’s basically a language feature.

Name: Anonymous 2018-10-19 20:56

Haxmy anus bobby tables (xkcd reference, a webcomic for geeks)

Name: Anonymous 2018-10-19 21:18

Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
PREPARE MY ANUS

Name: Anonymous 2018-10-20 10:41

ADO doesn't let you parameterize table names. Does this work with other systems?

Name: Anonymous 2018-10-20 12:08

>>5
Wrong

Name: Anonymous 2018-10-20 15:39

>>8
I don't think any allow you to

Name: Anonymous 2018-10-20 16:57

>>8
Why would you want to do that? It sounds like terrible design.

Name: Anonymous 2018-10-20 22:18

>>11
For example, for an app which sends SMS and lets you configure a view and columns to get the number/name etc. from.

Name: Anonymous 2018-10-21 17:24

>>12
do string concatenation for the SQL query but only insert source level constants

# allowlist: maps untrusted input to a constant identifier
table_names = {'users': 'users'}
table_name = table_names.get(user_input)
if table_name:
    query("select * from " + table_name)
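The following is an added example, not code from anyone in this thread. It puts post 7 (prepared statements) and post 13 (an allowlist of source-level constants for identifiers) side by side using Python's built-in sqlite3 module: a concatenated query that a tautology payload bends into "return every row", the same lookup with the value bound as a parameter, a check showing that the table name cannot be bound as a parameter at all, and the allowlist approach for the identifier case. The table, rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_ROWS = [("alice", "+15550100"), ("bob", "+15550101"), ("carol", "+15550102")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users (name, phone) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the input becomes part of the statement text."""
    sql = "SELECT name, phone FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Prepared statement: the template is a constant, the value is bound separately."""
    return conn.execute("SELECT name, phone FROM users WHERE name = ?", (name,)).fetchall()


def can_bind_table_name(conn):
    """Try to pass the table name as a bound parameter; SQLite rejects it as a syntax error."""
    try:
        conn.execute("SELECT name FROM ?", ("users",))
        return True
    except sqlite3.OperationalError:
        return False


# Allowlists of source-level constants for identifiers that cannot be parameterized
# (hypothetical names chosen for this example).
ALLOWED_TABLES = {"users": "users"}
ALLOWED_COLUMNS = {"name": "name", "phone": "phone"}


def lookup_dynamic(conn, table_key, column_key, name):
    """Only allowlisted identifiers reach the statement text; the value is still bound."""
    table = ALLOWED_TABLES.get(table_key)
    column = ALLOWED_COLUMNS.get(column_key)
    if table is None or column is None:
        raise ValueError("unknown table or column")
    sql = "SELECT " + column + " FROM " + table + " WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))       # all three rows
    print("parameterized:", lookup_parameterized(conn, payload))  # []
    print("table name bindable:", can_bind_table_name(conn))      # False
    print("dynamic:", lookup_dynamic(conn, "users", "phone", "alice"))
```

The allowlist works because the untrusted string is only ever used as a dictionary key; the text that reaches the SQL engine is always one of the constants written in the source, so there is nothing for an attacker to inject into the identifier position.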

Name: Anonymous 2018-10-22 3:15

>>13
actually scratch that, you should be using stored procedures for this type of thing. it’s the only way to make this safe.

Name: Anonymous 2018-10-22 7:04

>>14
I just wish there was a standardized, portable way of doing stored proc

Name: Anonymous 2018-10-22 8:45

>>14
How would stored procedures help with this? You still can't use dynamic table names.

Name: Anonymous 2018-10-22 9:01

>>16
you can wrap your sql query in an nvarchar and then execute that query

Name: Anonymous 2018-10-22 13:37

>>17
But that allows sql injections

Name: Anonymous 2018-10-22 13:50

>>17
oh no!

Name: Anonymous 2018-10-22 14:59

dependent types would have prevented this

Name: Anonymous 2018-10-22 15:00

>>20
The new variation of "Rewrite it in Rust"?

Name: Anonymous 2018-10-22 18:26

>>21
No, Rust does not have dependent types. This is why it does not prevent crashes.

Name: Anonymous 2018-10-23 17:34

Name: Anonymous 2018-10-23 18:11

>>23
You can implement a pts type checker in pretty much any Turing complete language. This does not mean that the language itself supports dependent types.

Name: dependently typed brainfuck 2018-10-23 18:28

dependently typed brainfuck
