144
opengenus
80d

Interviewer: Do you know about SQL injection?

Student: Yessss

Interviewer: Okay, how we can prevent it?

Student: Yes, we should prevent it as prevention is always better than cure. It can lead to data loss and other problems so it can be difficult to fix it if it happens. The best case is that nothing like that takes place. [...]

Interviewer: I get it but how?

Student: By not building any web applications.

[Silence]

Interviewer: Nice, you may go. Do not call us. We will call you.

Comments
  • 40
    Do they get extra points for not just saying "I don't know"?
  • 45
    @kamen Minus. Not admitting the lack of knowledge can bring down entire projects.
  • 20
    I thought the joke was "By not using SQL"
  • 17
    Well I'm totally not into database knowledge, but my try would have been "by never trusting any external input, always sanitising/escaping it server-side (no matter whether it had been validated client-side)"?
  • 12
    @Fast-Nop

    and by using prepared statements
  • 9
    so did u get the job or not, don't leave us hanging
  • 9
    Prepared statements, sanitize your inputs, thoughts and prayers.
  • 25
    I injected some SQL once and now I'm on the streets and I lost all my teeth.

    SQL - not even once.
  • 6
    Is that student an AI?
  • 4
    @SukMikeHok 2 weeks in, still waiting.
  • 2
    @ultimaterage so you mean No-SQL ?
  • 4
    @Fast-Nop Data that writes to the database should ALWAYS be sanitized client side and server side. I think we're in agreement but just wanted to stress that it should never be just one even if it's getting done server side.
  • 3
    He's right you know?
  • 4
    @smirving For the injection issue specifically, I think client-side sanitation can never be trusted because attackers can modify any client-side code anyway and use their modified forms etc for submitting.

    For catching user errors without needing several roundtrips in GUI delay, client-side validation is still helpful.
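    As an added illustration of the two points raised above (prepared statements, and why only the server side can be trusted), not code from the post or its commenters: a constructed Python/sqlite3 comparison with an in-memory table (an assumption), the same lookup written by string concatenation and as a parameterized query, and what each does with a quote-bearing name and with input that reads as SQL.

    ```python
    import sqlite3


    def make_db() -> sqlite3.Connection:
        # Constructed in-memory table standing in for an application's users table.
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
        conn.executemany(
            "INSERT INTO users VALUES (?, ?)",
            [("alice", "a-secret"), ("bob", "b-secret"), ("O'Brien", "o-secret")],
        )
        return conn


    def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
        # Vulnerable form: the input is spliced into the SQL text, so any quote
        # or operator in it is parsed as SQL rather than treated as a value.
        sql = f"SELECT name FROM users WHERE name = '{name}'"
        return [row[0] for row in conn.execute(sql)]


    def lookup_param(conn: sqlite3.Connection, name: str) -> list:
        # Prepared statement: the SQL text is fixed; the driver binds the input
        # as a value, so the database never parses it as SQL. Client-side
        # validation is irrelevant here: the server binds whatever bytes arrive.
        sql = "SELECT name FROM users WHERE name = ?"
        return [row[0] for row in conn.execute(sql, (name,))]


    def compare(inputs: list) -> dict:
        # Run each constructed input through both lookups; a query that fails
        # to parse is reported as an error string instead of raising.
        conn = make_db()
        results = {}
        for text in inputs:
            try:
                concat = lookup_concat(conn, text)
            except sqlite3.Error as exc:
                concat = f"error: {exc}"
            results[text] = {
                "concatenated": concat,
                "parameterized": lookup_param(conn, text),
            }
        return results


    if __name__ == "__main__":
        # Constructed inputs: a plain name, a name with an apostrophe, and text
        # that is itself SQL. Only the parameterized lookup treats all three as data.
        for name, outcome in compare(["alice", "O'Brien", "' OR '1'='1"]).items():
            print(repr(name), outcome)
    ```

    The concatenated query breaks on the apostrophe and returns every row for the SQL-shaped input, while the parameterized query returns exactly the rows whose name equals the input.
    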
  • 5
    I know it! You need to base64 every user input. That way it'll never be meaningful SQL.
  • 3
    @Lor-inc Yeah, you're right. Fair enough.
  • 16
    "Do you know MySQL?"

    "Your SQL?"
  • 3
    Hardcode all dat shitteeeee