23

I thought most developers were aware of the dangers of interpolating variables into strings in the context of SQL queries, but apparently some people are oblivious.

`SELECT * FROM USERS WHERE USERNAME = ${username}`

My username is ' ' OR 1=1;

Comments
  • 7
    That's because SQLi is not taught.

    Which is beyond stupid as it's not that hard to do some sanity checking and filtering (for legacy systems) or use prepared statements in new systems.
  • 5
  • 1
    It's the other way around. Increasingly fewer developers today learn about string interpolation and proper escaping. Most use frameworks that sometimes, in an attempt to foolproof, hide common responsibilities such as escaping.

    For example, the shift to prepared queries and templating languages that escape everything by default. "echo subject;" becomes "echo htmlescape(subject);".
  • 2
  • 0
    Doesn't EF6.3+ implicitly convert interpolated strings to escaped variables?
  • 0
    @kwilliams Typed strings can juggle in theory in any language on an interpolate operator, but that potentially makes things a lot worse eventually if people over-rely on auto typing in particular. A "clever" language can interpolate only when the string is actually used such that it has to be, and might then infer type, but there's a reason no one really bothers with that stuff.