Comments
C0D4: That's because SQLi is not taught.
Which is beyond stupid as it's not that hard to do some sanity checking and filtering (for legacy systems) or use prepared statements in new systems.
It's the other way around. Increasingly fewer developers today learn about string interpolation and proper escaping. Most use frameworks that sometimes, in an attempt to be foolproof, hide common responsibilities such as escaping.
For example, the shift to prepared queries and templating languages that escape everything by default. "echo subject;" becomes "echo htmlescape(subject);".
@kwilliams Typed strings can juggle in theory in any language on an interpolate operator, but that potentially makes things a lot worse eventually if people over-rely on auto typing in particular. A "clever" language can interpolate only when the string is actually used such that it has to be and might then infer type, but there's a reason no one really bothers with that stuff.
I thought most developers were aware of the dangers of interpolating variables into strings in the context of SQL queries, but apparently some people are oblivious.
`SELECT * FROM USERS WHERE USERNAME = ${username}`
My username is ' ' OR 1=1;
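To show concretely what the rant's query template does with that username, and the two fixes C0D4's comment mentions (prepared statements for new code, escaping for legacy code), here is an added example in Python with sqlite3. It is not code from the rant or from devRant: the users table and its two rows are constructed test data, the query template mirrors the rant's one (including the missing quoting around the placeholder), and the username is the rant's own input.

```python
import sqlite3

# Constructed sample data for this demo; not from the rant.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# The exact username given in the rant.
RANT_INPUT = "' ' OR 1=1;"


def make_db():
    """Build an in-memory users table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_interpolated(conn, username):
    """The rant's pattern: the value is pasted straight into the SQL text.

    Mirrors `SELECT * FROM USERS WHERE USERNAME = ${username}`, with no
    quoting around the placeholder, so whatever the caller passes is parsed
    as SQL rather than compared as a value.
    """
    query = f"SELECT username FROM users WHERE username = {username}"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn, username):
    """Prepared statement: the value travels separately from the SQL text,
    so the database compares it as data and never parses it as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


def sql_quote(value):
    """Legacy-style escaping for code that cannot be moved to parameters:
    wrap in single quotes and double any embedded single quote (standard
    SQL). Some dialects need more than this, so prefer parameters."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, username):
    """Same interpolated query, but the value is quoted and escaped first."""
    query = f"SELECT username FROM users WHERE username = {sql_quote(username)}"
    return sorted(row[0] for row in conn.execute(query))


if __name__ == "__main__":
    db = make_db()
    print("interpolated: ", lookup_interpolated(db, RANT_INPUT))   # every user
    print("parameterized:", lookup_parameterized(db, RANT_INPUT))  # []
    print("escaped:      ", lookup_escaped(db, RANT_INPUT))        # []
```

With the rant's input, the interpolated query becomes `SELECT username FROM users WHERE username = ' ' OR 1=1;` and returns every row; the parameterized and escaped versions return nothing, because the whole string is compared as a username. Note also that the unquoted template cannot even look up a normal username: passing `alice` to `lookup_interpolated` makes SQLite read `alice` as a column name and raise an error, so the only inputs that "work" with that template are ones that supply their own quotes.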
rant
incompetence
sqlinjection
idiots