this post was submitted on 19 Nov 2025
memes
`')` closes the input for the original SQL statement. So the actual input would be "Robert", but it's not really important for this kind of attack.

`;` says that the statement is over and anything after is a new statement.

`DROP TABLE customer;` is that new statement, which deletes a table with the name "customers".

`--` is the syntax for an SQL comment. It effectively makes sure that any other SQL statements in the actual script get ignored, so you don't get a compile error.

This is an effective attack for when some programmer uses unsanitized string insertion in their SQL script. In this case I could imagine a statement like:

`SELECT id FROM users WHERE name == {user_input};`

where `{user_input}` is the literal, unsanitized input that you give on the website. Notice that in this case, the `')` doesn't do anything, but it just becomes part of the input, so that is now "') Robert".

The obvious parade here is to be semi-illiterate when you create your database and name your field "costumer"
Spot on.
As for the sanitisation, it can take many forms. Either characters that don't usually appear in the context for that field (in terms of names, you can usually scrub most parentheses, more than one hyphen in a row etc) can be removed; copy it to a known encoded field such as unicode to get rid of characters with unusual properties; and making sure bounds are enforced to avoid overflows.
It should mean that your data is exactly that - raw data, and not commands or operands for the interpreter to act upon.
Parameterisation entirely solves the problem without needing to sanitise the string
I don't disagree, but throwing out the concept of prepared statements and parameterisation to someone who has asked for an explanation of the Bobby Tables jokes is a bit heavy going.
Not entirely (I recall seeing some obscure CVEs some years ago), but it's a hell of a lot better than what some coders try to get away with.
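The string-insertion bug explained in the first comment and the parameterisation fix mentioned later, side by side as an added example (not code from anyone in the thread). It uses an in-memory SQLite database with a constructed `customers` table and a constructed Bobby Tables style payload; `executescript()` stands in for a database driver that allows several statements in one call, which is an assumption about the vulnerable setup rather than something the thread states.

```python
import sqlite3

# Constructed payload in the spirit of the joke discussed above.
PAYLOAD = "Robert'); DROP TABLE customers;--"


def fresh_db():
    """Create an in-memory database with a small constructed customers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customers (name) VALUES (?)",
                    [("Alice",), ("Robert",)])
    con.commit()
    return con


def table_exists(con, table="customers"):
    """True if the named table is still present in the schema."""
    row = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,)).fetchone()
    return row is not None


def lookup_unsafe(con, user_input):
    """Vulnerable: the input is pasted into the SQL text, so quote, semicolon
    and comment characters in it are interpreted as SQL. Returns the SQL that
    was actually executed so the reader can see the injected statements."""
    sql = f"SELECT id FROM customers WHERE name = ('{user_input}')"
    # executescript() runs every statement in the string, like a driver
    # with multi-statement support would (assumption for the demo).
    con.executescript(sql)
    return sql


def lookup_safe(con, user_input):
    """Parameterised: the driver sends the input as a bound value, so it can
    never be read as SQL. The payload is just a name nobody has."""
    rows = con.execute(
        "SELECT id FROM customers WHERE name = ?", (user_input,)).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = fresh_db()
    print(lookup_safe(con, "Robert"))        # [2]
    print(lookup_safe(con, PAYLOAD))         # []  table untouched
    print(lookup_unsafe(con, PAYLOAD))       # the executed SQL
    print(table_exists(con))                 # False  table was dropped
```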