this post was submitted on 19 Nov 2025
791 points (98.5% liked)
memes
18061 readers
2616 users here now
Community rules
1. Be civil
No trolling, bigotry or other insulting / annoying behaviour
2. No politics
This is non-politics community. For political memes please go to !politicalmemes@lemmy.world
3. No recent reposts
Check for reposts when posting a meme, you can only repost after 1 month
4. No bots
No bots without the express approval of the mods or the admins
5. No Spam/Ads/AI Slop
No advertisements or spam. This is an instance rule and the only way to live. We also consider AI slop to be spam in this community and is subject to removal.
A collection of some classic Lemmy memes for your enjoyment
Sister communities
- !tenforward@lemmy.world : Star Trek memes, chat and shitposts
- !lemmyshitpost@lemmy.world : Lemmy Shitposts, anything and everything goes.
- !linuxmemes@lemmy.world : Linux themed memes
- !comicstrips@lemmy.world : for those who love comic stories.
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Spot on.
As for the sanitisation, it can take many forms. Either characters that don't usually appear in the context for that field (in terms of names, you can usually scrub most parentheses, more than one hyphen in a row etc) can be removed; copy it to a known encoded field such as unicode to get rid of characters with unusual properties; and making sure bounds are enforced to avoid overflows.
It should mean that your data is exactly that - raw data, and not commands or operands for the interpreter to act upon.
Parameterisation entirely solves the problem without needing to sanitise the string
I don't disagree, but throwing out the concept of prepared statements and parameterisation to someone who has asked for an explanation of the Bobby Tables jokes is a bit heavy going.
Not entirely (I recall seeing some obscure CVEs some years ago), but it's a hell of a lot better than what some coders try to get away with.