• GBU_28@lemm.ee
    link
    fedilink
    English
    arrow-up
    80
    arrow-down
    2
    ·
    11 months ago

    No closing semicolon, anyone got any extras to throw on this thing?

    • Moops@lemmy.world
      link
      fedilink
      English
      arrow-up
      18
      arrow-down
      1
      ·
      edit-2
      11 months ago

      At the very least I’d try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.

      WHERE UPPER(TRIM(behavior)) = ‘NICE’

      Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I’d rather see if there was a methodology using code values or existing indicators instead of a string, but that’s often just wishful thinking.

      Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)

      (This is my favorite Xmas meme lol)

    • pruwyben@discuss.tchncs.de
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      11 months ago

      Need to normalize the database. I would add a join to a BehaviorTypes table.

      Edit: or, if the only options are naughty or nice, make it a boolean.

    • krotti@sh.itjust.works
      link
      fedilink
      arrow-up
      4
      ·
      11 months ago

      Honest question, which ones wouldn’t it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?

      • GBU_28@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        2
        ·
        11 months ago

        Other reply s accurate but it’s always a good practice to include the semicolon else you can get

        “Bobby tables’ed” look that xkcd comic up

        • Doc Avid Mornington@midwest.social
          link
          fedilink
          English
          arrow-up
          8
          ·
          11 months ago

          I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

          • GBU_28@lemm.ee
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            edit-2
            11 months ago

            Yep it would only work if you didn’t sanitize a user input string in this case ‘nice’

            They could write ‘’; drop table blah;

      • jaybone@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        11 months ago

        Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.

    • takeda@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      11 months ago

      You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.

      • mellejwz@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        If you don’t use a semicolon directly in MySQL it won’t do anything until you add it.

        • takeda@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          11 months ago

          In the MySQL client console where you can run multiple commands.

          If you add semicolon in language library commands such as fetch() you will get an error.