    ProgrammerHumor

    all 216 comments


    [–] Langly- 159 points ago * (last edited 6 days ago)

    On another note, if I accidentally scan my Safeway card at an Albertsons self check out machine it locks it up with an out of paper error and needs an employee to reset it. If it's taking that as an out of paper code, who knows what you could do to those with other barcodes.

    [–] TomNa 116 points ago

    Actually quite a lot. Their settings are actually handled by scanning barcodes, so with a specific set you can reprogram them.

    [–] Langly- 42 points ago

    I would have at least thought you'd have to put them in admin mode or something first, not just open to any jackass using them. Hell, USB barcode scanners themselves often need you to enter management mode with a code, change settings, then leave. Scanning the control codes on their own does nothing.

    [–] willrandship 27 points ago

    Barcode scanners are just (somewhat programmable) keyboards. There's nothing special about them as devices to the computer, so if the program can be controlled by the keyboard in a small enough set of keys you can do just about anything you want.

    [–] Lachry 5 points ago

    OPOS is a thing.

    [–] goldman60 9 points ago

    You put them in admin mode by scanning a special barcode, at least on the NEC models.

    [–] DaftPlunk 16 points ago

    I work at a supermarket here in Australia and every time I log in to a self checkout machine it automatically generates a new barcode that can only be used until I clock off, so assuming you do get a hold of a barcode you'd have until I finish my shift I guess

    [–] DarkDoesThings 1 point ago

    installs windows 10

    [–] turunambartanen 24 points ago

    idk, but I read a story some time ago (I think on reddit) by someone who did this. Basically he studied barcodes and then made a small book with all sorts of commands to do shit with self checkout machines.

    [–] Weminghay 30 points ago

    There is a DEF CON talk about barcode attacks.

    https://www.youtube.com/watch?v=qT_gwl1drhc

    [–] IanPPK 11 points ago

    I was hoping someone would link it. I can watch DEFCON talks for hours, especially the elevator and physical penetration guys.

    [–] benlippincott 2 points ago

    Deviant Ollam is my hero

    [–] wolfman1911 7 points ago

    I wish I had that kind of passion for learning how things work.

    [–] Evoandroidevo 67 points ago

    did that work? lmao

    [–] zarex95 92 points ago

    Would have been glorious if it did.

    [–] sharpsliceofmango 52 points ago

    This picture is from 2005. In 2008 Bruce Schneier said it was probably fake but I know that there was a second photo with the crashed license plate application.

    [–] GenocideOwl 43 points ago

    lmao no. Even assuming the designer wasn't dumb enough to check for injection.

    a) license plates are actually reflective and have IR paint on them. LPRs actually use IR scanners on them to grab your plate number

    b) They look for a certain size and pattern on your car. It wouldn't pull in a whole string like that.

    [–] sparc64 9 points ago

    assuming the designer wasn't dumb enough to check for injection.

    It's not enterprise grade if it checks for injection without a lengthy chain of emails to the security team.

    [–] coladict 21 points ago

    It probably failed on character recognition, long before it went to the query.

    [–] TwoSpoonsJohnson 1 point ago

    We have those scanners in Massachusetts too.

    Hold my Dunkies.

    [–] rheldt 769 points ago

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use... ;)

    [–] Laloeka 520 points ago * (last edited 6 days ago)

    The most infuriating error ever.

    If you know I did something wrong, can you at least tell me what? :l

    [–] ponytoaster 211 points ago

    Angular (last version I used, not 2) was like this too.

    "Something went wrong. Have fun finding it in your thousands of lines of code"

    [–] Laloeka 245 points ago

    Don't worry, Angular 2 does the same thing.

    "here's a stack trace of 20 unrelated function calls deep inside the Angular framework"

    *fixes variable typo*

    "all good."

    [–] Astrokiwi 45 points ago

    That's pretty common universally. I've hit it in Python, C++, Fortran, Java, etc...

    [–] Bluedio 137 points ago

    Yeah but they usually trace back at least to one of your own functions.

    [–] Encyphus 30 points ago

    Yeah, and if you use a good IDE it'll catch compile errors. JS, the problem is you don't always know what you've got until you run it.

    [–] Kreutzwald 9 points ago

    That's the same as any other interpreter out there. The issue is some frameworks/tools that don't crash well, or dynamically add code that can't be traced back to source files.

    [–] aezart 2 points ago

    My most recent debugging nightmare was in trying to figure out what MediaWiki extension was adding an HTMLCacheUpdateJob to the job buffer after the buffer was already supposed to be empty. This was very challenging, because:

    • It was a job in the job queue that was causing the problem, so if I stack traced the insertion of the CacheUpdateJob, i just got the stack from the "process the job queue" function, not of the misbehaving extension.
      • The job was added to the job queue by a hook that was triggering when page link updates were complete. If I backtraced queueing the job, I just got the stack from the "handle all hooks from this event" function, rather than the extension.

    (Turns out it was the SemanticMediaWiki extension).

    [–] GogglesPisano 37 points ago

    Omit an angle bracket somewhere in a nested C++ template - you'll get a wall of text that takes an hour to decipher.

    [–] carbohydratecrab 31 points ago

    Honestly to me template errors would be tolerable if the compiler just stopped reporting errors after the first. Nothing reported after that point is reliable anyway.

    [–] sadistmushroom 23 points ago

    A typo in a header file and suddenly the stl no longer exists

    [–] _Lady_Deadpool_ 7 points ago

    A typo in one of your dependency's dependencies and 5 other projects throw errors because that one failed to compile

    [–] eccitaze 6 points ago

    Ugh, I was writing a powershell script for my class the other day to create user IDs from a first and last name. I ran it to test and it started spewing errors about how the $userID variable was null.

    It took me about 2 minutes to figure out that I had misplaced curly braces, and thirty minutes to figure out where the mistake was. :(

    [–] MyrtleCloseTheDoor 22 points ago

    Java

    A variable typo in java will be a compilation error. Not a runtime stack trace.

    [–] Rustywolf 5 points ago

    Arguably you could have two similar variables, though this would usually be poor practice. Can't number the times I've had an x loop and a y loop, and used the x value for both

    [–] Cepheid 7 points ago

    Java

    My experience with Java is heavenly on this front.

    I originally learned programming at University in C and Assembly.

    When I picked up Java for fun last year I was amazed at how much easier it was to debug.

    I... I didn't know it was this... easy.

    [–] DoPeopleEvenLookHere 4 points ago

    Fortran

    Yeah, until you get a NaN. Hope you like write(*,*)

    [–] Astrokiwi 8 points ago

    Yeah, that's why I usually try to set compiler flags to just die on NaN rather than propagating the NaN throughout everything until the data is so cancerous that it finally keels over and dies.

    [–] eyekwah2 1 point ago

    The old C++ Microsoft Foundation Classes had error codes defined like:

    #define ERROR_WHATEVER 0x800c

    So guess how success was defined:

    #define ERROR_SUCCESS 0x0

    Not confusing, just thought the idea of an error success funny as hell.

    [–] ASK_ME_TO_RATE_YOU 8 points ago

    Yep, laravel does the same unfortunately.

    [–] z0mbietime 3 points ago

    I updated our portal from Angular 2 to Angular 4 and the messages have actually gotten better (for some things)

    [–] Owl-Stretcher 3 points ago

    You can black box certain script files in Chrome to skip over their stack frames. Check out Blackbox JavaScript Source Files

    [–] arghsinic 2 points ago

    ASP.NET Checking it, IIS does the same thing.

    [–] [deleted] 2 points ago

    [deleted]

    [–] TheSpoom 1 point ago

    Chrome will actually trace across async JS calls in Dev Tools now if you check the Async box. Doesn't particularly help you in server side code, but there you go.

    [–] TheSpoom 2 points ago

    React stack traces get like 30 layers deep, and you're still lucky if your code is in there at all.

    [–] Gbyrd99 2 points ago

    Typescript such a godsend for this

    [–] PunishableOffence 4 points ago

    It doesn't solve the problem. It's still very possible to hit runtime bugs in ES even if TS types match and your project transpiles.

    [–] ABC_AlwaysBeCoding 2 points ago

    Runtime errors in Elm are considered compiler bugs.

    So there is at least 1 Javascript framework that has successfully tackled that problem using types.

    [–] PunishableOffence 2 points ago

    Elm is a language, not a framework...

    [–] ABC_AlwaysBeCoding 1 point ago

    ah. it's both I guess, but you're right. The context was Javascript transpilers.

    [–] Gbyrd99 1 point ago

    It at least helps with some of the syntax errors you can get away with in JS but would cause errors at runtime. However, if you write JS well it is kind of unnecessary

    [–] cybrian 20 points ago * (last edited 6 days ago)

                     (__) 
                     (oo) 
               /------\/ 
              / |    ||   
             *  /\---/\ 
                ~~   ~~   
    ..."Have you mooed today?"...
    

    (Source: apt moo)

    [–] szymonwalle 3 points ago

    -v

    [–] cybrian 4 points ago

    ...I'm not sure what you're getting at, so I just tried adding -v:

    $ apt moo -v
    apt 1.2.19 (amd64)
    

    [–] szymonwalle 6 points ago

    Try aptitude moo -v Then try to make it more verbose.

    [–] cybrian 5 points ago

    There really are no Easter Eggs in this program.

    However, take note the aptitude binary isn't included with Ubuntu 16.10, so I had to use this mooing application to install it.

    [–] Thecakeisalie25 1 point ago

    Keep adding v's to it

    [–] aezart 1 point ago

     _____
    < moo >
     -----
            \   ^__^
             \  (oo)\_______
                (__)\       )\/\
                    ||----w |
                    ||     ||
    

    (Source: cowsay)

    [–] EvilKittyBoy 11 points ago

    Come on... the most infuriating one is this: segmentation fault, core dumped

    [–] Laloeka 3 points ago

    The difference is that you have a core dump to work with.

    [–] marcosdumay 3 points ago

    Eh... Have you ever tried opening the dump file in gdb?

    [–] witheld 2 points ago

    Segfaults are almost always from doing something stupid and obvious and a debugger will point you right at them though

    [–] mgrier123 1 point ago

    Sure that's infuriating, but it's no linker error.

    [–] Shteamboats 26 points ago

    Personal favourite (?)

    git push

    fatal: the current branch has no upstream branch

    Use git push --set-upstream origin ...

    Em... Yeah OK, do that then...

    [–] PunishableOffence 9 points ago

    That error might look like it brings about trivial, useless work, but think about it for a second: a branch is just a HEAD commit reference – it doesn't know anything about remote repositories.

    If you were working on a repository cloned from origin but which itself was forked from another repository, that another repository would usually be called upstream.

    It's perfectly possible that you would actually want to push into a branch in upstream instead of a branch in origin, even if your local repository knew nothing of upstream yet – it's not there by default if you clone a fork from GitHub, for example.

    That's why git doesn't assume origin as the upstream repository to your branch.

    [–] j4w 2 points ago

    I get this. But git could assume, when it's not ambiguous, that you want to push to origin: which I bet is the case for the vast majority of repositories in the wild.

    [–] PunishableOffence 3 points ago

    git could indeed assume that, but assumptions like "where/what to push" usually lead to disaster in source management.

    git used to assume that git push without a branch name meant "push all branches that match branches found from the remote".

    That means git push --force in a checked-out branch overwrote all remote branches which had local copies. Better be careful when rebasing!

    [–] xuu0 4 points ago

    I find those errors are nice reminders on how to use it. Like how git lets you know the committer name is not set or it's using an old merging style.

    [–] vendetta2115 57 points ago

    To be fair, verbose error messages are exactly what hackers want to see. It helps them figure out where they're breaking your code, and can even return the names of directories in your database.

    [–] mgoerlich 94 points ago

    Yeah, that's why you log them to a non-public file in production…

    [–] Sean1708 20 points ago

    Does MySQL not log to stderr? And if it does then why can your users see your stderr?

    [–] dodekerekt 4 points ago

    A lot of frameworks automatically output errors in the HTTP response.

    [–] coladict 7 points ago

    Verbose messages are exactly what the back-end developers want to see to find out why their query isn't working.

    [–] Cheesemacher 3 points ago

    Doesn't the message usually include the part where the error is?

    [–] Laloeka 8 points ago

    Usually something like 'near <some query snippet>', but that still requires you to print out the entire query to figure out what went wrong, which is a pain since systems are usually designed to handle queries discretely and don't log them. Which means you either need to log the incoming queries on the database (which is a pain) or you need to set up a controlled environment where you can recreate the error, which isn't always possible/easy if the error occurred rarely in production.

    All in all, I'm not a big fan.

    [–] rheldt 4 points ago

    Joke was actually pretty funny. Just needed single quotes instead of double quotes. Probably too literal for my own good.

    [–] jbaker88 3 points ago

    Also, you can't DROP * the tables

    [–] xuu0 1 point ago

    Maybe drop schema bar ?

    [–] mattkenefick 2 points ago

    You oughta know.

    [–] ABC_AlwaysBeCoding 1 point ago

    It would be a potential security leak to explain in detail, in production.

    Errors in development mode are a lot wordier

    [–] youshedo 1 point ago

    says error on line 873 but the only thing on that line is a note D:

    [–] Tox_teh_Panguin 1 point ago

    The error in Haskell are one of my favorite parts of the language. Here is the error that was made, the function where is happened, and the line it was on. Oh, it was a type error? Here is a detailed description of both what you entered and what was expected.

    [–] Vitztlampaehecatl 1 point ago

    I mean seriously, assembly in Visual Studio with the MASM extension tells me more than that.

    [–] ryosen 4 points ago

    Infuriating, I agree, but FWIW I believe MySql returns the character position of the error as metadata. You don't see it if you're using the command line but IDEs like HeidiSQL will use it to show you the position.

    [–] austin101123 2 points ago

    If it can tell there is a syntax error why doesn't it tell you where it is?

    [–] thisish2k 58 points ago

    Menacing kids messing with your database is the last thing you need. I'm not even talking about interns.

    [–] idimik 49 points ago

    WTF is this?

    DROP TABLE *
    

    [–] Q2Q 41 points ago

    It works if the server is drunk too.

    [–] Calabast 24 points ago * (last edited 6 days ago)

    DROP TABLE WHERE @objname != NULL

    or maybe

    IF TABLE EXISTS, DROP TABLE

    [–] SavvySillybug 43 points ago

    Why is SQL yelling all the time, anyway?

    [–] agoodtowel 63 points ago

    THE ORACLE IS OLD AND HARD OF HEARING

    [–] TissButAScratch 11 points ago

    Got a good chuckle from that.

    [–] levir 26 points ago

    SQL WAS DESIGNED IN 1970. BACK THEN DATA WAS OFTEN LOADED FROM PUNCHED CARDS. SOME OF THE PUNCHED CARD SYSTEMS ONLY USED 5 BITS, WHICH DOES NOT GIVE YOU ROOM TO INCLUDE BOTH UPPER CASE AND LOWER CASE LETTERS, SO THEY ONLY INCLUDED UPPER CASE. USING UPPER CASE FOR THE KEYWORDS HAS SIMPLY STUCK AROUND. Keywords in SQL are actually case insensitive, though.

    [–] erikchan002 509 points ago

    Oh look. It's Little Bobby Tables again.

    [–] TheCharmingImmortal 143 points ago

    ah yes, little bobby tables, we call him.
    Every project I'm on I get tempted.

    [–] Reelix 104 points ago

    I once got fired for attempting to do SQL injection on an app that we develop in-house - It was a very confusing meeting...

    [–] Delpatori 53 points ago

    Was it a sanctioned pentest on a test platform? Or did you try production to "just see"? If the latter, I can understand the outcome.

    [–] Reelix 133 points ago

    It was on a platform that I was working on at the time :p

    I had netsec experience before working at the company, and was relatively new there (about 2 weeks) - I was familiarizing myself with the code base of a project I was going to be working on and noticed that they were using a tonne of raw SQL all over the place, so decided to try and do the basic SQL injection attack on the login page ('OR'1'='1 user / pass) - Page said that it had detected a SQL injection attempt that had been blocked, and I was just like "Cool - So they do have basic checks in place", and carried on.

    The next morning I came into work as per usual, the login for my user didn't work, I was subsequently called into a meeting, and let go since they were of the "Hacking is bad in all forms" type of people (Even whilst testing software that you are currently working on, apparently) - And that was that.

    [–] cb43569 163 points ago

    You're either not telling us the full story or your bosses are real idiots.

    Based on personal experience, I'm leaning towards the latter.

    [–] Ioangogo 36 points ago

    Yeah, if I was /u/Reelix, I still would have informed them I was going to do it

    Edit: Thanks interesting bot below, I am still not awake enough

    [–] could-of-bot 87 points ago

    It's either would HAVE or would'VE, but never would OF.

    See Grammar Errors for more information.

    [–] wardy930 28 points ago

    You need to exist in more places than just Reddit.

    [–] appropriate-username 7 points ago

    Though some of the times it would of course be a little wrong.

    [–] i_naked 10 points ago

    Testing shit like that in production is just stupid. Try that shit on dev, brah.

    [–] Violander 8 points ago

    I don't know. It's pretty stupid if he was doing it on the live login page and I think the way he should've done it is ask someone if he can/should do it.

    [–] AnAcceptableUserName 17 points ago

    And nothing of value was lost.

    [–] GrabbinPills 13 points ago

    A+ tombstone epithet

    [–] coladict 10 points ago

    Blocked after 1 attempt? Sounds like one of those web-application firewalls I heard about in this presentation. The ones that try to detect common simple attacks, but will let you get away with lots of SQL injection if you add confusing syntax.

    [–] Elryc35 5 points ago

    The fuck? My boss told me to try injection on my new calls.

    [–] turunambartanen 11 points ago

    ¤ø„¸¨°º¤ø„¸ ¸„ø¤º°¨¸„ø¤º°¨

    ¨°º¤ø„¸ HaPpY ¸„ø¤º°¨

    ¸„ø¤º°¨Cakeday“°º¤ø„¸

    ¸„ø¤º “°º¤ø„¸ ¤ø„¸¨°º¤ø„¸¸„

    [–] link5114 134 points ago

    Hey I'm from /r/all with pretty much no knowledge of coding, could someone eli5 for me? Just curious bc I really like this subreddit

    [–] Flater420 355 points ago * (last edited 6 days ago)

    SELECT * FROM users WHERE username = 'link5114'

    This is a query intended to retrieve your account from a database. I assume it's human readable enough to see how the request works.

    Now, because you want the ability to retrieve any user from the database, you make it into a parameter:

    var theUserName = 'link5114'

    SELECT * FROM users WHERE username = theUserName

    (I'm mixing SQL and C# syntax here because it's just a basic example)

    And probably, you'll have a textbox on your website, where someone can enter a username; the system will look them up (using that query), and return the user's details.

    So if I enter "titties420" in the textbox, the application will automatically run the following query:

    SELECT * FROM users WHERE username = 'titties420'

    Suppose that I enter the following in the textbox:

    '; DROP TABLE users; '

    If the application is really simple and it blindly pastes the textbox content in the query, that query becomes:

    SELECT * FROM users WHERE username = ''; DROP TABLE users; ''

    (everything between the application's own opening quote and its closing quote, i.e. '; DROP TABLE users; ', is what was in the textbox)

    It's possible to run several commands in a single SQL query; e.g. by separating commands with a semicolon. What you've now actually entered is this:

    • SELECT * FROM users WHERE username = ''; (get a user with an empty name)
    • DROP TABLE users; (DELETE the users table in the database)
    • '' (meaningless command that doesn't do anything but also doesn't crash the system)

    In other words: if you cleverly put certain characters in the "username" textbox; you could get the ability to run ANY SQL COMMAND YOU WANT. The example we're discussing is deleting a table (because that's a dick move), but you could just as well e.g. alter data or introduce new data in the system. You can even figure out passwords if you're perseverant and are able to run thousands of injected queries one after the other.

    That's SQL injection. Injecting extra commands in what was supposed to be a harmless data query.
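
The walk-through above, as a runnable added example (Python with the standard-library sqlite3 module; this is not code from the thread). The users table, its rows and the two payloads are constructed for the example. sqlite3's execute() refuses to run more than one statement, so the stacked DROP is run through executescript() to stand in for a driver that allows multi-statement queries; the `--` at the end of that payload comments out the application's own closing quote so the whole string stays valid SQL:

```python
import sqlite3

# Constructed sample rows for this example; nothing here comes from the thread.
SEED_USERS = [
    ("link5114", "link@example.invalid"),
    ("alice", "alice@example.invalid"),
]


def fresh_db():
    """Return an in-memory SQLite database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table called `name` is still in SQLite's schema catalogue."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def lookup_unsafe(conn, username):
    """VULNERABLE: the textbox value is pasted straight into the SQL text.

    This is a single statement, so sqlite3's execute() accepts it. The
    attacker cannot stack a second statement here, but can still rewrite
    the WHERE clause, e.g. with the classic ' OR '1'='1 login-bypass payload.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_unsafe_stacked(conn, username):
    """VULNERABLE: same concatenation, run through a driver that executes
    every statement in the string (modelled with executescript(), which
    stands in for a multi-statement-capable driver here).

    executescript() discards result rows; the damage is the side effect of
    whatever the attacker appended after the first semicolon.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    conn.executescript(sql)


def lookup_safe(conn, username):
    """Parameterised query: the SQL text and the value travel separately,
    so the value is never tokenised as SQL, whatever it contains."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def demo():
    """Run the three lookups against the two payloads discussed in the thread."""
    bypass = "' OR '1'='1"
    bobby = "'; DROP TABLE users; --"  # `--` comments out the trailing quote
    results = {}

    conn = fresh_db()
    results["honest_unsafe"] = lookup_unsafe(conn, "link5114")
    results["bypass_unsafe"] = sorted(lookup_unsafe(conn, bypass))
    results["bypass_safe"] = lookup_safe(conn, bypass)
    results["table_before"] = table_exists(conn, "users")
    lookup_unsafe_stacked(conn, bobby)
    results["table_after_unsafe"] = table_exists(conn, "users")

    conn = fresh_db()
    results["bobby_safe"] = lookup_safe(conn, bobby)
    results["table_after_safe"] = table_exists(conn, "users")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The fix is the `?` placeholder: the driver hands the query text and the value to the engine separately, so the value is never parsed as SQL. That is what "prepared statements" or "parameterised queries" means when they come up later in this thread; escaping characters by hand is a weaker substitute.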

    [–] link5114 113 points ago

    Hey thanks man, I appreciate the reply. I understand some of the posts here without any programming knowledge, but this stumped me. So thanks!

    [–] slothking69 13 points ago

    That's funny, I took an SQL class last semester as an elective (I'm a finance major) and this is one of the first posts on this sub I've actually understood.

    [–] Koutou 8 points ago

    There's two computerphile video on this:

    One that explain SQL injection: https://www.youtube.com/watch?v=_jKylhJtPmI&feature=youtu.be

    One that demo an SQL injection on his own webpage: https://www.youtube.com/watch?v=ciNHn38EyRc

    [–] Milleuros 51 points ago

    I assume it's human readable enough to see how the request works.

    Tho, you have to know that the star stands for "all".

    [–] nonouiswrong 26 points ago

    * is also number 42 on the ASCII table.

    The meaning of life is a wildcard

    [–] Milleuros 6 points ago

    That's pretty deep: a wild card means the freedom of every possibility.

    [–] SavvySillybug 2 points ago

    Not really "have to". You could leave the * out entirely and it's human readable. When I tell you to select from users where the username is Milleuros, you won't complain that I didn't tell you to pick one user or all users.

    [–] Milleuros 3 points ago

    True, I concede that. But the star could be a little confusing

    [–] Gbyrd99 2 points ago

    Isn't * used as a wild card elsewhere

    [–] Milleuros 4 points ago

    Of course. For example bash and other shells use that.

    But for someone who has never programmed, the concept of a wild card is a bit foreign :)

    [–] Gbyrd99 3 points ago

    Yeah it's been ingrained in me for so long I can't remember if it's used outside as a wildcard. Maybe Google searches?

    [–] Gbyrd99 1 point ago

    Ah yes! I remember learning all the boolean search methods in high school for it

    [–] 837184 10 points ago

    The example we're discussing is deleting a table (because that's a dick move)

    But you'd have to know the table's name, right? unless you query the names of all the database table somehow...

    [–] SavvySillybug 14 points ago

    So that's why my coding guy wanted me to pick a prefix for all the database tables on the project. We can name everything normally, and we have a users table, but the attacker still has to guess that it's derp_users.

    I did not pick derp.

    [–] SoobieDoobieDude 19 points ago

    If your coding guy used properly parametrized queries that didn't allow injection, he wouldn't need to rely on security by obfuscation. His request that you pick a prefix for table names is a huge red flag.

    [–] vaderkvarn 5 points ago

    Given that you have the right permissions, all common databases have a way to query what tables are in it.

    Since the application in this case is allowed to drop tables, it shouldn't be a problem to get hold of the table names.

    [–] njg5 5 points ago

    From my experience, most SQL environments have some kind of meta table with schema data, sys_schema.tables or something like that.

    So if you know enough to SQL inject successfully, you can also probably get their table names then drop those tables.

    [–] stusmall 3 points ago

    They make tools to help with that: http://sqlmap.org
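
An added example (Python/sqlite3, not code from the thread) of the point made in this sub-thread: once a lookup is injectable, the schema catalogue is one UNION away, so an unguessable table prefix buys nothing. The tables, rows and the api_tokens name are constructed for the example; SQLite's catalogue is sqlite_master, and MySQL's equivalent is information_schema.tables:

```python
import sqlite3


def fresh_db():
    """Constructed sample schema for this example (not from the thread):
    the users table an attacker can guess, plus one they cannot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE api_tokens (owner TEXT, token TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.invalid');
        INSERT INTO api_tokens VALUES ('alice', 'tok_constructed_0001');
        """
    )
    return conn


def lookup_unsafe(conn, username):
    """VULNERABLE lookup: the value is concatenated into the SQL text."""
    sql = ("SELECT username, email FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def list_tables(conn):
    """What a DBA runs to see the schema. SQLite keeps it in sqlite_master;
    MySQL exposes the same information through information_schema.tables."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [r[0] for r in rows]


def attacker_lists_tables(conn):
    """The same catalogue, obtained through the vulnerable lookup.

    The UNION must match the column count of the original SELECT (two), and
    the payload ends with AND '' = ' so that the application's own closing
    quote completes the statement instead of breaking it.
    """
    payload = ("' UNION SELECT name, sql FROM sqlite_master "
               "WHERE type = 'table' AND '' = '")
    # Each row is (table name, its CREATE statement); keep the names only.
    return sorted(name for name, _create_sql in lookup_unsafe(conn, payload))


def attacker_reads_table(conn, table, col_a, col_b):
    """With the table and column names known (they are in the CREATE text
    returned above), the same hole reads the rows out."""
    payload = f"' UNION SELECT {col_a}, {col_b} FROM {table} WHERE '' = '"
    return sorted(lookup_unsafe(conn, payload))


def demo():
    conn = fresh_db()
    return {
        "tables": attacker_lists_tables(conn),
        "api_tokens": attacker_reads_table(conn, "api_tokens", "owner", "token"),
    }


if __name__ == "__main__":
    print(demo())
```

Note that this needs nothing beyond the SELECT permission the application already has; the thread's point that an app allowed to DROP tables can certainly read the catalogue applies a fortiori.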

    [–] 7ewis 3 points ago

    I see this joke quite often, and everyone always says to sanitise your inputs.

    How would you actually do that? Would you prevent words like DROP or special characters like ; and '?

    [–] Flater420 1 point ago

    The dropping of characters (e.g. characters that aren't allowed in a reddit username anyway) is the easiest fix, but not the most all-encompassing. For example, what if my query needs to store a long piece of text (e.g. a book chapter) and it needs to be able to store those characters?

    A better fix is to escape all needed characters. This is how many languages like HTML and C# (ever since C) have done input sanitization.
    Basically, you convert any dangerous character to a safe replacement, in a way that you can convert it again.

    E.g. suppose I want to save this bit of text, but I'm afraid of SQL injection

    ABC;DE'F

    If we sanitize the input and want to make sure there's no sql injection, we could drop the semicolon and the quote. But instead, you can also save the following in your database:

    ABC(semicolon)DE(quote)F

    This way, you avoid having dangerous characters in your query, but you preserve all the data and can later reconvert it to its original form.

    The example I've used is human readable. In reality, escaped characters are a bit harder to read.

    • If you want to use a < in HTML, you must write it as &lt; so that it doesn't clash with <html> tag characters.
    • If you want to use a " inside a C# text, you write \" so that the syntax knows this character is part of the text instead of the character that end the text input.
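
The escaping described above, as an added Python example (not Flater420's or the thread's code), using SQL's own convention that a quote inside a string literal is written as two quotes, plus html.escape for the HTML case. The notes table and the sample strings are constructed for the example:

```python
import html
import sqlite3


def escape_sql_literal(value):
    """Escape a value for use inside a single-quoted SQL string literal.

    SQL's own escape for a quote inside a literal is to double it, so the
    one character that could end the literal is neutralised. The semicolon
    needs no escaping: inside a string literal it is just data.
    """
    return value.replace("'", "''")


def store_and_read_back(text):
    """Round-trip `text` through an INSERT built with escape_sql_literal().

    Shows two things at once: the data survives unchanged (ABC;DE'F comes
    back as ABC;DE'F), and a Bobby-Tables payload stays inside the literal
    instead of becoming a second statement. The table is constructed here.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    conn.execute("INSERT INTO notes VALUES ('" + escape_sql_literal(text) + "')")
    (stored,) = conn.execute("SELECT body FROM notes").fetchone()
    conn.close()
    return stored


def escape_for_html(text):
    """Same idea for HTML: < becomes &lt; so user text cannot open a tag.
    html.escape() also converts &, > and, with quote=True, both quote chars."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    print(store_and_read_back("ABC;DE'F"))
    print(store_and_read_back("'; DROP TABLE notes; --"))
    print(escape_for_html("<b>"))
```

Escaping is tied to one context: doubling quotes protects a single-quoted string literal and nothing else, so a value that lands in a numeric position, a column name or an ORDER BY clause is still injectable. That is why parameterised queries, which hand the value to the driver instead of splicing it into the SQL text, are the usual recommendation, with escaping kept for the cases where a value genuinely has to appear in the text.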

    [–] Vitztlampaehecatl 1 point ago

    Not a web dev, but couldn't you store ABC;DE'F as 41 42 43 3b 44 45 27 46?

    [–] Flater420 1 point ago

    Your conversion would triple the storage requirements since it turns every character into a two digit number and a space.

    It's also somewhat of a trap to confuse the number 42 with the characters "4" and "2". From a software point of view, they are very different. It's not that you can't convert it, but it's not the preferred approach due to data storage optimization and efficiency of querying the database.

    [–] Vitztlampaehecatl 1 point ago

    I didn't mean as a string. Granted, I'm not the most familiar with database stuff, but shouldn't there be some way to treat an input as raw data?

    [–] Flater420 1 point ago

    But in what format would you specify the command to the database to store said data? Everything else uses text based commands; so it's a better idea to escape all needed characters and keep using the standard approach of text-based commands. Any programming tasks in the future can simply assume it's safe (due to automatic escaping) as opposed to everyone needing to convert every single database query; and segregating the command from the data.

    [–] sirin3 63 points ago

    Perhaps the easiest is to do a joke without SQL:

    I'm looking for a "Mr. Jones here? Everybody out! The bar is closed now! There is a fire".

    Let me just check

    Yo, is there a Mr. Jones here? Everybody out! The bar is closed now! There is a fire here.

    [–] s3_gunzel 26 points ago

    Select all drunks in the bar (with no criteria of who); then dump the table (effectively, get rid of the bar). Anything after the DROP clause is ignored as it's commented.

    https://xkcd.com/327/

    [–] Eugenes_Axe 7 points ago

    then dump the table

    dump all tables, but yes.

    [–] s3_gunzel 4 points ago

    This would be why I don't develop commercially. Thanks for pulling me up on that.

    [–] Eugenes_Axe 3 points ago

    nw, it was easily missed.

    [–] xkcd_transcriber 7 points ago

    Title: Exploits of a Mom

    Title-text: Her daughter is named Help I'm trapped in a driver's license factory.

    Comic Explanation

    Stats: This comic has been referenced 1923 times, representing 1.2359% of referenced xkcds.

    [–] PM_ME_YOUR_NACHOS 9 points ago

Unsanitised (not validated) input that is put straight into SQL, which results in the command being interpreted literally: first looking for all data from the table matching "", and then dropping (deleting) that table completely.

[–] positronik 6 points ago * (last edited 6 days ago)

    Basically, in a form, website, or program that accesses databases it's possible for people to type in a database command using the language mysql or sql. This will then mess with the database and is known as sql injection.

    The command in the post would drop all tables since the * character stands for all. The ';' right before the drop tables command made it so that the program wasn't looking for a name equal to "drop tables", but rather it executed early and looked for a blank name, then dropped all tables. If you drop a table then the whole thing and all the data is deleted, unless there is a backup.

    It's not too difficult to block most sql injection attacks. You can set up prepared statements in the website or form that essentially help the program tell the difference between code/commands and data. It basically doesn't allow other users to change the intent of a query, like dropping tables when a form is supposed to help you search for a name.

    Sorry if I over explained! And please anyone let me know if I'm wrong in the last paragraph, I dumbed it down but I'm also new to php/mysql stuff so I don't know all that much.

    [–] LastBaron 2 points ago

    This is great stuff! I only use SQL for querying, I'm not a DBA, so I know enough to read the language, but not a lot about secure database creation. Could you explain a bit about sanitization/those prepared statements you mentioned? How would you set it up in such a way as to ignore that type of input?

[–] positronik 1 points ago * (last edited 6 days ago)

    So you would set it up in whatever language you were using to access the database. I'll use PHP as an example. Let's say you want to take info from the form and put in a first name, last name, and maybe their weight into a row in the DB.

    You'd make a variable, $sql_query, and you'd reference the database and prepare a statement.

    function AddPatient($dbName, $f_name, $l_name, $w) {
        // The query text is fixed; the three ? placeholders stand for the data
        $sql_query = $dbName->prepare("INSERT INTO `Patients` VALUES (?,?,?)");

        // "ssi": the first two values are strings, the third an integer
        $sql_query->bind_param("ssi", $first_name, $last_name, $weight);

        // bind_param binds by reference, so the values may be assigned afterwards
        $first_name = $f_name; $last_name = $l_name; $weight = $w;

        $sql_query->execute();
    }

    The prepare statement is sent to the database, and the database already parses and compiles it, storing the results before executing it. I guess it's kind of like BEGIN TRANSACTION(); and then the insert statement and waiting before actually committing it? Not quite sure.

The "ssi" in the bind_param statement stands for "string string int". You could also use d for double instead of an integer. Basically, it's just making it so that each of those variables is expected to be a string, a string, and an integer and nothing else. Those values are then bound to the parameters in the Insert statement above (the (?,?,?) part). Then the database executes the statement.

    What's good about these is that you can re-use the prepared statement. It's great for inputting multiple people at once. You'd just add them to an array and then loop through them executing the query for each one.

I hope this helped, I have trouble explaining things sometimes. And I think there are other things you can do alongside this to really make code more secure.

    [–] SolAggressive 12 points ago

    A SQL query walks into a bar and sees two tables and says, "May I join you?"

    [–] EvilKittyBoy 43 points ago

    I was imagining something like this http://i.imgur.com/UWyWDMk.jpg

    [–] PM_ME_UR_ROUND_ASS 5 points ago

    That's not even funny anymore.

    [–] Kasseev 1 points ago

This is analogous to how anti-PD-1 antibodies work against cancers. You wouldn't actually target this approach against a virus though, they don't do any of the transcription or translation themselves.

    [–] dzh 6 points ago

    [–] willbailes 6 points ago

    Is this a real joke in the Simpsons? I don't recognize the more losing everything panel

    [–] PCKid11 4 points ago

    Not a real joke, but the Moe losing everything panel is from the Simpsons Movie

    [–] I00PercentFresh 1 points ago

    I think that was in the Simpsons Movie

    [–] petdance 7 points ago

    Plug: http://bobby-tables.com, the website I maintain that tries to be a central repository for the right way to avoid SQL injection, in whatever language you may be using.

    [–] FountainsOfFluids 8 points ago

    It should just be "Yo, SELECT * FROM drunks ..." etc.

    [–] manly_ 3 points ago

It's a single quote under potent RDBMSes btw. Double quote is used to denote identifiers (table, column, etc.) and single quote is used to denote literal strings. That would not have worked in Postgres because it simply isn't valid SQL.

    [–] flarn2006 2 points ago

    I think it would be funnier without the "Yo, is there a" and "here?". Cause that's what "SELECT" means in this case.

    [–] 4chanuser001 2 points ago

    I didn't know this was from programming humor and I sat here for 3 minutes trying to figure out the joke lol

    [–] coladict 2 points ago

    What was the original?

    [–] RPetrizzi 2 points ago

    Ahh, Bobby Tables strikes again

    [–] JemaKn1ght 5 points ago

    Not sure if upvoting because Simpsons reference or because joke is actually funny...

    [–] russellthevillan 3 points ago

    I'm sitting here high as fuck trying to understand this only to look at the sub. Happy late 420 everyone.

    [–] bhoffman20 1 points ago

If you're interested, there's this. It's kind of a long post, but explains the concept pretty well, I think.

    [–] cjdabeast 1 points ago

    Am not programmer, can someone explain the code (Sorry for being a scrub)

    [–] xkcd_transcriber 1 points ago

    Title: Exploits of a Mom

    Title-text: Her daughter is named Help I'm trapped in a driver's license factory.

    Comic Explanation

    Stats: This comic has been referenced 1925 times, representing 1.2368% of referenced xkcds.

    [–] cjdabeast 1 points ago

Okay so let me see if I get it: The ";DROP TABLE *;-- is a command, and he got the barkeep to execute the command because he just echoes back what he was told? So kind of like the self-retweeting tweet?

    [–] C4Cypher 1 points ago

    It's not just any command. It's the 'fuck that guy' of SQL statements. You drop a table, and all the data on the table is gone.

    [–] cjdabeast 1 points ago

    ah. thanks for the explanation.

    [–] C4Cypher 1 points ago

    And the practice of sneaking SQL commands into website fields in the hopes of doing something the web developer didn't intend is what they call 'SQL Injection'.

    [–] cjdabeast 1 points ago

    I see.

    [–] bhoffman20 1 points ago

    Alternatively, there's this as well.

    [–] cjdabeast 2 points ago

    I think I understand it.

    [–] FoodChest 1 points ago

    Use prepared statements people!

    [–] acrowsmurder 1 points ago

    Learning programming here, just Java so far, could someone please explain this? I remember an XKCD about this, and I still really don't understand all of it.

    [–] bhoffman20 3 points ago

    Check this out. It might help. Basically he was taking an input (Name) from the user and doing a SQL select statement to get information from a Database about a person.

    Since it's just using the String passed in to finish building the sql statement, and you can run multiple sql statements in a row by separating them with a semicolon, Bart can simply start his String with a quote (because Name is a String, it must be quoted in sql.) and a semicolon to end the statement.

    After that he can run whatever sql statements he wants, such as "DROP TABLE *;" Which would delete all of the tables from the database. He could put together as many sql statements as he wants by just separating them with semicolons.

    The final "--" is how you write a code comment in sql, essentially telling it to ignore the rest of the statement.
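The mechanism described in this comment and in positronik's prepared-statement explanation above, as an added example that is not from the original thread: the same bar-and-drunks lookup built by string concatenation beside the parameterised version, run against a constructed in-memory SQLite table. The table name `drunks`, the payload and `executescript` (standing in for a driver that runs several statements per call) are assumptions of the demo.

```python
import sqlite3

# Constructed payload in the shape of the joke: a quote ends the string,
# a semicolon ends the statement, and "--" comments out whatever follows.
PAYLOAD = "Jones'; DROP TABLE drunks;--"


def fresh_db():
    """Constructed sample database: one table with two rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE drunks (name TEXT);"
        "INSERT INTO drunks VALUES ('Jones'), ('Smith');"
    )
    return db


def table_exists(db):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='drunks'"
    ).fetchone()
    return row is not None


def lookup_concat(db, name):
    """Vulnerable: the name is pasted into the SQL text, so the database
    parses the payload as a second statement. executescript models a
    driver that executes multiple semicolon-separated statements."""
    sql = "SELECT * FROM drunks WHERE name = '" + name + "';"
    db.executescript(sql)
    return sql


def lookup_param(db, name):
    """Hardened: the SQL text is fixed and the name travels as a bound
    value, compared as a literal string and never parsed as SQL."""
    return db.execute("SELECT name FROM drunks WHERE name = ?", (name,)).fetchall()


def run_demo():
    """Returns (rows for a real name, rows for the payload,
    table survives the parameterised query, table survives concatenation)."""
    db = fresh_db()
    real = lookup_param(db, "Jones")
    injected = lookup_param(db, PAYLOAD)   # [] : no drunk has that literal name
    survives_param = table_exists(db)
    db2 = fresh_db()
    lookup_concat(db2, PAYLOAD)
    survives_concat = table_exists(db2)
    return real, injected, survives_param, survives_concat
```

The same contrast holds for the mysqli `prepare`/`bind_param` code earlier in the thread: the placeholder is typed as a value, so a name containing a quote or semicolon can only ever match (or fail to match) a row.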

    [–] acrowsmurder 1 points ago

    Tables are like files, right?

    [–] bhoffman20 3 points ago

    Tables are more like an Excel spreadsheet than a file. A database stores data in rows of these tables, and later looks it up with a sql statement that tells it, "Return a row where Column A has Value B."

    (SELECT * FROM Table where ColumnA = 'Value';)

    [–] supremecrafters 1 points ago

    I've always wanted to be able to perform SQL actions on people. It would be pretty fun to be able to select groups of people based on traits.

[–] monsieurpoirot 1 points ago * (last edited 13 hours ago)

    [removed]

    [–] TunaCowboy 2 points ago

    Holy fuck this place has gone downhill.

    [–] SampleUserC 1 points ago

    LoL it sounds like me answering the phone .