Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
I came in to my rather new team 3 months ago as a php developer and had to start coding in python instead, and all of my 4 new coworkers were quite sufficient in python (or so they claimed) due to working with it for years. When I looked into the database handler they had built it had no support for prepared statements, so when I asked them about it they didn't even know that was a thing. They were preformatting all of their queries for all these years, in production. And they are all at least 10 years older than me with that much more experience as well. I got quite scared for the company's future after that.
-
thoxx19778y@sebh0602
This can cause SQL Injections. You can end and modify SQL Statements to the Database via injected Strings (Parameters/Placeholders can prevent Injections and most OR-Mappers are doing this internally) -
Xenotoad508y@sebh0602
Imagine your code looks like this:
db.query("INSERT INTO Students VALUES ('" + name + ');");
Then your friendly neighborhood school tries to add your kid named
Robert'); DROP TABLE Students;--
Well, then the query you run winds up looking more like this...
INSERT INTO Students VALUES ('Robert'); DROP TABLE Students;--');
You can probably guess what a semicolon does, what DROP TABLE is, and that "--" is a SQL comment...
Related Rants
And they still don't learn 😑
undefined
python
sql injection