• GBU_28@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    2
    ·
    1 year ago

    Other reply s accurate but it’s always a good practice to include the semicolon else you can get

    “Bobby tables’ed” look that xkcd comic up

    • Doc Avid Mornington@midwest.social
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 year ago

      I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

      • GBU_28@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        edit-2
        1 year ago

        Yep it would only work if you didn’t sanitize a user input string in this case ‘nice’

        They could write ‘’; drop table blah;

    • krotti
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Wouldn’t that still apply, if you can inject straight SQL, such as “query’ OR 1=1?”