Ah yes, little Nell=%00\u0000’\0’“”‘0’0x000x30’';
Nellie Null we call her.
She and her cousin Bobby Tables love to scamper around, but they are good kids. They would never break anything intentionally
Mandatory xkcd:
NULL!= ‘NULL’How do devs make this mistake
Code is easy in a vacuum. 50 moving parts all with their own quirks and insufficient testing is how you get stuff like this to happen.
How do devs make this mistake
it can happen many different ways if you’re not explicitly watching out for these types of things
example let’s say you have a csv file with a bunch of names
id, last_name 1, schaffer 2, thornton 3, NULL 4, smith 5, "NULL"if you use the following to import into postgres
COPY user_data (id, last_name) FROM '/path/to/data.csv' WITH (FORMAT csv, HEADER true);number 5 will be imported as a string “NULL” but number 3 will be imported as a NULL value. of course, this is why you sanitize the data (GIGO) but I can imagine this happening countless times at companies all over the country
there are easy fixes if you’re paying attention
COPY user_data (id, last_name) FROM '/path/to/data.csv' WITH (FORMAT csv, HEADER true, NULL '');sets the empty string to NULL value.
example with js
fetch('/api/user/1') .then(response => response.json()) .then(data => { if (data.lastName == "null") { console.log("No last name found"); } else { console.log("Last name is:", data.lastName); } });if
dataisdata = { id: 5, lastName: "null" };then the if statement will trigger- as if there was no last name. that’s why you gotta know the language you’re using and the potential pitfalls
now you may ask – why not just do
if (data.lastName === null)instead? But what if the system you’re working on uses
JSON.parse(data)and that auto-converts everything to a string? it’s a very natural move to check for the string"null"obviously if you’re paying attention and understand the pitfalls of certain languages (like javascript’s type coercion and the particularities of
JSON.parse()) it becomes easy but it’s something that is honestly very easy to overlookLike you said, GIGO, but I can’t say I’m familiar with any csv looking like that. Maybe I’m living a lucky life, but true null would generally be an empty string, which of course would still be less than ideal. From a general csv perspective, NULL without quotes is still a string.
If “NULL” string, then lord help us, but I would be inclined to handle it as defined unless instructed otherwise. I guess it’s up to the dev to point it out and not everyone cares enough to do so. My point is these things should be caught early.
I’ll admit I’m much more versed in mysql than postgres.
“True”
It’s baffling to me. Maybe I’m just used to using “modern” frameworks, but the only way this could be an issue is if you literally check if the string value equals “null” and then replace it with a null value.
lastName = lastName.ToUpper() == "NULL" ? null : lastName;Either that or the database has some bug where it’s converting a string value of “null” into a
null.That is something I’ve had to do on rare occasions because people set up and store info in stupid ways…
How do devs make off by one mistakes.
The most common source of security vulnerabilities is memory corruption and off by one errors.
(to make the joke more obvious)
The two most common sources of security vulnerabilities are buffer overflows, use-after-free, and off-by-one errors.
Lmao, I knew a guy from grade school with the last name Null.
Friend of little Bobby I presume
I was NaN years old when I learned this.
It’s funny because I also learned on [Object object].
And here I am at undefined years old, learning for the first time.
I’m a year old undefined and I find it [redacted]
I’ve been doing web development for something like 20 years now and I just can’t imagine how shitty your backend is if this is an issue.
As a backbend dev, I blame DBAs. We were forced to support CSV imports from out support team so they could fix data issues on their own, and now we have some wonky data in prod…
Yeah that’s a whole other can of worms. I see this a lot at work where people are asking for direct database credentials and cringe every time.
Lately I’ve been dealing with tons of invalid byte sequences in MySQL dumps and it makes me question what the hell they’re allowing in there.
This was my thought as well, sanitize your inputs! Are they not quoting/casting to string before input?
Unless you’re coding from scratch it’s hard to not do this with any modern framework.
Unless you’re coding from scratch it’s hard to not do this with any modern framework.
I think that word modern is doing a lot of heavy lifting there.
A lot of systems simply aren’t modern. There’s always that mentality of “well, it’s been working for the last 12 years, let’s not mess with it now”, despite all the valid objections like "but it’s running on Windows2000” or “it’s a data breach waiting to happen”…
Is it though? I haven’t used a framework since probably 2007 that doesn’t do this. There are the smaller, more DIY frameworks out there but I’ve never used them professionally.
What is a data beach?
Thanks, I missed that
Legacy systems still handle more traffic than modern ones, I’d wager
And it’s probably not seen as urgent enough an issue to need replacing the whole system for.
any govt system.
A couple years ago I wanted to write a simple website with SQL injection vulnerability, so I could demonstrate sqlmap to someone
It was surprisingly difficult (and every fiber in my body screamed)
Imagine how hard it is to be this bad. Yet still people manage to do it.
Word press code, and plugins, do not sanitize out of the box. You have to call an additional function, each time, that is not provided automatically. Many home made plugins miss that; many popular plugins used to be home made ones
Wordpress is a sin against mankind.
Let’s take a blog and slap a whole e-commerce system on it through a plugin and let it auto translate with another one, what could go wrong. wait why is everything so slow, oh i need additional plugins for caching and one more for functionality XYZ why is everything broken now?!?
Edit: Sorry, my app had a hiccup and posted my comment several times
Maybe your app is based on WordPress :'D
Yet here we are, it and the plugins handle too much of my daily traffic. It’s easy to dismiss the piss poor coding, but is done at our peril.
Everyone of us has personal data stored in those God awful plugins, in their thousands of basic security holes
deleted by creator
deleted by creator
deleted by creator
deleted by creator
deleted by creator
It happened to a friend who wasn’t passing in the proper types into their stored procedures, all strings, and “null” (not case sensitive) conflicted with actual null values. Everything in the web interface were strings, and so was null.
For some people it takes this mistake before they learn to always care about the data types you’re passing in.
With LLM coding increasing, it might be going up. Idk am no pro, just worried.
Tangential, but I find it hilarious how Gemini’s syntax fucks up all the time.
I ask it to change my light called “CX2” to red. It complies, like usual, and it reads Okay, changing “CX2” to red., but what it says out loud is Okay, changing "CX two inches to red.
/me changes name to
'); DROP TABLE STUDENTS; --.Oh. Yes. Little Bobby Tables, we call him.
Dammit, Bobby!
That boy ain’t right
Are there character escapes for SQL, to protect against stuff like that?
Only noobs get hit by this (called SQL injection). That’s why we have leads review code…
Yes but it’s a dangerous process. You should use paramatrized queries instead.
Yup, then it becomes a front-end problem to deal with wonky input. As a backend dev, this is ideal, just give me data and I’ll store it for ya.
Use parameters, that way data and queries are separate.
Input sanitization typically handles this as a string that only allows characters supported by the data type specified by the table field in question. A permissive strategy might scrub the string of unexpected characters. A strict one might throw an error. The point, however, is to prevent the evaluation of inputs as anything other than their intended type, whether or not reserved characters are present.
My academic advisor in college was named Null
Even I kept running into trouble because the system thought I didn’t have a registered advisor.
I have never seen this happen, and I don’t know what tools would confuse the strings “null” or “Null” with NULL. From the comments in this thread, there are evidently more terribly programmed systems than I imagined.
Two likely reasons:
- CSV got involved somewhere
- JavaScript
As long as there’s javascript somewhere, anything can happen
Sounds like a promise of magic!
Shit happens, mistakes are sometimes made. Valve once had code that could delete your entire drive.
I’m pretty sure at least some of the university’s systems were designed by students.
How about XÆa-12? Asking for a friend.
Knew a guy who had the license plate ‘NULL’ and he was telling me how he never got a toll bill or red light ticket.
The article talks about a guy with a “NULL” license plate who gets tons of tickets for things he didn’t do so probably not the best plan
Yep. For the curious, any time a license plate photo couldn’t be fully read by the automated system, it was marked as “NULL” and he was flagged as the driver. So every single red light camera and speeding camera in the area was sending him to court every day.
It got worse than this, the ticketing company really wanted to get the money from him so when he got hold of a copy of the records and pointed out that one ticket was for a completely different car they modified the records on their end to change the make of car so it would match his. iirc he only got out of it because he had paper copies.
Isn’t that falsifying legal documents? In many countries that would land you in jail? Am I wrong, did the people really run that risk?
Don’t they have to prove it with a photograph? In GermanyI’d laugh in theirface withput a photograph as evidence.
Hey AI can you swap this 2015 corolla with a green 2019 Mazda 2.
Keep the license plate the same!
And remember THERE ARE FOUR PASSENGER DOORS NOT 6
What about X Æ A-Xi? lol
Hey leave the danish alphabet alone 😂
ahha its also used in Norwegian, Icelandic, and Faroese. :D
The languages are often comparable, we share some of the same sounds; the letters are a little different, but sound the same. In Danish “Æ” resembles Swedish/Finnish/Estonian “Ä”.
While Danish have “Å” it is sounds a little different
To give you an example where the letter “Æ” makes sense, could be in the word “exactly”. It sounds like it should have been spelled “Æxactly” because it’s not really a true “E” sound. It really is just A+E and is kinda pronounced that way. :-)
Hehe in Dutch the word “exactly” would be pronounced ‘ikzaaklie’ in Dutch, but that doesn’t help you either haha. Meaning the ‘e’ is more a ‘i’. The Dutch word for exactly is actually “precies”.
