Comments on: SQLAuthority News – SQL Injection – SQL Joke, SQL Humor, SQL Laugh

By: Shatrughna Kumar

Shatrughna Kumar — Tue, 23 Aug 2011 11:27:18 +0000

Good one.
I really enjoyed it.

By: Madhivanan

Madhivanan — Fri, 14 May 2010 13:01:21 +0000

Search for SQL injection in google/bing

By: Madhivanan

Madhivanan — Fri, 14 May 2010 13:00:31 +0000

Thats cool. I have seen lot of people referring that

Here is an approach with derived table that avoids sql injection
http://beyondrelational.com/blogs/madhivanan/archive/2010/05/14/derived-table-new-approach-to-avoid-sql-injection.aspx

By: pramod

pramod — Tue, 21 Jul 2009 07:09:47 +0000

hey really good one. Provides better understanding about the sql injection.

By: deeno

deeno — Fri, 27 Feb 2009 00:03:53 +0000

THAT was FUNNY!!! If I had a nickel for every time I fixed a database where the only ‘real’ problem was user inputs… I would have more money than Bill Gates!

By: Iceman

Iceman — Thu, 19 Feb 2009 11:45:08 +0000

Lol, even though i got it, Vaevictus explained it quite well

By: Bala

Bala — Fri, 26 Dec 2008 11:21:15 +0000

I enjoyed this actually this is a good one to realize about the validation of the inputs.

By: Paresh A Bhurke

Paresh A Bhurke — Thu, 16 Oct 2008 09:10:25 +0000

Hi,

Good humour!

Its simple. The name of the student which school entered in the application caused dropping of the table. Pupils name is
“Robert’);drop table students”

Good one.

Paresh

By: LN

LN — Thu, 16 Oct 2008 04:23:51 +0000

Please elaborate more…

By: Em

Em — Wed, 15 Oct 2008 06:09:55 +0000

Hehe, good one!

By: Vaevictus

Vaevictus — Tue, 14 Oct 2008 02:48:33 +0000

I’ll take a whack at it…
imagine that the program used to enter new students in the database looked something like this:

sql = ” insert into students (firstname,lastname) VALUES (‘” & field1.value & “‘, ‘” & field2.value & ‘”)”

normally, it’d be fine, where fields “bobby tables” could be:
insert into students (firstname,lastname) VALUES (‘bobby’,'tables’);

with the comic’s first name provided, which is “Robert’); DROP TABLE Students; — ”

which becomes:
insert into students (firstname,lastname) VALUES (‘Robert’); DROP TABLE Students; –’,'tables’);

in other words, the punctuation inserted causes the insert to become two statements and a comment.

in other words, insert into students, drop table students and comment out the rest.

so … as the mother of bobby tables states in the comics,

“AND I HOPE YOU’VE LEARNED TO SANITIZE YOUR DATABASE INPUTS”.

cheers.

By: Robert

Robert — Mon, 13 Oct 2008 15:27:00 +0000

The name ‘Bobby’ is a diminutive or ‘nickname’ for Robert.

The joke is that the parent named the child

Robert ‘);DROP TABLE Students;

And so the database input actually executed the code DROP TABLE Students.

Which the parent then is making fun of the school for not checking their data inputs.

(I have no idea how you would import such a string so that it would actually run, but I gues there must be a way)

By: Mahmoud Hakeem

Mahmoud Hakeem — Mon, 13 Oct 2008 10:42:23 +0000

Can u explain more please?

By: Maysam

Maysam — Sun, 12 Oct 2008 18:06:24 +0000

I know what SQL Injection is but I don’t get the relation between “Little Bobby Tables” and “Drop Table Students”. Would you explain it? I’m sorry I’m not a native English speaker and that might be my problem.