SQLAuthority News – SQL Injection – SQL Joke, SQL Humor, SQL Laugh

It has been a long time since I wrote about SQL Humor. Following is the cartoon sent to me by many (more than 10 times) so far by many users. I did not publish it till now as it has been quite popular and I believed many people had already seen it. However, recently by one of the quite big personality asked me why I have not included this in my blog, so I have finally decided to include that in my blog. Let us read humor about SQL Injection.

SQLAuthority News - SQL Injection - SQL Joke, SQL Humor, SQL Laugh exploits_of_a_mom

Those who have not understood it, please leave comments here. I will do my best to explain.  One of the recommendations I give is about not using Dynamic SQL. There might be some situations where you can’t avoid it. My only advice would be, avoid if possible. In this blog, I would demonstrate a SQL Injection problem due to dynamic SQL and a possible solution you can have. Many have claimed SQL Injection is a SQL Server problem. It takes quite some time for me to let them know there is nothing about SQL Server and SQL Injection. SQL Injection is an outcome of wrong coding practices.

Here is an amazing article on this subject.

Reference : Pinal Dave (https://blog.sqlauthority.com), Original Location of Cartoon.

, , , ,
Previous Post
SQLAuthority News – Download – Microsoft SQL Server 2008 Feature Pack, August 2008
Next Post
SQLAuthority News – Book Review – Pro SQL Server 2005 Replication (Definitive Guide)

Related Posts

14 Comments. Leave new

  • I know what SQL Injection is but I don’t get the relation between “Little Bobby Tables” and “Drop Table Students”. Would you explain it? I’m sorry I’m not a native English speaker and that might be my problem.

    Reply
  • Mahmoud Hakeem
    October 13, 2008 4:12 pm

    Can u explain more please?

    Reply
  • The name ‘Bobby’ is a diminutive or ‘nickname’ for Robert.

    The joke is that the parent named the child

    Robert ‘);DROP TABLE Students;

    And so the database input actually executed the code DROP TABLE Students.

    Which the parent then is making fun of the school for not checking their data inputs.

    (I have no idea how you would import such a string so that it would actually run, but I gues there must be a way)

    Reply
  • I’ll take a whack at it…
    imagine that the program used to enter new students in the database looked something like this:

    sql = ” insert into students (firstname,lastname) VALUES (‘” & field1.value & “‘, ‘” & field2.value & ‘”)”

    normally, it’d be fine, where fields “bobby tables” could be:
    insert into students (firstname,lastname) VALUES (‘bobby’,’tables’);

    with the comic’s first name provided, which is “Robert’); DROP TABLE Students; — ”

    which becomes:
    insert into students (firstname,lastname) VALUES (‘Robert’); DROP TABLE Students; –‘,’tables’);

    in other words, the punctuation inserted causes the insert to become two statements and a comment.

    in other words, insert into students, drop table students and comment out the rest.

    so … as the mother of bobby tables states in the comics,

    “AND I HOPE YOU’VE LEARNED TO SANITIZE YOUR DATABASE INPUTS”.

    cheers.

    Reply
  • Hehe, good one!

    Reply
  • Please elaborate more…

    Reply
  • Paresh A Bhurke
    October 16, 2008 2:40 pm

    Hi,

    Good humour!

    Its simple. The name of the student which school entered in the application caused dropping of the table. Pupils name is
    “Robert’);drop table students”

    Good one.

    Paresh

    Reply
  • I enjoyed this actually this is a good one to realize about the validation of the inputs.

    Reply
  • Lol, even though i got it, Vaevictus explained it quite well

    Reply
  • THAT was FUNNY!!! If I had a nickel for every time I fixed a database where the only ‘real’ problem was user inputs… I would have more money than Bill Gates!

    Reply
  • hey really good one. Provides better understanding about the sql injection.

    Reply
  • Thats cool. I have seen lot of people referring that

    Here is an approach with derived table that avoids sql injection

    Reply
  • Shatrughna Kumar
    August 23, 2011 4:57 pm

    Good one.
    I really enjoyed it.

    Reply

Leave a Reply

Menu