It has been a long time since I wrote about SQL humor. The following cartoon has been sent to me by many users (more than ten times so far). I did not publish it until now because it has been quite popular and I believed most people had already seen it. However, someone quite well known recently asked me why I had not included it in my blog, so I have finally decided to do so. Let us read some humor about SQL Injection.
Those who have not understood it, please leave a comment here and I will do my best to explain. One of the recommendations I give is to avoid dynamic SQL. There are situations where you cannot avoid it; my advice is simply to avoid it wherever possible. In this blog I would like to demonstrate the SQL Injection problem that dynamic SQL creates and a possible solution. Many have claimed that SQL Injection is a SQL Server problem. It takes me quite some time to explain that SQL Injection has nothing to do with SQL Server in particular: any database that accepts statements as text is exposed in exactly the same way. SQL Injection is an outcome of wrong coding practices, specifically building a statement by concatenating untrusted input into its text instead of passing that input as a parameter.
Here is an amazing article on this subject.
Reference: Pinal Dave (https://blog.sqlauthority.com), Original Location of Cartoon.
I know what SQL Injection is but I don’t get the relation between “Little Bobby Tables” and “Drop Table Students”. Would you explain it? I’m sorry I’m not a native English speaker and that might be my problem.
Can you explain more, please?
The name ‘Bobby’ is a diminutive or ‘nickname’ for Robert.
The joke is that the parent named the child
Robert'); DROP TABLE Students;
And so the database input actually executed the code DROP TABLE Students.
The parent is then making fun of the school for not checking their data inputs.
(I have no idea how you would import such a string so that it would actually run, but I guess there must be a way.)
I’ll take a whack at it…
imagine that the program used to enter new students in the database looked something like this:
sql = "insert into students (firstname,lastname) VALUES ('" & field1.value & "', '" & field2.value & "')"
normally it'd be fine; with the fields "bobby" and "tables" it would be:
insert into students (firstname,lastname) VALUES ('bobby','tables');
with the comic's first name provided, which is "Robert'); DROP TABLE Students; --"
insert into students (firstname,lastname) VALUES ('Robert'); DROP TABLE Students; --','tables');
in other words, the punctuation inserted causes the insert to become two statements and a comment.
in other words, insert into students, drop table students and comment out the rest.
so … as the mother of bobby tables states in the comics,
“AND I HOPE YOU’VE LEARNED TO SANITIZE YOUR DATABASE INPUTS”.
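The post above promises to demonstrate the dynamic SQL problem and a possible solution, and Vaevictus's walkthrough shows how the concatenated string turns into two statements and a comment. Here is that demonstration in T-SQL as an added example; it is not code from the original post or from any of the commenters. It shows a procedure that concatenates its arguments into an INSERT, the same procedure rewritten to pass them as sp_executesql parameters, and a third procedure for the case the post mentions where dynamic SQL cannot be avoided because an identifier (a sort column, which cannot be a parameter) has to be spliced into the statement text. The table name Students, the procedure names and the column list are assumptions. The injected first name supplies both values before closing the VALUES list, so the first INSERT is well-formed and the example does not depend on how the server treats the cartoon's literal string, which leaves the INSERT with one value for two columns.

```sql
-- Added example, not from the post or the comments.
-- Table, procedure and column names are assumptions chosen to match the cartoon.
CREATE TABLE dbo.Students (FirstName NVARCHAR(100), LastName NVARCHAR(100));
GO

-- UNSAFE: the caller's text is pasted into the statement, so the quotes,
-- semicolons and the -- inside the input are parsed as SQL.
CREATE PROCEDURE dbo.AddStudent_Unsafe
    @FirstName NVARCHAR(200), @LastName NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO dbo.Students (FirstName, LastName) VALUES ('''
        + @FirstName + N''', ''' + @LastName + N''');';
    PRINT @sql;    -- shows the batch that is really about to run
    EXEC (@sql);
END
GO

-- SAFE: the same statement, but the values travel as parameters of
-- sp_executesql and are never parsed as SQL. The text of @sql never changes.
CREATE PROCEDURE dbo.AddStudent_Safe
    @FirstName NVARCHAR(200), @LastName NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO dbo.Students (FirstName, LastName) VALUES (@fn, @ln);';
    EXEC sp_executesql @sql,
        N'@fn NVARCHAR(200), @ln NVARCHAR(200)',
        @fn = @FirstName, @ln = @LastName;
END
GO

-- When dynamic SQL cannot be avoided: an identifier (here a sort column)
-- cannot be a parameter, so it is checked against the catalog and wrapped
-- with QUOTENAME before it touches the statement text.
CREATE PROCEDURE dbo.ListStudents
    @SortColumn sysname
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Students')
                     AND name = @SortColumn)
    BEGIN
        RAISERROR(N'Unknown sort column.', 16, 1);
        RETURN;
    END;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT FirstName, LastName FROM dbo.Students ORDER BY '
        + QUOTENAME(@SortColumn) + N';';
    EXEC sp_executesql @sql;
END
GO

-- The hostile first name (constructed for this example). It closes the
-- VALUES list itself, so the INSERT stays well-formed and the DROP can run.
DECLARE @BobbyFirstName NVARCHAR(200) =
    N'Robert'', ''Tables''); DROP TABLE dbo.Students; --';

EXEC dbo.AddStudent_Safe @BobbyFirstName, N'Tables';
SELECT FirstName, LastName FROM dbo.Students;   -- one row; the odd text is just data

EXEC dbo.ListStudents N'LastName';                               -- sorts by [LastName]
EXEC dbo.ListStudents N'LastName; DROP TABLE dbo.Students; --';  -- rejected: no such column

-- Unsafe path. The PRINT inside the procedure shows the batch that runs:
--   INSERT INTO dbo.Students (FirstName, LastName) VALUES ('Robert', 'Tables'); DROP TABLE dbo.Students; --', 'Tables');
EXEC dbo.AddStudent_Unsafe @BobbyFirstName, N'Tables';
SELECT OBJECT_ID(N'dbo.Students') AS StudentsObjectId;  -- NULL: the table is gone
```

Run it in SSMS or sqlcmd; the GO lines are batch separators, not T-SQL, and CREATE PROCEDURE must start its own batch. The first SELECT shows the injected text stored harmlessly as a first name, the ListStudents call with the hostile sort column raises an error and returns nothing, and the final SELECT returns NULL because the unsafe procedure executed the DROP. The safe procedure has a second benefit: since the statement text is constant, SQL Server caches one plan for it instead of compiling a new one for every distinct input.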
Hehe, good one!
Please elaborate more…
Search for SQL injection in Google/Bing.
It's simple. The name of the student which the school entered in the application caused the table to be dropped. The pupil's name is
"Robert'); drop table students"
I enjoyed this actually; this is a good one to realize the importance of validating the inputs.
Lol, even though I got it, Vaevictus explained it quite well.
THAT was FUNNY!!! If I had a nickel for every time I fixed a database where the only ‘real’ problem was user inputs… I would have more money than Bill Gates!
Hey, really good one. Provides a better understanding of SQL injection.
That's cool. I have seen a lot of people referring to that.
Here is an approach with a derived table that avoids SQL injection.
I really enjoyed it.