This used to work. Point is this is a design error, the interpreter is treating the complete string as an input which includes runtime text.
I haven’t touched sql in a long time so I am sure theres a fix but SQL injections were an endemic issue for a long time, like buffer overflows for C. Same idea—design errors in the language itself (including the standard libraries) are what make them possible.
Yeah. It’s still possible to program in such a way that that works, and it’s always been possible to program in such a way that it doesn’t work. But prepared statements make it easier to program in such a way that it doesn’t work, by allowing the programmer to pass executable code (which is probably directly embedded as a literal in their application language) separately from the parameters (which may be user-supplied).
(I could imagine a SQL implementation forbidding all strings directly embedded in queries, and requiring them to be passed through prepared statements or a similar mechanism. That still wouldn’t make these attacks outright impossible, but it would be an added layer of security.)
https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work
This used to work. Point is this is a design error, the interpreter is treating the complete string as an input which includes runtime text.
I haven’t touched sql in a long time so I am sure theres a fix but SQL injections were an endemic issue for a long time, like buffer overflows for C. Same idea—design errors in the language itself (including the standard libraries) are what make them possible.
Yeah. It’s still possible to program in such a way that that works, and it’s always been possible to program in such a way that it doesn’t work. But prepared statements make it easier to program in such a way that it doesn’t work, by allowing the programmer to pass executable code (which is probably directly embedded as a literal in their application language) separately from the parameters (which may be user-supplied).
(I could imagine a SQL implementation forbidding all strings directly embedded in queries, and requiring them to be passed through prepared statements or a similar mechanism. That still wouldn’t make these attacks outright impossible, but it would be an added layer of security.)