Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@King of Lithuania parameterized queries placeholder for arguments is a question mark
-
@swablu I know the question mark. What troubles me is 'LIKE'
-
I agree with @King of Lithuania
@swablu although it’s parametrised, if you are not validating your input, then that LIKE ? will get replaced with LIKE “%” matching all records which could be massively damaging in more ways at one -
@King of Lithuania of course. Haven't you ever remembered only part of your password? I know it's kinda like this. Maybe. At least you can still log in. How nice of them...
Ahemm....
Admin
%
Nothing to see here. Move along.... -
@err-occured yes I agree with you. What we have here is an implicit circular dependency.
If you think parametised queries will save the day think again.
I occasionally test sites I visit throwing a few quotes at inputs and query params.
I also always test logging in as % with user or pass.
Not only are plaintext passwords a thing but so is this:
WHERE username LIKE ? AND password LIKE ?.
Once I saw an OR.
rant
foolproof
sql fucktards