You're viewing a single thread.
No closing semicolon, anyone got any extras to throw on this thing?
; found this in the back for you should still work though
Can confirm.
At the very least I'd try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.
WHERE UPPER(TRIM(behavior)) = 'NICE'
Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I'd rather see if there was a methodology using code values or existing indicators instead of a string, but that's often just wishful thinking.
Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)
(This is my favorite Xmas meme lol)
behavioris an ENUM.That’s a table scan, right there. Naughty.
Need to normalize the database. I would add a join to a BehaviorTypes table.
Edit: or, if the only options are naughty or nice, make it a boolean.
Honest question, which ones wouldn't it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?
Other reply s accurate but it's always a good practice to include the semicolon else you can get
"Bobby tables'ed" look that xkcd comic up
I'm not sure how including a final semicolon can protect against an injection attack. In fact, the "Bobby Tables" attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
Yep it would only work if you didn't sanitize a user input string in this case 'nice'
They could write ''; drop table blah;
Wouldn't that still apply, if you can inject straight SQL, such as "query' OR 1=1?"
Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.
You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.
If you don't use a semicolon directly in MySQL it won't do anything until you add it.
In the MySQL client console where you can run multiple commands.
If you add semicolon in language library commands such as fetch() you will get an error.
Can we get a SIMILARITY?