At the very least I’d try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.
WHERE UPPER(TRIM(behavior)) = ‘NICE’
Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I’d rather see if there was a methodology using code values or existing indicators instead of a string, but that’s often just wishful thinking.
Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)
Honest question, which ones wouldn’t it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?
I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.
No closing semicolon, anyone got any extras to throw on this thing?
; found this in the back for you should still work though
Can confirm.
At the very least I’d try to clean up that fuzzy condition on behavior to anticipate any bad or inconsistent data entry.
WHERE UPPER(TRIM(behavior)) = ‘NICE’
Depending on the possible values in behavior, adding a wildcard or two might be useful but would need to know more about that field to be certain. Personally I’d rather see if there was a methodology using code values or existing indicators instead of a string, but that’s often just wishful thinking.
Edit: Also, why dafuq we doing a select all? What is this, intro to compsci? List out the values you need, ya heathen ;)
(This is my favorite Xmas meme lol)
behavior
is an ENUM.Need to normalize the database. I would add a join to a BehaviorTypes table.
Honest question, which ones wouldn’t it work with? Most add a semicolon to the end automatically or have libraries and interfaces saved me a million times?
Other reply s accurate but it’s always a good practice to include the semicolon else you can get
“Bobby tables’ed” look that xkcd comic up
I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.
Wouldn’t that still apply, if you can inject straight SQL, such as “query’ OR 1=1?”
Usually with libraries like jdbc or whatever and prepared statements you don’t need the semicolon.
You need semicolons if it is a script with multiple commands to separate them. It is not needed for a single statement, like you would use in most language libraries.