undefined | Better HN

0 pointsomnicognate2y ago0 comments

It's not because Companies House is vulnerable to SQL injection (there's no reason to think it is) and the purpose isn't to protect Companies House from SQL injection.

Companies House data is consumed by a very large number of companies and organisations, some of whom probably are vulnerable to such attacks. Fixing them isn't something Companies House can do. The joke Bobby Tables company name that was registered deliberately wasn't actually a functioning SQL injection. If someone does try to register a name containing a real one, it seems like a good idea for Companies House to be able to reject it on those grounds. This is just giving them that ability, as part of a larger ability to reject names that are designed to mislead or facilitate fraud.

The knee-jerk HN Nelson laugh at everything the UK and EU governments do makes for tedious reading, especially when there are so many actually bad policies and laws to criticise.

0 comments

3 comments · 2 top-level

beeboobaa2y ago· 1 in thread

Perhaps Companies House should put some canaries in their data to trigger such these SQL injections in a non-destructive way. That way they might accomplish some good by forcing these companies to fix their shit.

Regardless, anyone affected by a "bobby tables" should be thankful it was that, and not hackers exfiltrating their data and selling it.

rezonant2y ago

This is a great idea though done naively could cause unintended side effects. But key to the consideration today (and as pointed out by the commenter in TFA) is that not just SQL would need to be considered, especially in the dawn of the LLM era.

hot_gril2y ago

It makes sense. 'DROP TABLE users; is obviously not a real company name.

Maybe it'd be better to deliberately include some Bobby Tables entries in every data set to make sure users think about these problems early-on, but it's probably too late for that.

j / k navigate · click thread line to collapse