undefined | Better HN

dataflow1y ago· 6 in thread

This fails if either the UI sanitizes wildcards, or if the database prohibits them, or if it produces so much data that you can't ingest it in time, etc.

mcv1y ago

It also fails if the system was written using parameterized queries. I wouldn't expect a system to be sanitizing anything if fails to take the most basic step for db access. This whole discussion is only relevant for systems developed by amateurs. SQL injection can only work at all if you use string concatenation to create queries, which you should never do.

wglb1y ago

Injections don't always need ''. The statements
1=1
and
1=0
if injected into a query will give different answers if SQLI exists.
There are MANY other tricks that don't involve '
'.

Besides, consider the number of valid queries done by the application that involve '*'. You are not going to turn that off.

wglb1y ago

Sanitization almost always fails. This becomes an arms race.

valenterry1y ago

If you do it wrong, yes. Sure, there is no 100% security, but honestly, it's 2025. We already know the techniques how to prevent SQL injection of any kind. I wrote about this here: https://valentin.willscher.de/posts/sql-api/

2 more replies

IshKebabOP1y ago

There are trivial ways around all of those. `LIMIT 1`, `SELECT .. FROM information_schema...`, etc.

dataflow1y ago

> There are trivial ways around all of those. `LIMIT 1`

LIMIT 1 limits row count. The issue here was columns. Like a giant blob someone might've stored in there.

> `SELECT .. FROM information_schema...`

no such table: information_schema.columns

> etc.

https://news.ycombinator.com/item?id=43181799

1 more reply

ic4l1y ago· 1 in thread