• Doc Avid Mornington@midwest.social
    link
    fedilink
    English
    arrow-up
    8
    ·
    11 months ago

    I’m not sure how including a final semicolon can protect against an injection attack. In fact, the “Bobby Tables” attack specifically adds in a semicolon, to be able to start a new command. If inputs are sanitized, or much better, passed as parameters rather than string concatenated, you should be fine - nothing can be injected, regardless of the semicolon. If you concatenate untrusted strings straight into your query, an injection can be crafted to take advantage, with or without a semicolon.

    • GBU_28
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      11 months ago

      Yep it would only work if you didn’t sanitize a user input string in this case ‘nice’

      They could write ‘’; drop table blah;