Programmer Humor

31576 readers

2101 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 2 years ago

MODERATORS

anzo@programming.dev

Feyter@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev

1301

#NULL! (lemmy.world)

submitted 1 day ago by ivanafterall@lemmy.world to c/programmer_humor@programming.dev

90 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] deadbeef79000@lemmy.nz 8 points 1 day ago (3 children)

Don't sanitise inputs. Reject non-conforming inputs entirely.

But otherwise: yes.

[–] nonagonOrc@lemmy.world 6 points 23 hours ago

No fuck both of those, just use prepared statements so user input can't be interpreted as SQL.

[–] Valmond@lemmy.dbzer0.com 8 points 1 day ago (1 children)

And end up having loads of valid requests rejected 😁

[–] deadbeef79000@lemmy.nz 3 points 1 day ago (2 children)

If they were valid they wouldn't be rejected.

[–] AzuraTheSpellkissed@lemmy.blahaj.zone 5 points 15 hours ago (1 children)

I've managed webapps which rejected "René". Heck, my deadname has a hyphen, which often is considered illegal

[–] deadbeef79000@lemmy.nz 2 points 14 hours ago

Which means the app was crap. Rather the rules it used to validate a valid name are garbage.

Usually because someone tried to be too strict. E.g. names are space delimited A-Za-z strings, rather than just accepting any old Unicode string and safely processing it (e.g. with an SQL prepared statement).

I've had websites reject email addresses with one of the newish TLD's because someone decided they new how to validate an email address (it's more a more flexible spec than you might think).

[–] Valmond@lemmy.dbzer0.com 4 points 1 day ago (2 children)

Well then someone with a Tagalog name gets caught in your filter...

I mean if it's "perfect" they yes, it'll work, but in production...

Also, you sometimes want to be able to store "1); Drop table abc;" in your database, I mean how do you otherwise store this comment right here? Sanitizing.

[–] anton@lemmy.blahaj.zone 4 points 1 day ago

I agree with everything in your comment except the last word. Only sanitize in cases where there isn't a better option like html or terminal escape sequences. SQL had prepared statements, which are better.

[–] deadbeef79000@lemmy.nz 2 points 23 hours ago* (last edited 14 hours ago)

That's conforming (to what ever criteria). Send me a UTF-16 string of at most 100 code points. Send me a 7-bit ASCII string of only A-Z0-9. Reject anything that doesn't comform.

sanitizing is trying to clean an input. That's "lemme just double escape some special characters" or stripping/replacing/encoding characters or truncating strings, coercing types. Don't do this, your sanitization code will have bugs or edge cases.

[–] ivanafterall@lemmy.world 5 points 1 day ago (1 children)

I'll never conform!

[–] deadbeef79000@lemmy.nz 3 points 1 day ago

Righteous.