this post was submitted on 07 Oct 2024
183 points (99.5% liked)

Programmer Humor

1350 readers
1 users here now

founded 1 year ago
MODERATORS
 
you are viewing a single comment's thread
view the rest of the comments
[โ€“] sebsch@discuss.tchncs.de 15 points 1 month ago* (last edited 1 month ago) (2 children)
GET /api/database?query=SELECT+++name+++FROM+++users+++WHERE+++id=42

I've seen that exact type of endpoint, hitting databases in production. ๐Ÿ”ฅ

[โ€“] surewhynotlem@lemmy.world 1 points 1 month ago (1 children)

If that's a pass through, that's bad.

If that's used for authentication, authorization, credential limiting, or rate limiting, then sure.

[โ€“] sebsch@discuss.tchncs.de 3 points 1 month ago (1 children)

There is no context in this world validating this level of unsanitized SQL. Even for internal use this is bad, since it bypasses the auth of server and dbms.

[โ€“] surewhynotlem@lemmy.world 1 points 1 month ago

That is a very good point.