this post was submitted on 25 May 2026

954 points (99.3% liked)

Programmer Humor

31699 readers

352 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 3 years ago

MODERATORS

Feyter@programming.dev

anzo@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev

954

#NULL! (lemmy.world)

submitted 1 week ago by ivanafterall@lemmy.world to c/programmer_humor@programming.dev

91 comments fedilink hide all child comments

top 50 comments

sorted by: hot top controversial new old

[–] Kenny2999@lemmy.world 161 points 1 week ago (3 children)

[–] akunohana@piefed.blahaj.zone 15 points 1 week ago (4 children)

How would you do this in C? I'm a beginner. Does it entail checking/disallowing certain characters and data types? What? 😃

[–] vrek@programming.dev 17 points 1 week ago (1 children)

How do you sanitize your inputs or how do you exploit inputs which are not sanitized.

[–] akunohana@piefed.blahaj.zone 18 points 1 week ago (1 children)

Santize inputs.

I'll get back to you on exploits when I can write something that throws zero compilation errors. 😈

[–] vrek@programming.dev 19 points 1 week ago (3 children)

Couple big things are 1. Only accept reasonable characters, on a white list instead of rejecting bad characters based on a black list. This will mean you are less likely to forget to block /0 for example. 2. Understand how strings work and ensure both reading and writing to that string doesn't extend beyond the end of memory allocated for the string. For example do you understand what the /0 would do to a string your program accepts?

[–] akunohana@piefed.blahaj.zone 6 points 1 week ago (1 children)

Sic! Thanks! I'll work on this this weekend! 😊

load more comments (1 replies)

load more comments (2 replies)

[–] copacetic@discuss.tchncs.de 15 points 1 week ago

If you use the SQLite C API like this

    char query[256];
    snprintf(query, sizeof(query),
             "SELECT * FROM users WHERE username = '%s'", username);
    int rc = sqlite3_exec(db, query, NULL, NULL, &err_msg);

and someone enters `Robert; DROP Table Students;--' as username, it deletes the table Students.

    const char *sql = "SELECT * FROM users WHERE username = ?";
    int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
    if (rc != SQLITE_OK) {
        fprintf(stderr, "Failed to prepare statement\n");
        return;
    }
    sqlite3_bind_text(stmt, 1, username, -1, SQLITE_STATIC);

Using this "prepared statement" and "bind", your code is secured against such SQL injection attacks.

[–] jaybone@lemmy.zip 13 points 1 week ago (2 children)

Many languages like C, Java, Python, etc allow you to construct SQL queries or SQL statements, where SQL is its own language used to communicate with a database, like Oracle or MySql, or Postgres or MSSQL. One way to do this is to construct a string in your language using whatever string functions, concatenation etc available in your language. The problem occurs because usually you want some kind of user input as one of the parameters in your sql query, in order to fetch the correct records the user is asking for. Like say a record ID or name. If you do not properly sanitize that ID or name which originally comes from some type of user input, then a malicious user could carefully craft an ID or name which includes their own SQL and other special characters, which will interfere with the query you intended to construct, and instead do something malicious. Like delete records or obtain records the user is not supposed to have access to.

There are many ways to guard against this, and you should learn about this when you start working with SQL and databases. It’s called a SQL injection.

There is another type of code injection which can occur if you are making exec() calls (or whatever your language uses) to run shell commands. Similar caution should be taken there.

load more comments (2 replies)

[–] LovableSidekick@lemmy.world 6 points 1 week ago* (last edited 1 week ago)

You wouldn't - what they're describing is called "SQL injection" - a way to fool poorly written web server code (regardless of what language it's writen in) into executing SQL code. The poorly written server code takes what's entered in a form field on a web page and pastes it into a skeleton of a SQL statement - in this case the text in the input field is SQL that ends the intended statement, followed by a new statement that deletes a table. For this to even work, the SQL skeleton on the server would have to be structured in just the right way so the modified version with the pasted-in text still makes sense. For this reason, hackers attempting SQL injection usually have to do a lot of trial and error to get something to happen. The only way it can work at all is if the server software handling the web page sends SQL commands to a database server as text, as if they're being typed in, and the server executes them. You can't inject C in this way because unlike SQL, C code isn't just executed, C programs have to be precompiled.

[–] RobertTableaux@programming.dev 11 points 1 week ago

My day has come!!!

[–] deadbeef79000@lemmy.nz 5 points 1 week ago (4 children)

Don't sanitise inputs. Reject non-conforming inputs entirely.

But otherwise: yes.

[–] Valmond@lemmy.dbzer0.com 6 points 1 week ago (6 children)

And end up having loads of valid requests rejected 😁

load more comments (6 replies)

load more comments (3 replies)

[–] Klear@piefed.world 83 points 1 week ago (1 children)

I see little Bobby Tables is all grown up

load more comments (1 replies)

[–] zqwzzle@lemmy.ca 72 points 1 week ago (3 children)

[object Object]

[–] panda_abyss@lemmy.ca 26 points 1 week ago

Yes?

[–] resipsaloquitur@lemmy.cafe 8 points 1 week ago

What? My mother was a saint!

load more comments (1 replies)

[–] elvith@feddit.org 58 points 1 week ago (1 children)

I � Unicode!

[–] FreshLight@sh.itjust.works 18 points 1 week ago

I like this very much! It implies that the person expressing this knows exactly how they feel about Unicode. It's just us, the readers (or some other link in the chain), who have/ has the wrong encoding.

[–] _stranger_@lemmy.world 50 points 1 week ago (3 children)

Allow me to introduce you to my favorite Unicode character, the zero width space

https://unicode-explorer.com/c/200B

[–] blah3166@piefed.social 29 points 1 week ago (5 children)

that sounds awesome! (there's 10k zero width spaces between the quotes ->''.)

[–] DisasterTransport@startrek.website 13 points 1 week ago (3 children)

thats a 29kb comment right there

[–] ivanafterall@lemmy.world 7 points 1 week ago

I'll be damned. The crazy son of a bitch did it!

load more comments (2 replies)

[–] flint@lemmy.zip 13 points 1 week ago

Checks out:

[–] solxix@pawb.social 7 points 1 week ago (1 children)

On Interstellar it shows up as normal spaces for me so there's just a giant block of empty space

load more comments (1 replies)

[–] _stranger_@lemmy.world 6 points 1 week ago

load more comments (1 replies)

[–] Opisek@piefed.blahaj.zone 11 points 1 week ago (1 children)

Unfortunately, evil people blacklist this character a lot :(

May I introduce you to my favorite Unicode character, the Braille zero dots

https://unicode-explorer.com/c/2800

load more comments (1 replies)

[–] lalala@lemmy.world 5 points 1 week ago (1 children)

What kind of devil came up with this?

load more comments (1 replies)

[–] ValiantDust@feddit.org 46 points 1 week ago (1 children)

Unless they work for Microsoft. Teams has been showing � instead of ä for the caller's name in the popup when someone calls for several weeks now. It didn't use to do that before. I don't think they care anymore.

[–] ChickenLadyLovesLife@lemmy.world 18 points 1 week ago

I don't think it's even "they" any more.

[–] ODuffer@lemmy.world 18 points 1 week ago (2 children)

▞☒ę

[–] NoSpotOfGround@lemmy.world 11 points 1 week ago

Not always, but most times, yeah.

[–] gruvn@sh.itjust.works 5 points 1 week ago

Pretty sure that's illegal here.

[–] Rhaedas@fedia.io 17 points 1 week ago

Depends on if it breaks the form and they get called. Actually if it gets through they might rightfully question their sanitation coding.

[–] Enkrod@feddit.org 16 points 1 week ago (1 children)

Allow me to make one thing perfectly clear: If you insert those symbols into my perfectly working website... only to mess with me and inadvertently give me vietnam-style flashbacks to the days when I had to deal with incredibly badly formed and misencoded CSV-files on the daily...

Then I will find you and break into your home to replace every second sock with one of the same color and pattern but slightly different make, size or material and you will always wonder why you can't find any exactly fitting pairs of socks anymore.

[–] ivanafterall@lemmy.world 13 points 1 week ago (4 children)

I willingly embraced mismatched socks years ago. I just pretend it's a fashion statement. Come at me bro.

load more comments (4 replies)

[–] Quexotic@infosec.pub 15 points 1 week ago

To the op of the screenshot meme, calm down satan

[–] Valmond@lemmy.dbzer0.com 12 points 1 week ago

Calm down satan 😅

[–] LovableSidekick@lemmy.world 12 points 1 week ago

Former dev here, can confirm on occasion it does.

[–] Kojichan@lemmy.world 10 points 1 week ago (6 children)

Usually only happened when a French person copied and pasted their text directly from a Word document... dang weird spaces and accented characters... drove my boss mad when I told him it was because it French, and not a glitch.

Still had to work around it... text counters in textboxes had to account for accented characters, which took two bytes instead of one.

"I only have 2000 letters!" ... 2000 including 200 accent characters made it 2200 characters, not 2000.

load more comments (6 replies)

[–] Pika@sh.itjust.works 9 points 1 week ago

Ok calm down there Satan. Leave some chaos for the rest of us 😅

[–] GreenKnight23@lemmy.world 9 points 1 week ago (1 children)

my favorite thing to do is go to small town websites and look at the page source for their forms. 70% of the time they have inputs commented out to "disable" forms or just deprecated functionality.

I like to uncomment them and submit the forms just to fuck with them 🤣

load more comments (1 replies)

[–] mlg@lemmy.world 9 points 1 week ago

I remember feeling extra powerful when Moonshell for the DS shipped with UTF-8 and UTF-16 support because the developer was japenese and wanted to make sure any language would work.

[–] 9point6@lemmy.world 8 points 1 week ago

Actual monster

[–] Jakylla@jlai.lu 7 points 1 week ago

□□□□□□□□ !!

[–] davidagain@lemmy.world 6 points 1 week ago

You monster!

[–] cupcakezealot@piefed.blahaj.zone 6 points 1 week ago (1 children)

use %20 randomly for fun

load more comments (1 replies)

[–] diabetic_porcupine@lemmy.world 5 points 1 week ago

load more comments