youTellMe@lemmy.world to Programmer Humor@lemmy.worldEnglish · 1 年前Everyday we stray further from industry standardslemmy.worldimagemessage-square24linkfedilinkarrow-up1191arrow-down11
arrow-up1190arrow-down1imageEveryday we stray further from industry standardslemmy.worldyouTellMe@lemmy.world to Programmer Humor@lemmy.worldEnglish · 1 年前message-square24linkfedilink
minus-squaresebschlinkfedilinkEnglisharrow-up16·1 年前GET /api/database?query=SELECT+++name+++FROM+++users+++WHERE+++id=42 I’ve seen that exact type of endpoint, hitting databases in production. 🔥
minus-squaresurewhynotlem@lemmy.worldlinkfedilinkEnglisharrow-up1·1 年前If that’s a pass through, that’s bad. If that’s used for authentication, authorization, credential limiting, or rate limiting, then sure.
minus-squaresebschlinkfedilinkEnglisharrow-up3·1 年前There is no context in this world validating this level of unsanitized SQL. Even for internal use this is bad, since it bypasses the auth of server and dbms.
GET /api/database?query=SELECT+++name+++FROM+++users+++WHERE+++id=42I’ve seen that exact type of endpoint, hitting databases in production. 🔥
If that’s a pass through, that’s bad.
If that’s used for authentication, authorization, credential limiting, or rate limiting, then sure.
There is no context in this world validating this level of unsanitized SQL. Even for internal use this is bad, since it bypasses the auth of server and dbms.
That is a very good point.