SQL
Latest revision as of 21:30, 19 January 2020
SQL (Structured Query Language) is a database query language initially developed at IBM in the 1970s. It was originally called SEQUEL, but IBM changed the name due to a trademark conflict with another company. It is currently very popular as an interface language for relational database systems. Although it is officially standardized (ISO/IEC 9075, ISO/IEC 13249), SQL still has a number of incompatible "dialects", reminiscent of BASIC in its heyday.
SQL is frequently encountered in the form of queries sent to databases by programs in other languages, but it is a programming language in its own right with constructs sufficient to create large and complicated routines.
"SQL injection" is a security issue with a number of poorly-developed systems and websites, arising when user input is not properly sanitized before being inserted into SQL statements for database operations. "Dangerous" characters such as quotes need to be properly escaped or stripped, or else it is possible to include a quote to end the string an input field is being inserted into, and follow it with other commands which might do dangerous things with the database. Poorly-done attempts to avoid such attacks may also cause harm; for instance, if a programmer tries to strip out any substrings that might be SQL commands, they might end up rejecting perfectly valid names, street addresses, and so on which happen to have a string like "table" in them. Some SQL implementations support host parameters, which let you supply data separately from the SQL statement rather than embedding it in the statement text; the statement marks each place where a value belongs with a question mark, and the value is passed alongside it.
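The following is an added example, not part of the original article, showing the three points of the paragraph above side by side: a query built by string concatenation (which a quote in the input can break out of), the same query using host parameters (question-mark placeholders, as supported by Python's built-in sqlite3 module), and the over-eager "strip anything that looks like SQL" filter that rejects legitimate data. The table, the rows and the input strings are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("Alice", "Springfield"),
        ("Bob Constable", "Tableview"),   # legitimate values containing "table"
        ("Dana O'Brien", "Shelbyville"),  # legitimate value containing a quote
    ])
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the user-supplied value is spliced into the SQL text,
    so a quote in the value ends the string literal and the rest of the input
    is parsed as SQL."""
    sql = "SELECT name, city FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened form: a host parameter. The statement text is fixed and the
    value is passed separately, so quotes in it are just data."""
    sql = "SELECT name, city FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concat_breaks(conn, name):
    """True if the concatenated query fails to parse for this input
    (e.g. an unterminated string caused by a quote in a real name)."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def naive_filter_rejects(name):
    """The kind of over-eager 'sanitizer' the article warns about: it rejects
    any input containing a substring that happens to be an SQL keyword."""
    return "table" in name.lower()


if __name__ == "__main__":
    db = make_db()
    # A value containing a quote: concatenation mis-parses it, the parameter form does not.
    print("concat breaks on O'Brien:", concat_breaks(db, "Dana O'Brien"))
    print("param finds O'Brien:", lookup_param(db, "Dana O'Brien"))
    # A value that ends the string and appends a condition: concatenation returns
    # every row, while the parameter form matches nothing (no user has that name).
    probe = "x' OR '1'='1"
    print("concat rows:", len(lookup_concat(db, probe)), "param rows:", len(lookup_param(db, probe)))
    # The naive filter rejects a perfectly valid name that the parameter form handles fine.
    print("naive filter rejects Bob Constable:", naive_filter_rejects("Bob Constable"))
    print("param finds Bob Constable:", lookup_param(db, "Bob Constable"))
```

The point of the comparison is that with host parameters there is nothing to escape or strip: the database never sees the value as part of the statement, so both the quote in "O'Brien" and the word "table" in "Constable" are handled correctly without any keyword filtering.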
This article (http://performinsider.com/2014/07/ed-magedson-founder-of-ripoffreport-com-facing-criminal-charges/) claims that legal troubles could result from use of "potentially illegal SQL technology", but it's unclear what that entails.
See also
Links and references
- Wikipedia article
- SQL 2008 draft standard (as ZIP archive)
- Solving coding tests in PostgreSQL
- What ORMs have taught me: just learn SQL
- q: Command line tool to do SQL-like queries on CSV and similar files