this post was submitted on 25 May 2026

Programmer Humor

[–] copacetic@discuss.tchncs.de 9 points 10 hours ago* (last edited 10 hours ago)

If you use the SQLite C API like this

    char query[256];
    /* username is pasted straight into the SQL text, and sqlite3_exec runs
       every statement it finds in that text */
    snprintf(query, sizeof(query),
             "SELECT * FROM users WHERE username = '%s'", username);
    int rc = sqlite3_exec(db, query, NULL, NULL, &err_msg);

and someone enters `Robert'; DROP Table Students;--` as username, it deletes the table Students.

    sqlite3_stmt *stmt = NULL;
    const char *sql = "SELECT * FROM users WHERE username = ?";
    int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
    if (rc != SQLITE_OK) {
        fprintf(stderr, "Failed to prepare statement\n");
        return;
    }
    /* the value is bound as data; it is never parsed as SQL text */
    sqlite3_bind_text(stmt, 1, username, -1, SQLITE_STATIC);
    while (sqlite3_step(stmt) == SQLITE_ROW) {
        /* process one result row */
    }
    sqlite3_finalize(stmt);

Using this "prepared statement" and "bind", your code is secured against such SQL injection attacks.
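The same contrast run end to end, as an added example that is not part of the comment above: Python's built-in sqlite3 module stands in for the C API (executescript behaves like sqlite3_exec in running every statement in the string; execute with `?` is the prepare-and-bind path), and the table names, sample rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: the username from the comment above.
MALICIOUS_USERNAME = "Robert'; DROP TABLE Students;--"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with the two tables the comment mentions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (username TEXT);"
        "CREATE TABLE Students (name TEXT);"
        "INSERT INTO users VALUES ('alice');"
        "INSERT INTO Students VALUES ('bob');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue, itself via a bound parameter."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> None:
    """Mirrors the snprintf + sqlite3_exec version: the value is pasted into the
    SQL text, and executescript (like sqlite3_exec) runs every statement in the
    string, so a ';' in the input smuggles in a second command."""
    conn.executescript(f"SELECT * FROM users WHERE username = '{username}'")


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Mirrors sqlite3_prepare_v2 + sqlite3_bind_text: the SQL text is fixed and
    the value travels as a bound parameter, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> tuple:
    """Returns whether Students survives the unsafe path and the safe path."""
    unsafe_conn, safe_conn = make_db(), make_db()
    lookup_user_unsafe(unsafe_conn, MALICIOUS_USERNAME)
    lookup_user_safe(safe_conn, MALICIOUS_USERNAME)
    return table_exists(unsafe_conn, "Students"), table_exists(safe_conn, "Students")
```

Note that Python's plain execute() refuses input containing more than one statement, which is one more layer the sqlite3_exec path lacks; the bound parameter is the fix that holds regardless of that layer.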