- cross-posted to:
- programmer_humor@programming.dev
- cross-posted to:
- programmer_humor@programming.dev
Do you remember little Bobby Tables? This is him now.
I wanna meet the web dev who’s still not sanitizing inputs in 2025.
When the job of sanitizing inputs is left to libraries and LLMs, it’s very easy to accidentally forget it.
That’s a backend job tho.
Yeah, but it’s still a good idea to have some protections on the front end in case the back end dev is an idiot. Of course thats easily bypassed but you’ve done what little you can.
If you mean front end developers, then yes, that’s me.
First, it’s not front end’s responsibility to sanitise the input before executing the query because it’s not the front end code which operates on the database. What if we have ten front ends? Implement it ten times?
Second, it’s the back end who’s executing the query so they are doing it anyway. Doing it in the front end code is a waste of time and electricity.
It’s not a war zone outpost. There is no such thing as multiple layers of security. It’s absurd to think that a piece of malicious data “beat up” the security code at the first spot, just to be knocked out by the same security code further down the road. If a piece is code is effectively sanitising the input then the best place to put it is where it’s closest to the database, and it only needs to happen once.
Yes. That’s a given. As long as it’s in the back end, there isn’t a problem. My concern is if someone out there still isn’t checking it at all. There must be some inept devs out there if SQL injection attacks on the web are still a thing. That’s the kind of thing you’d hear about way back in 2004. Hell I know to defend against it and I don’t even do web development.
You’d be surprised! The developers at my company are terrible at their jobs and do the bare minimum lol
Securing the application should be considered the bare minimum.
Should be, but we all know delivery is lol
SecuringRunning the application should be considered the bare minimum.Should be, maybe. The reality is that you can spend extra time making the program work, but if it works and you want to spend extra hours on it for whatever reason, it’s usually considered a waste of time.
Until they get hacked and it costs incredible amounts of money, that is.
Smart programmers do all the things they need to do before they get everything working. As soon as it works they get pushed to work on something else.
Security should be built in from the ground up. It’s not an afterthought. If you’re not doing that, you’re not doing it right. I get that there are time constraints but you should factor that in when giving your estimates.
Oh I agree. It’s just not always how it goes.
Good one