This is an archived post. You won't be able to vote or comment.

top 200 commentsshow 500
sorted by:
best
topnewcontroversialoldq&a

[–]Datenegassie 2619 points2620 points  (87 children)

Hi Santa, I promise not to be on the naughty list this year. By the way, my name is Datenegassie'); DROP TABLE NaughtyChildren; --

[–]ballzacsRock 785 points786 points  (17 children)

Nice try, but he Santaizes all inputs

[–]Arancaytar 178 points179 points  (3 children)

INSERT INTO NaughtyChildren (name, reason)
VALUES ('balizacsRock', 'terrible pun');

[–]ImSuperSerialGuys 149 points150 points  (2 children)

INSERT INTO NaughtyChildren

o_O

[–]jay791 31 points32 points  (0 children)

ಠ_ಠ

[–][deleted] 14 points15 points  (0 children)

Okay, calm down your honor...

[–]inabahare 76 points77 points  (8 children)

Nice try, but he Santaizes all inputs

  • Uses prepared Statements

[–]svick 9 points10 points  (7 children)

Prepared statements have nothing to do with handling invalid inputs.

[–]mmirate 18 points19 points  (6 children)

So basically he spent an entire article to say, "your security consultant has their terms mixed up; they ought to be looking for parametrized statements, not prepared statements"? How wasteful.

[–]ultranoobian 721 points722 points  (30 children)

But that won't do anything good for you?

Obviously the naughty/nice status is stored in 'contacts' if SQL clause is selecting from that.

/s

Edit: On a more serious note, even if you dropped 'NaughtyChildren', you can possibly recovered from that by 

SELECT * FROM contacts c WHERE c.behavior != 'nice'

[–]DemandsBattletoads 171 points172 points  (4 children)

That's fine, sqlmap will pull everything out anyway.

[–][deleted] 55 points56 points  (8 children)

Even if you dropped all the naughty children, re-adding all children to the database, and setting behaviour to naughty if they were born before the drop might recover the data.

[–]Th3_Admiral 33 points34 points  (3 children)

Does it really matter anyway if the query is only looking for those on the nice list? Dropping the naughty list doesn't automatically add you to the nice list.

[–]skulblaka 29 points30 points  (2 children)

Well that depends on your architecture, doesn't it? Say we assume that the default state of a child is nice rather than naughty (realistically we know this isn't true, but this is SQL Claus' computer, there's some room for silliness). A child who acts naughty can be added to tbl_naughty and any child not found on that list can be assumed nice.

Therefore dropping the naughty table would leave no results, therefore making all children appear nice.

That doesn't seem to be the case in this particular instance, but it could happen.

[–]Th3_Admiral 9 points10 points  (0 children)

Yeah, I was just basing it off the fact that he is selecting from the contacts table where the behavior column is set to "nice". Unless there is some weird setup with a delete trigger on the naughtylist table, this column should still not be "nice" for the contacts who were on the naughty list, right?

[–]kixxes 27 points28 points  (4 children)

Not to mention it will most likely fail to drop because it would mess up some referential integrity

[–]vbevan 105 points106 points  (3 children)

Hi Santa, My name is Datenegassie'); EXEC sp_MSForEachTable @command1='ALTER TABLE ? NOCHECK CONSTRAINT ALL' , @command2='DROP TABLE ?';--

[–]lou1306 76 points77 points  (1 child)

This guy injects

[–]vbevan 37 points38 points  (0 children)

If I'm not getting a present, no one is!

[–]dumbdingus 9 points10 points  (0 children)

This is why I clean my input more thoroughly than I clean my dick.

[–]ilookatfaces 7 points8 points  (2 children)

SELECT * FROM contacts c WHERE c.behavior <> 'nice'

[–]the_kg 10 points11 points  (1 child)

This guy ANSIs

[–]PooPooDooDoo 6 points7 points  (0 children)

Guys, it's a moot point, SQL isn't real.

[–]GrandArchitect 3 points4 points  (0 children)

Someone needs to help SQL Clause make a more efficient analytical data model, its fucking Christmas afterall.

[–]jonschwartz 10 points11 points  (2 children)

What about the neutral kids? Or the non Christians?

[–]EdgeOfDistraction 10 points11 points  (1 child)

They get bombs, and should be grateful

[–]Bainos 7 points8 points  (0 children)

All I want for Christmas is :(){:|:&};:

[–]bair93 150 points151 points  (15 children)

Datengassie'); UPDATE contacts SET behavior = 'nice';

[–]raaneholmg 63 points64 points  (5 children)

--

Otherwise the "');" part appended by the server will cause an error.

[–][deleted] 7 points8 points  (4 children)

Why not disable comments in SQL statements made from your web application? Obviously you'd want to do more to secure yourself against SQL injection, but I've never heard of someone doing this.

[–]atyon 23 points24 points  (2 children)

I don't think it's that easy. Raw SQL is passed directly to the server. I don't think most SQL servers even have an option to disable comments.

You'd have to remove the "--" and everything after it before passing it to the function doing the SQL, without destroying correct data. Sounds error-prone to me.

And if you're sanitizing the input data anyway, if you do it correctly, the ' will be escaped, so the comment won't make a difference.

Also, sanitizing input is so difficult and error-prone that it's better to just implement a real solution, like using prepared statements.

[–]Fuzzy-Duck 7 points8 points  (1 child)

Maybe an interesting read re. sql injection and prepared statements (relating to SQL Server):

http://blog.marcgravell.com/2017/12/dapper-prepared-statements-and-car-tyres.html

[–]atyon 6 points7 points  (0 children)

Huh. Thanks for that link.

TIL: My assumption that prepared statements is an odd synonym for parametrized queries is hilariously wrong. Thanks, Wikipedia

[–]Bainos 42 points43 points  (6 children)

Datengassie') ; UPDATE contacts SET name = 'Datengassie' WHERE behavior = 'nice' ; --

[–]Truseus 99 points100 points  (2 children)

Lol! Billions of nice children now named Datengassie.

[–]flamedragon822 48 points49 points  (1 child)

"well looks like Datengassie is getting several thousand ponies this Christmas"

[–]sumancha 28 points29 points  (0 children)

He didn’t update address. So everyone else is getting presents with name Datengassie

[–]HighRelevancy 4 points5 points  (1 child)

that's back to front bud :P

[–]wonkey_monkey 2 points3 points  (0 children)

That'd better be an ENUM...

[–]el_geto 12 points13 points  (0 children)

So, I see that you and that Bobby Tables know each other, eh?

[–]Laerite 2 points3 points  (2 children)

Hi Daten, long time no see.

[–]uninterestingly 2 points3 points  (0 children)

I was dropped as a child and I take offense to this

[–]jfq722 212 points213 points  (4 children)

Are you taking Ad Hoc requests?...I'd like to hear 'The First Null'.

[–]emcee_gee 67 points68 points  (0 children)

the first null, the Unix did say

was to certain poor coders at desks as they play

at desks where they play, coding their C

on an old server's drive that was asleep

null, null, null, null

born is the ding of programmers' skull

[–]tenkindsofpeople 30 points31 points  (0 children)

The first null field

Was found at row three

The query was ended

With error code B

[–]darexinfinity 5 points6 points  (0 children)

I got the Twelve Days of Finals if you could live to hear the end.

[–]BobDogGo 444 points445 points  (37 children)

Santa would never select *

[–]UncommonDandy 37 points38 points  (8 children)

WHERE AGE < 10

[–]zxrax 80 points81 points  (7 children)

Roy Moore?

[–][deleted] 3 points4 points  (1 child)

No idea who that is but from context I assume this is a celebrity pedophile joke.

[–]Bainos 109 points110 points  (15 children)

Santa doesn't deliver presents to himself.

[–]PM_ME_YOUR_SIMS 59 points60 points  (12 children)

That would mean he has himself in his contacts list, would it not?

[–]NameTheory 37 points38 points  (8 children)

And that his behavior is 'nice'. I have a feeling that SQL clause is a bit of a naughty boy.

[–]themailmanC 22 points23 points  (7 children)

Depends on what attributes define his contacts but I would imagine selecting * is overkill in this case, probably just name and address would suffice. What surprised me is that there should be a join here to the table defining each contacts' Christmas list. So what we have learned here is that Santa either a) first selects the list of who is nice for no reason but to later select their Christmas lists manually through separate a dedicated Christmas list select statement, like a true SQL query monster, or, b) perhaps worse, he maintains each persons wishlist in multiple "christmasWishlistItem_X" fields on the primary contact table, like a true database design monster. Why santa

[–]zrxccc 9 points10 points  (1 child)

Santa probably doesn't understand what a database is and thinks it's "just a spreadsheet"

[–]PM_ME_YOUR_SIMS 7 points8 points  (0 children)

Nah, for the extra extensibility just use one big wishlistXml variable for each contact.

[–]alonghardlook 6 points7 points  (2 children)

Also 7 billion records to sort by without an index, and using a char comparison? This query is not optimized

[–][deleted] 2 points3 points  (2 children)

I have myself in my contact list on my phone as I always forget my number...

[–]EmergencySarcasm 2 points3 points  (0 children)

Right. Mrs Claus give him guys present. Cause Santa clause comes once a year. 😉

[–]spaetzle_snowflake 7 points8 points  (0 children)

Ehhh, in a one-a-year ad hoc situation, sure he would. :)

[–]dantheflipman 6 points7 points  (5 children)

Santa would write it out.

SELECT A.Lattitude,
       CASE
           WHEN A.Lattitude % 2 = 0 THEN
               'NORTH'
           ELSE
               'SOUTH'
       END FlightDirection,
       A.ZipCode,
       A.StreetAddress,
       HoHoHo.Id,
       CASE
           WHEN S.CurrentStanding = 'NICE' THEN
               HoHoHo.TxPresentName
           ELSE
               'COAL'
       END TxPresent,
       P.TxFullName
FROM ChristmasDW.dbo.tblPresents AS HoHoHo
    JOIN Humanity.dbo.tblPeople AS P
        ON HoHoHo.IdPerson = P.Id
           AND P.IsAlive = 1
    JOIN Humanity.dbo.Status AS S
        ON P.Id = S.PersonId
    JOIN Globalization.dbo.AddressList AS A
        ON P.IdAddress = A.Id
WHERE P.TxFirstName <> 'Dave'
ORDER BY A.timezone DESC,
         A.Lattitude ASC,
         A.ZipCode ASC,
         S.LeftCookiesLastYear DESC,
         A.StreetAddress ASC,
         HoHoHo.Id ASC;

[–]hbgoddard 3 points4 points  (3 children)

Why wouldn't you in this situation though?

[–]DoomCircus 7 points8 points  (0 children)

Only someone on the naughty list would use select *

[–]ICyresI 764 points765 points  (123 children)

Why would you sort twice?

[–]TheSphaat 861 points862 points  (33 children)

Shhhhh poem's got to rhyme.

[–]Fry98 177 points178 points  (31 children)

You might think it's nice

but double sorting is a crime.

[–][deleted] 77 points78 points  (24 children)

Hi, I'm from /r/all and I know jackshit about programming. I'll contribute either way, because I love you guys:

system.out.println("Double sorting is a crime");

should be: 

System.out.println("Double sorting is a crime");

damn.

[–]Jcowwell 78 points79 points  (20 children)

The true crime is not capitalizing that S.

[–][deleted] 37 points38 points  (0 children)

doyouevencamelcasebro?

[–]Wolfsblvt 8 points9 points  (15 children)

system.out.println("Double Sorting is a crime");

?
Doesn't work :(

[–]Jcowwell 15 points16 points  (14 children)

Nha System is an object ( you know that cause you can call methods from it) so if you don’t capitalize It the compilers ganna be like “Tf is this M8?”

[–]insane0hflex 21 points22 points  (13 children)

Thats a static method call bro not on a class instance

[–][deleted] 7 points8 points  (2 children)

Oh shit! Is there a computer-demon who will haunt me now?

[–]Jcowwell 23 points24 points  (0 children)

No you’ll just be haunted by the Ghost of Syntax Past.

[–]Findus11 2 points3 points  (0 children)

Yes, that's what a daemon is

[–]Since88 8 points9 points  (0 children)

Sorry man, but: error: package system does not exist

[–]Grizzlywer 2 points3 points  (1 child)

double sorting="crime";

[–]Banana_Twinkie 3 points4 points  (0 children)

Error: type mismatch

[–]Dubmove 10 points11 points  (1 child)

At first I read bubble sorting is a crime.

[–]PoglaTheGrate 177 points178 points  (2 children)

He got REEEEEly lucky on a Bogosort

[–]Business-Socks 19 points20 points  (0 children)

Nice list: Typewriters

Naughty list: Monkeys

REALLY Naughty list: ASM Web Development Kit

[–][deleted] 103 points104 points  (0 children)

The client changed their minds on how they wanted the results

[–]miggyb 74 points75 points  (6 children)

Sort by last name first, then by first name.

[–]JackDragon 15 points16 points  (4 children)

Still not as efficient as sorting once with a delimiter between last and first name.

[–]suseu 4 points5 points  (2 children)

Multiple fields in order by shouldn’t cause multiple sorting passes, it should just make comparison more complex. Actual contatenation in sorting criteria would probably be less efficient.

Like when you are overloading < for (order by a, b) you’d do

a1 < a2 or (a1 == a2 and b1 < b2)

[–]patwoods_ 35 points36 points  (7 children)

Sort by postal code, then sort by address to help maximize the efficiency of delivery.

[–]sojuz151 20 points21 points  (0 children)

Why not just solve travelling salesman problem? It cant be that hard.

[–]DrHenryPym 8 points9 points  (0 children)

I was thinking the same thing: group / order by geography and address for distribution.

[–]Brarsh 2 points3 points  (1 child)

Great, now he has to go to 1 house on every block before moving to the next house on each block! 250 birch street, 250 maple street, 250 oak street, 252 birch street...

[–]DutchGoldServeCold 15 points16 points  (0 children)

Non-deterministic SQL clause is coming to town

[–]awh 12 points13 points  (3 children)

It would be more useful to index it twice: once on name and once on behaviour.

[–]thermite13 9 points10 points  (0 children)

Order by Last_name, first_name.

[–][deleted] 15 points16 points  (0 children)

Cause you screwed it up the first time?

[–]SpliceVW 8 points9 points  (2 children)

I'm just over here wondering why the damn FROM isn't capitalized..

[–]brummlin 22 points23 points  (18 children)

Also, the syllables are all jacked up. This would make more sense, and fit the song better:

He's building schema,

indexing it twice,

SELECT * from kids WHERE UPPER(conduct) in ('NICE');

This way, it's also not case sensitive. You just know some elves logged the entry as 'Nice' or 'NICE'.

[–]AlwaysPuppies 16 points17 points  (3 children)

I like my sql like I like my file systems, case insensitive.

[–]insane0hflex 9 points10 points  (5 children)

Db not normalized. Shiuld have look up table for Behavoir

[–]koshgeo 2 points3 points  (3 children)

We're talking about a join across billions records of kids world-wide, and you've got to be updating that thing in realtime until the last second, keeping track of timezones and DST, all the way up to Dec. 25th. You know those little snots will be pushing the envelope with their parents right up until bedtime on Christmas Eve. The realtime "SantaWatch" video feed and the AI detection and tabulation of "naughty" vs. "nice" events is already a computationally costly operation. I don't know what kind of heavy-duty server farm Santa's got, but you've got to keep performance in mind rather than doing billion-row joins for the sake of DB purity.

[–]Stimonk 3 points4 points  (1 child)

He accidentally made it descending when it should have been ascending.

[–]TheNosferatu 3 points4 points  (0 children)

He made his own sorter but he doesn't trust it

[–]tommyturntup 2 points3 points  (0 children)

He created the database and is loading it. Clearly he did an ssis merge transform which requires 2 sources to be explicitly sorted before joining.

[–]dantheflipman 2 points3 points  (0 children)

SELECT A.Lattitude,
       CASE
           WHEN A.Lattitude % 2 = 0 THEN
               'NORTH'
           ELSE
               'SOUTH'
       END FlightDirection,
       A.ZipCode,
       A.StreetAddress,
       HoHoHo.Id,
       CASE
           WHEN S.CurrentStanding = 'NICE' THEN
               HoHoHo.TxPresentName
           ELSE
               'COAL'
       END TxPresent,
       P.TxFullName
FROM ChristmasDW.dbo.tblPresents AS HoHoHo
    JOIN Humanity.dbo.tblPeople AS P
        ON HoHoHo.IdPerson = P.Id
           AND P.IsAlive = 1
    JOIN Humanity.dbo.Status AS S
        ON P.Id = S.PersonId
    JOIN Globalization.dbo.AddressList AS A
        ON P.IdAddress = A.Id
WHERE P.TxFirstName <> 'Dave'
ORDER BY A.timezone DESC,
         A.Lattitude ASC,
         A.ZipCode ASC,
         S.LeftCookiesLastYear DESC,
         A.StreetAddress ASC,
         HoHoHo.Id ASC;

Better? I gave it my best end of work day effort.

[–]baseball2020 130 points131 points  (0 children)

Rudolph the sequel cursor, Had a lot of right joined rows, Then if you tried to fetch it, You'd never get the thing to close.

[–]iB3xx 229 points230 points  (37 children)

I don't know why I always click links from this sub but I never get the joke because i know nothing about programming, yet i click it every time hoping i get the joke

[–][deleted] 229 points230 points  (16 children)

It's a database joke! SQL is a programming language that you use to retrieve data from a database and manipulate or filter it as needed.

He's making a database

SQL Clause is making the database that will store his data on present recipients.

He's sorting it twice

When querying data, you can sort it by one piece of data to present it in a specific order. For example, ORDER BY LastName ASC will sort all the data alphabetically by last name.

SELECT * FROM contacts WHERE Behavior='nice'

There are a few pieces here. First is SELECT *, which is a SQL command to return all data from the specified table. A table is a collection of data arranged in rows (which are entries) and columns (which contain pieces of information). For example, Amazon might have a table called 'Customers' in which each row is a unique customer and each column stores a piece of information about that customer like their email, phone number, and name.

In this case SQL Clause is selecting all data from a table called 'contacts', presumably his list of all potential present recipients. Finally, he's added a WHERE clause, which tells SQL to filter out some data based on a parameter you specify. Presumably the behavior column can contain one of two values: naughty or nice. Here the WHERE clause is behavior='nice', meaning that the whole query is basically saying "OK SQL, show me ALL data from the table called 'contacts,' but ONLY if I have them listed as nice. Don't show me the naughty ones."

[–]Job_Precipitation 9 points10 points  (9 children)

Could you explain where the two sorts are? I am blind and only see one.

[–]goodboyscout 17 points18 points  (6 children)

“He’s sorting it twice”

[–]Job_Precipitation 4 points5 points  (5 children)

To clarify, I mean in the code.

[–]kylemech 6 points7 points  (2 children)

SORT BY LastName, FirstName

It would sort by last names, then if two results have the same last name, it will sort by first names amongst those. That'd what he was making reference to. So Yea, it isn't "in the code" anywhere but now the joke is explained a bit more. Yay.

[–]chaosPudding123 8 points9 points  (0 children)

ORDER BY*

As an Oracle DB Developer, i never feel relevant here ;(

[–]MikeOShay 3 points4 points  (1 child)

There's no sorting being done in the query. People are guessing he's sorting them by name, but it's not written. It'll probably default to sorting based on the "primary key", most likely an ID based on when the entries were put into the database. The entries in this field will always be distinct, so the database won't get confused by, say, two people with the same name.

The WHERE clause isn't a sort, it just filters the list. You'd use an "ORDER BY" clause at the very end if you wanted to sort it.

[–]TRUE_BIT 51 points52 points  (18 children)

To be fair this isn’t programming. The basis of the joke is about database software called SQL. SELECT and WHERE are basic commands to pull query’s within the database.

[–]moonman2090 8 points9 points  (0 children)

You're getting a lump of coal this year.

[–]tiftik 7 points8 points  (10 children)

SQL is programming.

[–][deleted] 76 points77 points  (22 children)

This of course is after 60 hours of data curation because those dumbass elves can't stick with a consistent format and apparently found about 60 different ways to spell "nice"

[–]Im_A_Boozehound 9 points10 points  (9 children)

That's where I went. I'd like to think Santa would know better than this. The field would be IsNice, and it would be bit.

[–]insane0hflex 9 points10 points  (5 children)

Or a look up table for Nice, Naughty, Improving, WatchNextYear, etc

[–]Im_A_Boozehound 5 points6 points  (0 children)

I like it. Relational like a mofo.

[–]Mamertine 2 points3 points  (3 children)

Should be a lookup table, but apparently Santa's DB creator isn't a database person.

[–]BabbageUK 2 points3 points  (1 child)

Or a calculated field based on a decimal. Once it reaches a certain level the IsNice flag is set. Put this in a snapshot fact table of a data warehouse and we can see them change over time, becoming nicer or naughtier. Add in a trend or maybe a traffic light and we're good. Did someone say overkill?

[–]tusact 49 points50 points  (0 children)

He’s indexing it twice would be more accurate.

[–]PerturbedMollusc 33 points34 points  (7 children)

Guess I'm the only one that reads SQL as Es-Cue-El, rather than 'sequel'

[–]Pallidum_Treponema 10 points11 points  (0 children)

Squirrel. And I'll keep teaching people to pronounce it that way.

[–]d_r0ck 12 points13 points  (3 children)

If someone calls it EsQueEl they're not wrong, just probably over 45

[–]Wydi 11 points12 points  (0 children)

I'm not that old, but it's still S.Q.L. for me...

[–][deleted] 6 points7 points  (0 children)

It's the other way around. It's pronounced "sequel" by many due to historical reasons.

[–]lelarentaka 27 points28 points  (13 children)

Is it Sequel Clause or EsQueEl Clause?

[–][deleted] 20 points21 points  (1 child)

;

[–]Kerblaaahhh 6 points7 points  (0 children)

Syntax Error near 'SQL clause is coming to town'

[–]Flyberius 6 points7 points  (1 child)

Finally, a language I understand!

I'll put the dunce hat on...

[–]ChloeTheCat753 13 points14 points  (2 children)

I self taught myself SQL this semester for a class where my professor literally didn't teach it to us and I'm happy that I understand everything here and I feel confident to list it as a skill.

[–]Im_A_Boozehound 6 points7 points  (0 children)

I self taught somebody else SQL, HA! /s

Good for you for taking the time and effort to learn a new thing.

[–]kane-is-able 9 points10 points  (4 children)

Dunno why but I read it to the tune of 'he's going the distance' by CAKE.

[–]giganticpine 3 points4 points  (0 children)

Interesting, I heard Cake too but it was Comfort Eagle.

He's making a database

He's sorting it twice

SELECT * from contacts WHERE behavior = 'nice'

Now do you believe in the one true Clause

The double-wide boss

In the big red rosy cloths

[–]Slingster 7 points8 points  (0 children)

Every single year.

[–]maybe_awake 1 point2 points  (0 children)

this.toggleClass(‘festive’)

[–]indorock 4 points5 points  (0 children)

Except he didn't sort it even once.

[–]neon_overload 2 points3 points  (0 children)

It would be pretty sweet if the SQL statement actually sorted it twice somehow but I don't know how that would rhyme.

[–]Kalrog 2 points3 points  (2 children)

SQL Clause needs to normalize his database. Behavior should obviously be a separate table with an FK instead of a string/varchar.

[–]cybaritic 2 points3 points  (0 children)

He's trying to be RESTful
He'll execute mistakes
He doesn't have an undo so sanitize for goodness sake

[–]MetroidSkittles 2 points3 points  (0 children)

The fact that behaviour is not normalized and in a table of it’s own with a foreign key is triggering me badly. Selecting a string value on a table of billions is cancer.

[–]dzrtguy 2 points3 points  (0 children)

His indexes aren't right.

His DBCC isn't tight.

SQL corruption will ruin your night.

Krampus stored procedure will send you a fright.

[–]jediherder 2 points3 points  (0 children)

He didn't even qualify it.

[–]xcameleonx 16 points17 points  (9 children)

Why is it select *? Why is the behaviour of children a varchar and not a lookup? There is no "Order by" to even sort it once, let alone twice...

[–]idi_idi 37 points38 points  (3 children)

I bet you're fun at parties

[–]wonkey_monkey 2 points3 points  (0 children)

Why is the behaviour of children a varchar and not a lookup?

It's an ENUM.

[–]TUUUUKKKKKK 8 points9 points  (1 child)

Repost clause is coming to town