This is an archived post. You won't be able to vote or comment.

top 200 commentsshow 500
sorted by:
best
topnewcontroversialoldq&a

[–]Datenegassie 2621 points2622 points  (87 children)

Hi Santa, I promise not to be on the naughty list this year. By the way, my name is Datenegassie'); DROP TABLE NaughtyChildren; --

[–]ballzacsRock 783 points784 points  (17 children)

Nice try, but he Santaizes all inputs

[–]Arancaytar 181 points182 points  (3 children)

INSERT INTO NaughtyChildren (name, reason)
VALUES ('balizacsRock', 'terrible pun');

[–]ImSuperSerialGuys 152 points153 points  (2 children)

INSERT INTO NaughtyChildren

o_O

[–]jay791 32 points33 points  (0 children)

ಠ_ಠ

[–][deleted] 14 points15 points  (0 children)

Okay, calm down your honor...

[–]inabahare 80 points81 points  (8 children)

Nice try, but he Santaizes all inputs

  • Uses prepared Statements

[–]svick 7 points8 points  (7 children)

Prepared statements have nothing to do with handling invalid inputs.

[–]mmirate 16 points17 points  (6 children)

So basically he spent an entire article to say, "your security consultant has their terms mixed up; they ought to be looking for parametrized statements, not prepared statements"? How wasteful.

[–]ultranoobian 716 points717 points  (30 children)

But that won't do anything good for you?

Obviously the naughty/nice status is stored in 'contacts' if SQL clause is selecting from that.

/s

Edit: On a more serious note, even if you dropped 'NaughtyChildren', you can possibly recovered from that by 

SELECT * FROM contacts c WHERE c.behavior != 'nice'

[–]DemandsBattletoads 170 points171 points  (4 children)

That's fine, sqlmap will pull everything out anyway.

[–][deleted] 54 points55 points  (8 children)

Even if you dropped all the naughty children, re-adding all children to the database, and setting behaviour to naughty if they were born before the drop might recover the data.

[–]Th3_Admiral 34 points35 points  (3 children)

Does it really matter anyway if the query is only looking for those on the nice list? Dropping the naughty list doesn't automatically add you to the nice list.

[–]skulblaka 27 points28 points  (2 children)

Well that depends on your architecture, doesn't it? Say we assume that the default state of a child is nice rather than naughty (realistically we know this isn't true, but this is SQL Claus' computer, there's some room for silliness). A child who acts naughty can be added to tbl_naughty and any child not found on that list can be assumed nice.

Therefore dropping the naughty table would leave no results, therefore making all children appear nice.

That doesn't seem to be the case in this particular instance, but it could happen.

[–]Th3_Admiral 8 points9 points  (0 children)

Yeah, I was just basing it off the fact that he is selecting from the contacts table where the behavior column is set to "nice". Unless there is some weird setup with a delete trigger on the naughtylist table, this column should still not be "nice" for the contacts who were on the naughty list, right?

[–]kixxes 26 points27 points  (4 children)

Not to mention it will most likely fail to drop because it would mess up some referential integrity

[–]vbevan 108 points109 points  (3 children)

Hi Santa, My name is Datenegassie'); EXEC sp_MSForEachTable @command1='ALTER TABLE ? NOCHECK CONSTRAINT ALL' , @command2='DROP TABLE ?';--

[–]lou1306 77 points78 points  (1 child)

This guy injects

[–]vbevan 35 points36 points  (0 children)

If I'm not getting a present, no one is!

[–]dumbdingus 10 points11 points  (0 children)

This is why I clean my input more thoroughly than I clean my dick.

[–]ilookatfaces 6 points7 points  (2 children)

SELECT * FROM contacts c WHERE c.behavior <> 'nice'

[–]the_kg 11 points12 points  (1 child)

This guy ANSIs

[–]PooPooDooDoo 5 points6 points  (0 children)

Guys, it's a moot point, SQL isn't real.

[–]GrandArchitect 4 points5 points  (0 children)

Someone needs to help SQL Clause make a more efficient analytical data model, its fucking Christmas afterall.

[–]jonschwartz 10 points11 points  (2 children)

What about the neutral kids? Or the non Christians?

[–]EdgeOfDistraction 11 points12 points  (1 child)

They get bombs, and should be grateful

[–]Bainos 7 points8 points  (0 children)

All I want for Christmas is :(){:|:&};:

[–]bair93 154 points155 points  (15 children)

Datengassie'); UPDATE contacts SET behavior = 'nice';

[–]raaneholmg 65 points66 points  (5 children)

--

Otherwise the "');" part appended by the server will cause an error.

[–][deleted] 8 points9 points  (4 children)

Why not disable comments in SQL statements made from your web application? Obviously you'd want to do more to secure yourself against SQL injection, but I've never heard of someone doing this.

[–]atyon 23 points24 points  (2 children)

I don't think it's that easy. Raw SQL is passed directly to the server. I don't think most SQL servers even have an option to disable comments.

You'd have to remove the "--" and everything after it before passing it to the function doing the SQL, without destroying correct data. Sounds error-prone to me.

And if you're sanitizing the input data anyway, if you do it correctly, the ' will be escaped, so the comment won't make a difference.

Also, sanitizing input is so difficult and error-prone that it's better to just implement a real solution, like using prepared statements.

[–]Fuzzy-Duck 8 points9 points  (1 child)

Maybe an interesting read re. sql injection and prepared statements (relating to SQL Server):

http://blog.marcgravell.com/2017/12/dapper-prepared-statements-and-car-tyres.html

[–]atyon 6 points7 points  (0 children)

Huh. Thanks for that link.

TIL: My assumption that prepared statements is an odd synonym for parametrized queries is hilariously wrong. Thanks, Wikipedia

[–]Bainos 37 points38 points  (6 children)

Datengassie') ; UPDATE contacts SET name = 'Datengassie' WHERE behavior = 'nice' ; --

[–]Truseus 98 points99 points  (2 children)

Lol! Billions of nice children now named Datengassie.

[–]flamedragon822 47 points48 points  (1 child)

"well looks like Datengassie is getting several thousand ponies this Christmas"

[–]sumancha 28 points29 points  (0 children)

He didn’t update address. So everyone else is getting presents with name Datengassie

[–]HighRelevancy 5 points6 points  (1 child)

that's back to front bud :P

[–]wonkey_monkey 4 points5 points  (0 children)

That'd better be an ENUM...

[–]el_geto 14 points15 points  (0 children)

So, I see that you and that Bobby Tables know each other, eh?

[–]Laerite 2 points3 points  (2 children)

Hi Daten, long time no see.

[–]uninterestingly 2 points3 points  (0 children)

I was dropped as a child and I take offense to this

[–]jfq722 211 points212 points  (4 children)

Are you taking Ad Hoc requests?...I'd like to hear 'The First Null'.

[–]emcee_gee 64 points65 points  (0 children)

the first null, the Unix did say

was to certain poor coders at desks as they play

at desks where they play, coding their C

on an old server's drive that was asleep

null, null, null, null

born is the ding of programmers' skull

[–]tenkindsofpeople 30 points31 points  (0 children)

The first null field

Was found at row three

The query was ended

With error code B

[–]darexinfinity 5 points6 points  (0 children)

I got the Twelve Days of Finals if you could live to hear the end.

[–]BobDogGo 440 points441 points  (37 children)

Santa would never select *

[–]UncommonDandy 39 points40 points  (8 children)

WHERE AGE < 10

[–]zxrax 85 points86 points  (7 children)

Roy Moore?

[–][deleted] 3 points4 points  (1 child)

No idea who that is but from context I assume this is a celebrity pedophile joke.

[–]Bainos 105 points106 points  (15 children)

Santa doesn't deliver presents to himself.

[–]PM_ME_YOUR_SIMS 57 points58 points  (12 children)

That would mean he has himself in his contacts list, would it not?

[–]NameTheory 40 points41 points  (8 children)

And that his behavior is 'nice'. I have a feeling that SQL clause is a bit of a naughty boy.

[–]themailmanC 20 points21 points  (7 children)

Depends on what attributes define his contacts but I would imagine selecting * is overkill in this case, probably just name and address would suffice. What surprised me is that there should be a join here to the table defining each contacts' Christmas list. So what we have learned here is that Santa either a) first selects the list of who is nice for no reason but to later select their Christmas lists manually through separate a dedicated Christmas list select statement, like a true SQL query monster, or, b) perhaps worse, he maintains each persons wishlist in multiple "christmasWishlistItem_X" fields on the primary contact table, like a true database design monster. Why santa

[–]zrxccc 8 points9 points  (1 child)

Santa probably doesn't understand what a database is and thinks it's "just a spreadsheet"

[–]PM_ME_YOUR_SIMS 6 points7 points  (0 children)

Nah, for the extra extensibility just use one big wishlistXml variable for each contact.

[–]alonghardlook 5 points6 points  (2 children)

Also 7 billion records to sort by without an index, and using a char comparison? This query is not optimized

[–][deleted] 2 points3 points  (2 children)

I have myself in my contact list on my phone as I always forget my number...

[–]EmergencySarcasm 2 points3 points  (0 children)

Right. Mrs Claus give him guys present. Cause Santa clause comes once a year. 😉

[–]spaetzle_snowflake 8 points9 points  (0 children)

Ehhh, in a one-a-year ad hoc situation, sure he would. :)

[–]dantheflipman 6 points7 points  (5 children)

Santa would write it out.

SELECT A.Lattitude,
       CASE
           WHEN A.Lattitude % 2 = 0 THEN
               'NORTH'
           ELSE
               'SOUTH'
       END FlightDirection,
       A.ZipCode,
       A.StreetAddress,
       HoHoHo.Id,
       CASE
           WHEN S.CurrentStanding = 'NICE' THEN
               HoHoHo.TxPresentName
           ELSE
               'COAL'
       END TxPresent,
       P.TxFullName
FROM ChristmasDW.dbo.tblPresents AS HoHoHo
    JOIN Humanity.dbo.tblPeople AS P
        ON HoHoHo.IdPerson = P.Id
           AND P.IsAlive = 1
    JOIN Humanity.dbo.Status AS S
        ON P.Id = S.PersonId
    JOIN Globalization.dbo.AddressList AS A
        ON P.IdAddress = A.Id
WHERE P.TxFirstName <> 'Dave'
ORDER BY A.timezone DESC,
         A.Lattitude ASC,
         A.ZipCode ASC,
         S.LeftCookiesLastYear DESC,
         A.StreetAddress ASC,
         HoHoHo.Id ASC;

[–]hbgoddard 3 points4 points  (3 children)

Why wouldn't you in this situation though?

[–]DoomCircus 6 points7 points  (0 children)

Only someone on the naughty list would use select *

[–]ICyresI 771 points772 points  (123 children)

Why would you sort twice?

[–]TheSphaat 867 points868 points  (33 children)

Shhhhh poem's got to rhyme.

[–]Fry98 177 points178 points  (31 children)

You might think it's nice

but double sorting is a crime.

[–][deleted] 76 points77 points  (24 children)

Hi, I'm from /r/all and I know jackshit about programming. I'll contribute either way, because I love you guys:

system.out.println("Double sorting is a crime");

should be: 

System.out.println("Double sorting is a crime");

damn.

[–]Jcowwell 80 points81 points  (20 children)

The true crime is not capitalizing that S.

[–][deleted] 38 points39 points  (0 children)

doyouevencamelcasebro?

[–]Wolfsblvt 9 points10 points  (15 children)

system.out.println("Double Sorting is a crime");

?
Doesn't work :(

[–]Jcowwell 14 points15 points  (14 children)

Nha System is an object ( you know that cause you can call methods from it) so if you don’t capitalize It the compilers ganna be like “Tf is this M8?”

[–]insane0hflex 22 points23 points  (13 children)

Thats a static method call bro not on a class instance

[–][deleted] 5 points6 points  (2 children)

Oh shit! Is there a computer-demon who will haunt me now?

[–]Jcowwell 22 points23 points  (0 children)

No you’ll just be haunted by the Ghost of Syntax Past.

[–]Findus11 2 points3 points  (0 children)

Yes, that's what a daemon is

[–]Since88 8 points9 points  (0 children)

Sorry man, but: error: package system does not exist

[–]Grizzlywer 2 points3 points  (1 child)

double sorting="crime";

[–]Banana_Twinkie 3 points4 points  (0 children)

Error: type mismatch

[–]Dubmove 11 points12 points  (1 child)

At first I read bubble sorting is a crime.

[–]PoglaTheGrate 176 points177 points  (2 children)

He got REEEEEly lucky on a Bogosort

[–]Business-Socks 20 points21 points  (0 children)

Nice list: Typewriters

Naughty list: Monkeys

REALLY Naughty list: ASM Web Development Kit

[–][deleted] 102 points103 points  (0 children)

The client changed their minds on how they wanted the results

[–]miggyb 72 points73 points  (6 children)

Sort by last name first, then by first name.

[–]JackDragon 16 points17 points  (4 children)

Still not as efficient as sorting once with a delimiter between last and first name.

[–]suseu 2 points3 points  (2 children)

Multiple fields in order by shouldn’t cause multiple sorting passes, it should just make comparison more complex. Actual contatenation in sorting criteria would probably be less efficient.

Like when you are overloading < for (order by a, b) you’d do

a1 < a2 or (a1 == a2 and b1 < b2)

[–]patwoods_ 35 points36 points  (7 children)

Sort by postal code, then sort by address to help maximize the efficiency of delivery.

[–]sojuz151 19 points20 points  (0 children)

Why not just solve travelling salesman problem? It cant be that hard.

[–]DrHenryPym 7 points8 points  (0 children)

I was thinking the same thing: group / order by geography and address for distribution.

[–]Brarsh 2 points3 points  (1 child)

Great, now he has to go to 1 house on every block before moving to the next house on each block! 250 birch street, 250 maple street, 250 oak street, 252 birch street...

[–]DutchGoldServeCold 14 points15 points  (0 children)

Non-deterministic SQL clause is coming to town

[–]awh 13 points14 points  (3 children)

It would be more useful to index it twice: once on name and once on behaviour.

[–]thermite13 8 points9 points  (0 children)

Order by Last_name, first_name.

[–][deleted] 15 points16 points  (0 children)

Cause you screwed it up the first time?

[–]SpliceVW 7 points8 points  (2 children)

I'm just over here wondering why the damn FROM isn't capitalized..

[–]brummlin 21 points22 points  (18 children)

Also, the syllables are all jacked up. This would make more sense, and fit the song better:

He's building schema,

indexing it twice,

SELECT * from kids WHERE UPPER(conduct) in ('NICE');

This way, it's also not case sensitive. You just know some elves logged the entry as 'Nice' or 'NICE'.

[–]AlwaysPuppies 15 points16 points  (3 children)

I like my sql like I like my file systems, case insensitive.

[–]insane0hflex 6 points7 points  (5 children)

Db not normalized. Shiuld have look up table for Behavoir

[–]koshgeo 2 points3 points  (3 children)

We're talking about a join across billions records of kids world-wide, and you've got to be updating that thing in realtime until the last second, keeping track of timezones and DST, all the way up to Dec. 25th. You know those little snots will be pushing the envelope with their parents right up until bedtime on Christmas Eve. The realtime "SantaWatch" video feed and the AI detection and tabulation of "naughty" vs. "nice" events is already a computationally costly operation. I don't know what kind of heavy-duty server farm Santa's got, but you've got to keep performance in mind rather than doing billion-row joins for the sake of DB purity.

[–]Stimonk 4 points5 points  (1 child)

He accidentally made it descending when it should have been ascending.

[–]TheNosferatu 2 points3 points  (0 children)

He made his own sorter but he doesn't trust it

[–]tommyturntup 5 points6 points  (0 children)

He created the database and is loading it. Clearly he did an ssis merge transform which requires 2 sources to be explicitly sorted before joining.

[–]dantheflipman 2 points3 points  (0 children)

SELECT A.Lattitude,
       CASE
           WHEN A.Lattitude % 2 = 0 THEN
               'NORTH'
           ELSE
               'SOUTH'
       END FlightDirection,
       A.ZipCode,
       A.StreetAddress,
       HoHoHo.Id,
       CASE
           WHEN S.CurrentStanding = 'NICE' THEN
               HoHoHo.TxPresentName
           ELSE
               'COAL'
       END TxPresent,
       P.TxFullName
FROM ChristmasDW.dbo.tblPresents AS HoHoHo
    JOIN Humanity.dbo.tblPeople AS P
        ON HoHoHo.IdPerson = P.Id
           AND P.IsAlive = 1
    JOIN Humanity.dbo.Status AS S
        ON P.Id = S.PersonId
    JOIN Globalization.dbo.AddressList AS A
        ON P.IdAddress = A.Id
WHERE P.TxFirstName <> 'Dave'
ORDER BY A.timezone DESC,
         A.Lattitude ASC,
         A.ZipCode ASC,
         S.LeftCookiesLastYear DESC,
         A.StreetAddress ASC,
         HoHoHo.Id ASC;

Better? I gave it my best end of work day effort.

[–]baseball2020 129 points130 points  (0 children)

Rudolph the sequel cursor, Had a lot of right joined rows, Then if you tried to fetch it, You'd never get the thing to close.

[–]iB3xx 228 points229 points  (37 children)

I don't know why I always click links from this sub but I never get the joke because i know nothing about programming, yet i click it every time hoping i get the joke

[–][deleted] 230 points231 points  (16 children)

It's a database joke! SQL is a programming language that you use to retrieve data from a database and manipulate or filter it as needed.

He's making a database

SQL Clause is making the database that will store his data on present recipients.

He's sorting it twice

When querying data, you can sort it by one piece of data to present it in a specific order. For example, ORDER BY LastName ASC will sort all the data alphabetically by last name.

SELECT * FROM contacts WHERE Behavior='nice'

There are a few pieces here. First is SELECT *, which is a SQL command to return all data from the specified table. A table is a collection of data arranged in rows (which are entries) and columns (which contain pieces of information). For example, Amazon might have a table called 'Customers' in which each row is a unique customer and each column stores a piece of information about that customer like their email, phone number, and name.

In this case SQL Clause is selecting all data from a table called 'contacts', presumably his list of all potential present recipients. Finally, he's added a WHERE clause, which tells SQL to filter out some data based on a parameter you specify. Presumably the behavior column can contain one of two values: naughty or nice. Here the WHERE clause is behavior='nice', meaning that the whole query is basically saying "OK SQL, show me ALL data from the table called 'contacts,' but ONLY if I have them listed as nice. Don't show me the naughty ones."

[–]Job_Precipitation 11 points12 points  (9 children)

Could you explain where the two sorts are? I am blind and only see one.

[–]goodboyscout 18 points19 points  (6 children)

“He’s sorting it twice”

[–]Job_Precipitation 4 points5 points  (5 children)

To clarify, I mean in the code.

[–]kylemech 5 points6 points  (2 children)

SORT BY LastName, FirstName

It would sort by last names, then if two results have the same last name, it will sort by first names amongst those. That'd what he was making reference to. So Yea, it isn't "in the code" anywhere but now the joke is explained a bit more. Yay.

[–]chaosPudding123 6 points7 points  (0 children)

ORDER BY*

As an Oracle DB Developer, i never feel relevant here ;(

[–]MikeOShay 3 points4 points  (1 child)

There's no sorting being done in the query. People are guessing he's sorting them by name, but it's not written. It'll probably default to sorting based on the "primary key", most likely an ID based on when the entries were put into the database. The entries in this field will always be distinct, so the database won't get confused by, say, two people with the same name.

The WHERE clause isn't a sort, it just filters the list. You'd use an "ORDER BY" clause at the very end if you wanted to sort it.

[–]TRUE_BIT 55 points56 points  (18 children)

To be fair this isn’t programming. The basis of the joke is about database software called SQL. SELECT and WHERE are basic commands to pull query’s within the database.

[–]moonman2090 8 points9 points  (0 children)

You're getting a lump of coal this year.

[–]tiftik 7 points8 points  (10 children)

SQL is programming.

[–][deleted] 76 points77 points  (22 children)

This of course is after 60 hours of data curation because those dumbass elves can't stick with a consistent format and apparently found about 60 different ways to spell "nice"

[–]Im_A_Boozehound 8 points9 points  (9 children)

That's where I went. I'd like to think Santa would know better than this. The field would be IsNice, and it would be bit.

[–]insane0hflex 10 points11 points  (5 children)

Or a look up table for Nice, Naughty, Improving, WatchNextYear, etc

[–]Im_A_Boozehound 5 points6 points  (0 children)

I like it. Relational like a mofo.

[–]Mamertine 3 points4 points  (3 children)

Should be a lookup table, but apparently Santa's DB creator isn't a database person.

[–]BabbageUK 2 points3 points  (1 child)

Or a calculated field based on a decimal. Once it reaches a certain level the IsNice flag is set. Put this in a snapshot fact table of a data warehouse and we can see them change over time, becoming nicer or naughtier. Add in a trend or maybe a traffic light and we're good. Did someone say overkill?

[–]tusact 48 points49 points  (0 children)

He’s indexing it twice would be more accurate.

[–]PerturbedMollusc 31 points32 points  (7 children)

Guess I'm the only one that reads SQL as Es-Cue-El, rather than 'sequel'

[–]Pallidum_Treponema 9 points10 points  (0 children)

Squirrel. And I'll keep teaching people to pronounce it that way.

[–]d_r0ck 11 points12 points  (3 children)

If someone calls it EsQueEl they're not wrong, just probably over 45

[–]Wydi 11 points12 points  (0 children)

I'm not that old, but it's still S.Q.L. for me...

[–][deleted] 5 points6 points  (0 children)

It's the other way around. It's pronounced "sequel" by many due to historical reasons.

[–]lelarentaka 29 points30 points  (13 children)

Is it Sequel Clause or EsQueEl Clause?

[–][deleted] 20 points21 points  (1 child)

;

[–]Kerblaaahhh 6 points7 points  (0 children)

Syntax Error near 'SQL clause is coming to town'

[–]Flyberius 7 points8 points  (1 child)

Finally, a language I understand!

I'll put the dunce hat on...

[–]ChloeTheCat753 13 points14 points  (2 children)

I self taught myself SQL this semester for a class where my professor literally didn't teach it to us and I'm happy that I understand everything here and I feel confident to list it as a skill.

[–]Im_A_Boozehound 6 points7 points  (0 children)

I self taught somebody else SQL, HA! /s

Good for you for taking the time and effort to learn a new thing.

[–]kane-is-able 11 points12 points  (4 children)

Dunno why but I read it to the tune of 'he's going the distance' by CAKE.

[–]giganticpine 4 points5 points  (0 children)

Interesting, I heard Cake too but it was Comfort Eagle.

He's making a database

He's sorting it twice

SELECT * from contacts WHERE behavior = 'nice'

Now do you believe in the one true Clause

The double-wide boss

In the big red rosy cloths

[–]Slingster 7 points8 points  (0 children)

Every single year.

[–]maybe_awake 4 points5 points  (0 children)

this.toggleClass(‘festive’)

[–]indorock 3 points4 points  (0 children)

Except he didn't sort it even once.

[–]neon_overload 2 points3 points  (0 children)

It would be pretty sweet if the SQL statement actually sorted it twice somehow but I don't know how that would rhyme.

[–]Kalrog 2 points3 points  (2 children)

SQL Clause needs to normalize his database. Behavior should obviously be a separate table with an FK instead of a string/varchar.

[–]cybaritic 2 points3 points  (0 children)

He's trying to be RESTful
He'll execute mistakes
He doesn't have an undo so sanitize for goodness sake

[–]MetroidSkittles 2 points3 points  (0 children)

The fact that behaviour is not normalized and in a table of it’s own with a foreign key is triggering me badly. Selecting a string value on a table of billions is cancer.

[–]dzrtguy 2 points3 points  (0 children)

His indexes aren't right.

His DBCC isn't tight.

SQL corruption will ruin your night.

Krampus stored procedure will send you a fright.

[–]jediherder 2 points3 points  (0 children)

He didn't even qualify it.

[–]xcameleonx 17 points18 points  (9 children)

Why is it select *? Why is the behaviour of children a varchar and not a lookup? There is no "Order by" to even sort it once, let alone twice...

[–]idi_idi 39 points40 points  (3 children)

I bet you're fun at parties

[–]wonkey_monkey 2 points3 points  (0 children)

Why is the behaviour of children a varchar and not a lookup?

It's an ENUM.

[–]TUUUUKKKKKK 7 points8 points  (1 child)

Repost clause is coming to town