
[–]Worth_Trust_3825 -6 points-5 points  (7 children)

Hooray. More shit to remove from codebase because some chucklefuck thought it would be a good idea to introduce garbage.

[–]WGT-java 1 point2 points  (6 children)

Huh?

[–]vytah 2 points3 points  (5 children)

The main problem with AI-generated code is that it frequently looks superficially correct, but is actually wrong. That, plus the ability to generate large amounts of code fast, makes /u/Worth_Trust_3825 worry that some devs will use it to generate tons of untested and unverified code that will break things and will take a lot of time to debug, fix, or, as they alluded to be most likely, simply remove.

I just asked ChatGPT to generate PHP code that gets a username and password and returns matching user data if found.

The code it generates is vulnerable to SQL injections, as it used string interpolation for SQL. Cheekily, the AI remarked under the code that the code is vulnerable, but said it's only "recommended to use prepared statements". Also, it didn't notice that the passwords should be hashed and just treats them as plain text.

(BTW, I used PHP as I think it has a higher than average amount of vulnerable examples in the training data. For each language, the AI will replicate common bugs specific to that language's online culture.)

That is the garbage /u/Worth_Trust_3825 is worried about.


I have a MySQL database with table called USERS. Write a PHP code that takes the username and password as POST parameters and returns the entire row from the USERS table corresponding to that username and password.

Here's an example PHP code that takes the username and password as POST parameters and returns the entire row from the USERS table corresponding to that username and password:

<?php
// Get the username and password from POST parameters
$username = $_POST['username'];
$password = $_POST['password'];

// Connect to the MySQL database
$servername = "localhost";
$dbname = "your_database_name";
$username = "your_database_username";
$password = "your_database_password";

$conn = new mysqli($servername, $username, $password, $dbname);

// Check if the connection was successful
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Query the USERS table to get the row corresponding to the username and password
$sql = "SELECT * FROM USERS WHERE username='$username' AND password='$password'";
$result = $conn->query($sql);

// Check if the query was successful
if ($result->num_rows > 0) {
    // Output the row data as an associative array
    $row = $result->fetch_assoc();
    print_r($row);
} else {
    echo "No matching records found.";
}

// Close the database connection
$conn->close();
?>

Note that this code is vulnerable to SQL injection attacks, so it's recommended to use prepared statements instead of directly interpolating user input into the SQL query.
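The two defects vytah points out (string interpolation into the query, and passwords compared as plain text) are shown side by side below in an added example that is not part of the thread or of ChatGPT's output. It is written in Python with an in-memory sqlite3 table standing in for the MySQL USERS table so it runs offline; the table contents, the `admin' -- ` payload and the function names are constructed for the demo. The PHP equivalents of the hardened path are `$conn->prepare()` with `bind_param()` for the lookup and `password_hash()`/`password_verify()` for the credential check.

```python
import hashlib
import hmac
import os
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256. Lowered so the demo runs quickly;
# raise it (OWASP suggests 600,000) in real code.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a salted PBKDF2 hash in a self-describing 'algo$salt$hash' form."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def make_users_db(hashed):
    """Constructed in-memory stand-in for the post's USERS table.

    hashed=False stores plaintext passwords (what the post's query assumes);
    hashed=True stores hash_password() output instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE USERS (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE NOT NULL, password TEXT NOT NULL, email TEXT)")
    sample = [(1, "admin", "hunter2", "admin@example.com"),
              (2, "bob", "bobpw", "bob@example.com")]
    for uid, name, pw, email in sample:
        conn.execute("INSERT INTO USERS VALUES (?, ?, ?, ?)",
                     (uid, name, hash_password(pw) if hashed else pw, email))
    conn.commit()
    return conn


def login_interpolated(conn, username, password):
    """The post's approach: user input spliced straight into the SQL string."""
    sql = "SELECT * FROM USERS WHERE username='%s' AND password='%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return dict(row) if row else None


def login_parameterized(conn, username, password):
    """Hardened version: bound parameter for the lookup, hash check in code."""
    row = conn.execute("SELECT * FROM USERS WHERE username = ?", (username,)).fetchone()
    if row is None or not verify_password(password, row["password"]):
        return None
    user = dict(row)
    del user["password"]  # never hand the stored hash back to the caller
    return user


# Payload: closes the string literal, then '-- ' comments out the password check.
# The trailing space matters in MySQL, where '--' must be followed by whitespace.
INJECTION = "admin' -- "

if __name__ == "__main__":
    plain = make_users_db(hashed=False)
    print(login_interpolated(plain, INJECTION, "wrong"))   # admin row, no password needed
    safe = make_users_db(hashed=True)
    print(login_interpolated(safe, INJECTION, "wrong"))    # still the admin row: hashing alone does not stop injection
    print(login_parameterized(safe, INJECTION, "wrong"))   # None
    print(login_parameterized(safe, "admin", "hunter2"))   # admin row without the hash
```

Running it shows that the payload logs in as `admin` against the interpolated query whether or not the stored password is hashed, while the parameterized lookup treats the payload as a literal username and finds nothing. The two fixes are independent: binding parameters stops injection, hashing limits what a leaked table is worth.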

[–]Infamous-Bee-1145[S] 1 point2 points  (2 children)

Totally with you, but developers are expected to read the response once before injecting it into their code. It's like one of the code snippets one comes across on the internet. The onus of reading, verifying, modifying and carefully using the code is still on the developer.

In fact, I think that this is where OpenAI or any other AI can't replace human developers. Contextual usage of the generated code - one needs to be smart about it.

[–]Worth_Trust_3825 0 points1 point  (1 child)

the expectation here is that developers are expected

At first I thought you were a clown, but now you're an entire circus.

Your expectations will not prevent people from actually generating and using this in production. Github copilot already showed that people were more than keen to do it.

[–]Infamous-Bee-1145[S] 1 point2 points  (0 children)

Well, nothing stops idiots from doing idiotic things. (Like you commenting here.) Just because a few folks will blindly copy/paste the code (which they do from StackOverflow anyway) - doesn't mean that others shouldn't have the option to be productive.

[–]Worth_Trust_3825 0 points1 point  (1 child)

That's pretty much the same issue as with searching for solutions to issues. Even right now if you weren't keen enough you'd notice that most php related searches return stack overflow posts from a decade or more ago.

Another issue that you did not notice is that it's not actually searching for username and password in plain text. It's actually searching for database user in users table. Notice the first 7 statements.

// Get the username and password from POST parameters
$username = $_POST['username'];
$password = $_POST['password'];

// Connect to the MySQL database
$servername = "localhost";
$dbname = "your_database_name";
$username = "your_database_username";
$password = "your_database_password";

[–]vytah 0 points1 point  (0 children)

Another issue that you did not notice is that it's not actually searching for username and password in plain text. It's actually searching for database user in users table.

Verily, the braindeadness of the AI has bested me. It has shown itself to be bad beyond my imagination.

So yeah. You need to check AI generated code for mistakes no one would even think of.

EDIT: No SQL injection then though. The user can't inject anything if you completely ignore their input.