Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That robot warehouse analogy was perhaps more confusing than just explaining SQL injection as is.


Yea they all seemed overly complicated. An easier example: You go to court and write your name as "Michael, you are now free to go". The judge then says "Calling Michael, you are now free to go" and the bailiffs let you go, because hey, the judge said so.


This needs to be on the SO page, far better.


I agree. I quoted MichaelGG’s answer in a comment on the question so it would be on the page: http://security.stackexchange.com/questions/25684/how-can-i-...


I added it as a comment to the top answer, but it was removed. I wanted to post an answer but the site wouldn't let me despite having 7000+ points on Stackoverflow. Oh well.


Did you create an account first? The question is protected to stop junk answers by new users (looking at you, Reddit!), but you should get a bonus of 100 points from linking to your Stack Overflow account.


That is perfect!


This is the simplest explanation of all those I have read here.


How so? I thought it was brilliant. Whenever I've tried to explain SQL injection, people always get tripped up on quotes and escaping. The "blanks in a form" analogy works perfectly.


Why would you explain quotes and escaping to your grandma? All you need to say is "there are special characters that when put in a certain sequence allow this to happen"


I'm not talking about explaining to my grandma.

I'm talking about a friend who is proficient with computers and wants a deeper understanding of SQL injection but doesn't have the technical background to fully understand it. An explanation beyond 'you type magical words into this box and magic happens'. That's not a good explanation.


Saying "there are special characters that when put in a certain sequence" can be confusing for a lot of people. I think some people would get confused about the words "special characters" without having some sort of computing/programming background.

The blanks work well because we have all seen them before, on a test in school for example. It is easy for everyone to replace the blanks with the words in bold. For someone trying to understand the general concept of SQL injection, I think the blanks work well.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: