Go Home Bob You're Drunk
What follows is a tongue-in-cheek response; hopefully Bob is cool with it:
Ah, good ol' Uncle Bob (Robert C. Martin) made a blog post a few days ago entitled "Bobby Tables" (most likely a reference to this xkcd comic):
Great xkcd comic, as always. It's funny because it's true: SQL injections are bad, like really bad.
I'm not sure if Bob was actually drunk, but the logic that follows is, erm, not right: since SQL injections are possible, ergo SQL is flawed?
Bob then makes a radical announcement:
here’s an idea STOP USING SQL!
Whoa, hey Uncle Bob, slow down there! Let's not throw the baby out with the bathwater, shall we?
SQL is just fine; gluing raw user input into a query string, on the other hand, is akin to self-harm. Like the good doctor tells us, "if it hurts, stop doing it". Are there people still out there making this mistake? Most likely, but sadly we can't just fix stupid. Is using proper parameterised SQL (placeholders in the query, with the value handed to the driver separately so it is never parsed as SQL) hard or arcane? Not really. Sanitising and validating input is a fine extra layer, but parameterised queries are the actual fix, because hand-rolled escaping is easy to get wrong. There is no excuse: almost every modern framework or library can do this (and if yours can't, lol, that's a library problem, not a SQL problem).
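To make the point concrete, here is an added example (my own code, not anything from Bob's post or the xkcd comic) in Python with the standard-library sqlite3 driver. It puts a string-concatenated lookup next to the parameterised version, runs a handful of constructed injection payloads through both, and also checks what happens to an honest name containing an apostrophe. The table contents and the payload list are constructed for the demo. Note that sqlite3's execute() refuses stacked statements, so the classic Bobby Tables "'; DROP TABLE" payload would raise an error here rather than drop anything; the payloads below instead widen or rewrite the WHERE clause, which is the everyday data-leak form of the bug.

```python
import sqlite3

# Constructed sample data for the demo: a tiny in-memory users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The bug: user input is spliced into the SQL text, so the database parses
    # whatever the user typed as part of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    # The fix: a placeholder in the SQL, the value passed separately. The driver
    # binds it as data; it is never tokenised as SQL, quotes and all.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed injection payloads (assumed inputs for the demo, not from any real attack).
PAYLOADS = [
    "' OR '1'='1",                               # WHERE clause becomes always-true
    "' OR 1=1 --",                               # comment out the trailing quote
    "' UNION SELECT name, email FROM users --",  # bolt on a second SELECT
]


def probe(lookup):
    """Run each payload through a lookup function and return the ones that leak rows.

    No real user is literally named "' OR '1'='1", so any rows coming back
    means the input was interpreted as SQL rather than as a name.
    """
    leaks = []
    for payload in PAYLOADS:
        conn = make_db()
        try:
            rows = lookup(conn, payload)
        except sqlite3.Error:
            rows = []  # a syntax error is noisy, but it is not a leak
        if rows:
            leaks.append(payload)
    return leaks


def handles_apostrophe(lookup):
    """True if a legitimate name containing a quote does not blow up the query.

    This is the correctness half of the argument: string-splicing breaks on
    perfectly honest input, parameterisation does not.
    """
    try:
        lookup(make_db(), "O'Brien")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_parameterised)):
        print(f"{label:14s} leaks: {probe(fn)}  handles O'Brien: {handles_apostrophe(fn)}")
```

The probe is the one-line version of what the injection scanners in the next section do: throw known payloads at an input and see whether the answer changes. It will only ever find the payload shapes it knows about, which is exactly why the parameterised function, not the scanner, is the thing that makes the bug go away.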
Bob goes on to drive the message home, voice now slurred and dazed:
so long as there is a SQL engine in the system, there is simply no reliable way to guarantee that such an attack can be prevented?
If only there were some kind of automated tool, a tool that could test for SQL injections. Oh my! (3 Google seconds later):
sql injection penetration testing tools
Holy Batman, look!! 509K hits. Such results, much hits, so happy. (They'll catch the obvious ones; they still won't save you from concatenating strings into queries, so parameterise first and scan second.)
Conclusion:
Keep calm and carry on using SQL (parameterised SQL of course, we're not savages after all).