← Back to context

Comment by dhosek

6 years ago

Nah, because it's not unsanitized SQL at fault, but people writing a literal NULL in the license plate field when there isn't one.

22 comments

dhosek

Reply
jerf  6 years ago

I doubt that. Normal people do not tend to use the word NULL at all.

What this usually is is the result of systems that talk to systems that talk to systems that talk to systems, all in different legacy formats never written to be interchange formats. One system has true SQL NULLs, the next system down the chain only accepts strings for that field, NULL gets written as the most sensible string, and then from that point on all downstream systems can't tell the difference between the original system having had an SQL NULL or having had the string NULL.

  • slips  6 years ago

    Did you read the article? It literally says people at a private citation outfit put NULL in the license plate field when there is no number available.

    • jerf  6 years ago

      And I still expect my story is more accurate, with theirs being a reasonable expectation of what you'd get when some techie tells their manager what happened, who tells their manager, who tells the reporter.

      To be clear, I'm not denying that what you say is literally true, just that by the time I'm done filtering that particular fact through my personal belief network and personal experiences, I still end up saying that my story is more likely. It's true enough that they put a "NULL" in, it's just that the way the private firm does that is most likely that the field agents leave it blank, some software somewhere puts a NULL in some database, and the report that comes out for the enforcing authority has NULL in it. For a reporter, it's not a false statement, it's just not all the technical details.

      With this story, the responsibility ends up distributed in a very plausible manner I've seen many times over; HN readers could fill in a dozens of similar stories no problem. It's a problem characteristic of these sorts of systems and the way they tend to communicate with each other.

      2 replies →

    • vinceguidry  6 years ago

      As per HN guidelines, please don't ask or insinuate that someone's not read the article, instead just quote the relevant part.

hn_throwaway_99  6 years ago

Actually, I think it's doubtful the folks at the private processing facility are actually writing 'NULL', but my guess is the DB field is just not set (i.e. left as NULL), and then when the info is read out somewhere it's just printed as the string literal value.

  • knd775  6 years ago

    Wouldn't their license plate be in quotes, though? 'NULL' != NULL

    • jerf  6 years ago

      As my other comment points out, this is probably systems talking to systems talking to systems talking to systems to the nth degree. So even if the first system did in fact distinguish the NULL case from the string case, it only takes one system in the chain to be incapable of representing the difference to permanently and unrecoverably wreck it for all downstream systems.

      What are the odds at least one system silently filters out apostrophes as invalid characters in license plate fields? Pretty good. These systems are often unattended, unmonitored processes often maintained by people who either can't fix errors upstream, or don't even want to, so these conversions are often written extremely permissively, trying to get through the data with whatever heuristics are necessary for the process to just Keep Working.

      1 reply →

mikehollinger  6 years ago

A colleague’s name is “True.” When we ran some reports to generate a check in list for an event - it was converted to either “TRUE” or “1” depending on the script.

I was amused.

Even without sql doing odd things certain strings will just cause problems.

baybal2  6 years ago

I wonder, what will "DROP *;" license plate do?