← Back to context

Comment by lores

3 days ago

Any time "$var" is interpolated without check into an INSERT, and any maintainer finds it easier to just check for null as a string rather than ask a DB admin or committee to update the DB after a lot of red tape and risk assessment.

So... very often.

13 comments

lores

Reply
munchler  3 days ago

I don't buy that. The string "Null" is different from the keyword null in programming, so `if $var = null` would be false when $var is the string "Null".

Note that when interpolated into SQL, the contents of $var must be surrounded by single quotes, so you end up with `insert into Table (Name) values ('Null')`, which correctly inserts the string "Null" into the table.

If you were to leave off the quotes, you'd get a SQL syntax error for all other people, so that code would never make it into production. E.g. `insert into Table (Name) values (Smith)` is a syntax error.

  • lores  3 days ago

    > $req = "insert into people (name) ('$name')";

    > $db.exec($req)

    Now you have "null" as strings in the DB in any language that interpolates null as "null".

    > select * from people where name is not null

    "Why do we see nulls in testing? Damn, the DB has dirty data. Go through the trouble of fixing it, or...

    > select * from people where name is not null and name != "null"

    The end. Sorry Mr Null.

  • Terr_  2 days ago

    > I don't buy that.

    I think you underestimate how many systems are stringly-typed, not just in terms of problematic programming languages, but data traveling between different APIs or through literal dead-tree paperwork.

    They don't have to all fail at null handling, just one or two can gum up the works.

  • mrkeen  2 days ago

    I don't buy that type-checkers would look at the value null, and say "Yep, that's a String/Integer/User". But here we are.

hsbauauvhabzb  3 days ago

Guess I’ll change my name to ‘;drop table customers then ;)

  • lores  3 days ago

    You can make a good case to spend time sanitising requests to avoid catastrophic failure, but the "null" problem is one that quickly becomes a lot of work and risk to fix after the fact, for no obvious benefit except what's seen as the pedantry of some nerd, so it gets ranked all the way at the back of the list... until someone named Null comes along, and probably still even then.