← Back to context

Comment by sepositus

2 days ago

> A database had associated the word “null” with his personal information and citations were sent to Tartaro, who lives in Los Angeles.

I'm not the biggest expert on databases, although I've worked with them a bit, but how does this occur in the first place? Usually, associations are done with primary/foreign keys. What database would allow null in that case?

13 comments

sepositus

Reply
aithrowawaycomm  2 days ago

I actually wonder if many individual cops use "null" (the ordinary word) as a shorthand for "plate not applicable," "not identified", "missing" etc - semantically the same thing as NULL in programming, but then in this case it wouldn't be a database NULL error. In theory the same thing could happen if someone had a DEALER vanity plate. (Though that choice might be rejected for obliquely referencing drugs.)

samplatt  2 days ago

There are so SO many databases out in the wild that were built by people with little regard for building them correctly - or they simply not programmers/DBA's in the first place, but their boss told them to just make it happen.

  • nyarlathotep_  2 days ago

    This is genuinely terrifying to think about. All the ones that are really important are correct, right...? Like medical systems and financial systems and legal and..

dragonwriter  2 days ago

If there are multiple systems involved, one of them produces a null and the other takes that as a key to create a record, but somewhere in between it gets stringified, then the string null might be accepted by a system using string keys.

__MatrixMan__  2 days ago

I'd guess that something somewhere has got its sanitization wrong. They tested it against

    Robert'); DROP TABLE Students;--

And see that it now provides

    'Robert DROP TABLE Students'

Problem solved! And then later somebody else comes along, ignorant of the sanitization step, and provides

    NULL

But the code strips special characters and adds quotes, so they've actually inserted:

    'NULL'

TheBozzCL  2 days ago

It'd be sufficient if a system involved somewhere in the process converted null values to strings. There's innumerable ways, but here's a simple one in Java:

    final String myNullString = "" + null;
    System.out.println(myNullString);

ipaddr  2 days ago

They all do. But these are seperate databases that get translated to text at some point and then converted to Null

CREATE TABLE orders ( id INT PRIMARY KEY, customer_id INT NULL, FOREIGN KEY (customer_id) REFERENCES customers(id) );

vs

CREATE TABLE orders ( id INT PRIMARY KEY, customer_id INT NOT NULL, FOREIGN KEY (customer_id) REFERENCES customers(id) );

hed  2 days ago

The simple explanation is most of these are Excel VLOOKUPs gone wrong.

azinman2  2 days ago

The real question is why anything in the STRING is getting interpreted at all. In databases ‘null’ is not the same thing as NULL.