Skip to content

Revisiting SQL Injections on the Final Frontier

In a recent Star Trek Discovery episode, the crew was investigating how a probe (from the future!) was attempting to hack into their systems. This is what was said about it:

“The probe used multiple SQL injections”

Apparently, in the fictional 23rd century relational databases and SQL are still in use not only by the United Federation of Planets but also by alien probes from the future! Normally Star Trek creates some technobabble gibberish for this sort of thing, so I certainly found this line surprising. Perhaps the writers thought it was just gibberish or that it would sound like gibberish to the average person.

But anyone who uses databases knows that SQL Injections can be a real issue. A SQL Injection refers to an issue when your app inadvertently allows a user to inject their own SQL into one of its database queries. Read this post on how to avoid them.

Essentially, it can occur when you use standard string concatenation to create an SQL query from user-provided text. If you prompt the user for a name so you can show their tasks, for example then you’d normally get SQL like this:

SELECT * FROM Task WHERE Name = 'Paul';

But what if the user provides malicious input, such as this: Paul’ OR 1

Then your concatenation code might create SQL like this:

SELECT * FROM Task WHERE Name = 'Paul' OR 1;

And this will return a lot more data. Obviously this is a simple example, but this type of exploit can be much more sophisticated. And apparently also something that alien probes from the future might try to use.

You can avoid this problem by taking advantage of a feature called database binding so that you do not use string concatenation to generate the SQL. With Xojo you do this by creating a prepared statement with placeholders for input strings and then let the database create the query itself using binding. So the SQL might look something like this:


Read the User Guide topic to more about how to avoid SQL injection by using prepared statements with your Xojo database code:

UserGuide:SQL Injection

And of course, relevant XKCD.