use %20 randomly for fun
Or just use MIME (e.g. =20). Guaranteed to make someone say "okay, how the hell did that happen?"
(It's also trendy because badly cleaned up MIME garbage is in the Epstein files!)
And I would be the one biting that bait hard because mojibake are like a pet peeve of mine.
How would you do this in C? I'm a beginner. Does it entail checking/disallowing certain characters and data types? What? 😃
How do you sanitize your inputs or how do you exploit inputs which are not sanitized?
Sanitize inputs.
I'll get back to you on exploits when I can write something that throws zero compilation errors. 😈
Couple big things are 1. Only accept reasonable characters, on a white list instead of rejecting bad characters based on a black list. This will mean you are less likely to forget to block /0 for example. 2. Understand how strings work and ensure both reading and writing to that string doesn't extend beyond the end of memory allocated for the string. For example do you understand what the /0 would do to a string your program accepts?
Is it easy for a good developer to allow new lines without any extra security risk exposure?
Sometimes e.g. a government form will remove new lines, though perhaps sometimes they intend to reduce length.
Depends...how well written the form is. Often stuff like this is pushed to libraries who have covered all the gotchas but you have to be careful not to get into dependency hell. Understand where to use them and not. For example don't use left_pad but also don't make your own encryption.
How easy is it to allow new lines? Very easy. The important part is only accepting new lines, e.g. /r/n. A well made form can include extra functions, but anything not defined should be denied.
Also consider you likely should not accept a username with a semi-colon in it...
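The allowlist and bounds advice from the comments above, written out in C as an added example (not code posted by anyone in the thread). The permitted character set, the 32-byte limit, the ASCII-only text field and all function names are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define USERNAME_MAX 32   /* assumed limit, not from the thread */

/* Allowlist: only these bytes may appear in a username. */
static int username_byte_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
}

/* len is the number of bytes actually received, not strlen(): an embedded
 * NUL is then just another byte that is not on the list. */
int valid_username(const char *buf, size_t len) {
    if (len == 0 || len > USERNAME_MAX) return 0;
    for (size_t i = 0; i < len; i++)
        if (!username_byte_ok((unsigned char)buf[i])) return 0;
    return 1;
}

/* Free-text field: printable ASCII plus CR LF pairs; a lone CR or LF and
 * every other control byte is rejected. */
int valid_multiline(const char *buf, size_t len, size_t max) {
    if (len > max) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '\r' && i + 1 < len && buf[i + 1] == '\n') { i++; continue; }
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* Validate first, then copy into a fixed buffer with room for the NUL. */
int store_username(char *dst, size_t dstsz, const char *src, size_t len) {
    if (!valid_username(src, len) || len + 1 > dstsz) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char name[USERNAME_MAX + 1];
    const char bad[] = "bob\0;rm";   /* constructed input with embedded NUL */
    printf("%d\n", store_username(name, sizeof name, "alice_01", 8));
    printf("%d\n", valid_username(bad, sizeof bad - 1));
    printf("%d\n", valid_multiline("line1\r\nline2", 12, 100));
    return 0;
}
```

Validation like this narrows what reaches the rest of the program; it does not replace bound parameters when the value goes into an SQL statement.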
If you use the SQLite C API like this

```c
/* Vulnerable: user input is pasted into the SQL text. */
char query[256];
char *err_msg = NULL;
snprintf(query, sizeof(query),
         "SELECT * FROM users WHERE username = '%s'", username);
int rc = sqlite3_exec(db, query, NULL, NULL, &err_msg);
```

and someone enters Robert'; DROP Table Students;-- as username, it deletes the table Students.

```c
sqlite3_stmt *stmt = NULL;
const char *sql = "SELECT * FROM users WHERE username = ?";
int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, NULL);
if (rc != SQLITE_OK) {
    fprintf(stderr, "Failed to prepare statement\n");
    return;
}
/* The value is passed as data and is never parsed as SQL. */
sqlite3_bind_text(stmt, 1, username, -1, SQLITE_STATIC);
while (sqlite3_step(stmt) == SQLITE_ROW) {
    /* read columns with sqlite3_column_*() */
}
sqlite3_finalize(stmt);
```

Using this "prepared statement" and "bind", your code is secured against such SQL injection attacks.
Many languages like C, Java, Python, etc. allow you to construct SQL queries or SQL statements, where SQL is its own language used to communicate with a database, like Oracle or MySQL, or Postgres or MSSQL. One way to do this is to construct a string in your language using whatever string functions, concatenation etc. available in your language. The problem occurs because usually you want some kind of user input as one of the parameters in your SQL query, in order to fetch the correct records the user is asking for. Like say a record ID or name. If you do not properly sanitize that ID or name which originally comes from some type of user input, then a malicious user could carefully craft an ID or name which includes their own SQL and other special characters, which will interfere with the query you intended to construct, and instead do something malicious. Like delete records or obtain records the user is not supposed to have access to.
There are many ways to guard against this, and you should learn about this when you start working with SQL and databases. It’s called a SQL injection.
There is another type of code injection which can occur if you are making exec() calls (or whatever your language uses) to run shell commands. Similar caution should be taken there.
My day has come!!!
I � Unicode!
I like this very much! It implies that the person expressing this knows exactly how they feel about Unicode. It's just us, the readers (or some other link in the chain), who have/has the wrong encoding.
Allow me to introduce you to my favorite Unicode character, the zero width space
that sounds awesome! (there's 10k zero width spaces between the quotes ->''.)
Checks out:

Unfortunately, evil people blacklist this character a lot :(
May I introduce you to my favorite Unicode character, the Braille zero dots
Unless they work for Microsoft. Teams has been showing � instead of ä for the caller's name in the popup when someone calls for several weeks now. It didn't use to do that before. I don't think they care anymore.
I don't think it's even "they" any more.
Allow me to make one thing perfectly clear: If you insert those symbols into my perfectly working website... only to mess with me and inadvertently give me Vietnam-style flashbacks to the days when I had to deal with incredibly badly formed and misencoded CSV files on the daily...
Then I will find you and break into your home to replace every second sock with one of the same color and pattern but slightly different make, size or material and you will always wonder why you can't find any exactly fitting pairs of socks anymore.
I willingly embraced mismatched socks years ago. I just pretend it's a fashion statement. Come at me bro.
Don't let the world change you, this is wonderful
I always buy identical socks, cannot mismatch if they are all the same.
Depends on if it breaks the form and they get called. Actually if it gets through they might rightfully question their sanitation coding.
To the op of the screenshot meme, calm down satan
Former dev here, can confirm on occasion it does.
Calm down satan 😅
Actual monster
I remember feeling extra powerful when Moonshell for the DS shipped with UTF-8 and UTF-16 support because the developer was Japanese and wanted to make sure any language would work.
Ok calm down there Satan. Leave some chaos for the rest of us 😅
Usually only happened when a French person copied and pasted their text directly from a Word document... dang weird spaces and accented characters... drove my boss mad when I told him it was because it was French, and not a glitch.
Still had to work around it... text counters in textboxes had to account for accented characters, which took two bytes instead of one.
"I only have 2000 letters!" ... 2000 including 200 accent characters made it 2200 characters, not 2000.
I remember one day long ago when Notepad++ was the real shit, I was using the vertical selection feature and noticed that the selection was shorter on lines that had accented characters. I thought: "huh, accented characters count as two? What would happen if the selection ended in one? Can I select half a character?" no I could not and I had to restart my computer after trying.
I loved Notepad++.
Started in DOS with Edit, regular notepad, got introduced to UltraEdit, then found NP++.
... lol. Sounds like you tried splitting an atom.
