Hacker News: billpg's comments

How does that work in practice?

Suppose the Table family type their son Bobby's name into a form. The Perl program now has a "tainted" string in memory - "Robert'; DROP TABLE Students --".

The Perl code passes this string through a regex that checks the name is valid. Names can include apostrophes (Miles O'Brien) and hyphens (Jean-Luc Picard) along with spaces and normal ASCII letters, so the regex passes and the string is now untainted.


> The Perl code passes this string through a regex that checks the name is valid

I think "parse don't validate" doesn't help in this example, but naively the regex would not check whether a name is valid but "extract all parts of the string that are provenly safe".

Which is not reasonable for SQL statements, so someone invented prepared statements.

I think the idea is that the Regex parsing forces the programmer to think about what they're doing with the string and what the requirements for the non-tainted variable are.

For example, a file name string would not allow unescaped directory separators, dots, line breaks, null bytes (I probably got most details wrong here...) and the regex could remove these or extract the substring until the first forbidden character.

Sure, this cannot prevent mistakes.

But the idea, I think, is not to have a variable "safeUserName", instead a "safeDbStatement" one.


You should be using DBI or something that builds on DBI to use prepared statements for database interactions. That’s why it’s called the DataBase Interface.

Or any reason to actually free the hostages.


Who do y'all use for a dialable USA phone number these days? (I'm in England.)

I have (had) a +1-423 Skype number to receive calls (twice a month or so) that took messages that I could play in the Skype web-app.


Google Voice is amazing, but requires a US phone number to set up.


I wonder if an American friend could set it up for me. My gmail mailbox but their US phone number. (Thanks for the recommendation!)


It should, but they've recently been somewhat picky about which phone numbers they accept for the initial setup.

Once you get it, you don't need access to that US number afterwards – very useful when traveling; everything just works via VoIP, including texting, which is a lifesaver for 2FA when traveling without US roaming.

Of course, it's a Google service, so expect it to be discontinued without warning at the exact moment you've totally integrated it into your daily life.


We use unskilled labour (cows) to perform the necessary chemical reactions to convert grass and water into milk. The milk needs to be pasteurised before it is fit to use and the cows produce a significant amount of manure.

I think we can do better by building vats to perform the same chemical reactions those cows perform.


If it were unskilled, any cow would do, but if you've ever been on a dairy farm you'll know that not all cows make the cut.


Most (all?) SQL client libraries will allow you to indicate a parameter placeholder and supply that parameter value separately.
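An added example, not code from any commenter (the thread is about Perl and DBI; this uses Python's sqlite3 because the placeholder idea is the same), tying the two points together: the name rule described earlier (ASCII letters, apostrophes, hyphens, spaces) as a validation regex, and the same validated name sent once by string concatenation and once through a `?` placeholder with the value supplied separately. The `students` table and the in-memory database are assumed for the demo.

```python
import re
import sqlite3

# Name rule as described in the thread: ASCII letters, apostrophes, hyphens, spaces.
# Note the page's own "Robert'; DROP TABLE Students --" fails it because of the ';'.
NAME_RE = re.compile(r"[-A-Za-z' ]+")


def validate_name(name: str) -> bool:
    """The 'untaint' check: True when every character is on the allow-list."""
    return NAME_RE.fullmatch(name) is not None


def insert_concatenated(conn: sqlite3.Connection, name: str) -> str:
    """Unsafe pattern: splice the (validated!) name into the SQL text.
    Returns 'ok' or the sqlite3 error class name so both paths can be compared."""
    sql = f"INSERT INTO students (name) VALUES ('{name}')"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return type(exc).__name__


def insert_parameterised(conn: sqlite3.Connection, name: str) -> str:
    """Safe pattern: a '?' placeholder; the driver sends the value separately."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    return "ok"


def demo(name: str) -> dict:
    """Run one validated name through both paths and report what the table holds."""
    conn = sqlite3.connect(":memory:")  # constructed, throwaway database
    conn.execute("CREATE TABLE students (name TEXT)")
    result = {"valid": validate_name(name)}
    result["concat"] = insert_concatenated(conn, name)
    result["param"] = insert_parameterised(conn, name)
    result["stored"] = [row[0] for row in conn.execute("SELECT name FROM students")]
    return result


if __name__ == "__main__":
    for n in ("Jean-Luc Picard", "Miles O'Brien"):
        print(n, demo(n))
```

A perfectly legitimate name that passes the regex, "Miles O'Brien", is already enough to break the concatenated statement (the apostrophe ends the SQL string literal early), while the placeholder version stores it intact.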


I was going to buy a domain back in my student days, but I stopped when I realised I didn't have a phone number. I used the public phone-box on the corner whenever I needed to actually call anyone. It was a little annoying to have to register a phone number when I didn't actually want anyone to call me.


Thank you. I read that the tunnel "will link Denmark and Germany" and I had to check a map to confirm that yes, they are already linked. By land. By a lot of land. You're not experiencing memory loss.


It's (channel-name)@gmail.com

I'll take a cheque.


But why?


Because so many people on here talk about how good the "old web" used to be. This is it. This is peak old web. Maybe a bit too polished, but still. Pointless and fun, because fun is fun.


I refer you to the title of the submission, my good man.


"You need to choose an access PIN."

"How about (digits)?"

"You can't use that one. Someone else has already chosen that."

"Wait, now I know someone else's PIN code. I could use that and it'd be logged under their name."

