Hacker News
by lennoff 1818 days ago
Well, how can we teach copilot to avoid raw string interpolation in such cases? Sure, some people will correct it, and the AI might improve, but I suspect that the majority of the developers will never notice it, and that'll just reinforce the AI's bad habits.
2 comments

I gave the following prompt:

    // get password from the database using a mysql query
    function fetch_password(string $username) {

And 7/10 parameters are vulnerable to SQL injection. Here's the first:

        global $mysqli;
        // $username is dropped straight into the SQL text; a quote in it ends the literal
        $query = "SELECT password FROM users WHERE username = '$username'";
        if ($result = $mysqli->query($query)) {
            $row = $result->fetch_assoc();
            return $row['password'];
        }
        return false;
    }
Here's all of them: https://paste.ubuntu.com/p/9qQ2BSnqbF/
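What the interpolated query above actually does on hostile input, as an added example that is not part of the thread or of the Copilot output. It is Python over an in-memory sqlite3 table (a stand-in for the MySQL users table, with constructed rows) rather than PHP, so it runs without a database server; the unsafe function is built exactly the way the posted snippet builds its query, and the safe one uses a driver placeholder, which is what `$mysqli->prepare()` plus `bind_param()`, or a PDO prepared statement, gives you in PHP.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows standing in for the users table the PHP snippet reads.
USERS = [("alice", "s3cret"), ("o'brien", "irish"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory database with the same shape as the snippet's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def fetch_password_unsafe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Same construction as the Copilot output: the name becomes part of the SQL text,
    so a quote in it closes the literal and whatever follows is executed as SQL."""
    query = f"SELECT password FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def fetch_password_safe(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Placeholder form: the SQL is fixed text and the value travels separately,
    so the driver never parses it as SQL (mysqli prepare/bind_param and
    PDO prepare/execute do the same thing in PHP)."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def compare(username: str) -> Tuple[Optional[str], Optional[str]]:
    """Run both versions on one input and return (unsafe_result, safe_result).
    'error' records the case where a quote in the input left the SQL unparsable."""
    conn = make_db()
    try:
        unsafe = fetch_password_unsafe(conn, username)
    except sqlite3.OperationalError:
        unsafe = "error"
    safe = fetch_password_safe(conn, username)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for name in ["alice", "o'brien", "' OR '1'='1", "' OR username='bob' --"]:
        unsafe, safe = compare(name)
        print(f"{name!r:28} unsafe={unsafe!r:10} safe={safe!r}")
```

The legitimate name `o'brien` already breaks the unsafe version (the quote splits the literal), and the two crafted inputs make it return another user's password: the first by making the WHERE clause always true, the second by naming the row it wants and commenting out the rest of the query. The placeholder version returns nothing for both, because the whole input is compared as a username.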
When I started with PHP over a decade ago I was using PDO and not MySQLi.

I think there's a lot of old code that perhaps should not be used by Copilot as a reference, given how some programming languages have changed quite a bit over time when it comes to the best way of doing certain things.

Yeah, that was always one of the big problems with PHP. Google search would produce these old tutorials full of SQL injection code. I think there was a community effort to clean these up, so (un)fortunately we have AI to bring them back.
Could something like this be caught by static analysis?
Could it? Yes.

Will it? Maybe.

Would I count on it in all cases? No.

Also, I find it preposterous to rely on a second automated system to cancel out the mistakes the first one made.

Isn't this the principle the entire Javascript/Node ecosystem is based upon?

Downvote away. You know who you are.

As someone who's done a ton of JS/TS development, for browsers and Node, I thought the principle the entire ecosystem was based on was up-to-the-minute crowdsourcing of not only a standard lib, but also 90% of your basic tools and about half of what ought to be language features. Not relying on automated systems to cancel out the mistakes of automated systems.
As someone who spent two weeks trying to get a Typescript project working under Webpack when migrating to Vue 3, by stitching together a web of gratuitous tooling and transpilers that ultimately did not work (I went with Vite and it was all working in 2 hours)...

Also, I just checked out an old Flask/Python project from 7 years ago, updated it to use Poetry dependency management, and it all still works. A JS project that is 7 months old and unmaintained would be a dumpster fire.

Oh, for the "build" tools, yeah, that's actually entirely true. It's a bunch of automation fixing bad decisions and other, bad automation. Spot on.
Yes. You could write an eslint rule for it, and there are probably a few of those already.
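A minimal version of the static check the thread is debating, as an added example that is not from the thread and is not an eslint rule: a Python scan over PHP source that flags SQL string literals built with interpolation (`"...$x..."`) or `.` concatenation, then follows the assigned variable to a raw-query call (`->query()`, `->exec()`, `mysql_query()`). The three PHP inputs are constructed for the example; the first mirrors the posted Copilot output, the second is a prepared-statement rewrite of it.

```python
import re
from typing import List, Set, Tuple

IDENT = r"\$[A-Za-z_]\w*"
# A double-quoted PHP literal whose body interpolates a variable ("...$x..." or "...{$x}...").
DQ_INTERPOLATED = re.compile(r'"(?:[^"\\]|\\.)*?(?:' + IDENT + r'|\{\$)(?:[^"\\]|\\.)*"')
# A quoted literal joined to a variable with PHP's "." concatenation operator.
CONCAT = re.compile(
    r"""(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')\s*\.\s*""" + IDENT
    + r"|" + IDENT + r"""\s*\.\s*["']"""
)
# A literal that opens like an SQL statement.
SQL_LITERAL = re.compile(r"""["']\s*(?:SELECT|INSERT|UPDATE|DELETE|REPLACE)\b""", re.IGNORECASE)
# Calls that send raw SQL: mysqli/PDO methods and the legacy mysql_query() function.
RAW_QUERY_CALL = re.compile(
    r"(?:->(?:query|multi_query|real_query|exec)|\bmysql_query)\s*\(\s*(" + IDENT + r")"
)
# "$name = ..." at the start of a line (not "==" and not ".=").
ASSIGNMENT = re.compile(r"\s*(" + IDENT + r")\s*=[^=]")

INTERPOLATION = "variable interpolated into SQL string"
CONCATENATION = "variable concatenated into SQL string"


def find_injection_candidates(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each SQL string built from variables, and for
    each raw-query call that receives a variable holding such a string."""
    findings: List[Tuple[int, str]] = []
    tainted: Set[str] = set()
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if SQL_LITERAL.search(line):
            reason = None
            if DQ_INTERPOLATED.search(line):
                reason = INTERPOLATION
            elif CONCAT.search(line):
                reason = CONCATENATION
            if reason:
                findings.append((lineno, reason))
                assigned = ASSIGNMENT.match(line)
                if assigned:
                    tainted.add(assigned.group(1))
        call = RAW_QUERY_CALL.search(line)
        if call and call.group(1) in tainted:
            findings.append((lineno, f"{call.group(1)} reaches a raw query call"))
    return findings


# Constructed sample 1: the shape of the posted Copilot output.
VULNERABLE_PHP = """\
function fetch_password(string $username) {
    global $mysqli;
    $query = "SELECT password FROM users WHERE username = '$username'";
    if ($result = $mysqli->query($query)) {
        $row = $result->fetch_assoc();
        return $row['password'];
    }
    return false;
}
"""

# Constructed sample 2: the same function using a mysqli prepared statement.
SAFE_PHP = """\
function fetch_password(string $username) {
    global $mysqli;
    $stmt = $mysqli->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? $row['password'] : false;
}
"""

# Constructed sample 3: old-tutorial style concatenation into the legacy mysql_* API.
CONCAT_PHP = """\
$id = $_GET['id'];
$sql = 'SELECT * FROM users WHERE id = ' . $id;
$result = mysql_query($sql);
"""

if __name__ == "__main__":
    for label, src in [("copilot", VULNERABLE_PHP), ("prepared", SAFE_PHP), ("legacy", CONCAT_PHP)]:
        print(label, find_injection_candidates(src))
```

It catches the posted snippet and the old concatenation style and stays quiet on the prepared-statement version, which is the "Could it? Yes." part. The "Would I count on it in all cases? No." part is just as visible: it only tracks a variable within the same snippet, so a query string appended with `.=`, assembled with `sprintf()`, or passed through a function parameter or return value is missed, and it flags every interpolated variable, including ones that are safe (an allow-listed table name, for instance). A real tool needs proper taint tracking through the parse tree, not a regex per line.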