Little Bobby Tables
|Little Bobby Tables|
|First appearance||327: Exploits of a Mom|
Robert'); DROP TABLE students;--, nicknamed Little Bobby Tables, is the youngest son of elite hacker Mrs. Roberts. His elder sister is Help I'm stuck in a driver's license factory Elaine Roberts.. His "full" name is known to cause problems with some computers. When he was first enrolled in school (327: Exploits of a Mom), it exploited a vulnerability in the parsing of student's names into the school's student database resulting in the school losing all the student records for the year.
In SQL, commands are terminated by semicolons
; and data is often quoted using single quotes
'. Commands may also be enclosed in parentheses
). Data is stored in tables of similar items (e.g.
students) and individual entries are "rows" in the table. To delete an entire table (and every row of data in that table), you use the command
DROP TABLE students). The
-- represents the start of a SQL comment which ensures that the rest of the command is ignored so an error will not occur.
The exploited vulnerability is that the single quote in the name input was not properly "escaped" by the software. Thus, when the name is embedded into some SQL statement, the quote is erroneously parsed as a closing quote inside that statement, rather than being parsed as part of the name. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as SQL injection.
The name Bobby Tables inspired a website, bobby-tables.com, a guide for beginning programmers to learn the right way to avoid SQL injection in their code. A similarly named character, Mister Rogers, appears in 884: Rogers St., with the same code injection in his middle name. It appears in 1253: Exoplanet Names as one of the suggested planet names.
 Example of SQL injection
A typical, unsecured SQL command vulnerable to SQL injection would be something like:
database.execute("INSERT INTO students (name) VALUES ('" + name + "');");
name is a variable which is filled with the name to be inserted into the database. With a regular name, this would result in the following SQL command to be send to the database system:
INSERT INTO students (name) VALUES ('Elaine');
However, with Little Bobby Tables's full name, the SQL command would be:
INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students;--');
Or, if split after each
INSERT INTO students (name) VALUES ('Robert'); DROP TABLE students; --');
The first commands inserts the name
Robert into the database as in the first example. The second command however completely deletes the table
students. The remainder is a comment to prevent syntax errors with the apostrophe and the closing parenthesis.
 Real Life occurrence
In French-speaking countries, apostrophes are a common character in street names. More often than not, Frenchmen (or Luxembourgers, or Belgians, ...) unwittingly trigger SQL injection bugs when trying to order something from a US shop. In Italy, they are often part of town names, too (e.g. L'Aquila).