Hey, Kristof !

Sure. This is a snapshot of the MD I use to check AI-generated code for security risks. Before public builds, I ask my software agent to go through this list. Instructions what to do next for the agent are at the end of the document.

1. Input Validation & Injection Risks

• Multi-Vector Injection: Have you checked for NoSQL, OS Command, and LDAP injections in addition to standard SQL injection?
• Indirect Prompt Injection: If this agent processes external data (emails, web pages, user uploads), could that data contain hidden instructions that hijack the agent’s logic?
• Trust Boundaries: Are you trusting any client-provided data (user IDs, roles, session states) that should instead be derived or verified strictly on the server?
• Allow-Listing: Are all inputs validated against a strict ‘allow’ list (specifying expected types, lengths, and formats) rather than a ‘deny’ list?
• Output Escaping: Does this code pass its output directly to another system (shell, browser, or database)? Treat your own generated output as untrusted user input and escape it accordingly.
• Memory Safety (C/C++): If writing in C or C++, have you explicitly prevented buffer overflows, checked for null pointers, and ensured all allocated memory is freed in all execution paths?

2. Authentication, Authorization, & State

• Direct Access & CSRF: What prevents a user from bypassing the UI? Have you implemented Anti-CSRF (Cross-Site Request Forgery) tokens for all state-changing actions?
• Session Integrity: Are sessions configured with appropriate timeouts, “Secure” and “HttpOnly” flags, and protected against session fixation?
• Fail-Secure Logic: Does the access control logic default to “Deny All” if it cannot reach its security configuration or if an internal error occurs?
• Least Privilege: Is the application connecting to the database or external services with the absolute lowest level of privilege required for this specific task?
• Excessive Agency: Does this code have more permission than it needs to function? Ensure it cannot perform unauthorized actions if a specific function is manipulated.

3. Sensitive Data & Cryptography

• Secret Sprawl: Have you scanned this code for hardcoded secrets, including ‘temporary’ bypasses, API keys, or hardcoded credentials?
• Modern Standards: Are you using industry-standard, modern cryptographic libraries (e.g., AES-GCM, Argon2) rather than deprecated methods like MD5 or SHA1?
• No Plain-Text: Are passwords, tokens, or keys stored in plain-text or using reversible two-way encryption? They must be hashed or stored in a dedicated Secret Manager.
• Logging Exposure: Does the error handling or logging logic record sensitive data, tokens, or PII (Personally Identifiable Information)?

4. Supply Chain & Environment

• Verified Provenance: Are all third-party libraries/skills pulled from verified publishers? Are versions pinned to specific hashes to prevent “Dependency Confusion” attacks?
• Safe Parsing: Does the code use safe parsers for data formats like YAML or JSON to prevent unsafe deserialization or “billion laughs” attacks?
• AI Integrity: Are suggested AI models or “agentic skills” pulled from unverified sources? Verify the hashes of these integrations.

5. Privacy & Compliance (GDPR/EU Standards)

• Data Minimization: Does this code only collect and process the absolute minimum personal data required for the task?
• Redaction: Is sensitive PII redacted or anonymized before being sent to external logging or AI monitoring services?
• Secure Headers: Are you enforcing secure HTTP headers (e.g., Content-Security-Policy, HSTS, X-Content-Type-Options)?

6. Advanced Probing & Red-Teaming

• Risk Identification: Identify the top three security risks with this specific approach and describe a concrete attack scenario for each.
• Scalability & DoS: What prevents a user from exhausting resources (CPU, Memory, DB Connections)? Is rate limiting or pagination implemented?
• Concurrency: Are there any race conditions in this concurrent data access pattern that could lead to unauthorized state changes or data leakage?
• The Adversarial Check: “If you were an attacker specifically trying to bypass the security logic you just wrote, what is the first thing you would try?”

7. Instructions for Agent

If any of the above checks return a “Fail” or “Uncertain,” flag the code block immediately and provide a remediation plan before proceeding. At no point should you change any code on your own. Report on the current situation and set up a roadmap listing each vulnerability or security risk on a scale of 1 to 5 with 1 being critical and 5 being advisory.

Why yes? With this script it’s easy as ABC. Just fill in the list of items you want scripted and off you go. This way you can script any stored procedure, view, function or anything else that resides in the sys.sql_modules table.

There is a small piece of code that will loop through the definition if it’s longer than 4000 characters long. The PRINT statement will only print the first 4000 characters of a (n)varchar variable. To work around this, we split off 4000 characters, then find the last carriage return and throw away the remainder of the string. This way we don’t get any nasty splits on the screen. Then we print that string and we subtract the length of that string from the original string, and we go again.

Of course I do! Here’s a little nifty function you can use or expand for your own needs. This was made for Dutch mobile phone numbers but can be easily tweaked for any other type of phone number.

The way this works is as follows.

First we split the string into a table of single characters. We then filter the ones that aren’t numeric. We use the like function because isnumeric would not filter anything that is used to represent a number like ‘-‘ or ‘+’ in the phone numbers. Finally we concatenate with the xml-trick. Then, we select the part of the resulting string that matches our pattern.

Change the pattern to suit your country’s phone number style – or you can just do the check and return a boolean to indicate it’s actually a valid phone number or not.

The elfproef is a Dutch validation check that was used for bank account numbers before the introduction of IBAN and is still used for BSN (National identifier) and payment references in bank transaction. Here’s a sweet inline table valued function that will yield instant results. 1 million iterations of this take up almost no cpu time so it’s very fast.

The first part checks if the supplied value is numeric. If it is , we work with the supplied value, otherwise we work with the value 1 which will never yield a valid BSN. We cannot work with if/then constructs because we are working with an inline table function.

I used a JSON array for configuration because it makes the code easier to read. If you want to know how an elfproef works, here’s an explanation in Dutch: https://nl.wikipedia.org/wiki/Elfproef

Example usage: select BSN from Personen as PRS WHERE dbo.tvf_CheckElfProef(PRS.BSN) = 0

Actually, I do. You have too many save games and you need to delete a few. But, there’s no delete option I hear you say? Simply select a save game and hit “delete” on the keyboard. It will ask you if you are sure (of course you are) and then you can save again. Woohoo! That’s some hard earned XP saved right there.

Oh, and I need a way to present it to my boss in an easy-to-use-excel-format.

Well, this code will search all your databases for the text combinations you provide and return the views that contain the keywords. You can easily modify this to include stored procedures or functions and you can extend the search combinations and what it says as a response to certain keywords being found.

Recently, the wireless charging on my Google Pixel4 stopped working. I blamed the wireless charging pad but it wasn’t until I travelled back to Europe and wanted to use my wireless payments that I noticed the NFC was also not working.

It now turns out it’s due to the back of the phone being slightly detached from the rest of the phone. It’s hardly noticeable, especially since I always keep it in a silicone case but removing the phone from the case revealed the right side (when the phone screen is away from you) to have a slight gap that I can run my nail through. Pressing down on the back immediately fixed the problem and at least the wireless charging is working once again. I hope adjusting the case will hold the back down hard enough. Other reports have users opening the phone, bending the pins and then trying to glue the back to the phone … for now, things are working again by just pushing it back down. Otherwise I will try duct tape.

I hear you. Here is a script in T-SQL that will fetch all the jobs (including the ones that are currently running) and displays a dashboard for each step. It will also display the last message SSIS generated (last error message in case of failure, or last message in case of a successful run).

You won’t believe this, but the reason why I got this was a weird trailing backslash. I failed to find where it came from and after HOURS of searching, I found out it was because I had entered a variable in the process step and accidentally type ENTER before the variable. So it was essentially a CRLF followed by the variable name. For some reason, that caused the illegal character. Guess it was trying to insert the CRLF in the path … Well, check your variable listings in your steps to see if you have any leading or trailing enters …