So the UK is accepting that their infrastructure is insecure & susceptible to SQL injections, and so they wish to slap a band-aid on it instead of prioritizing cyber security?
Do they not track the names of foreign companies either?
It's not because Companies House is vulnerable to SQL injection (there's no reason to think it is) and the purpose isn't to protect Companies House from SQL injection.
Companies House data is consumed by a very large number of companies and organisations, some of whom probably are vulnerable to such attacks. Fixing them isn't something Companies House can do. The joke Bobby Tables company name that was registered deliberately wasn't actually a functioning SQL injection. If someone does try to register a name containing a real one, it seems like a good idea for Companies House to be able to reject it on those grounds. This is just giving them that ability, as part of a larger ability to reject names that are designed to mislead or facilitate fraud.
The knee-jerk HN Nelson laugh at everything the UK and EU governments do makes for tedious reading, especially when there are so many actually bad policies and laws to criticise.
Perhaps Companies House should put some canaries in their data to trigger these SQL injections in a non-destructive way. That way they might accomplish some good by forcing these companies to fix their shit.
Regardless, anyone affected by a "bobby tables" should be thankful it was that, and not hackers exfiltrating their data and selling it.
This is a great idea, though done naively it could cause unintended side effects. But key to the consideration today (and as pointed out by the commenter in TFA) is that not just SQL would need to be considered, especially in the dawn of the LLM era.
It makes sense. 'DROP TABLE users; is obviously not a real company name.
Maybe it'd be better to deliberately include some Bobby Tables entries in every data set to make sure users think about these problems early on, but it's probably too late for that.
No. Their infrastructure is secure but there are a great many people out there consuming the company names data feed and the U.K. government can make no assumptions about how technically proficient they are.
I’m sure some will object to this as “big government gone mad” or whatever but it feels pretty common sense to me to at least try. No one actually needs to name their company after a SQL statement.
Companies House provides a "data feed" of things like company registrations to people interested in such things.
It turns out, even if Companies House computer systems are 100% secure, the same isn't true of downstream systems. Unfortunately, Companies House has decided that telling downstream systems to git gud isn't enough.
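To make the point in the two comments above concrete (downstream consumers of the feed, not Companies House itself, are the ones at risk), here is an added example that is not from the thread or from Companies House: a constructed four-record name feed run through a string-concatenating loader and through a parameterised one, using Python's built-in sqlite3. The record numbers and names are made up; one name is shaped like an injection and one just contains an ordinary apostrophe.

```python
import sqlite3

# Constructed sample records mimicking a company-name data feed (not real Companies House data).
SAMPLE_FEED = [
    ("00000001", "ACME WIDGETS LTD"),
    ("00000002", "O'BRIEN & SONS LIMITED"),        # a perfectly normal name with an apostrophe
    ("00000003", "X'); DROP TABLE companies; --"),  # constructed injection-shaped name
    ("00000004", "LAST ENTRY PLC"),
]


def _new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE companies (number TEXT PRIMARY KEY, name TEXT)")
    return conn


def ingest_concatenated(feed):
    """Vulnerable downstream loader: builds each INSERT by string formatting.

    Returns (names_now_in_table_or_None, [(record_number, error_text), ...]).
    """
    conn = _new_db()
    errors = []
    for number, name in feed:
        stmt = f"INSERT INTO companies VALUES ('{number}', '{name}');"
        try:
            # executescript runs every statement in the string, so a name that
            # closes the quote can smuggle in a second statement.
            conn.executescript(stmt)
        except sqlite3.Error as exc:
            errors.append((number, str(exc)))
    try:
        names = [row[0] for row in conn.execute("SELECT name FROM companies ORDER BY number")]
    except sqlite3.OperationalError:
        names = None  # the table no longer exists
    return names, errors


def ingest_parameterised(feed):
    """Safe loader: the driver binds values, so every name is stored verbatim."""
    conn = _new_db()
    conn.executemany("INSERT INTO companies VALUES (?, ?)", feed)
    return [row[0] for row in conn.execute("SELECT name FROM companies ORDER BY number")]
```

The concatenating loader chokes on the O'Brien record and then loses its whole table on the injection-shaped one, while the parameterised loader stores all four names unchanged; rejecting odd names at registration would have spared it only the third record.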
lol, last week I came across a website (in 2023!!!) that told me to set a new password, but be careful not to use the following special characters (including both kinds of quotation mark).