Comment On Classic WTF: Five Wrongs Don't Make a Right

Anonymous:

Then again, why bother? Just print it on the label and have the postman figure it out.

This reminds me of my holiday in Iceland. I asked someone how they get their mail when theres no streetname/house numbers. (in the outlands)

Answer: They send to the localities post office, the post man knows everyone by name and where they live.

drake:

If he had used Regular Expressions, he would have had 10 problems

In reality, that would have been 25 problems at minimum, 32 problems in likelihood

Norman Diamond:

Foo Bar:

If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.

Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.

Please indicate which non-slavic country in Europe uses ý, named in the the example?

What intrigues me _the most_ is that the implementor **and** all commenters get the specifications all reversed:

"ensure that all five lines of a shipping address contains valid characters."

To me this means that any check beyond finding the first 'valid character' would be redundant. Also, empty string cannot be accepted, as they would contain _no valid characters_.

People need to learn how to read specs :)

Java doesn't put this requirement on you. Of course, people like to blame the tools instead of the developer.

You can just use a boolean to return true or false, then that method is reusable and the caller of the method could decide whether to throw an exception or how to further handle it.

^c^v is way more efficient than thinking.

Sehe:

Norman Diamond:

Foo Bar:

If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.

Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.

Please indicate which non-slavic country in Europe uses ý, named in the the example?

Iceland does.

Sehe:

Norman Diamond:

Foo Bar:

If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.

Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.

Please indicate which non-slavic country in Europe uses ý, named in the the example?

Well, the absence of letters such as đ and ş made me guess that the company didn't intend to ship to Slavic countries, but someone else already pointed out that I missed the inability to ship to Norway and Denmark. So the company's selection of destination companies doesn't really seem to follow any geographic rule.

iceland:

Anonymous:

Then again, why bother? Just print it on the label and have the postman figure it out.

This reminds me of my holiday in Iceland. I asked someone how they get their mail when theres no streetname/house numbers. (in the outlands)

Answer: They send to the localities post office, the post man knows everyone by name and where they live.

It's the same in a lot of countries. It's the same in villages where my wife used to live, her relatives live (some better known than others), and maybe including me in the future. It's not quite the same in Canada because the rural route number had to be written.

In some countries that have addresses, often there's no street name but district numbers, block numbers, and lot numbers narrow down the destination. If there are two or more buildings on a single lot then it's wise to include the name of the building (and it does not mean that you can just name the building and leave out the rest of the address).

In some countries that have addresses, often there are street names but no numbers, so again the building should be named.

The only correct way to handle this is ^C^V. Try to refrain from guessing that the customer doesn't know their state or city, because you'll just screw it up if you rearrange stuff instead of doing ^C^V. (If anyone in this forum works for a court in the US, please try to teach this to your employer.)

moreON:

why not just

return !expr;

Because you don't want to break from the for loop if the expression is false.

argle bargle:

But a blacklist would have been easier to get right since it would have been a lot shorter than a whitelist.

In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.

And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.

Agreed - concerns over injection attacks means your data access code has been written poorly and left to rot for too long.

An escape character won't allow an attacker to clear you database if you use placeholders/named parameters properly and I'm not aware of any escape sequence that opens a terminal to give attackers root access to a machine.

Let users enter whatever they want and record it exactly as keyed.

In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.

And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.

If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

But the wrongs felt so right! But then again, I have unprintable character.

Now what about the character at my former position? Is he on the black list, white list, both, or neither?

I think you're all skipping the obvious reason for having those characters:
The reason for stripping the characters is probably that the printer is not utf-8 compliant (probably a simple iso8859-1 printer that chokes/interprets special characters)
2) The nitwit writing this POS didn't know all the characters used in Denmark and Norway and either way, eastern Europe isn't part of iso8859-1 anyway afaik.

Correct me if I'm wrong, but with all those null checks and weird logic, it has to be an Indian working in Europe (the good Indian programmers all stay in India or work in the USA).

Worf:

And this makes it a lot easier. If the country is your own, most post offices offer an address validation system - either online or offline subscription which will contain every valid address in the country.

Except when they don't, or when they are wrong.

Our address didn't used to be in the UK post office database (it is now, thankfully), which caused problems with some suppliers.

Also, our address is like:

111 Acacia Drive
MyVillage
MyTown
AB1 2CD

There is also a
111 Acacia Drive
MyTown
AB1 5XY

Some databases miss out the 'MyVillage' part of the address (it's not *strictly* necessary, because of the postcode), and we can't add it when ordering (since the database is the 'definitive' source of data).

So, unless the delivery man is careful and checks the post code, things end up going to the wrong address... (This usually happens with couriers - the post office generally gets it right, because they automate the sorting to smaller delivery runs)

McMuffin:

If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

Sure. Because users who disable javascript do not deserve a friendly UI?

And yeah, go ahead and cludge together security throughout the layers. Afterall, if you nest together enough seives, the sand will stop flowing through.

Security within Form validation is often a symptom of security being "thrown on top at the end". The correct approach for SQL injection is to implement it in the DAL from the beginning.

iceland:

Anonymous:

Then again, why bother? Just print it on the label and have the postman figure it out.

This reminds me of my holiday in Iceland. I asked someone how they get their mail when theres no streetname/house numbers. (in the outlands)

Answer: They send to the localities post office, the post man knows everyone by name and where they live.

I live in the rural US, where the USPS delivers only to post office boxes, but courier services will deliver only to street addresses. This tends to cause problems when ordering things.

Probably the greatest issue I've had here was ordering something from AT&T (because Verizon doesn't work here, either). They yelled at me for giving them a non-deliverable street address, then yelled at me for giving them a PO Box, and there was only one address field.

The solution ended up being to have them send it to the post office with my name on it and hope that it ended up in my PO Box. (It did.)

Anon:

McMuffin:

If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

Sure. Because users who disable javascript do not deserve a friendly UI?

People who deliberately disable functions on their computer for no reason deserve less of a friendly UI than those who don't.

Dear Sir/Madam

Are you a business man or woman? Do you need a Loan of any Amount for funding for any reason contact us today richard.smith356@yahoo.co.za

a) Personal Loan,Business Expansion,
b) Business Start-up ,Education,
c) Debt Consolidation , Home Improvement Loans
d) Hard Money Loans, Investment Loans,
e) X-mas preparation Loan

We offer loan at low interest rate of 2% and with no credit check CONTACT EMAIL us now richard.smith356@yahoo.co.za

Fill out the below information for procedure.

Full Name:
Address:
Country:
Loan Amount Needed:
Loan Duration:
Purpose For Loan:
Phone Number:

Thanks
Management
Mr(Richard.Smith)

Hello everyone, My name is Mrs Jennifer Anderson and i am talking as the happiest person in the whole wild world today and i told my self that any lender that rescue my family from our poor situation, i will tell the name to the whole wild world and i am so happy to say that my family is back for good because i was in need a loan of $ 100,000 USD to start my life all over as i am a single mum with 4 kids and the whole world seemed like it was hanging on me until i met the GOD sent loan lender that changed my life and that of my family, a GOD fearing lender, Mr.Musa of musa Micro Finance, he was the saviour GOD sent to rescue my family and at first i thought it was not going to be possible until i received my loan of $ 100,000 USD and i will advise any one who is in genuine need of a loan to contact Mr.Musa Jemi via email at. (musa_jemi@yahoo.com.sg)because he is the most understanding and kind hearted lender.

Dear Investors/Financial Seekers.

We are a Registered Private Investors/Loan Lender, Do you need FINANCIAL ASSISTANCE? Are you in financial mess OR debts? We offer loan at 3% interest rate within 1 year to 30 years repayment duration period to Individual and Companies that are in need of financial assistance and to any part of the world.


We give out loans ranging from $5,000.00 to $500,000,000.00, CURRENCIES: USD, CAD, KWD, OMR, SGD, RUB, GBP, AUD, MYR, ZAR, IDR, UAH, PHP, EURO.


Our loans are well insured for maximum security is our priority, Are you losing sleep at night worrying how to get a legit loan lender? Are you in poverty? Do you need financial assistance to set-up a business? We can assist you financially.


Interested Individual OR Companies should contact us via: Email: {linpohloanfirm@yahoo.com.sg}

Regards,

Lin Poh Loan Firm Team.