Comment On Good Answer... Perhaps TOO Good

Peter B. was an out-of-work PHP developer looking for contract work in early 2005. A recruiter he'd worked with in the past emailed him some information regarding a possible position. Reading the job description, Peter thought he'd be a good fit, so he submitted his resume and got a response via email a few days later.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:05 • by IHaveNoName:-( (unregistered)
"[...]plagiarized it[...]"


This statement makes my day :-D

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:06 • by J (unregistered)
I could have written most of that by my third quarter at school and the rest well before I graduated. Their technical interviewer must still be struggling with the concept of static.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:09 • by Papper (unregistered)
Outrageous!

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:09 • by Welbog
Makes you wonder what kind of answer they would have considered "just good enough".

String concatenation is making one string out of two strings?

WTF indeed.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:09 • by Digitalbath
"What is your favorite color?"

"Blue, I mean red...aaarrrgghhh!"

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:10 • by Craig M. Rosenblum (unregistered)
Jeez, this happens so often.

Do human resources or managers ever get a clue?

Maybe instead of having HR hire/screen people, it should be technical people doing that job for technical employees; then, if they pass the tech guy's screening, the manager decides to hire/not hire.

A lot less time, money and frustration would be going on...

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:15 • by Andy (unregistered)
I wouldn't want that job either.
And it's somewhat appropriate that my CAPTCHA was alarm :)

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:15 • by Jesse (unregistered)
WTF:


SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


Can I say SQL injection? That would be why I wouldn't have hired him..

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:18 • by FredSaw
We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernible reason, we just choose to assume that someone is not you.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:18 • by Snuggles (unregistered)
150646 in reply to 150644
I think Pete the PHP guy should wait a month or so and then let ConcatCorp know they've been PUNK'd on WTF. :o)

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:19 • by bah (unregistered)
I think the real stupid part is they are doing this by email.. Anyone could have googled an answer.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:20 • by Scott (unregistered)
PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:21 • by Cory the Cobol guy (unregistered)
150649 in reply to 150644
LOL, that's funny. Yep, no more dynamic SQL generation...

So tell me, you don't know how to prevent SQL injection and use dynamic SQL? Indeed there is someone that wouldn't be hired....

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:22 • by SomeCoder (unregistered)
150650 in reply to 150644
Jesse:
WTF:


SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


Can I say SQL injection? That would be why I wouldn't have hired him..



I was thinking this too. However, in answering the question I probably would have given a SQL concat example as well. It's a "real world" problem that can have concatenation applied to it.

The part that disturbs me is that Peter said he does that all the time on real projects. That should be a little bit of a WTF.

The main WTF is the company thinking he plagiarized it. Yeah, because no one on the planet could come up with a concat definition *eye roll*

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:22 • by Dwayne (unregistered)
150651 in reply to 150644
Jesse:
WTF:

SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

Can I say SQL injection? That would be why I wouldn't have hired him..

Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:26 • by M Diamond (unregistered)
The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.

The second-most ridiculous aspect is that if they choose not to trust the results from the screening question in a case like this, then a moment's thought would have revealed to them that they need a new pre-screening process. The old one is unable to distinguish between someone ignorant but unscrupulous and someone extremely knowledgeable. That's about as broken as you can get.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:27 • by akatherder
Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.






Made you look!

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:33 • by dande
150656 in reply to 150654
akatherder:
Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.






Made you look!


I would have, had you not written 'Made you look!'

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:35 • by lostlogic (unregistered)
150657 in reply to 150648
PHP5 does support parameterized queries.

captcha: digdug -- man that was a good game.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:38 • by Ken (unregistered)
150658 in reply to 150644
Jesse:
WTF:

SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

Can I say SQL injection? That would be why I wouldn't have hired him..

Just because you don't know how to prevent injection attacks doesn't mean it can't be done. A proper follow-up might be "how do you prevent SQL injection attacks in your dynamic queries" before you dismiss him offhand.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:44 • by seejay
150660 in reply to 150644
Your web apps must be very static.

It's not difficult to "fix" whatever comes in first before passing it on to the SQL command. Any developer worth their salt knows this.

-- Seejay

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:44 • by matthewr81
150661 in reply to 150644
Jesse:
WTF:


SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


Can I say SQL injection? That would be why I wouldn't have hired him..


I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

I am curious how you do insert statements without dynamic data...

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:44 • by dubbreak
150662 in reply to 150651
Dwayne:
Jesse:
WTF:

SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

Can I say SQL injection? That would be why I wouldn't have hired him..

Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.

I have hemorrhoids you insensitive clod!!!

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:49 • by Michael McRorey (unregistered)
you can use the following:

<?php
$sql = sprintf
(
"SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
addslashes($User->getID())
);
?>
you can also use the following if it is a MySQL db:
mysql_real_escape_string($User->getID())

sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:49 • by AuMatar (unregistered)
150664 in reply to 150661
matthewr81:
Jesse:
WTF:


SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


Can I say SQL injection? That would be why I wouldn't have hired him..


I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

I am curious how you do insert statements without dynamic data...


Bind variables

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:50 • by bkendig
At least the question made sense!

A year ago I applied for a contracting job with a local company. I was told that I had to take a specific JavaScript aptitude test online, through a service which manages these sorts of tests; once I began I would only have a half-hour to finish, I couldn't change an answer once given, my time spent on each question would be recorded, etc.

The test turned out to be extremely difficult. The difficulty was entirely in trying to decipher what the test-maker actually *meant* for each question. Many of the questions didn't make sense or weren't in complete sentences or didn't use anything approximating valid grammar; others were so awkward that I couldn't tell whether the test-maker was trying to be coy and make a joke or whether he just couldn't get his point across.

I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.

I was told that I had scored 'impressively high' on the test. Still, I wasn't offered an interview, and I never got any farther with the company.

I think they didn't want someone who had a good command of the English language or who had a tendency to identify problems and offer solutions to them.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:51 • by rbowes
Something similar happened to me in school. We were asked to do a research paper on a topic in security, which just happens to be my specialty. So I did a detailed overview of several different security vulnerabilities (stack overflow, etc) with detailed information on why it's exploitable, and even a demonstration of an exploitable program and the exploit for it. I got an A+.

The next year, my friend took the course. Apparently, when given the paper, they were told "No more than 10 pages. Last year, we had an issue with some plagiarism." Apparently, although she couldn't prove it, the prof thought my paper had been plagiarized!

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:51 • by TheRubyWarlock
The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:52 • by Scott (unregistered)
150668 in reply to 150657
lostlogic:
PHP5 does support parameterized queries.


Thanks for this bit of info. PHP4 did not.

Re: Good Answer... Perhaps TOO Good

2007-08-22 14:55 • by AdT (unregistered)
150669 in reply to 150648
Scott:
PHP doesn't support parameterized queries, so you actually have to concatenate the strings.


I have encountered the following statements:
a) in defense of PHP: PHP does support parameterized queries
b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

Dwayne:
Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.


And as usual, string escaping is the right answer to the wrong question, being "How do I prevent malicious users from exploiting the fact that I intermingle SQL code and data?".

The right question is: "Why would I want to intermingle SQL code and data in the first place if my development environment does not force me to?"

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:00 • by tekiegreg (unregistered)
150670 in reply to 150640
Hey, PLAGIARISM!!! I'm sending the Knights that say "Ni" after your @$$ immediately...go turn yourself in immediately or I'll accuse you a second time!

(Paraphrase: Best answer ever...)
(Captcha: gotcha)

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:04 • by Chris (unregistered)
150672 in reply to 150644
Jesse:
WTF:


SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


Can I say SQL injection? That would be why I wouldn't have hired him..

Oh piss off!

The guy can stretch what is a very simple concept of concatenation into many paragraphs, including the syntax of other languages and a common SQL example. He even gave an example of a $User object, all of which shows he's at least halfway competent.

While I wouldn't automatically assume he was aware of preventing SQL injection, I wouldn't automatically dismiss him for not knowing about it simply because he didn't mention it here.

If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:05 • by AdT (unregistered)
150673 in reply to 150667
M Diamond:
The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.


TheRubyWarlock:
The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.


This is what I was thinking, too. Though, maybe they had other reasons for dismissing him and didn't want to tell the truth. E.g. they might have thought him overqualified for the job and thus (probably) too expensive. Then maybe they were simply the morons that they appear to be.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:12 • by AdT (unregistered)
150674 in reply to 150663
Michael McRorey:

<?php
$sql = sprintf
(
"SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
addslashes($User->getID())
);
?>


addslashes escapes ' as \', but the standard way to escape single quotes in SQL is to double them: '' (that's two single quote characters, not one double quote character).

So if proper string escaping is as simple as sitting on a couch, here is the first example of someone who puts his head on the seat and his bottom on the back of the couch. (scnr!)

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:14 • by Bob (unregistered)
Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:18 • by Rama Lama Ding Dong (unregistered)

Remember, the company's goal isn't to find you a good job, it's to find a good candidate for themselves.

Particularly when the labor market gets thin, you find some absolute and completely useless people taking up your time.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:21 • by ratsbane (unregistered)
150677 in reply to 150669
I'm absolutely amazed at the number of so-called programmers who completely fail to grasp the concept of escaping or encoding as relates to SQL and injection attacks.

Properly encoding (escaping) the strings you embed is the key.

And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.

Vote-ups to Dwayne and the original WTF.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:24 • by Tim (unregistered)
150679 in reply to 150648
PHP has always supported parameterized queries for some databases (although not mysql which I'm guessing is what you meant), there was just no standard. Most of us programmers have been using PEAR::DB or PDO (shipped with 5.1) to get parameterized queries in PHP for several years now.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:25 • by Ryan (unregistered)
I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.

A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.

"concatenation is joining things together. I use it to put variables into sql statements."

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:28 • by iMalc (unregistered)
How dare they decide he copied it before actually interviewing him!

He should have told her that he doesn't accept their accusation, and won't have the accusation they gave tarnishing his reputation. Then insist on an interview to prove he knows his stuff. Then go along, show that he knows his stuff, and demand too high a salary, and be turned down because they can't afford him instead.

Bah, they probably thought he was overqualified anyway.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:31 • by Not Bob (unregistered)
150683 in reply to 150675
Bob:
Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)


Haha, the real WTF is about all the morons in here that don't know about subject-verb agreement :)

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:34 • by D (unregistered)
150685 in reply to 150660
Yeah, just turn on Magic quotes :P

could have been worse

2007-08-22 15:36 • by Mitch (unregistered)
The PHP question could have been: You, Jeepies?

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:39 • by Martin Ritchie (unregistered)
Oddly similar to a question I used to ask during interviews:
Please write a C# function to concatenate 3 strings.

For example the function would be passed "Martin", "Donald", "Ritchie" and should return "MartinDonaldRitchie".

I would ask them to write the answer on a piece of paper. Only about one third of the interviewees were able to answer it. Even after saying that I accepted answers in VB, C++ or any other language if they were not familiar with C#.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:43 • by Cynical Bastage (unregistered)
The problem was that they were screening for something else. Did you read this guy's answer? The type of guy that probably would be a high-salaried, hard-to-work-with troublemaker.

They probably wanted an "average" PHP developer so they could at least guarantee some amount of leverage in pay/turnover/working hours.

Sometimes the best is only trouble.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:46 • by pitchingchris
150693 in reply to 150675
Bob:
Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)


Hey guys, why are we arguing in here about parameterized queries, when the original article was about concatenation. Even if the test taker did know about parameterized queries, going into that topic would have deviated from the point at hand, and wouldn't help answer the question.

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:46 • by Mike (unregistered)
150694 in reply to 150639
Welbog:
Makes you wonder what kind of answer they would have considered "just good enough".

String concatenation is making one string out of two strings?

WTF indeed.


Sadly, that is probably exactly what they were looking for.

Captcha: gygax (my stomach filled that in with voice recognition....time for lunch)

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:53 • by Mike (unregistered)
150696 in reply to 150688
Oooh Oooh! I know that one:

1) return string1 + string2 + string3;

2) StringBuilder sb = new StringBuilder();
sb.Append( string1 );
sb.Append( string2 );
sb.Append( string3 );
return sb.ToString();

3) return string.Concat( string1, string.Concat( string2, string3 ) );

4) return string.Format( "{0}{1}{2}", string1, string2, string3 );

Re: Good Answer... Perhaps TOO Good

2007-08-22 15:59 • by Michael (unregistered)
150698 in reply to 150669
AdT:
I have encountered the following statements:
a) in defense of PHP: PHP does support parameterized queries
b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

As a matter of fact, they can both be right, depending on your setup. PHP itself doesn't provide database access; you rely on modules for that. The mysql module, one of the most popular in PHP4, does not support parameterized queries. Pear::DB and PDO, in PHP5, provide database abstraction and parameterized queries.
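The two points made above by AdT (addslashes escapes with a backslash, while SQL doubles the quote) and by Michael (PDO, shipped with PHP5, gives parameterized queries), as an added example that is not from the thread: the concatenated query from the story beside its escaped and its prepared forms. It assumes PHP with the PDO SQLite driver; the Articles table, its rows and the author id containing an apostrophe are constructed here.

```php
<?php
// Added example, not from the thread. In-memory SQLite so it runs stand-alone;
// table, rows and the author id are constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Articles (article_id INTEGER, article_body TEXT, author_id TEXT, article_date TEXT)");
$db->exec("INSERT INTO Articles VALUES (1, 'first',  'o''brien', '2005-01-01')");
$db->exec("INSERT INTO Articles VALUES (2, 'second', 'smith',    '2005-02-01')");

// Stands in for $User->getID(); constructed to contain a single quote.
$authorId = "o'brien";

// 1. Plain concatenation, as in the screening answer: the quote inside the
//    data ends the SQL string literal early and the statement no longer parses.
function naiveQuery(PDO $db, string $authorId): string {
    $sql = "SELECT article_id FROM Articles WHERE author_id = '" . $authorId
         . "' ORDER BY article_date DESC";
    try {
        $db->query($sql);
        return "ran";
    } catch (PDOException $e) {
        return "syntax error: " . $e->getMessage();
    }
}

// 2. Concatenation with escaping done by the driver. PDO::quote() applies the
//    connected database's own rules (SQLite doubles the quote, as standard SQL
//    does); addslashes() would emit \' which SQLite does not treat as an escape.
function escapedQuery(PDO $db, string $authorId): array {
    $sql = "SELECT article_id FROM Articles WHERE author_id = " . $db->quote($authorId)
         . " ORDER BY article_date DESC";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    there is no escaping decision to get wrong in the first place.
function preparedQuery(PDO $db, string $authorId): array {
    $stmt = $db->prepare(
        "SELECT article_id FROM Articles WHERE author_id = :author ORDER BY article_date DESC"
    );
    $stmt->execute([':author' => $authorId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo naiveQuery($db, $authorId), "\n";                    // syntax error: ...
echo implode(',', escapedQuery($db, $authorId)), "\n";    // 1
echo implode(',', preparedQuery($db, $authorId)), "\n";   // 1
```

Only the first form breaks on the apostrophe; the other two return the same row, and the prepared form does so without the query text ever containing the data.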

Re: Good Answer... Perhaps TOO Good

2007-08-22 16:00 • by QuestionC (unregistered)
150699 in reply to 150651
Just because you can work around some of the issues of a kludge doesn't make it any less of a kludge. Even when it works, string escaping is a pretty ugly hack around a nonexistent problem.

This doesn't even touch the efficiency issues with constructing SQL statements on the fly.