Comment On Not Exactly AJAX

It takes time and money to provide a server. Why bother even having a server when you can just have the client go directly to the DB?

snoofle:

It takes time and money to provide a server. Why bother even having a server when you can just have the client go directly to the DB?

Better yet, just provide a simple interface to the DB.
That way the user can get exactly the data they require and it saves on unnecessary coding.

Brillant!

A steaming pile of bad practices. That's a proper WTF.

I have read lot of WTFs from this site, but this kind of things still make me wonder, if person who wrote that were really complete moron or was there some other reason. I mean, i have'nt learn security or even programming in university( I learn physics), but even at the beginning of my programmer profession I did'nt wrote this kind on WTF. I mean..... well i can't even think anything after that thing.

Hell yeah! Why not! Just give the user some command line and admin/admin acces to the database.

CAPTchA: transverbero, what did i do to you?

Yes, we loves us some plaintext DB passwords...

proko:

I have read lot of WTFs from this site, but this kind of things still make me wonder, if person who wrote that were really complete moron or was there some other reason. I mean, i have'nt learn security or even programming in university( I learn physics), but even at the beginning of my programmer profession I did'nt wrote this kind on WTF. I mean..... well i can't even think anything after that thing.

You would be surprised how many programmers don't understand basic Client/Server interactions. Now, don't expect them to know secure interactions.

I once had to use a library in ASP.Net that absolutly needed a window to connect to. Now, try to create one in ASP.Net and it'll tell you that you can't create a window since the web service is not interactive despite it's logged in as an interactive service.

I googled my problem, hoping to find the missing config somewhere, but the google internets tubes were clogged with idiots trying to pop an alert box using System.Windows.Forms.MessageBox. My answer was probably burried on the 1000th google search result page.

A coworker came to the rescue, he still can't remember how he got the answer since he had the same problem as me finding it.

proko:

I have read lot of WTFs from this site, but this kind of things still make me wonder, if person who wrote that were really complete moron or was there some other reason. I mean, i have'nt learn security or even programming in university( I learn physics), but even at the beginning of my programmer profession I did'nt wrote this kind on WTF. I mean..... well i can't even think anything after that thing.

A lot of it can be attributed to laziness and/or lack of imagination.

Laziness: "Why should I write a server when I can just talk to the database directly?"

Lack of imagination: "My DB is only going to be talking to my web page so it's OK to do this." (Unfortunately, I've seen this more frequently than I'd like.)

back in the olden days we used to do the db search on page load and chuck everything into unwieldy javascript arrays. glad to see things are progressing..

:(

Coincoin:

proko:

I have read lot of WTFs from this site, but this kind of things still make me wonder, if person who wrote that were really complete moron or was there some other reason. I mean, i have'nt learn security or even programming in university( I learn physics), but even at the beginning of my programmer profession I did'nt wrote this kind on WTF. I mean..... well i can't even think anything after that thing.

You would be surprised how many programmers don't understand basic Client/Server interactions. Now, don't expect them to know secure interactions.

I once had to use a library in ASP.Net that absolutly needed a window to connect to. Now, try to create one in ASP.Net and it'll tell you that you can't create a window since the web service is not interactive despite it's logged in as an interactive service.

I googled my problem, hoping to find the missing config somewhere, but the google internets tubes were clogged with idiots trying to pop an alert box using System.Windows.Forms.MessageBox. My answer was probably burried on the 1000th google search result page.

A coworker came to the rescue, he still can't remember how he got the answer since he had the same problem as me finding it.

So the WTF is that you're bad a Googling?

Grovesy:

JonC:

snoofle:

It takes time and money to provide a server. Why bother even having a server when you can just have the client go directly to the DB?

Better yet, just provide a simple interface to the DB.
That way the user can get exactly the data they require and it saves on unnecessary coding.

why even do that? Just give them Query Analyser, and MSSQL for Dummies(tm).

What? Why not just give every user the credit card numbers stored in your system... That way they don't have to learn SQL.

This code isn't so bad, I have seen more unsecured way to do such a things. I do the same when I was a child...

This code isn't so bad, I have seen more unsecured way to do such a things. I do the same when I was a child...

Who needs XML web services when you can just go straight to the database? Why have that extra layer when it just slows things down? Brilliant!"

For the last time, it's BRILLANT.

The real WTF is why you would use IE for development to begin with. :P

dlikhten:

Grovesy:

JonC:

snoofle:

It takes time and money to provide a server. Why bother even having a server when you can just have the client go directly to the DB?

Better yet, just provide a simple interface to the DB.
That way the user can get exactly the data they require and it saves on unnecessary coding.

why even do that? Just give them Query Analyser, and MSSQL for Dummies(tm).

What? Why not just give every user the credit card numbers stored in your system... That way they don't have to learn SQL.

Why do that when in the UK we have a goverment bueracracy to do it for us!

Missing Discs 'worth £1.5bn' to criminals

It's especially brilliant to be passing the database connection string along like that.

vman:

It's especially brilliant to be passing the database connection string along like that.

How else would you do it, given that you're going to do the query from the web page itself?

- You could encrypt it slightly, but you'd have to run the decryption algorithms on the client as well.
- You could have some AJAX to get the connection parameters from the server, but, as well as being just as insecure, if you're going to do AJAX, why not do the whole job properly.

Lol

you dont need any management tools.. a simple DB client tool would do.. given that the developers has just provided us with the connection strings and table and column names!.

wow...this is GOLD...

Anonymous:

Who needs XML web services when you can just go straight to the database? Why have that extra layer when it just slows things down? Brilliant!"

For the last time, it's BRILLANT.

great post :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :)) :))

security? security over usability and performance? hmmmm...taking your logic to its natural end, you must necessarily agree with that Dilbert strip where the security consultant says "if it were up to me, everything would be so secure you couldn't do anything"

(tried to link to the comic archive, but couldn't find it. looks like they don't keep them available but for so long)

TRWTF is that you cannot save your personaliz(s)ed page on their server. at least it would give you the chance to write your own queries.

The even bigger WTF is that you can disable JS but I never found an option to disable VBScript.

Cloak:

The even bigger WTF is that you can disable JS but I never found an option to disable VBScript.

Is that true?!? I'm not a web developer, and am not all that familiar with IE. But last time I looked IE's options dialog(s) were a byzantine horror--maybe it's buried in there somewhere. It's gotta be, doesn't it? Can somebody confirm this?

Yes, you can do that of course. But AFAIR, you can only toggle both JScript and VBScript off or on simultanously - there is no option for "JScript alone".

Just a few years ago, I took a job at a place that hadn't made the jump from classic ASP yet. One developer there was very proud of his code to dynamically sort tables on a webpage. I noticed that resorting the table refreshed the page with a new querystring variable such as "?order=lname" and soon discovered that he was dynamically creating SQL queries and just swapping out the "ORDER BY" field. (Of course, the queries always began with "SELECT * FROM" and let the ASP do the filtering work.)

Luckily I found a new job by the time clients started getting attacked by the most elementary form of SQL injections.

J:

Just a few years ago, I took a job at a place that hadn't made the jump from classic ASP yet. One developer there was very proud of his code to dynamically sort tables on a webpage. I noticed that resorting the table refreshed the page with a new querystring variable such as "?order=lname" and soon discovered that he was dynamically creating SQL queries and just swapping out the "ORDER BY" field. (Of course, the queries always began with "SELECT * FROM" and let the ASP do the filtering work.)

Luckily I found a new job by the time clients started getting attacked by the most elementary form of SQL injections.

We found a great potential SQL injection attack in a system I worked on. It sucked in CV's and processed them into structured profiles. It was all brand new and pretty well coded, except the actuall CV processor which was ancient, horrible and very very complicated, alot of dynamic SQL was used.

So, stick 'DROP Users' at the end a certain section on your CV and you're laughing.

We found a better one, which executed dynamic SQL to do a best match lookup for one section and directly put the returned data into that section on your structured CV. So, just write a sub select query, and you can pretty much get any data you want from the DB.

Brilliant!

why not just open the ASP page on the server and goto File->Save As
then rename the .html file to .hta

-jugis

suzilou:

security? security over usability and performance? hmmmm...taking your logic to its natural end, you must necessarily agree with that Dilbert strip where the security consultant says "if it were up to me, everything would be so secure you couldn't do anything"

Taking your "logic" to its natural end, you must necessarily agree that abusability is just another form of usability and therefore desirable. This is because the normal end user will notice no difference at all whether or not you are using a proper 3-tier design or accessing the database directly from the web browser, but the black hat hacker surely will.

And quoting Dilbert in defense of your position is somewhat like quoting Richard Dawkins in defense of Catholicism.

if this was just for the corporate intranet, it's not that big of a wtf. Perhaps the server would be inaccessible for the general public, only allow connection from a few IPs that should.

And even if it is wide open, perhaps the user/pass it uses has the permissions set up so it can not modify anything, or not even access sensitive data. That would be quite OK.

AdT:

And quoting Dilbert in defense of your position is somewhat like quoting Richard Dawkins in defense of Catholicism.

Wasn't Richard Dawkins the host of Family Feud?

So I thought about this, and decided to write about it. http://preachsecurity.blogspot.com/2008/02/how-to-tell-your-webappsec-program-has.html

Throw some digg's my way if you find it interesting.

Thanks

"What? You need the access credentials for DROP TABLE? Just look at the source code, it gives you everything you need."

Please tell me this was on a public server.

suzilou:

Wasn't Richard Dawkins the host of Family Feud?

I must be missing the irony tags... anyway, I don't know Family Feud but Wikipedia tells me this show was once hosted by a man called Richard Dawson.

Richard Dawkins is a controversial, anti-theistic British evolutionary biologist, and the author of several books, the latest being "The God Delusion". Obviously, you don't need to read this book to understand my point.

I vaguely remember reading once somewhere that Microsoft encouraged this for certain applications - obviously internal only, but web page code to database and even now web page code to very thin app server that returns an XML ResultSet was not unknown for certain types of development.

Not saying it's a good idea of course. You have to work on the basis that you have authentication throught which a closed Windows environment can give you, and also that you're granting all your users database access so you need to be happy your database permissions are correct.

I'd feel nervous without limiting that to stored procedure execution only and maybe some views I've constructed, but then I'm heading towards writing a middle tier only in stored procedure land.

AdT:

I must be missing the irony tags... anyway, I don't know Family Feud but Wikipedia tells me this show was once hosted by a man called Richard Dawson.

Richard Dawkins is a controversial, anti-theistic British evolutionary biologist, and the author of several books, the latest being "The God Delusion". Obviously, you don't need to read this book to understand my point.

No irony intended. Just making light of your very serious response to my original post. No trolling going on here...not wanting to pick fights...just wanting to keep it light in an attempt to show that my 'Dilbert' post wasn't meant to be a true defense at all.

(Now, if your first reply was all meant to support my, apparently non-humorous, humor with equivalent jest, then accept a resounding "my bad" :-)

The WTFeyness of this story is pretty dependant on when the code was written...

Maybe it was written pre-XHR and the coder was this clever but not quite clever enough to try an iframe proxy.

Also, it could very well be that the organization had an IE4 policy and the 'PLAINTEXT' user had reasonably limited access to SQL.

Not Brillant. Brillig.

'Twas brillig, and the slithy toves
Did gyre and gimble in the wabe:
All mimsy were the borogoves,
And the mome raths outgrabe.

pscs:

vman:

It's especially brilliant to be passing the database connection string along like that.

How else would you do it, given that you're going to do the query from the web page itself?

- You could encrypt it slightly, but you'd have to run the decryption algorithms on the client as well.
- You could have some AJAX to get the connection parameters from the server, but, as well as being just as insecure, if you're going to do AJAX, why not do the whole job properly.

You could use stored procedures or views, or some other way to limit what can be done and gotten from the website.

To call this a WTF is an understatement. Bravo.

Richard:

I vaguely remember reading once somewhere that Microsoft encouraged this for certain applications - obviously internal only, but web page code to database and even now web page code to very thin app server that returns an XML ResultSet was not unknown for certain types of development.

Not saying it's a good idea of course. You have to work on the basis that you have authentication throught which a closed Windows environment can give you, and also that you're granting all your users database access so you need to be happy your database permissions are correct.

I'd feel nervous without limiting that to stored procedure execution only and maybe some views I've constructed, but then I'm heading towards writing a middle tier only in stored procedure land.

I don't know that they necessarily "encourage" it, but their sample code in MSDN is frequently WTF-worthy for ignoring basic principles of style and security.

GalacticCowboy:

Richard:

I vaguely remember reading once somewhere that Microsoft encouraged this for certain applications - obviously internal only, but web page code to database and even now web page code to very thin app server that returns an XML ResultSet was not unknown for certain types of development.

Not saying it's a good idea of course. You have to work on the basis that you have authentication throught which a closed Windows environment can give you, and also that you're granting all your users database access so you need to be happy your database permissions are correct.

I'd feel nervous without limiting that to stored procedure execution only and maybe some views I've constructed, but then I'm heading towards writing a middle tier only in stored procedure land.

I don't know that they necessarily "encourage" it, but their sample code in MSDN is frequently WTF-worthy for ignoring basic principles of style and security.

MSDN code is just meant to demonstrate how to do something with the API, not necessarily the best way to actually do it... The other point of it is it's actually meant to work if you cut and paste it. If for example they are demonstrating populating a drop down, they aren't going to include code to write stored procs, write a nice data layer, include an ORM mapper, wrap that up with some domain driven pattern accessed through a service layer wraped in a facade that expose the services over binary remoting.

They are just going to show an example with dynamic SQL... One would hope the reader is well enough educated to a.) get the point b.) translate the example into something that works/

No parameters in the SQL! Outrageous!

Please tell me that someone connected to the database and left them some surprise to teach them a lesson.

pscs:

vman:

It's especially brilliant to be passing the database connection string along like that.

How else would you do it, given that you're going to do the query from the web page itself?

- You could encrypt it slightly, but you'd have to run the decryption algorithms on the client as well.
- You could have some AJAX to get the connection parameters from the server, but, as well as being just as insecure, if you're going to do AJAX, why not do the whole job properly.

I could stuff the DB connection behind a service interface and then go looking for the original dev with a pair of rusty scissors.

snoofle:

It takes time and money to provide a server. Why bother even having a server when you can just have the client go directly to the DB?

I believe that can actually be done securely. Set up a user account for web use and grant it execute rights on a stored procedure, but no direct database privileges. The stored procedure checks that the user actually submitted literal card details before returning a result. (For extra protection, return random results on any query that doesn't match any entry in the database?) This way, the client goes directly to the database, but the security is on the same level that you would have had with an AJAXy solution.

Disclaimer: I'm no DBA... feel free to point out included WTF(s) if any.

Jack:

The real WTF is why you would use IE for development to begin with. :P

The code is VBscript so wouldn't work on any other browser (yes, doing IE specific webs is a real wtf).

There are times where the progarm is so bad I want Query Analyser and MSSQL for dummies, I could get the data I want faster then they can.

TRWTF is that Richard Dawkins can be described as 'controversial' as opposed to 'a proponent of the blindingly obvious'