Comment On Paging Dr. Null

meh...funny?

I must say, that Null is a pretty software-crashing name :)

Obviously the chances of someone being named "Null" is not that bad. However, the fact that it took empty search fields to be a string value of "Null" is the WTF. It should've came back with something like "Please provide one or more search values"

this smells like SQL-Injection?
Inviting desaster to lunch...

Or how about N.A. Jones?

Or maybe <null> , the asshole who legally changed his name to have the angle brackets. It's unpronouncable.

I wouldn't be surprised to learn that no matter what criteria you enter, you will never be able to locate Dr. Stephen Null, Dr. Tomas Null, or Dr. William Null.

-Harrow.

If (lastName IS NULL OR lastName = 'NULL') THEN


I can't think of what else it could be.

How many of us tried to see if we could get on the site to check this though?

I know I did (can't be bothered trying to find out how to register though, and havent got time to try and get in by force/stealth)

Captcha:- pigeons

The real wtf is that when hiding information in screen captures, don't use blur or mosaic. Use a solid color!

I guess I should read the article now. meh.

i like the login screen on their site - the helpful message is a haiku:

Express Login
A Fast Loading Page
That Can Be Bookmarked
For Your Convenience

Let me see if I get it: The WTF is that a search with no criteria searched for the STRING "Null" instead of either A) having an error message saying you need to enter criteria or B) Using the actual SQL value NULL. Right?

Seems like a kinda tame WTF to me.

Is that phone number 1-858-480-1067 ??

What are the results of the blood test? true, false, maybe, file not found?

captcha: smile - anagram for imels

Well, that could simply be the "lastName" variable referenced in a query without checking wether it is Null or not.
Some OO-languages will always reply "null" when you ask for a null pointer to be casted as a String. Indeed it would be great if it showed somthin' quite like a NullPointerException or such.

In fact, not checking before casting might either crash the application or give weird results like this. Interesting, through !

It'd be great name. Dr. Dev Null, I presume?

sounds like someone built SQL from a string and forgot to add ' around the strings contained within the string.
for example:
declare @string varchar(255), @search varchar(255)
set @search = 'NULL'
set @string = 'select * from table where name = '+@search
exec sp_executesql @string
(which would never return anything)
humorous, but not inconceivable.

kirchhoff:

Or how about N.A. Jones?

Or maybe <null> , the asshole who legally changed his name to have the angle brackets. It's unpronouncable.

And how would someone search for "The Artist Formelly Known As Prince" in the days he used that weird symbol as his name. It's not even a unicode character, neither a symbol of WingDing font.

ernesti:

It'd be great name. Dr. Dev Null, I presume?

In a James-Bond-like voice:

The name's Null, Dev Null!

Le Poete:

kirchhoff:

Or how about N.A. Jones?

Or maybe <null> , the asshole who legally changed his name to have the angle brackets. It's unpronouncable.

And how would someone search for "The Artist Formelly Known As Prince" in the days he used that weird symbol as his name. It's not even a unicode character, neither a symbol of WingDing font.

...Spock You-Couldn't-Pronounce-It

Le Poete:

kirchhoff:

Or how about N.A. Jones?

Or maybe <null> , the asshole who legally changed his name to have the angle brackets. It's unpronouncable.

And how would someone search for "The Artist Formelly Known As Prince" in the days he used that weird symbol as his name. It's not even a unicode character, neither a symbol of WingDing font.

It was easy, you searched for "Prince" and you got everything that had his prior discography and everything under "formally known as Prince". Remember, unofficially everyone still called him "Prince" or "The Artist", the name change was purely for legal purposes.

A friend of mine has the email address null@<domain>.<tld> You can't imagine how much test-emails he receives, including ones that contain real user names and passwords. People assume that 'null' is a non-existing email adres so they expect their test-emails to bounce. Which they don't....

The Satanic Dr. Null.

The dietician Gary Null has a radio show on Pacifica (which I would not recommend).

The archetype for this one is Jon Bentley's story in one of the Programming Pearls books about the APL program that failed whenever it hit the Ecuadorean data set. Alas, the capital of Ecuador is Quito, a prefix of the magic token Quit.

I can get to the site, because I work there. It's not true. The only way to get Mr. Null to come up in the search results is to enter "Null" in the name. The submitter did so and then deleted it before grabbing a screen shot. So, whoever you are, you're a liar.

Having worked for CardinalHealth before
the phonebook website does not allow empty fields, although Dr. Null is a real person. This is fake. There are quite a number of WTF's here though. Ask me about the VB ap connecting to the Oracle database running a query to pull data from an SAP application...yeah...

Actually, this is not a search for a doctor - this is our internal phone book (Cardinal employee's). Still, rather disappointing...

Does your last name start with K?

At this point I'm kinda amazed at the number of Cardinal employees/contractors who read WTF. Hello all! ::waves invitingly::

omitted:

The dietician Gary Null has a radio show on Pacifica (which I would not recommend).

The archetype for this one is Jon Bentley's story in one of the Programming Pearls books about the APL program that failed whenever it hit the Ecuadorean data set. Alas, the capital of Ecuador is Quito, a prefix of the magic token Quit.

A fuck-up that can be made by programmers in any language. APL doesn't even make it easier to make that mistake.

grkvlt:

i like the login screen on their site - the helpful message is a haiku:

Express Login
A Fast Loading Page
That Can Be Bookmarked
For Your Convenience

is there a 5-5-5 haiku I don't know about?

I thought it was 5-7-5

I think this is fake to be honest I can't see how this can be implemented. Null = null evals to false... so for a real null to be there then nothing should be returned..

Precision: There are no magic tokens or reserved words in APL itself, so it must have been in the application.

Anonymous cardinal person:

At this point I'm kinda amazed at the number of Cardinal employees/contractors who read WTF. Hello all! ::waves invitingly::

Frankly it looks a bit suspicious that 5 cardinal employees make comments in a row, each within a minute of the last. Particularly since they're all unregistered. Almost as if one person was trolling under different names...
But then, I suppose it's believable that someone at Cardinal saw the WTF and pointed it out to h(is|er) co-workers, but I would still think there'd be a bit more variance in the posting times.

Jon:

grkvlt:

i like the login screen on their site - the helpful message is a haiku:

Express Login
A Fast Loading Page
That Can Be Bookmarked
For Your Convenience

is there a 5-5-5 haiku I don't know about?

I thought it was 5-7-5

Yep, it is supposed to be 5-7-5, though it is also supposed to allude to the natural world and/or a season, if you want to get really picky...

After some thought this is a pretty good WTF. It's "Null". "Null" or "NULL" should NOT equal NULL

Wow, paranoid much? Consider this - in the R&D building where I work, everyone gets in around the same time in the morning, and most of us have WTF as one of our start pages.

Ha! I was shocked to see this as I just left the company. (my job moved to dublin! rat bastards!)

./wave at all my fellow ex-coworkers...

aren't you all supposed to be fixing something?

Naaa... it's a big company that stays behind the scenes for a HUGE amount of medical stuff. It's spread out all over the place so lots of IT.

Null, Mr. Bond, I expect you to die!

Another Anonymous Cardinalite:

Wow, paranoid much?

That's what I'm paid to be, so yes.

Consider this - in the R&D building where I work, everyone gets in around the same time in the morning, and most of us have WTF as one of our start pages.

I noted that there were explanations, I just had to make note of how suspicious it looked.

RSS readers all update at roughly the same time and since we all freaked when we saw it....

Hello, I'm doctor "; DROP TABLE; pleased to meet you.

Well done, you just made me spit tea all over my laptop screen.

Working with the UK NHS directory, it was said that there were quite a few of "Dr. Death" in the list; five or fifty, depending on who was telling the story. For some reason this got a laugh.

Either the submitter, Michael, was lying, or he was being very disingenuous in his submission.

A quick look at the source for this page reveals:

Quick search:
if(input == null || input == ""){

alert("Enter a value for QuickSearch");
return false;

}
else if(noInvalidChar(input))
{
document.form1.submit();
}

Detailed search:
if((fn == "") && (ln =="") && (location == "") && (business =="")){
alert("Enter a value for Detailed Search");
document.form9.firstName.focus();
}
else{
if(noInvalidCharFn(fn)){
fnValid=true;
if(noInvalidCharLn(ln)){
lnValid=true;

}
}
}

And no, submitting with only spaces in either the quick search or the detailed search textbox fields does not work, either. The noInvalidChar* routines trim whitespaces and validate that the resulting string is not empty.

The only way he could have submitted a search request with no parameters would be to have modified the JavaScript code to disable this check locally, or performed some sort of submission trickery that a typical user would not be able to do. I personally did not bother to go out of my way to test this, but it's reasonable that bypassing the JavaScript check might result in a small issue like this. Hardly a WTF.

There is also the very unlikely possibility that the page was corrected between Michael's screenshot and when the first CH employee attempted to confirm the result. I sincerely doubt such an important page would be updated with such thorough validation routines so quickly, however.

I'm actually more curious as to why Michael would be searching for his doctor on an internal company phone book that I hope is not accessible to the public, however.

This story was almost certainly fabricated, and makes me wonder about other stories on this site. Though you can't blame Jake, as he would obviously not be able to personally verify this himself before accepting the submission ...

Huh, wouldn't entering an invalid character result in nothing happening? Or did you leave out an else?

Anyway, does the site actually claim anywhere that the articles are guarenteed to be real? Aren't these stories just supposed to be entertainment? If an occasional fictional story passes through, so what?

Nah. Sorry, I didn't want to post the source to the entire non-public page here. If you fail that test, it just returns "no records found" and doesn't actually search anything.

The only way this would be an issue is if the site is performing loose SQL queries based on the search strings, hoping that JavaScript filters the strings safely, but the backend should at least be protected against escape quotes. I hope. I don't have access to that to tell you, though.

For those who don't know, Null is a last name shared by 0.003% of all Americans. In 1990 it was the 4509th most popular last name.

Yet another anonymous CH employee ...:

Either the submitter, Michael, was lying, or he was being very disingenuous in his submission.

A quick look at the source for this page reveals:

[...]

Just a thought: what if you disable javascript? Does the form stil get submitted?

Is it too late to have my name changed to Mr. No Carrier?

I searched two days ago for Null Null in the whitepages (purely coincidental!), and found some people .

Is Null really a surname, or is it problems when merging some databases?

I figure this is possible if the backend DB is Oracle. After all, Oracle thinks NULL and the empty string are equal, doesn't it?