The way I see it from looking over it briefly is that he's just removing all apostrophes? So the obvious thing would be MyFunction = Replace(inText,"'","")... But of course, you could opt to KEEP the apostrophes. Guess he never found this out: MyFunction = Replace(inText,"'","''") If this

HEY! Why can't I edit my message? [:@] Anyways... I wanted to add that you gotta love his one and only comment. And to say that I never understand why these

Ok, so it's off-topic, but damn it, it's Teh Funneh (2005-07-26 14:46, by Schol-R-LEA)

Speaking of 'giant' programs written in VB6 that need to be reverse engineered, I wonder how Mycosoft are going to handle this little matter...

That, and the fact that he is using a really lame method to clean strings of SQL injections... and doesn't even realise that an injection is possible (hence the comment).

I wonder if this is the reason that the last time I was at the local "gentleman's" club and asked the dancer to stripweird she danced twice as long and took all my $'s.

>>> 'sql server freaks out on this character: ' <<< And my word processor completely freaks out over both the CR and LF characters! Starts moving the cursor over to the left side of the screen !! Of a new line!!! Damn lousy word processor...

And given that I can't - why is there an "Edit" button?

At least he didn't Dim pos as Double

Do you think he does the loop twice, once for the opening quote and once for the closing quote?????

So, he doesn't know what ' does. Doesn't bother to /find out/. Then he decides to do a string concatenation to remove it, and then he repeats it, just to be safe. This indicates WAY bigger problems elsewhere.

If this was originally written in VB5, there was no Replace function. I do like the way he loops twice though, and the Left 16000 is a nice touch.

From TFA: Ok, maybe if you're doing ad hoc queries or Dynamic SQL ("INSERT INTO ..")... But SQL Server doesn't choke on the ' character if it's part of a stored procedure, does it?! Stored Procs, in general, are better than dynamic SQL, in my experience.

I think the way he/she makes extra double sure there aren't any ' chars is really just good, good, sound, sound, careful, careful programming. Hey, if the code missed one, then it can miss it again! Sure beats writing an error handler! My only worry is when the InTxt value is 16001 chars or more - wouldn't it be better to write:

Private Function StripWeird(InTxt As String) As String
    If Len(InTxt) <= 16000 Then StripWeird = InTxt
End Function

This WTF has rendered dubwai unable to form coherent sentences. Is this a first? [:)]

WTF is the second loop for? That doesn't do anything, does it?

Insurance in case the first loop's eyes were tired and missed the '

Some people said I was crazy to build a loop that removed all apostrophes from a string. But I did it anyway. And that loop missed some apostrophes. So I ran the loop again. That loop missed some apostrophes too. So I ran the loop a third time. That loop missed some apostrophes too. So I ran the loop a FOURTH time. And that one caught all the apostrophes! And today that's what you're getting, son.
A thousand apologies to Monty Python.

Re: Weird Stripping - no excuse at all (2005-07-26 16:10, by MoebiusStreet)

No excuse at all. Even for dynamically generated SQL, you should be using parameter placeholders, and then setting the values in Parameter objects for the Command. It's easy, and completely avoids both injection attacks as well as any need to mangle your apostrophes. Anyone on my team who doesn't do it this way is going to get a good talking-to [:@]

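The three approaches argued about in this thread side by side, as an added example that is not code from the original post or the forum: the raw concatenation that is injectable, the StripWeird-style apostrophe removal, the Replace("'", "''") doubling suggested upthread, and a parameter placeholder. SQLite stands in for SQL Server, the users table and its rows are constructed for the demo, and strip_weird re-creates only the observable behaviour of the posted function (truncate to 16000 characters, drop every apostrophe).

```python
"""Added example: why stripping apostrophes is the wrong fix, and what parameters buy you."""
import sqlite3

MAX_LEN = 16000  # the posted function's Left(InTxt, 16000)


def strip_weird(in_txt: str) -> str:
    """Re-creation of the forum function's observable behaviour: cut to 16000 chars, drop every apostrophe."""
    return in_txt[:MAX_LEN].replace("'", "")


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table with constructed sample rows (SQLite stands in for SQL Server here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("O'Brien", 0), ("root", 1)],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic SQL with the raw value pasted in: the classic injectable pattern."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_stripped(conn: sqlite3.Connection, name: str) -> list:
    """The forum code's approach: remove apostrophes, then concatenate."""
    sql = f"SELECT name FROM users WHERE name = '{strip_weird(name)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Doubling the quote (the Replace(inText, "'", "''") idea) keeps the data intact, but it
    still depends on one DBMS's quoting rules and only helps inside a string literal."""
    sql = "SELECT name FROM users WHERE name = '{}'".format(name.replace("'", "''"))
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Placeholder plus bound parameter: the value never becomes part of the SQL text."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"  # constructed injection payload
    print("unsafe  :", lookup_unsafe(db, payload))       # every row leaks
    print("stripped:", lookup_stripped(db, payload))     # blocked, but...
    print("stripped:", lookup_stripped(db, "O'Brien"))   # ...a real user can no longer be found
    print("escaped :", lookup_escaped(db, payload), lookup_escaped(db, "O'Brien"))
    print("param   :", lookup_param(db, payload), lookup_param(db, "O'Brien"))
```

The stripping version does stop this particular payload, which is probably why the original author thought the problem was solved; the cost is that every legitimate value containing an apostrophe is silently altered, and any non-string context (numeric column, identifier, ORDER BY) gets no protection at all. The parameterized version needs no knowledge of the DBMS's quoting rules and returns the right answer for both inputs.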
The WTF is why anyone uses Visual Basic, which is one of the most horrible programming languages ever seen!?

What IS that character?? I have never seen that character before.

VB isn't great, but it is fantastic for rapid application development. It comes in handy for small little projects and was a godsend before Java came mainstream. Develop a small GUI app in VC then do the same one in VB and see how long they both take you. Dollars to doughnuts says VB kicks the ever living crap out of the VC time. In the end, larger projects needing closer interfacing to hardware should be done in VC. The problem is, 90% of projects out there start small, then through maintenance and evolution become projects that should have been spec'd completely and prolly done in Java or maybe, just maybe VC if you have someone who knows what they are doing.
You would think a reply would actually reply to the post selected...but NOOOOOO. You have to quote them... |
I would bet the development time for a fat client in VB is going to kick the crap out of Java too. The problem tends to be that the app is quick in the first dev cycle but each progressive cycle takes longer and longer. Eventually it takes longer to make a few enhancements than it did to write the app in the first place. It's not the language, mind you, it's that the skill level required to code in VB is a lot lower than most languages so you tend to get less skilled developers. Another way to put it is that VB makes it easy to do a lot of things that experienced programmers know not to do.

Couldn't
If pos > 1 Then
be...
pos = InStr(InTxt, "'")
When you re-invent the wheel, be sure to make it round.

I think what he was trying to do was remove single quotes from strings to prep for database insertions. Makes the whole purpose of the thing a WTF: he should've added escape characters instead of removing the single quotes.
Well, he could do that, but InStr(pos - 1) is faster, because you know there aren't any ' before pos, so skipping that part of the string kinda makes sense... |
Oh, do us a favour. "Real programmers" know that you use the best tool for the job. It is so dull when this board turns into a VB vs TheRestOfTheProgrammingLanguagesInTheWorld discussion by snobby programmers who like to look down on VB because it is fast, easy and popular, and somehow undermines their own sense of self importance in being a guru programmer in a 'difficult' language. Time to move on, people!

Private Function StripWeird(InTxt As String) As String
InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1)
StripWeird = InTxt

For my money, one of the best bits is the way he's passing the input in by reference (the default before VB.Net) then using it as his temporary variable, modifying it and passing it back out. Beautiful. Even if he didn't return the results, anyone calling this so-called function will find the contents of their argument variable have been modified.

OK. What's the deal with the fonts on this forum?

The comments indicate that the coder (I hesitate to use the word 'programmer') has found that quotes cause problems with his database engine of choice. So, rather than working out _why_, and risk providing a sensible solution, he has decided unilaterally to simply strip all the quotes out. Neat. And deserving of a poke up the arse with a sharpened stick. I fully expect to see, elsewhere in the system, something that converts quotes to some other character, and then converts them back again after it's been through this routine. The funny thing is, if you use a decent toolkit, you don't ever have to worry about reinventing this particular wheel. But I don't remember ever seeing VB described as a decent toolkit, so I guess that point is moot. Simon
Were I feeling charitable, I'd guess that mentioning "replace" as the right way to do what the coder originally intended (even if he didn't realise he intended it) - twice - was an ironic commentary on the double construct in the original code. However, I'm not feeling charitable, and I am forced to conclude that you must be one of those "morrons" we hear so much about.

Yup, I agree - there's plenty of scope for similar/worse approaches in ANY language... having said that, this WTF is a corker.

It should be clearly obvious to everyone here that the real WTF is SQL Server freaking out over a standard ASCII character!
I'd love to see the first error message he got when he found this out. "Dude, that character like totally freaked me out!!! Don't send me any more, ok?" [OK] [Cancel]
I was commenting on the code as it was posted, not what he should have done (Stored Procedures, Parameterized Queries). Everyone knows he should have used XML with some XSLT and some Javascript and preferably throw in some other languages too. [:D]

Yeah, it does look like he's running the loop twice, once for open, once for closing quote... how very very very odd.

I'm a little worried about the efficiency of the code. Why not a script that generates the function, explicitly unrolled for an arbitrary number of bytes (up to say, 640K, since Bill Gates decreed that's all we'd ever need) and then just checks each byte explicitly. 'That's, in my mind, efficiency's best bet, y'all, since you don't know how many ASSKISS 39's the input may be packin''. We can call such a script: Duff's Dementia.
Do you mind if I use this quote? It perfectly sums up many of the problems with VB (and several other RAD tools as well).
While I agree that a lot of the VB-bashing (such as the example above) is uncalled for, there are objective reasons why VB is less than desirable. The language is extremely large and complex (far more so than most client-programmers suspect when they begin using it), has many grave design flaws, and through VB6 at least had been developed in a slipshod and ad hoc manner. VB.Net really does fix many (nowhere near all) of the problems with VB as a language, but the result is about as different from VB6 as Java is from C++. Since the language is proprietary and subject to arbitrary change (something which is also true of Java, admittedly) I doubt that a 'visual' RAD tool based on, say, Ruby, would have nearly as many problems, or as many complaints.

To give a real example, I've heard of implementation complaints regarding Boa Constructor, but I can't recall many complaints about the underlying language (Python), and certainly nothing like those levelled at VB; this may be just a function of popularity, I suppose, but from what I've seen Python is mostly a language people move to rather than away from. Had VB been better designed as a language (and if there were an open, published standard from the start), I doubt that it would have the odious reputation it does.

Personally, my biggest issue is that VB looks easy to use, and is for fairly straightforward projects, but becomes monstrously difficult to maintain beyond that. Also, I personally feel that VB is a poor language for teaching - something I also feel about C, C++, Java, and Perl, though for different reasons in each case - and encourages sloppy programming habits. It tries to fit the 'casual programmer' niche Smalltalk was designed for, and fails.

Feh. I apparently dropped the end of that first paragraph somehow. It should have read:
"Since the language is proprietary and subject to arbitrary change, programmers using it cannot be certain if the code they write today will work on the next version of the language - something which is also true of Java, admittedly, but the Java developers tend to make fewer radical changes, and phase out old constructs rather than simply axing them or rearranging them. The fact that the language is not fully documented (AFAIK), and no standards body exists for it, makes some aspects of development a matter of guesswork."
It would be much better to store the JavaScript in the DB as XML, like so: ... then convert it to JavaScript. [Y]
Jesus, dude, don't you have anything better to do?

It's missed its requirement goal. If it strips "wierd", how come I can still see the code?

So many WTFs... Let's see:

1. (most importantly) That d00d is too dense to use stored procedures, even after he's realized that there's a problem with apostrophes in strings.
2. He decides to remove apostrophes/single quotes from string parameters before assembling a query (ok, at least he does something that will prevent SQL injection), but he doesn't actually know what he's doing, as exemplified by the comment.
3. This means that apostrophes can no longer be used in string parameters at all, which is kind of annoying if you use SQL for feedback/guestbook/comment/mail body fields.
4. He writes his own method instead of just using Replace.
5. Instead of writing a general purpose "Replace"-like function, he decides to hardcode it to perform Replace(InTxt, "'", "").
6. He executes the exact same copy-pasted Do While loop twice in a row, just to be sure.
7. His Replace implementation manages to require quadratic time in the worst case, which is essentially an invitation to cheap DoS attacks (just send 16,000 single quotes to the server).
8. The function name is a WTF in itself.
9. He trims string parameters to 16,000 characters without any notice.
10. He's using VB6 (scnr).

Ok, did I miss any?
He's probably trying to shave off some cycles, but, unfortunately, he's a bozo, which means it doesn't actually buy him anything. That's because the line InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1) always requires linear time, and it's executed once for every apostrophe, so in the worst case, he manages to make a simple string replacement, which should be O(n), O(n²) in time complexity.
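The quadratic-time and cheap-DoS points made in the two posts above, measured rather than argued, as an added example that is not code from the original thread. strip_weird_faithful re-creates the posted algorithm from the lines quoted in this discussion (Left(InTxt, 16000), an InStr/Left & Mid loop, the same loop run a second time) and counts the characters the Left & Mid rebuild copies; where the original resumes its InStr scan is an assumption and does not affect the count. strip_linear is the single pass the posts say it should have been.

```python
"""Added example: cost of the Left & Mid rebuild per apostrophe versus a single pass."""

MAX_LEN = 16000  # the posted function's Left(InTxt, 16000)


def strip_weird_faithful(in_txt: str):
    """Re-creation of the forum function's algorithm, counting the characters moved by the
    Left(InTxt, pos - 1) & Mid(InTxt, pos + 1) rebuild. Returns (stripped_text, chars_copied)."""
    s = in_txt[:MAX_LEN]
    copied = len(s)                       # the initial Left(..., 16000) copy
    for _pass in range(2):                # the copy-pasted second Do While loop
        pos = s.find("'")
        while pos != -1:
            s = s[:pos] + s[pos + 1:]     # rebuilds the whole string for one removed character
            copied += len(s)
            # Resuming the scan at pos mirrors the InStr(pos - 1, ...) idea from the thread
            # (assumed; nothing before pos can be an apostrophe any more).
            pos = s.find("'", pos)
    return s, copied


def strip_linear(in_txt: str):
    """Single pass: each character is looked at once and survivors are copied once.
    Returns (stripped_text, chars_copied)."""
    s = in_txt[:MAX_LEN]
    out = [ch for ch in s if ch != "'"]
    return "".join(out), len(s)


def copy_ratio(n_quotes: int) -> float:
    """How many times more characters the faithful version moves than the linear one
    for an input of n_quotes apostrophes (the worst case named in the thread)."""
    payload = "'" * n_quotes               # constructed hostile input
    _, quadratic = strip_weird_faithful(payload)
    _, linear = strip_linear(payload)
    return quadratic / linear


if __name__ == "__main__":
    for n in (100, 1000, 16000):
        print(f"{n:>6} apostrophes: {copy_ratio(n):.1f}x more characters copied than a single pass")
```

For n apostrophes the faithful version copies n + n(n-1)/2 characters, so the ratio to the single pass is (n+1)/2: at the 16,000-character cap one request costs the server roughly 128 million character copies for a string that ends up empty. The second loop adds nothing to the count, because there is nothing left for it to find; it is pure overhead.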
Were I feeling charitable, I'd calmly point out that what you are saying has nothing at all to do with RobIII's comments. However, I'm not feeling charitable, and I am forced to conclude that your "brain" is actually a half-rotten cauliflower, moron.