Classic WTF: Five Wrongs Don't Make a Right

  • configurator 2012-12-31 08:07
    So it throws an Exception when invalid, returns 1 for valid and 0 for null.

    TRWTF is Java, of course.
  • Fred 2012-12-31 08:09
    If this line is not blank then maybe 5 seconds can make a frist.
    If this line is not blank then maybe 5 seconds can make a frist.
    {snip}
    If this line is not blank then maybe 5 seconds can make a frist.
  • Victor 2012-12-31 08:11
    /** Valid signs */

    You don't need to read any further than that to know you're not dealing with a programmer here.

    But when he went home at night I bet he was thinking yeah I'm sooooo cool I wrote some code today yeehaw!
  • drake 2012-12-31 08:12
    If he had used Regular Expressions, he would have had 10 problems
  • Walter 2012-12-31 08:14
    Well at least he implemented a whitelist not a blacklist. Even if I offered a $10,000 bonus, I don't think I could get our lead web "developer" to grasp that concept.
  • Smug Unix User 2012-12-31 08:17
    10 problems are less than 101 problems.
  • Yasmin 2012-12-31 08:19
    You might think this could be reduced to a single function, but you would be forgetting the unique messages:

    "Vsadr5 with invalid sign"

    (And, of course, your users are naturally intuitively going to know what Vsadr5 means... to say nothing of invalid sign.)


    WARNING: CAPTCHA not invalid!
  • Foo Bar 2012-12-31 08:59
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
  • @Deprecated 2012-12-31 09:11
    That's awesome how all the tests have the same logic, just the exception message and the variable names are different.
  • Dazed 2012-12-31 09:11
    I suppose this might have been written with one of the early Java versions that didn't have regexes. But that's not much of an excuse ...
  • ObiWayneKenobi 2012-12-31 09:11
    Ah the classic case of a clueless/lazy programmer who, rather than sit back after the first one and think "Hey wait a minute, this seems really inefficient. What if we need to validate more than one line?" and then goes and refactors out the code properly, does it once, says "It's done Boss" and then copy-pastes that function when they need to do it again.

    It's a damn shame these bozos are more common than they should be.
  • ObiWayneKenobi 2012-12-31 09:14
    Dazed:
    I suppose this might have been written with one of the early Java versions that didn't have regexes. But that's not much of an excuse ...


    Even if it was, that's not an excuse for not refactoring this out into a method so the code doesn't have to be repeated. That's the real WTF here, not the way it's implemented but that it's not reusable so it has to be copied.
  • F 2012-12-31 09:32
    ObiWayneKenobi:
    Ah the classic case of a clueless/lazy programmer who, rather than sit back after the first one and think "Hey wait a minute, this seems really inefficient. What if we need to validate more than one line?" and then goes and refactors out the code properly, does it once, says "It's done Boss" and then copy-pastes that function when they need to do it again.

    It's a damn shame these bozos are more common than they should be.


    That's what you should expect when people get rated on lines of code instead of quality.

    He's missed a trick, though. He could have added code for address lines 6 to 10, "to allow for future enhancement".
  • That Guy 2012-12-31 10:20
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.


    I was more worried about the semicolon, back slash, and the open and close parens. What, curly braces are too good for your addresses?
  • Matt Westwood 2012-12-31 10:21
    The clunking tedium of creating an array of characters: 'A', 'B', .... yecch. My immediate thought (in absence of any knowledge of the existence of regexps) would be:

    String validChars = "ABCDE ... "

    But apart from repeating the business end 5 times (oh, and failing to handle exceptions and null cases correctly) I've seen plenty worse.
  • Matt Westwood 2012-12-31 10:25
    He should have written it like this:


    for (i = 0; i < address.length(); i++) {
    if (address[i:i] != 'A' then {
    if (address[i:i] != 'B' then {
    .... etc. ad barf
    }
    }
    }
  • MarkMc 2012-12-31 11:01
    My eyes. The goggles aren't helping. How many times do we need to write
    something like the following?


    import java.util.regex.Pattern;

    private boolean ValidateShippingAddress( String input )
    {
    // "." needs no escape inside a character class, "\." and "\ü" are illegal
    // escapes in a Java string literal, and "-" goes last so it is a literal
    // hyphen rather than a range.
    String whitelist =
    "^[a-zA-Z0-9.,'/&!\"$%()*+:;=üéâäàçêëèïîìßôöòûùáíóúñÑÄÖÜ#åÿýÁÂÀÅÇÉÊËÈÍÎÏÌÓÔÒÚÛÙÝ-]*$";
    Pattern pattern = Pattern.compile(whitelist);
    return pattern.matcher(input).matches();
    }


    Or more likely refactor this to generalize for all the other input fields that need validation, providing a standardized regex pattern.
  • Yaos 2012-12-31 12:01
    That Guy:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.


    I was more worried about the semicolon, back slash, and the open and close parens. What, curly braces are too good for your addresses?


    I feel great joy when I ask how do we know what we want. Suddenly people realize that they never bothered to figure out what they actually want.
  • Matt Westwood 2012-12-31 12:03
    MarkMc:
    My eyes. The goggles aren't helping. How many times do we need to write
    something like the following?


    import java.util.regex.Pattern;

    private boolean ValidateShippingAddress( String input )
    {
    // "." needs no escape inside a character class, "\." and "\ü" are illegal
    // escapes in a Java string literal, and "-" goes last so it is a literal
    // hyphen rather than a range.
    String whitelist =
    "^[a-zA-Z0-9.,'/&!\"$%()*+:;=üéâäàçêëèïîìßôöòûùáíóúñÑÄÖÜ#åÿýÁÂÀÅÇÉÊËÈÍÎÏÌÓÔÒÚÛÙÝ-]*$";
    Pattern pattern = Pattern.compile(whitelist);
    return pattern.matcher(input).matches();
    }


    Or more likely refactor this to generalize for all the other input fields that need validation, providing a standardized regex pattern.


    What, like this:


    private boolean ValidateBusinessString( String input, String whitelist )
    {
    Pattern pattern = Pattern.compile(whitelist);
    return pattern.matcher(input).matches();
    }


    Possibly even compile the pattern statically and pass the pattern in. At which stage there is a school of thought that suggests you might as well factor out the method itself as it contains but one line. I would probably keep the method just in case it needs to get more complicated in future.
  • jay 2012-12-31 13:17
    Dazed:
    I suppose this might have been written with one of the early Java versions that didn't have regexes. But that's not much of an excuse ...


    It must also have been written with one of the early versions of Java where you couldn't call the same function in two different places with two different values for the parameter.
  • Adin 2012-12-31 14:32
    Ha ha. Absolutely agree.
  • Jeff Grigg 2012-12-31 14:36
    Well, I find it helpful that they allow the single quote character ('), for SQL injection attacks. And the ampersand character (&) for HTML injection/cross-site scripting attacks. They're always working harder to make my life easier!!!

    >;->
  • Meep 2012-12-31 15:25
    @Deprecated:
    That's awesome how all the tests have the same logic, just the exception message and the variable names are different.


    Which is perfectly reasonable since you might want to change the logic for one field.

    What's awesome is how the author didn't simply put the common functionality in another method. "I'll write a method for each field, but I'd rather copy and paste my code five times than create a sixth."
  • instigator 2012-12-31 15:34
    If only ASCII was arranged in a logical manner, then you wouldn't even need regular expressions. You could do something like:

    boolean isValidLine( String vsadr1 )   // wrapped in a method so the returns compile
    {
    for( int i = 0; i < vsadr1.length(); i++ )
    {
    char c = vsadr1.charAt(i);
    if(!( (c >= 'A' && c <= 'Z') ||
    (c >= 'a' && c <= 'z') ||
    (c >= '0' && c <= '9') ||
    (c == ' ') // || ...
    ))
    return false;
    }
    return true;
    }

    captcha: sagaciter: The SAGACITER loved to reference "Lord of the Rings"
  • Darth Paul 2012-12-31 16:22
    The other WTF - yet another data modeller/BA who thinks that addresses consist of 5 fields.

    No doubt it is near impossible to create a report to the effect of "sales by state" and the excuse will be "no-one has ever asked for that in all the years I have been here."
  • Anonymous 2012-12-31 16:49
    The requirement is mostly bogus, too... We've all seen the multi-page regex to (mostly) get email addresses right, and postal addresses are a lot more irregular. There is no way to construct a whitelist, except closely studying the postal guidelines of all the countries you're shipping to, going insane, then settling on a blacklist of the most esoteric Unicode blocks – it's most likely none of ⟺ or ☻ or 💂.

    Then again, why bother? Just print it on the label and have the postman figure it out.
  • urza9814 2012-12-31 16:50
    instigator:
    If only ASCII was arranged in a logical manner, then you wouldn't even need regular expressions. You could do something like:

    boolean isValidLine( String vsadr1 )   // wrapped in a method so the returns compile
    {
    for( int i = 0; i < vsadr1.length(); i++ )
    {
    char c = vsadr1.charAt(i);
    if(!( (c >= 'A' && c <= 'Z') ||
    (c >= 'a' && c <= 'z') ||
    (c >= '0' && c <= '9') ||
    (c == ' ') // || ...
    ))
    return false;
    }
    return true;
    }

    captcha: sagaciter: The SAGACITER loved to reference "Lord of the Rings"


    Wouldn't need a regex, but it's still far simpler...because you can do the same basic thing. Why type out "(c >= 'A' && c <= 'Z') ||" when you could just use "[A-Z]"?
  • Alex Emelianov 2012-12-31 17:06
    And then you need to ship to Japan. Oops (times five)!
  • moreON 2012-12-31 17:12
    So that's:

    if(expr){
    return !expr;
    }
    return expr;


    why not just
    return !expr;
    ?
  • Mr. Shine 2012-12-31 19:21
    I think y'all are being too hard on this programmer. He *did* recognize that he needed only one validSign array, after all.
  • dkf 2012-12-31 20:10
    Anonymous:
    The requirement is mostly bogus, too... We've all seen the multi-page regex to (mostly) get email addresses right, and postal addresses are a lot more irregular. There is no way to construct a whitelist, except closely studying the postal guidelines of all the countries you're shipping to, going insane, then settling on a blacklist of the most esoteric Unicode blocks – it's most likely none of ⟺ or ☻ or 💂.

    Then again, why bother? Just print it on the label and have the postman figure it out.
    You don't know how true that is. I know someone who used to work on systems for automated reading of postal labels and routing of letters and parcels based on that (he might still be doing that, building post sorting machines for post offices) and he said that it was incredibly hard. He particularly noted that the UK was especially bad, as there is no standard address form (though we do have detailed postal codes to make things easier, and they're in common use). Ultimately, the best policy is indeed to just put whatever the user gave you on the label and let the post office deal with it.
  • Jeff Grigg 2012-12-31 21:04
    dkf:
    Anonymous:
    The requirement is mostly bogus, too... ... postal addresses are a lot more irregular. There is no way to construct a whitelist, except closely studying the postal guidelines of all the countries you're shipping to, going insane, then settling on a blacklist of the most esoteric Unicode blocks – it's most likely none of ⟺ or ☻ or 💂. ...


    You don't know how true that is. ... it was incredibly hard. ... the UK was especially bad, as there is no standard address form ... Ultimately, the best policy is indeed to just put whatever the user gave you on the label and let the post office deal with it.


    I would suggest that one should first trust the user to be able to type in an address that will get it to them. If they can't do that, then you have more serious problems than playing games with what characters to allow.

    OK, you should probably not allow non-printable characters.

    But I would suggest that instead of making up "requirements," maybe one should consult the appropriate standards. For United States addresses, it would be "Publication #28."

    http://pe.usps.gov/cpim/ftp/pubs/pub28/pub28.pdf
  • Norman Diamond 2012-12-31 21:04
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.
  • Norman Diamond 2012-12-31 21:11
    Jeff Grigg:
    But I would suggest that instead of making up "requirements," maybe one should consult the appropriate standards. For United States addresses, it would be "Publication #28."

    http://pe.usps.gov/cpim/ftp/pubs/pub28/pub28.pdf
    USPS standards aren't there to be obeyed, you know. One standard says that senders should put their country name at the end of the return address. Government operations such as one called "IRS" (not that there's anything internal or service about it) put "PA" at the end of their return address, which is the ISO abbreviation for Panama. Whenever the sender puts a nondeliverable destination address on a letter, the receiving country has to send it back to Panama. Guess who gets blamed and who gets their refunds stolen.
  • Coyne 2012-12-31 23:05
    5 x the lines
    5 x the functions
    5 x the productivity
    5 x the maintenance

    5 x the pay, right?

    TRWTF is that he didn't make 5 copies of the array. WIW is wrong with the programmer?

    Sigh. How are we supposed to win when the turkeys outnumber the eagles 5:1?
  • Dotan Cohen 2013-01-01 08:00
    Jeff Grigg:
    I would suggest that one should first trust the user to be able to type in an address that will get it to them. If they can't do that, then you have more serious problems than playing games with what characters to allow.

    OK, you should probably not allow non-printable characters.


    This is my address without nonprintable characters:
    64/2 רמב"ם

    This is my address with nonprintable characters:
    ‫64/2 רמב"ם

    So even those are important.
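    Dotan Cohen's two lines above differ by exactly one character, and whether a filter removes it depends on what "non-printable" is taken to mean. The following is an added example in Python (the thread's code is Java; this is not code from the original post or its submitter). It reconstructs his address as a constructed sample and compares the usual str.isprintable() filter with a policy that names the Unicode categories it rejects:

```python
import unicodedata

# Constructed sample: the Hebrew street address from the comment above, with and
# without the leading RIGHT-TO-LEFT EMBEDDING (U+202B) that makes it render correctly.
ADDRESS_PLAIN = '64/2 רמב"ם'
ADDRESS_WITH_RLE = "\u202b" + ADDRESS_PLAIN

# Categories this policy treats as real control characters: C0/C1 controls,
# surrogates, private-use and unassigned code points. Format characters (Cf),
# which include the bidi embeddings, are deliberately not in the set.
REJECT_CATEGORIES = {"Cc", "Cs", "Co", "Cn"}


def naive_strip(line):
    """What "drop the non-printable characters" usually turns into. str.isprintable()
    is False for every Unicode format character (category Cf), bidi controls
    included, so the RLE disappears along with the NULs and ESCs."""
    return "".join(ch for ch in line if ch.isprintable())


def check_line(line):
    """Explicit policy instead of isprintable(). Returns (ok, offending), where
    offending lists (index, code point, category) for every rejected character."""
    offending = [
        (i, f"U+{ord(ch):04X}", unicodedata.category(ch))
        for i, ch in enumerate(line)
        if unicodedata.category(ch) in REJECT_CATEGORIES
    ]
    return (not offending, offending)


def describe(line):
    """(code point, category, name) per character, to see what a filter is acting on."""
    return [
        (f"U+{ord(ch):04X}", unicodedata.category(ch), unicodedata.name(ch, "?"))
        for ch in line
    ]


if __name__ == "__main__":
    print("with RLE, naive strip    ->", repr(naive_strip(ADDRESS_WITH_RLE)))
    print("with RLE, policy check   ->", check_line(ADDRESS_WITH_RLE))
    print("with a NUL, policy check ->", check_line("12 Main St\x00"))
    for entry in describe(ADDRESS_WITH_RLE)[:2]:
        print(entry)
```

    The two filters disagree on exactly the character this address needs. Which Cf characters to accept is a policy decision, not a fact about printability: the same bidi embeddings and overrides are what makes source code display differently from how it compiles, so a field that is later shown in a browser or a log viewer may want a narrower set than a field that only goes onto a shipping label.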
  • Kasper 2013-01-01 09:06
    Walter:
    Well at least he implemented a whitelist not a blacklist.
    But a blacklist would have been easier to get right since it would have been a lot shorter than a whitelist.

    I have yet to come across a situation where the validity of an input field can be correctly validated using a list of valid characters. There are however cases, where a list of valid characters can provide a good enough approximation.

    If for example an input field contains a value such as a number or an IP address, then a whitelist of permitted characters could make sense. It would still permit lots of invalid inputs, but you'd rule out all inputs that could perform some sort of injection attack.

    As soon as your inputs start looking even slightly similar to free text, then forget about validating using a list of valid characters. The only proper approach to such fields is to consider all characters to be valid and apply proper escaping. Most of the possible escaping bugs can be caught by simply testing that you can indeed use all different characters.
  • David 2013-01-01 10:05
    Jeff Grigg:
    Well, I find it helpful that they allow the single quote character ('), for SQL injection attacks. And the ampersand character (&) for HTML injection/cross-site scripting attacks. They're always working harder to make my life easier!!!

    >;->


    Because there's no need for anyone at Plummer's Landing to reliably get their mail, is there? Programmers don't get to mangle people's data for their convenience.
  • derula 2013-01-01 13:53
    moreON:
    So that's:

    if(expr){
    return !expr;
    }
    return expr;


    why not just
    return !expr;
    ?


    I hope you're trolling.
  • fjf 2013-01-01 16:33
    dkf:
    Anonymous:
    The requirement is mostly bogus, too... We've all seen the multi-page regex to (mostly) get email addresses right, and postal addresses are a lot more irregular. There is no way to construct a whitelist, except closely studying the postal guidelines of all the countries you're shipping to, going insane, then settling on a blacklist of the most esoteric Unicode blocks – it's most likely none of ⟺ or ☻ or 💂.

    Then again, why bother? Just print it on the label and have the postman figure it out.
    You don't know how true that is. I know someone who used to work on systems for automated reading of postal labels and routing of letters and parcels based on that (he might still be doing that, building post sorting machines for post offices) and he said that it was incredibly hard. He particularly noted that the UK was especially bad, as there is no standard address form (though we do have detailed postal codes to make things easier, and they're in common use). Ultimately, the best policy is indeed to just put whatever the user gave you on the label and let the post office deal with it.
    Interestingly, this is basically an extended version of the SPOT (Single Point Of Truth) principle. Though here, the point of truth is not in the application at all, but external (post office). I guess for some programmers and managers, this is too hard to swallow, so they rather do a half-assed, buggy job than not doing anything.
  • LK 2013-01-01 16:53
    Of course TRWTF is that he replaces the valid characters in that string with spaces instead of empty strings. So he needs the 2nd loop to check each character instead of checking if the string is empty... :-)
  • fjf 2013-01-01 16:57
    LK:
    Of course TRWTF is that he replaces the valid characters in that string with spaces instead of empty strings. So he needs the 2nd loop to check each character instead of checking if the string is empty... :-)
    If you think that's the RWTF, look again. For starters, the fact that he's doing a full string replacement for each valid character (whether it occurs or not) is much worse for performance. Once they support Unicode, these will be thousands.
  • Decius 2013-01-01 18:11
    At least packages won't get lost in the æther.
  • Jimmy the Greek 2013-01-01 18:22
    fjf:
    dkf:
    Anonymous:
    The requirement is mostly bogus, too... We've all seen the multi-page regex to (mostly) get email addresses right, and postal addresses are a lot more irregular. There is no way to construct a whitelist, except closely studying the postal guidelines of all the countries you're shipping to, going insane, then settling on a blacklist of the most esoteric Unicode blocks – it's most likely none of ⟺ or ☻ or 💂.

    Then again, why bother? Just print it on the label and have the postman figure it out.
    You don't know how true that is. I know someone who used to work on systems for automated reading of postal labels and routing of letters and parcels based on that (he might still be doing that, building post sorting machines for post offices) and he said that it was incredibly hard. He particularly noted that the UK was especially bad, as there is no standard address form (though we do have detailed postal codes to make things easier, and they're in common use). Ultimately, the best policy is indeed to just put whatever the user gave you on the label and let the post office deal with it.
    Interestingly, this is basically an extended version of the SPOT (Single Point Of Truth) principle. Though here, the point of truth is not in the application at all, but external (post office). I guess for some programmers and managers, this is too hard to swallow, so they rather do a half-assed, buggy job than not doing anything.

    Generally, it is best to keep user data as is for things like this.
    Who are the experts in delivering to (hopefully) the right address - a programmer who thinks he understands addresses or a Post Office who deals with addresses every day? Of course, there may be some sense in ensuring there's no data injection, but beyond that the validity of the data requires an expert to assess it - so short of the PO providing explicit rules (à la the pdf link someone posted) on how the address is parsed, the address should be left up to them to deal with....
  • Worf 2013-01-01 19:34
    There is only one field that will be present on ALL postal addresses - the country. It's often omitted (and thus local is assumed), but it's present in all addresses.

    And this makes it a lot easier. If the country is your own, most post offices offer an address validation system - either online or offline subscription which will contain every valid address in the country. You can use it to validate in-country addresses.

    For out of country addresses, the postal service looks at the country field and routes it there and lets the local post office handle it.

    And let's not forget about Mojibake making things even more interesting.
  • A. Nonymous 2013-01-01 20:02
    Victor:
    /** Valid signs */

    You don't need to read any further than that ...


    This!
  • Some dude but not the other some dude 2013-01-01 20:41
    Worf:
    If the country is your own, most post offices offer an address validation system - either online or offline subscription which will contain every valid address in the country.

    ORLY? What is most? Do you mean most post offices in a certain country, or do you mean most postal services/systems?

    Pretty sure they don't in my country....
  • Norman Diamond 2013-01-02 01:33
    Worf:
    There is only one field that will be present on ALL postal addresses - the country.
    I wonder. When sending letters to Hong Kong now, I write Hong Kong, China. But in the past I didn't write Hong Kong, UK, I just wrote Hong Kong. I write Puerto Rico, USA, but if I were writing to Guam I'm not sure if I would write USA.

    Yahoo auctions resemble eBay. When I give my address to sellers, I omit the country because it's assumed that everyone is in Japan, and in case anyone ever doubted because of my foreign name they'd see my address starting with a postal code and 東京都 (Tokyo). Well, one time a seller shipped from China. They didn't insert 日本国 (Japan) which would go at the beginning in Chinese or Japanese order or at the end in common international addressing order. They just copied my address and mailed the package from China. The Chinese post office figured out what country Tokyo is in. (That predated war moves on the Senkaku islands. Who knows if they'd cooperate today.)
  • argle bargle 2013-01-02 04:27
    But a blacklist would have been easier to get right since it would have been a lot shorter than a whitelist.


    In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.
  • Jon Haugsand 2013-01-02 05:03
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.


    Actually, not Norway and Denmark as the letters 'Æ' and 'Ø' are missing, e.g. "Færøy", http://www.faeroy.no/.

    /Jon
  • iceland 2013-01-02 08:04
    Anonymous:

    Then again, why bother? Just print it on the label and have the postman figure it out.


    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers. (in the outlands)

    Answer: They send to the locality's post office, the postman knows everyone by name and where they live.
  • Sehe 2013-01-02 08:34
    drake:
    If he had used Regular Expressions, he would have had 10 problems


    In reality, that would have been 25 problems at minimum, 32 problems in likelihood
  • Sehe 2013-01-02 08:39
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.


    Please indicate which non-Slavic country in Europe uses ý, named in the example?
  • Sehe 2013-01-02 08:43
    What intrigues me _the most_ is that the implementor **and** all commenters get the specifications all reversed:

    "ensure that all five lines of a shipping address contains valid characters."


    To me this means that any check beyond finding the first 'valid character' would be redundant. Also, empty string cannot be accepted, as they would contain _no valid characters_.

    People need to learn how to read specs :)
  • Anonymous 2013-01-02 09:27
    Java doesn't put this requirement on you. Of course, people like to blame the tools instead of the developer.

    You can just use a boolean to return true or false, then that method is reusable and the caller of the method could decide whether to throw an exception or how to further handle it.
  • Rufus T. Firefly 2013-01-02 11:42
    ^c^v is way more efficient than thinking.
  • Cencored 2013-01-02 15:22
    Sehe:
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.


    Please indicate which non-Slavic country in Europe uses ý, named in the example?

    Iceland does.
  • Norman Diamond 2013-01-02 19:33
    Sehe:
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.
    Please indicate which non-Slavic country in Europe uses ý, named in the example?
    Well, the absence of letters such as đ and ş made me guess that the company didn't intend to ship to Slavic countries, but someone else already pointed out that I missed the inability to ship to Norway and Denmark. So the company's selection of destination countries doesn't really seem to follow any geographic rule.
  • Norman Diamond 2013-01-02 19:43
    iceland:
    Anonymous:

    Then again, why bother? Just print it on the label and have the postman figure it out.
    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers. (in the outlands)

    Answer: They send to the locality's post office, the postman knows everyone by name and where they live.
    It's the same in a lot of countries. It's the same in villages where my wife used to live, her relatives live (some better known than others), and maybe including me in the future. It's not quite the same in Canada because the rural route number had to be written.

    In some countries that have addresses, often there's no street name but district numbers, block numbers, and lot numbers narrow down the destination. If there are two or more buildings on a single lot then it's wise to include the name of the building (and it does not mean that you can just name the building and leave out the rest of the address).

    In some countries that have addresses, often there are street names but no numbers, so again the building should be named.

    The only correct way to handle this is ^C^V. Try to refrain from guessing that the customer doesn't know their state or city, because you'll just screw it up if you rearrange stuff instead of doing ^C^V. (If anyone in this forum works for a court in the US, please try to teach this to your employer.)
  • instigator 2013-01-03 14:25
    moreON:

    why not just

    return !expr;


    Because you don't want to break from the for loop if the expression is false.
  • Anon 2013-01-03 14:30
    argle bargle:
    But a blacklist would have been easier to get right since it would have been a lot shorter than a whitelist.


    In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.


    And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.
  • Anon 2013-01-04 17:25
    Agreed - concerns over injection attacks means your data access code has been written poorly and left to rot for too long.

    An escape character won't allow an attacker to clear your database if you use placeholders/named parameters properly and I'm not aware of any escape sequence that opens a terminal to give attackers root access to a machine.

    Let users enter whatever they want and record it exactly as keyed.
  • McMuffin 2013-01-04 22:46
    In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.


    And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.


    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.
  • Bill C. 2013-01-07 01:22
    But the wrongs felt so right! But then again, I have unprintable character.

    Now what about the character at my former position? Is he on the black list, white list, both, or neither?
  • Toby 2013-01-07 14:11
    I think you're all skipping the obvious reason for having those characters:
    1) The reason for stripping the characters is probably that the printer is not UTF-8 compliant (probably a simple ISO-8859-1 printer that chokes on/interprets special characters)
    2) The nitwit writing this POS didn't know all the characters used in Denmark and Norway and either way, eastern Europe isn't part of ISO-8859-1 anyway afaik.

    Correct me if I'm wrong, but with all those null checks and weird logic, it has to be an Indian working in Europe (the good Indian programmers all stay in India or work in the USA).
  • Paul 2013-01-08 06:41
    Worf:
    And this makes it a lot easier. If the country is your own, most post offices offer an address validation system - either online or offline subscription which will contain every valid address in the country.


    Except when they don't, or when they are wrong.

    Our address didn't use to be in the UK post office database (it is now, thankfully), which caused problems with some suppliers.

    Also, our address is like:

    111 Acacia Drive
    MyVillage
    MyTown
    AB1 2CD

    There is also a
    111 Acacia Drive
    MyTown
    AB1 5XY

    Some databases miss out the 'MyVillage' part of the address (it's not *strictly* necessary, because of the postcode), and we can't add it when ordering (since the database is the 'definitive' source of data).

    So, unless the delivery man is careful and checks the post code, things end up going to the wrong address... (This usually happens with couriers - the post office generally gets it right, because they automate the sorting to smaller delivery runs)

  • Anon 2013-01-08 10:57
    McMuffin:

    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.


    Sure. Because users who disable javascript do not deserve a friendly UI?

    And yeah, go ahead and kludge together security throughout the layers. After all, if you nest together enough sieves, the sand will stop flowing through.

    Security within Form validation is often a symptom of security being "thrown on top at the end". The correct approach for SQL injection is to implement it in the DAL from the beginning.
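    The point made in these two comments, that storing input "exactly as keyed" is safe once the data access layer binds values as parameters instead of rejecting characters, as an added example that is not from the original thread. It uses Python's standard sqlite3 module; the table name, the sample addresses (including the thread's "Vsadr5") and the helper names are constructed for illustration.

    ```python
    import sqlite3

    # Constructed sample inputs: an apostrophe, a quote-and-comment string of the
    # kind a character whitelist is usually trying to keep out, and non-ASCII
    # letters that the submitter's "valid signs" table would have rejected.
    SAMPLE_ADDRESSES = [
        "O'Brien",
        "x'); DROP TABLE customers; --",
        "Vsadr5 with æøå ß ý",
    ]


    def open_store():
        """Fresh in-memory database with one customers table (hypothetical schema)."""
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE customers (id INTEGER PRIMARY KEY, address TEXT NOT NULL)"
        )
        return conn


    def insert_address(conn, address):
        """The DAL's single write path: the value is bound, never spliced into SQL."""
        cur = conn.execute("INSERT INTO customers (address) VALUES (?)", (address,))
        conn.commit()
        return cur.lastrowid


    def fetch_address(conn, row_id):
        row = conn.execute(
            "SELECT address FROM customers WHERE id = ?", (row_id,)
        ).fetchone()
        return row[0] if row else None


    def round_trip(addresses):
        """Store every address through the bound INSERT and read each one back."""
        conn = open_store()
        stored = [fetch_address(conn, insert_address(conn, a)) for a in addresses]
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        return stored, tables


    def concatenation_breaks(address):
        """Contrast: string-building the same INSERT fails on an ordinary apostrophe,
        which is the real defect a character whitelist only papers over."""
        conn = open_store()
        try:
            conn.execute(f"INSERT INTO customers (address) VALUES ('{address}')")
            return False
        except (sqlite3.Error, sqlite3.Warning):
            return True
    ```
    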
  • TortoiseWrath 2013-01-08 13:58
    iceland:
    Anonymous:

    Then again, why bother? Just print it on the label and have the postman figure it out.
    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers. (in the outlands)

    Answer: They send to the locality's post office, the post man knows everyone by name and where they live.


    I live in the rural US, where the USPS delivers only to post office boxes, but courier services will deliver only to street addresses. This tends to cause problems when ordering things.

    Probably the greatest issue I've had here was ordering something from AT&T (because Verizon doesn't work here, either). They yelled at me for giving them a non-deliverable street address, then yelled at me for giving them a PO Box, and there was only one address field.

    The solution ended up being to have them send it to the post office with my name on it and hope that it ended up in my PO Box. (It did.)
  • TortoiseWrath 2013-01-08 14:00
    Anon:
    McMuffin:

    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.


    Sure. Because users who disable javascript do not deserve a friendly UI?


    People who deliberately disable functions on their computer for no reason deserve less of a friendly UI than those who don't.