• IHaveNoName:-( (unregistered)

    "[...]plagiarized it[...]"

    this statement makes my day :-D

  • J (unregistered)

    I could have written most of that by my third quarter at school and the rest well before I graduated. Their technical interviewer must still be struggling with the concept of static.

  • Papper (unregistered)

    Outrageous!

  • Welbog (cs)

    Makes you wonder what kind of answer they would have considered "just good enough".

    String concatenation is making one string out of two strings?

    WTF indeed.

  • Digitalbath (cs)

    "What is your favorite color?"

    "Blue, I mean red...aaarrrgghhh!"

  • Craig M. Rosenblum (unregistered)

    Jeez, this happens so often.

    Do human resources or managers ever get a clue?

    Maybe instead of having hr hire/screen people it's technical people to do that job for technical employee's, then if they pass the tech guy's screening, then to hire/not hire by the manager.

    A lot less time, money and frustration would be going on...

  • Andy (unregistered)

    I wouldn't want that job either. And it's somewhat appropriate that my CAPTCHA was alarm :)

  • Jesse (unregistered)

    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

  • FredSaw (cs)

    We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernable reason, we just choose to assume that someone is not you.

  • Snuggles (unregistered) in reply to Jesse

    I think Pete the PHP guy should wait a month or so and then let ConcatCorp know they've been PUNK'd on WTF. :o)

  • bah (unregistered)

    I think the real stupid part is they are doing this by email.. Anyone could have googled an answer.

  • Scott (unregistered)

    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.

  • Cory the Cobol guy (unregistered) in reply to Jesse

    LOL, That's funny. Yep, no more dynamic sql generation...

    So tell me, you don't know how to prevent sql injection and use dynamic sql? Indeed there is someone that wouldn't be hired....

  • SomeCoder (unregistered) in reply to Jesse
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    I was thinking this too. However, in answering the question I probably would have given a SQL concat example as well. It's a "real world" problem that can have concatenation applied to it.

    The part that disturbs me is that Peter said he does that all the time on real projects. That should be a little bit of a WTF.

    The main WTF is the company thinking he plagiarized it. Yeah, because no one on the planet could come up with a concat definition eye roll

  • Dwayne (unregistered) in reply to Jesse
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.
    Can I say SQL injection? That would be why I wouldn't have hired him..
    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.
  • M Diamond (unregistered)

    The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.

    The second-most ridiculous aspect is that if they choose not to trust the results from the screening question in a case like this, then a moment's thought would have revealed to them that they need a new pre-screening process. The old one is unable to distinguish between someone ignorant but unscrupulous and someone extremely knowledgeable. That's about as broken as you can get.

  • akatherder (cs)

    Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.

    Made you look!

  • dande (cs) in reply to akatherder
    akatherder:
    Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.

    Made you look!

    I would have, had you not written 'Made you look!'

  • lostlogic (unregistered) in reply to Scott

    PHP5 does support parameterized queries.

    captcha: digdug -- man that was a good game.

  • Ken (unregistered) in reply to Jesse
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.
    Can I say SQL injection? That would be why I wouldn't have hired him..
    Just because you don't know how to prevent injection attacks doesn't mean it can't be done. A proper followup might be "how do you prevent SQL injection attacks in your dynamic queries" before you dismiss him offhand.
  • seejay (cs) in reply to Jesse

    Your web apps must be very static.

    It's not difficult to "fix" whatever comes in first before passing it on to the SQL command. Any developer worth their salt knows this.

    -- Seejay

  • matthewr81 (cs) in reply to Jesse
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    I really hope that was a joke... if you validate your dynamic date before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...

  • dubbreak (cs) in reply to Dwayne
    Dwayne:
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.
    Can I say SQL injection? That would be why I wouldn't have hired him..
    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.
    I have hemorrhoids you insensitive clod!!!
  • Michael McRorey (unregistered)

    you can use the following:

    <?php $sql="sprintf" (="" "select="" article_id,="" article_body="" from="" articles="" where="" author_id='%s' order="" by="" article_date="" desc",="" addslashes($user-=""?>getID()) ); ?>

    you can also use the following if it is a MySQL db: mysql_real_escape_string($User->getID())

    sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.

  • AuMatar (unregistered) in reply to matthewr81
    matthewr81:
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    I really hope that was a joke... if you validate your dynamic date before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...

    Bind variables

  • bkendig (cs)

    At least the question made sense!

    A year ago I applied for a contracting job with a local company. I was told that I had to take a specific JavaScript aptitude test online, through a service which manages these sorts of tests; once I began I would only have a half-hour to finish, I couldn't change an answer once given, my time spent on each question would be recorded, etc.

    The test turned out to be extremely difficult. The difficulty was entirely in trying to decipher what the test-maker actually meant for each question. Many of the questions didn't make sense or weren't in complete sentences or didn't use anything approximating valid grammar; others were so awkward that I couldn't tell whether the test-maker was trying to be coy and make a joke or whether he just couldn't get his point across.

    I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.

    I was told that I had scored 'impressively high' on the test. Still, I wasn't offered an interview, and I never got any farther with the company.

    I think they didn't want someone who had a good command of the English language or who had a tendency to identify problems and offer solutions to them.

  • rbowes (cs)

    Something similar happened to me in school. We were asked to do a research paper on a topic in security, which just happens to be my specialty. So I did a detailed overview of several different security vulnerabilities (stack overflow, etc) with detailed information on why it's exploitable, and even a demonstration of an exploitable program and the exploit for it. I got an A+.

    The next year, my friend took the course. Apparently, when given the paper, they were told "No more than 10 pages. Last year, we had an issue with some plagiarism." Apparently, although she couldn't prove it, the prof thought my paper had been plagiarized!

  • TheRubyWarlock (cs)

    The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.

  • Scott (unregistered) in reply to lostlogic
    lostlogic:
    PHP5 does support parameterized queries.

    Thanks for this bit of info. PHP4 did not.

  • AdT (unregistered) in reply to Scott
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings.

    I have encountered the following statements: a) in defense of PHP: PHP does support parameterized queries b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

    Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

    Dwayne:
    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.

    And as usual, string escaping is the right answer to the wrong question, being "How do I prevent malicious users from exploiting the fact that I intermingle SQL code and data?".

    The right question is: "Why would I want to intermingle SQL code and data in the first place if my development environment does not force me to?"

  • tekiegreg (unregistered) in reply to Digitalbath

    Hey, PLAGIARISM!!! I'm sending the Knights that say "Ni" after your @$$ immediately...go turn yourself in immediately or I'll accuse you a second time!

    (Paraphrase: Best answer ever...) (Captcha: gotcha)

  • Chris (unregistered) in reply to Jesse
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Oh piss off!

    The guy can stretch what is a very simple concept of concatenation into many paragraphs, including the syntax of other languages and a common SQL example. He even gave an example of $User object, all of which shows he's at least half way competent.

    While I wouldn't automatically assume he was aware of preventing SQL injection, I wouldn't automatically dismiss him of not knowing about it simply because he didn't mention it here.

    If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.

  • AdT (unregistered) in reply to TheRubyWarlock
    M Diamond:
    The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.
    TheRubyWarlock:
    The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.

    This is what I was thinking, too. Though, maybe they had other reasons for dismissing him and didn't want to tell the truth. E.g. they might have thought him overqualified for the job and thus (probably) too expensive. Then maybe they were simply the morons that they appear to be.

  • AdT (unregistered) in reply to Michael McRorey
    Michael McRorey:
    <?php $sql="sprintf" (="" "select="" article_id,="" article_body="" from="" articles="" where="" author_id='%s' order="" by="" article_date="" desc",="" addslashes($user-=""?>getID()) ); ?>

    addslashes escapes ' as ', but the standard way to escape single quotes in SQL is to double them: '' (that's two single quote characters, not one double quote character).

    So if proper string escaping is as simple as sitting on a couch, here is the first example of someone who puts his head on the seat and his bottom on the back of the couch. (scnr!)

  • Bob (unregistered)

    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)

  • Rama Lama Ding Dong (unregistered)

    Remember, the company's goal isn't to find you a good job, it's to find a good candidate for themselves.

    Particularly when the labor market gets thin, you find some absolute and completely useless people taking up your time.

  • ratsbane (unregistered) in reply to AdT

    I'm absolutely amazed at the number of so-called programmers who completely fail to grasp the concept of escaping or encoding as relates to SQL and injection attacks.

    Properly encoding (escaping) the strings you embed is the key.

    And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.

    Vote-ups to Dwayne and the original WTF.

  • Tim (unregistered) in reply to Scott

    PHP has always supported parameterized queries for some databases (although not mysql which I'm guessing is what you meant), there was just no standard. Most of us programmers have been using PEAR::DB or PDO (shipped with 5.1) to get parameterized queries in PHP for several years now.

  • Ryan (unregistered)

    I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.

    A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.

    "concatenation is joining things together. I use it to put variables into sql statements."

  • iMalc (unregistered)

    How dare they decide he copied it before actually interviewing him!

    He should have told her that he doesn't accept their accusation, and wont have the accusation they gave tarnishing his reputation. Then insist on an interview to prove he knows his stuff. Then go along, show that he knows his stuff, and demand too high a salary, and be turned down because they can't afford him instead.

    Bah, they probably thought he was overqualified anyway.

  • Not Bob (unregistered) in reply to Bob
    Bob:
    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)

    Haha, the real WTF is about all the morons in here that don't know about subject-verb agreement :)

  • D (unregistered) in reply to seejay

    Yeah, just turn on Magic quotes :P

  • Mitch (unregistered)

    The PHP question could have been: You, Jeepies?

  • Martin Ritchie (unregistered)

    Oddly similar to a question I used to ask during interviews: Please write a C# function to concatenate 3 strings.

    For example the function would be passed "Martin", "Donald", "Ritchie" and should return "MartinDonaldRitchie".

    I would ask them to write the answer on a piece of paper. Only about one third of the interviewees were able to answer it. Even after saying that I accepted answers in vb c++ or any other language if they were not familiar with c#.

  • Cynical Bastage (unregistered)

    The problem was that they were screening for something else. Did you read this guy's answer? The type of guy that probably would be a high salaried, hard to work with, troublemaker.

    They probably wanted an "average" PHP developer so they could at least guarantee some amount of leverage in pay/turnover/working hours.

    Sometimes the best is only trouble.

  • pitchingchris (cs) in reply to Bob
    Bob:
    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)

    Hey guys, why are we arguing in here about parameterized queries, when the original article was about concatenation. Even if the test taker did know about parameterized queries, going into that topic would have deviated from the point at hand, and wouldn't help answer the question.

  • Mike (unregistered) in reply to Welbog
    Welbog:
    Makes you wonder what kind of answer they would have considered "just good enough".

    String concatenation is making one string out of two strings?

    WTF indeed.

    Sadly, that is probably exactly what they were looking for.

    Captcha: gygax (my stomach filled that in with voice recognition....time for lunch)

  • Mike (unregistered) in reply to Martin Ritchie

    Oooh Oooh! I know that one:

    1. return string1 + string2 + string3;

    2. StringBuilder sb = new StringBuilder(); sb.Append( string1 ); sb.Append( string2 ); sb.Append( string3 ); return sb.ToString();

    3. return string.Concat( string1, string.Concat( string2, string3 ) );

    4. return string.Format( "{0}{1}{2}", string1, string2, string3 );

  • Michael (unregistered) in reply to AdT
    AdT:
    I have encountered the following statements: a) in defense of PHP: PHP does support parameterized queries b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

    Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

    As a matter of fact, they can both be right, depending on your setup. PHP itself doesn't provide database access, you rely on modules for that. The mysql module, one of the most popular in php4, does not support parameterized queries. Pear::DB and PDO, in PHP5, provide database abstraction and parameterized queries.
  • QuestionC (unregistered) in reply to Dwayne

    Just because you can work around some of the issues of a kludge doesn't make it any less of a kludge. Even when it works, string escaping is a pretty ugly hack around a nonexistant problem.

    This doesn't even touch the efficiency issues with constructing SQL statements on the fly.

Leave a comment on “Good Answer... Perhaps TOO Good”

Log In or post as a guest

Replying to comment #:

« Return to Article