Good Answer... Perhaps TOO Good

  • IHaveNoName:-( 2007-08-22 14:05
    "[...]plagiarized it[...]"


    this statement makes my day :-D
  • J 2007-08-22 14:06
    I could have written most of that by my third quarter at school and the rest well before I graduated. Their technical interviewer must still be struggling with the concept of static.
  • Papper 2007-08-22 14:09
    Outrageous!
  • Welbog 2007-08-22 14:09
    Makes you wonder what kind of answer they would have considered "just good enough".

    String concatenation is making one string out of two strings?

    WTF indeed.
  • Digitalbath 2007-08-22 14:09
    "What is your favorite color?"

    "Blue, I mean red...aaarrrgghhh!"
  • Craig M. Rosenblum 2007-08-22 14:10
    Jeez, this happens so often.

    Do human resources or managers ever get a clue?

    Maybe instead of having HR hire/screen people, it should be technical people doing that job for technical employees; then, if they pass the tech guy's screening, the manager decides whether to hire.

    A lot less time, money and frustration would be going on...
  • Andy 2007-08-22 14:15
    I wouldn't want that job either.
    And it's somewhat appropriate that my CAPTCHA was alarm :)
  • Jesse 2007-08-22 14:15
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..
  • FredSaw 2007-08-22 14:18
    We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernible reason, we just choose to assume that someone is not you.
  • Snuggles 2007-08-22 14:18
    I think Pete the PHP guy should wait a month or so and then let ConcatCorp know they've been PUNK'd on WTF. :o)
  • bah 2007-08-22 14:19
    I think the real stupid part is they are doing this by email.. Anyone could have googled an answer.
  • Scott 2007-08-22 14:20
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.
  • Cory the Cobol guy 2007-08-22 14:21
    LOL, That's funny. Yep, no more dynamic sql generation...

    So tell me, you don't know how to prevent sql injection and use dynamic sql? Indeed there is someone that wouldn't be hired....
  • SomeCoder 2007-08-22 14:22
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..



    I was thinking this too. However, in answering the question I probably would have given a SQL concat example as well. It's a "real world" problem that can have concatenation applied to it.

    The part that disturbs me is that Peter said he does that all the time on real projects. That should be a little bit of a WTF.

    The main WTF is the company thinking he plagiarized it. Yeah, because no one on the planet could come up with a concat definition *eye roll*
  • Dwayne 2007-08-22 14:22
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.
  • M Diamond 2007-08-22 14:26
    The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.

    The second-most ridiculous aspect is that if they choose not to trust the results from the screening question in a case like this, then a moment's thought would have revealed to them that they need a new pre-screening process. The old one is unable to distinguish between someone ignorant but unscrupulous and someone extremely knowledgeable. That's about as broken as you can get.
  • akatherder 2007-08-22 14:27
    Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.






    Made you look!
  • dande 2007-08-22 14:33
    akatherder:
    Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.






    Made you look!


    I would have, had you not written 'Made you look!'
  • lostlogic 2007-08-22 14:35
    PHP5 does support parameterized queries.

    captcha: digdug -- man that was a good game.
  • Ken 2007-08-22 14:38
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Just because you don't know how to prevent injection attacks doesn't mean it can't be done. A proper followup might be "how do you prevent SQL injection attacks in your dynamic queries" before you dismiss him offhand.
  • seejay 2007-08-22 14:44
    Your web apps must be very static.

    It's not difficult to "fix" whatever comes in first before passing it on to the SQL command. Any developer worth their salt knows this.

    -- Seejay
  • matthewr81 2007-08-22 14:44
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...
  • dubbreak 2007-08-22 14:44
    Dwayne:
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.

    I have hemorrhoids you insensitive clod!!!
  • Michael McRorey 2007-08-22 14:49
    you can use the following:

    <?php
    $sql = sprintf(
        "SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
        addslashes($User->getID())
    );
    ?>
    you can also use the following if it is a MySQL db:
    mysql_real_escape_string($User->getID())

    sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.
  • AuMatar 2007-08-22 14:49
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Bind variables
  • bkendig 2007-08-22 14:50
    At least the question made sense!

    A year ago I applied for a contracting job with a local company. I was told that I had to take a specific JavaScript aptitude test online, through a service which manages these sorts of tests; once I began I would only have a half-hour to finish, I couldn't change an answer once given, my time spent on each question would be recorded, etc.

    The test turned out to be extremely difficult. The difficulty was entirely in trying to decipher what the test-maker actually *meant* for each question. Many of the questions didn't make sense or weren't in complete sentences or didn't use anything approximating valid grammar; others were so awkward that I couldn't tell whether the test-maker was trying to be coy and make a joke or whether he just couldn't get his point across.

    I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.

    I was told that I had scored 'impressively high' on the test. Still, I wasn't offered an interview, and I never got any farther with the company.

    I think they didn't want someone who had a good command of the English language or who had a tendency to identify problems and offer solutions to them.

  • rbowes 2007-08-22 14:51
    Something similar happened to me in school. We were asked to do a research paper on a topic in security, which just happens to be my specialty. So I did a detailed overview of several different security vulnerabilities (stack overflow, etc) with detailed information on why it's exploitable, and even a demonstration of an exploitable program and the exploit for it. I got an A+.

    The next year, my friend took the course. Apparently, when given the paper, they were told "No more than 10 pages. Last year, we had an issue with some plagiarism." Apparently, although she couldn't prove it, the prof thought my paper had been plagiarized!
  • TheRubyWarlock 2007-08-22 14:51
    The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.
  • Scott 2007-08-22 14:52
    lostlogic:
    PHP5 does support parameterized queries.


    Thanks for this bit of info. PHP4 did not.
  • AdT 2007-08-22 14:55
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings.


    I have encountered the following statements:
    a) in defense of PHP: PHP does support parameterized queries
    b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

    Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

    Dwayne:
    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.


    And as usual, string escaping is the right answer to the wrong question, being "How do I prevent malicious users from exploiting the fact that I intermingle SQL code and data?".

    The right question is: "Why would I want to intermingle SQL code and data in the first place if my development environment does not force me to?"
  • tekiegreg 2007-08-22 15:00
    Hey, PLAGIARISM!!! I'm sending the Knights that say "Ni" after your @$$ immediately...go turn yourself in immediately or I'll accuse you a second time!

    (Paraphrase: Best answer ever...)
    (Captcha: gotcha)
  • Chris 2007-08-22 15:04
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..

    Oh piss off!

    The guy can stretch what is a very simple concept of concatenation into many paragraphs, including the syntax of other languages and a common SQL example. He even gave an example of $User object, all of which shows he's at least half way competent.

    While I wouldn't automatically assume he was aware of preventing SQL injection, I wouldn't automatically dismiss him of not knowing about it simply because he didn't mention it here.

    If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.
  • AdT 2007-08-22 15:05
    M Diamond:
    The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.


    TheRubyWarlock:
    The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.


    This is what I was thinking, too. Though, maybe they had other reasons for dismissing him and didn't want to tell the truth. E.g. they might have thought him overqualified for the job and thus (probably) too expensive. Then maybe they were simply the morons that they appear to be.
  • AdT 2007-08-22 15:12
    Michael McRorey:

    <?php
    $sql = sprintf(
        "SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
        addslashes($User->getID())
    );
    ?>


    addslashes escapes ' as \', but the standard way to escape single quotes in SQL is to double them: '' (that's two single quote characters, not one double quote character).

    So if proper string escaping is as simple as sitting on a couch, here is the first example of someone who puts his head on the seat and his bottom on the back of the couch. (scnr!)
  • Bob 2007-08-22 15:14
    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)
  • Rama Lama Ding Dong 2007-08-22 15:18

    Remember, the company's goal isn't to find you a good job, it's to find a good candidate for themselves.

    Particularly when the labor market gets thin, you find some absolute and completely useless people taking up your time.

  • ratsbane 2007-08-22 15:21
    I'm absolutely amazed at the number of so-called programmers who completely fail to grasp the concept of escaping or encoding as relates to SQL and injection attacks.

    Properly encoding (escaping) the strings you embed is the key.

    And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.

    Vote-ups to Dwayne and the original WTF.
  • Tim 2007-08-22 15:24
    PHP has always supported parameterized queries for some databases (although not mysql which I'm guessing is what you meant), there was just no standard. Most of us programmers have been using PEAR::DB or PDO (shipped with 5.1) to get parameterized queries in PHP for several years now.
  • Ryan 2007-08-22 15:25
    I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.

    A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.

    "concatenation is joining things together. I use it to put variables into sql statements."
  • iMalc 2007-08-22 15:28
    How dare they decide he copied it before actually interviewing him!

    He should have told her that he doesn't accept their accusation, and won't have the accusation they gave tarnishing his reputation. Then insist on an interview to prove he knows his stuff. Then go along, show that he knows his stuff, and demand too high a salary, and be turned down because they can't afford him instead.

    Bah, they probably thought he was overqualified anyway.
  • Not Bob 2007-08-22 15:31
    Bob:
    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)


    Haha, the real WTF is about all the morons in here that don't know about subject-verb agreement :)
  • D 2007-08-22 15:34
    Yeah, just turn on Magic quotes :P
  • Mitch 2007-08-22 15:36
    The PHP question could have been: You, Jeepies?

  • Martin Ritchie 2007-08-22 15:39
    Oddly similar to a question I used to ask during interviews:
    Please write a C# function to concatenate 3 strings.

    For example the function would be passed "Martin", "Donald", "Ritchie" and should return "MartinDonaldRitchie".

    I would ask them to write the answer on a piece of paper. Only about one third of the interviewees were able to answer it. Even after saying that I accepted answers in vb c++ or any other language if they were not familiar with c#.
  • Cynical Bastage 2007-08-22 15:43
    The problem was that they were screening for something else. Did you read this guy's answer? The type of guy that probably would be a high salaried, hard to work with, troublemaker.

    They probably wanted an "average" PHP developer so they could at least guarantee some amount of leverage in pay/turnover/working hours.

    Sometimes the best is only trouble.
  • pitchingchris 2007-08-22 15:46
    Bob:
    Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)


    Hey guys, why are we arguing in here about parameterized queries, when the original article was about concatenation. Even if the test taker did know about parameterized queries, going into that topic would have deviated from the point at hand, and wouldn't help answer the question.
  • Mike 2007-08-22 15:46
    Welbog:
    Makes you wonder what kind of answer they would have considered "just good enough".

    String concatenation is making one string out of two strings?

    WTF indeed.


    Sadly, that is probably exactly what they were looking for.

    Captcha: gygax (my stomach filled that in with voice recognition....time for lunch)
  • Mike 2007-08-22 15:53
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );
  • Michael 2007-08-22 15:59
    AdT:
    I have encountered the following statements:
    a) in defense of PHP: PHP does support parameterized queries
    b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries

    Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.

    As a matter of fact, they can both be right, depending on your setup. PHP itself doesn't provide database access, you rely on modules for that. The mysql module, one of the most popular in php4, does not support parameterized queries. Pear::DB and PDO, in PHP5, provide database abstraction and parameterized queries.
  • QuestionC 2007-08-22 16:00
    Just because you can work around some of the issues of a kludge doesn't make it any less of a kludge. Even when it works, string escaping is a pretty ugly hack around a nonexistent problem.



    This doesn't even touch the efficiency issues with constructing SQL statements on the fly.
  • Gabe 2007-08-22 16:07
    FredSaw:
    We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernible reason, we just choose to assume that someone is not you.


    The reason is because no one that smart had ever applied for a job there before. Kind of like if you put "Nuclear Physics Researcher" as your last job on your application for gas station cashier.
  • zlogic 2007-08-22 16:07
    bah:
    I think the real stupid part is they are doing this by email.. Anyone could have googled an answer.

    And anyone could have googled the most interesting phrases from the email to find if that answer already exists.
  • Tyler 2007-08-22 16:11
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    sub UnnecessarySub { @_ }
  • Pony Gumbo 2007-08-22 16:11
    QuestionC:
    This doesn't even touch the efficiency issues with constructing SQL statements on the fly.


    DINGDINGDINGDINGDING! Winner!
  • Matt 2007-08-22 16:13
    AuMatar:
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Bind variables


    Variables = Dynamic data (Data that is not always the same)... again you both are reading into this way too much.
  • beagle 2007-08-22 16:14
    mmm...I smell lawsuit!

    Peter B. could very easily sue Concatcorp's pants off.
  • barfman 2007-08-22 16:14
    AdT:

    The right question is: "Why would I want to intermingle SQL code and data in the first place if my development environment does not force me to?"


    Finally, someone who phrased it right! Although sometimes I think people just don't phrase what they mean correctly, yet understand the point correctly, leading to the confusion.

    I have been guilty of this. :)
  • CDub 2007-08-22 16:17
    I can understand how a screener would get the impression that this was a cut-n-paste job. The reply *does* sound rather formal and verbose in the way an article or general reference might be. It also pulls in a reference to JS when the question was simply about PHP.

    There's also something to be said for the candidate who, while feeling the pressure to prove their worth and knowledge, is competent and confident enough to provide terse, yet accurate, replies.
  • PeriSoft 2007-08-22 16:17
    The real WTF is that as we speak, somebody from Concatcorp is googling "SQL concatenation" and has found this WTF, completing the circle and proving to himself that his instincts were dead on.
  • bshock 2007-08-22 16:19
    I'm mildly amazed they actually phoned to tell him he didn't get the job. I've missed quite a few positions, but no one has ever bothered calling to tell me.
  • rumpelstiltskin 2007-08-22 16:20
    beagle:
    mmm...I smell lawsuit!

    Peter B. could very easily sue Concatcorp's pants off.


    For what?
  • Ian 2007-08-22 16:23
    This could be challenged. I'd have loved to ask them where they thought he got the description from and to present the evidence to him.

    captcha: waffles...mmm, waffles.
  • Peter B. 2007-08-22 16:24
    Hey guys. Yes, it's really me. I'm the Peter B. that this story is about.

    I'd just like to quickly dismiss all this nonsense about SQL injection. The code snippet that was part of my answer is clearly not intended to showcase every best practice of web development, but merely got straight to the point of a common use of concatenation.

    These days it's all prepared statements, stored procedures, or libraries like Propel that help us not worry about basic security concerns like SQL injection.
  • mh 2007-08-22 16:28
    And 6 months later, their "other candidate" gives them this:

    string Paula = "Brillant";
    
    Paula = "Paula " + Paula;


    (And I know it's even the wrong language...)
  • plagiarist 2007-08-22 16:29
    Hey, I loved your answer so much that I used it when applying for a job! And I got it! Thanks!
  • BoredGuy 2007-08-22 16:32
    Something similar happened to me. They said my answers were too good, and I'd therefore be too advanced for the job. They figured I'd get bored and my attitude would suffer being stuck in a basic job (no matter how much it paid). I was prepared to take that chance ... finish my day's work by 10am and then surf the rest of the day ...
  • Doug 2007-08-22 16:33
    This reminds me of the time I had an interview with BellSouth. They were developing an internet application, apparently intending to use COM. I got asked to tell them what I knew about working with COM. I gave a pretty technical answer. After a few minutes of outlining COM practices with no feedback from the interviewer, I stopped and asked why they were building on a legacy technology. They had essentially no answer, and attempting to follow up with the guy interviewing me revealed that even though he was the development manager, he had no real clue on using COM. About 6 months later I heard on the local news that the whole division got canned for producing nothing. So I'm somewhat glad I turned out to be overqualified for the position, I can only imagine the quagmire I avoided.
  • Robert 2007-08-22 16:34

    Can I say SQL injection? That would be why I wouldn't have hired him..


    Gee, selecting based on an ID, which has probably already been parsed into an integer type (if it wasn't an integer, may have been set to 0, -1, null, etc.). Less likely, it may have been gotten from a source that already guaranteed an integer, as opposed to an input string. In either case, you wouldn't need to worry about SQL injection.

    My screening test was much more difficult - but at least I got the job.
  • Duke 2007-08-22 16:40
    My main problem with "Peter" is that he tends to over-think things. In the real-world this can sometimes become detrimental, sometimes being extremely counterproductive. However, you cannot tell from this basic interaction if it was not just him trying to showcase the depth of his knowledge, although it certainly shows tangential tendencies.

    Oh, and to this guy
    Jesse:
    Can I say SQL injection? That would be why I wouldn't have hired him..
    You're an idiot.
  • moskaudancer 2007-08-22 16:45
    Awww...
    Stop making us mere mortals feel so inadequate...
  • Random832 2007-08-22 16:52
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    [DllImport("msvcrt.dll")] static extern int sprintf(StringBuilder buf,string fmt,__arglist);
    [DllImport("msvcrt.dll")] static extern int strlen(string s);
    StringBuilder sb = new StringBuilder(strlen(string1)+strlen(string2)+strlen(string3)+1);
    sprintf(sb,"%s%s%s",string1,string2,string3);
    return sb.ToString();
  • Josh L. 2007-08-22 17:07
    Honestly, I wouldn't have hired the guy. After reading it, I would have thought he was either:
    1) A plagiarizer
    2) Someone who spends far too much time trying to solve a simple problem with something needlessly elegant
  • qdfqsdfqsdfqsdfqsdf 2007-08-22 17:09
    Tyler:
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    sub UnnecessarySub { @_ }


    I think you mean: sub UnnecessarySub { "@_" }
  • Anonymous Coward 2007-08-22 17:21
    Just goes to show what people expect of PHP programmers. And that's what you tend to get.
  • Chas 2007-08-22 17:21
    Wow. I said "brown".
  • Anonymous Coward 2007-08-22 17:24
    user_id = ; DROP TABLE Articles;
  • Mads Bondo Dydensborg 2007-08-22 17:27
    Hmm. That's interesting. Although I have coded almost only C# (well, the occasional perl and shellscript too) for the last year or so, I am not actually sure I could write much of it outside emacs (or another editor). Not that I use intellisense or other stuff like that, but writing real code with a pen is not something I am sure I could.

    Of course, the example is trivial, but still. I think I need a keyboard to actually write some real code in a specific language, as opposed to pseudo.

    Perhaps I should try it out.
  • tieTYT 2007-08-22 17:29
    matthewr81:
    Jesse:
    WTF:
    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:
    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); //bind happens here
    ResultSet rs = ps.executeQuery();
    ... //get results

    (Yes yes yes, there is no try/catch/finally here, it's an excerpt) This is how you'd escape aString in Java code. This is better than using a special, separate method called addSlashes() or whatever because that makes it easier for programmer error:

    When did addSlashes get called? Maybe it was in the function that passed aString in? Maybe it was 5 lines above the concatenation? Maybe it's done in the concatenation itself? What if you're wrong and some code gets changed and now you haven't called it at all? What if you're wrong and you called it twice (does that break things?). All these questions are avoided by the Java way of doing it. You only have one option and, fortunately, it has to be done very close to the SQL itself.

    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.
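    The thread argues about three ways of getting the author id into that WHERE clause: plain concatenation, escaping it first (AdT notes that addslashes uses a backslash while standard SQL doubles the quote), and binding it as a parameter as tieTYT's Java snippet does. The following is an added example, not code from the original thread or from Peter B.'s answer. It is written in Python against an in-memory SQLite database so it runs stand-alone; the Articles table, its rows, the author ids and the `addslashes` re-implementation are all constructed here for the example. SQLite follows the SQL standard in treating a backslash inside a string literal as an ordinary character, which is exactly the behaviour the escaping argument turns on.

```python
import sqlite3

# Constructed sample rows for this example (not data from the thread).
ROWS = [
    (1, "alice",   "alice's first post",  "2007-08-20"),
    (2, "o'brien", "draft with a quote",  "2007-08-21"),
    (3, "alice",   "alice's second post", "2007-08-22"),
]

# The same query shape as the PHP snippet in the thread, with the id spliced
# into a quoted literal.
TEMPLATE = ("SELECT article_id, article_body FROM Articles "
            "WHERE author_id = '%s' ORDER BY article_date DESC")


def make_db():
    """Fresh in-memory database holding ROWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Articles (article_id INTEGER, author_id TEXT, "
                "article_body TEXT, article_date TEXT)")
    con.executemany("INSERT INTO Articles VALUES (?, ?, ?, ?)", ROWS)
    return con


def addslashes(s):
    """Re-implementation of PHP's addslashes(): backslash before ', \", \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def sql_double_quotes(s):
    """Standard SQL escaping for a string literal: double every single quote."""
    return s.replace("'", "''")


def run(con, sql, params=()):
    """Return the matching article_ids, or the string 'ERROR' if the SQL fails to parse."""
    try:
        return [row[0] for row in con.execute(sql, params).fetchall()]
    except sqlite3.Error:
        return "ERROR"


def lookup(author_id, method):
    """Look up articles by author using one of the four strategies from the thread."""
    con = make_db()
    if method == "concat":       # raw concatenation: attacker text is parsed as SQL
        return run(con, TEMPLATE % author_id)
    if method == "addslashes":   # backslash escaping: not what standard SQL expects
        return run(con, TEMPLATE % addslashes(author_id))
    if method == "doubled":      # quote doubling: correct for a standard string literal
        return run(con, TEMPLATE % sql_double_quotes(author_id))
    if method == "param":        # bound parameter: the value is never parsed as SQL
        return run(con, TEMPLATE.replace("'%s'", "?"), (author_id,))
    raise ValueError("unknown method: " + method)


if __name__ == "__main__":
    # A legitimate id with an apostrophe and the classic tautology payload.
    for author_id in ("alice", "o'brien", "' OR '1'='1"):
        for method in ("concat", "addslashes", "doubled", "param"):
            print("%-12s %-11s -> %s" % (repr(author_id), method, lookup(author_id, method)))
```

Read the output row by row: concatenation returns every article for the tautology payload and chokes on the honest `o'brien`; the addslashes variant fails on both, because SQLite sees `'o\'` as a complete literal followed by garbage (on a MySQL server with backslash escapes enabled the same text would have been accepted, which is why escaping has to match the server's dialect and why `mysql_real_escape_string` is server-specific); quote doubling works for this string literal but only for this one lexical context; the bound parameter works for every input without the application ever reasoning about SQL syntax. PDO's `prepare`/`execute` in PHP 5.1+ gives the same guarantee as the Java `PreparedStatement` above.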
  • Franz Kafka 2007-08-22 17:43
    Josh L.:
    Honestly, I wouldn't have hired the guy. After reading it, I would have thought he was either:
    1) A plagiarizer
    2) Someone who spends far too much time trying to solve a simple problem with something needlessly elegant


    Yeah right. Spitting out a couple paragraphs is standard behavior for something like this - better to be too verbose than too short when you don't have the chance to answer followup questions. If I were writing the response (and I don't know php, so I wouldn't), it'd probably take about 5 minutes to give a thorough answer. Not bad for an essay type question.

    The alternative is that they have a laughably low bar for hiring.
  • Sparkfizt 2007-08-22 17:44

    public String concat(String a, String b, String c)
    {
        Vector<String> stringVec = new Vector<String>();
        stringVec.add(a);
        stringVec.add(b);
        stringVec.add(c);
        int alot = 100;//100 sure is alot
        String result = new String();

        for(int i = 0; i < alot; i++)
        {
            try
            {
                //strong error checking
                if(stringVec.get(i) != null)
                {
                    for(int j = 0; j < alot; j++)
                    {
                        try
                        {
                            //very efficient
                            result = result + stringVec.get(i).charAt(j);
                        }
                        catch(Exception e){break;}//something happened so prolly should break
                    }
                }
            }
            catch(Exception e){break;}//something happened so prolly should break
        }
        return result;
    }
  • Franz Kafka 2007-08-22 17:44
    tieTYT:
    matthewr81:
    Jesse:
    WTF:
    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:
    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); //bind happens here
    ResultSet rs = ps.executeQuery();
    ... //get results

    (Yes yes yes, there is no try/catch/finally here, it's an excerpt) This is how you'd escape aString in Java code. This is better than using a special, separate method called addSlashes() or whatever because that makes it easier for programmer error:

    When did addSlashes get called? Maybe it was in the function that passed aString in? Maybe it was 5 lines above the concatenation? Maybe it's done in the concatenation itself? What if you're wrong and some code gets changed and now you haven't called it at all? What if you're wrong and you called it twice (does that break things?). All these questions are avoided by the Java way of doing it. You only have one option and, fortunately, it has to be done very close to the SQL itself.

    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.


    It does lead to problems with passwords and other privileged data, especially if you log things. I wrote a wrapper for prepared statements that dumped the parameters along with the query at one job, and had to make sure some queries weren't wrapped.
  • nwinches 2007-08-22 17:48
    tieTYT:


    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.


    It's possible in some cases to create a thin wrapper around the connection which will give you access to the statement after the variables have been bound. Makes it significantly easier to debug some things.
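    The two posts above both want the bound values back for debugging. As an added example (not code from the thread or from any of its posters), this Python helper uses the standard sqlite3 module in place of the JDBC/PDO drivers discussed: it runs a parameterized statement and, when the driver fails, re-raises with the statement rendered with its bound values, redacting parameter names listed in a constructed SENSITIVE set, which is the logging problem Franz Kafka's wrapper ran into. It also shows the Postgres payload quoted earlier in the thread being treated as plain data once it is bound; the table names are constructed.

```python
"""Parameterized query helper with a debuggable failure path (added example)."""
import re
import sqlite3

# Parameter names whose values must never reach a log line (assumption).
SENSITIVE = {"pass", "password", "token"}


def render_for_debug(sql: str, params: dict) -> str:
    """Return the SQL with its :name placeholders replaced by the bound values.

    Only for log/error output: the real statement is still sent to the driver
    with the parameters bound separately, so this string never executes.
    """
    rendered = sql
    for name, value in params.items():
        if name in SENSITIVE:
            shown = "'<redacted>'"
        elif isinstance(value, str):
            shown = "'" + value.replace("'", "''") + "'"
        else:
            shown = repr(value)
        # Word boundary so :user does not also rewrite :username.
        rendered = re.sub(r":" + re.escape(name) + r"\b", lambda _m: shown, rendered)
    return rendered


class QueryError(RuntimeError):
    """Driver error re-raised with the rendered statement attached."""


def run_query(conn: sqlite3.Connection, sql: str, params: dict) -> list:
    """Execute one parameterized statement; on failure include the bound SQL."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        raise QueryError(f"{exc} -- statement: {render_for_debug(sql, params)}") from exc


def fresh_db() -> sqlite3.Connection:
    """In-memory schema modelled on the thread's Postgres snippet (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE footable (id INTEGER PRIMARY KEY, owner TEXT);"
        "CREATE TABLE accounts (user TEXT, pass TEXT);"
        "INSERT INTO footable (owner) VALUES ('alice'), ('bob');"
    )
    return conn


def bound_value_is_data() -> dict:
    """The thread's malicious string, passed as a bound parameter, is only data."""
    conn = fresh_db()
    malicious_attempt = "'; insert into accounts (user,pass) values ('haxor','owned');"
    rows = run_query(conn, "SELECT * FROM footable WHERE owner = :owner",
                     {"owner": malicious_attempt})
    (count,) = run_query(conn, "SELECT COUNT(*) FROM accounts", {})[0]
    return {"matched_rows": len(rows), "accounts_created": count}


def failed_statement_message() -> str:
    """A typo'd table name fails; the message shows bound values, not secrets."""
    conn = fresh_db()
    try:
        run_query(conn, "SELECT * FROM nosuch WHERE user = :user AND pass = :password",
                  {"user": "alice", "password": "hunter2"})
    except QueryError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(bound_value_is_data())
    print(failed_statement_message())
```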
  • nwinches 2007-08-22 17:49
    I was too slow. :-\
  • Jeff 2007-08-22 17:51
    Jesse:
    Can I say SQL injection? That would be why I wouldn't have hired him..


    How do you know he didn't do something to prevent SQL injection? Probably would have been just a *little* out of scope for the question. Man, if he'd have included that, they would have really thought he *triple dog-dare plagiarized*?

    Jeff
  • Erik 2007-08-22 17:52
    It's a bit nicer to use sprintf to get your string done though, makes the query a bit more readable.

    Still need to escape it though :)
  • Aaron Bassett 2007-08-22 17:58
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    So he is using the getID method of the User object, you do not know what happens within this method and as such cannot say that it returns data likely to be used in SQL injection.
    To me the method name "getID" (note the id) would hint towards the fact that it returns a numeric id so something as simple as:

    return (is_numeric($id)) ? $id : false;

    would be enough within that method to prevent injection.

    Had he said author_id = " . $_GET['userId']
    then I would have agreed with you, but as he did not instead I am going to call you an idiot.....idiot.
  • Darien H 2007-08-22 18:06
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.

    Michael had the right answer earlier. It's a module/library thing.

    At least with Postgres...

    $malicious_attempt = "'; insert into accounts (user,pass) values ('haxor','owned');";
    $dbconn = pg_connect("dbname=foodb");
    $query = "SELECT * FROM footable WHERE owner = $1;";
    $data = array($malicious_attempt);
    $result = pg_query_params($dbconn, $query, $data);
  • tieTYT 2007-08-22 18:13
    Peter B.:
    Hey guys. Yes, it's really me. I'm the Peter B. that this story is about.

    I'd just like to quickly dismiss all this nonsense about SQL injection. The code snippet that was part of my answer is clearly not intended to showcase every best practice of web development, but merely got straight to the point of a common use of concatenation.

    These days it's all prepared statements, stored procedures, or libraries like Propel that help us not worry about basic security concerns like SQL injection.
    I wouldn't take it personally. I think at this point we're discussing for the sake of education. At least that's why I replied. The question didn't ask you how to do it securely.
  • Russbo50 2007-08-22 18:14
    While I agree that the answer was a good one, I don't think anyone questioned that. They questioned the presentation of the answer. To be honest I would have questioned the response as well. The thing is that they shouldn't have just accepted the response as plagiarism. They could have called and got a response on the phone. Any idiot who asks a question like that in email is asking to get a plagiarized result.
  • skington 2007-08-22 18:24
    Aaron Bassett:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    So he is using the getID method of the User object, you do not know what happens within this method and as such cannot say that it returns data likely to be used in SQL injection.
    To me the method name "getID" (note the id) would hint towards the fact that it returns a numeric id so something as simple as:

    return (is_numeric($id)) ? $id : false;

    would be enough within that method to prevent injection.

    Had he said author_id = " . $_GET['userId']
    then I would have agreed with you, but as he did not instead I am going to call you an idiot.....idiot.


    It's far easier - and safer - to assume that everything you're given could potentially be unsafe, and always use bind variables. (Which you get with Perl's standard DBI library, and probably exist in some form for all major languages - it's such an obvious help that I expect there's a database library for each platform that does The Right Thing.)
  • Nathan 2007-08-22 18:39
    Is there any particular reason to believe that variable contains user-supplied input?
  • That's Me! 2007-08-22 18:43
    Anonymous Coward:
    user_id = ; DROP TABLE Articles;

    Let me guess, you'd connect to SQL Server as 'sa', too...

    SQL injection relies on bad practices in DB security almost as much as it relies on bad practices in code. You can't just focus on the front end because it's easier. If all you're ever going to do from an application is select rows, why would you connect to a DB with a user that has privileges to DROP?

    Grrr...
  • Language feature abuse is cool 2007-08-22 18:43
    Nice gratuitous use of p/invoke...


    Remember kids, fixed length parameter lists are for chumps :P


    public static string Concatenate(params string[] strings)
    {
        StringBuilder result = new StringBuilder();

        for(int i=0; i<strings.Length; i++)
        {
            result.Append(strings[i]);
        }

        return result.ToString();
    }


    Or, for some tasty abuse of extension methods...


    public static string Concatenate(this string str, params string[] strings)
    {
        StringBuilder result = new StringBuilder(str);

        for(int i=0; i<strings.Length; i++)
        {
            result.Append(strings[i]);
        }

        return result.ToString();
    }

    ...

    string foo = "Beep".Concatenate("Boop", "Bop", "Fizzle");
  • Language feature abuse is cool 2007-08-22 18:46
    Yeaarrrg... it snipped the post i be replyin' to sez I!
  • Aaron Bassett 2007-08-22 18:48
    skington:
    Aaron Bassett:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    So he is using the getID method of the User object, you do not know what happens within this method and as such cannot say that it returns data likely to be used in SQL injection.
    To me the method name "getID" (note the id) would hint towards the fact that it returns a numeric id so something as simple as:

    return (is_numeric($id)) ? $id : false;

    would be enough within that method to prevent injection.

    Had he said author_id = " . $_GET['userId']
    then I would have agreed with you, but as he did not instead I am going to call you an idiot.....idiot.


    It's far easier - and safer - to assume that everything you're given could potentially be unsafe, and always use bind variables. (Which you get with Perl's standard DBI library, and probably exist in some form for all major languages - it's such an obvious help that I expect there's a database library for each platform that does The Right Thing.)


    right so I have written a function getId whose purpose is to fetch an id from whatever source (user input, session, db, whatever) validate/cleanse it and return it yet I am to assume that it is potentially unsafe?

    But I wrote the method, I know that it returns a valid value. Why should I assume it is unsafe?

    And if I do assume it is unsafe what should I do? Cleanse/validate it again? But what if the methods I use to cleanse/validate it return an unsafe value, should I do it twice to be sure, three times....when does the madness end!!! ;)

    I understand what you are saying but it is not feasible for web applications (which is what php is going to be used for in the majority of cases) which may accept a large amount of user input. Instead it is better to rely on data cleansing and validation.

    ie: Ensuring that when you are looking for a numeric id that's what you get (pssst which would be is_numeric($id) - you know like i said earlier)
  • Snor 2007-08-22 19:05
    Uhh, it's not hard to validate input.
  • gotitfirsttime 2007-08-22 19:11
    return "MartinDonaldRitchie";
  • tieTYT 2007-08-22 19:15
    Aaron Bassett:

    right so I have written a function getId whose purpose is to fetch an id from whatever source (user input, session, db, whatever) validate/cleanse it and return it yet I am to assume that it is potentially unsafe?
    Because there is no one-true-way to cleanse something. How do you know getID cleanses for SQL? Maybe it cleanses for XSS? Really, with a name like getID, it shouldn't be validating/cleaning anything. You may use it 6 months from now and be very confused about the results you got because they were validated/escaped even though the name of the method gave no indication that that was going to happen.


    But I wrote the method, I know that it returns a valid value. Why should I assume it is unsafe?
    What if you didn't write the method? What if someone else needs to use your method? What if you haven't used this method in 6 months? All of these force you to care about the implementation of the method instead of its interface: This is a bad thing.

    And if I do assume it is unsafe what should I do? Cleanse/validate it again? But what if the methods I use to cleanse/validate it return an unsafe value, should I do it twice to be sure, three times....when does the madness end!!! ;)
    You do it where it matters and/or where it improves responsiveness: You do it as it's being used in the sql and/or on the client's browser so you don't waste time sending it over the wire.
  • snoofle 2007-08-22 19:19
    BoredGuy:
    Something similar happened to me. They said my answers were too good, and I'd therefore be too advanced for the job. They figured I'd get bored and my attitude would suffer being stuck in a basic job (no matter how much it paid). I was prepared to take that chance ... finish my day's work by 10am and then surf the rest of the day ...

    The same thing happened to me in a recent job interview. The headhunter told me that they were really looking for a top-flight guy, and to go in with the intention of really impressing them with my accomplishments. They asked me about my responsibilities at my previous position. I mentioned that I had managed 25 people. It turns out that my prospective boss's boss only managed about 25 people, and they were just looking for a junior programmer. Sigh.
  • sas 2007-08-22 19:22
    AdT:


    ...

    This is what I was thinking, too. Though, maybe they had other reasons for dismissing him and didn't want to tell the truth. E.g. they might have thought him overqualified for the job and thus (probably) too expensive. Then maybe they were simply the morons that they appear to be.

    They would have to be incredible morons to libel him as an alternative to telling him they decided to hire someone else. So, I think this little story smells. While IANAL, being turned down with a spurious accusation sounds actionable to me.
    ---
    I signed in (sometime in 2005). No captcha, sorry.
  • Aaron Bassett 2007-08-22 19:27
    Because there is no one-true-way to cleanse something. How do you know getID cleanses for SQL? Maybe it cleanses for XSS? Really, with a name like getID, it shouldn't be validating/cleaning anything. You may use it 6 months from now and be very confused about the results you got because they were validated/escaped even though the name of the method gave no indication that that was going to happen.


    We are all making a lot of assumptions here as we can never know the contents of this fake getId method. So I'll tell you my assumption. I am assuming that it returns an int, so that's cleansed against XSS and sql and it's pretty easy to truly cleanse for that.

    What if you didn't write the method? What if someone else needs to use your method? What if you haven't used this method in 6 months? All of these force you to care about the implementation of the method instead of its interface: This is a bad thing.


    But in the example given we know that the author did write the method as he is the one who made it up, so that's a null point. As for all the other points..well let's look at a built in function within PHP like foreach. If I supply a string as the first argument to foreach it will cause an error as this is an unexpected argument type. Is this a mistake in the language design? No, it expects a specific argument type and that's what should be supplied to it by me now, in 6 months, in a yr, etc or by anyone else that uses it. The same goes for return values, if I specify that a function should return an int and someone else changes it to return a string then that is their mistake not mine.

    You do it where it matters and/or where it improves responsiveness: You do it as it's being used in the sql and/or on the client's browser so you don't waste time sending it over the wire.


    that's what I am saying: in the scenario I outlined it is not required and actually adds unnecessary overhead.
  • Defektiv 2007-08-22 19:31
    i love seeing comments to entries that say something like "*I* would have done it THIS way". like the point of the post was to give people a reason to pat themselves on the back and feel important. /rolleyes

    to the OP, you probably would have been working with schmucks just like this if they had hired you anyway.. you made out by my calculations. ;) the world is being populated by retards that value their own opinion of themselves more than anything else.

    start your own business and make a living without having to serve idiots.
  • Josh 2007-08-22 19:33
    PHP has a newer MySQL library which supports parameterized queries with http://au2.php.net/manual/en/function.mysqli-prepare.php
  • tieTYT 2007-08-22 19:55
    Aaron Bassett:
    Because there is no one-true-way to cleanse something. How do you know getID cleanses for SQL? Maybe it cleanses for XSS? Really, with a name like getID, it shouldn't be validating/cleaning anything. You may use it 6 months from now and be very confused about the results you got because they were validated/escaped even though the name of the method gave no indication that that was going to happen.


    We are all making a lot of assumptions here as we can never know the contents of this fake getId method. So I'll tell you my assumption. I am assuming that it returns an int, so that's cleansed against XSS and sql and it's pretty easy to truly cleanse for that.
    Sigh, I thought you were going to say that. That is a really bad way to argue against my point. Lets assume you had a getUsername method too, ok?

    Are you going to say that you'd cleanse it inside getUsername? If yes, all the negative stuff I already said now applies. Are you going to say you'd cleanse that outside getUsername (as I suggested you do for ALL getters)? If yes, then your webapp is pretty inconsistent. Sometimes you look in the getX to find cleansing, sometimes you look at what calls it: Not good design. Choose your poison, buddy. The only good solution is to cleanse everything where it matters.

    What if you didn't write the method? What if someone else needs to use your method? What if you haven't used this method in 6 months? All of these force you to care about the implementation of the method instead of its interface: This is a bad thing.


    But in the example given we know that the author did write the method as he is the one who made it up, so that's a null point.
    Uh ok. I can see you're in this discussion to pick apart insignificant technicalities instead of actually learning something.

    that's what I am saying: in the scenario I outlined it is not required and actually adds unnecessary overhead.
    Are you now? Maybe you should give a reason and an example for this statement like I'm doing.
  • Chris 2007-08-22 20:17
    Dude you all are some serious nerdz----

    Keep on nerdin' YO!
  • ron 2007-08-22 20:35
    Ryan:
    I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.

    A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.

    "concatenation is joining things together. I use it to put variables into sql statements."



    I agree almost completely.

    I would have looked for 2-3 sentences though, 4-5 words isn't enough to show aptitude and understanding of the concept.
  • Simmo 2007-08-22 21:17
    lostlogic:
    PHP5 does support parameterized queries.



    Only just...
  • jou 2007-08-22 21:21
    tieTYT:

    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:
    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); //bind happens here
    ResultSet rs = ps.executeQuery();
    ... //get results


    You can do it in PHP, too:

    $db = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    $stmt = $db->prepare("SELECT a FROM t WHERE b = ?");
    $stmt->execute(array($aString));
    foreach ($stmt as $row) {
        // blah blah
    }
  • Simmo 2007-08-22 21:35
    Michael McRorey:
    you can use the following:

    <?php
    $sql = sprintf
    (
        "SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
        addslashes($User->getID())
    );
    ?>
    you can also use the following if it is a MySQL db:
    mysql_real_escape_string($User->getID())

    sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.

    This is not a cure for SQL injection. A carefully crafted attack could still slip something through. You need bind variables to be really safe (and even then...)
    Of course from an Oracle perspective bind variables massively improve performance anyway. There! I knew I could get an Oracle mention in here somehow!
  • Franz Kafka 2007-08-22 21:39
    Simmo:

    This is not a cure for SQL injection. A carefully crafted attack could still slip something through. You need bind variables to be really safe (and even then...)
    Of course from an Oracle perspective bind variables massively improve performance anyway. There! I knew I could get an Oracle mention in here somehow!


    The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_-@ ]+$ and you'd be proof against sql injection.
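    The default-deny check described above, as an added example in Python (not code from the thread): each known field has one anchored allow pattern, anything else is rejected, and the id comes back typed as an int so callers never handle the raw string. The two patterns are the ones given in the post, except that the hyphen is moved to the end of the username class because the literal `_-@` range does not compile in Python's re module; the field names and ValidationError class are constructed.

```python
"""Default-deny (allowlist) validation of request fields (added example)."""
import re


class ValidationError(ValueError):
    """Raised when a value does not match its field's allow pattern."""


# Anchored allow patterns from the thread; fullmatch rejects anything extra,
# including a trailing newline that a bare '$' would tolerate.
USER_ID = re.compile(r"^[0-9]+$")
USERNAME = re.compile(r"^[a-zA-Z_@ -]+$")  # hyphen last: "_-@" is an inverted range


def validate_user_id(raw) -> int:
    """Digits only, returned as int so callers never concatenate the raw string."""
    if not isinstance(raw, str) or USER_ID.fullmatch(raw) is None:
        raise ValidationError(f"user_id: expected digits only, got {raw!r}")
    return int(raw)


def validate_username(raw) -> str:
    """Letters, underscore, @, space and hyphen only; quotes and ; never pass."""
    if not isinstance(raw, str) or USERNAME.fullmatch(raw) is None:
        raise ValidationError(f"username: disallowed characters in {raw!r}")
    return raw


# One validator per known field (constructed names); unknown fields are rejected.
VALIDATORS = {"user_id": validate_user_id, "username": validate_username}


def validate_request(raw_params: dict) -> dict:
    """Apply the allowlist to a whole request and return typed, clean values.

    Every field is checked so the caller sees all problems at once, and a
    field that is not in VALIDATORS is itself an error (default deny).
    """
    clean, errors = {}, {}
    for name, value in raw_params.items():
        if name not in VALIDATORS:
            errors[name] = "unexpected field"
            continue
        try:
            clean[name] = VALIDATORS[name](value)
        except ValidationError as exc:
            errors[name] = str(exc)
    if errors:
        raise ValidationError("; ".join(f"{k}: {v}" for k, v in errors.items()))
    return clean


def rejects(raw_params: dict) -> bool:
    """True when validate_request refuses the input (convenience for checks)."""
    try:
        validate_request(raw_params)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(validate_request({"user_id": "42", "username": "peter_b"}))
    print(rejects({"user_id": "1; DROP TABLE Articles"}))
```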
  • BobH 2007-08-22 21:41
    God, is there anything more tiresome than a bunch of hypercompetitive developers arguing over who can write the best, tightest code -- and how every other programmer doesn't know what he's talking about.

    Grow up boys.
  • Bas 2007-08-22 21:58
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..

    I see. You develop your applications this way?
  • standgale 2007-08-22 22:01
    FredSaw:
    We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernable reason, we just choose to assume that someone is not you.


    Exactly what I was thinking. If somebody had to write it - why not this guy? Weird.
  • Pax 2007-08-22 22:04
    Dwayne:
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.


    You mean the act of lowering yourself onto a couch, or the process of staying seated on the couch? If you meant the latter, you're doing something wrong.

    Captcha: sanitarium, where I'll no doubt end up.
  • ajk 2007-08-22 22:11
    bah:
    I think the real stupid part is they are doing this by email.. Anyone could have googled an answer.


    the real WTF was that they didn't ask him the question over phone directly lol.
  • Andrew 2007-08-22 22:27
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.


    No, I googled the "PHP Pear DB API", which supports dynamic SQL prepare & execute steps. The prepare allows the plain-old '?' parameters. I have written less than one full PHP file.

    More people should use search engines to prove their points. If we can cheat on hiring exams, then let's just use it to know our stuff.

  • Mr Steve 2007-08-22 22:40
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...



    like this you moron:

    function insertNewUser($name) {

        if ($name == 'Bob') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Bob')");
        } else if ($name == 'Lisa') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Lisa')");
        } else {
            die('Hacking attempt!!!!');
        }

    }
  • Hank 2007-08-22 22:45
    I would not have hired you either. Your response was way too lonnnnnngggggggggg. People are idiots. Keep it short and simple. Also the person who called you back probably had no idea what you were talking about.
  • mattman206 2007-08-22 23:16
    LOL great one.

    Reminds me of this comic:
    http://pbfcomics.com/?cid=PBF225-Casting_Call.jpg#210
  • Pap 2007-08-22 23:35
    Mr Steve:
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...



    like this you moron:

    function insertNewUser($name) {

        if ($name == 'Bob') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Bob')");
        } else if ($name == 'Lisa') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Lisa')");
        } else {
            die('Hacking attempt!!!!');
        }

    }


    Sir, I would like to shake your hand for making my night.

    Good day.
  • Darien H 2007-08-22 23:45
    Numeric types? Yes. Booleans? Sure. A-Z0-9? Yeah.

    Now try taking someone's blog post and ensuring that it only has the proper tags. Only certain attributes. And no javascript in script tags. And no javascript in attribute values. And no PHP. And no UTF-7 XSS attack. And it needs to support unicode. And, and, and...

    No, it can most certainly be hard to validate (or worse, screen/convert) certain kinds of input.
  • gakn8r 2007-08-22 23:51
    after you reach a certain level of maturity, you develop an intuitive understanding of the important bits and how much effort to apply. Our subject, like many enginerds, is not there yet. And the employer? Who knows.

    gak
    -----
    "When you have learned to snatch the error code from the trap frame, it will be time for you to leave." - The Tao of Programming
  • nwbrown 2007-08-23 00:46
    FredSaw:
    We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernable reason, we just choose to assume that someone is not you.


    Well he is a PHP programmer, that makes it unlikely that he would be able to answer it.

    Isn't fanning flames fun?

    On a more serious note, I imagine this isn't too uncommon. Employers don't want to hire overqualified candidates because they will be likely to leave as soon as something better comes up. Granted asking this particular question is a bit silly, but it does sort of sound like he spent way too much time answering it. And including a potential SQL injection vulnerability in your response couldn't have helped (yes, it's still possible to have that execute safely, but please, at least mention that you would be sure to do that)...
  • FredSaw 2007-08-23 01:07
    BobH:
    God, is there anything more tiresome than a bunch of hypercompetitive developers arguing over who can write the best, tightest code -- and how every other programmer doesn't know what he's talking about.

    Grow up boys.
    Not more tiresome, but certainly AS tiresome. The hypercompetitive developers constitute the bottom, or datass layer. Above that, equally tiresome, resides the let's-quit-infighting-and-get-down-to-business layer, in which you are an object. Finally, there is the all-unimportant U(are-not-as-holy-as)I layer, wherein I establish my supremacy by displaying your hypocrisy.
  • FredSaw 2007-08-23 01:26
    Josh L.:
    Honestly, I wouldn't have hired the guy. After reading it, I would have thought he was either:
    1) A plagiarizer
    2) blabbity blah blah blah...
    Paul Simon:
    ...but I'll repeat myself, at the risk of being crude...
    You would think he plagiarized it? Then you think somebody, somewhere, sometime, wrote it. Why not him? Give logical reasons.
  • Coward 2007-08-23 01:29
    That answer IS in fact very good. I have to remember it next time I'm asked about concatenation.
  • Jesse 2007-08-23 01:31
    Bas:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..

    I see. You develop your applications this way?


    Wow.. I didn't mean to hijack this whole discussion into a flamewar about SQL injection.

    1. The example of building this SQL query was fine as an example of string concatenation. What I was referring to was his comment about how he seems to build all his web applications that way.

    2. PHP supports parameterized queries. PEAR::DB does and has for quite awhile now. A bit of advice: Use Google before proclaiming that something absolutely can or cannot do something.

    3. I know that $User->getID() probably sanitizes the variable to ensure it's an integer, but it's still a bad habit to make these sorts of assumptions.
  • Talisha 2007-08-23 01:37
    Jesse:
    Bas:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..

    I see. You develop your applications this way?


    Wow.. I didn't mean to hijack this whole discussion into a flamewar about SQL injection.

    1. The example of building this SQL query was fine as an example of string concatenation. What I was referring to was his comment about how he seems to build all his web applications that way.

    2. PHP supports parameterized queries. PEAR::DB does and has for quite awhile now. A bit of advice: Use Google before proclaiming that something absolutely can or cannot do something.

    3. I know that $User->getID() probably sanitizes the variable to ensure it's an integer, but it's still a bad habit to make these sorts of assumptions.


    ...sigh. Generally, when you apologize for starting a flame war, you shouldn't continue to fuel it. Accept that (many in this case) people disagree with you.

  • Random newb 2007-08-23 01:40
    Dwayne:
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.


    As a newb who has wondered this for a while, can you give an example of string escaping?
  • FredSaw 2007-08-23 02:08
    Random newb:
    As a newb who has wondered this for a while, can you give an example of string escaping?
    _______________________
    
    | |
    | _________________ |
    | | | |
    | | ____________| |
    | | | |
    | | | ____________|__
    | | | | |cape = "I'm out!";
    | | | | ____|s ___ __
    | | | | | |e |
    | | | | | |
    | | | | | ring | |
    | | | | | t | | |
    | | | s | | |
    | | |_____ ___|__| |
    | | | |
    | |____________ | | |
    | | |
    |__________________|__|
  • Andy 2007-08-23 02:22
    Random newb:

    As a newb who has wondered this for a while, can you give an example of string escaping?


    Why bother? It degrades database performance and doesn't prevent all forms of SQL injection. It is astoundingly bad practice, given that parameterized queries have been around for eons.

    The real WTF is the number of 'developers' that still defend the practice.
  • ORB 2007-08-23 02:28
    Can't believe people are finding this surprising. When companies come to my college campus for placements, every one goes through this dilemma whether to say sufficient, more, or even wrong. Many of my friends got kicked out of the interview because they were too good for the company.
  • AC 2007-08-23 02:52
    I don't see anything that indicates that he didn't sanitize the input first...
  • coditza 2007-08-23 03:02
    Ok, funny thing: my name is Peter, my family name starts with B, I worked as a php dev and in 2005 I changed my job. Of course, the story has nothing to do with me :D But I was confused for a couple of seconds when I started reading.
  • Fixme 2007-08-23 04:07
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    That would have been rash, given that the topic wasn't security but concatenation. Examples should always go easy on irrelevant stuff, for clarity. Imagine that snippet bloated with anti-injection stuff - the point would be completely lost.

    Of course, it's mostly their loss (the morons), but still Peter made an effort and they shat on it. They deserve some public shame.

    Thinking of which - what's with this zealous anonymization anyway? Give us company names, give us public ridicule. At least when it's as deserved as this.
  • sarge 2007-08-23 04:18
    Reminds me of one that happened to me...

    I had to take a test as the first stage of an interview for a lead dev gig with a large telco. It was a complete doddle, and I apparently got the highest score of anyone they had interviewed. Needless to say I got the job.

    Only once I'd joined did I tell them how I'd achieved such a score - I'd written the test! Someone from my previous employer had obviously 're-used' it.

    - sarge
  • Tom_fan_DK 2007-08-23 04:18
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    ... and now repeat with me: BIND VARIABLES, BIND VARIABLES, BIND VARIABLES... You can continue for the next three days...
  • Skizz 2007-08-23 04:38
    "Cake or Death?"
    "Death...no, wait, Cake."

    Skizz

    Captcha: "sanitarium" - probably where they need to go.
  • peaked 2007-08-23 04:56
    I call BS. No company calls you back to tell you that you didn't get the job. Funny story, but probably not true.
  • Sharkey 2007-08-23 05:29
    qdfqsdfqsdfqsdfqsdf:
    Tyler:
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    sub UnnecessarySub { @_ }


    I think you mean: sub UnnecessarySub { "@_" }


    No, treating it as a string would return a space separated string (not what was asked for).
  • Cloak 2007-08-23 05:41
    Ryan:
    I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.

    A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.

    "concatenation is joining things together. I use it to put variables into sql statements."


    This is the answer I was waiting for. Ryan you got THE point. Who wants to have somebody who is talking and talking but maybe won't understand that his boss wants the simple answer (and then goes back to work: allez, go, go, go, and implement it...)
  • Daniel Welborn 2007-08-23 05:57
    I was going to say something similar.... that this is a case of trying too hard. If I were the screener, I'd be looking for a shorter down-to-earth answer, rather than a mini-thesis on concanetation that wanders into other programming topics just for the sake of impressing with the knowledge. Granted, in a job interview situation you want to sell yourself and demonstrate your knowledge, but there's a lot to be said for just answering the question and leaving it at that.
  • The Blotch 2007-08-23 05:59
    Sue! :-)
  • D 2007-08-23 06:15
    Chris:
    Dude you all are some serious nerdz----

    Keep on nerdin' YO!

    How to spot someone who came from Digg.
  • Martin London Dude 2007-08-23 06:22
    Hahahahaha! I once went for an interview at a well known energy company in the UK, and was firstly interviewed by the techies on the energy trading team... This is where I knew I had the job, being technically astute and impressing the hell out of them...

    Then the HR interview...

    Considering my (would be) bosses asked HR to bypass this stage, the outcome is quite funny. They made me do role play. ROLE PLAY??? The job was for Senior Developer on the trading floor.... WTF?? So anyway, at that point I mentioned that perhaps this wasn't too relevant to the job I was going to be doing (the role play was on something really random, can't remember now). I then said that I am glad I didn't do drama at school / college and concentrated on academic subjects......

    I didn't get the job.

    Funny thing is, the next job I did get was for a very well respected software company whose products are the world leaders in investment banking and asset management. Think HR at Gentrixa should all be fired, as they could have hired me for a lot less money than I am paid now! HAHAHAHA!

    That's what HR should be called - HAHA!

    Captcha - mentalist (sanitarium)
  • Elp 2007-08-23 06:34
    That's why good php developers use a DB library like ADODB (http://adodb.sourceforge.net/) that supports it and is DB neutral. Bye Bye SQL injection, hello reusable functions and a LOT of extra utility functions.
  • Frank 2007-08-23 06:41
    Talk about tiresome comments. Who cares about the SQL injection possibility! It was just an example of concatenation, one that he didn't even need to include. Get over it already!
  • Robbie 2007-08-23 06:45
    That code sample he made makes it possible for SQL injection attacks. Lol
  • Charlie Beltram 2007-08-23 06:48
    This actually could be grounds for a lawsuit. This is why employers give out form letters when letting you know you didn't get a job, and won't state specific reasons.

    "Your qualifications are impressive, however, we have decided to pursue other candidates"

    Same thing happens if an employer calls one of your old jobs for a reference, 99.9% of the time anymore a smart business will only answer questions that are absolutely able to be objectively evaluated.

    "How many times were they late to work, how many sick days, what were their sales figures"

    Questions like:

    "How did they perform at ____ task?"

    Can lead to subjective answers, then a fun slander lawsuit.
  • Azeroth 2007-08-23 06:48
    Just a little reminder for people who use packages like PEAR::DB to prepare MySQL queries since this improves performance - thing is, even PEAR doesn't do this properly, it simulates the expected behaviour by doing string escaping. Sorry!

    If you want to do it properly, use PDO or mysqli.
  • Kiss me I'm Polish 2007-08-23 06:48
    Bind variables?
    How do you guys insert data into the db?
    "Please select your bank account number from the list"?
  • Gijs 2007-08-23 06:49
    Woh, you're jumping the gun here. SQL injection has nothing to do with concatenation per se. He didn't mention using user input or any other form of input that could be altered by someone with bad intentions, for concatenating a query. Furthermore, even if you use user input concatenating can still be very useful as long as you know about the risks of SQL injection and prevent them from happening.

    Concatenation of queries can easily be done without the risk of SQL injection. That would be why I wouldn't hire you.
  • sugarcoating 2007-08-23 07:01
    what? hm, can I have the job, I didn't understand anything of this joke, so I couldn't plagiarize anything
  • A nanny moose 2007-08-23 07:02
    Kiss me I'm Polish:
    Bind variables?
    How do you guys insert data into the db?
    "Please select your bank account number from the list"?


    You were trying to be funny or just plain stupid?


    $sth = $dbh->prepare('insert into accounts(number) values(?)');
    $sth->execute($cgi->param('account_number'));


    Granted, that's perl (or thereabouts) but you should get the idea. Now you may freely set your account number to '; drop database' or whatever and you're SQL-injection proof. Of course you must validate the data anyway but for different reasons.

    BTW, I'm Polish too, but don't kiss me :P
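
    What A nanny moose's Perl snippet does, carried through in Python with the standard-library sqlite3 module so it runs offline (an added example, not code from the thread or from any library it mentions). The accounts(number) table and the '; drop database value are taken from the comment above; the in-memory database, the one-column schema and the function names are this example's assumptions. The concatenated version is included only to show that the text of the statement changes with the input, which is the failure the bind variable avoids.

```python
import sqlite3

# Constructed sample inputs: a plausible account number and the value the
# comment above suggests a user might type instead.
BENIGN_ACCOUNT_NUMBER = "12345"
HOSTILE_ACCOUNT_NUMBER = "'; drop database"


def open_db():
    """Fresh in-memory SQLite database with the accounts table from the thread
    (schema assumed here: a single text column called number)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, number):
    """The concatenation pattern under discussion: the value becomes part of the
    SQL text, so the statement SQLite parses depends on what the user typed.
    Returns (sql_that_was_attempted, executed_ok)."""
    sql = "INSERT INTO accounts(number) VALUES('" + number + "')"
    try:
        conn.execute(sql)
        return sql, True
    except (sqlite3.Error, sqlite3.Warning):
        # The quote in the input has changed the statement's structure; with
        # this input that surfaces as a syntax error instead of a silent insert.
        return sql, False


def insert_parameterized(conn, number):
    """Bind variable, the equivalent of $sth->execute($value) in the Perl above:
    the SQL text is a constant and the value travels separately, so no input
    can change what the statement does. Returns the value as stored."""
    conn.execute("INSERT INTO accounts(number) VALUES(?)", (number,))
    row = conn.execute(
        "SELECT number FROM accounts WHERE number = ?", (number,)
    ).fetchone()
    return row[0]


def demo():
    """Run both patterns against both inputs and report what happened."""
    conn = open_db()
    _, benign_ok = insert_concatenated(conn, BENIGN_ACCOUNT_NUMBER)
    hostile_sql, hostile_ok = insert_concatenated(conn, HOSTILE_ACCOUNT_NUMBER)
    stored = insert_parameterized(conn, HOSTILE_ACCOUNT_NUMBER)
    rows = conn.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
    conn.close()
    return {
        "benign_concat_ok": benign_ok,
        "hostile_concat_sql": hostile_sql,
        "hostile_concat_ok": hostile_ok,
        "stored_via_bind": stored,
        "rows": rows,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

    Running demo() returns a dict: the benign number goes in either way, which is why the concatenation habit looks fine in testing; the hostile value breaks the concatenated statement (SQLite reports a syntax error) but is stored verbatim through the bind variable, leaving two rows. As the comment says, validating the value is still worthwhile, for data quality rather than for SQL safety.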
  • Recoil 2007-08-23 07:05
    Man what a bunch of jerks.
  • S. Nikolov 2007-08-23 07:07
    I have seen worse. At university we had a test in material science, I think it was about wolfram steel. One girl had phenomenal memory and wrote a flawless essay describing production, use, etc. I mean she remembered all sorts of percentages, chemical equations and so on. The exam was a closed-book exam, where we were guarded by a number of people against copying.

    The professor failed her, because he meant that it was impossible to write such an essay without copying.

    Again - too good of an answer.
  • Sally 2007-08-23 07:09
    They missed a talented programmer


    Sal
    http://www.prankvideoz.com
  • Da' Man 2007-08-23 07:15
    Scott:
    lostlogic:
    PHP5 does support parameterized queries.

    Thanks for this bit of info. PHP4 did not.

    No, but it did, in fact, support plagiarized queries :-)
  • oracle dude 2007-08-23 07:18
    i think your answer is spot on. anything less is ... well not really impressive though. to Concatcorp, i think i wont get any product or service from them for hiring someone with sub-par knowledge -- that's me. peter is better off somewhere.
  • www.orvtech.com 2007-08-23 07:20
    that's bullshit! dude, post the name of the company so we can send her some nice emails and call them to express our 'views'.
  • karlostjackal 2007-08-23 07:20
    You may be right. Similar situation once for me: saw a posting on craigslist from a recruiter for a job in my city, sounded like an ideal sitch for me (apparently there aren't many Mac developers where I live). Recruiter informed me I'd have to take a test when I got there, to see if I qualified. He also mentioned it would be in an obscure, dead programming language (like Latin is a dead language), but he gave me links to the language description on the web, and I studied it. Had never heard of it before, but it was created in the 60's and - having done just about every major language since the late 70's through now - it was pretty easy to grok. Went in for the test, sat in a conference room for an hour, finished the 20-question test in 30 minutes (basically, if you can code in Z80 assembler and "think like a Z80", the test was a joke), worried about one answer but decided not to change it, and then at the end of the hour the HR person came in and went over my answers in front of me. I knew I'd gotten most of the answers right, but they were looking for 90% and you always miss *something*. The HR person seemed a bit shocked, and I asked him how I did. He told me I'd gotten every question right, and it sounded like I was the first person ever to do so. Then he had me take a "personality" test which showed that I was aggressive and "dominant", not surprising since (A) I am, and (B) I'd been working as a contractor for five years. I spoke with a technical guy after that, who indicated that he wanted me to talk to the company president at a follow-up interview. Didn't hear from them again. Decided I had nothing to lose, called the number of the HR guy, and was told they "went with someone else". No explanation.

    Epilogue: less than a year later the same recruiter "came across" my resume online and asked if I would be interested in this company in my city that was looking for someone with Mac skills and oh by the way they would make me take a programming test in an obscure language. I laughed at the email, called the recruiter up and reminded him of the previous year's experience. Told him that if they'd changed the HR person I might stand a better chance - the HR person seemed to have a dislike for me.

    PS: Don't recall the name of the company, but the city is Boston and the dead programming language is "MUMPS", devised in the 1960's at/for Mass General Hospital.
  • Zero 2007-08-23 07:21
    OMF that's not only funny, but the same thing happened to me
  • Random832 2007-08-23 07:28
    Franz Kafka:
    The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_-@ ]+$ and you'd be proof against sql injection.


    right, and useremailaddr can be checked against




    [\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\
    xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(
    \040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\04
    0\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\
    n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\
    xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]
    *)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n
    \015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\(
    [^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*@[
    \040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\x
    ff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040
    )<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\x
    ff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x8
    0-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\
    n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:"
    .\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x8
    0-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xf
    f][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*|(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-
    \xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\01
    5"]*)*")[^()<>@,;:".\\\[\]\x80-\xff\000-\010\012-\037]*(?:(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([
    ^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)|"[^\\\x80-\xff\
    n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[^()<>@,;:".\\\[\]\x80-\xff\000-\010\012-\037]*)*<[\040\t]*
    (?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015
    ()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\
    ([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:
    [^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\0
    15\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*
    (?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80
    -\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\
    \x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\
    037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[
    ^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[
    \040\t]*)*)*(?:,[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80
    -\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*
    (?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015
    ()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|
    \[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([
    ^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.
    [\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\
    xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\04
    0)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\
    xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x
    80-\xff\n\015()]*)*\)[\040\t]*)*)*)*:[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff
    \n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)?(?:[^(\040)<>@,
    ;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80
    -\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\01
    5()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\
    \\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\)
    )[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\
    000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\
    xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x
    80-\xff\n\015()]*)*\)[\040\t]*)*)*@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n
    \015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".
    \\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80
    -\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff
    ][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(
    ?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015(
    )]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\
    [(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^
    \\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*>)
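
    The default-deny allowlisting that the quoted Franz Kafka comment describes, and the reason the regex above is the punchline, as an added example in Python (not code from the thread): userID and username get the patterns the comment gives; e-mail deliberately gets none, because a field whose grammar needs a regex that size is exactly where validation stops being a SQL-injection defence and bind variables have to carry the load. One adjustment: the comment's username class, [a-zA-Z_-@ ], puts _-@ inside the brackets, which regex engines read as a character range from '_' down to '@' and reject, so the hyphen is moved to the end here. The patterns are applied with fullmatch rather than ^...$ with match, and the last function shows why; the field names and the dict layout are this example's assumptions.

```python
import re

# Allowlists from the quoted comment, compiled for fullmatch (so no ^ or $).
# The username class has its hyphen moved to the end: "_-@" inside brackets is
# an inverted range and re.compile refuses it.
ALLOWLIST = {
    "userID": re.compile(r"[0-9]+"),
    "username": re.compile(r"[a-zA-Z_@ -]+"),
    # No entry for "email": there is no short allowlist for RFC 822 addresses,
    # which is the point the regex above makes; such values go to the database
    # through a bind variable, not through string assembly.
}


def validate(field, value):
    """Default deny: return value unchanged only if the whole string matches the
    field's allowlist. Unknown fields and non-strings are rejected as well."""
    pattern = ALLOWLIST.get(field)
    if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
        raise ValueError(f"{field}: rejected {value!r}")
    return value


def accepts(field, value):
    """Boolean form of validate() for callers that branch instead of raising."""
    try:
        validate(field, value)
        return True
    except ValueError:
        return False


def trailing_newline_slips_past_dollar(value="42\n"):
    """Why fullmatch and not ^...$ with match(): in Python's re, '$' also matches
    just before a final newline, so '42\\n' satisfies ^[0-9]+$ while the
    fullmatch-based allowlist rejects it. Returns (anchored_match, allowlisted)."""
    anchored = re.compile(r"^[0-9]+$")
    return anchored.match(value) is not None, accepts("userID", value)


if __name__ == "__main__":
    # Constructed sample values, including a few that should be refused.
    for field, value in [("userID", "123"), ("userID", "1 OR 1=1"),
                         ("username", "peter_b"), ("username", "x'; --"),
                         ("email", "someone@example.com")]:
        print(field, repr(value), "->", accepts(field, value))
    print("42\\n:", trailing_newline_slips_past_dollar())
```

    The allowlist is a defence for data integrity and, as a side effect, blocks most injection strings for the two fields it covers; it is not a substitute for parameterized statements for the fields it cannot cover.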

  • Joe 2007-08-23 07:35

    Very real possibility that they didn't want to pay enough to keep someone who really knows their stuff around.... also, the manager might be afraid of employees who are sharper than him.
  • Martin Leblanc 2007-08-23 07:39
    What a crappy company!
  • Martyn 2007-08-23 07:42
    I was thinking exactly the same thing.
  • Kim Bruning 2007-08-23 07:47
    Hmph, python already has the latter built in.


    "".join(("Beep", "Boop", "Bop"))


    Grmbl, well at least I can still roll my own version of the former.


    def concat(*args):
        result = ""
        for arg in args:
            result += arg
        return result


    Argh. Just. Can't. Get. It. Ugly.


    How about lovely 6502 on an ancient Acorn 8-bitter, the Real Programmer way.

    {
    .string1% EQUS "Beep"
    .string2% EQUS "Boop"
    .string3% EQUS "Fizzle"
    .start%
    LDA #&2C \ ASCII ','
    STA (string2%-1)
    STA (string3%-1)
    RTS
    }

    CALL start%
    print $string1%


    running gives:

    Beep,Boop,Fizzle



    Because EQUS creates 0 terminated strings and places them in memory sequentially, replacing the 0s with commas will effectively concatenate the strings in place. (though if you didn't want commas, you're out of luck :-P)

    Unfortunately this was for a "home computer". I'd have to think of a PDP-11 variant or something if I want to make that sound profound.... but unfortunately PDP-11 was just before my time :-(
  • pcarter 2007-08-23 07:52
    bkendig:
    At least the question made sense!



    I once had a HR person in an interview ask me to "describe the use of constructors in ANSI C." I tried to explain to them that C didn't have constructors, but C++ did. Of course, they didn't know anything about programming. Their "technical guy" had created the test.

    There was also a list of desired skills. From it, they asked me if I had E-M-A-C-S experience (they spelled it out).

    Wasn't upset when I never heard from them again.
  • Tov 2007-08-23 07:57
    WTF
    KillKillKillKill
  • charon 2007-08-23 08:02
    it was yellow imho
  • Tim Wallner 2007-08-23 08:11
    This is a common problem being faced by every company. When the pioneer employees and management are inferior in knowledge, these people make it a point to hire somebody inferior to them so as to safeguard their job. So the company suffers. It would be wise for every company to have their employees take some technical skill test from an outside company to check if they've employed lemons.
  • Loctar 2007-08-23 08:27
    OUchhhhh.. what an answer...
  • swapo 2007-08-23 08:31
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.


    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = :lart");
    $stmt->bindParam(':lart', $lart);
    $stmt->execute();

    or
    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = ?");
    $stmt->bindParam(1, $lart);
    $stmt->execute();

    or

    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = ?");
    $stmt->execute(array($lart));


    That's PDO which finally gives you some sane db-access in PHP. It's available since PHP 5.0 (via PECL) and default since 5.1.

    http://php.net/manual/ref.pdo.php
  • Cloak 2007-08-23 08:39
    tieTYT:
    matthewr81:
    Jesse:
    WTF:
    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:
    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); //bind happens here
    ResultSet rs = ps.executeQuery();
    ... //get results

    (Yes yes yes, there is no try/catch/finally here, it's an excerpt) This is how you'd escape aString in Java code. This is better than using a special, separate method called addSlashes() or whatever because that makes it easier for programmer error:

    When did addSlashes get called? Maybe it was in the function that passed aString in? Maybe it was 5 lines above the concatenation? Maybe it's done in the concatenation itself? What if you're wrong and some code gets changed and now you haven't called it at all? What if you're wrong and you called it twice (does that break things?). All these questions are avoided by the Java way of doing it. You only have one option and, fortunately, it has to be done very close to the SQL itself.

    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.


    First, fuck Java! You need a 200 MB Java engine running in the background just to get that stuff done. And that with some 30% more code to write. You end up with a slow program that still needs at least some 100 MB on the client just for outputting "Hello World". Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.
    Second, there should be an option to see useful debugging information for everything not just SQL.
  • Carl 2007-08-23 08:41
    Take it from me, I'm in my 40s now. Nobody wants to work with someone smart. They just want to work with someone who would be cool to have a beer with.

    The right answer would have been- "It's when you add something to something else, like this-and-this-and-this."

    In my experience the smart people all work for the dumb people. I am not being cynical- this is how it really is. And I moved my way up in the company by making fun of the smart people and chumming around with the jocks and dummies. Now I'm CIO and I own a percentage of the company.

    My smart friends all make less than half of what I do.
  • Anonymous 2007-08-23 08:44
    I was out of work a few years ago and heard about an opening with a local company. I called and went through a fairly extensive interview over the phone. They were very interested. I had all the skill sets they needed. A second phone call went well, but they needed a resume to pass around to the top brass. I agreed to drive one over the next morning since it was late in the day. The next morning I delivered the resume, took a tour of the company, and left with the assurance that I'd receive good news later in the day. The call that afternoon was quite a shock. They couldn't hire me because I was acquainted with too many people currently employed there. I never found out the reason for the sudden about face.
  • Belinda 2007-08-23 08:51
    Corporations are simply out of control. . . I have been associated with this industry for the past 20 years and mostly they no longer want employees who can think, they want employees who are very compliant.

    Compliance trumps intellect far too many times. Ask yourself: Is this the type of company you would really WANT to spend 8+ hours a day with??? (PUKE)
  • Michael 2007-08-23 08:54
    Typical response from supposed HR professional people who have no clue what IT workers really do.
  • Markus Diersbock 2007-08-23 08:55
    On the surface I would have thought he cribbed the answer too -- it was an informal question, why not a 20 word answer?

    If I got an answer like that, I would worry that the person was answering through rote memory, rather than having an understanding the topic being discussed.

    At the very least, more emails should have been exchanged.
  • Orion Darkwood 2007-08-23 09:09
    I have two job opps that were similar.

    1. Employer passed me over because I was not wearing a tie didn't say I had to have on suit and tie, not to mention any company that directions include turn left after the junkyard, the road we are on has no name..

    2. Employer chose someone else because I was too cute.. Excuse me if I turn you on, doesn't mean I am bad for the job
  • Lawk Salih 2007-08-23 09:15
    That's what I call bad recruiting. Sorry Pete, I guess it was your unlucky day.
  • KenW 2007-08-23 09:16
    Fixme:
    Thinking of which - what's with this zealous anonymization anyway? Give us company names, give us public ridicule. At least when it's as deserved as this.


    Give us absolute without-a-doubt proof that the actual incident/conversation/whatever happened exactly as written, so we can defend against the lawsuits filed against us for libel/slander/defamation of character/loss of income/whatever other reason.

    Gee, if "Fixme" was your real name, and you did something stupid, and I posted about it in a public place and exposed you to ridicule, and you lost money or whatever, would you be really happy? I'd suspect not.
  • Luke Werner 2007-08-23 09:16
    Sometimes you just can't win :(
  • IT Contractor 2007-08-23 09:17
    >_<

    I feel your pain.

    The other one is being turned down for a three month contract because you're too senior.

    Give me the job and I'll do a good job of it.
  • san2000 2007-08-23 09:19
    What a bunch of losers... Probably the boss didn't understand your answer and that scared him. Believe me, you deserve better than being with those losers...
  • Bel-Aero 2007-08-23 09:19
    I would sue the for slander/defamation.
  • Cloak 2007-08-23 09:22
    Mr Steve:
    matthewr81:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...



    like this you moron:

    function insertNewUser($name) {
        if ($name == 'Bob') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Bob')");
        } else if ($name == 'Lisa') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Lisa')");
        } else {
            die('Hacking attempt!!!!');
        }
    }


    Hello Paula, back again?
  • mikko 2007-08-23 09:25
    I may be in error, but doesn't the code sample shown contain a possible opening for SQL injection attack? I learned all about them in school, and that's why I only use text files to store data - you can't attack MY code!
  • KattMan 2007-08-23 09:27
    Skizz:
    "Cake or Death?"
    "Death...no, wait, Cake."

    Skizz

    Captcha: "sanitarium" - probably where they need to go.


    "Cake or death?"

    "Cake please"

    "Well, we are all out of cake"

    "So my choices are death or death?"

    "Well we didn't expect such a run on cake, we only had three pieces."

    I love Eddie Izzard
  • KattMan 2007-08-23 09:28
    peaked:
    I call BS. No company calls you back to tell you that you didn't get the job. Funny story, but probably not true.


    The company didn't call him back, his recruiter did. And recruiters will call to tell you that the company in question hired someone else.
  • KattMan 2007-08-23 09:31
    Daniel Welborn:
    I was going to say something similar.... that this is a case of trying too hard. If I were the screener, I'd be looking for a shorter down-to-earth answer, rather than a mini-thesis on concatenation that wanders into other programming topics just for the sake of impressing with the knowledge. Granted, in a job interview situation you want to sell yourself and demonstrate your knowledge, but there's a lot to be said for just answering the question and leaving it at that.


    But on a sent-home, pre-screening question, what makes you think one sentence is the right way to go? A single sentence is good for a phone screening, but for a take-home screening question, the attitude that this should be an essay question should be the norm. Otherwise why make it a take-home question? Giving a single sentence on something like this could very well mean you don't feel like the opportunity is worth your time.
  • JGM 2007-08-23 09:35

    Can I say SQL injection? That would be why I wouldn't have hired him..


    Wow! Do you even write code for a living? Or are you one of the hr people from that story?

    The subject was concatenation, and that's what he focused his answer on, rather than going off on a tangential discussion of user input validation and sanitizing data.
  • SinzenStudios 2007-08-23 09:36
    I had this happen to me about a week ago as well. They stated that my answers were too academic and I didn't know a thing about any CMS nor did I have any business writing for any business. I'm sure my past clients would disagree with it all but that's just how it goes sometimes.
  • ParkinT 2007-08-23 09:40
    So, in the 'real world' (when I was on the job) if I encountered something about which I had NO understanding what is this employer expecting me to do?
    I should DEFINITELY NOT do some research (on the web) to get the answer. After all, applying knowledge and experience (not to mention using the rare skill of adequately explaining it to someone else) to solving a problem is NOT the reason you were hired!!

    This sort of bureaucratic nonsense outrages me!
  • DBG 2007-08-23 09:45
    Last time I applied for work I went through a hiring agency focusing on tech-jobs (aka sysadmining, programming etc).
    This temp agency uses an online test to check your aptitude in whatever field you want to work in (Win2003 server, C#, C++, jscript, whatever).

    Dumb thing about this online site is that you can register temp accounts to "check out their tests" and I found most of them to be quite simple except that they always put in some stuff I knew I couldn't answer, such as insane templates and pointers and what not.

    This was aptly solved with the use of a debugger to freeze the firefox.exe instance running the website (which in turn froze the timer on the test), which gave me a couple of minutes to google whatever I had problems with :P Turned out I scored very high on all tests and it landed me a $35/h job.

    In my own logic the fact that I managed to freeze the test with a debugger and find the answer, thus showing a "high problem-solving aptitude", justified every single bit of it :P

    (ironically the captcha for this submission is: darwin).
  • ijit 2007-08-23 09:52
    bind variables are dynamic
  • FredSaw 2007-08-23 10:02
    karlostjackal:
    - it was pretty easy to grok.
    Sounds like if they'd hired you, you'd have been a stranger in a strange land.
  • Paul 2007-08-23 10:05
    I like you! Let's have a beer and I'll send you my internship application :P
  • Paul 2007-08-23 10:06
    my previous message was meant to be a reply to Carl's message.
  • alexgieg 2007-08-23 10:13
    bkendig:
    I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.
    Some years ago, I was approached by a 4th-year student of social science who was interviewing people to answer a multiple-choice questionnaire on the person's opinion on ecological and related matters. It was for his graduating research paper.

    I browsed the questions and available answers, and couldn't help but start lecturing him on what was so wrong with the whole thing. To be short: all questions were ambiguous, not clear-cutting a single subject; and worse, all of them, even when interpreted in the most generous way as "almost" non-ambiguous, had only a subset of the relevant answers he might come across. I explained some of the errors, giving examples of how one question should in fact be three, what the answers offered should be, etc., and finished by informing him that whatever statistical results he derived from those questions, they would be meaningless, and thus useless and not scientific. He thanked me and walked away.

    Some minutes later, I noticed him asking a couple to answer the exact same questionnaire...
  • Michel Parisien 2007-08-23 10:16
    This happened to me in high school. I was part of an advanced program which required you to spend a year working on a project. Then, three judges were to judge, and their grades averaged to come to the final mark. The project I initially was going to take was to write a report on Japanese culture and history. I was asked to make my project something a bit less monotonous, so after discussing it a bit, we agreed I should make a manga.

    Well this was a year long project, so, focused as I was, I logged about 400 hours into it. I went from having no clue of how to draw to being pretty good. I completed the 32 page full colour manga, and submitted it and defended it in front of the judges. I even had 500+ hand drawings showing my progress as I taught myself how to draw.

    Thing is, in high school, even in advanced programs, kids are lazy. Most people didn't start their project until the last week before it was due. I found a lot of these people got 80s and such, while I got a 70. I thought maybe what I did wasn't really of much interest until graduation day, when one of the judges approached me.

    "I should tell you, you really didn't deserve the mark you got. Me and the principal", who was also a judge, "gave you 100%, but [[insert name here]] failed you for forgery because she was convinced no one could improve that much in a year."

    I think there was something going on there, involving more than just the disbelief in my skill (she has historically hated me for bigoting reasons), but still, I feel good knowing it was the best 70 I've ever received.
  • me 2007-08-23 10:16
    wow, what a useless article.

    was this written by "Peter" in order to show how smart he is?

  • Darryl 2007-08-23 10:23
    Cloak:
    tieTYT:
    matthewr81:
    Jesse:
    WTF:
    Can I say SQL injection? That would be why I wouldn't have hired him..


    I really hope that was a joke... if you validate your dynamic date before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...


    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:
    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); //bind happens here
    ResultSet rs = ps.executeQuery();
    ... //get results

    (Yes yes yes, there is no try/catch/finally here, it's an excerpt) This is how you'd escape aString in Java code. This is better than using a special, separate method called addSlashes() or whatever because that makes it easier for programmer error:

    When did addSlashes get called? Maybe it was in the function that passed aString in? Maybe it was 5 lines above the concatenation? Maybe it's done in the concatenation itself? What if you're wrong and some code gets changed and now you haven't called it at all? What if you're wrong and you called it twice (does that break things?). All these questions are avoided by the Java way of doing it. You only have one option and, fortunately, it has to be done very close to the SQL itself.

    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.


    First, fuck Java! You need a 200 MB Java engine running in the background just to get that stuff done. And that with some 30% more code to write. You end up with a slow program that still needs at least some 100 MB on the client just for outputting "Hello World". Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.
    Second, there should be an option to see useful debugging information for everything not just SQL.


    Oh look, a troll. A stupid one too by looks of it. Go back to your bridge little troll, there's no place for you here.

    CAPTCHA: kungfu (kick that troll in the teeth)
  • Bob 2007-08-23 10:37

    Peter's answer is not what they were looking for. From Peter's answer I would get the impression that he would be an ineffective worker. Sometimes the straight answer is the best.

    Keep it simple stupid.


    This world needs more functional programmers.
  • M. Ulysses Stanley 2007-08-23 10:40
    If they had a clue, they wouldn't be in HR.

    M.
  • Pat 2007-08-23 10:46
    roflmao, certainly is a good thing that they don't want "good developers"

    --
    http://free-iphone-apple.blogspot.com/
  • stupid old me 2007-08-23 10:48
    bkendig:
    I think they didn't want someone who had a good command of the English language or who had a tendency to identify problems and offer solutions to them.



    Yeah, I really hate that quality in an applicant too!
  • Anthony B. 2007-08-23 10:55
    To all of you individuals who have stated "if I were a screener, I would have come to the same conclusions", let us review and then do a basic analysis.

    You have just asked a potential candidate for a job, someone seeking a new job and hoping to impress the potential employer, to answer a three part question.

    1) What is it?
    2) Use in PHP?
    3) Your experience with it?

    How you could possibly hope to get less than what Peter had given and expect a good candidate for the position, I am not too sure. A screener that recommended a vague two to three sentence response from this would have been fired by my boss for incompetency. I have had the advantage of seeing applications and hearing interviews in my position and knowing how they turned out as an employee in the end. Someone who is not willing to put forth the effort for this screening question, which due to its simplicity is the only reason I can think it would be used, is not someone that I would want working on projects with me, or as part of my team. Being a written statement, I'd expect more, not less. And anyone who is qualified in their field can write a response like the one given in the OP. Businesses wishing to compete and gain economic profit have to be picky, look for highly qualified people, willing to work within the bounds of the salary allotted to that position by the executives who can bring methods of increased efficiency. Peter would have gotten a call for an interview from me to see exactly what he knew. Probably been one of the more hopeful applications too.

    On a more aggressive note: remember this is programming, once the company has the efficient code and the employee becomes too hard to handle, they still have the code and can find someone else.
  • schmichael 2007-08-23 11:06
    My god.... he submitted one of the most causes of SQL Injection attacks as a code sample!

    There may be nothing wrong with PHP as a language, but as far as I can tell 90% of PHP developers are lazy and braindead.
  • redSHIFT 2007-08-23 11:06
    Your search - +"Concatenation is the process to sequentially join multiple pieces of data, usually literal strings with non-string-literal data (most commonly, variables or other literals)." -peter - did not match any documents.


    Doesn't look like he plagiarized then :) The company should try something more than email though...
  • schmichael 2007-08-23 11:09
    "most causes" > "most common causes"

    Seems I should work on my English before I critique others' PHP.
  • nnl 2007-08-23 11:18
    >> PHP doesn't support parameterized queries

    Yes, it does. Has done for a while.
  • LiquidFire 2007-08-23 11:19
    Sharkey:
    qdfqsdfqsdfqsdfqsdf:
    Tyler:
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    sub UnnecessarySub { @_ }


    I think you mean: sub UnnecessarySub { "@_" }


    No, treating it as a string would return a space separated string (not what was asked for).


    Yeah but just returning @_ isn't really concatenation, since it just returns the list back. You mean one of these:

    sub semiUnnecessarySub { join '', @_ }
    sub semiUnnecessarySub { local $" = ''; "@_" }
  • Gray 2007-08-23 11:20
    karlostjackal:
    [...] He also mentioned it would be in an obscure, dead programming language [...]it was pretty easy to grok. [...] and the dead programming language is "MUMPS"[...]


    Not quite dead. I know and worked on a system (I think in English it's an ERP system - managing buying/storing/selling wares) programmed in M.

    Additionally, I understand that it's still not uncommon in medical and financial institutions. Examples, taken from wikipedia, include the US Veteran Administration or large parts of the US DoD CHCS hospital system.

    Nowadays it's usually not plain M anymore but its successor which is named Cache. Cf http://en.wikipedia.org/wiki/Caché_(software), but where I once worked this came after my time there ended.
  • Gray 2007-08-23 11:22
    ... and damn, I forgot, but - yes, it is a rather simple language. The 'single letter command' style was standard for the system mentioned above. Made for short lines :)
  • Someone You Know 2007-08-23 11:25
    alexgieg:
    Some years ago, I was approached by a 4th-year student of social science...


    A computer science professor once told me that if you have to put "science" in the name, it ain't really science.
  • Richard 2007-08-23 11:28
    I would have answered it to the best of my ability too. And if it were detailed like his, I too, would not have even considered the response he was given. Don't worry Peter, it's their loss... you can do better!

    Always do the best in everything you do -- someday, you may get rewarded for it.
  • Steve 2007-08-23 11:37
    Thorough answer, but I would have been wary of the SQL example you used in every web app you have coded. A technical reviewer might have been suspicious of plagiarism because that kind of example is the kind you find in a beginner's book, not what you would hope to find in the real world; i.e., a complete book understanding but not a practical understanding probably raised some flags.
  • John 2007-08-23 11:49
    Ryan:

    A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.


    I think Ryan here is the only one who gets it. There is such a thing as a "too good" answer. An A+ candidate is a threat to most employers. Someone who knows your job better than you do is a potential embarrassment and probably incongruent with the wage you're offering. That means they're perceived as likely to leave as soon as they get a better offer. To put it bluntly, a large number of people working in high positions in IT these days are fucking idiots. One of the greatest challenges for smart people is knowing how to dumb themselves down to an acceptable level. Ryan gets it because Ryan is one of them, part of the malingering incompetent fat that blocks up the arteries of our businesses and government departments. Too proud to step aside and let the better man through, too afraid of being exposed, the only recourse they have is to keep the good people down.
  • Mustafa 2007-08-23 11:54
    hehe, I AM Not surprised///

    --> you may ask why? because it happened to me all the time during my last 134 interviews. they ask me stupid questions and I answer them with a quality answer, and yet they refuse to give you the position. i think most of the managers are arrogant selfish dogs, they don't understand the concept of being smart
  • seejay 2007-08-23 12:06
    Michel Parisien:
    "I should tell you, you really didn't deserve the mark you got. Me and the principal", who was also a judge, "gave you 100%, but [[insert name here]] failed you for forgery because she was convinced no one could improve that much in a year."

    I think there was something going on there, involving more than just the disbelief in my skill (she has historically hated me for bigoting reasons), but still, I feel good knowing it was the best 70 I've ever received.


    Just wanted to say that this was a very awesome and heart-warming story. :) Sucks about the 70% (I remember lazy-arsed people getting high marks in high school as well when I'd put in tonnes of time for either the same or a lower mark) but it wound up paying off in university where it was a lot more difficult to pull that off.

    On the same vein of the topic discussion, I had signed myself up with a temp company while I was between jobs a few years ago. I signed up for anything technical, but also included secretarial work (hey, I was getting desperate for any sort of job to keep the mortgage paid). I had ample experience in secretarial work from the jobs I had prior to university, plus my computer experience meant that 99% of any office software thrown at me wasn't an issue... something most offices are very happy to see.

    I got a call from my temp manager who said a place was looking at hiring me for 2 months to do office management. It was the best lead I'd had so far and I was excited about it. She just had to fax my resume over. I sent her an updated copy of my "secretarial" version. A week later, she called to say the company had changed their mind... I was far too over-qualified. Based on my modified secretarial version of my resume. And they couldn't deal with that for *only* 2 months. WTF??

    Needless to say, it was another blow to my ego at the time... I was already having an extremely difficult time finding employment as my programming skills were out-of-date and my specialization was a very niche-market that usually doesn't have a lot of openings. Under-qualified as a programmer, over-qualified as a secretary, and few jobs in my specialization.... yeah, it was a pretty rough summer.

    -- Seejay
  • Timtimes 2007-08-23 12:09
    They could have 'googled' a phrase in that answer to see if it returned any hits. If not, then the odds that he plagiarized it are probably pretty long.

    Enjoy.
  • Stefan W. 2007-08-23 12:18
    Good comment on page 2: "Email questions is begging for plagiarism".

    But WTF:
    SQL-Injection, too qualified, answer too long, ...

    Why should the company hide their real reason behind an offending insult?
    "Sorry - we found another candidate who matched better", "you didn't focus on security which is an important ...", "we guess you're overqualified", "we don't comment on refusals" - those would be appropriate answers.

    The story is a classic WTF, while my first thought was indeed "SQL-Injection".

    Here is my own story:
    Live interview at the company, Java programming.
    Talked about this and that. Then the manager asked questions about performance improvements.
    I mentioned common mistakes and general ideas (performance by design, use profilers instead of speculation, 80:20 rule, and so on).
    He wanted to hear something else, and presented 3 obscure techniques: some obscure bitmask thing, one thing which I have forgotten, and reverse-itering through a for-loop:
    instead of:
    for (int i = 0; i < x.size (); ++i)
    he suggested:
    for (int i = x.size () - 1; i >= 0; --i)

    Well - I argued that you should really test whether there is a penalty in the first approach, which is more readable. If there is some real work inside the loop, the improvement will not matter, and nowadays compilers and JIT compilers are very good at optimisation themselves.

    Well - I couldn't convince him, and my salary expectations didn't fit.
    On my way home I bought the newest Java magazine, and found an article: Performance improvements, explaining all his lousy tricks.

    At home I tested them and found none of them working - everything was antiquated voodoo art, working with java-1.1.8 or something - not with java-1.4.

    Lesson learnt: Be sure to read the newest Language magazine _before_ your interview. :)
  • Pete 2007-08-23 12:23
    How do we know he didn't fake it?

    Go to AnusJuice.com for webcams.
  • AskTheAdmin 2007-08-23 12:26
    Dont you hate when you need to dumb stuff down for idiots!

    Thanks for the chuckle from your friends over at http://www.askTheAdmin.com
  • loco 2007-08-23 12:31
    my guess is, the guy from the company evaluating the answers is also a PHP programmer, and doesn't want somebody smarter than him taking over his job.
  • Mike 2007-08-23 12:36
    Has no one realized he had to have typed all that in 30 seconds per the email instructions?
  • John 2007-08-23 12:42
    I feel your pain, I really do.

    I've worked in the field for ages and am constantly getting hit by guys offering me the latest position, reeling me in for long talks only to turn around and say they'd rather get someone more junior for the role.

    Really kicks you in the heart.

    Hope you have more luck,


    John.

    http://www.red91.com
  • John 2007-08-23 12:45
    agree,

    got totally kicked sideways by a guy asking java questions I'd never heard about.

    ugh.....
  • Horseonovich 2007-08-23 13:00
    Those Guys are Assholes
  • Veretax 2007-08-23 13:04
    peaked:
    I call BS. No company calls you back to tell you that you didn't get the job. Funny story, but probably not true.


    I hate to burst your bubble but it sounds like the job was being hired through a recruiter (subcontractor perhaps), someone like a TekSystems or a Mantech Professional Service that makes money finding folks. It's likely that company which told him he didn't get the job. Funny how so many folks missed that.
  • Carl 2007-08-23 13:11
    How cute is your ass?
  • Tyler 2007-08-23 13:30
    Sharkey:
    qdfqsdfqsdfqsdfqsdf:
    Tyler:
    Mike:
    Oooh Oooh! I know that one:

    1) return string1 + string2 + string3;

    2) StringBuilder sb = new StringBuilder();
    sb.Append( string1 );
    sb.Append( string2 );
    sb.Append( string3 );
    return sb.ToString();

    3) return string.Concat( string1, string.Concat( string2, string3 ) );

    4) return string.Format( "{0}{1}{2}", string1, string2, string3 );


    sub UnnecessarySub { @_ }


    I think you mean: sub UnnecessarySub { "@_" }


    No, treating it as a string would return a space separated string (not what was aked for).


    Yeah, but the way I originally put it would return it as an array, which is definitely not what was asked for...not sure what I was thinking. You'd actually want to set $" to "" and then return "@_"
  • Darien H 2007-08-23 13:31
    Cloak:
    Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!)


    I take it you've never used Netbeans to create a GUI before.
  • steve 2007-08-23 13:39
    i think this story is BS.
  • poochner 2007-08-23 14:07
    Mike:
    Has no one realized he had to have typed all that in 30 seconds per the email instructions?

    That was only in the imaginary question he did not get.

    I think almost every pedantic programmer has gotten this kind of response ("must have plagiarized it") at some point in their life, whether on a term paper or whatever. Even if the powers that be never tell you, they think it when the answer's too formal, too grammatical. Also, if the company told the recruiter that they thought it was plagiarized, that's definitely slanderous, but maybe not actionable. Maybe the recruiter was lost in the anonymizing process?
  • AdT 2007-08-23 14:07
    ratsbane:
    And you will be mingling SQL with data whether you like it or not


    Assuming a von Neumann system architecture, well, of course. But to what degree? If the DBMS is embedded (I use embedded Firebird for instance), no network transmission is necessary, no serialization will occur and the degree of mingling is certainly less when you use parameterized queries.

    Even if network transmission is involved, so it will probably be necessary to serialize SQL code and data into the same stream (resp. datagram), they will likely still be separated to the extent of not being encoded in the same string, greatly diminishing the chance that some of the data will accidentally get executed as SQL.

    And even if the DBMS or the driver actually does not support parameterized queries directly, so it has to generate an SQL string that contains the actual, escaped data, it is still better to let the low-level driver routines take care of this for at least two reasons: Forward compatibility (If they fix this deficiency, you will benefit from this fix without rewriting your code) and separation of concerns. SQL string escaping, even if it is necessary at all, is a serialization issue and simply does not belong in program modules that use SQL queries to store and retrieve data. These should neither care nor have to care about network serialization. It's simply not their business and will only complicate code reuse and maintenance as well as encourage bug proliferation.

    ratsbane:
    it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.


    If you use open source database drivers, then, no, they're not a magical black box. Anyone can download the source code to the client libraries of PostgreSQL, MySQL, Firebird and others. The way they handle parameterized queries is no more "black box" than PHP's mysql_real_escape_string.

    If you use closed source drivers and distrust their ability to do their job correctly, then I wonder why you would use them at all in a production system.

  • redwizard 2007-08-23 14:14
    "[...]plagiarized it[...]"

    Wow.

    The company may as well have said, "Coud you pweeze tell it to us in Engrish? This too techy, you can't be dat smart." WTF indeed.

    Lesson learned: find out who your audience is, and tailor your communication accordingly. You don't want them to refuse to hire you because of THEIR misunderstoods.
  • redwizard 2007-08-23 14:17
    steve:
    i think this story is BS.


    You should know something about life: when writing fiction, the story has to be BELIEVABLE. Truth has no such requirement.

    This does not alter the fact that we do not know for certain if the story is BS or not - I am simply reinforcing that fact.
  • tieTYT 2007-08-23 14:20
    Cloak:

    This is the answer I was waiting for. Ryan you got THE point. Who wants to have somebody who is talking and talking but maybe won't understand that his boss wants the simple answer (and then goes back to work: allez, go, go, go, and implement it...)


    I think you miss the point. This is an email. It's the first email he's ever had with this person. It's not a phone conversation where you can gauge someone's reaction as you speak to them. On a phone call, all these criticisms are all completely valid. But the first time you email someone, you don't know WTF they want from you! Just look at these comments. Half of them say that this was a really good answer, the other half say that his answer was way too long and they wouldn't hire him. He has a 50% chance of answering the question the way you want thanks to the format.

    The SMART people say, "this should have been done over the phone". The DUMB people say, "this answer was too long and I wouldn't have hired him".
  • Ean 2007-08-23 14:21
    The CONCATENATION operator?

    Wow, it makes me wonder what kind of monkey got the job?

    Remind me to never, ever use a web app. that company makes.

    Bonus points for pointing out a better way than the concatenation operator for joining bits on an echo line.

    Honestly, you are better off in a job that actually challenges your skill set.

    I program PHP daily but I don't consider myself an expert. I consider this screening question to be ludicrous. Why not ask people how to avoid cross-site scripting vulnerabilities or SQL injections?

    Hahah... all in all, this is just too funny.
  • Eeve 2007-08-23 14:22
    Oh man, this brings back memories- in grade 4 I got an F on an essay on chimpanzees because the teacher thought I copied it from a book. Turns out I just had above average writing skills and I actually researched, and filled my essay with facts instead of the "I like chimpanzees because they are cute" stuff my classmates wrote.

    My Mom stormed into the school and showed the teacher our books on animals we had in the house and demonstrated where I got the info from and how I put it into my own words as we were instructed. Bam, A+. A five minute conversation with me by the teacher would have shown her that I knew the topic.

    Ok, I'm rambling... but the other commenters who pointed out that the company lost a strong candidate because they were too lazy to talk to the guy are all exactly right. I hate it when people jump to conclusions.

    Captcha: stinky
  • Zygo 2007-08-23 14:33
    Cloak:
    Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.


    Holy shit...

    puts("Hello, World!\n") in C (GCC 4.1, default compile options): 7021 bytes.

    Same source code compiled with C++: 7486 bytes.

    std::cout << "Hello, World!\n" in C++: 8477 bytes.

    Statically linked: 495K, 557K, and 1186K, respectively.

    Recompile in C++ with coverage analysis, profiling, debugging, inline functions, exceptions, RTTI, and unrolled loops: 1234K.

    Delphi produces a 5MB executable. Presumably you're not building Delphi apps with options intentionally chosen to produce the largest possible exe, so we're comparing the 8K executable with a just-less-than-5MB one.

    WTF is the just less than 5 MB for?
  • Zygo 2007-08-23 14:33
    Random832:
    Franz Kafka:
    The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_@ -]+$ and you'd be proof against sql injection.


    right, and useremailaddr can be checked against


    [something which I presume is an attempt at the RFC822 regexp]



    And don't forget, valid email addresses can contain SQL injections, mismatched HTML tags, shell commands, and Javascript, depending on what part of the system you want to inject code into.
  • Zygo 2007-08-23 14:33
    A nanny moose:


    $sth = $dbh->prepare('insert into accounts(number) values(?)');
    $sth->execute($cgi->param('account_number'));

    Now you may freely set your account number to '; drop database' or whatever and you're SQL-injection proof.


    Somewhere, there is a bank with an accounts database that has an account with the number "; drop database" or whatever. It probably has very interesting monthly statements. ;-)
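The prepare/execute pattern in the post above, worked through as an added example that is not code from the thread: a constructed in-memory SQLite table (Python's sqlite3 stands in for Perl DBI or PHP's MySQL functions) is queried once by string concatenation and once with a bound parameter, so the difference on hostile input is visible, and a row with the literal number `; drop database` is inserted exactly as the joke describes. The table contents and account numbers are invented for the example.

```python
import sqlite3

# Constructed sample data (not from the original thread): a tiny accounts table.
SAMPLE_ROWS = [("1001", "alice"), ("1002", "bob"), ("1003", "carol")]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, number):
    """Vulnerable form: the account number is spliced into the SQL text,
    so quote characters in it become part of the statement."""
    sql = "SELECT owner FROM accounts WHERE number = '" + number + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, number):
    """Hardened form (the post's prepare/execute): the value is bound as a
    parameter and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT owner FROM accounts WHERE number = ?"
    return [row[0] for row in conn.execute(sql, (number,))]


def insert_param(conn, number, owner):
    """Insert with bound parameters and return how many rows now carry
    that exact number; the value is stored as a plain string."""
    conn.execute("INSERT INTO accounts VALUES (?, ?)", (number, owner))
    row = conn.execute(
        "SELECT COUNT(*) FROM accounts WHERE number = ?", (number,)
    ).fetchone()
    return row[0]


def demo():
    """Run both lookups on an honest and on a hostile account number."""
    conn = make_db()
    # The textbook tautology: concatenated, it turns the WHERE into
    # number = '' OR '1'='1' and matches every row.
    hostile = "' OR '1'='1"
    return {
        "honest_concat": lookup_concat(conn, "1002"),
        "honest_param": lookup_param(conn, "1002"),
        "hostile_concat": lookup_concat(conn, hostile),
        "hostile_param": lookup_param(conn, hostile),   # treated as a literal
        "stored_literal": insert_param(conn, "; drop database", "zygo"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated lookup leaks every owner on the hostile input, while the parameterized lookup returns nothing because no account number literally equals `' OR '1'='1`; the last entry shows the bank-statement joke in practice, a row whose number is the string `; drop database`.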
  • Zygo 2007-08-23 14:33
    ratsbane:
    And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.


    Parameterization can be slower than concatenation:

    1. Sometimes an extra round-trip to the server is required to generate the parameterized query handle, so if you are only going to execute the query once it is probably faster to concatenate strings (unless the string is huge and full of escape characters, or your RDBMS's query parser is extremely slow).

    2. Some RDBMS query optimizers only optimize the parameterized query, and lose opportunities to optimize for specific constant values. For example if a CHECK constraint on a table makes a particular parameter value impossible, then the optimizer may figure out that specific parameter values are impossible and optimize the entire query out of existence--but it can't do that if it doesn't know what the parameter value is.

    3. Some client toolkits implement parameterized queries in O(n^2) time on the number of parameters. String concatenation, if done correctly, runs in O(n) time. If there are many parameters and they're mostly small integers or short strings, the parameterization and data marshalling cost can exceed the benefit, especially in cases like multi-row INSERTs.

    4. Some (evil or broken) client toolkits implement parameterized queries by client-side escaping and concatenation. If you can't upgrade the client toolkit, and you're not trying to be portable, it's probably going to be faster to do the escaping and concatenation yourself.
  • Zygo 2007-08-23 14:33
    Chris:
    If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.


    If the someone is a lawyer, then it's certainly possible. It would depend on which word was missing.

    My lawyer: "My client pleads guilty, your honor."
    Me: "Missing word! You're fired!"
    My lawyer: "I only missed out one word! I really hope I never have to work for you again."
    Me: "NOT guilty! I want to plead NOT guilty!"
    Judge: "Too late." <strikes gavel> "Ha ha."
    Me: "Crap!"
  • tieTYT 2007-08-23 14:34
    Cloak:

    First, fuck Java! You need a 200 MB Java engine running in the background just to get that stuff done. And that with some 30% more code to write. You end up with a slow program that still needs at least some 100 MB on the client just for outputting "Hello World". Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.
    Second, there should be an option to see useful debugging information for everything not just SQL.
    If you think the size of the "executable" and the amount of RAM the application takes up is top priority... we have different priorities. Sorry, but I don't write code for cell phones or hardware. The code I write can easily handle those requirements.
  • Doug Renner 2007-08-23 14:45
    Something similar happened to me with a Calculus final exam.

    They couldn't believe I could compute simple third order definite integrals in my head, presumed I was cheating, and disqualified my test.

    Only the professor could change the exam results, and since he was on vacation this ridiculous result was permanent.

    I dropped out after that, and never regretted it.
  • lucius 2007-08-23 15:00
    Goodness! An educated programmer gives a quality response and is shut down. That's pathetic. Makes me then wonder why they would ask via e-mail...
  • Q 2007-08-23 15:25
    That is one pitiful, uncommitted recruiter. If I had a client hit me with a concern like that about one of my candidates, my reaction would be "okay, here's his phone number, call him and ask him another question!"
  • The DOg 2007-08-23 15:37
    The answer was boring and unimaginative...no elan in the delivery...drone-like repetition of something memorised. Who wants a geek like that working for them...
  • AdT 2007-08-23 15:37
    Zygo, you are conflating parameterized with prepared queries. To my knowledge, points 1 and 2 apply only to prepared queries, not all parameterized queries. Not that I would think they were particularly relevant in any case. I only use command preparation when I have good reason to believe the command will be used numerous times. In this case, the extra work required for the one-time preparation is outweighed by the time saved on every single execution.

    Zygo:
    3. Some client toolkits implement parameterized queries in O(n^2) time on the number of parameters. String concatenation, if done correctly, runs in O(n) time.


    This is tantamount to saying that some ways to handle query parameters are broken, while some ways to concatenate strings are not. It's an irrelevant tautology.

    My suggestion would be to use parameterized queries and a sane client library. It is possible.

    Zygo:

    4. Some (evil or broken) client toolkits implement parameterized queries by client-side escaping and concatenation. If you can't upgrade the client toolkit, and you're not trying to be portable, it's probably going to be faster to do the escaping and concatenation yourself.


    Faster maybe, but less maintainable, less reusable and more error prone. Even if performance considerations should override all these objections, you should rather use a better client library.
  • Pidgeot 2007-08-23 15:57
    Zygo:
    Cloak:
    Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.


    Holy shit...

    puts("Hello, World!\n") in C (GCC 4.1, default compile options): 7021 bytes.

    Same source code compiled with C++: 7486 bytes.

    std::cout << "Hello, World!\n" in C++: 8477 bytes.

    Statically linked: 495K, 557K, and 1186K, respectively.

    Recompile in C++ with coverage analysis, profiling, debugging, inline functions, exceptions, RTTI, and unrolled loops: 1234K.

    Delphi produces a 5MB executable. Presumably you're not building Delphi apps with options intentionally chosen to produce the largest possible exe, so we're comparing the 8K executable with a just-less-than-5MB one.

    WTF is the just less than 5 MB for?


    C:\tmp>type hello.dpr
    program Hello;

    begin
    Writeln('Hello, World!');
    end.

    C:\tmp>dcc32 hello.dpr
    Borland Delphi for Win32 compiler version 17.0
    Copyright (c) 1983,2004 Borland Software Corporation
    hello.dpr(6)
    7 lines, 0.08 seconds, 10476 bytes code, 1797 bytes data.

    C:\tmp>dir hello.exe
    (...)
    23-08-2007 21:47 15.360 hello.exe

    Native Win32, no need for any kind of libraries. So we're really comparing your 495K+ to 15K. ;)

    The point is that you might want to review what a GUI is, because your example isn't. (Even so, 5MB gets you quite far in Delphi - I think the minimal GUI app that doesn't rely on Win32 is 3-400KB, depending on version)
  • jbrock 2007-08-23 15:57
    weak. man that sucks


    Weak man
    very weak
  • Molly 2007-08-23 16:14
    What she said is legally actionable. Peter can sue for damages.

    If he can prove that his blurb on concatenation was original, he can get that company (or at least its HR department) in a lot of trouble. Essentially what they did was to assume fraud when there was none.
  • gus, the 2007-08-23 16:47
    that's boneheaded! what - you can anticipate the exact wording of all your sql queries? if you don't know how to filter data before putting it in a sql query, you probably should be asking people if they want fries with the products you deliver.

    and my captcha was bathe - what, do Labtec webcams have odor analyzers now?
  • Zygo 2007-08-23 16:58
    AdT:
    Zygo, you are conflating parameterized with prepared queries. To my knowledge, points 1 and 2 apply only to prepared queries, not all parameterized queries.


    Thanks, I forgot about those...

    5. You could be using an (evil or broken) toolkit where the only way to bind variables to a parameterized query is to create a temporary prepared query object, then call bindValue() on the prepared query object.

    6. You could also be using an embedded SQL system which can't avoid preparing any queries that aren't of the form "execute(string_variable)". "Embedded" here means the old-school technique of writing "SELECT INTO cVar * FROM FOO;" in the middle of C code, then running the source through some kind of preprocessor which replaces the SQL statements with machine-generated C code.

    AdT:
    My suggestion would be to use parameterized queries and a sane client library.


    Yes. Often it's possible to make your program go faster or be more maintainable by avoiding utterly lame technology in your dependencies. But that's an irrelevant tautology too.
  • quake 2007-08-23 17:06
    My Real Experience.

    Along with my diploma thesis, I had another task: to translate a lengthy article (actually I realized afterwards that it was a big chapter from a book) from English to my native language. I worked very hard on it.

    And when I submitted my work, the guy said that he suspected the translation was from the internet, i.e., plagiarized.

    That guy was a professor; I didn't know him before that. Immediately, my respect for him went away, down to hell.
  • Turtle 2007-08-23 17:17
    The problem with the dude wasn't his answer. Following most methodology used by interviewers, the proper way to test for plagiarism is to do a follow-up interview.

    I believe the root of the dude not getting the job was because the employer already had their heart on hiring someone else. The excuse that they used to justify their means of not "wasting their time" interviewing someone they don't want to hire is to say that his answer was plagiarized. By saying that, others involved in knowing about the interview will believe that their manager is weeding out loser "plagiarists". Obviously the manager doesn't want to be seen by people around him/her as "unfair" and not giving everyone "an equal chance" because that can cause tension. The most beneficial way, from the manager's perspective, is to simply make a false excuse of "plagiarism".
  • EllisGL 2007-08-23 17:33
    What's wrong with doing it this way? (I can read it just fine. =))

    if(!is_int($_POST['pid']))
    {
    die('How dare you stick a non integer in there!');
    }

    $sql = 'SELECT `id`, `var`, `text` FROM `table` WHERE
    `whatever` = \''.mysql_real_escape_string($_POST['monkey']).'\' AND `pid` = \''.$_POST['pid'].'\' LIMIT 1';



    captcha: burned
  • poochner 2007-08-23 17:40
    Molly:
    What she said is legally actionable. Peter can sue for damages.

    Only if there were damages. Slander and libel tend to get under that "no harm, no foul" category. If they never told anyone other than him (i.e., never told another hiring manager or wrote it on his resume) then it's not slander in the first place. OTOH, if they have a website where they make their evaluations available (can you say "idiots"?), they could be hosed.
  • JohnFx 2007-08-23 17:53
    Molly:
    What she said is legally actionable. Peter can sue for damages.

    If he can prove that his blurb on concatenation was original, he can get that company (or at least its HR department) in a lot of trouble. Essentially what they did was to assume fraud when there was none.


    Uhh. No. Just no. Go back to programming and leave the legal advice to the professionals.
  • JohnFx 2007-08-23 17:56
    You might have been better off using the SCIgen Automatic CS Paper Generator. (http://pdos.csail.mit.edu/scigen/) for the lazy reader, these are pretty convincing!
  • David 2007-08-23 17:58
    I always thought the best way to avoid SQL injection in PHP was to write in Perl :-) Not forgetting to set -t (taint).
  • Greg 2007-08-23 18:00
    I would've been soooooo pissed. WTFFF
  • Peter B. 2007-08-23 18:01
    Hey guys, it's me again. Back here because of the Digg attention.

    First of all, you have to understand that this specific event took place early in March of 2005. It's a new story to all of you, but until a buddy emailed me yesterday, I had forgotten I even submitted the story to wtf (which was done many months ago when this was still thedailywtf).

    Regarding libel. Technically it never could have been libel, I was told this over the phone, so slander would have been my option. But with no decent way to prove it, there was no point in going to that much hassle. Our culture is too trigger-happy with lawsuits as it is.

    I'm now the Sr. Software Engineer at a top marketing agency, so don't worry about my employment status as a result of this tale =P

    Also, some of you may remember me as the developer of fValidate, a now long-defunct javascript library for "validating" forms.

    Anyway, carry on =)

    captcha: waffles. mmmmm, yum!
  • KhAoZ 2007-08-23 18:25
    Well I definitely wouldn't hire you if you made such a stupid comment. Just because you're using dynamic data in SQL queries does not mean SQL injection 100%. If you code your program safely (i.e. escaping characters), then your SQL queries with dynamic data will be fine.
  • Mikey 2007-08-23 19:09
    Well I think Peter deserved the job, I think next time just answer the question without expanding on it.

    You can come work for me at www.WhichWebsite.com
  • Q Wang 2007-08-23 19:26
    I think he did a better job demonstrating his ability to write clearly and cohesively. That's a fine piece of writing of a caliber you don't normally see in many programming tutorials.
  • Franz Kafka 2007-08-23 20:01
    Random832:
    Franz Kafka:
    The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_-@ ]+$ and you'd be proof against sql injection.


    right, and useremailaddr can be checked against

    <bigass regex>



    fail. user email address can't be represented with a regex. you could parse them with a grammar if you like, or just remove anything potentially hazardous.
  • Paul 2007-08-23 21:26
    Sounds like it would have been a boring job anyway
  • V 2007-08-23 21:46
    English is not my native language so bear with me here...

    I think it actually sounds more like a textbook answer than a response to a job interview question. The answer sounds like someone teaching someone else something.

    Not going into the technical details, there are just too many "you" used in the write-up.

    The question asked for a demo of your skill, hence instead of sounding like a teacher, he should have sounded like a demo. The first round of review of this answer would likely be HR staff who won't really understand PHP anyway; might as well make the write-up sound soooo difficult, hence discouraging them from even reading past the 2nd line.
  • Josh 2007-08-23 22:47
    HR people are the worst to do interviews, especially concerning IT
  • Professional 2007-08-24 00:12
    I would have hired the guy.... Based on his answer I can tell that he seeks a challenge and would be the type of developer that works well in a team. The simple fact that he went beyond a simple answer tells me that he would go above and beyond simple tasks that would be assigned to him.

    And as far as the preventing against the whole sql injection thing.... I would have just used Coldfusion.
  • Khushi 2007-08-24 00:26
    :) i love the last line........
  • ub 2007-08-24 00:46
    M Diamond:
    The second-most ridiculous aspect is that if they choose not to trust the results from the screening question in a case like this, then a moment's thought would have revealed to them that they need a new pre-screening process. The old one is unable to distinguish between someone ignorant but unscrupulous and someone extremely knowledgeable. That's about as broken as you can get.


    +5 on that one! I couldn't agree more.
  • Kuba 2007-08-24 00:50
    rbowes:
    The next year, my friend took the course. Apparently, when given the paper, they were told "No more than 10 pages. Last year, we had an issue with some plagiarism." Apparently, although she couldn't prove it, the prof thought my paper had been plagiarized!


    That prof needs an attitude adjustment. What sort of a scientist/researcher is she if she'll believe her own preconceived ideas more than hard facts? You have a bright student, get over it, idiot...

    Sighs in disbelief...
  • Kuba 2007-08-24 01:10
    Martin Ritchie:
    Oddly similar to a question I used to ask during interviews:
    Please write a C# function to concatenate 3 strings.

    For example the function would be passed "Martin", "Donald", "Ritchie" and should return "MartinDonaldRitchie".

    I would ask them to write the answer on a piece of paper. Only about one third of the interviewees were able to answer it. Even after saying that I accepted answers in vb c++ or any other language if they were not familiar with c#.


    Thank $DEITY there's someone else who thinks (like me) that programming recruits are actually supposed, to, you know, have a clue about programming.

    Thank you again.
  • Irrelevant 2007-08-24 07:54
    The issue with PHP and parametrised queries isn't that you could always do them, it's that the setup that came bundled with PHP couldn't until PHP5.

    If you bundle one particular module and not another, Joe User is gonna use the one you bundled. It'll improve portability by eliminating an "unnecessary" dependency, and many would assume that you, as the maintainer of your project, are knowledgeable enough about it to pick the best module for the task.

    And "oh, it's fine, we're bundling the functionality now" doesn't magically fix everything. There's a lot of legacy projects, and PHP programmers who've learnt bad habits, and they're not gonna disappear overnight.
  • Nathan 2007-08-24 09:28
    EllisGL:
    What's wrong with doing it this way? (I can read it just fine. =))

    if(!is_int($_POST['pid']))
    {
    die('How dare you stick a non integer in there!');
    }


    is_int() tests the internal variable type; it doesn't actually check the value to see if it's an integer:

    is_int("10") // returns false; "10" is a string.
    is_int( (int)"foo" ) // returns true; typecast converts to int value 0

    To actually test, you have to do a regex, i.e.:

    if( preg_match('/[^0-9]/', $_POST['pid']) )
    die('PID must be an integer.');

    Nathan
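The "default deny" allowlist idea from earlier in the thread and Nathan's integer check above, side by side as an added example (Python, not code from the thread). Three validators run over a constructed set of form values: Nathan's reject-on-non-digit test, a `^...$` allowlist, and a whole-string allowlist. The inputs are invented for the example; the point is which edge cases each one lets through.

```python
import re

# Constructed test inputs (not from the thread): what a form field might really send.
CASES = ["10", "", "10\n", "-1", " 10", "1e3", "0x1f", "10 OR 1=1"]

# Looks fully anchored, but in Python (as in PCRE without the D modifier)
# '$' also matches just before a trailing newline.
DOLLAR_RE = re.compile(r"^[0-9]+$")
DIGITS_RE = re.compile(r"[0-9]+")


def blacklist_check(value):
    """Nathan's test: reject if any non-digit character appears.
    Nothing is rejected in the empty string, so '' passes."""
    return re.search(r"[^0-9]", value) is None


def dollar_anchored_check(value):
    """Allowlist with ^ and $: correct except that '10\\n' slips through,
    because $ accepts a final newline."""
    return DOLLAR_RE.match(value) is not None


def strict_check(value):
    """Default deny done carefully: must be a str, non-empty, and every
    character must be an ASCII digit. fullmatch anchors at both real ends."""
    return isinstance(value, str) and DIGITS_RE.fullmatch(value) is not None


def compare():
    """Map each input to (blacklist, dollar_anchored, strict) verdicts."""
    return {
        v: (blacklist_check(v), dollar_anchored_check(v), strict_check(v))
        for v in CASES
    }


def parse_pid(value):
    """Validate first, convert second: int() only ever sees data that
    passed the allowlist, so there is no reliance on the converter's leniency."""
    if not strict_check(value):
        raise ValueError("PID must be an integer")
    return int(value)


if __name__ == "__main__":
    for value, verdicts in compare().items():
        print(repr(value), verdicts)
```

Only the empty string and the trailing-newline case separate the three checks, which is exactly why a reviewer looks at those inputs first: the blacklist form accepts `""`, the `$`-anchored form accepts `"10\n"`, and the whole-string form rejects both while still accepting `"10"`.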
  • FredSaw 2007-08-24 10:32
    Kuba:
    Thank $DEITY there's someone else who thinks (like me) that programming recruits are actually supposed, to, you know, have a clue about programming.
    Shortly after I was hired at my present position, I watched as the manager of another development team hired two totally worthless posers in rapid succession. The first one was sent packing after two weeks (he asked a teammate why his VBScript code rendered as text rather than executing in his ASP web page; it was because he had used an .htm extension). The second one was kept for a year, during which time he produced one (count it... one) completed project, which consisted of a single web page which accepted user input and emailed it to a specified address. Even this one app was so terrible that we scrapped his work and started over from scratch after they finally fired him. We all knew that the reason he was kept for a year was so that the manager who hired him would not look incompetent for having hired two losers in a row.

    I knew how those guys got hired. It was the same way I did; the interviewer sat and chatted with them for an hour trying to "get a feel for their skills".

    Eventually I became an interviewer, and the first thing I did was put together a test consisting of simple questions that would allow the interviewee to demonstrate elementary skills in C#, ADO.Net, SQL, Javascript and HTML. A couple of examples:

    Table Customer has 3 fields (CustID, FirstName, LastName). Table Order has 4 fields (OrderID, CustID, PartNo, Qty). There is a foreign key constraint in place between the Customer and Order tables on the CustID field. Write a query that returns all the Order records for customers with a last name of "Jones".
    And...
    Can you open a new browser window from within server-side code? How would you do this, or if no, why not?
  • AdT 2007-08-24 11:05
    Zygo:
    Thanks, I forgot about those...

    5. You could be using an (evil or broken) toolkit where the only way to bind variables to a parameterized query is to create a temporary prepared query object, then call bindValue() on the prepared query object.

    6. You could also be using an embedded SQL system which can't avoid preparing any queries that aren't of the form "execute(string_variable)". "Embedded" here means the old-school technique of writing "SELECT INTO cVar * FROM FOO;" in the middle of C code, then running the source through some kind of preprocessor which replaces the SQL statements with machine-generated C code.


    You still forgot

    7. You could get lost in handwaving and speculation as you try to argue against parameterized queries in futility.

    Zygo:
    Yes. Often it's possible to make your program go faster or be more maintainable by avoiding utterly lame technology in your dependencies. But that's an irrelevant tautology too.


    Too bad it's not lame technology. Parameterized queries are conceptually sound. That there are some lame implementations (not that you actually named any, but I won't base my objections on that) doesn't disprove this in any way.
  • IHaveNoName:-( 2007-08-24 12:49
    Michael McRorey:
    you can use the following:

    <?php
    $sql = sprintf
    (
    "SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC",
    addslashes($User->getID())
    );
    ?>
    you can also use the following if it is a MySQL db:
    mysql_real_escape_string($User->getID())

    sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.


    That's all pointless. Every one of you who is thinking that there is a possible source of SQL injection assumes that getID retrieves tainted data. But there is absolutely no clue that this is tainted data.
    If you use untainted data for SQL generation you don't need to escape it...
  • dpk 2007-08-24 14:48
    You serious? You've never had to take user input and generate a query based on it? I am picturing Jesse's code including tables and tables of millions or billions of queries, one for every possible user input. Heh.

    There's no reason to believe that dynamic data absolutely leads to SQL injection. It would make a good follow-up question, though.
  • Ren 2007-08-24 15:48
    Heh. I seriously feel for whoever they pick out for the job. Anyone who's even tried programming beyond "Hello world" level can answer that. I guess you could say that this is a very advanced screening question: You're looking for someone to do a trained monkey's job for $5 an hour. It's not that you want your "coders" to be stupid, but they shouldn't be *too* bright, right?

    It never occurred to me before, but yes, screening questions can apparently have a lowpass filter as well.

  • Akira 2007-08-25 16:45
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..


    umm.. that's what escaping is for. If you can't enter new data, your application is pretty useless.
  • Mason 2007-08-25 17:50
    That's the issue with:

    A) Managers who aren't programmers and
    B) Recruiters with English majors.

    A programmer with his weight in salt/gold/silver/RAM will have good communication skills, and be able to explain a concept thoroughly and clearly.

    This response had little jargon apart from the expected technologies associated with PHP... "query", "SQL", etc. Problem is, if a recruiter/screener/manager was told that concatenation is "the joining of two sequences of characters", his response looks like an encyclopedia.

    That's just crazy.

    http://www.vazav.com
  • Per 2007-08-25 19:33
    Well his code is fine. Let me quote from php.net:

    "The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this."
  • ATC 2007-08-25 20:19
    Yeah, that's how it is. Because if you are too good, you're going to make others look dumb and probably desire a higher salary when you realize that your co-workers are idiots.
  • Ron 2007-08-26 10:29
    With only 30 seconds... he did plagiarize it. He may have known the answer. As a programmer myself, concat is a very easy thing to describe. But I don't know anyone that could give that detail in 30 seconds. Cut and paste he did. He should have just said, 'using a concat operator to combine two strings.'
  • andr3w 2007-08-27 09:50
    It is easy to check if the answer has been plagiarized - just take a phrase from the text you suspect and google it. In this case "sequentially join multiple pieces" is enough.
    I regularly check my students' work. A phrase of four uncommon words is normally sufficient to find the source.
  • Cloak 2007-08-27 11:39
    Zygo:
    Cloak:
    Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB.


    Holy shit...

    puts("Hello, World!\n") in C (GCC 4.1, default compile options): 7021 bytes.

    Same source code compiled with C++: 7486 bytes.

    std::cout << "Hello, World!\n" in C++: 8477 bytes.

    Statically linked: 495K, 557K, and 1186K, respectively.

    Recompile in C++ with coverage analysis, profiling, debugging, inline functions, exceptions, RTTI, and unrolled loops: 1234K.

    Delphi produces a 5MB executable. Presumably you're not building Delphi apps with options intentionally chosen to produce the largest possible exe, so we're comparing the 8K executable with a just-less-than-5MB one.

    WTF is the just less than 5 MB for?


    This post was to criticize Java, not a reasonable language. Delphi will for sure not produce a 5MB .exe to output "Hello World". I was talking/writing about an entire application and how much memory this will approximately need. A Java executable might "need" less, but the fact that you have to run at least 100MB of Java engine stuff, that was the point.
    And, of course, using C++ should consume even less than 5MB as you tried to point out (though >1MB for "Hello World" is a WTF on its own), but it is less comfortable to write this in 10 seconds.

    QED
  • Cloak 2007-08-27 11:43
    Zygo:
    ratsbane:
    And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.


    Parameterization can be slower than concatenation:

    1. Sometimes an extra round-trip to the server is required to generate the parameterized query handle, so if you are only going to execute the query once it is probably faster to concatenate strings (unless the string is huge and full of escape characters, or your RDBMS's query parser is extremely slow).

    2. Some RDBMS query optimizers only optimize the parameterized query, and lose opportunities to optimize for specific constant values. For example if a CHECK constraint on a table makes a particular parameter value impossible, then the optimizer may figure out that specific parameter values are impossible and optimize the entire query out of existence--but it can't do that if it doesn't know what the parameter value is.

    3. Some client toolkits implement parameterized queries in O(n^2) time on the number of parameters. String concatenation, if done correctly, runs in O(n) time. If there are many parameters and they're mostly small integers or short strings, the parameterization and data marshalling cost can exceed the benefit, especially in cases like multi-row INSERTs.

    4. Some (evil or broken) client toolkits implement parameterized queries by client-side escaping and concatenation. If you can't upgrade the client toolkit, and you're not trying to be portable, it's probably going to be faster to do the escaping and concatenation yourself.


    Use stored procs for f***'s sake. 6 pages of comments, all about parametrized queries. But none of you high-level-top-gurus ever thought of stored procedures. It's a shame.
  • http://resh.im 2007-08-27 13:38
    Thanks for this cool piece of info.
  • bahodir 2007-08-27 16:20
    don't worry Peter, i'll give you a job (lol)
  • Rahul 2007-08-28 00:31
    A recruiter rejected me because I fell short of bits in my programming experience. She asked me how many bits of programming experience I had. When I asked what she meant, she asked whether I had programmed in more than 16 bits. Thinking that this was a hopeless place, I joked that I had programmed in 23 bits max and was trying to get my 24th bit. She didn't understand the joke and said the minimum bits required for the job was 32.
  • apos 2007-08-29 14:27
    Hmmmm nice fake story

    a) Rejections always come through emails.
    b) Even if the HR person called, she wouldn't have mentioned the real reason why he didn't get the job, because they can never be 100% sure, so it would be highly offensive for the applicant in the case of a wrong accusation.

  • tieTYT 2007-08-29 14:34
    Cloak:

    Use stored procs for f***'s sake. 6 pages of comments, all about parametrized queries. But none of you high-level-top-gurus ever thought of stored procedures. It's a shame.


    Every guru (and I don't consider myself one) knows that this is a religious debate. Some say use them, some say don't. I personally don't like to use stored procs if I don't have to. First of all, the stored proc language of database X usually sucks. Second, the code will almost never be portable to database Y. Third, it's yet-another-language-to-learn, which makes your app harder to grok.
  • Elliotte Rusty Harold 2007-08-30 09:50
    What most folks are missing here is that it's not merely that the answer is correct and complete; it's that it's well-written. Relatively few programmers have this level of facility with the written language. Written communication skills are severely undervalued in our profession, but they're very important.

    If I received this answer from a job applicant, I would Google a few phrases to see if it seemed to be plagiarized from somewhere. However, assuming it wasn't, that candidate would be rated much more highly than one who merely knew the correct answer.
  • omfg. 2007-08-30 15:34
    I'm in the wrong industry. I hate computers.
  • Dallas Freeman 2007-09-03 18:14
    OMG, bad luck buddy. I didn't see that one coming.
  • Gilles 2007-09-06 09:56
    It reflects pretty well the sad state of IT recruitment. Bounty-driven recruitment agencies are the industry's number one plague.

    People who don't understand a thing about IT are making decisions on who gets through these screening processes.

    You end up as a candidate with your CV not even reaching employers that have positions that fit you perfectly because "you're missing one keyword". And as a company you end up receiving people for interviews that don't fit your profile at all, but that made it through the net by bloating their CVs with exaggerations.

    It's so revealing when "head hunters" call you for a position. During the part of the conversation that makes you look like the ideal candidate you can hear the "sweet, I'm getting my $1000 bounty today" tone of voice. But as soon as you don't tick one of their key points you're treated as a second-class citizen and you never hear from them again.

    I loathe incompetent recruitment agencies.
  • Jeff Barron 2007-09-16 15:55
    Chris:
    Jesse:
    WTF:


    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.


    Can I say SQL injection? That would be why I wouldn't have hired him..

    Oh piss off!

    The guy can stretch what is a very simple concept of concatenation into many paragraphs, including the syntax of other languages and a common SQL example. He even gave an example of $User object, all of which shows he's at least half way competent.

    While I wouldn't automatically assume he was aware of preventing SQL injection, I wouldn't automatically dismiss him for not knowing about it simply because he didn't mention it here.

    If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.


    SQL injection is very serious and I certainly wouldn't have dismissed the candidate, but I'd make a note to have a talk with him about the issue just in case he wasn't familiar with the threat. But if they thought he copied his answer or it was just too "ingenious" for him to come up with on his own, then the guy is way better off for ignoring such an ignorant company. Probably a spam agency, porn site or viagra dealership. lol.

    Jeff
  • Mkdir 2007-09-19 14:10
    Once in an interview I was actually asked to define what string concatenation was and I laughed out loud. Once I contained myself, I asked if they were really serious about that question and they responded that they were. Of course I answered and after getting the job, one of the interviewers said that my disbelief about something so simple was exactly what they were looking for.

    As a side note, that also was the interview that I went through half of with my fly open. Thankfully they didn't notice and I was able to discreetly zip up while pulled up to the table.

    Ahhh, memories.
  • Kalaith 2007-09-20 05:31
    All stuff I know,

    but I can't answer questions that well thought through *claps*

    My answer would have been along the lines of
    "joining two strings together" like
    "hello" + "World"

    lol
  • Fuck Yeah 2007-10-28 21:13
    Horseonovich:
    Those Guys are Assholes


    Fuck Yeah
  • Nico 2007-11-03 14:25
    Hahaha, I knew that he would be rejected. Too complicated an answer.
  • john celenza 2007-11-20 11:42
    Plagiarizing is a valuable talent. At least twenty percent, if not more, of any code I produced has been lifted from earlier work or the internet. If a company is big on paying for wheel reinvention, you have to wonder about the company.
  • ginger 2007-12-04 14:17
    It's a good job!
  • Yanman 2008-01-08 09:04
    "on a PB349 microprocessor, if memory address 0xa9f00c contains a MOV instruction to memory address 0x8ad9da, what is the magnetic force dispensed by a 64KB memory module for the next 600 instructions?


    Around 0.83E^-10 Newton.
  • Brunty 2008-01-23 19:01
    I can honestly say I'm shocked, "They think you plagiarized it. I'm sorry." - they've got no definite proof - but I think Peter's better off without that company!
  • Kireas 2008-02-27 13:46
    ...I honestly can't think how I'd make a script work without dynamically driven data. I'm not a professional (i.e. I don't get paid), so perhaps that's it.

    But why don't you think before you say something like that? Can't you sanitize the data before putting into the query? I know I can.
  • Brandon 2008-04-10 15:49
    Dwayne:
    Jesse:
    WTF:

    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    Can you say "string escaping"? Preventing injection attacks is roughly as difficult as sitting on a couch.


    Can I say *insert spiffy new string lingo*? *Insert spiffy explanation while laying on the sarcasm so that the previous poster feels stupid*
  • maomwl 2008-05-31 00:07
    Well, perhaps if he had explained the uses more in the context of "how he had used it in the past", it would dispel suspicions that he just plagiarised it...
  • me 2010-09-07 12:32
    Good answer, but your query is open to SQL injection.
  • HonoreDB 2010-12-30 15:46
    The answer is not open to SQL injection. It's concatenating in a server-side variable, and there's no reason to assume user ids can be arbitrary strings.
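  • Editor's note
    Whether the concatenated query in the interview answer is exploitable comes down to what can reach the string, which is what the exchange above (Jesse, Jeff Barron, Brandon, "me", HonoreDB) circles around. The following is an added example, not code from the original answer or from any commenter: it runs the same lookup four ways against a constructed three-row SQLite table, using Python's standard sqlite3 module. Raw concatenation of a string id lets the payload rewrite the WHERE clause; doubling single quotes (Brandon's "string escaping") defuses this particular payload; forcing the value to an integer first (HonoreDB's point that ids need not be arbitrary strings) leaves nothing for an attacker to inject; a parameterized query removes the question entirely. The table, column names and payload string are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data (not from the original post): a three-row users table.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# A classic tautology payload; the single quote closes the literal the
# concatenating code opened, and the OR makes the predicate always true.
PAYLOAD = "1' OR '1'='1"


def make_db():
    """Return an in-memory SQLite connection populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, user_id):
    """The pattern from the interview answer: the id is spliced into the SQL
    text. Whatever user_id contains becomes part of the statement."""
    sql = "SELECT name FROM users WHERE id = '" + str(user_id) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, user_id):
    """Same concatenation, but every single quote in the value is doubled,
    which is the SQL rule for embedding a quote inside a string literal.
    This stops the payload above; it protects only values that sit inside
    quoted literals, so it is a narrower tool than a bound parameter."""
    literal = "'" + str(user_id).replace("'", "''") + "'"
    sql = "SELECT name FROM users WHERE id = " + literal
    return [row[0] for row in conn.execute(sql)]


def lookup_concat_int(conn, user_id):
    """Concatenation after forcing the value to an integer. int() raises
    ValueError on anything that is not a whole number, so no SQL
    metacharacter can reach the statement. This is why a concatenated id
    that has really been validated as numeric is not injectable."""
    sql = "SELECT name FROM users WHERE id = " + str(int(user_id))
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_id):
    """Parameterized query: the value travels separately from the statement,
    so the database never parses user input as SQL, whatever it contains."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("concat, legitimate id :", lookup_concat(db, 1))
    print("concat, payload       :", lookup_concat(db, PAYLOAD))   # every row leaks
    print("escaped, payload      :", lookup_escaped(db, PAYLOAD))  # no match
    print("param, payload        :", lookup_param(db, PAYLOAD))    # no match
```

    The integer-cast variant matches HonoreDB's reading of the answer, but only if the validation is actually in the code path; the parameterized form does not depend on anyone remembering it.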
  • someone 2011-12-13 07:33
    My way of preventing SQL injection
    is to prevent the ' and " from even making it to the query!
    e.g.:
    Say your db table looks like this:
    +----+------+
    |USER|PASSWD|
    +----+------+
    |JOE |<sha2>|
    |JOHN|<sha2>|
    +----+------+

    (replace <sha2> with an sha2 hash of their password)
    In books they tell you to do it this way (my SQL is a little rusty, forgive me for that):

    $sql = "SELECT USER FROM USERS WHERE PASSWD=SHA2('$password', 256) AND USER='$username'";

    While I usually do (the table has an added column containing an sha2 hash of the username called HASHUSER):

    // this is PHP; $mysqli is an already-open mysqli connection
    $hashuser = hash('sha256', $username); // hash('sha256', ...) is the sha2 function, which I'm not feeling the need to discuss (it's pretty obvious)
    $hashpass = hash('sha256', $password);
    $sql = "SELECT USER FROM USERS WHERE PASSWD='$hashpass' AND HASHUSER='$hashuser'";
    // run the query; a successful login yields exactly one row, whose USER column is the stored (unhashed) name
    $result = $mysqli->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    if ($row !== null && $row['USER'] === $username /* and some other login logic (user privs, already logged in?, etc.) */)
    {
        // do stuff because we're logged in!!!
    }
    else
    {
        // do stuff when login fails
    }

    See? No bad chars make it to the SQL query, only sha2 hashes.
    And as double safety, the input username has to match the unencrypted one retrieved by the query (so collisions are also taken care of).
    That and other custom (as in: case specific) logic make logins secure (that and a good SSL connection, verified before even attempting a login or showing a login box).
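  • Editor's note
    The scheme in the comment above relies on one property: a hex digest contains only [0-9a-f], so no quote or comment marker can survive the hash and reach the statement. The following is an added example, not the commenter's code, that reproduces the approach in Python against a constructed two-account SQLite table so the property can be checked rather than assumed: the query text is built exactly as the comment builds it, an explicit regex guards the hex-only assumption, and the commenter's second check (the stored USER must equal the submitted name) is kept. The table layout follows the comment; the account names, passwords and the hashlib/sqlite3 stand-ins for the PHP helpers are assumptions made for the illustration.

```python
import hashlib
import re
import sqlite3

# Every SHA-256 hex digest is exactly 64 lowercase hex characters; this is
# the invariant the whole scheme depends on, so it is checked, not assumed.
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha2(value):
    """SHA-256 hex digest, standing in for the commenter's sha2() helper."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def make_db(accounts):
    """Build the USER / HASHUSER / PASSWD table from (username, password)
    pairs. Constructed fixture; the inserts use bound parameters because
    the point under test is the login query, not the setup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (USER TEXT, HASHUSER TEXT, PASSWD TEXT)")
    for user, password in accounts:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (user, sha2(user), sha2(password)))
    return conn


def build_login_sql(username, password):
    """The commenter's construction: hash both inputs, then splice the
    hashes into the SQL text. The regex check makes the 'only hex reaches
    the query' claim fail loudly if a different digest encoding were ever
    substituted (e.g. raw bytes or base64, which can contain quotes or
    other metacharacters)."""
    hashuser, hashpass = sha2(username), sha2(password)
    if not (HEX64.match(hashuser) and HEX64.match(hashpass)):
        raise ValueError("digest is not plain hex; refusing to build query")
    return ("SELECT USER FROM users WHERE PASSWD='" + hashpass +
            "' AND HASHUSER='" + hashuser + "'")


def login(conn, username, password):
    """Return True only if exactly one row matches both hashes and its
    stored USER equals the submitted name (the commenter's double check)."""
    rows = conn.execute(build_login_sql(username, password)).fetchall()
    if len(rows) != 1:
        return False
    return rows[0][0] == username


if __name__ == "__main__":
    db = make_db([("JOE", "hunter2"), ("JOHN", "correct horse")])
    print(login(db, "JOE", "hunter2"))          # True
    print(login(db, "JOE", "wrong"))            # False
    print(login(db, "' OR '1'='1", "x"))        # False: the payload is hashed, never parsed
    print(build_login_sql("' OR '1'='1", "x"))  # only the four delimiting quotes appear
```

    Two caveats for anyone tempted to generalize this. It works only for exact-match lookups on a value you control the encoding of; anything that must be searched by its real text (a LIKE pattern, a range, a sort key) cannot be hashed first, so bound parameters remain the general-purpose tool. And an unsalted single SHA-256 of the password keeps quotes out of the query but is a weak way to store the password itself; that is a separate problem from injection and the comment does not claim otherwise.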