Keeping It Stupid Simple

  • SteveB 2008-09-15 08:04
    If only he'd read last week's post on SQL injection...
  • amischiefr 2008-09-15 08:05
    Universal Password!!! Brilliant!
  • snoofle 2008-09-15 08:05
    So there is no key and the column "username" has the password.

    Methinks the coder was "simple"...
  • Xeron 2008-09-15 08:06
    If I had goggles, they would do NOTHING.
  • Buggz 2008-09-15 08:07
    I can't remember having seen a stronger invitation for a brute force attack. Logging in using a single piece of input...
  • notme 2008-09-15 08:10
    snoofle:
    So there is no key and the column "username" has the password.

    Methinks the coder was "simple"...


    I think TRWTF was that the actual authentication consisted of redirecting the user to index.php (not exactly a hard-to-guess name, either). He didn't even note down a session variable saying "the user belonging to this session is authenticated" or something to that effect.

    Since the index.php is the page that is normally served by default, I wouldn't be surprised if even non-tech-savvy users could "hack" the site - "hack" as in they won't even notice the site was supposed to be password protected.
  • ph 2008-09-15 08:12
    So I get it right:

    He runs through all usernames, and the last username in the list (in whatever order SELECT returns them) is the password?

    I am impressed.
  • snoofle 2008-09-15 08:15
    ph:
    So I get it right:

    He runs through all usernames, and the last username in the list (in whatever order SELECT returns them) is the password?

    I am impressed.
    That's what I thought; then I read the last line of the post!
  • summerian 2008-09-15 08:17
    He should be the dictionary definition of 'code monkey'.
  • Simple User 2008-09-15 08:17
    Not only is it simple, it is Easy To Use (TM). I so hate it when I have to log in to a site, navigate 20 clicks through some obscure trail, and when I finally get to my favorite page I can't bookmark it because next time the site forces me through all those convoluted steps again!

    This site supports bookmarks! Just login once and no revalidation next time! No wonder he got hired by another company, probably a bank or someone with lots of money to burn.

    On second thought, couldn't be a bank. They couldn't work out how to make a site usable if it was the last step between them and a Congressional bailout!
  • ParkinT 2008-09-15 08:17
    Perhaps the application never gained more than one user.
    Plenty of room for growth!!
  • Gorfblot 2008-09-15 08:18
    ph:
    So I get it right:

    He runs through all usernames, and the last username in the list (in whatever order SELECT returns them) is the password?

    I am impressed.


    Right. You would think this is a WTF, as SELECT without an ORDER BY clause does not guarantee order (As you stated). Except, as there is only a single username in that table, the order is relatively predictable.
  • Smash King 2008-09-15 08:34
    I like how descriptive he gets when naming his variables. Who wouldn't know the meaning of $q and $chumbawumba ?
  • BK 2008-09-15 08:37
    Classic example of bad naming. Had the table been named SingleWebPassword and its single column [password], there wouldn't be a WTF.
  • Stephen Bayer 2008-09-15 08:42
    I call bs on this one.. no one would be that stupid.
  • Smash King 2008-09-15 08:47
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.
    You must be new here. Welcome.
  • java.lang.Chris; 2008-09-15 08:48
    This is exactly why my company rejects job applications from anyone who listens to Chumbawumba. Or the Scissor Sisters. You just can't trust them.
  • dpm 2008-09-15 08:48
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.
    Thank you, I needed a good hard laugh and the OP did not supply one, but you came through.
  • \ 2008-09-15 08:50
    SteveB:
    If only he'd read last week's post on SQL injection...


    If only last week's post read this - no user input gets sent to the query, 100% SQL Injection Proof!

    I'll be using this in all my endeavours.
  • JimM 2008-09-15 08:53
    summerian:
    He should be the dictionary definition of 'code monkey'.
    Nononono - he's only the dictionary definition of a very specific use of 'code monkey'. And frankly, I'd hoped a trained monkey wouldn't write code that bad...

    On the other hand, it does avoid the risk of SQL injection attacks... ;^) EDIT: Goodness, only three other people mentioned that whilst I was posting...
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.
    You're joking. Right? Please tell me you're joking?!? You MUST BE JOKING!?!?!?!?!?
  • java.lang.Chris; 2008-09-15 08:55
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.


    Nope. In a previous system I worked on, the original coder did the following to try and log in a user:


    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;

    boolean login(String username, String password) throws SQLException {
        // c is the java.sql.Connection the class holds. Nothing below is ever
        // closed, so every call leaks a Statement and a ResultSet.
        Statement s = c.createStatement();
        // No WHERE clause: every row of the account table is pulled to the
        // client even though username is indexed.
        ResultSet rs = s.executeQuery("SELECT username, password FROM account");
        while (rs.next()) {
            if (rs.getString(1).equals(username) && rs.getString(2).equals(password)) {
                return true;
            }
        }
        return false;
    }


    The account table had 1.7 million entries, and there was a perfectly good index on the username column. Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
  • JimM 2008-09-15 09:00
    java.lang.Chris;:
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.

    The account table had 1.7 million entries, and there was a perfectly good index on the username column. Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
    On the other hand: SQL Injection proof, AND it checks both the username and password! In the world of WTF, that's a WIN, surely? And we've all seen worse:
    <input type="button" onclick='
        if (document.getElementById("txtpass").value == "mypassword")
            document.location = "mysecretpage.html";' />
  • itsmo 2008-09-15 09:01
    amischiefr:
    Universal Password!!! Brilliant!


    You mean Brillant!
  • eehoo 2008-09-15 09:06
    The real WTF here is the (common) misspelling of Chumbawamba. Who put the U in the wamba?
  • Rob 2008-09-15 09:08
    SteveB:
    If only he'd read last week's post on SQL injection...


    Where do you see the possibility for SQL injection in this code?
  • noone 2008-09-15 09:09
    java.lang.Chris;:
    This is exactly why my company rejects job applications from anyone who listens to Chumbawumba. Or the Scissor Sisters. You just can't trust them.

    I got knocked down by your company.
    But I got up again.
    You weren't ever gonna keep me down.
  • Bejesus 2008-09-15 09:13
    Sadly, that's significantly more elegant than most Single Sign On solutions I've encountered...
  • Bill 2008-09-15 09:21
    Don't knock down this developer. He'll just get back up again, you're never gonna keep him down.
  • summerian 2008-09-15 09:27
    JimM:
    Nononono - he's only the dictionary definition of a very specific use of 'code monkey'. And frankly, I'd hoped a trained monkey wouldn't write code that bad...


    I must agree. Perhaps there should be another term - something like 'code baboon' ...
  • silent d 2008-09-15 09:27
    I get logged out, but I log in again, you're never gonna keep me out...
  • BrianK 2008-09-15 09:29
    To quote a great movie... "INCONCEIVABLE!"
  • Ken B 2008-09-15 09:32
    itsmo:
    amischiefr:
    Universal Password!!! Brilliant!
    You mean Brillant!
    No, he meant "Universal Pbuttword".
  • powerlord 2008-09-15 09:33
    Bejesus:
    Sadly, that's significantly more elegant than most Single Sign On solutions I've encountered...

    Interesting definition of "Single Sign On," though.
  • Smash King 2008-09-15 09:34
    eehoo:
    The real WTF here is the (common) misspelling of Chumbawamba. Who put the U in the wamba?
    The same coder we're bashing did.

    And I don't think it is anywhere near being the real WTF here.
  • java.lang.Chris; 2008-09-15 09:34
    JimM:
    java.lang.Chris;:
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.

    The account table had 1.7 million entries, and there was a perfectly good index on the username column. Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
    On the other hand: SQL Injection proof, AND it checks both the username and password! In the world of WTF, that's a WIN, surely? And we've all seen worse ...


    The reason it came to mind was the same programmer's refusal to use parameterised statements. I spent a long time demonstrating an SQL injection vulnerability to him, and how to avoid them with the JDBC PreparedStatement. However, all that happened was that his code went from:


    Statement s = c.createStatement();
    s.executeQuery("UPDATE foo SET x = " + userSuppliedString);


    to:


    PreparedStatement s = c.prepareStatement("UPDATE foo SET x = " + userSuppliedString);


    At which point I refused to have him work on any of my projects.
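An added example, not code from the original post or from either commenter, that shows in Python with sqlite3 why the "PreparedStatement" rewrite above changes nothing: the statement is prepared only after the user's text has been pasted into it, so that text is parsed as SQL exactly as it was with a plain Statement. The table names, the `vault` table (standing in for any data the caller must not be able to read) and the attacker's input are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed schema for the example: a table the app updates and a
    table holding a value the caller should never be able to read."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, x TEXT)")
    con.execute("INSERT INTO foo (x) VALUES ('old')")
    con.execute("CREATE TABLE vault (secret TEXT)")
    con.execute("INSERT INTO vault VALUES ('admin-api-key')")
    con.commit()
    return con


def update_concatenated(con, user_supplied):
    """The 'fixed' version from the thread: the user's text is concatenated
    into the statement before it is prepared, so the database parses it as
    SQL. Whether the API is called Statement or PreparedStatement (here,
    sqlite3's execute) makes no difference."""
    con.execute("UPDATE foo SET x = " + user_supplied)
    return con.execute("SELECT x FROM foo WHERE id = 1").fetchone()[0]


def update_bound(con, user_supplied):
    """The actual fix: the statement text is constant and the value is
    bound to a placeholder, so it is stored as data and never parsed."""
    con.execute("UPDATE foo SET x = ?", (user_supplied,))
    return con.execute("SELECT x FROM foo WHERE id = 1").fetchone()[0]


# Constructed attacker input: a scalar subquery that copies the secret into
# a column the attacker can read back.
PAYLOAD = "(SELECT secret FROM vault)"

if __name__ == "__main__":
    print("concatenated:", update_concatenated(make_db(), PAYLOAD))
    print("bound:       ", update_bound(make_db(), PAYLOAD))
```

Run it and the concatenated path prints the vault secret while the bound path stores the payload as the literal text it is; the same distinction holds for JDBC's `PreparedStatement` with `?` placeholders and `setString`.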
  • I walked the dinosaur 2008-09-15 09:35
    silent d:
    I get logged out, but I log in again, you're never gonna keep me out...


    LOL!!!!!!
  • I walked the dinosaur 2008-09-15 09:38
    Pissing the WHERE away, pissing the WHERE away!
  • mauhiz 2008-09-15 09:39
    Select comment from COMMENTS;
  • fruey 2008-09-15 09:45
    mauhiz:
    Select comment from COMMENTS;


    Shouldn't that read

    SELECT comment FROM comments WHERE grey_background = TRUE;

  • DaveK 2008-09-15 09:46
    java.lang.Chris;:

    Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
    I do not believe the "S" in "SOL" means what you think it means.

  • Aaron 2008-09-15 09:48
    I'm guessing that it started out with a hard-coded password (possibly even some pathetic JavaScript validation), and somebody told him he should be using a database for authentication, and he didn't really understand what that meant but figured he'd give it the old college try.
  • DaveK 2008-09-15 09:53
    eehoo:
    The real WTF here is the (common) misspelling of Chumbawamba. Who put the U in the wamba?


    JAM TIME! And a-one, and a-two, and a one-two-three-four :

    Who put the bomp in the bomp-a-bomp-a-bomp
    Who put the ram in the ram-a-lam-a-ding-dong
    Who put the bop in the bop-she-bop-she-bop
    Who put the dip in the dip-de-dip-de-dip
    Take it, eehoo!
    eehoo:
    Who put the U in the wa-a-amba?
    Who was that man, I'd like to shake his hand
    ...


  • anne 2008-09-15 09:57
    He didn't even spell "Chumbawamba" right.
  • delenit 2008-09-15 10:07
    fruey:
    mauhiz:
    Select comment from COMMENTS;


    Shouldn't that read

    SELECT comment FROM comments WHERE grey_background = TRUE;


    Don't be silly
    rs = execute("SELECT * FROM comments");
    while(rs.next()) {
    if(rs.get("grey_background") != FILE_NOT_FOUND){
    println(rs);
    }
    }
  • Nobody 2008-09-15 10:11
    Forgetting the login part for a moment, I recognize this pattern. Using a table with one record as a kind of substitute for an Application variable.

    I see this more often than I'd like.
  • Meep3d 2008-09-15 10:11
    $q->query($sql);

    The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?

    I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.
  • M 2008-09-15 10:18
    Stephen Bayer:
    I call bs on this one.. no one would be that stupid.

    I've seen something almost as bad (single user, username and password set to the same string, which was the three-letter acronym for the organization.) The username/password was not intended to provide strong security, just to prevent casual access. The app was internal and read-only, so not as bad as it might sound.
  • Code Dependent 2008-09-15 10:32
    Nobody:
    Forgetting the login part for a moment, I recognize this pattern.
    The Simpleton pattern?
  • java.lang.Chris; 2008-09-15 10:39
    DaveK:
    java.lang.Chris;:

    Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
    I do not believe the "S" in "SOL" means what you think it means.



    Damn shit it does.
  • Kermos 2008-09-15 10:44
    Meep3d:
    $q->query($sql);

    The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?

    I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.


    One convincing reason is that if you ever need to switch databases from MySQL to something else you don't have to rewrite all your code. Assuming that the SQL code is compatible you'd only need to rewrite the class that handles the API access.

    I also do it to simplify a few things. If for instance I know for an undeniable fact I will only receive a single value from a query then my database class has a function that can do exactly that: Return a single value from any given query.

    That takes a whole bunch of MySql function calls and reduces it to a single call from the application. Makes my life a whole lot easier.

    It also simplifies cleanup as the moment my query class goes out of scope it is properly disposed of by the destructor. Same goes for database connections.

    So yea, there are a few reasons to put the API behind another layer. Hopefully however this layer is a layer that makes life easier, not obfuscates things.
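An added example, not Kermos's code, of the kind of thin wrapper described above: one entry point that takes the SQL text and the values separately (so callers have no concatenation path to reach for), a helper for queries that must return exactly one cell, and cleanup tied to a context manager in place of a PHP destructor. Python with sqlite3 is assumed as the stand-in for PHP and MySQL; the table used in the usage at the bottom is constructed for the example.

```python
import sqlite3
from contextlib import closing


class Db:
    """Thin database wrapper: every query goes through execute(sql, params),
    the connection is committed and closed when the 'with' block exits, and
    cursors are closed as soon as their rows have been fetched."""

    def __init__(self, path=":memory:"):
        self.con = sqlite3.connect(path)

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        # Commit only on a clean exit; an exception rolls the work back.
        if exc_type is None:
            self.con.commit()
        self.con.close()

    def execute(self, sql, params=()):
        """Run one statement with bound parameters and return all rows.
        Values never become part of the SQL text."""
        with closing(self.con.cursor()) as cur:
            cur.execute(sql, params)
            return cur.fetchall()

    def scalar(self, sql, params=()):
        """Return the single value a query yields, None if it yields no row,
        and raise if it yields more than one row or column, since silently
        taking the first (or last) row is how the article's code went wrong."""
        rows = self.execute(sql, params)
        if len(rows) > 1 or (rows and len(rows[0]) != 1):
            raise ValueError("query did not yield exactly one cell")
        return rows[0][0] if rows else None


if __name__ == "__main__":
    with Db() as db:  # constructed sample table
        db.execute("CREATE TABLE settings (k TEXT PRIMARY KEY, v TEXT)")
        db.execute("INSERT INTO settings VALUES (?, ?)", ("theme", "dark"))
        print(db.scalar("SELECT v FROM settings WHERE k = ?", ("theme",)))
```

Because `params` is the only way to get a value into a statement, a key such as `x' OR '1'='1` is just a key that matches nothing; the wrapper does not have to sanitise anything.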

  • jkupski 2008-09-15 10:48
    Smash King:
    I like how descriptive he gets when naming his variables. Who wouldn't know the meaning of $q and $chumbawumba ?

    $chumbawumba implies that if your server gets knocked down, it'll get up again, and that, in fact, you're never going to keep it down.
  • YAYitsAndrew 2008-09-15 10:58
    This must have been the login page for the system used by Lehman Brothers to purchase real estate
  • JarFil 2008-09-15 11:03
    Warning: $chumbawumba not equal $mambozambo in wongobongo::bingbing(boom, kaboom, woom)
  • Code Dependent 2008-09-15 11:16
    Kermos:
    Meep3d:
    The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?

    I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.


    One convincing reason is that if you ever need to switch databases from MySQL to something else you don't have to rewrite all your code. Assuming that the SQL code is compatible you'd only need to rewrite the class that handles the API access.
    Exactly. A couple of years back, I inherited an application which I call "the Frankenstein monster". It displays schedule information for multiple operating rooms in multiple hospitals of a large health care system. Display of this information is filtered based on the user's membership in various Active Directory groups.

    When it came to me, the app was several years old and had been maintained/updated by quite a few developers who had come and gone. Originally it had been written for two hospitals, which shared an Informix database. Later it was expanded to include several additional hospitals, some of which used the Informix database and some of which used Oracle; and so the data access section had been cobbled together to perform separate queries and then massage these into a single display. This had been done quite hurriedly, to judge from the quality of the code, which was a sickening spaghetti mess of string manipulation to create SQL queries in-line based on a huge amount of criteria which may or may not have been specified by the user.

    My first assignment was to update the application to add another hospital; one which used a SQL Server database.

    Given the timeline, I had no choice but to go in and copy the style used by my mad scientist predecessors, patching and stitching and hacking until the thing on the slab twitched and shuddered and opened its jaundiced eye. I did so, but I explained to my manager the condition of the application and advised him that it was in dire need of a complete redesign and rewrite from the ground up. He was sympathetic and even went as far as authorizing the project; but it had no champion and was shelved as soon as something more important came up.

    Fast-forward a year: the Informix database is being dropped and its data moved to the Oracle database. This means that all but one of the hospitals will now be using Oracle, with SQL Server the odd one out. At this time the application owners presented us with a request for some fairly extensive revisions to the data being displayed and to the UI. The project was fired up again, this time with a little muscle behind it, and I got the go-ahead to focus on abstracting the data access layer.

    What does all this have to do with the quotes above? My point is that abstracting the data access will prevent the necessity of hacking and patching the application in the future event of more database changes. Suppose they merge the SQL Server data into Oracle? Suppose they add a hospital that uses MySql? It should only be necessary to rework the data access layer. The application should never even know which database is being accessed. It sends a request based on specified criteria, and it gets the results back and displays them. It's the ol' "black box" approach.

    And that's why abstraction is a good thing.
  • Thunder 2008-09-15 12:21
    Meep3d:
    $q->query($sql);

    The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?

    I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.

    Some good reasons have been posted, but I typically have a simpler one - in real life, most applications don't tend to swap databases like old clothes. Instead, there's a lot of common housekeeping around error handling and query processing that would otherwise have to be coded separately for each query. When you're handling all of them in the same way, there's generally no reason to do that -- a simple abstraction layer can save a ton of repetitive coding.

    In other words, basic computer programming knowledge should answer that question for you. It's the same reason we make functions to contain /any/ oft-repeated chunk of code.
  • Matt Bradley 2008-09-15 12:23
    I imagine you snipped out the comment which immediately preceded this code:

    // Replace the following with a proper user authentication mechanism once we've finished testing the application.

    No? Oh dear.
  • Zap Brannigan 2008-09-15 12:47
    Matt Bradley:
    I imagine you snipped out the comment which immediately preceded this code:

    // Replace the following with a proper user authentication mechanism once we've finished testing the application.

    No? Oh dear.
    That's what I was thinking too. This was not intended to be production code.
  • Ben 2008-09-15 12:58
    Smash King:
    I like how descriptive he gets when naming his variables. Who wouldn't know the meaning of $q and $chumbawumba ?


    It is easier to remember once you realize that the one item in the db is in fact 'chumbawumba'.
  • Vessini 2008-09-15 13:05
    DaveK:
    java.lang.Chris;:

    Logging in was slow, and he leaked connections by not closing them - if the database ran out of connections before the garbage collector kicked in he was straight outta luck.
    I do not believe the "S" in "SOL" means what you think it means.



    BrianK:
    To quote a great movie... "INCONCEIVABLE!"
  • I walked the dinosaur 2008-09-15 13:23
    Rick Astley would never knock you down, so you wouldn't need to get back up again.
  • Al 2008-09-15 13:49
    ParkinT:
    Perhaps the application never gained more than one user.
    Plenty of room for growth!!


    I just wanted to point out the while loop- only the last record in the user database is ever checked. So no need to worry about concurrent logins by different users!
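An added example, not code from the article or from any commenter, in Python with sqlite3 standing in for the PHP and MySQL original. It reproduces the two points made by notme and Al above: the loop overwrites one variable on every iteration, so only the last row returned (in no guaranteed order, there being no ORDER BY) is ever compared, and a redirect to index.php is not an authentication state. Beside it is the check a practitioner would write instead: one parameterized lookup by username, a salted PBKDF2 hash compared in constant time, and a session entry written only on success. The table, the column names and the two accounts are constructed for the example; the second account is there to show what the loop does once the table has more than one row.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed sample data: the article's single 'chumbawumba' row plus a
    second user, each with a salted hash rather than a plaintext password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, pw_hash BLOB, salt BLOB)")
    for name, password in [("chumbawumba", "s3cret"), ("alice", "hunter2")]:
        salt = os.urandom(16)
        con.execute("INSERT INTO users VALUES (?, ?, ?)",
                    (name, _hash(password, salt), salt))
    con.commit()
    return con


def wtf_login(con, supplied_password):
    """The pattern the thread is mocking: select every username, overwrite
    the same variable each time round, then compare the supplied password
    against whichever username came out last. With no ORDER BY, 'last' is
    whatever row the engine happened to return last."""
    last = None
    for (username,) in con.execute("SELECT username FROM users"):
        last = username
    return supplied_password == last


def login(con, username, password, session):
    """Bound-parameter lookup of one user, constant-time hash comparison,
    and the authenticated identity recorded in the session dict. The
    redirect that follows is a convenience; this flag is the authentication."""
    row = con.execute(
        "SELECT pw_hash, salt FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown username costs as much time as a wrong password.
        _hash(password, b"\x00" * 16)
        return False
    stored, salt = row
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return False
    session["user"] = username
    return True


if __name__ == "__main__":
    con = make_db()
    print("wtf, real password :", wtf_login(con, "s3cret"))
    print("wtf, a username    :", wtf_login(con, "alice") or wtf_login(con, "chumbawumba"))
    session = {}
    print("proper login       :", login(con, "alice", "hunter2", session), session)
```

With two rows the "password" that works for `wtf_login` is one of the usernames and the real passwords are rejected; which username wins depends on scan order, which is exactly Gorfblot's point about the missing ORDER BY.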
  • beltorak 2008-09-15 15:25
    Bejesus:
    Sadly, that's significantly more elegant than most Single Sign On solutions I've encountered...

    That doesn't say much. It is easy to be simple if you don't have to be right. "1 + 1 = 1" is very simple -- only 3 different symbols that require meaning.
  • anonymous 2008-09-15 15:47
    It DOES rule out SQL injection vulnerabilities, though. :)
  • ifatree 2008-09-15 16:28

    BK:
    Classic example of bad naming. Had the table been named SingleWebPassword and its single column [password], there wouldn't be a WTF.


    this was also my first thought... this looks like the kind of code you'd get from having someone work on a complicated logon solution for a few weeks, then drastically scaling back the requirements to such a degree it's easier to just chop out 90% of the code and leave what you see here.

    it says he's using a session variable, so more than likely there's an unshown, overcomplicated session management system to match the oversimplified login system. actually, that type of out-of-band session passing back to index IS how you do single sign on (you can't set a $_SESSION var on the login server and have Apache give it to your app on another server without passing it somehow through the request from the browser). personally, i'd make custom headers instead of passing through $_GET, but whatever's clever.
  • real_aardvark 2008-09-15 16:35
    Code Dependent:
    A couple of years back, I inherited an application which I call "the Frankenstein monster".
    I can see the accompanying Will now.

    "Dear Codey,
    I know you were expecting my book shop, or perhaps your uncle's little place in Marlow, but what with this internet thing absolutely killing the book trade, and the credit crunch putting a bit of a damper on the property market, we had to trade those in for a video on vegetarian cookery.

    I hope you'll be pleased with the contents of the casket (enclosed) as a token of our love. Your uncle rummaged around in the tool box to try to find the wall wart, but we seem to have misplaced it somehow. Never mind. Lightning seems to work just as well, and it's so much more environmentally friendly, don't you think? The villagers offered to chip in with some firewood, which I think was simply sweet of them.

    Your Auntie Wooly and Uncle Bish"

    Mind you, I do think that "Look on my works, Ye mighty, and despair" sums up the code in the OP quite well.
  • real_aardvark 2008-09-15 16:39
    BrianK:
    To quote a great movie... "INCONCEIVABLE!"
    Actually, even Fezzik would have done a better job than this.
  • ifatree 2008-09-15 16:45
    simple you say? i'd argue that understanding the rightness of "1+1=1" is beyond the ability of most humans, much less modern computers. ;)

    also, if you "don't have to be right", and only care about simplicity, "1 + 1 = 1" can be represented in your program as a single symbol and it doesn't have to worry about symbolic meaning at all. if you have "1", "+", and "=" in your bag, though, and think you have a meaningful program, you're probably not talking about the mathematical/symbolic meaning either.
  • Code Dependent 2008-09-15 16:50
    real_aardvark:
    Mind you, I do think that "Look on my works, Ye mighty, and despair" sums up the code in the OP quite well.
    When I get finished, it will be more like, "Nothing beside remains round the decay of that colossal wreck."
  • Jiff jensen 2008-09-15 17:07
    Brilliant. New meaning to the word simple! LOL

    Jiff
    www.anonymize.us.tc
  • Steve 2008-09-15 18:13
    ParkinT:
    Perhaps the application never gained more than one user.
    Plenty of room for growth!!

    I worked for a startup that *wished* we had one user.

  • Daniel 2008-09-15 21:46
    Very simple indeed... the password is actually the username.
  • werdan 2008-09-15 22:37
    jkupski:
    Smash King:
    I like how descriptive he gets when naming his variables. Who wouldn't know the meaning of $q and $chumbawumba ?

    $chumbawumba implies that if your server gets knocked down, it'll get up again, and that, in fact, you're never going to keep it down.


    And here I was thinking it was because Chumbawumba were a one(password)hit wonder.
  • Death 2008-09-16 03:30
    I've actually written something like this. For debugging purposes. With a big FAT warning in the config file to NOT turn it on unless you are beyond doubt sure it's your testing server and you know what you are doing. With this bit, I refuse to believe this snippet was not wrapped in if(AUTH_DEBUG){<your simple bitA>}
  • Valerion 2008-09-16 04:36
    $chumbawumba?

    "I get kicked out, but I login again, they're never gonna keep me out..."


    Reminds me of a guy we had who used to name all his variables after fish: $pilchard = $turbot + $halibut

  • uncomprehending 2008-09-16 09:49
    so he checked the password against the user name? that IS 'simple'.
  • Chris 2008-09-16 23:47
    Code Dependent:
    Kermos:
    Meep3d:
    The real WTF, and something I see every day, is why just about everyone feels the need to abstract the mysql functions behind another layer of obfuscation?

    I've never heard a convincing reason for this and no doubt the first thing you have to do when looking at someone else's code is figure out the bizarre idiosyncrasies of their particular reimplementation.


    One convincing reason is that if you ever need to switch databases from MySQL to something else you don't have to rewrite all your code. Assuming that the SQL code is compatible you'd only need to rewrite the class that handles the API access.
    Exactly. A couple of years back, I inherited an application which I call "the Frankenstein monster". It displays schedule information for multiple operating rooms in multiple hospitals of a large health care system. Display of this information is filtered based on the user's membership in various Active Directory groups.

    When it came to me, the app was several years old and had been maintained/updated by quite a few developers who had come and gone. Originally it had been written for two hospitals, which shared an Informix database. Later it was expanded to include several additional hospitals, some of which used the Informix database and some of which used Oracle; and so the data access section had been cobbled together to perform separate queries and then massage these into a single display. This had been done quite hurriedly, to judge from the quality of the code, which was a sickening spaghetti mess of string manipulation to create SQL queries in-line based on a huge amount of criteria which may or may not have been specified by the user.

    My first assignment was to update the application to add another hospital; one which used a SQL Server database.

    Given the timeline, I had no choice but to go in and copy the style used by my mad scientist predecessors, patching and stitching and hacking until the thing on the slab twitched and shuddered and opened its jaundiced eye. I did so, but I explained to my manager the condition of the application and advised him that it was in dire need of a complete redesign and rewrite from the ground up. He was sympathetic and even went as far as authorizing the project; but it had no champion and was shelved as soon as something more important came up.

    Fast-forward a year: the Informix database is being dropped and its data moved to the Oracle database. This means that all but one of the hospitals will now be using Oracle, with SQL Server the odd one out. At this time the application owners presented us with a request for some fairly extensive revisions to the data being displayed and to the UI. The project was fired up again, this time with a little muscle behind it, and I got the go-ahead to focus on abstracting the data access layer.

    What does all this have to do with the quotes above? My point is that abstracting the data access will prevent the necessity of hacking and patching the application in the future event of more database changes. Suppose they merge the SQL Server data into Oracle? Suppose they add a hospital that uses MySql? It should only be necessary to rework the data access layer. The application should never even know which database is being accessed. It sends a request based on specified criteria, and it gets the results back and displays them. It's the ol' "black box" approach.

    And that's why abstraction is a good thing.
    A database abstraction layer is a good thing. A home-grown database abstraction layer is rarely a good thing. I've seen both (and had to work on both), including a system that used a home-grown database abstraction layer on TOP of a pre-built abstraction layer (ADODB), and the home-grown stuff can easily turn into a mess if you don't have a clear purpose to what you are doing beforehand.

    The real problem is that a lot of the crap that you see where people tried to write their own database abstraction functions is that they obviously didn't plan very well and it shows.

    That being said, I usually use ADODB for all my PHP projects. Why reinvent parameterized queries or force my clients to use mysqli? Why waste time writing my own database abstraction layer when there is a proven one out there already?

    To the original poster of this "real WTF": $object->query($sql); is 10:1 a call to the ADODB query method, not something home-grown.
  • ron 2008-09-17 03:18
    Evil IT Resources page http://resursi.wordpress.com
    (IT management in Eastern Europe, HR, politics and other things)
  • OBloodyhell 2008-09-18 13:49
    Simple User:


    On second thought, couldn't be a bank. They couldn't work out how to make a site usable if it was the last step between them and a Congressional bailout!


    To be honest, Bank of America's website is at least moderately well done.

    *And* it works fine with Opera.
  • Brian 2008-09-18 16:02
    That code not only features Security Through Obscurity, it also has a great password policy. Assuming a new user gets added at least every 90 days!
  • Wolf 2008-09-20 10:12
    I can do better than that... No user, no passwords, no content... Hell, I can do it without web page...

    Setting a new standard for "simple" XD
  • real_aardvark 2008-09-20 14:54
    Code Dependent:
    real_aardvark:
    Mind you, I do think that "Look on my works, Ye mighty, and despair" sums up the code in the OP quite well.
    When I get finished, it will be more like, "Nothing beside remains round the decay of that colossal wreck."
    A rather late reply; but, OK, you beat me.

    Care to play a game of Hive? I'm absurdly good at that.
  • OhDear 2008-09-25 21:05
    At least it is immune to an SQL injection attack.
  • moe 2008-10-14 15:08
    chumbawumba? wtf
  • rebecca 2008-10-24 21:04
    Welcome to our website for age of conan and rs gold service.