- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
wrongeous
not spam
Admin
Select Count('frist') from dbo.comments
Admin
s/richeous indigation/righteous indignation/
I wish I was some richeous . . . well, just about anything! . . . right now.
Admin
Can friendly plz post Java version for this?
Admin
Fourth
NOT SPAM DAMNIT!!!
Admin
OK, I'll bite:
I'm not a coder, just a lowly network grunt. Can someone explain the WTF here?
Admin
So if Brian rewrites this to let the DB tell him how many records were returned, is he "taking over the counter"?
Admin
BentFranklin: It's looping trough individual, adding each to a freaking long var where it should only wuery for count(1) :S my 2 cents
Admin
Not sanitizing the input Using * in the query when all he needs is a COUNT
Admin
Wow, just wow!
I am not coder of SQL, except for the few little odd-jobs I have knocked up hear and there for home use or similar, but my first thought was "Why isn't he using SELECT COUNT()"
Admin
Not only is it looping over the return of a select statement to get a count (when that's what the count function is for) its also not using place-holder variables. Vulnerable to SQL injection attacks.
Admin
SELECT count(*) FROM tblleads WHERE homenum = " + myHomeID + " AND reviewed = " + myStatus;
Would be much faster as the DB can calculate it without fetching the whole (!) table with all (!!) data fields over the DB connection only to ignore the fields and count the rows...
Opening the DB connection only close it right afterwards is not very performant either. But that's another WTF...
Admin
Admin
That's what Brian gets for using a nouveau richeous contractor.
Admin
The issue is not so much that most of the code sucks (it does) but that rather letting the SQL return the number of rows, he selects the data set, and then iterates over it counting the records.
This is all in a function so the dataset is going to go out of scope, he is not using it for anything else; its big waste, of time retrieving it. Its also worth pointing out that the adodb object has a count property. The loop is likely not needed even running the query he did, but in fairness sometime that value is not correct until the movelast() method/function gets called.
Oh and he is using cmdtext rather than calling a procedure with position parameters, usually not ideal. I don't see any input validation but depending on where myHomeID and MyStatus are coming from that may or may not be a WTF as well.
Admin
Well, querying for the Lead data isn't necessarily a bad thing. If there are few columns, it's well-indexed, and easy to build the Lead objects, there's nothing wrong with having a count-type method go ahead and build those objects into a List<Lead>-type property, and have this method return List.Count.
Then future accesses don't have to return to the database when the details of the Leads are needed.
Having completely failed to set himself up for that kind of aproach, though, it certainly seems this particular developer is an incompetent buffoon.
Captcha: persto: see, this returns a count like magic.
Admin
Does he get points for using Dispose() and Close()? That's far more than we can expect around here on a regular basis.
Admin
Well, that's one way of doing it...
Admin
Aside from the already mentioned WTFs, gotta love this line, too:
string rsLeadID = "";
rsLeadID isn't used anywhere in that function. Not really a WTF, but a definite sign of sloppiness.
Admin
MORON! MORON! MORON!
Admin
Ok, skipping the typos on "richeous indigation" for now... but isn't indignation righteous by definition?
Admin
Admin
TRWTF is long instead of int. Did they seriously expect more then 2,147,483,647 lines to be returned?
Admin
At least he isn't swalling an exception. Oh, wait a minute...
Admin
Is this a troll? TopCod3r, is that you?
Admin
Don't forget, his way is the BEST way. Don't question it!
Admin
But I'm with you on the count thing. I'm no squill expert, but at the only place I've worked that did much of it (where we called it squill, ok, so don't get at me...) we used count() a lot. I always had a vague disquiet, because it felt like count(*) should return N times the number of rows, where N is the number of columns. Fortunately, the people who built SQL had more sense than me in that respect...
Admin
How can you not love such an impeccable algorithm?
Never fall for premature optimization!
Admin
you only get points for putting everything inside a using{} block and THEN calling dispose+close
Admin
Admin
Actually, this code is not all that bad. It may take an incorrect approach, but it does so behind a reasonable method signature so this can be refactored quite easily. Likely written by an otherwise decent programmer who has little to no experience coding against a database.
Admin
But it consistently passes unit testing.
Admin
I'll list the WTF's here:
Can't think of anything else right now, but I'm sure it'll come to me.
Admin
I don't know the language/libraries, but I'd wager "i" doesn't need to be a long.
Must admit this all doesn't seem particularly WTFy. It's more like a lot of little naive things. I suppose the WTF is supposed to be the context of this guy thinking he's awesome.
Admin
[quote user="PerlPlexed"]...Vulnerable to SQL injection attacks. [/quote]
[quote user="andrew"...]Not sanitizing the input...[/quote]
I think it depends on where the input is coming from. Input isn't always coming from a user over other internet. Depending on what's calling this method, sensitization might not be necessary.
Or more generally, not every form of security measure is necessary is every situation.
Admin
I'd argue that not using COUNT() isn't as bad as the potential for a SQL injection attack. If you don't know what a prepared/parameterized statement is, please read about them.
Admin
I'm mostly reminded of a job interview where the technical portion of the interview asked a SQL question about getting the largest value from a given column. Max() being the answer, of course. I asked if it was a trick question or if they were after something obscure involving OLAP or something, it seemed too obvious when the job description specified SQL experience.
Now, I see that my faith in humanity is just too high.
Admin
Concatenating strings is NEVER ok, especially when writing a SQL query.
Admin
So what they need to do is wrap this in another function that times how long it takes to get the result, divides the time by the (average) time that it takes to get one row and return that as the count. It should be accurate enough most of the time.
To improve accuracy, open another database connection and call "select top 1 * from tblleads where ...". Time how long it takes to return that result, then divide the time to compute the count by the time to get the one result. That way if the network is slow or they upgrade the database hardware it automatically compensates for the change.
Admin
Wow, you thought about that way too much. :)
Admin
Tbh you should have said 2^32-1 (for unsigned types) ;)
Admin
Yes, Sir!
Admin
Man, I can almost hear the dripping superiority: "Well, you should know, that if the index is corrupt, COUNT(*) might not return the correct value. So this is the best way to count. The only reliable way to count."
And, of course, he would be wrong: Certainly wrong.
Admin
To all of the people crying over possible SQL injection attacks, while it should be using prepared/parameterized statements, I would venture to say that unless there is evidence otherwise it is probably safe to assume that there is no possibility of such attacks. First, this looks like inner library code. The values passed in were probably pulled directly from the database (myHomeID) or from some hard-coded enumeration (myStatus). Assuming that this is the case, it would be a big WTF if those values did contain some "extra sql" (though that could explain why they were concatenating strings rather than using prepared statements - oh, how the thought makes my brain hurt). Second, if this were somehow exposed to user input, it is probably safe to assume that it is under a layer or two of (most likely WTF-worthy) sanitization/validation code which makes sure that the values conform to some format. That they are using the values as filter conditions in the where clause leads me to believe that neither is linked to a free-form, user-exposed field.
Admin
I try ;)
Admin
This has nothing to do with SQL injection. Do all you people who thing it does actually believe that the users are going to be inputting their own homeID/status? Even in the very small chance that they are, who's to say that this isn't sanatized at a much earlier stage.. such as the logical point when it is read in - or would you geniuses parse the input every single time it is used rather than once when it is entered?
The slightest mention of sql on this site and all the kiddies start thinking "I've heard of sql injection.. let me impress everyone by bringing it up over and over again".
Yes the implementation is stupid and smacks of someone fresh out of school, but it isn't "wtf" levels of stupid.
Admin
TRWTF is Word® doesn't recognize the words richeous or indigation. Clicks Add...
Admin
I always like to ask candidates who claim to have problem solving skills and/or sql experience the following question:
What is an sql query you could use to return (only) the largest value in a particular column without using the max function. (they have an example table in front of them which I use for other simple questions also). I don't think anyone has ever given me a correct answer.. despite it being ridiculously simple.
I was once asked this in an interview many years ago and the answer seemed trivial.
Admin
Admin
Guessing here . . . something like:
SELECT TOP 1 column FROM table ORDER BY column DESC;
?
My SQL is rusty . . .