- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Assuming this no troll....
Admin
Maybe you should hire from this site, then, if you've never had a candidate find that solution, yet about 5-10 people have opinions on the problme here similar to your own
Admin
Granted you may not need tosanitize at every level, but I would think the point where the SQL is being created is the most sensible place to sanitize - rather than relying on someone sanitizing just before calling (which is probably more difficult/error prone).
Once the statement is created, you have no (easy) way of knowing what has been added by the program, and what has been added by external forces, so sanitisation like escaping key characters is probably useless. It only really makes sense to sanitize input as it comes in...
Presumably, the SQL is built in one place, and this is where the sanitization belongs - at the point you xcan still shit yourself and get out...
Admin
Maybe different Dbs are different, I remember being told that count(1) is more efficient than count() (in an ingres course way back when (read: a couple of years ago)), but askTom (which I think is more oracle based) claims count() is at least equivalent and probably more efficient than isolating a single columne.
Admin
Just Remember - http://xkcd.com/327/, these types of people are out there
Admin
Or were you trying to prove you could see the reference.
On a totally unrelated topic, why does it seem like all registered users are trolls? Finally, is Hortical the original boog?
Admin
This horse has been beaten to death in this comment thread. The concept of what is "right" is a ephemeral as same-sex marriage. No one can say whether allowing MM or FF families to be full-fledged members of society is a bad thing, and no one can say whether a kid who is adopted in such scenarios will cause more damage to society than a "protected" application utility method. So why are we arguing? For some reason, we think we can be "right" or that society gives a damn about what my particular opinion is. Give it up. There is no right or wrong--this kind of feeling is what has kept males from being able to declare their union with other males to be as valid as a normal males union with a female. Are we really that dependant on a single chromosome or a slightly more safety-conscious view of a private API? The answer is no. Feel free to disagree, but in no way do I feel like my forward-thinking society is in any way subordinate to the standard American way of thinking.
Admin
I didn't even click on the link and knew it was some fag linking xkcd. It's not clever. It's not funny. Just the word "sanitation" with a link under it and the short, useless, one sentence post was all I needed to know that you were linking the cartoon where the family names their fag kid a name that will destroy the database.
It was funny to read when it came out. It's even funny when clicking on the Random button on the site and seeing it. It's NOT funny when someone links to it from a one-sentence post and thinks they're so fucking clever to have discovered xkcd.
You probably still use lmgtfy and think you're so damn clever.
It means in real life, you're an unoriginal hipster doofus.
Got anything to do with sanitizing inputs to a SQL database, etc.? Link to Bobby Tables. Got a nerd-project slow-ass turing machine? Like a minecraft logic circuit from redstone? Link to the one where it's some guy alone in the world making a computer out of rocks. Got a story about password security or encryption? Link to the one where they beat the password out of the guy with a wrench.
Fuck off. You're not clever. Unwiped Asshole.
Admin
Admin
This reminds me of http://xkcd.com/169/
Admin
This reminds me of http://xkcd.com/169/
Admin
That's just some lazy cut and paste scripting by a coder who hasn't done SQL before and lied about it in the job interview. I've seen far, far worse than this on every second contract role I've done by n00bs who just got out of university.
I've done plenty of this sort of cut-n-paste scripting for clients won't pay for me to do the job properly. Gives me alot of performance optimisation work down the road when the client is finally making money off the software.
Admin
For the problem of returning other columns in the row with the highest value of a given column, in Oracle I'd typically use the rank() analytic function. This also allows you to do grouping etc.
select col1, col2, col3 from (select col1, col2, col3, rank() over (order by col2 desc partition by col1) as rnk from my_table ) where rnk = 1
This will get you one record for each distinct value of col1, with a maximal value of col2, and the associated value of col3.
Apart from adding to the query complexity (especially if your "table" is actually several tables joined together), you're now returning multiple rows if the maximum is not unique. Of course you can get around this with a DISTINCT, as long as you're only after the maximum value itself. Yes, I bet that works really well for string or date columns.Admin
Wow... a prorammer who did not forget to close the connection!!
CAPTCHA: inhibeo (WTF???)
Admin
Admin
To be fair.. at least he used a DataReader to loop over the records.. I mean he could have used a DataSet which is a power of magnitude slower.. At least way back when I used to code .net.
Not that it excuses him from horrible database code. A return parameter would have done nicely.
Admin
There is a cost to splitting your code, just as there is a cost to using globals.
There is a cost to adding stored procedures to your data (even simple ones) just as there is a cost to keeping all your query language in your application.
I appreciate that for most people, using the tools most people use, the balance is for using only named procedures.
I was suprised at the code, so for me it was a WTF, but that doesn't mean it's wrong. I grew out of thinking that everything I didn't understand was wrong after the first couple of years.
Admin
--- How long was the contract, clearly he couldn't finish the development in time with that kind of code ---
SELECT COUNT(*) FROM dbTable
Admin
Interesting. Select top 1 returning more than 1 row? You might need a new "integer" unit for your hardware. Pentium 3.3333333333333333, anyone?
Admin
Or, for fun, try reading the comment. Admittedly off-topic, it does not appear to say "gay = bad".
Admin
Fair enough. If you can give me an example of when it's OK to intentionally write SQL injectable code via string concatenation, then I will withdraw my NEVER statement. Otherwise, you're the idiot...
Admin
You don't know how many rows to expect before you've fetched all of them.
In my personal opinion, input validation in an API (presuming, again, that this is an API) is something I never do. If you don't know what parameters to pass to my method, don't invoke it to begin with.Input from an end user, now that is a different story.
Admin
No he didn't, it's complete coincidence. If he did, the girl would be named Jen.
Admin
Meta-arguing. One of internet's finest inventions.
Admin
Admin
Admin
When the input comes in
When the input goes into an SQL statement
is so you won't have any other problems anywhere in your code (like trying to divide by 0, or using a string as an int in strongly-typed languages). This is mainly so all the code that handles it, will get the right input.
is in case some input slipped the net in 1. or gets messed up during its way to arrive here.
Any other sanitization is either necessary or not, depending on the type of project and how it's managed. If it's me doing all the code, or me and two other guys whom I know for sure will do a proper job, then there's no point. If it's a team of 50, all programming against interfaces others write, then you better do sanitization at every level.
Admin
Follows the pseudocode equivalent of some code I came across way back. The original was in C with libraries for variable length strings and arrays.
Select an integer column from a table fetch loop sprintf the integer in to a string append a pointer to the string to a variable-lenth array
initialise a running total to zero Then a second loop went through the array, for each Convert the string to an integer Add the integer to a running total
return the running total
Admin
I'm amazed that you've never got a correct answer(unless you've only asked it once or twice). Fair enough if its an entry-level job, not if its for a DB guy, because it is trivial
Admin
Of course, it is. All you need is some correction fluid to cover it up on the screen.
SELECT MAX(whatever) FROM whereverAdmin
Results count is 0. You are not the first and definitely not the frist.
Admin
"120."
"What?"
"120. It's the largest value in that column."
"?!?."
"Look, right here in the table you're showing me. 12, 43, 1, 17, 12, 22, 75, 8, 120, 54, 86, 2. The largest value is 120."
"Ah. Um, OK, fair enough. Let's see, next question..."
Addendum (2011-06-28 08:10): "Oh, hang on - you asked me to come up with an SQL query to return the largest value in that column."
"Yes I did. I'm glad you've realised that.
"Select 120;"
"What?!?"
"Select 120;"
"Oh."
etc
Admin
Sure it is a WTF level of stupid. There is no reason to not use a prepared statement. If you follow best practices every time, you are less likely to fail to follow them when it counts.
Plus, you are assuming that there is no layer where a disgruntled Dev might be able to insert harmful SQL. Sure, peer reviewed code would prevent that, but obviously that isn't really something that happens at the place this code resides.
Couple that with the fact from the story that the contractor is no a novice, but an "expert" and you start to see why his code is a WTF.
Is the SQL injection the only WTF? No. Is it one in a litany of others, yes!
Admin
Admin
Who cares?
Damn you, askimet!
Admin
We have something similar here in the old code. Get first record:
DbCommand.CommandText = "select * from tblleads where homenum = " + myHomeID + " and reviewed = " + myStatus + " order by whatever desc; OdbcDataReader DbReader = DbCommand.ExecuteReader();
string firstRecordVal = ""; while( DbReader.Read()) { firstRecordVal = DBReader(0); }
Admin
I don't get it. sp_executesql, which is used by SqlCommand parameters, existed in SQL Server 2000. The SqlParameter class exists since .net 1.1.
Admin
No wait. Your not dumb! But I do have a bridge to sell you...
Admin
Returning all columns of all rows rather than a COUNT(*) is more than a little thing. Of course, it's possible that this function runs once a day as part of some daily process which takes hours and so if it (the function) runs in, say, 2 minutes vs. 1 second nobody will care.
Admin
If, on the other hand, this function is the ONLY highly inefficient part of code, it doesn't matter indeed.
Admin
Admin
A few more flavors for kicks:
SELECT column FROM table ORDER BY column DESC LIMIT 1;
SELECT column FROM table ORDER BY column DESC FETCH FIRST 1 ROWS ONLY;
Admin
Naturally "all registered users" (as you say) would at some point seem like a troll, since they aren't constantly changing their names to hide from their prior offenses, as is common among some (not all) unregistered users.
No. I have only one registered username, and the only time I ever post with a different, unregistered username is when referring to featured WTFs that I submitted. In such cases I use my real first name, which isn't "Hortical".Admin
Admin
There's a possibility that it did, but there's a fair probability that it didn't. Keep your bridge for yourself, you might need it.
Admin
I never realized I had so many fans.
Admin
In case you don't realize the reference: the "bridge" is similar to the idea of "ocean-front property in Arizona". The fact that I offered it to you shows that I don't think you're smart enough to realize that neither exists.
Admin
Admin
Surely I have registered usernames at other websites too.
Admin