• iceland (unregistered) in reply to Anonymous
    Anonymous:
    Then again, why bother? Just print it on the label and have the postman figure it out.

    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers (in the outlands).

    Answer: They send it to the locality's post office; the postman knows everyone by name and where they live.

  • Sehe (unregistered) in reply to drake
    drake:
    If he had used Regular Expressions, he would have had 10 problems

    In reality, that would have been 25 problems at minimum, 32 problems in likelihood

  • Sehe (unregistered) in reply to Norman Diamond
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.

    Please indicate which non-Slavic country in Europe uses ý, named in the example?

  • Sehe (unregistered)

    What intrigues me the most is that the implementor and all commenters get the specifications all reversed:

    "ensure that all five lines of a shipping address contains valid characters."

    To me this means that any check beyond finding the first 'valid character' would be redundant. Also, empty strings cannot be accepted, as they would contain no valid characters.

    People need to learn how to read specs :)

  • Anonymous (unregistered) in reply to configurator

    Java doesn't put this requirement on you. Of course, people like to blame the tools instead of the developer.

    You can just use a boolean to return true or false, then that method is reusable and the caller of the method could decide whether to throw an exception or how to further handle it.

  • Rufus T. Firefly (unregistered) in reply to ObiWayneKenobi

    ^c^v is way more efficient than thinking.

  • Cencored (unregistered) in reply to Sehe
    Sehe:
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.

    Please indicate which non-Slavic country in Europe uses ý, named in the example?

    Iceland does.
  • Norman Diamond (unregistered) in reply to Sehe
    Sehe:
    Norman Diamond:
    Foo Bar:
    If Cedille, Eszett, and Y acute are all considered valid address characters, either the company expects to ship all over Europe, or the "programmer" is having too much fun with keyboard symbols.
    Not really. The company expects to ship to Scandinavia and Germany but not to Greece, Turkey, and some Slavic countries.
    Please indicate which non-Slavic country in Europe uses ý, named in the example?
    Well, the absence of letters such as đ and ş made me guess that the company didn't intend to ship to Slavic countries, but someone else already pointed out that I missed the inability to ship to Norway and Denmark. So the company's selection of destination companies doesn't really seem to follow any geographic rule.
  • Norman Diamond (unregistered) in reply to iceland
    iceland:
    Anonymous:
    Then again, why bother? Just print it on the label and have the postman figure it out.
    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers (in the outlands).

    Answer: They send it to the locality's post office; the postman knows everyone by name and where they live.

    It's the same in a lot of countries. It's the same in villages where my wife used to live, her relatives live (some better known than others), and maybe including me in the future. It's not quite the same in Canada because the rural route number had to be written.

    In some countries that have addresses, often there's no street name but district numbers, block numbers, and lot numbers narrow down the destination. If there are two or more buildings on a single lot then it's wise to include the name of the building (and it does not mean that you can just name the building and leave out the rest of the address).

    In some countries that have addresses, often there are street names but no numbers, so again the building should be named.

    The only correct way to handle this is ^C^V. Try to refrain from guessing that the customer doesn't know their state or city, because you'll just screw it up if you rearrange stuff instead of doing ^C^V. (If anyone in this forum works for a court in the US, please try to teach this to your employer.)

  • instigator (unregistered) in reply to moreON
    moreON:
    why not just

    return !expr;

    Because you don't want to break from the for loop if the expression is false.

  • Anon (unregistered) in reply to argle bargle
    argle bargle:
    But a blacklist would have been easier to get right since it would have been a lot shorter than a whitelist.

    In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.

    And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.

  • Anon (unregistered) in reply to Anon

    Agreed - concerns over injection attacks means your data access code has been written poorly and left to rot for too long.

    An escape character won't allow an attacker to clear your database if you use placeholders/named parameters properly, and I'm not aware of any escape sequence that opens a terminal to give attackers root access to a machine.

    Let users enter whatever they want and record it exactly as keyed.

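A worked example added here by the editor, not code from the article or from any commenter: a whitelist line check that returns a boolean (the approach the reply to configurator suggests, with the rule that an empty line contains no valid characters) and a parameterized sqlite3 insert that records the address exactly as keyed, so an apostrophe, ß or ý in the data is never interpreted as SQL. Function and table names are assumptions for the illustration.

```python
import sqlite3
import unicodedata

# Whitelist: any Unicode letter or digit (so Scandinavian, Icelandic and
# Slavic names all pass) plus the punctuation that appears in postal addresses.
ALLOWED_PUNCT = set(" .,'-/#&()")


def is_valid_address_line(line: str) -> bool:
    """True if the line is non-empty and every character is whitelisted."""
    if not line:
        return False  # an empty string contains no valid characters
    for ch in line:
        if ch in ALLOWED_PUNCT:
            continue
        # General category L* = letter, N* = number; everything else (control
        # characters, symbols, separators other than space) is rejected.
        if unicodedata.category(ch)[0] in ("L", "N"):
            continue
        return False
    return True


def is_valid_address(lines) -> bool:
    """All five lines must be valid; the caller decides whether to raise."""
    return len(lines) == 5 and all(is_valid_address_line(l) for l in lines)


def setup_db() -> sqlite3.Connection:
    """Hypothetical shipping table, in memory, for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shipping(l1 TEXT, l2 TEXT, l3 TEXT, l4 TEXT, l5 TEXT)")
    return conn


def store_address(conn: sqlite3.Connection, lines) -> str:
    """Insert with placeholders: the driver passes the text as data, never as
    SQL, so no escaping is needed. Returns line 1 read back, unchanged."""
    conn.execute("INSERT INTO shipping(l1, l2, l3, l4, l5) VALUES (?, ?, ?, ?, ?)",
                 tuple(lines))
    row = conn.execute("SELECT l1 FROM shipping ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


if __name__ == "__main__":
    # Constructed sample address: apostrophe, Eszett and Y acute, kept as keyed.
    addr = ["Ólafur O'Brien", "Straße 1", "Reykjavík", "101", "Ísland"]
    print(is_valid_address(addr))
    print(store_address(setup_db(), addr))
```
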
  • McMuffin (unregistered) in reply to Anon
    In the name of all that is holy, stay far away from me. Blacklists are a great way to ensure that your code is insecure. The fact that it may be easier to get right doesn't make it the right option. The submitter's code is terrible, but only because it is redundant, difficult to maintain, and needlessly inefficient. Doing it with a blacklist would make it redundant, difficult to maintain, inefficient AND insecure.

    And you, please stay far away from me. Form validation is for basic sanity checks in order to be more user friendly. It is not where the application should be secured.

    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

  • Bill C. (unregistered)

    But the wrongs felt so right! But then again, I have an unprintable character.

    Now what about the character at my former position? Is he on the black list, white list, both, or neither?

  • Toby (unregistered)

    I think you're all skipping the obvious reason for having those characters: 1) The reason for stripping the characters is probably that the printer is not UTF-8 compliant (probably a simple ISO 8859-1 printer that chokes on/interprets special characters) 2) The nitwit writing this POS didn't know all the characters used in Denmark and Norway and either way, eastern Europe isn't part of ISO 8859-1 anyway afaik.

    Correct me if I'm wrong, but with all those null checks and weird logic, it has to be an Indian working in Europe (the good Indian programmers all stay in India or work in the USA).

  • Paul (unregistered) in reply to Worf
    Worf:
    And this makes it a lot easier. If the country is your own, most post offices offer an address validation system - either online or offline subscription which will contain every valid address in the country.

    Except when they don't, or when they are wrong.

    Our address didn't used to be in the UK post office database (it is now, thankfully), which caused problems with some suppliers.

    Also, our address is like:

    111 Acacia Drive MyVillage MyTown AB1 2CD

    There is also a 111 Acacia Drive MyTown AB1 5XY

    Some databases miss out the 'MyVillage' part of the address (it's not strictly necessary, because of the postcode), and we can't add it when ordering (since the database is the 'definitive' source of data).

    So, unless the delivery man is careful and checks the post code, things end up going to the wrong address... (This usually happens with couriers - the post office generally gets it right, because they automate the sorting to smaller delivery runs)

  • Anon (unregistered) in reply to McMuffin
    McMuffin:
    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

    Sure. Because users who disable javascript do not deserve a friendly UI?

    And yeah, go ahead and kludge together security throughout the layers. After all, if you nest together enough sieves, the sand will stop flowing through.

    Security within Form validation is often a symptom of security being "thrown on top at the end". The correct approach for SQL injection is to implement it in the DAL from the beginning.

  • TortoiseWrath (unregistered) in reply to Norman Diamond
    iceland:
    Anonymous:
    Then again, why bother? Just print it on the label and have the postman figure it out.
    This reminds me of my holiday in Iceland. I asked someone how they get their mail when there's no street name/house numbers (in the outlands).

    Answer: They send it to the locality's post office; the postman knows everyone by name and where they live.

    I live in the rural US, where the USPS delivers only to post office boxes, but courier services will deliver only to street addresses. This tends to cause problems when ordering things.

    Probably the greatest issue I've had here was ordering something from AT&T (because Verizon doesn't work here, either). They yelled at me for giving them a non-deliverable street address, then yelled at me for giving them a PO Box, and there was only one address field.

    The solution ended up being to have them send it to the post office with my name on it and hope that it ended up in my PO Box. (It did.)

  • TortoiseWrath (unregistered) in reply to Anon
    Anon:
    McMuffin:
    If it's only for "user friendliness", why put it on the server side? Use Javascript instead. And security should be integrated and layered throughout the application, not thrown on top at the end.

    Sure. Because users who disable javascript do not deserve a friendly UI?

    People who deliberately disable functions on their computer for no reason deserve less of a friendly UI than those who don't.


Leave a comment on “Classic WTF: Five Wrongs Don't Make a Right”
