Admin
Frist frist.
Admin
second!
. . . .not spam
Admin
The worst part is probably all the variables defined at the start of the code, especially those commented out. Only two of them are actually used, while the rest imply that some sort of heavy-duty database punching was attempted at some point.
Admin
Anyway, I'm not a seasoned .NET programmer, but it's possible they were trying to avoid any potential issues with an empty or null return value.
Admin
Maybe they tried putting all the connection strings in a database table?
Not removing the obviously useless code is definitely a WTF. Also, who the heck is still using hungarian notation? sHere, sThere, sEverywhere.
Admin
Another WTF is how ASP.Net defaults break PCI compliance.
Connection strings have usernames and passwords in them in plain text when using them this way. Either encrypt them or do not use the config file to store them; have the config file point to something else that has them and that is encrypted.
Another possible way of getting them is through some service call, or maybe not getting them at all: let the service call access the data instead of the Asp.net application. Of course then you have the config file for the service that needs to be cleaned, but that is easier to point to a resource that has encrypted data instead of that resource being accessible from your web server.
Admin
$var for jQuery objects? Kinda useful in weakly typed languages with similar types.
Admin
Read the chapter on "Integrated Security."
Admin
Well, you can encrypt them in the config file, so I assume "this way" refers to this (unused) part:
Encryption is less of a big deal if you're dealing with an intranet app, or if the login only has read access to data that you want to share with the general public anyway.
Admin
Admin
The Real WTF is that they do not have a string variable called HitCount (or anything that begins with Hit ...)
Admin
Admin
That's much more of a WTF than doing something that works but in an unnecessarily roundabout way.
Admin
Admin
I'm glad you said this, cause that's how I am reading it too.
Admin
"Dim x, y, z As String" creates z as a string but x and y as variants.
Admin
Not always, I've had Informix databases sitting behind an ASP.Net app.
I agree, the inetuser should be the one with access and use authentication, but that's not always easy with certain databases.
Admin
Some Manager probably said
"The Key is the Connection"
And it was.
Admin
Or you can encrypt the data in your web.config file.
Admin
Or you could have one file that has this that all the web.configs point to and simply change that one file.
Granted, if your company is small enough to only have one site or service then this isn't a problem.
Admin
Agreed. A place I know uses asp.net backed by oracle everywhere. In fact, many of the separate oracle database servers were recently 'upgraded' to a single exadata server. Now all the apps get to share in the fun on those occasions when oracle flakes out, i.e. often.
Admin
This is a total WTF. They should have looked up a key by position that would tell them the position of the database connection key. That way, they could move the database key by changing the first key.
As it is, the database key is stuck forever at position 0. Where's the configurability?
Admin
Aside from being out-of-context for this method - both variables are only being assigned to and are never read?!
Admin
Admin
Not since vb6.
Admin
It's even worse than I thought at first. If the connection string is not the first configuration line, it doesn't even return the first configuration value but the first key. Someone really has messed this up big time.
Admin
Admin
Aspnet_regiis -pdf "connectionStrings" <<change password>> Aspnet_regiis -pef "connectionStrings"
Also, creating a parent web.config that multiple applications inherit from is a built-in feature of ASP.Net, so you don't have to write custom code to create a pointer to a single configuration. The code is entirely unaware of the inheritance.
Admin
PCI compliance? Who the hell cares about that?!
Admin
Where's the WTF? They are simply making a mechanism to point at different dbs by config. The enterprise library does something similar by its default connection string mechanism. Sure, they should have had a named key for the default connection string key, however, not a huge issue.
Admin
Admin
Unless the web site is meant to be accessed from outside your network.
Admin
Too many people don't know that .net lets you encrypt connection strings, besides which, your IIS should be configured in such a way that httprequests to web.config are denied by default.
Does anyone else take issue with the way the data access layer is called "DAL"? shit like that makes my blood boil, like calling your business layer "BLL" - what does that class do again? oh yeah, it logics your business layer, how silly of me.
Admin
Well, since PCI compliance unambiguously guarantees impenetrable security, you simply implement PCI, then you don't need to think about security and best practices any more. It's a huge saving, and a great deal of peace of mind, for any company.
The more you know.
Admin
TRWTF. Idiots like you are what lead to code like the OP.
Admin
Wow...
Just wow, seriously, you said this?
PCI is more a minimum requirement for not being as holey as a leaky sieve.
Doing nothing but meeting the minimum requirements of PCI DSS means you qualify to call yourself more secure than a firevault made of chocolate, nothing more.
Admin
Admin
-100 internets for falling for obvious troll...
Admin
Admin
Answer a technical question with a buzzword.
Assurance that it "is secure" -- an unachievable state, but a nice marketing term.
No discussion of how this magic might achieve its lofty promise.
Admin
We must work at the same place, because I swear I've heard that before in the past few months.
Admin
TRWTF is not doing this in Perl. Then nobody would expect it to be right anyway, so no disappointment.
[I actually like Perl. It's like python for people who aren't afraid of punctuation.]
Admin
Admin
Admin
Willing to hazard good money that all the commented out crap was an initial effort to store all their configuration in a database, including the connection strings.
All was going well until, hang on, seem to be getting some deep recursion here...
Admin
Admin
Oh come on! Get the joke right. "HitList".
Admin
Admin
Admin
You don't have to have the user name and password in the connection string. Most places I worked that required PCI compliance used a trusted connection and has the app/service run with the active directory identity of a user that was setup with access to the database.
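The two technical points running through this thread, looking the connection string up by name rather than by position 0, and keeping SQL logins out of web.config by using a trusted connection, can be checked in a few lines. The following is an added example, not code from the article or from any of the posters; the entry name "Default", the class name ConnectionStringAudit and the sample entries are constructed for illustration.

```csharp
// Added example (not the article's or the commenters' code). Assumes a web.config or
// app.config with a named <connectionStrings> entry such as "Default"; the names
// "Default", "Legacy" and ConnectionStringAudit are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;

public static class ConnectionStringAudit
{
    // Look the connection string up by name instead of by index 0, so the entry can
    // move within <connectionStrings> without silently handing back a different value.
    public static string GetConnectionString(string name)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[name];
        if (settings == null || string.IsNullOrEmpty(settings.ConnectionString))
        {
            throw new ConfigurationErrorsException(
                "Connection string '" + name + "' is missing from <connectionStrings>.");
        }
        return settings.ConnectionString;
    }

    // Returns the names of every entry that embeds a SQL login (user id and/or password)
    // instead of relying on a trusted connection. SqlConnectionStringBuilder normalises
    // the synonyms ("Integrated Security=SSPI", "Trusted_Connection=yes", "Pwd=", ...).
    // Strings it cannot parse (e.g. an Informix or Oracle provider string, as mentioned
    // above) are reported for manual review rather than silently skipped.
    public static List<string> FindPlaintextCredentials(IEnumerable<ConnectionStringSettings> entries)
    {
        var offenders = new List<string>();
        foreach (ConnectionStringSettings entry in entries)
        {
            try
            {
                var builder = new SqlConnectionStringBuilder(entry.ConnectionString);
                bool hasSqlLogin = !string.IsNullOrEmpty(builder.UserID)
                                || !string.IsNullOrEmpty(builder.Password);
                if (!builder.IntegratedSecurity || hasSqlLogin)
                {
                    offenders.Add(entry.Name);
                }
            }
            catch (ArgumentException)
            {
                // Unknown keyword: not a SQL Server string, so flag it for a human to check.
                offenders.Add(entry.Name + " (unparsed provider string, review manually)");
            }
        }
        return offenders;
    }

    public static void Main()
    {
        // Constructed sample entries standing in for a web.config <connectionStrings> section.
        var sample = new List<ConnectionStringSettings>
        {
            // Weak: SQL login with the password sitting in web.config in clear text.
            new ConnectionStringSettings("Legacy",
                "Server=db01;Database=Orders;User ID=webapp;Password=example-only"),
            // Preferred: trusted connection; the application pool identity authenticates.
            new ConnectionStringSettings("Default",
                "Server=db01;Database=Orders;Integrated Security=SSPI"),
        };

        foreach (string name in FindPlaintextCredentials(sample))
        {
            Console.WriteLine("plaintext credentials in connection string: " + name);
        }

        // Against the live configuration, the same audit runs over the real collection:
        // FindPlaintextCredentials(ConfigurationManager.ConnectionStrings.Cast<ConnectionStringSettings>());
    }
}
```

Two things worth knowing when running this against a real site: ConfigurationManager reads a <connectionStrings> section that has been encrypted with the aspnet_regiis command quoted earlier in the thread transparently, so the audit still sees the decrypted values and the code needs no change; and a trusted connection only removes the password from the file, so the application pool identity still needs to be a least-privilege database login rather than a broad administrative account.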