• (cs) in reply to Cloak

    hehe i think yahoo did something similar (not sure if they still do) but they had a link on the webmail page that read: "If you are not Joe Blogs click here to log in as yourself".

    Logically this makes sense, but in reality it just makes you aware of the fact that you could potentially be logged in as someone else, on public terminals at least.

    [If you are not Junkieman click here to get off my interweb]

  • Flatline (unregistered) in reply to Paula Bean

    Deleting users is ALWAYS a bad idea, especially if you use userID anywhere in your database. (logs, etc)

    I wonder, if another developer takes a look at isDeleted = "Pink", will he immediately know what it means? Absolutely not. Your suggestion is a surefire way to an application that is a horror to maintain. Statcodes are way better, especially if you use flags and descriptions.

  • Neomojo (unregistered)

    You guys arguing with Paula Bean know that it's pointless, right?

    You've bean here before and know of Paula's Brillance, surely?

  • Zygo (unregistered)

    For those of you who aren't familiar with the significance of the name "Paula Bean" or the term "brillant", please put those strings into the Search box at the top of the page and click on the "Site" button.

    Thank you.

  • (cs) in reply to CiPHER

    I'm glad I got a new frame-based sarcasm detector...

  • Chris Hayes (unregistered) in reply to Goplat

    Good thought... but the union doesn't work that way.

    The union means both table searches happen, and that table scan happens every time no matter what, since now there's two searches: one on the user password (optimizable), and one on the invitation password (not optimizable).

  • David (unregistered)

    wtf why aren't isActive and isDeleted just combined in an enum. Status = isActive would be a better choice imo.

  • (cs) in reply to Paula Bean
    Paula Bean:
    Ok so i see some of you are confused with the simple elegance of actually deleting a user when they are to be no longer available to the app...
    Yes... quite similar to the simple elegance of actually deleting a spouse when they are to be no longer a marriage partner.
    Paula Bean:
    So applying it to your example: you want to be able to show a treating doctors name on the patient record...well it stands to reason that when the doctor treats the patient the doctors name should be copied from the doctors record over onto the patients record...come on....its not rocket science...why would you want to go clutering up your database with old deleted data...
    Want to guess how many Dr. Joe Smiths there are? I see you're one of those self-described "skilled programmers who never use a database".
    Paula Bean:
    Oh yeah and that referential integrity thing...yeah we had some problems with that...but i solved that one as well, and significantly improved database performance at the same time....we removed all those uneccesary constraints that some noob had added.
    ...and you use empty catch blocks to prevent errors.
  • Zygo (unregistered) in reply to Cloak
    Cloak:
    crxs:
    jgayhart:
    I dunno. It might be possible to have an account that is not active nor deleted.
    ... until someone opens the box?

    just like Schrödinger's cat before you don't know if the user is existing or not :)

    Schrödinger's thought experiment actually suggested that the user exists and doesn't exist for a considerable interval of time (i.e., for minutes or hours, not femtoseconds).

    This is an important part of the thought experiment--if there was a single outcome of the experiment (deleted or not) and you just didn't know which outcome had occurred, the Copenhagen Interpretation wouldn't conflict with common sense. CI requires both apparently distinct states to occur simultaneously, which is why quantum mechanics is so counterintuitive to lay people.

    OTOH, we don't know the business requirements. For all we know, they've got a large number of users who live in opaque steel boxes with timers, Geiger counters, explosives and/or poisonous gases, so the database has to support users in these exotic superpositions of quantum states.

  • Zygo (unregistered) in reply to Chris Hayes
    Chris Hayes:
    Good thought... but the union doesn't work that way.

    The union means both table searches happen, and that table scan happens every time no matter what, since now there's two searches: one on the user password (optimizable), and one on the invitation password (not optimizable).

    Well, yes and no.

    The first part of the union can be optimized into an index scan (if there is an index, the optimizer supports automatic optimization by using index scans, etc).

    The second part is more interesting. SQL semantics require the WHERE condition to behave as if it was tested on every row in the table. It is possible to optimize this if (and only if) the database can logically prove that doing something other than scanning the whole table always produces the same result. For constant boolean expressions this is fairly straightforward, but for expressions involving UDFs it's not so simple. This is why "SELECT * FROM foo WHERE id_field = some_random_id()" behaves so differently from the way novices expect.

    UDFs on some database systems can be marked as volatile or not, so aggressive optimization is still possible (but given the coding skill displayed so far, not likely).

  • Ben (unregistered) in reply to campkev
    campkev:
    AdT:
    Storing plain text passwords in the user database is not such a bright idea either
    Ok, I'll bite. How can you tell from this that the password is stored in plain text?
    While it wasn't explicitly stated, yes, the passwords are stored in plain text.
  • Ryan (unregistered) in reply to Paula Bean

    The first rule of data storage is that deletion is the last resort. Archiving old user data and utilizing changelogs in databases are key to a smoothly running application.

  • obvuscatesql (unregistered) in reply to Paula Bean

    It's awesome when tables are named using sql keywords and columns are named using sql system function names. :D

  • (cs) in reply to Paula Bean
    Paula Bean:
    OMG...why would you waste all that space of an extra flag?

    If you want to store something to show if the account is currently active AND whether its deleted...you just need to use a single isDeleted String!!!

    if isDeleted = "Yes" then the user is not active. else if isDeleted = "Pink" then they're not.

    To a fellow employee of Turkish origin:

    me:
    Ünal, I'm getting compiler warnings in your code:
    gcc -O -Wall -pedantic -c modConfig.c
    modConfig.c: In function `sym_createModConfig':
    modConfig.c:126: warning: overflow in implicit constant conversion
    modConfig.c: In function `handleConfigRequest':
    modConfig.c:350: warning: comparison is always false due to limited range of data type

    Here's the code:

    126    theCfg->originalEchoState = ES_UNKNOWN;
    350    if ( theCfg->originalEchoState == ES_UNKNOWN )

    I had a look at originalEchoState and it's a bool. And here's the definition of ES_UNKNOWN:

    #define ES_UNKNOWN 0xBD  /* echo state */ 

    You're putting 0xBD into a bool? What is the meaning of 0xBD, and why try putting it into a bool?

    Ünal replied.

    Ünal:
    Needed a value that is different than 0 or 1 and chose 0xBD meaning BAD. Somehow I skipped those warnings, anyway they will be fixed soon.

    Of course! Why didn't I think of that??? 0xBD needs no comment because it's bloody obvious!

    I don't know why I'm getting so upset. After all, since then he's fixed it:

    126	#define ES_UNKNOWN ((Bool)0xBD)  /* echo state */

    me bangs head on wall...

  • Jay (unregistered)

    I once came across a piece of code that said:

    ResultSet rs=stmt.executeQuery( "select userid from userlist where userid='"+userid+"' and pswd='"+pswd+"'");

    Where userid and pswd came straight from the input screen. Then it checked if any records were returned.

    So, umm, what if a user enters someone else's userid, and a password of, say, "whatever' or 'hello'='hello". (Where the single-quotes are part of what they type and the double quotes are not.)
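    As an added illustration of the point in this comment (not code from the thread or from the application it describes), here is the concatenated query beside a parameterized version, run against a constructed in-memory SQLite table; the table name, column names and sample rows are assumptions.

    ```python
    import sqlite3

    # Constructed sample schema and rows. Passwords are stored in plain text
    # here only to reproduce the lookup under discussion; a real system would
    # store a salted password hash and compare in application code.
    SCHEMA = """
    CREATE TABLE userlist (
        userid     TEXT PRIMARY KEY,
        pswd       TEXT NOT NULL,
        is_active  INTEGER NOT NULL,
        is_deleted INTEGER NOT NULL
    );
    INSERT INTO userlist VALUES ('alice', 'correct horse', 1, 0);
    INSERT INTO userlist VALUES ('bob',   'hunter2',       1, 0);
    """

    def make_db():
        conn = sqlite3.connect(":memory:")
        conn.executescript(SCHEMA)
        return conn

    def login_concat(conn, userid, pswd):
        """The pattern quoted above: user input spliced into the SQL text.
        Returns True when the query matches at least one row."""
        sql = ("select userid from userlist where userid='" + userid +
               "' and pswd='" + pswd + "'")
        return conn.execute(sql).fetchone() is not None

    def login_param(conn, userid, pswd):
        """Hardened form: the driver binds the values, so quotes in the input
        are data, never SQL syntax. Also honours the active/deleted flags."""
        sql = ("select userid from userlist where userid=? and pswd=?"
               " and is_active=1 and is_deleted=0")
        return conn.execute(sql, (userid, pswd)).fetchone() is not None

    if __name__ == "__main__":
        db = make_db()
        bogus = "whatever' or 'hello'='hello"   # the input from the comment
        print("concat, bogus password:", login_concat(db, "alice", bogus))  # True
        print("param,  bogus password:", login_param(db, "alice", bogus))   # False
        print("param,  real password: ", login_param(db, "alice", "correct horse"))  # True
    ```

    With the concatenated form the WHERE clause becomes `(userid='alice' and pswd='whatever') or ('hello'='hello')`, which is true for every row, so the "any records returned?" check passes.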

  • (cs) in reply to Chris Hayes
    Chris Hayes:
    Did nobody else notice the unnecessary union on the same table?!

    Ignoring all the other wtfs in this post, couldn't the query have just been:

    SELECT USER_ID, FIRST_NAME + ' ' + LAST_NAME AS FULL_NAME, EMAIL, PSWD FROM USER WHERE (IS_ACTIVE = 1) AND (IS_DELETED = 0) AND (EMAIL = @EMAIL) AND ((PSWD = @PSWD) OR (DBO.GET_INVITATION_PWD() = @PSWD))

    I know I'm not missing anything. ;)

    God I hate to wade into this one... but this is the only intentional circumstance I've been able to come up with so far for using a self-referencing Union with different filter criteria to generate this type of result set (*and please, I am in no way condoning this type of behaviour):
    1. Take one database with no pk
    2. Add duplicate e-mail/password records
    3. Inject into code that borks with multiple rowset results
    4. Mix thoroughly with a DBA that can't remember the DISTINCT keyword
    5. And then voi...

    Oh forget it. Even that doesn't make sense... this sh%t is just nonsense.

  • (cs) in reply to Paula Bean
    Paula Bean:
    Ok so i see some of you are confused with the simple elegance of actually deleting a user when they are to be no longer available to the app...

    So applying it to your example: you want to be able to show a treating doctors name on the patient record...well it stands to reason that when the doctor treats the patient the doctors name should be copied from the doctors record over onto the patients record...come on....its not rocket science...why would you want to go clutering up your database with old deleted data...

    Oh yeah and that referential integrity thing...yeah we had some problems with that...but i solved that one as well, and significantly improved database performance at the same time....we removed all those uneccesary constraints that some noob had added.

    k... There are two things I like about your posts:

    1. People seem to be glossing over the pseudonym you're posting under (nice touch, BTW)
    2. No one seems to get that your posts are tongue-in-cheek, posted from the point of view of your alter-ego

    /Many people here need to have their sarcasm-detectors readjusted...

  • (cs)

    Why did they use a UNION in this case anyway? Doesn't their SQL implementation support `OR'?

  • (cs) in reply to Zygo
    Zygo:
    Cloak:
    crxs:
    jgayhart:
    I dunno. It might be possible to have an account that is not active nor deleted.
    ... until someone opens the box?

    just like Schrödinger's cat before you don't know if the user is existing or not :)

    Schrödinger's thought experiment actually suggested that the user exists and doesn't exist for a considerable interval of time (i.e., for minutes or hours, not femtoseconds).

    This is an important part of the thought experiment--if there was a single outcome of the experiment (deleted or not) and you just didn't know which outcome had occurred, the Copenhagen Interpretation wouldn't conflict with common sense. CI requires both apparently distinct states to occur simultaneously, which is why quantum mechanics is so counterintuitive to lay people.

    OTOH, we don't know the business requirements. For all we know, they've got a large number of users who live in opaque steel boxes with timers, Geiger counters, explosives and/or poisonous gases, so the database has to support users in these exotic superpositions of quantum states.

    Don't be so condescending to us lay people.

    First of all, there's no obvious distinction between minutes, hours, or femtoseconds. Nor need there be. Who, other than the cat (provided you have a self-aware cat that would prefer to live for hours or minutes, rather than femtoseconds) would care? Superposition within a quantum probability field is superposition within a quantum probability field. Even morons like me, who rely on whatever version of common sense might be on special offer through Readers Digest at this particular time of day, can understand that.

    Secondly, there's a point to "thought experiments," otherwise they remain simply Gedankenexperimenten (I leave Ernst Mach's usage of the phrase to one side for these purposes). Einstein's "thought experiments" resulted in the Special Theory of Relativity (although not, as far as I am aware, the General). Schrödinger's Cat resulted in nothing more than an amusing joke at cocktail parties for theoretical physicists and associated dweebs.

    Incidentally, what was the cat's point of view on the observer outside the box?

  • Don (unregistered) in reply to Jay
    Jay:
    I once came across a piece of code that said:

    ResultSet rs=stmt.executeQuery( "select userid from userlist where userid='"+userid+"' and pswd='"+pswd+"'");

    Where userid and pswd came straight from the input screen. Then it checked if any records were returned.

    So, umm, what if a user enters someone else's userid, and a password of, say, "whatever' or 'hello'='hello". (Where the single-quotes are part of what they type and the double quotes are not.)

    Congratulations. You have just discovered SQL Injection - http://en.wikipedia.org/wiki/SQL_injection.

  • David (unregistered) in reply to Paula Bean

    That's an awfully simplistic way of looking at things.

    The IsActive flag is to verify that all the "necessary" account information is in place and maybe that their email is validated or something similar. It can serve a completely different purpose than IsDeleted. Now, the state never should be Active and Deleted, but it's just good defensive programming.

    Secondly, I'd hate to see your code if you're just deleting things willy-nilly. Hopefully nobody ever accidentally disables their account and has to call you for support to re-activate it.

    ...Jeeze you like to make things unrealistically simple.

  • tobi (unregistered) in reply to Paula Bean

    Paula Bean:
    What? Oh well yeah i remember that requirement that you need to be able to restore a deleted user if they were deleted by accident....Yes ofcourse my solution fullfills it...after all thats what database backups are for... and we definately do one of those....were very particular...each morning i check that the back up tape has been ejected...ie backup succesfull and then i push it back in to make sure its all ready for the next one.....

    Are you a ghost writer for Alex?

  • MinimumWage (unregistered) in reply to Paula Bean
    Paula Bean:
    OMG...why would you waste all that space of an extra flag?

    If you want to store something to show if the account is currently active AND whether its deleted...you just need to use a single isDeleted String!!!

    if isDeleted = "Yes" then the user is not active. else if isDeleted = "Pink" then they're not.

    To indicate the deleted state, well heck you never heard of DELETE FROM...? we can just remove them from the database. If its there its not deleted...Come on thats obvious...

    What? Oh well yeah i remember that requirement that you need to be able to restore a deleted user if they were deleted by accident....Yes ofcourse my solution fullfills it...after all thats what database backups are for... and we definately do one of those....were very particular...each morning i check that the back up tape has been ejected...ie backup succesfull and then i push it back in to make sure its all ready for the next one.....

    ... Jeeze you lot like to make things complicated.

    And how would you refer to an account that is not activated, nor deleted? I would question you further, to demonstrate the inanity of your comment, but I deem it unworthy of my time.

  • MattK (unregistered) in reply to Paula Bean

    Actually, DELETE FROM is generally bad practice. Perhaps you want to drop that user, but want to retain records linked to this user.

    For instance user may have unpaid expenses linked elsewhere. You may want to retain records to sue his/her a$% later, who knows.

    Good SQL practice is generally to mark something as 'Deleted', or perhaps to have an inactive date.

  • Bonk (unregistered) in reply to Paula Bean

    Paula Bean

    And tape backups always work so perfectly.

Leave a comment on “Easy Authentication”
