Admin
"[...]plagiarized it[...]"
this statement makes my day :-D
Admin
I could have written most of that by my third quarter at school and the rest well before I graduated. Their technical interviewer must still be struggling with the concept of static.
Admin
Outrageous!
Admin
Makes you wonder what kind of answer they would have considered "just good enough".
String concatenation is making one string out of two strings?
WTF indeed.
Admin
"What is your favorite color?"
"Blue, I mean red...aaarrrgghhh!"
Admin
Jeez, this happens so often.
Do human resources or managers ever get a clue?
Maybe instead of having HR hire/screen people, it should be technical people doing that job for technical employees; then, if they pass the tech guy's screening, the manager decides whether or not to hire.
A lot less time, money and frustration would be going on...
Admin
I wouldn't want that job either. And it's somewhat appropriate that my CAPTCHA was alarm :)
Admin
WTF:
Can I say SQL injection? That would be why I wouldn't have hired him.
Admin
We know that somebody, somewhere had to write it; otherwise, it couldn't be plagiarized. For no discernible reason, we just choose to assume that someone is not you.
Admin
I think Pete the PHP guy should wait a month or so and then let ConcatCorp know they've been PUNK'd on WTF. :o)
Admin
I think the really stupid part is they are doing this by email. Anyone could have googled an answer.
Admin
PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.
Admin
LOL, that's funny. Yep, no more dynamic SQL generation...
So tell me, you don't know how to prevent SQL injection and use dynamic SQL? Indeed there is someone that wouldn't be hired....
Admin
I was thinking this too. However, in answering the question I probably would have given a SQL concat example as well. It's a "real world" problem that can have concatenation applied to it.
The part that disturbs me is that Peter said he does that all the time on real projects. That should be a little bit of a WTF.
The main WTF is the company thinking he plagiarized it. Yeah, because no one on the planet could come up with a concat definition eye roll
Admin
The most ridiculous aspect was that this was ostensibly a PRE-SCREENING question. If they'd hauled him in they would have seen that he knew his stuff. Heck, if they'd given him a phone call and quizzed him for 5 minutes they would have seen he knew his stuff.
The second-most ridiculous aspect is that if they choose not to trust the results from the screening question in a case like this, then a moment's thought would have revealed to them that they need a new pre-screening process. The old one is unable to distinguish between someone ignorant but unscrupulous and someone extremely knowledgeable. That's about as broken as you can get.
Admin
Hey, that's the same definition you get when you Google for "php concatenation" and click the "I'm Feeling Lucky" button.
Made you look!
Admin
I would have, had you not written 'Made you look!'
Admin
PHP5 does support parameterized queries.
captcha: digdug -- man that was a good game.
Admin
Your web apps must be very static.
It's not difficult to "fix" whatever comes in first before passing it on to the SQL command. Any developer worth their salt knows this.
-- Seejay
Admin
I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.
I am curious how you do insert statements without dynamic data...
Admin
you can use the following:
<?php $sql = sprintf( "SELECT article_id, article_body FROM Articles WHERE author_id = '%s' ORDER BY article_date DESC", addslashes($User->getID()) ); ?>

you can also use the following if it is a MySQL db: mysql_real_escape_string($User->getID())
sure, the above aren't the standard "." method of concatenation, but it is concatenation AND a cure for SQL injection.
Admin
Bind variables
Admin
At least the question made sense!
A year ago I applied for a contracting job with a local company. I was told that I had to take a specific JavaScript aptitude test online, through a service which manages these sorts of tests; once I began I would only have a half-hour to finish, I couldn't change an answer once given, my time spent on each question would be recorded, etc.
The test turned out to be extremely difficult. The difficulty was entirely in trying to decipher what the test-maker actually meant for each question. Many of the questions didn't make sense or weren't in complete sentences or didn't use anything approximating valid grammar; others were so awkward that I couldn't tell whether the test-maker was trying to be coy and make a joke or whether he just couldn't get his point across.
I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.
I was told that I had scored 'impressively high' on the test. Still, I wasn't offered an interview, and I never got any farther with the company.
I think they didn't want someone who had a good command of the English language or who had a tendency to identify problems and offer solutions to them.
Admin
Something similar happened to me in school. We were asked to do a research paper on a topic in security, which just happens to be my specialty. So I did a detailed overview of several different security vulnerabilities (stack overflow, etc) with detailed information on why it's exploitable, and even a demonstration of an exploitable program and the exploit for it. I got an A+.
The next year, my friend took the course. Apparently, when given the paper, they were told "No more than 10 pages. Last year, we had an issue with some plagiarism." Apparently, although she couldn't prove it, the prof thought my paper had been plagiarized!
Admin
The REAL WTF is that common sense (I know, it's severely lacking) would have been to call him up and TALK to him about it (or better yet call him in for an interview!), not automatically assume he's lying and plagiarized his response, and thus disqualify him from consideration.
Admin
Thanks for this bit of info. PHP4 did not.
Admin
I have encountered the following statements:
a) in defense of PHP: PHP does support parameterized queries
b) in defense of intermingling SQL code and data using string concatenation: PHP does not support parameterized queries
Both can't be right. I suppose actually a) is right, although most PHP users are ignorant of this fact.
And as usual, string escaping is the right answer to the wrong question, being "How do I prevent malicious users from exploiting the fact that I intermingle SQL code and data?".
The right question is: "Why would I want to intermingle SQL code and data in the first place if my development environment does not force me to?"
Admin
Hey, PLAGIARISM!!! I'm sending the Knights that say "Ni" after your @$$ immediately...go turn yourself in immediately or I'll accuse you a second time!
(Paraphrase: Best answer ever...) (Captcha: gotcha)
Admin
The guy can stretch what is a very simple concept of concatenation into many paragraphs, including the syntax of other languages and a common SQL example. He even gave an example of $User object, all of which shows he's at least half way competent.
While I wouldn't automatically assume he was aware of preventing SQL injection, I wouldn't automatically dismiss him for not knowing about it simply because he didn't mention it here.
If you're the type of person that dismisses someone because they write an essay but miss out a word, then I really hope I never have to work for you.
Admin
This is what I was thinking, too. Though, maybe they had other reasons for dismissing him and didn't want to tell the truth. E.g. they might have thought him overqualified for the job and thus (probably) too expensive. Then maybe they were simply the morons that they appear to be.
Admin
addslashes escapes ' as \', but the standard way to escape single quotes in SQL is to double them: '' (that's two single quote characters, not one double quote character).
So if proper string escaping is as simple as sitting on a couch, here is the first example of someone who puts his head on the seat and his bottom on the back of the couch. (scnr!)
Admin
Haha, the real WTF is about all the morons in here that doesn't know about parameterized queries :)
Admin
Remember, the company's goal isn't to find you a good job, it's to find a good candidate for themselves.
Particularly when the labor market gets thin, you find some absolute and completely useless people taking up your time.
Admin
I'm absolutely amazed at the number of so-called programmers who completely fail to grasp the concept of escaping or encoding as relates to SQL and injection attacks.
Properly encoding (escaping) the strings you embed is the key.
And you will be mingling SQL with data whether you like it or not - it's just a question whether you should use a magical black box of parameterization (which likely will be slightly faster) or concatenation.
Vote-ups to Dwayne and the original WTF.
Admin
PHP has always supported parameterized queries for some databases (although not mysql which I'm guessing is what you meant), there was just no standard. Most of us programmers have been using PEAR::DB or PDO (shipped with 5.1) to get parameterized queries in PHP for several years now.
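The query from the sprintf/addslashes comment above, run in four forms (raw concatenation, addslashes(), the driver's PDO::quote(), and a bound parameter) against an in-memory SQLite database. This is an added example, not code from the thread; it assumes the pdo_sqlite extension is available and constructs its own table, rows and author id.

```php
<?php
// Added example, not code from the thread. It runs the concatenated query from the
// comments in four variants against an in-memory SQLite database via PDO, so no
// MySQL server is needed. The table, rows and the author id are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Articles (article_id INTEGER, article_body TEXT, author_id TEXT, article_date TEXT)");
$db->exec("INSERT INTO Articles VALUES (1, 'hello', 'O''Brien', '2007-01-01'), (2, 'world', 'smith', '2007-01-02')");

// Runs a query and returns the matching article ids, or the SQL error message.
function articleIds(PDO $db, string $sql, array $params = [])
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

$authorId = "O'Brien";   // ordinary data that happens to contain a quote
$select   = "SELECT article_id FROM Articles WHERE author_id = ";
$order    = " ORDER BY article_date DESC";

// 1. Plain concatenation: the quote in the data ends the string literal early,
//    so the rest of the value is parsed as SQL and the statement fails.
$raw = articleIds($db, $select . "'" . $authorId . "'" . $order);

// 2. addslashes(), as suggested in the thread: produces 'O\'Brien', which is MySQL's
//    backslash escaping. SQLite (and standard SQL) doubles quotes instead, so this
//    still fails; the escaping rule belongs to the database, not to PHP.
$slashed = articleIds($db, $select . "'" . addslashes($authorId) . "'" . $order);

// 3. The driver's own escaper: PDO::quote() adds the quotes and doubles the inner one.
$quoted = articleIds($db, $select . $db->quote($authorId) . $order);

// 4. A bound parameter: the value is never spliced into the SQL text at all.
$bound = articleIds($db, $select . "?" . $order, [$authorId]);

$results = ['raw' => $raw, 'addslashes' => $slashed, 'PDO::quote' => $quoted, 'bound' => $bound];
foreach ($results as $label => $result) {
    printf("%-11s %s\n", $label . ':', is_array($result) ? json_encode($result) : $result);
}
```

Only the PDO::quote() and bound-parameter variants return article 1; the first two fail at parse time, which is the same failure an attacker-controlled value would turn into a changed query.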
Admin
I wouldn't hire him either. Instead of answering the simple question he proceeded to give them a lecture. It shouldn't take that much space to explain concatenation. The back of a postage stamp would offer too much space.
A long winded answer like that shows know-it-allism. I hate people that drone on and on about unrelated stuff when all you want is a 4 or 5 word answer.
"concatenation is joining things together. I use it to put variables into sql statements."
Admin
How dare they decide he copied it before actually interviewing him!
He should have told her that he doesn't accept their accusation, and won't have the accusation they gave tarnishing his reputation. Then insist on an interview to prove he knows his stuff. Then go along, show that he knows his stuff, and demand too high a salary, and be turned down because they can't afford him instead.
Bah, they probably thought he was overqualified anyway.
Admin
Haha, the real WTF is about all the morons in here that don't know about subject-verb agreement :)
Admin
Yeah, just turn on Magic quotes :P
Admin
The PHP question could have been: You, Jeepies?
Admin
Oddly similar to a question I used to ask during interviews: Please write a C# function to concatenate 3 strings.
For example the function would be passed "Martin", "Donald", "Ritchie" and should return "MartinDonaldRitchie".
I would ask them to write the answer on a piece of paper. Only about one third of the interviewees were able to answer it, even after saying that I accepted answers in VB, C++ or any other language if they were not familiar with C#.
Admin
The problem was that they were screening for something else. Did you read this guy's answer? The type of guy that probably would be a high salaried, hard to work with, troublemaker.
They probably wanted an "average" PHP developer so they could at least guarantee some amount of leverage in pay/turnover/working hours.
Sometimes the best is only trouble.
Admin
Hey guys, why are we arguing in here about parameterized queries, when the original article was about concatenation. Even if the test taker did know about parameterized queries, going into that topic would have deviated from the point at hand, and wouldn't help answer the question.
Admin
Sadly, that is probably exactly what they were looking for.
Captcha: gygax (my stomach filled that in with voice recognition....time for lunch)
Admin
Oooh Oooh! I know that one:
return string1 + string2 + string3;
StringBuilder sb = new StringBuilder();
sb.Append( string1 );
sb.Append( string2 );
sb.Append( string3 );
return sb.ToString();
return string.Concat( string1, string.Concat( string2, string3 ) );
return string.Format( "{0}{1}{2}", string1, string2, string3 );
Admin
Just because you can work around some of the issues of a kludge doesn't make it any less of a kludge. Even when it works, string escaping is a pretty ugly hack around a nonexistent problem.
This doesn't even touch the efficiency issues with constructing SQL statements on the fly.