Admin
We are all making a lot of assumptions here as we can never know the contents of this fake getId method. So I'll tell you my assumption. I am assuming that it returns an int, so that's cleansed against XSS and SQL, and it's pretty easy to truly cleanse for that.
But in the example given we know that the author did write the method as he is the one who made it up, so that's a null point. As for all the other points... well, let's look at a built-in function within PHP like foreach. If I supply a string as the first argument to foreach it will cause an error as this is an unexpected argument type. Is this a mistake in the language design? No, it expects a specific argument type and that's what should be supplied to it by me now, in 6 months, in a year, etc. or by anyone else that uses it. The same goes for return values: if I specify that a function should return an int and someone else changes it to return a string then that is their mistake, not mine.
That's what I am saying: in the scenario I outlined it is not required and actually adds unnecessary overhead.
Admin
I love seeing comments to entries that say something like "I would have done it THIS way". Like the point of the post was to give people a reason to pat themselves on the back and feel important. /rolleyes
to the OP, you probably would have been working with schmucks just like this if they had hired you anyway.. you made out by my calculations. ;) the world is being populated by retards that value their own opinion of themselves more than anything else.
start your own business and make a living without having to serve idiots.
Admin
PHP has a newer MySQL library which supports parameterized queries with http://au2.php.net/manual/en/function.mysqli-prepare.php
Admin
Are you going to say that you'd cleanse it inside getUsername? If yes, all the negative stuff I already said now applies. Are you going to say you'd cleanse that outside getUsername (as I suggested you do for ALL getters)? If yes, then your webapp is pretty inconsistent. Sometimes you look in the getX to find cleansing, sometimes you look at what calls it: Not good design. Choose your poison, buddy. The only good solution is to cleanse everything where it matters.
Uh ok. I can see you're in this discussion to pick apart insignificant technicalities instead of actually learning something. Are you now? Maybe you should give a reason and an example for this statement like I'm doing.
Admin
Dude you all are some serious nerdz----
Keep on nerdin' YO!
Admin
I agree almost completely.
I would have looked for 2-3 sentences though, 4-5 words isn't enough to show aptitude and understanding of the concept.
Admin
Only just...
Admin
You can do it in PHP, too:
$db = new PDO('mysql:host=localhost;dbname=test', $user, $pass);   // $user and $pass are assumed to be set earlier
$stmt = $db->prepare("SELECT a FROM t WHERE b = ?");
$stmt->execute(array($aString));   // $aString is bound to the "?" placeholder, never spliced into the SQL text
foreach ($stmt as $row) {
    // blah blah
}
Admin
The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_-@ ]+$ and you'd be proof against sql injection.
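The default-deny approach described above, as an added example that is not part of the original thread: every field gets one allow-list pattern and anything that does not match is rejected. The field names, patterns and sample inputs are illustrative choices made here, not taken from the thread; the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread: a default-deny validator.
// Each field has one allow-list pattern; a value that does not match is
// rejected before it reaches a query or a template. Field names and
// patterns are illustrative.
//
// Pattern notes: inside a character class a bare "-" between two characters
// denotes a range, so the "[a-zA-Z_-@ ]" quoted above contains a reversed
// range "_-@" (a compile error in PCRE) rather than three literal characters.
// Put "-" last or escape it. The "D" modifier makes "$" match only at the very
// end of the string; without it "$" also matches before a trailing newline.
const FIELD_PATTERNS = [
    'user_id'  => '/^[0-9]+$/D',
    'username' => '/^[a-zA-Z0-9_@ -]+$/D',
];

/**
 * Returns the value when it matches the field's allow-list; throws otherwise.
 * Anything not explicitly allowed is rejected, which is the default-deny rule.
 */
function validateField(string $field, string $value): string
{
    if (!array_key_exists($field, FIELD_PATTERNS)) {
        throw new InvalidArgumentException("no validation rule for field '$field'");
    }
    // preg_match() returns 1 on a match, 0 on no match and false if the
    // pattern itself is invalid; only a clean 1 is accepted.
    if (preg_match(FIELD_PATTERNS[$field], $value) !== 1) {
        throw new UnexpectedValueException("rejected value for field '$field'");
    }
    return $value;
}

// Constructed inputs: the first two are accepted, the rest are rejected.
$samples = [
    ['user_id',  '42'],
    ['username', 'peter_b'],
    ['user_id',  '42abc'],        // not digits only
    ['user_id',  "42\n"],         // trailing newline, caught by the D modifier
    ['username', "O'Brien"],      // apostrophe is not in the allow-list
    ['username', ''],             // "+" requires at least one character
];

foreach ($samples as [$field, $value]) {
    try {
        validateField($field, $value);
        printf("accepted %s=%s\n", $field, var_export($value, true));
    } catch (UnexpectedValueException $e) {
        printf("rejected %s=%s\n", $field, var_export($value, true));
    }
}
```

The rejection of "O'Brien" shows the cost of a tight allow-list: it shrinks the attack surface, but it also turns away legitimate names, which is why validation is a complement to parameterized queries rather than a replacement for them.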
Admin
God, is there anything more tiresome than a bunch of hypercompetitive developers arguing over who can write the best, tightest code -- and how every other programmer doesn't know what he's talking about.
Grow up boys.
Admin
Exactly what I was thinking. If somebody had to write it - why not this guy? Weird.
Admin
You mean the act of lowering yourself onto a couch or the process of staying seated on the couch. If you meant the latter, you're doing something wrong.
Captcha: sanitarium, where I'll no doubt end up.
Admin
the real WTF was that they didn't ask him the question over phone directly lol.
Admin
No, I googled the "PHP Pear DB API", which supports dynamic SQL prepare & execute steps. The prepare allows the plain-old '?' parameters. I have written less than one full PHP file.
More people should use search engines to prove their points. If we can cheat on hiring exams, then let's just use it to know our stuff.
Admin
like this you moron:
function insertNewUser($name) {
    if ($name == 'Bob') {
        $db->query("INSERT INTO tbl_users (name) VALUES ('Bob')");
    } else if ($name == 'Lisa') {
        $db->query("INSERT INTO tbl_users (name) VALUES ('Lisa')");
    } else {
        die('Hacking attempt!!!!');
    }
}
Admin
I would not have hired you either. Your response was way too lonnnnnngggggggggg. People are idiots. Keep it short and simple. Also the person who called you back probably had no idea what you were talking about.
Admin
LOL great one.
Reminds me of this comic: http://pbfcomics.com/?cid=PBF225-Casting_Call.jpg#210
Admin
Sir, I would like to shake your hand for making my night.
Good day.
Admin
Numeric types? Yes. Booleans? Sure. A-Z0-9? Yeah.
Now try taking someone's blog post and ensuring that it only has the proper tags. Only certain attributes. And no javascript in script tags. And no javascript in attribute values. And no PHP. And no UTF-7 XSS attack. And it needs to support unicode. And, and, and...
No, it can most certainly be hard to validate (or worse, screen/convert) certain kinds of input.
Admin
After you reach a certain level of maturity, you develop an intuitive understanding of the important bits and how much effort to apply. Our subject, like many enginerds, is not there yet. And the employer? Who knows.
gak
"When you have learned to snatch the error code from the trap frame, it will be time for you to leave." - The Tao of Programming
Admin
Well he is a PHP programmer, that makes it unlikely that he would be able to answer it.
Isn't fanning flames fun?
On a more serious note, I imagine this isn't too uncommon. Employers don't want to hire overqualified candidates because they will be likely to leave as soon as something better comes up. Granted, asking this particular question is a bit silly, but it does sort of sound like he spent way too much time answering it. And including a potential SQL injection vulnerability in your response couldn't have helped (yes, it's still possible to have that execute safely, but please, at least mention that you would be sure to do that)...
Admin
That answer IS in fact very good. I have to remember it next time I'm asked about concatenation.
Admin
Wow.. I didn't mean to hijack this whole discussion into a flamewar about SQL injection.
The example of building this SQL query was fine as an example of string concatenation. What I was referring to was his comment about how he seems to build all his web applications that way.
PHP supports parameterized queries. PEAR::DB does and has for quite a while now. A bit of advice: Use Google before proclaiming that something absolutely can or cannot do something.
I know that $User->getID() probably sanitizes the variable to ensure it's an integer, but it's still a bad habit to make these sorts of assumptions.
Admin
...sigh. Generally, when you apologize for starting a flame war, you shouldn't continue to fuel it. Accept that (many in this case) people disagree with you.
Admin
As a newb who has wondered this for a while, can you give an example of string escaping?
Admin
Why bother? It degrades database performance and doesn't prevent all forms of SQL injection. It is astoundingly bad practice, given that parameterized queries have been around for eons.
The real WTF is the number of 'developers' that still defend the practice.
Admin
Can't believe people are finding this surprising. When companies come to my college campus for placements, everyone goes through this dilemma whether to say sufficient, more, or even wrong. Many of my friends got kicked out of the interview because they were too good for the company.
Admin
I don't see anything that indicates that he didn't sanitize the input first...
Admin
Ok, funny thing: my name is Peter, my family name starts with B, I worked as a php dev and in 2005 I changed my job. Of course, the story has nothing to do with me :D But I was confused for a couple of seconds when I started reading.
Admin
That would have been rash, given that the topic wasn't security but concatenation. Examples should always go easy on irrelevant stuff, for clarity. Imagine that snippet bloated with anti-injection stuff - the point would be completely lost.
Of course, it's mostly their loss (the morons), but still Peter made an effort and they shat on it. They deserve some public shame.
Thinking of which - what's with this zealous anonymization anyway? Give us company names, give us public ridicule. At least when it's as deserved as this.
Admin
Reminds me of one that happened to me...
I had to take a test as the first stage of an interview for a lead dev gig with a large telco. It was a complete doddle, and I apparently got the highest score of anyone they had interviewed. Needless to say I got the job.
Only once I'd joined did I tell them how I'd achieved such a score - I'd written the test! Someone from my previous employer had obviously 're-used' it.
Admin
... and now repeat with me: BIND VARIABLES, BIND VARIABLES, BIND VARIABLES... You can continue for the next three days...
Admin
"Cake or Death?" "Death...no, wait, Cake."
Skizz
Captcha: "sanitarium" - probably where they need to go.
Admin
I call BS. No company calls you back to tell you that you didn't get the job. Funny story, but probably not true.
Admin
No, treating it as a string would return a space separated string (not what was asked for).
Admin
This is the answer I was waiting for. Ryan you got THE point. Who wants to have somebody who is talking and talking but maybe won't understand that his boss wants the simple answer (and then goes back to work: allez, go, go, go, and implement it...)
Admin
I was going to say something similar.... that this is a case of trying too hard. If I were the screener, I'd be looking for a shorter down-to-earth answer, rather than a mini-thesis on concatenation that wanders into other programming topics just for the sake of impressing with the knowledge. Granted, in a job interview situation you want to sell yourself and demonstrate your knowledge, but there's a lot to be said for just answering the question and leaving it at that.
Admin
Sue! :-)
Admin
Hahahahaha! I once went for an interview at a well known energy company in the UK, and was firstly interviewed by the techies on the energy trading team... This is where I knew I had the job, being technically astute and impressing the hell out of them...
Then the HR interview...
Considering my (would be) bosses asked HR to bypass this stage, the outcome is quite funny. They made me do role play. ROLE PLAY??? The job was for Senior Developer on the trading floor.... WTF?? So anyway, at that point I mentioned that perhaps this wasn't too relevant to the job I was going to be doing (the role play was on something really random, can't remember now). I then said that I am glad I didn't do drama at school / college and concentrated on academic subjects......
I didn't get the job.
Funny thing is, the next job I did get was for a very well respected software company whose products are the world leaders in investment banking and asset management. Think HR at Gentrixa should all be fired, as they could have hired me for a lot less money than I am paid now! HAHAHAHA!
That's what HR should be called - HAHA!
Captcha - mentalist (sanitarium)
Admin
That's why good php developers use a DB library like ADODB (http://adodb.sourceforge.net/) that supports it and is DB neutral. Bye Bye SQL injection, hello reusable functions and a LOT of extra utility functions.
Admin
Talk about tiresome comments. Who cares about the SQL injection possibility! It was just an example of concatenation, one that he didn't even need to include. Get over it already!
Admin
That code sample he made makes it possible for SQL injection attacks. Lol
Admin
This actually could be grounds for a lawsuit. This is why employers give out form letters when letting you know you didn't get a job, and won't state specific reasons.
"Your qualifications are impressive, however, we have decided to pursue other candidates"
Same thing happens if an employer calls one of your old jobs for a reference, 99.9% of the time anymore a smart business will only answer questions that are absolutely able to be objectively evaluated.
"How many times were they late to work, how many sick days, what were their sales figures"
Questions like:
"How did they perform at ____ task?"
Can lead to subjective answers, then a fun slander lawsuit.
Admin
Just a little reminder for people who use packages like PEAR::DB to prepare MySQL queries since this improves performance - thing is, even PEAR doesn't do this properly, it simulates the expected behaviour by doing string escaping. Sorry!
If you want to do it properly, use PDO or mysqli.
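The request earlier in the thread for an example of string escaping, and the reminder just above that an emulated "prepare" is really escaping under the hood, are both covered by the following added example, which is not code from the original thread. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension) so that it runs without a MySQL server; the table, the rows and the inputs are constructed here, and the MySQL-only setting is shown in a comment.

```php
<?php
// Added example, not from the original thread. It uses PDO with an in-memory
// SQLite database so it runs without a MySQL server; the MySQL-specific
// setting is noted in a comment. It shows the three approaches argued over
// above: concatenation, manual escaping and bound parameters.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also disable client-side emulation so the server
// receives a real prepared statement instead of an escaped, interpolated one:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'Peter'), (2, 'Lisa'), (3, 'O''Brien')");

// (1) Concatenation: the input is spliced into the SQL text and parsed as SQL.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// (2) Manual escaping: doubling each single quote keeps the value inside the
// string literal. A "prepare" emulated on the client boils down to this.
function escapeSqlString(string $value): string
{
    return str_replace("'", "''", $value);
}

function findByNameEscaped(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . escapeSqlString($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// (3) Bound parameter: the value travels separately from the statement text,
// so it is never parsed as SQL.
function findByNameBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "O'Brien";   // a legitimate value that happens to contain a quote
try {
    findByNameConcat($db, $name);
} catch (PDOException $e) {
    echo "concat:  query fails on an ordinary apostrophe\n";
}
echo "escaped: " . count(findByNameEscaped($db, $name)) . " row\n";
echo "bound:   " . count(findByNameBound($db, $name)) . " row\n";

// Escaping only works inside a quoted literal. An unquoted numeric comparison
// such as "WHERE id = " . $id gives it nothing to act on, so a numeric value
// has to be validated (or cast) and then bound, not escaped.
function findByIdBound(PDO $db, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new UnexpectedValueException('not an integer id');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "id 2:    " . count(findByIdBound($db, '2')) . " row\n";
try {
    findByIdBound($db, '2 OR 1=1');
} catch (UnexpectedValueException $e) {
    echo "id '2 OR 1=1' rejected before reaching the database\n";
}
```

Running it prints one row for the escaped and the bound lookups of "O'Brien" while the concatenated version fails on the apostrophe; the last two lines show that escaping has nothing to escape in an unquoted numeric context, which is where the integer check and the typed bind take over.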