• (cs)

    Bind variables? How do you guys insert data into the db? "Please select your bank account number from the list"?

  • Gijs (unregistered) in reply to Jesse

    Woh, you're jumping the gun here. SQL injection has nothing to do with concatenation per se. He didn't mention using user input or any other form of input that could be altered by someone with bad intentions for concatenating a query. Furthermore, even if you use user input, concatenating can still be very useful as long as you know about the risks of SQL injection and prevent them from happening.

    Concatenation of queries can easily be done without the risk of SQL injection. That would be why I wouldn't hire you.

  • sugarcoating (unregistered)

    what? hm, can I have the job, I didn't understand anything of this joke, so I couldn't plagiarize anything

  • A nanny moose (unregistered) in reply to Kiss me I'm Polish
    Kiss me I'm Polish:
    Bind variables? How do you guys insert data into the db? "Please select your bank account number from the list"?

    You were trying to be funny or just plain stupid?

    use DBI; use CGI;   # $dbh: an open DBI connection handle, $cgi: a CGI object
    my $sth = $dbh->prepare('insert into accounts(number) values(?)');
    $sth->execute($cgi->param('account_number'));
    

    Granted, that's perl (or thereabouts) but you should get the idea. Now you may freely set your account number to '; drop database' or whatever and you're SQL-injection proof. Of course you must validate the data anyway but for different reasons.

    BTW, I'm Polish too, but don't kiss me :P

  • Recoil (unregistered)

    Man what a bunch of jerks.

  • S. Nikolov (unregistered)

    I have seen worse. At university we had a test in material science, I think it was about wolfram steel. One girl had a phenomenal memory and wrote a flawless essay describing production, use, etc. I mean she remembered all sorts of percentages, chemical equations and so on. The exam was a closed-book exam, where we were guarded by a number of people against copying.

    The professor failed her, because he believed that it was impossible to write such an essay without copying.

    Again - too good of an answer.

  • Sally (unregistered)

    They missed a talented programmer

    Sal http://www.prankvideoz.com

  • Da' Man (unregistered) in reply to Scott
    Scott:
    lostlogic:
    PHP5 does support parameterized queries.
    Thanks for this bit of info. PHP4 did not.
    No, but it did, in fact, support plagiarized queries :-)
  • oracle dude (unregistered)

    I think your answer is spot on. Anything less is ... well, not really impressive though. To Concatcorp: I think I won't get any product or service from them for hiring someone with sub-par knowledge -- that's me. Peter is better off somewhere else.

  • www.orvtech.com (unregistered)

    That's bullshit! Dude, post the name of the company so we can send her some nice emails and call them to express our 'views'.

  • karlostjackal (unregistered) in reply to Cynical Bastage

    You may be right. Similar situation once for me: saw a posting on craigslist from a recruiter for a job in my city, sounded like an ideal sitch for me (apparently there aren't many Mac developers where I live). Recruiter informed me I'd have to take a test when I got there, to see if I qualified. He also mentioned it would be in an obscure, dead programming language (like Latin is a dead language), but he gave me links to the language description on the web, and I studied it. Had never heard of it before, but it was created in the 60's and - having done just about every major language since the late 70's through now - it was pretty easy to grok. Went in for the test, sat in a conference room for an hour, finished the 20-question test in 30 minutes (basically, if you can code in Z80 assembler and "think like a Z80", the test was a joke), worried about one answer but decided not to change it, and then at the end of the hour the HR person came in and went over my answers in front of me. I knew I'd gotten most of the answers right, but they were looking for 90% and you always miss something. The HR person seemed a bit shocked, and I asked him how I did. He told me I'd gotten every question right, and it sounded like I was the first person ever to do so. Then he had me take a "personality" test which showed that I was aggressive and "dominant", not surprising since (A) I am, and (B) I'd been working as a contractor for five years. I spoke with a technical guy after that, who indicated that he wanted me to talk to the company president at a follow-up interview. Didn't hear from them again. Decided I had nothing to lose, called the number of the HR guy, and was told they "went with someone else". No explanation.

    Epilogue: less than a year later the same recruiter "came across" my resume online and asked if I would be interested in this company in my city that was looking for someone with Mac skills and oh by the way they would make me take a programming test in an obscure language. I laughed at the email, called the recruiter up and reminded him of the previous year's experience. Told him that if they'd changed the HR person I might stand a better chance - the HR person seemed to have a dislike for me.

    PS: Don't recall the name of the company, but the city is Boston and the dead programming language is "MUMPS", devised in the 1960's at/for Mass General Hospital.

  • Zero (unregistered)

    OMF, that's not only funny, but the same thing happened to me.

  • Random832 (unregistered) in reply to Franz Kafka
    Franz Kafka:
    The common solution is to implement a default deny policy - decide what's allowed and reject anything else. For instance, userID could be checked against (^[0-9]+$) and username against ^[a-zA-Z_-@ ]+$ and you'd be proof against sql injection.

    right, and useremailaddr can be checked against

    [\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\
    xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(
    \040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\04
    0\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\
    n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\
    xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]
    *)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n
    \015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\(
    [^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*@[
    \040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\x
    ff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040
    )<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\x
    ff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x8
    0-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\
    n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:"
    .\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x8
    0-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xf
    f][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*|(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-
    \xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\01
    5"]*)*")[^()<>@,;:".\\\[\]\x80-\xff\000-\010\012-\037]*(?:(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([
    ^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)|"[^\\\x80-\xff\
    n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[^()<>@,;:".\\\[\]\x80-\xff\000-\010\012-\037]*)*<[\040\t]*
    (?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015
    ()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\
    ([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:
    [^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\0
    15\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*
    (?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80
    -\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\
    \x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\
    037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[
    ^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[
    \040\t]*)*)*(?:,[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80
    -\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*
    (?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015
    ()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|
    \[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([
    ^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.
    [\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\
    xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\04
    0)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\
    xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x
    80-\xff\n\015()]*)*\)[\040\t]*)*)*)*:[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff
    \n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)?(?:[^(\040)<>@,
    ;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80
    -\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\01
    5()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\
    \\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\)
    )[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\
    000-\037\x80-\xff])|"[^\\\x80-\xff\n\015"]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015"]*)*")[\040\t]*(?:\([^\\\x80-\
    xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x
    80-\xff\n\015()]*)*\)[\040\t]*)*)*@[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n
    \015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".
    \\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\[(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80
    -\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff
    ][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*(?:\.[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(
    ?:(?:\\[^\x80-\xff]|\([^\\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015(
    )]*)*\)[\040\t]*)*(?:[^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff]+(?![^(\040)<>@,;:".\\\[\]\000-\037\x80-\xff])|\
    [(?:[^\\\x80-\xff\n\015\[\]]|\\[^\x80-\xff])*\])[\040\t]*(?:\([^\\\x80-\xff\n\015()]*(?:(?:\\[^\x80-\xff]|\([^
    \\\x80-\xff\n\015()]*(?:\\[^\x80-\xff][^\\\x80-\xff\n\015()]*)*\))[^\\\x80-\xff\n\015()]*)*\)[\040\t]*)*)*>)
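    The default-deny allowlist from the quoted Franz Kafka comment, as an added example that is not code from the thread. The two field patterns are the ones quoted above, with two adjustments that are mine: the hyphen in the username class is moved to the end, because `_-@` would otherwise be read as a character range, and the patterns are applied with `re.fullmatch` instead of `^...$` anchors. A deliberately naive checker is kept alongside to show why that matters: in Python, `$` also matches just before a trailing newline. All sample values are constructed.

```python
import re

# Added example (not from the thread): default-deny allowlists for the two
# fields named in the quoted comment. Anything not explicitly allowed is rejected.
ALLOWLIST = {
    "userID":   re.compile(r"[0-9]+"),
    # Hyphen last: "[_-@]" would be parsed as a character range, not three literals.
    "username": re.compile(r"[a-zA-Z_@ -]+"),
}


def validate(field: str, value: str) -> bool:
    """True only if `field` has an allowlist and `value` matches it in full.
    fullmatch() anchors both ends without the `$` pitfall shown below."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:           # unknown field (e.g. a free-form email): default deny
        return False
    return pattern.fullmatch(value) is not None


def validate_naive(value: str) -> bool:
    """The `^...$` form quoted above, as Python's re reads it: `$` also matches
    just before a trailing newline, so "42\\n" is accepted here but not by validate()."""
    return re.match(r"^[0-9]+$", value) is not None


def screen(fields: dict) -> dict:
    """Apply validate() to every submitted field (constructed input in the usage)."""
    return {name: validate(name, value) for name, value in fields.items()}


if __name__ == "__main__":
    print(screen({"userID": "42\n", "username": "x' OR '1'='1", "email": "a@b"}))
    # every field is rejected; validate_naive("42\n") would have let the first through
```

    Allowlisting is a separate layer from bind variables: it keeps bad data out of the application, while binding keeps data out of the SQL text. The email case shows where the regex approach stops being practical, which is the joke the comment above is making.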
    
  • Joe (unregistered) in reply to Andy

    Very real possibility that they didn't want to pay enough to keep someone who really knows their stuff around.... also, the manager might be afraid of employees who are sharper than him.

  • Martin Leblanc (unregistered)

    What a crappy company!

  • Martyn (unregistered) in reply to Jesse

    I was thinking exactly the same thing.

  • Kim Bruning (unregistered) in reply to Language feature abuse is cool

    Hmph, python already has the latter built in.

    "".join(["Beep", "Boop", "Bop"])
    

    Grmbl, well at least I can still roll my own version of the former.

    def concat(*args):
        result = ""
        for arg in args:
            result += arg
        return result
    

    Argh. Just. Can't. Get. It. Ugly.

    How about lovely 6502 on an ancient Acorn 8-bitter, the Real Programmer way.

    {
    .string1%   EQUS "Beep"
    .string2%   EQUS "Boop"
    .string3%   EQUS "Fizzle"
    .start%
    LDA #&2C \ ASCII ','
    STA (string2%-1)
    STA (string3%-1)
    RTS
    }
    
    CALL start%
    print $string1%
    
    
    running gives:
    
    Beep,Boop,Fizzle
    
    

    Because EQUS creates 0 terminated strings and places them in memory sequentially, replacing the 0s with commas will effectively concatenate the strings in place. (though if you didn't want commas, you're out of luck :-P)

    Unfortunately this was for a "home computer". I'd have to think of a PDP-11 variant or something if I want to make that sound profound.... but unfortunately PDP-11 was just before my time :-(

  • pcarter (unregistered) in reply to bkendig
    bkendig:
    At least the question made sense!

    I once had an HR person in an interview ask me to "describe the use of constructors in ANSI C." I tried to explain to them that C didn't have constructors, but C++ did. Of course, they didn't know anything about programming. Their "technical guy" had created the test.

    There was also a list of desired skills. From it, they asked me if I had E-M-A-C-S experience (they spelled it out).

    Wasn't upset when I never heard from them again.

  • Tov (unregistered)

    WTF KillKillKillKill

  • charon (unregistered) in reply to Digitalbath

    it was yellow imho

  • Tim Wallner (unregistered)

    This is a common problem being faced by every company. When the pioneer employees and management are inferior in knowledge, these people make it a point to hire somebody inferior to them so as to safeguard their jobs. So the company suffers. It would be wise for every company to have their employees take some technical skill test from an outside company to check if they've employed lemons.

  • Loctar (unregistered)

    OUchhhhh.. what an answer...

  • (cs) in reply to Scott
    Scott:
    PHP doesn't support parameterized queries, so you actually have to concatenate the strings. He just left out the part where all user supplied data is passed through a method that escapes it.

    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = :lart");
    $stmt->bindParam(':lart', $lart);
    $stmt->execute();

    or

    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = ?");
    $stmt->bindParam(1, $lart);
    $stmt->execute();

    or

    $stmt = $db->prepare("SELECT foo FROM bar WHERE braz = ?");
    $stmt->execute(array($lart));

    That's PDO which finally gives you some sane db-access in PHP. It's available since PHP 5.0 (via PECL) and default since 5.1.

    http://php.net/manual/ref.pdo.php

  • Cloak (unregistered) in reply to tieTYT
    tieTYT:
    matthewr81:
    Jesse:
    WTF: Can I say SQL injection? That would be why I wouldn't have hired him..

    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...

    Well this person, just like me, probably comes from a Java/C# background. This is an excerpt of how you'd do it in java:

    PreparedStatement ps = con.prepareStatement("SELECT a FROM t where b = ?");
    ps.setString(1, aString); // bind happens here
    ResultSet rs = ps.executeQuery();
    ... // get results

    (Yes yes yes, there is no try/catch/finally here, it's an excerpt) This is how you'd escape aString in Java code. This is better than using a special, separate method called addSlashes() or whatever because that makes it easier for programmer error:

    When did addSlashes get called? Maybe it was in the function that passed aString in? Maybe it was 5 lines above the concatenation? Maybe it's done in the concatenation itself? What if you're wrong and some code gets changed and now you haven't called it at all? What if you're wrong and you called it twice (does that break things?). All these questions are avoided by the Java way of doing it. You only have one option and, fortunately, it has to be done very close to the SQL itself.

    On a side note, one thing that really pisses me off with binding is that when an error occurs, it doesn't tell you what sql it attempted to run, it spits out the sql with the ?'s in it. This makes debugging a huge pain in the ass. Maybe this is done for security reasons but there should be an option to see useful sql.

    First, fuck Java! You need a 200 MB Java engine running in the back ground just to get that stuff done. And that with some 30% more code to write. You end up with a slow program that still needs at least some 100 MB on the client just for outputting "Hello World". Why not use a decent program in VB or Delphi which has quite good GUI editors (again: Java, aarrrrgh!!!) and the final exe is just less than 5 MB. Second, there should be an option to see useful debugging information for everything not just SQL.
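    The prepared-statement pattern from the Perl DBI snippet near the top of the thread, the PDO calls further up and the Java PreparedStatement excerpt quoted here, as one added example that is not code from any of those comments. Python's sqlite3 module stands in for DBI, PDO and JDBC because it runs stand-alone; the table, its rows and the payload strings are constructed for the demonstration. The last two functions exercise tieTYT's double-escaping question with a hand-rolled quote escaper, which is an assumption of this example and not any library's function.

```python
import sqlite3

# Added example, not code from the thread. The "?" placeholder plus a parameter
# tuple plays the role of prepare()/execute(...) in DBI and PDO and of
# setString(1, ...) in JDBC: the SQL text is fixed, the value travels separately.


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (number TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1001", "alice"), ("2002", "bob")])
    return conn


def numbers_for_owner_concat(conn, owner: str) -> list:
    """Vulnerable form: the owner string becomes part of the SQL text."""
    sql = "SELECT number FROM accounts WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def numbers_for_owner_bound(conn, owner: str) -> list:
    """Bound form: the same lookup with a placeholder; quotes in `owner` are data."""
    sql = "SELECT number FROM accounts WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def insert_account_bound(conn, number: str, owner: str) -> str:
    """INSERT through bind variables; returns what was actually stored."""
    conn.execute("INSERT INTO accounts VALUES (?, ?)", (number, owner))
    return conn.execute("SELECT number FROM accounts WHERE owner = ?",
                        (owner,)).fetchone()[0]


def escape_quotes(value: str) -> str:
    """Hand-rolled addslashes-style escaper (assumed here to show the hazard)."""
    return value.replace("'", "''")


def insert_account_escaped(conn, number: str, owner: str, escape_times: int) -> str:
    """Concatenation plus manual escaping applied `escape_times` times.
    `owner` is a fixed label supplied by the caller, not user input.
    Returns what was stored: correct once, corrupted when escaped twice."""
    escaped = number
    for _ in range(escape_times):
        escaped = escape_quotes(escaped)
    conn.execute("INSERT INTO accounts VALUES ('" + escaped + "', '" + owner + "')")
    return conn.execute("SELECT number FROM accounts WHERE owner = ?",
                        (owner,)).fetchone()[0]


def demo() -> dict:
    """Run every variant against the same constructed database."""
    conn = make_db()
    payload = "x' OR '1'='1"          # classic tautology; no second statement needed
    result = {
        "concat_leaks_all":     numbers_for_owner_concat(conn, payload),
        "bound_returns_none":   numbers_for_owner_bound(conn, payload),
        "bound_stores_literal": insert_account_bound(conn, "'; drop database", "carol"),
        "escaped_once":         insert_account_escaped(conn, "O'Brien", "dave", 1),
        "escaped_twice":        insert_account_escaped(conn, "O'Brien", "erin", 2),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

    The concatenated lookup hands back every account for the tautology payload while the bound lookup returns nothing, and the bound INSERT stores `'; drop database` as the literal account number, which is the point the Perl comment makes. The escaped variants answer the "what if you called it twice" question: one pass stores `O'Brien`, two passes store `O''Brien`, and nothing in the SQL layer tells you which happened.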

  • Carl (unregistered)

    Take it from me, I'm in my 40s now. Nobody wants to work with someone smart. They just want to work with someone who would be cool to have a beer with.

    The right answer would have been- "It's when you add something to something else, like this-and-this-and-this."

    In my experience the smart people all work for the dumb people. I am not being cynical- this is how it really is. And I moved my way up in the company by making fun of the smart people and chumming around with the jocks and dummies. Now I'm CIO and I own a percentage of the company.

    My smart friends all make less than half of what I do.

  • Anonymous (unregistered)

    I was out of work a few years ago and heard about an opening with a local company. I called and went through a fairly extensive interview over the phone. They were very interested. I had all the skill sets they needed. A second phone call went well, but they needed a resume to pass around to the top brass. I agreed to drive one over the next morning since it was late in the day. The next morning I delivered the resume, took a tour of the company, and left with the assurance that I'd receive good news later in the day. The call that afternoon was quite a shock. They couldn't hire me because I was acquainted with too many people currently employed there. I never found out the reason for the sudden about face.

  • Belinda (unregistered)

    Corporations are simply out of control. . . I have been associated with this industry for the past 20 years and mostly they no longer want employees who can think, they want employees who are very compliant.

    Compliance trumps intellect far too many times. Ask yourself: Is this the type of company you would really WANT to spend 8+ hours a day with??? (PUKE)

  • Michael (unregistered)

    Typical response from supposed HR professional people who have no clue what IT workers really do.

  • Markus Diersbock (unregistered)

    On the surface I would have thought he cribbed the answer too -- it was an informal question, why not a 20 word answer?

    If I got an answer like that, I would worry that the person was answering through rote memory, rather than having an understanding the topic being discussed.

    At the very least, more emails should have been exchanged.

  • Orion Darkwood (unregistered)

    I have had two job opportunities that were similar.

    1. Employer passed me over because I was not wearing a tie; they didn't say I had to have on a suit and tie. Not to mention any company whose directions include "turn left after the junkyard, the road we are on has no name"...

    2. Employer chose someone else because I was too cute... Excuse me if I turn you on; it doesn't mean I am bad for the job.

  • Lawk Salih (unregistered)

    That's what I call bad recruiting. Sorry Pete, I guess it was your unlucky day.

  • (cs) in reply to Fixme
    Fixme:
    Thinking of which - what's with this zealous anonymization anyway? Give us company names, give us public ridicule. At least when it's as deserved as this.

    Give us absolute without-a-doubt proof that the actual incident/conversation/whatever happened exactly as written, so we can defend against the lawsuits filed against us for libel/slander/defamation of character/loss of income/whatever other reason.

    Gee, if "Fixme" was your real name, and you did something stupid, and I posted about it in a public place and exposed you to ridicule, and you lost money or whatever, would you be really happy? I'd suspect not.

  • Luke Werner (unregistered)

    Sometimes you just can't win :(

  • IT Contractor (unregistered)

    _<

    I feel your pain.

    The other one is being turned down for a three month contract because you're too senior.

    Give me the job and I'll do a good job of it.

  • san2000 (unregistered)

    What a bunch of losers... Probably the boss didn't understand your answer and that scared him. Believe me, you deserve better than being with those losers...

  • Bel-Aero (unregistered)

    I would sue them for slander/defamation.

  • Cloak (unregistered) in reply to Mr Steve
    Mr Steve:
    matthewr81:
    Jesse:
    WTF:
    SQL queries are rarely generated without some sort of dynamic data to alter their structure, so this is a very common task that I've used in just about every web application I've written.

    Can I say SQL injection? That would be why I wouldn't have hired him..

    I really hope that was a joke... if you validate your dynamic data before inserting it you would be fine.

    I am curious how you do insert statements without dynamic data...

    like this you moron:

    function insertNewUser($name) {
        if ($name == 'Bob') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Bob')");
        } else if ($name == 'Lisa') {
            $db->query("INSERT INTO tbl_users (name) VALUES ('Lisa')");
        } else {
            die('Hacking attempt!!!!');
        }
    }

    Hello Paula, back again?

  • mikko (unregistered) in reply to Robbie

    I may be in error, but doesn't the code sample shown contain a possible opening for an SQL injection attack? I learned all about them in school, and that's why I only use text files to store data - you can't attack MY code!

  • (cs) in reply to Skizz
    Skizz:
    "Cake or Death?" "Death...no, wait, Cake."

    Skizz

    Captcha: "sanitarium" - probably where they need to go.

    "Cake or death?"

    "Cake please"

    "Well, we are all out of cake"

    "So my choices are death or death?"

    "Well we didn't expect such a run on cake, we only had three pieces."

    I love Eddie Izzard

  • (cs) in reply to peaked
    peaked:
    I call BS. No company calls you back to tell you that you didn't get the job. Funny story, but probably not true.

    The company didn't call him back, his recruiter did. And recruiters will call to tell you that the company in question hired someone else.

  • (cs) in reply to Daniel Welborn
    Daniel Welborn:
    I was going to say something similar.... that this is a case of trying too hard. If I were the screener, I'd be looking for a shorter down-to-earth answer, rather than a mini-thesis on concatenation that wanders into other programming topics just for the sake of impressing with the knowledge. Granted, in a job interview situation you want to sell yourself and demonstrate your knowledge, but there's a lot to be said for just answering the question and leaving it at that.

    But on a sent home, pre-screening question, what makes you think one sentence is the right way to go. A single sentence is good for a phone screening, but for a take-home screening question, the attitude that this should be an essay question should be the norm. Otherwise why make it a take home question? Giving a single sentence on something like this could very well mean you don't feel like the opportunity is worth your time.

  • JGM (unregistered) in reply to Jesse
    Can I say SQL injection? That would be why I wouldn't have hired him..

    Wow! Do you even write code for a living? Or are you one of the hr people from that story?

    The subject was concatenation, and that's what he focused his answer on, rather than going off on a tangential discussion of user input validation and sanitizing data.

  • SinzenStudios (unregistered)

    I had this happen to me about a week ago as well. They stated that my answers were too academic and I didn't know a thing about any CMS nor did I have any business writing for any business. I'm sure my past clients would disagree with it all but that's just how it goes sometimes.

  • (cs)

    So, in the 'real world' (when I was on the job) if I encountered something about which I had NO understanding, what is this employer expecting me to do? I should DEFINITELY NOT do some research (on the web) to get the answer. After all, applying knowledge and experience (not to mention using the rare skill of adequately explaining it to someone else) to solving a problem is NOT the reason you were hired!!

    This sort of bureaucratic nonsense outrages me!

  • DBG (unregistered)

    Last time I applied for work I went through a hiring agency focusing on tech jobs (aka sysadmining, programming etc). This temp agency uses an online test to check your aptitude in whatever field you want to work in (Win2003 server, C#, C++, jscript, whatever).

    Dumb thing about this online site is that you can register temp accounts to "check out their tests" and I found most of them to be quite simple, except that they always put in some stuff I knew I couldn't answer, such as insane templates and pointers and what not.

    This was aptly solved with the use of a debugger to freeze the firefox.exe instance running the website (which in turn froze the timer on the test), which gave me a couple of mins to google whatever I had problems with :P Turned out I scored very high on all tests and it landed me a $35/h job.

    In my own logic the fact that I managed to freeze the test with a debugger and find the answer, thus showing a "high problem-solving aptitude", justified every single bit of it :P

    (ironically the captcha for this submission is: darwin).

  • ijit (unregistered) in reply to AuMatar

    bind variables are dynamic

  • (cs) in reply to karlostjackal
    karlostjackal:
    - it was pretty easy to grok.
    Sounds like if they'd hired you, you'd have been a stranger in a strange land.
  • Paul (unregistered) in reply to Carl

    I like you! Let's have a beer and I'll send you my internship application :P

  • Paul (unregistered) in reply to Paul

    my previous message was meant to be a reply to Carl's message.

  • alexgieg (unregistered) in reply to bkendig
    bkendig:
    I answered the questions to the best of my ability, and afterwards, I submitted a 'fixed' copy of the test back to the hiring manager, explaining exactly which questions didn't parse and suggesting how they could be rewritten to be clearer.
    Some years ago, I was approached by a 4th-year student of social science who was interviewing people to answer a multiple-choice questionnaire on the person's opinion on ecological and related matters. It was for his graduating research paper.

    I browsed the questions and available answers, and couldn't help but start lecturing him on what was so wrong with the whole thing. To be short: all questions were ambiguous, not clear-cutting a single subject; and worse, all of them, even when interpreted in the most generous way as "almost" non-ambiguous, had only a subset of the relevant answers he might come across. I explained some of the errors, giving examples of how one question should in fact be three, what the offered answers should be, etc., and finished by informing him that whatever statistical results he derived from those questions, they would be meaningless, and thus useless and not scientific. He thanked me and walked away.

    Some minutes later, I noticed him asking a couple to answer the exact same questionnaire...

Leave a comment on “Good Answer... Perhaps TOO Good”
