• snoofle (cs)

    This is probably a comment.

  • Barry Bond (unregistered)

    I've always been of the opinion that data verification is a miguided effort at best.

    My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.

    Everyone wins - you get valid data with less effort, and the pleasure of beating the crap out of people. The users get some good old fashioned Pavlovian training that will hold them in good stead in the future!

  • Meow (unregistered)

    That is why databases are for data and data only. Keep your layers separated kids!

  • jspenguin (cs)

    Where's the WTF? They're using parameterized queries (I assume that's what e.Command.Parameters does), so there are no injection attacks. There could very well be a trigger that does validation in the database itself. Triggers are a perfectly valid way to do validation, because even if you're manually creating queries (such as with an administration tool), you can't insert invalid data into the database.

    This code does proper error handling. Rather than simply dumping the database error code to the client, it interprets it for the user.

    The code may be a little funky (checking haveSqlErrorNumber multiple times, no indentation), but what it does is not a WTF.

    Oh, and <obligatory Little Bobby Tables reference>

    Addendum (2009-03-04 08:23): If e.Command.Parameters("@txtStudentFirstName").Value = "Robert'); DROP TABLE Students; --" Then sb.Append("Very funny, Mr. Monroe.") End If

  • Nick (unregistered)

    Validation should always be at the database level. Many large apps have multiple ways of entering data and you'd be duplicating logic if you put all the validation code in each one and hoped that no-one wrote a batch script to insert data.

    I do have time for the idea that you write the validation rules in a macro language that gets converted into SQL constraints and triggers as well a GUI validation rules.

    Then everything is kept in sync. I've worked on too many apps where the DB logic was different to the GUI.

    Keeping all the validation client side will bite you when things get out of sync or someone writes a bulk uploader.

  • ambrozija (unregistered) in reply to Barry Bond
    I've always been of the opinion that data verification is a miguided effort at best.

    My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.

    Everyone wins - you get valid data with less effort, and the pleasure of beating the crap out of people. The users get some good old fashioned Pavlovian training that will hold them in good stead in the future!

    HAHAHA! Users are overrated as a category anyway!

  • m0ffx (unregistered) in reply to Barry Bond
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.
  • Addison (unregistered)

    I actually don't hate VB for some reason. Could be that I code it all day (ASP.NET with VB as the source files), and if I did hate it my job would be much less enjoyable. So I am willing to keep up appearances.

  • ClaudeSuck.de (unregistered)

    For those of you that hate datases (which is apparently the entire WTF community), ...

    Having the database hardened against invalid input means making the database independent of the way "users" and maybe admins change the data. Such a database needs validation only once on the db-level and not in many different interfaces or layers of "business logic".

  • cdosrun (cs) in reply to m0ffx
    m0ffx:
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    Which is why users need a publicly available, well documented API. Then we could query the API directly, rather than relying on them to fill out fields correctly.

  • ClaudeSuck.de (unregistered) in reply to cdosrun
    cdosrun:
    m0ffx:
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    Which is why users need a publicly available, well documented API. Then we could query the API directly, rather than relying on them to fill out fields correctly.

    Just use a Google-API, fill in your name and it will spit out everything found about you on the web, haha.

  • derby (unregistered) in reply to Meow

    err ... yeah ... that would be a separate layer. Maybe not one you like or endorse but definitely a separate layer.

  • Coward (unregistered)

    The only 2 WTF's here are:

    1. Giving the user the SQL error code and message. Should only be done in debug mode.
    2. The hard coded error messages. These should come from a table which would be configurable by the end user. End user could which errors from be Error, Warning, to Valid if the needs change.
  • darkmattar (cs) in reply to derby

    I agree with many of the above posters. There's no problem here, this isn't even validation code; it checks the returned SQL error and returns a user understandable error message to guide the user in fixing their input. If the wtf is that they have a special VB sub for every single user input field in the database then that may be a wtf I guess, but it seems to me like an extraordinarily well-done error message for at least the case pointed out here.

    -edit- Some good points by Coward, but still not the kind of WTFs that are front-page worthy. Maybe for a crappy sidebar post by someone who thinks they know what they're doing but turns out they read the code all wrong and it does something completely different from what they thought?

  • tdittmar (cs)
    Original Poster:
    For those of you that hate VB (which is apparently the entire WTF community),
    Oh, I always thought the people from the WTF community love VB about as much as they love C++ and PHP and that the ones who hate VB are the people in the TDWTF community?
  • KattMan (cs)

    Nothing wrong with this code as others have pointed out.

    Or maybe we are all missing something? Oh there it is... "For those of you that hate VB (which is apparently the entire WTF community)"

    If you think the language of choice is the WTF you are wrong, the WTF is you.

  • jordanwb (unregistered) in reply to m0ffx
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How is that wrong?

  • MrBester (cs)

    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse) While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.

    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

  • IByte (unregistered) in reply to Barry Bond
    Barry Bond:
    I've always been of the opinion that data verification is a miguided effort at best.

    My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.

    Everyone wins - you get valid data with less effort, and the pleasure of beating the crap out of people. The users get some good old fashioned Pavlovian training that will hold them in good stead in the future!

    So that's option C, then?

  • 1963What?Elephants? (unregistered) in reply to jordanwb
    jordanwb:
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How is that wrong?

    He didn't state what is was his year of birth has 1963 of

  • Matt (unregistered)

    Yeah, kind of a lame WTF. This isn't something "brillant" it's just exception handling. And as far as I can tell, it's being done correctly.

  • ThomsonsPier (cs) in reply to jordanwb
    jordanwb:
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How is that wrong?

    I imagine he wasn't born in 1963.

  • Zapp Brannigan (unregistered) in reply to jordanwb
    jordanwb:
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How is that wrong?

    Because I was born in 1965.

  • Sashlik (unregistered) in reply to Coward
    Coward:
    The only 2 WTF's here are: 1. Giving the user the SQL error code and message. Should only be done in debug mode. 2. The hard coded error messages. These should come from a table which would be configurable by the end user. End user could which errors from be Error, Warning, to Valid if the needs change.

    The only 1 WTF in this comment: an intrusion of the only correct way of error messages storing. Depending on business-context of app it may be more or less enterprisey, up to hardcode.

  • Right tool for the right job (unregistered)

    Anyone who says they "hate vb" is probably not a good enough developer to work in any shop I've ever been a part of. That kind of small-minded snobbery is a big red flag when we're hiring new developers - and we're a Java shop!

  • campkev (cs) in reply to MrBester
    MrBester:
    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

    Um, I have. But I agree with you that AndAlso and OrElse are hellspawn.

  • Tom_fan_DK (unregistered) in reply to m0ffx
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How can you say that??? For me it's right, I've checked my passport right now! :-D

  • EatenByAGrue (unregistered) in reply to Barry Bond
    Barry Bond:
    My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.

    Unfortunately, some jerk entered in something like "'; DELETE FROM Logs WHERE userid=12345; --" in that field you decided not to validate.

  • ShatteredArm (unregistered)

    Isn't the option he took actually choice 'B' since it was validated while it was being written to the database?

  • Pim (cs) in reply to 1963What?Elephants?
    1963What?Elephants?:
    He didn't state what is was his year of birth has 1963 of

    BEEP Does not compute! Fatal grammar flaw! Division by 1963 error!

  • KattMan (cs) in reply to MrBester
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse) While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.

    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

    I have and I'm glad for the difference. Who cares what you call the keywords, in C you have operators that are distinctive. Would you have preferred that they changed the functionality of AND and OR and instead created BAND and BOR for the bitwise operators? The creators of the language took the right approach, just because you don't like the word they choose doesn't matter, they finally gave you the option other languages had. It's just the languages syntactic suger.

    On a separate but related note, You could have just had nested IF's. The IL compiles down to the same thing no matter if you use nested IF's or use ANDALSO.

  • KattMan (cs) in reply to ShatteredArm
    ShatteredArm:
    Isn't the option he took actually choice 'B' since it was validated while it was being written to the database?

    We really don't know. He could have validated that there was data within a certian range at the object level, then the database validated that the data was correct during save, then when an exception occured he threw a more informative message back.

    Or he could have ignored all validation and the database simply gave a failure and he was lucky. At least nothing could have been injected to change those rules though.

  • Sashlik (unregistered) in reply to ShatteredArm
    ShatteredArm:
    Isn't the option he took actually choice 'B' since it was validated while it was being written to the database?

    Depends on meaning of word "written". Data was validated after being sent to database and before actually be persisted

  • Matt (unregistered)

    We don't hate VB. We love VB. We're just not in love with VB.

  • Anonymouse (unregistered) in reply to 1963What?Elephants?
    1963What?Elephants?:
    He didn't state what is was his year of birth has 1963 of

    You started drinking awfully early today.

  • DOA (cs) in reply to snoofle
    snoofle:
    This is probably a comment.
    Note to self: fill snoofle's cubicle with styrofoam.
  • Zecc (cs)

    Nice trick you did there, Jake Vinson, first posting with numbered options and then re-posting with letters. Only the feed subscribers did see "Dave" choosing option D from among options 1, 2, 3 & 4.

    I'm giving you the benefit of the doubt and believe you did this on purpose. :)

  • dkf (cs) in reply to Zapp Brannigan
    Zapp Brannigan:
    jordanwb:
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.
    How is that wrong?
    Because I was born in 1965.
    That can't be true. It says you were born in 1963, and it's in the database which enforces validation rules so it must be right...

    (My bête noire is people who insist on “correcting” my name in their databases…)

  • BobB (cs)

    Data verification is for suckers. I wrote the account management software for a local bank and I didn't need any of that fancy mumbo jumbo. That's why on my accounts I am Ming the Merciless with a Checking account and Black Magic account with 17%%F bananas in Checking and a ½ cup of bleach in the other!

    Data verification, feh.

  • Bosshog (unregistered)
    If sqlException IsNot Nothing Then

    ... do something ...

    Else

    ... wonder why you are standing here, staring at nothing...

  • g nazi (unregistered)

    Ensure the data IS valid before writing to the database

    Ensure the data IS valid while writing to the database

    there, fixed it for you

  • Harrow (unregistered) in reply to Barry Bond
    Barry Bond:
    ...you are allowed to beat any users that enter bad data with a stick.
    What may I do to users that enter bad data with a keyboard?

    -Harrow.

  • Charles400 (cs) in reply to ClaudeSuck.de
    ClaudeSuck.de:
    Having the database hardened against invalid input means making the database independent of the way "users" and maybe admins change the data.

    Ditto.

  • shepd (cs) in reply to g nazi
    g nazi:
    # Ensure the data IS valid before writing to the database # Ensure the data IS valid while writing to the database

    there, fixed it for you

    g nazi, you are incorrect. Alex lives in the United States of America, and therefore writes in an American style. Correctly, he follows the US standard for his writing. As his writing is technical, he should follow the scientifically preferred method of using data as a plural noun.

    He would be incorrect to be using the UK preference of data as a singular noun in his writing. Besides that, UK scientific writing still recognizes the use of data as a plural noun as legitimate.

    Perhaps Wikipedia will be of assistance in the future.

  • another g nazi (unregistered) in reply to g nazi

    really? so what's the plural of datum then? (oh, and check schema while you're at it...)

  • hikari (cs) in reply to jordanwb
    jordanwb:
    m0ffx:
    Barry Bond:
    data verification...validation rules...
    Validation and verification are not the same thing. If I enter my year of birth has 1963, that's valid, but wrong.

    How is that wrong?

    I'm going to go with "they weren't born in 1963 so, while it is valid, it is incorrect".

  • B3ST Cod3r (unregistered)

    Ahhh I see the WTF, he didnt use AppendFormat(

    Am I right?

  • hikari (cs) in reply to g nazi
    g nazi:
    # Ensure the data IS valid before writing to the database # Ensure the data IS valid while writing to the database

    there, fixed it for you

    I think you'll find using "data" as a plural is entirely valid. Especially as "data" is the plural form in Latin; "datum" is the singular.

    In fact if you look up "data" in the OED, you'll be directed to the entry for "datum", which lists "data" as its plural form.

  • campkev (cs) in reply to shepd
    shepd:
    g nazi:
    # Ensure the data IS valid before writing to the database # Ensure the data IS valid while writing to the database

    there, fixed it for you

    g nazi, you are incorrect. Alex lives in the United States of America, and therefore writes in an American style. Correctly, he follows the US standard for his writing. As his writing is technical, he should follow the scientifically preferred method of using data as a plural noun.

    He would be incorrect to be using the UK preference of data as a singular noun in his writing. Besides that, UK scientific writing still recognizes the use of data as a plural noun as legitimate.

    Perhaps Wikipedia will be of assistance in the future.

    Actually, either is correct. Data can be plural or singular depending on how it is used. When used with a singular verb, it refers to a body of facts and is synonymous with the word "information".

    So, you are correct in saying that gNazi is wrong for correcting Alex.

  • lowly school teacher (unregistered) in reply to hikari

    I have to teach the concepts of validation and verification to 16/17 year olds - each year I decide on one student and at the start of the lesson on validation call them by the wrong name (always James for some reason). Little Bobby sits there proclaiming that his name is not James and after 3 or 4 'mistakes' by me the class finally realise that James is valid, but not correct.

    This usually works quite nicely (and humourously) apart from this year when the student I chose is still being called James by his class mates 6 months on!

Leave a comment on “Input Validation... The Clever Way”

Log In or post as a guest

Replying to comment #:

« Return to Article