Admin
This is probably a comment.
Admin
I've always been of the opinion that data verification is a misguided effort at best.
My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.
Everyone wins - you get valid data with less effort, and the pleasure of beating the crap out of people. The users get some good old fashioned Pavlovian training that will hold them in good stead in the future!
Admin
That is why databases are for data and data only. Keep your layers separated kids!
Admin
Where's the WTF? They're using parameterized queries (I assume that's what e.Command.Parameters does), so there are no injection attacks. There could very well be a trigger that does validation in the database itself. Triggers are a perfectly valid way to do validation, because even if you're manually creating queries (such as with an administration tool), you can't insert invalid data into the database.
This code does proper error handling. Rather than simply dumping the database error code to the client, it interprets it for the user.
The code may be a little funky (checking haveSqlErrorNumber multiple times, no indentation), but what it does is not a WTF.
Oh, and <obligatory Little Bobby Tables reference>
Addendum (2009-03-04 08:23):
    If e.Command.Parameters("@txtStudentFirstName").Value = "Robert'); DROP TABLE Students; --" Then
        sb.Append("Very funny, Mr. Monroe.")
    End If
Admin
Validation should always be at the database level. Many large apps have multiple ways of entering data and you'd be duplicating logic if you put all the validation code in each one and hoped that no-one wrote a batch script to insert data.
I do have time for the idea that you write the validation rules in a macro language that gets converted into SQL constraints and triggers as well as GUI validation rules.
Then everything is kept in sync. I've worked on too many apps where the DB logic was different to the GUI.
Keeping all the validation client side will bite you when things get out of sync or someone writes a bulk uploader.
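An added example, not part of any comment in this thread and not the code from the article: it illustrates the two points argued above, that rules enforced in the database hold for every entry path and that a parameterized insert can translate the database error into a message for the user. The SQLite schema, constraint names, year range and messages are all constructed for illustration.

```python
import sqlite3

# Constructed schema: named CHECK constraints keep the rules in the database,
# so the GUI, a batch script and an admin tool are all held to them.
SCHEMA = """
CREATE TABLE Students (
    FirstName TEXT NOT NULL
        CONSTRAINT first_name_length CHECK (length(trim(FirstName)) BETWEEN 1 AND 40),
    BirthYear INTEGER NOT NULL
        CONSTRAINT birth_year_range CHECK (BirthYear BETWEEN 1900 AND 2009)
);
"""

# Constraint name -> message shown to the user instead of the raw database error.
FRIENDLY = {
    "first_name_length": "First name must be between 1 and 40 characters.",
    "birth_year_range": "Year of birth must be between 1900 and 2009.",
}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def save_student(conn, first_name, birth_year):
    """Insert with bound parameters; translate constraint failures for the user."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO Students (FirstName, BirthYear) VALUES (?, ?)",
                (first_name, birth_year),
            )
        return "Saved."
    except sqlite3.IntegrityError as exc:
        for constraint, message in FRIENDLY.items():
            if constraint in str(exc):
                return message
        return "The record could not be saved."

def student_names(conn):
    return [row[0] for row in conn.execute("SELECT FirstName FROM Students ORDER BY rowid")]

if __name__ == "__main__":
    db = open_db()
    print(save_student(db, "Dave", 1963))
    print(save_student(db, "Dave", 19630))
    print(save_student(db, "Robert'); DROP TABLE Students; --", 1999))
    print(student_names(db))
```

The quoted name is stored verbatim as a string because it travels as a bound parameter; whether such a value should be accepted as a name is a validation question that parameterization does not answer.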
Admin
HAHAHA! Users are overrated as a category anyway!
Admin
I actually don't hate VB for some reason. Could be that I code it all day (ASP.NET with VB as the source files), and if I did hate it my job would be much less enjoyable. So I am willing to keep up appearances.
Admin
For those of you that hate databases (which is apparently the entire WTF community), ...
Having the database hardened against invalid input means making the database independent of the way "users" and maybe admins change the data. Such a database needs validation only once on the db-level and not in many different interfaces or layers of "business logic".
Admin
Which is why users need a publicly available, well documented API. Then we could query the API directly, rather than relying on them to fill out fields correctly.
Admin
Just use a Google-API, fill in your name and it will spit out everything found about you on the web, haha.
Admin
err ... yeah ... that would be a separate layer. Maybe not one you like or endorse but definitely a separate layer.
Admin
The only 2 WTF's here are:
Admin
I agree with many of the above posters. There's no problem here, this isn't even validation code; it checks the returned SQL error and returns a user understandable error message to guide the user in fixing their input. If the wtf is that they have a special VB sub for every single user input field in the database then that may be a wtf I guess, but it seems to me like an extraordinarily well-done error message for at least the case pointed out here.
-edit- Some good points by Coward, but still not the kind of WTFs that are front-page worthy. Maybe for a crappy sidebar post by someone who thinks they know what they're doing but turns out they read the code all wrong and it does something completely different from what they thought?
Admin
Nothing wrong with this code as others have pointed out.
Or maybe we are all missing something? Oh there it is... "For those of you that hate VB (which is apparently the entire WTF community)"
If you think the language of choice is the WTF you are wrong, the WTF is you.
Admin
How is that wrong?
Admin
TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse) While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.
Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?
Admin
He didn't state what is was his year of birth has 1963 of
Admin
Yeah, kind of a lame WTF. This isn't something "brillant" it's just exception handling. And as far as I can tell, it's being done correctly.
Admin
The only 1 WTF in this comment: an intrusion of the only correct way of error messages storing. Depending on business-context of app it may be more or less enterprisey, up to hardcode.
Admin
Anyone who says they "hate vb" is probably not a good enough developer to work in any shop I've ever been a part of. That kind of small-minded snobbery is a big red flag when we're hiring new developers - and we're a Java shop!
Admin
Um, I have. But I agree with you that AndAlso and OrElse are hellspawn.
Admin
How can you say that??? For me it's right, I've checked my passport right now! :-D
Admin
Unfortunately, some jerk entered in something like "'; DELETE FROM Logs WHERE userid=12345; --" in that field you decided not to validate.
Admin
Isn't the option he took actually choice 'B' since it was validated while it was being written to the database?
Admin
BEEP Does not compute! Fatal grammar flaw! Division by 1963 error!
Admin
I have and I'm glad for the difference. Who cares what you call the keywords, in C you have operators that are distinctive. Would you have preferred that they changed the functionality of AND and OR and instead created BAND and BOR for the bitwise operators? The creators of the language took the right approach, just because you don't like the word they choose doesn't matter, they finally gave you the option other languages had. It's just the language's syntactic sugar.
On a separate but related note, You could have just had nested IF's. The IL compiles down to the same thing no matter if you use nested IF's or use ANDALSO.
Admin
We really don't know. He could have validated that there was data within a certain range at the object level, then the database validated that the data was correct during save, then when an exception occurred he threw a more informative message back.
Or he could have ignored all validation and the database simply gave a failure and he was lucky. At least nothing could have been injected to change those rules though.
Admin
Depends on meaning of word "written". Data was validated after being sent to database and before actually being persisted.
Admin
We don't hate VB. We love VB. We're just not in love with VB.
Admin
You started drinking awfully early today.
Admin
Nice trick you did there, Jake Vinson, first posting with numbered options and then re-posting with letters. Only the feed subscribers did see "Dave" choosing option D from among options 1, 2, 3 & 4.
I'm giving you the benefit of the doubt and believe you did this on purpose. :)
Admin
(My bête noire is people who insist on “correcting” my name in their databases…)
Admin
Data verification is for suckers. I wrote the account management software for a local bank and I didn't need any of that fancy mumbo jumbo. That's why on my accounts I am Ming the Merciless with a Checking account and Black Magic account with 17%%F bananas in Checking and a ½ cup of bleach in the other!
Data verification, feh.
Admin
... do something ...
... wonder why you are standing here, staring at nothing...
Admin
Ensure the data IS valid before writing to the database
Ensure the data IS valid while writing to the database
there, fixed it for you
Admin
-Harrow.
Admin
Ditto.
Admin
g nazi, you are incorrect. Alex lives in the United States of America, and therefore writes in an American style. Correctly, he follows the US standard for his writing. As his writing is technical, he should follow the scientifically preferred method of using data as a plural noun.
He would be incorrect to be using the UK preference of data as a singular noun in his writing. Besides that, UK scientific writing still recognizes the use of data as a plural noun as legitimate.
Perhaps Wikipedia will be of assistance in the future.
Admin
really? so what's the plural of datum then? (oh, and check schema while you're at it...)
Admin
I'm going to go with "they weren't born in 1963 so, while it is valid, it is incorrect".
Admin
Ahhh I see the WTF, he didn't use AppendFormat(
Am I right?
Admin
I think you'll find using "data" as a plural is entirely valid. Especially as "data" is the plural form in Latin; "datum" is the singular.
In fact if you look up "data" in the OED, you'll be directed to the entry for "datum", which lists "data" as its plural form.
Admin
Actually, either is correct. Data can be plural or singular depending on how it is used. When used with a singular verb, it refers to a body of facts and is synonymous with the word "information".
So, you are correct in saying that gNazi is wrong for correcting Alex.
Admin
I have to teach the concepts of validation and verification to 16/17 year olds - each year I decide on one student and at the start of the lesson on validation call them by the wrong name (always James for some reason). Little Bobby sits there proclaiming that his name is not James and after 3 or 4 'mistakes' by me the class finally realise that James is valid, but not correct.
This usually works quite nicely (and humorously) apart from this year when the student I chose is still being called James by his class mates 6 months on!