• (cs) in reply to tdittmar
    tdittmar:
    Original Poster:
    For those of you that hate VB (which is apparently the entire WTF community),
    Oh, I always thought the people from the WTF community love VB about as much as they love C++ and PHP and that the ones who hate VB are the people in the TDWTF community?
    Ooooooh yes.

    There's something with the VB language that attracts WTF coders to it (remember the "Way to go, O.O!" WTF?), however the one that might take the crown for this would be MUMPS.

  • Brains First (unregistered)

    I thought that was the point of a database, to validate data and give simple answers to help guide the users of the system?

    1. Validate the database record for edit (record lock).
    2. Validate the data wishing to be written (to stop the DB having to deal with 'bad' requests).
    3. Check when you've finished that it all adds up.
    4. If error then report what went wrong and rollback.
  • Bobby Tables (but everyone calls me James now) (unregistered) in reply to lowly school teacher
    lowly school teacher:
    I have to teach the concepts of validation and verification to 16/17 year olds - each year I decide on one student and at the start of the lesson on validation call them by the wrong name (always James for some reason). Little Bobby sits there proclaiming that his name is not James and after 3 or 4 'mistakes' by me the class finally realise that James is valid, but not correct.

    This usually works quite nicely (and humorously) apart from this year when the student I chose is still being called James by his class mates 6 months on!

    And you have no idea the self-esteem issues you have caused me...

  • c-sharper (unregistered) in reply to MrBester
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse)

    I can honestly say that every programming language has its place in this world, including VB and its ugly stepsister VB.NET. But who, for the love of $deity, would add the keyword "IsNot"? Seriously?

  • drank (unregistered)

    The WTF seems to be entirely in the ignorance of the submitter. We don't see any validation code in this example. For all we know, the application had both client- and server-side validation of the phone number.

    What we do know for sure is:

    1. There is no opportunity for SQL injection since they are using parametrized queries.
    2. There is validation logic, with several defined custom error codes, in a trigger or sproc.
    3. The code here does a reasonable job of building a user-understandable message from the database validation error codes.

    (2) is a perfectly valid design choice, even advantageous if, say, multiple applications on different platforms must write to a single DB.

  • Anon (unregistered) in reply to BobB
    BobB:
    Data verification is for suckers. I wrote the account management software for a local bank and I didn't need any of that fancy mumbo jumbo. That's why on my accounts I am Ming the Merciless with a Checking account and Black Magic account with 17%%F bananas in Checking and a ½ cup of bleach in the other!

    Data verification, feh.

    You, sir, are my hero. I couldn't get the banana to fit through the ATM slot, and when I tried depositing the bleach, it wouldn't credit my account.

  • Mark Draughn (unregistered) in reply to c-sharper
    c-sharper:
    I can honestly say that every programming language has its place in this world, including VB and its ugly stepsister VB.NET. But who, for the love of $deity, would add the keyword "IsNot"? Seriously?
    "IsNot" is the greatest keyword addition ever. Until then, your only choice was
        If Not User Is Nothing Then

    which is ugly as sin and makes you worry about the precedence. But adding explicit precedence just makes it uglier:

        If Not (User Is Nothing) Then

    You don't write

        If Not Count = 0 Then

    do you? No, you write

        If Count <> 0 Then

    Same thing:

        If User IsNot Nothing Then

    Alright, so maybe it's not the greatest keyword addition ever, but it does make the resulting code more readable and easier to type.

    P.S. For those of you who can't stand the suspense:

        End If
        End If
        End If
        End If
        End If
  • (cs) in reply to Mark Draughn
    Mark Draughn:
    "IsNot" is the greatest keyword addition ever. Until then, your only choice was

    No, you write

        If Count <> 0 Then

    Same thing:

        If User IsNot Nothing Then

    Or the equivalent C# syntax:

    if(Count != 0) if(User != Nothing)

    != is IsNot, basically meaning "is not equal to"

  • Jimmy Sixnutz (unregistered) in reply to campkev
    campkev:
    ...is synonymous with the word "information".

    If you ever met my old lecturer, you'd get a slap for saying data is synonymous with information

  • bored (unregistered)

    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.

  • Jimmy Sixnutz (unregistered) in reply to bored
    bored:
    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.

    how would you compile that?

  • (cs) in reply to Jimmy Sixnutz
    Jimmy Sixnutz:
    bored:
    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.

    how would you compile that?

    On the top of a step pyramid during the summer solstice. Jeesh, you would think these new guys don't learn about legacy application development.

  • Dredge Slug (unregistered) in reply to Barry Bond
    Barry Bond:
    I've always been of the opinion that data verification is a misguided effort at best.

    My preferred option is to skip on obtrusive and annoying validation rules and instead just record the user's ID along with any changes. Then you are allowed to beat any users that enter bad data with a stick.

    Everyone wins - you get valid data with less effort, and the pleasure of beating the crap out of people. The users get some good old fashioned Pavlovian training that will hold them in good stead in the future!

    I'm a user and I've mistyped my name. Please beat me!

  • grammernazee (unregistered) in reply to Meow
    Meow:
    That is why databases are for data and data only. Keep your layers separated kids!
    No they're not. It's perfectly reasonable to put rules and code in databases. And we're not kids.
  • (Visitor) (unregistered) in reply to campkev
    campkev:
    MrBester:
    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

    Um, I have. But I agree with you that AndAlso and OrElse are hellspawn.

    I like AndAlso and also OrElse. Unlike && and ||, they make explicit the fact that their predicates are treated asymmetrically.

  • (cs) in reply to Jimmy Sixnutz
    Jimmy Sixnutz:
    campkev:
    ...is synonymous with the word "information".

    If you ever met my old lecturer, you'd get a slap for saying data is synonymous with information

    Why, is he retarded or something? If he slapped me, I'd slap him back with the American Heritage Dictionary(data - 1. Factual information) then I'd shove a Webster's (data - 1 : factual information) down his throat. Is there a minute, pedantic difference between the two? Sure. But they are, for just about all intents and purposes, synonymous.

  • (cs)

    It's not that I don't like VB. I just like it better when it's not around.

  • 01001001011101000010011101110011001000000110110101100101 (unregistered)

    For those of you who see nothing wrong with this, in the Real World™ you have something called performance and database utilization.....

    Sure, for database applications that have multiple inputs doing some light validation in the DB is fine. I wouldn't push it though, 10 digits in a phone number is fine. KISS and less is more.

    The app should first validate on the client. Yes, javascript. Do there, give feedback quick. Then validate (yes, again) on the app server. This is for your users that turn JS off, or are attempting to mess with your system. Then finally, when JS and your app code say the data is good, feed it to the DB. Vastly better user experience, way less processing required on both the application server and the DB server.

    You think your DB server can handle it? Sure, try 100000 or million users then get back to me....

  • C (unregistered) in reply to MrBester
    MrBester:
    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?
    When The F* did And and Or become bitwise? What happened with the symmetrical logical operators?!? (Or, if you knew about that use, too, Why The F* change the subject? It was about logical conjunction and disjunction!)
  • hmmm (unregistered) in reply to Jimmy Sixnutz
    Jimmy Sixnutz:
    campkev:
    ...is synonymous with the word "information".

    If you ever met my old lecturer, you'd get a slap for saying data is synonymous with information

    campkev:
    ...When used with a singular verb, it refers to a body of facts and is synonymous with the word "information".

    When you read the whole quote, Information = a body of facts(data).

  • Steven (unregistered)

    The real WTF is the use of VB in something other than a high school classroom.

  • (cs)

    Haha, VB.NET... Let me tell you something. There is no such thing as VB.NET. It's really C#, only with different words, to make it look like it's VB. There.

    By the way, I don't understand why people hate AndAlso and OrElse that much. Why? it's just one choice of keywords. Would you rather this functionality wasn't there?

  • _dew_ (unregistered) in reply to 01001001011101000010011101110011001000000110110101100101
    01001001011101000010011101110011001000000110110101100101:
    For those of you who see nothing wrong with this, in the Real World™ you have something called performance and database utilization.....

    Sure, for database applications that have multiple inputs doing some light validation in the DB is fine. I wouldn't push it though, 10 digits in a phone number is fine. KISS and less is more.

    The app should first validate on the client. Yes, javascript. Do there, give feedback quick. Then validate (yes, again) on the app server. This is for your users that turn JS off, or are attempting to mess with your system. Then finally, when JS and your app code say the data is good, feed it to the DB. Vastly better user experience, way less processing required on both the application server and the DB server.

    You think your DB server can handle it? Sure, try 100000 or million users then get back to me....

    I was about to write more or less the same. You beat me... I don't really think it's a WTF, but having input data do a roundtrip to the DB before you can tell the user he/she is not supposed to type his/her SSN instead of a phone number, well, that's not what I would call "resource usage optimization".

    BTW, the best approach here is

    Data verification is for suckers. I wrote the account management software for a local bank and I didn't need any of that fancy mumbo jumbo. That's why on my accounts I am Ming the Merciless with a Checking account and Black Magic account with 17%%F bananas in Checking and a ½ cup of bleach in the other!

    Data verification, feh.

  • Negative0 (unregistered) in reply to KattMan
    KattMan:

    Or the equivalent C# syntax:

    if(Count != 0) if(User != Nothing)

    != is IsNot, basically meaning "is not equal to"

    The correct C# syntax is

    if(User != null)

    In VB.Net IsNot is used for object comparison. Usually you are checking to be sure the object has a reference before you do something with it, which is why you usually see Object IsNot Nothing.

  • Mr.'; Drop Database -- (unregistered) in reply to EatenByAGrue
    EatenByAGrue:
    Unfortunately, some jerk entered in something like "'; DELETE FROM Logs WHERE userid=12345; --" in that field you decided not to validate.
    So what? The comment field here on The Daily WTF isn't validated, yet you yourself just entered "'; DELETE FROM Logs WHERE userid=12345; --" into it. The website happily inserted that value into the database, as you can confirm by viewing your post.

    Would you like to try again?

  • (cs)

    BOBBY TABLES

    Sorry, I have Tourettes.

  • (cs) in reply to Zapp Brannigan
    Zapp Brannigan:
    jordanwb:
    How is that wrong?
    Because I was born in 1965.
    What day and month? Also, what's your drivers license number?
  • 13 million users at the last count, actually (unregistered) in reply to 01001001011101000010011101110011001000000110110101100101
    01001001011101000010011101110011001000000110110101100101:
    For those of you who see nothing wrong with this, in the Real World™ you have something called performance and database utilization.....
    Uh-oh people. I fear we have one of these geniuses here who thinks database integrity is optional because it 'takes too long'.

    You use MySQL, right?

  • (cs) in reply to Pim
    Pim:
    By the way, I don't understand why people hate AndAlso and OrElse that much. Why? it's just one choice of keywords. Would you rather this functionality wasn't there?

    It's not that we hate them so much as it is we hate that they are made necessary by the fact that the AND and OR operators don't act like we think they should.

    Namely, in the statement "IF boolA AND boolB", boolB should never be evaluated if boolA is false

  • (cs) in reply to KattMan
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse)

    While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.

    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

    IIRC, when VB.Net first came out, And and Or were short circuited but it caused compatibility problems because some programmers liked to write code like this:

        If Function1 Or Function2 Then
        End If

    And they expected both function calls to occur. Obviously, if Function1 returned True, then Function2 was never executed.

    KattMan:
    Would you have preferred that they changed the functionality of AND and OR and instead created BAND and BOR for the bitwise operators?

    Again, IIRC, when VB.Net first came out, they had BitAnd and BitOr for bitwise purposes but again, the VB's complained because it broke compatibility so they changed it.

  • Great link for WTF source material buried in this article (unregistered) in reply to MrBester
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse)

    While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.

    Think about it for a second before you knock it. MS wanted to finally give the VB developers shortcut boolean evaluation (good for them), but maintain backwards compatibility with existing code so you didn't have to go through every frickin AND/OR statement and confirm that it won't break if evaluated with the new behavior. They have had enough trouble getting VB6 developers to move to a new platform, creating a million hard to diagnose logic bugs into working code after converting to VB.NET wouldn't have helped matters much and would have led to some extremely bad press.

  • (cs) in reply to campkev
    campkev:
    Data... is synonymous with the word "information".
    I disagree, there's an important difference. Computer systems store data (i.e. numbers or strings which are basically meaningless out of context), but we give out information, which is something that means something to someone. So if I say to you "45000", that's data. If I say "Salary:$45,000 per annum", that's information. Not quite the same thing. The first you store on a database; the second you print on a report.
  • Slartibartfast (unregistered) in reply to Coward

    So you're suggesting generating SQL Error Messages from values held in a table, accessed with SQL?

  • Slartibartfast (unregistered) in reply to Coward

    Sorry, above post was in reference to:

    Coward:
    The only 2 WTFs here are:
    1. Giving the user the SQL error code and message. Should only be done in debug mode.
    2. The hard coded error messages. These should come from a table which would be configurable by the end user. End user could choose which errors should be Error, Warning, or Valid if the needs change.

    Tired.

  • Joe Schmoe (unregistered) in reply to MrBester

    So by your own admission && and || are hell spawns. Additionally, bitwise operations are equally viable and important in any language, regardless of the syntax.

  • ClaudeSuck.de (unregistered) in reply to g nazi
    g nazi:
    # Ensure the data IS valid before writing to the database
    # Ensure the data IS valid while writing to the database

    there, fixed it for you

    Ensure all your data are belong to us before writing to the database

    Ensure all your data are belong to us while writing to the database

    Ensure all your data are belong to us after writing to the database

    Ensure all your codez aer send 2 us

    CAPTCHA: cogo, hipps!

  • ModernProgramming (unregistered) in reply to Jimmy Sixnutz
    Jimmy Sixnutz:
    bored:
    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.

    how would you compile that?

    You equip the eagle's beak with a needle and, gently squeezing the eagle's throat, peek it directly on the disk.

  • Watson (unregistered)

    For those of you that hate VB, here is the same thing in C#. Not that it makes a difference, except sociologically, but some people get hung up over trivialities.

    // Namespaces this handler relies on (SqlException, StringBuilder):
    // using System.Data.SqlClient;
    // using System.Text;
    protected void StudentPhoneNumberRecordDataSource_HandleErrors(
    	object sender,
    	System.Web.UI.WebControls.SqlDataSourceStatusEventArgs e,
    	string CommandDescription)
    {
    	SqlException sqlException = e.Exception as SqlException;
    	if(sqlException != null)
    	{
    		object txtPhone = e.Command.Parameters["@txtPhone"].Value;
    		StringBuilder sb = new StringBuilder();
    		bool haveSqlErrorNumber = sqlException.Errors.Count >= 1;
    		// Initialised so the compiler's definite-assignment check passes
    		// on the paths where haveSqlErrorNumber is false.
    		int firstSqlErrorNumber = 0;
    
    		if(haveSqlErrorNumber)
    			firstSqlErrorNumber = sqlException.Errors[0].Number;
    		if(haveSqlErrorNumber && firstSqlErrorNumber == 2627)	// unique constraint violated
    		{
    			sb.Append(CommandDescription);
    			sb.Append(" failed. You cannot have two phone numbers with the same type \"");
    			sb.Append(e.Command.Parameters["@IDPhoneType"].Value);
    			sb.Append("\" Sorry.");
    		}
    		else if(haveSqlErrorNumber && firstSqlErrorNumber == 8152)	// string data would be truncated
    		{
    			sb.Append(CommandDescription);
    			sb.Append(" failed.  The entered phone number is probably too long.");
    		}
    		else if(haveSqlErrorNumber && firstSqlErrorNumber == 515)	// NULL into a NOT NULL column
    		{
    			sb.Append("You must enter a phone number for ");
    			sb.Append(CommandDescription);
    			sb.Append(".");
    		}
    		else
    		{
    			sb.Append("Unknown SQL Exception ");
    			sb.Append(sqlException.ErrorCode);
    			sb.Append(": ");
    			sb.Append(sqlException.Message);
    		}
    		InsertionErrorPanel.Visible = true;
    		InsertionErrorLabel.Text = sb.ToString();
    		e.ExceptionHandled = true;
    	}
    }
    

    Personally, the most glaring things about it are the repeated tests for haveSqlErrorNumber and the gratuitously explicit use of a StringBuilder instead of String.Format() or just concatenation.

    01001001011101000010011101110011001000000110110101100101:
    The app should first validate on the client. Yes, javascript. Do there, give feedback quick. Then validate (yes, again) on the app server. This is for your users that turn JS off, or are attempting to mess with your system. Then finally, when JS and your app code say the data is good, feed it to the DB.
    From what I can see, all this is already being done. Or maybe not. I can't see as much as you.
    _dew_:
    but having input data do a roundtrip to the DB before you can tell the user he/she is not supposed to type his/her SSN instead of a phone number, well, that's not what I would call "resource usage optimization".
    But it's already necessary to do a round trip to the database to verify that the record doesn't already exist (what do you mean I can't have two cellphones?). So there's nothing weird about attempting to insert the record and responding to a collision. The alternative is like "Do you know what time it is?" "Yes."
  • ModernProgramming (unregistered) in reply to ModernProgramming
    ModernProgramming:
    Jimmy Sixnutz:
    bored:
    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.

    how would you compile that?

    You equip the eagle's beak with a needle and, gently squeezing the eagle's throat, peek it directly on the disk.

    You equip the eagle's beak with a needle and, gently squeezing the eagle's throat, poke it directly on the disk.

  • Robert '; DROP TABLE xkcd_comics -- (unregistered)

    In soviet russia, SQL injects YOU!

  • Mr.'; Drop Database -- (unregistered) in reply to ModernProgramming
    ModernProgramming:
    Jimmy Sixnutz:
    bored:
    bah more vb | vb.net bashing...useless; I would code all day on papyrus with eagle's blood if that is what the shop had as a standard.
    how would you compile that?
    You equip the eagle's beak with a needle and, gently squeezing the eagle's throat, peek it directly on the disk.
    If you tried that, it wouldn't just be eagle blood on the papyrus.
  • Another support tech (unregistered)

    TRWTF is that nobody commenting here seems to have thought about how many layers of the application are involved here, and how this is going to affect the performance and throughput of the application.

    Putting all validation on the backend means that every tier of the application is involved in something which could be caught before the user ever presses "submit"!

    In typical workloads, the database is the most heavily loaded layer. Especially if this is a high-transaction environment you have to consider the extra overhead of the transaction rollback required when the DB rejects invalid data.

    A better approach, both in terms of performance, throughput, scalability and user experience, would be to take the defensive programming approach, and handle validation and filtering at multiple levels:

    1. Client-side: Either JavaScript attached to onchange or onsubmit events in the case of a web application, or VB/C#/etc for desktop applications. This allows immediate feedback to the user with very little latency or interruption of their workflow.

    2. Application-tier: Since client-side validation cannot be trusted to have been executed, the application should validate all information coming into it. This is good practice not just for information going to the database, but for ANY parameters being passed in from the user. Not having a consistent parameter validation framework in the application could allow for any number of different bugs or security weaknesses. Validating ALL input data in a consistent manner is a best practice for any application.

    3. Data-tier: This should be the final gatekeeper only, acting as a check that the application itself doesn't have any errors in its logic which would subvert the data model.

    In short, none of the tiers should trust the tier above them, and none of the tiers should pass unverified data to the one below them. That doesn't mean that each tier has to have exactly the same validations as the next. In an application I worked on recently, the client layer validated email addresses by a regex; the application layer validated them by regex and domain verification; and the database validated only the allowed characters. It all depends on the needs of the particular tier and the purpose to which the data is being put.

    Working with multiple validations may be more complex than lumping it all together in a single location, but a proper specification of all data items, and cross-group code reviews to ensure consistent operation will take a lot of the pain out of it. The benefit of cleanly separating each tier and validating at each point will show itself in responsiveness to the user, reducing unnecessary cross-tier communication, reducing resource usage, and limiting security concerns.
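
    One way to realise the tiered scheme described above, as an added example that is not part of this post or the article's own code: Python with an in-memory SQLite table standing in for the student phone table (the schema, column names and messages are constructed here). The application tier checks first and never touches the database for obviously bad input; the database keeps the three rules the article's error codes correspond to (one number per type, bounded length, required value) and its constraint failures are translated into user text much as the handler maps 2627/8152/515.

```python
import re
import sqlite3

# Constructed schema standing in for the thread's StudentPhoneNumber table.
# It keeps the three rules the article's handler maps error codes for:
# one number per type (unique), a bounded length, and a required value.
SCHEMA = """
CREATE TABLE student_phone (
    student_id INTEGER NOT NULL,
    phone_type TEXT    NOT NULL,
    phone      TEXT    NOT NULL CHECK (length(phone) <= 10),
    UNIQUE (student_id, phone_type)
);
"""

PHONE_RE = re.compile(r"^\d{10}$")


def validate_phone(raw):
    """Application-tier check: normalise and reject before any DB round trip.

    Returns (normalised_phone, None) on success or (None, message) on failure.
    """
    if raw is None or not raw.strip():
        return None, "You must enter a phone number."
    digits = re.sub(r"[\s().-]", "", raw)
    if not PHONE_RE.match(digits):
        return None, "A phone number is exactly 10 digits (got %d)." % len(digits)
    return digits, None


def describe_integrity_error(exc, phone_type):
    """Data-tier gatekeeper: turn the engine's constraint failure into user text."""
    text = str(exc)
    if text.startswith("UNIQUE constraint failed"):
        return 'You cannot have two phone numbers with the same type "%s".' % phone_type
    if text.startswith("CHECK constraint failed"):
        return "The entered phone number is too long."
    if text.startswith("NOT NULL constraint failed"):
        return "You must enter a phone number."
    return "Unknown database error: %s" % text


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def add_phone(conn, student_id, phone_type, raw_phone, skip_app_validation=False):
    """Insert through both tiers. Returns (ok, message).

    skip_app_validation simulates an application-logic bug that lets bad
    input through, so the database's final check can be exercised.
    """
    if skip_app_validation:
        phone = raw_phone
    else:
        phone, err = validate_phone(raw_phone)
        if err:
            return False, err  # rejected without touching the DB
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO student_phone (student_id, phone_type, phone) VALUES (?, ?, ?)",
                (student_id, phone_type, phone),
            )
    except sqlite3.IntegrityError as exc:
        return False, describe_integrity_error(exc, phone_type)
    return True, "Saved."


if __name__ == "__main__":
    db = open_db()
    print(add_phone(db, 1, "cell", "(555) 123-4567"))  # ok
    print(add_phone(db, 1, "cell", "555-765-4321"))    # duplicate type, caught by the DB
    print(add_phone(db, 1, "home", "123-45-6789"))     # SSN-shaped, caught in the app tier
    print(add_phone(db, 1, "home", "55512345678", skip_app_validation=True))  # DB CHECK fires
```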

  • My Name (unregistered) in reply to Mr.'; Drop Database --
    Mr.'; Drop Database --:
    EatenByAGrue:
    Unfortunately, some jerk entered in something like "'; DELETE FROM Logs WHERE userid=12345; --" in that field you decided not to validate.
    So what? The comment field here on The Daily WTF isn't validated, yet you yourself just entered "'; DELETE FROM Logs WHERE userid=12345; --" into it. The website happily inserted that value into the database, as you can confirm by viewing your post.

    Would you like to try again?

    FAIL!

  • (cs) in reply to Slartibartfast
    Slartibartfast:
    So you're suggesting generating SQL Error Messages from values held in a table, accessed with SQL?
    I *think* he's suggesting putting validation error messages on a table, rather than messages referring to sql errors. This *might* be worth doing if you had similar validation errors raised in different areas, as you could store 1 error string and edit it in just one place as required. Sybase kind of encourages you to do this with raiserror and sysusermessages table. But it's pretty abstruse, and in 20 years I haven't seen it used to good effect. I think error messages should just be burped out by the code that found the error; apart from anything else, it gives you a string to search for in the code.
  • db (unregistered) in reply to Matt
    Matt:
    We don't hate VB. We love VB. We're just not in love with VB.
    Only if VB is Victoria Bitter, and even then XXXX is a better beer.
  • Rhialto (unregistered) in reply to (Visitor)
    (Visitor):
    I like AndAlso and also OrElse.
    OrElse: also known as the conditional threat.
  • JM (unregistered)

    This is such a stupid and uninformed WTF that I think I will just stop reading the DailyWTF until someone tells Jake Vinson to fuck off.

  • Rhialto (unregistered) in reply to Another support tech
    Another support tech:
    In an application I worked on recently, the client layer validated email addresses by a regex; the application layer validated them by regex and domain verification; and the database validated only the allowed characters.
    Of course, an email address cannot be fully validated with a regex, as I believe has been treated on TDWTF before. See the grammar in section 3.4 of RFC 5322 (the current version of RFC 822).

    Also, many websites that try to validate my email address seem to think that a '+' sign is not allowed, which is incorrect and very very annoying. The '+' is in fact allowed (and so are many other characters; see sections 3.2.3, 3.2.4 and 3.4) and many mail systems have the convention that if you place a '+' and some tag after your mailbox name, you get the tag passed through so that you can use it for example to create a sort of sub-mailboxes.

    "{}=Hello_:-)"@example.com is (thanks to the quotes) a perfectly valid email address, if I read the syntax right.
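
    As an added example (not Rhialto's code or anything from the article), a checker for the addr-spec production of RFC 5322 section 3.4.1 in Python, restricted to the dot-atom and quoted-string forms of the local part and a dot-atom domain (no comments or folding whitespace, no domain-literal, no obsolete syntax). It goes slightly beyond the comment by also handling backslash escapes inside quotes; the '+' tag split is the mail-system convention the comment mentions, not part of the RFC.

```python
import string

# RFC 5322 section 3.2.3 atext: characters allowed in an unquoted local part
# or domain label. Note that '+' is among them.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def _is_dot_atom(text):
    """dot-atom-text = 1*atext *("." 1*atext)  (CFWS deliberately not handled)."""
    if not text:
        return False
    return all(label and all(c in ATEXT for c in label) for label in text.split("."))


def _is_quoted_string(text):
    """quoted-string = DQUOTE *(qtext / quoted-pair / WSP) DQUOTE  (FWS reduced to WSP)."""
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return False
    body = text[1:-1]
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\":
            # quoted-pair: backslash followed by any VCHAR (33-126) or WSP
            if i + 1 >= len(body):
                return False
            nxt = body[i + 1]
            if not (33 <= ord(nxt) <= 126 or nxt in " \t"):
                return False
            i += 2
        elif c == '"':
            return False  # an unescaped DQUOTE can only terminate the string
        elif ord(c) == 33 or 35 <= ord(c) <= 91 or 93 <= ord(c) <= 126 or c in " \t":
            i += 1  # qtext (printable ASCII minus DQUOTE and backslash) or whitespace
        else:
            return False
    return True


def parse_addr_spec(addr):
    """Return (local_part, domain) if addr is an RFC 5322 addr-spec, else None.

    Covered: local-part = dot-atom / quoted-string; domain = dot-atom.
    Not covered: comments and folding whitespace, domain-literal ([1.2.3.4]),
    and the obsolete forms of section 4.
    """
    local, at, domain = addr.rpartition("@")  # a quoted local part may itself contain '@'
    if not at:
        return None
    if not (_is_dot_atom(local) or _is_quoted_string(local)):
        return None
    if not _is_dot_atom(domain):
        return None
    return local, domain


def split_plus_tag(local_part):
    """Split mailbox+tag (a widespread convention, not part of RFC 5322).

    Quoted local parts are returned untouched, since '+' carries no special
    meaning inside quotes.
    """
    if local_part.startswith('"'):
        return local_part, None
    mailbox, plus, tag = local_part.partition("+")
    return mailbox, (tag if plus else None)
```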

  • Uhh (unregistered) in reply to c-sharper
    c-sharper:
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse)

    I can honestly say that every programming language has its place in this world, including VB and its ugly stepsister VB.NET. But who, for the love of $deity, would add the keyword "IsNot"? Seriously?

    Is it complemented by a IsToo! keyword?

  • Bobbo (unregistered) in reply to DOA
    DOA:
    snoofle:
    This is probably a comment.
    Note to self: fill snoofle's cubicle with styrofoam.

    Did you mean Chloroform?

Leave a comment on “Input Validation... The Clever Way”
