Admin
Even though information and data are often used interchangeably, they are actually very different. Data is a set of unrelated information, and as such is of no use until it is properly evaluated. Upon evaluation, once there is some significant relation between data, and they show some relevance, then they are converted into information. Now this same data can be used for different purposes. Thus, till the data convey some information, they are not useful.
Perhaps Wikipedia will be of assistance in the future.
Admin
While many email validation scripts do fail badly on mundane stuff like a + sign, well over half of what the infamous huge regex that always gets cited handles is not part of the address itself. Yes, comments are part of the syntax, but not allowing comments to be included does not prevent anyone from entering their address and having email delivered to them, because they're comments. Nobody needs a line break in their email address, yet the regex contains 134 occurrences of (?:(?:\r\n)?[ \t]).
Admin
RFC822: Colon/semi-colon (":" and ";") are used in address specifications to indicate that the included list of addresses are to be treated as a group. - why should I accept a LIST of addresses?
Angle brackets ("<" and ">") are generally used to indicate the presence of a one machine-usable reference (e.g., delimiting mailboxes), possibly including source-routing to the machine. - so don't include anything that's NOT machine-usable.
Square brackets ("[" and "]") are used to indicate the presence of a domain-literal, which the appropriate name-domain is to use directly, bypassing normal name-resolution mechanisms. - I don't know what this means, but it doesn't sound like it's meaningful in the context of internet e-mail.
Admin
Dave, you suck.
Admin
"Ensure the data are valid"
Are the data valid? Yes, every single datum is valid. FFS
Admin
To the contrary, they're specific to e-mail. When you type @example.com, the host the message will be routed to is obtained from the DNS MX record. It could even be on a totally different domain. When you type @[example.com], or for that matter @[11.22.33.44], the message is delivered to that specific host (as in the A record) or directly to the specified IP address.
Admin
I would expect TryCast to return a Boolean?
Admin
Sorry, it's not the same thing. First, I check if the data entered is at least credible (client side). Then, I check integrity DB side - and there the roundtrip is necessary of course. However, it's a matter of approach - or habit - nothing so wrong in doing it all at once. And, yes, you can have two cellphones, but you don't enter both in the same field - I have provided some nice "additional contact" inputs :P
Admin
True about my point #2, there is more than one way to skin a cat.
Admin
I think the captcha should be changed to require the identification of random words from (lots of) the previous comments, which fill a specific pattern. Perhaps then the redundancy would decrease a little. :-|
Read page 2 again, please. I guess your observation skills might be TRWTF... Or perhaps an alertness captcha? There are a number of those "I must be tired" posts, and IMO they're getting old.
No need to present us with your autobiography now... You could try to actually think about what was said before bashing it!
Admin
What an idiot. Everyone knows the more cleverest way to evaluate a phone number in a database is to try to convert it to a date. On success report failure.
Admin
No, in fact database integrity is exactly what should be done in the database. Ensure foreign keys, enforce constraints, but don't run a 10000 line trigger with every insert/update to ensure a bunch of business rules.... And don't let the database be the ONLY source of data validation, as it is in this WTF. Balance and simplicity people....
Admin
Does anyone have a permanent email account at a server that has no MX record?
Admin
I'm just purple pleased that there is any validation in the database. You can tell a real developer didn't work on this app. If a real developer had worked on it, there would have been serious validation in the UI and the data stored in a text file.
Admin
probably why everyone should just learn rails, for f*** sake!
Admin
Reading VB code made me throw up in my mouth a little.
Admin
Woosh...
Admin
Well, in theory it could be useful for testing or for intranet mail systems. In practice, it seems to have been watered down already though.
At least in gmail, you can't send mails to addresses with bracket syntax (it says the address is invalid). However, it will happily deliver mails if you put an IP address without brackets behind the @. If a host doesn't have an MX record, it will also deliver the mail to the host from the A record.
Admin
Because of a poor db schema, it uses a clustered primary key so you can only have 1 type of phone number (Home, Cell, Other, etc).
In my opinion, the logical way to fix it would have been to change his binding Select query to only include valid options. For example, select phoneTypes from tlkpPhoneTypes where idphonetype not in (select idphonetype from tblPhone where idstudent=@idstudent). That would have completely eliminated the need to validate the phone types, since you were already having to query the db to get the phone types.
I think the real WTFs are that he's looking for specific SQL Error Numbers, instead of testing the data up front. FYI - there's no client side validation on it, masked textboxes, required field validators, or anything logical to save some backend code.
Admin
I am the author of this "WTF".
By passing the validation of the PK off to the server and catching the SQL error I avoid having to do the validation in the code which I'd later have to remove when we finally change the schema.
Since I had already written the code to catch the SQL error for the compound PK it didn't take much extra code to catch the errors that occur when you try to shove a NULL in a NOT NULL field or shove too long of a string into too small of a varchar field.
Although it is true that I didn't myself write any formatters or validation code, when I passed it off to another coworker (not Josh) for addition into the project he replaced the plain text box with a formatted Telerik RAD text box. So before this code went into production it did do validation before sending the data off to the server.
So, to answer Jake's question. In my opinion, "B" (Ensure the data are valid while writing to the database) is always necessary and happens because of proper constraints on the database. "A" (Ensure the data are valid before writing to the database) is nice to have for the user and in this case eventually got added, granted, not by me.
Choice "C" (Ask the user to please not perform an injection attack since your system isn't designed to handle it ) is never a good idea which is why the code uses a parameterized query.
Now, as for "D" (Do it the clever way). Yeah, I admit, I did it. But I also did B and knew that the other guy was going to do A. So in my opinion presenting B to the user in a clean way isn't exactly a bad thing.
In my ideal world I'm using some sort of ORM that can do my validation for me. In the world I had to write this control in we're using plain SqlDataSource. So I didn't have the ability to "push the validation to another layer". I could either push it into the UI or make the DB do it. I wasn't going to pull in an ORM system for a simple control as part of a huge project so I decided to make the DB do it. The DB does it anyway, so it was only a matter of displaying the DB message to the user in a decent way.
And one other thing: A few people have pointed out the apparent oddity of checking to see if sqlException IsNot Nothing. This is because the exception can be of any type but I can only do anything useful with it when it is a SqlException. Therefore I use TryCast to cast it to a SqlException. If it is not, then TryCast returns Nothing. Perhaps a better way to have written it would be If sqlException Is Nothing Then Exit Sub. And ordinarily I do write my code that way because I think it is cleaner. I just happened to write the inverse of it this time and put the code inside the if block with the opposite IsNot Nothing condition. TRWTF here is that apparently writing even moderately advanced VB.NET code makes it essentially incomprehensible to 99% of VB programmers who can't bother themselves with any of this sort of "advanced" stuff like, say, dynamic casting.
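The two positions in this thread (the suggestion to bind the dropdown only to phone types the student has not used yet, and the author's approach of parameterising the insert, letting the composite primary key and the NOT NULL / length constraints reject bad rows, and translating the database error for the user, handling only the exception type you can actually explain, which is what the TryCast check does) can be put side by side in one runnable piece. This is an added example, not the article's VB.NET control or its SqlDataSource; it uses an in-memory SQLite database with a constructed schema that mirrors the one described (a composite primary key on student and phone type, a NOT NULL phone column with a length check, and a foreign key to the lookup table). Table and column names follow the comment above; the error-message mapping keys on SQLite's constraint messages, which differ from SQL Server's error numbers.

```python
import sqlite3

# Constructed schema (added example): one number per (student, phone type),
# phone required and at most 15 characters, phone type must exist in the lookup.
SCHEMA = """
CREATE TABLE tlkpPhoneTypes (
    idphonetype INTEGER PRIMARY KEY,
    phoneType   TEXT NOT NULL
);
CREATE TABLE tblPhone (
    idstudent   INTEGER NOT NULL,
    idphonetype INTEGER NOT NULL REFERENCES tlkpPhoneTypes(idphonetype),
    phone       TEXT NOT NULL CHECK (length(phone) <= 15),
    PRIMARY KEY (idstudent, idphonetype)
);
INSERT INTO tlkpPhoneTypes VALUES (1, 'Home'), (2, 'Cell'), (3, 'Other');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES otherwise
    conn.executescript(SCHEMA)
    return conn


def available_phone_types(conn, idstudent):
    """Approach "A": only offer types this student has not used yet, so the
    dropdown itself cannot produce a duplicate-key insert."""
    rows = conn.execute(
        "SELECT phoneType FROM tlkpPhoneTypes WHERE idphonetype NOT IN "
        "(SELECT idphonetype FROM tblPhone WHERE idstudent = ?) "
        "ORDER BY idphonetype",
        (idstudent,),
    ).fetchall()
    return [r[0] for r in rows]


def add_phone(conn, idstudent, idphonetype, phone):
    """Approach "B": a parameterised insert (no string-built SQL, so user input is
    data, never syntax); the constraints decide, and a constraint failure becomes
    a user-readable message. Returns (ok, message)."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute(
                "INSERT INTO tblPhone (idstudent, idphonetype, phone) VALUES (?, ?, ?)",
                (idstudent, idphonetype, phone),
            )
    except Exception as exc:
        # The TryCast pattern: anything that is not a constraint failure is not
        # ours to explain to the user, so let it propagate to the error handler.
        if not isinstance(exc, sqlite3.IntegrityError):
            raise
        msg = str(exc)
        if "UNIQUE" in msg:          # composite primary key violated
            return False, "This student already has a phone number of that type."
        if "NOT NULL" in msg:        # NULL shoved into a NOT NULL column
            return False, "Phone number is required."
        if "CHECK" in msg:           # too long for the column
            return False, "Phone number is too long."
        if "FOREIGN KEY" in msg:     # type id not in the lookup table
            return False, "Unknown phone type."
        return False, "The record could not be saved."
    return True, "Saved."


if __name__ == "__main__":
    db = open_db()
    print(available_phone_types(db, 1))          # all three types
    print(add_phone(db, 1, 2, "555-0100"))       # (True, 'Saved.')
    print(available_phone_types(db, 1))          # Cell no longer offered
    print(add_phone(db, 1, 2, "555-0199"))       # duplicate key, explained
    print(add_phone(db, 1, 1, None))             # NOT NULL, explained
    print(add_phone(db, 1, 1, "1" * 16))         # CHECK, explained
```

Both halves together are the point: filtering the select keeps the user from picking an impossible option, and the constraints plus the translated error still catch whatever the UI lets through (a stale page, a second tab, a request that never came from the dropdown).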
Admin
The original (beta) versions of VB.net had "And" and "Or" as short-circuit operators. They also had arrays declared by length (like every other modern language), not by highest subscript (like VB6). Unfortunately, too many stuck-in-the-mud idiots complained, unable to wrap their minds around this shift.
http://discuss.joelonsoftware.com/default.asp?joel.3.86737.18 summarises the situation fairly well, and http://vb.mvps.org/vfred/breaks.asp is the list of one of the more vocal protestors. As you can see, the very point you raise was conceded by Microsoft between Beta 1 and Beta 2.
Admin
FTFY
Admin
So what Mr Pedia is saying is information is only information if it is useful? Therefore there is no useful information?
Mr Pedia knows a lot, but not everything he knows or says is 100% correct. At one time he says Data and Information are "closely related", then he turns around and says they are "very different."
Admin
Bye! Don't let the door hit you on the way out! ... What, still here? Having trouble finding the door? Let me help by just tossing you out.
Admin
I have. All vb naming conventions suck, you're throwing a pebble into the ocean with your comment.
Admin
"Anyone who says they "hate vb" is probably not a good enough developer to work in any shop I've ever been a part of. "
So essentially you are saying that braindead tools are good things and do not introduce braindead coding habits.
Whatever suits you, sir, but I won't agree.
You see, if you use, let's say, Pascal (or any other tightly structured language), you can't just clobber something together and expect it to work like a real application, like in Basic. Probably you wouldn't even get it through the compiler.
VB and C are naturally suited for shooting the coder's own foot. Everything else requires a lot of administrative work and careful coders.
WTF of the article is that the DB isn't a front-end sanity checking tool; it has enough load in checking values put in. Cleaning most of the crap from the input must be done in the application (and not with a DB procedure as somebody suggested, but in plain code).
At least two reasons:
Admin
I like VB. /Well-written/ VB...
Admin
Oh, that reminds me of a program I wrote for school. Actually a set of programs, where the output from the first one becomes the input for the second, and so on... The first program, of course, was to validate the input, and make sure every field is valid... BUT I made ONE mistake: I forgot to make sure the Month field was a number in the 1-12 range! So one file, with a "month" of "30", slipped through. Then the second program tried to look up a table using the month field... CORE DUMP! Quite embarrassing...