• me (unregistered) in reply to campkev
    campkev:
    Actually, either is correct. Data can be plural or singular depending on how it is used. When used with a singular verb, it refers to a body of facts and is synonymous with the word "information".
    Actually, the word "data" is not synonymous with the word "information".

    Even though information and data are often used interchangeably, they are actually very different. Data is a set of unrelated information, and as such is of no use until it is properly evaluated. Upon evaluation, once there is some significant relation between data, and they show some relevance, then they are converted into information. Now this same data can be used for different purposes. Thus, till the data convey some information, they are not useful.

    Perhaps Wikipedia will be of assistance in the future.

  • Random832 (unregistered) in reply to Rhialto

    While many email validation scripts do fail badly on mundane stuff like a + sign, well over half of what the infamous huge regex that always gets cited handles is not part of the address itself. Yes, comments are part of the syntax, but not allowing comments to be included does not prevent anyone from entering their address and having email delivered to them, because they're comments. Nobody needs a line break in their email address, yet the regex contains 134 occurrences of (?:(?:\r\n)?[ \t]).

  • Random832 (unregistered) in reply to Rhialto

    RFC822: Colon/semi-colon (":" and ";") are used in address specifications to indicate that the included list of addresses are to be treated as a group. - why should I accept a LIST of addresses?

    Angle brackets ("<" and ">") are generally used to indicate the presence of a one machine-usable reference (e.g., delimiting mailboxes), possibly including source-routing to the machine. - so don't include anything that's NOT machine-usable.

    Square brackets ("[" and "]") are used to indicate the presence of a domain-literal, which the appropriate name-domain is to use directly, bypassing normal name-resolution mechanisms. - I don't know what this means, but it doesn't sound like it's meaningful in the context of internet e-mail.

  • Anonymous (unregistered)

    Dave, you suck.

  • Dugeen (unregistered)

    "Ensure the data are valid"

    Are the data valid? Yes, every single datum is valid. FFS

  • Certified Coward (unregistered) in reply to Random832
    Random832:
    RFC822: Square brackets ("[" and "]") are used to indicate the presence of a domain-literal, which the appropriate name-domain is to use directly, bypassing normal name-resolution mechanisms. - I don't know what this means, but it doesn't sound like it's meaningful in the context of internet e-mail.

    To the contrary, they're specific to e-mail. When you type @example.com, the host the message will be routed to is obtained from the DNS MX record; it could even be on a totally different domain. When you type @[example.com], or for that matter @[11.22.33.44], the message is delivered to that specific host (as in the A record) or directly to the specified IP address.
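
The pragmatic position Random832 and Certified Coward take above, as an added example in Python (not code from the thread or the article): accept the addr-spec subset a person actually needs to receive mail, including a "+" tag and the bracketed IPv4 domain literal, and reject comments, folding whitespace, quoted local parts, group syntax and angle brackets with a specific reason. The requirement of at least two DNS labels, the length limits and the hint wording are my assumptions.

```python
import re

# Added example: a deliberately narrow mailbox-syntax check for a signup form.
# It accepts the part of the RFC 822/5322 addr-spec a person needs to receive
# mail (dot-atom local part, so "+" tags work; a DNS domain, or an IPv4 domain
# literal in square brackets) and rejects what the thread argues a form need
# not carry: comments, folding whitespace, quoted local parts, group syntax
# (":" / ";") and angle-bracket routes.

_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = rf"{_ATEXT}+(?:\.{_ATEXT}+)*"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN = rf"{_LABEL}(?:\.{_LABEL})+"   # assumption: require at least two labels
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_ADDR = re.compile(
    rf"(?P<local>{_DOT_ATOM})@(?:(?P<domain>{_DOMAIN})|\[(?P<literal>{_IPV4})\])"
)

# Characters whose presence usually means the user pasted an RFC feature this
# form chose not to support; used only to give a more specific rejection reason.
_HINTS = (
    ("<", "angle brackets are not accepted"),
    (":", "group/list syntax is not accepted"),
    (";", "group/list syntax is not accepted"),
    ("(", "comments are not accepted"),
    ('"', "quoted local parts are not accepted"),
)


def check_mailbox(addr: str) -> dict:
    """Classify one address.

    Returns {'ok': bool, 'kind': 'dns' | 'literal' | None, 'reason': str}.
    """
    # Folding whitespace and line breaks are legal in RFC 822 but never part
    # of a mailbox a user types into a form, so they are rejected outright.
    if any(c in addr for c in " \t\r\n"):
        return {"ok": False, "kind": None, "reason": "whitespace is not accepted"}
    if len(addr) > 254:                       # practical path-length limit (RFC 5321)
        return {"ok": False, "kind": None, "reason": "address too long"}
    m = _ADDR.fullmatch(addr)
    if m is None:
        for ch, why in _HINTS:
            if ch in addr:
                return {"ok": False, "kind": None, "reason": why}
        return {"ok": False, "kind": None, "reason": "does not look like local@domain"}
    if len(m.group("local")) > 64:            # local-part limit (RFC 5321)
        return {"ok": False, "kind": None, "reason": "local part too long"}
    kind = "literal" if m.group("literal") else "dns"
    return {"ok": True, "kind": kind, "reason": ""}


if __name__ == "__main__":
    # Constructed sample inputs, one per feature the thread discusses.
    for sample in ("alice+news@example.com", "alice@[192.0.2.1]",
                   "alice(comment)@example.com", "<alice@example.com>",
                   "Group: alice@example.com, bob@example.org;"):
        print(f"{sample!r:50} -> {check_mailbox(sample)}")
```

Note that `alice@[192.0.2.1]` is accepted as a domain literal but classified separately, so a service that does not want to deliver to raw IP addresses can reject `kind == "literal"` as a policy decision rather than a syntax error.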

  • Shawn (unregistered)

    I would expect TryCast to return a Boolean?

  • _dew_ (unregistered) in reply to Watson
    Watson:
    But it's already necessary to do a round trip to the database to verify that the record doesn't already exist (what do you mean I can't have two cellphones?). So there's nothing weird about attempting to insert the record and responding to a collision. The alternative is like "Do you know what time it is?" "Yes."

    Sorry, it's not the same thing. First, I check if the data entered is at least credible (client side). Then, I check integrity DB side - and there the roundtrip is necessary of course. However, it's a matter of approach - or habit - nothing so wrong in doing it all at once. And, yes, you can have two cellphones, but you don't enter both in the same field - I have provided some nice "additional contact" inputs :P

  • Coward (unregistered) in reply to Sashlik

    True about my point #2: there is more than one way to skin a cat.

  • Coward (unregistered) in reply to Slartibartfast
    Slartibartfast:
    Sorry, above post was in reference to:
    Coward:
    The only 2 WTFs here are: 1. Giving the user the SQL error code and message. Should only be done in debug mode. 2. The hard-coded error messages. These should come from a table which would be configurable by the end user. The end user could change which errors are Error, Warning, or Valid if the needs change.

    Tired.

    Well it's an improvement.

  • (cs)
    If haveSqlErrorNumber AndAlso firstSqlErrorNumber = 9001 Then
        sb.Append("I'm sorry, Dave.  I can't do that")
    End If
    
  • C (unregistered) in reply to Another support tech

    I think the captcha should be changed to require the identification of random words from (lots of) the previous comments which fit a specific pattern. Perhaps then the redundancy would decrease a little. :-|

    Another support tech:
    TRWTF is that nobody commenting here seems to have thought about how many layers of the application are involved here, and how this is going to affect the performance and throughput of the application.

    Putting all validation on the backend means that every tier of the application is involved in something which could be caught before the user ever presses "submit"!

    In typical workloads, the database is the most heavily loaded layer. Especially if this is a high-transaction environment you have to consider the extra overhead of the transaction rollback required when the DB rejects invalid data.

    A better approach, both in terms of performance, throughput, scalability and user experience, would be to take the defensive programming approach, and handle validation and filtering at multiple levels:

    Read page 2 again, please. I guess your observation skills might be TRWTF...

    Or perhaps an alertness captcha? There are a number of those "i must be tired" posts, and IMO they're getting old.

    My Name:
    Mr.'; Drop Database --:
    So what? The comment field here on The Daily WTF isn't validated, yet you yourself just entered "'; DELETE FROM Logs WHERE userid=12345; --" into it. The website happily inserted that value into the database, as you can confirm by viewing your post.

    Would you like to try again?

    FAIL!
    No need to present us with your autobiography now... You could try to actually think about what was said before bashing it!

  • Anonymously Yours (unregistered)

    What an idiot. Everyone knows the more cleverest way to evaluate a phone number in a database is to try to convert it to a date. On success report failure.

  • 01001001011101000010011101110011001000000110110101100101 (unregistered) in reply to 13 million users at the last count, actually
    13 million users at the last count:
    01001001011101000010011101110011001000000110110101100101:
    For those of you who see nothing wrong with this, in the Real World™ you have something called performance and database utilization.....
    Uh-oh people. I fear we have one of these geniuses here who thinks database integrity is optional because it 'takes too long'.

    You use MySQL, right?

    No, in fact database integrity is exactly what should be done in the database. Ensure foreign keys, enforce constraints, but don't run a 10000 line trigger with every insert/update to ensure a bunch of business rules.... And don't let the database be the ONLY source of data validation, as it is in this WTF. Balance and simplicity people....

  • Mr.'; Drop Database -- (unregistered) in reply to My Name
    My Name:
    Mr.'; Drop Database --:
    So what? The comment field here on The Daily WTF isn't validated, yet you yourself just entered "'; DELETE FROM Logs WHERE userid=12345; --" into it. The website happily inserted that value into the database, as you can confirm by viewing your post.

    Would you like to try again?

    FAIL!
    It accepts whatever you type into it -- even empty strings, as you can see from my post above. If it doesn't reject anything then there is no validation. It seems that you are the one who fails.

  • Random832 (unregistered) in reply to Certified Coward
    Certified Coward:
    Random832:
    RFC822: Square brackets ("[" and "]") are used to indicate the presence of a domain-literal, which the appropriate name-domain is to use directly, bypassing normal name-resolution mechanisms. - I don't know what this means, but it doesn't sound like it's meaningful in the context of internet e-mail.

    To the contrary, they're specific to e-mail. When you type @example.com, the host the message will be routed to is obtained from the DNS MX record; it could even be on a totally different domain. When you type @[example.com], or for that matter @[11.22.33.44], the message is delivered to that specific host (as in the A record) or directly to the specified IP address.

    Does anyone have a permanent email account at a server that has no MX record?

  • maassql (unregistered)

    I'm just purple pleased that there is any validation in the database. You can tell a real developer didn't work on this app. If a real developer had worked on it, there would have been serious validation in the UI and the data stored in a text file.

  • jim (unregistered)

    probably why everyone should just learn rails, for f*** sake!

  • Hmm (unregistered)

    Reading VB code made me throw up in my mouth a little.

  • (cs) in reply to Mr.'; Drop Database --
    Mr.'; Drop Database --:
    It accepts whatever you type into it -- even empty strings, as you can see from my post above. If it doesn't reject anything then there is no validation. It seems that you are the one who fails.

    Woosh...

  • (cs) in reply to Random832
    Random832:
    Certified Coward:
    When you type @[example.com], or for that matter @[11.22.33.44], the message is delivered to that specific host (as in the A record) or directly to the specified IP address.
    Does anyone have a permanent email account at a server that has no MX record?

    Well, in theory it could be useful for testing or for intranet mail systems. In practice, it seems to have been watered down already though.

    At least in gmail, you can't send mails to addresses with bracket syntax (it says the address is invalid). However, it will happily deliver mails if you put an IP address without brackets behind the @. If a host doesn't have an MX record, it will also deliver the mail to the host from the A record.

  • Dave's Co-Worker (unregistered)

    Because of a poor db schema, it uses a clustered primary key so you can only have 1 type of phone number (Home, Cell, Other, etc).

    In my opinion, the logical way to fix it would have been to change his binding Select query to only include valid options. For example, select phoneTypes from tlkpPhoneTypes where idphonetype not in (select idphonetype from tblPhone where idstudent=@idstudent). That would have completely eliminated the need to validate the phone types, since you were already having to query the db to get the phone types.

    I think the real WTFs are that he's looking for specific SQL Error Numbers, instead of testing the data up front. FYI - there's no client side validation on it, masked textboxes, required field validators, or anything logical to save some backend code.

  • David Elliott (unregistered)

    I am the author of this "WTF".

    1. The code was indented properly.
    2. VB.NET isn't my choice, it is what we use. As another keen commenter pointed out VB.NET is just a bad syntax of C#. Hence the AndAlso OrElse IsNot and all that bad looking crap.
    3. The DB schema has a compound PK of IDStudent,IDPhoneType. Before I wrote this we talked about eventually adding a surrogate PK and allowing multiple phone types for the same student. We can't do this until the super-legacy VB6 program that this database was originally used for is taken out of service.

    By passing the validation of the PK off to the server and catching the SQL error I avoid having to do the validation in the code which I'd later have to remove when we finally change the schema.

    1. Since I had already written the code to catch the SQL error for the compound PK it didn't take much extra code to catch the errors that occur when you try to shove a NULL in a NOT NULL field or shove too long of a string into too small of a varchar field.

    2. Although it is true that I didn't myself write any formatters or validation code, when I passed it off to another coworker (not Josh) for addition into the project he replaced the plain text box with a formatted Telerik RAD text box. So before this code went into production it did do validation before sending the data off to the server.

    So, to answer Jake's question. In my opinion, "B" (Ensure the data are valid while writing to the database) is always necessary and happens because of proper constraints on the database. "A" (Ensure the data are valid before writing to the database) is nice to have for the user and in this case eventually got added, granted, not by me.

    Choice "C" (Ask the user to please not perform an injection attack since your system isn't designed to handle it ) is never a good idea which is why the code uses a parameterized query.

    Now, as for "D" (Do it the clever way). Yeah, I admit, I did it. But I also did B and knew that the other guy was going to do A. So in my opinion presenting B to the user in a clean way isn't exactly a bad thing.

    In my ideal world I'm using some sort of ORM that can do my validation for me. In the world I had to write this control in we're using plain SqlDataSource. So I didn't have the ability to "push the validation to another layer". I could either push it into the UI or make the DB do it. I wasn't going to pull in an ORM system for a simple control as part of a huge project so I decided to make the DB do it. The DB does it anyway, so it was only a matter of displaying the DB message to the user in a decent way.

    And one other thing: A few people have pointed out the apparent oddity of checking to see if sqlException IsNot Nothing. This is because the exception can be of any type but I can only do anything useful with it when it is a SqlException. Therefore I use TryCast to cast it to a SqlException. If it is not, then TryCast returns Nothing. Perhaps a better way to have written it would be If sqlException Is Nothing Then Exit Sub. And ordinarily I do write my code that way because I think it is cleaner. I just happened to write the inverse of it this time and put the code inside the if block with the opposite IsNot Nothing condition. TRWTF here is that apparently writing even moderately advanced VB.NET code makes it essentially incomprehensible to 99% of VB programmers who can't bother themselves with any of this sort of "advanced" stuff like, say, dynamic casting.
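
The division of labour David Elliott describes (parameterized insert, constraints enforced by the database, the constraint violation caught and shown to the user in a decent way), together with Dave's Co-Worker's NOT IN query for the phone-type dropdown and Coward's point that the raw SQL error text should not reach the user, as an added example. This is Python on the stdlib sqlite3 module, not the article's VB.NET/SqlDataSource code or SQL Server. The names IDStudent, IDPhoneType, tblPhone and tlkpPhoneTypes come from the thread; PhoneType, PhoneNumber, the 20-character limit and the message wording are assumptions, and because SQLite does not enforce varchar(n), a CHECK constraint stands in for the "string too long" error the original catches.

```python
import logging
import sqlite3

log = logging.getLogger(__name__)

# Added example (not the article's code). Schema assumptions: PhoneType,
# PhoneNumber and the 20-character limit are invented; the compound PK on
# (IDStudent, IDPhoneType) is the one the author describes.
SCHEMA = """
CREATE TABLE tlkpPhoneTypes (
    IDPhoneType INTEGER PRIMARY KEY,
    PhoneType   TEXT NOT NULL
);
CREATE TABLE tblPhone (
    IDStudent   INTEGER NOT NULL,
    IDPhoneType INTEGER NOT NULL REFERENCES tlkpPhoneTypes(IDPhoneType),
    PhoneNumber TEXT    NOT NULL CHECK (length(PhoneNumber) <= 20),
    PRIMARY KEY (IDStudent, IDPhoneType)      -- compound PK: one number per type
);
INSERT INTO tlkpPhoneTypes VALUES (1, 'Home'), (2, 'Cell'), (3, 'Other');
"""

# What the user sees for each constraint family SQLite reports. The raw
# exception text never reaches the browser; it goes to the server log.
USER_MESSAGES = {
    "UNIQUE": "This student already has a phone number of that type.",
    "NOT NULL": "A required field is empty.",
    "CHECK": "The phone number is too long.",
    "FOREIGN KEY": "That phone type does not exist.",
}


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    con.executescript(SCHEMA)
    return con


def available_phone_types(con, id_student):
    """Dropdown source: the NOT IN query from the thread, so the UI only offers
    the types this student does not already have."""
    return con.execute(
        "SELECT IDPhoneType, PhoneType FROM tlkpPhoneTypes "
        "WHERE IDPhoneType NOT IN "
        "  (SELECT IDPhoneType FROM tblPhone WHERE IDStudent = ?) "
        "ORDER BY IDPhoneType",
        (id_student,),
    ).fetchall()


def add_phone(con, id_student, id_phone_type, phone_number):
    """Parameterized insert; the database constraints are the last line of
    defence and their violations are translated, not echoed. Returns (ok, msg)."""
    try:
        with con:                             # commits, or rolls back on exception
            con.execute(
                "INSERT INTO tblPhone (IDStudent, IDPhoneType, PhoneNumber) "
                "VALUES (?, ?, ?)",
                (id_student, id_phone_type, phone_number),
            )
        return True, "Saved."
    except sqlite3.IntegrityError as exc:
        detail = str(exc)   # e.g. "UNIQUE constraint failed: tblPhone.IDStudent, ..."
        log.warning("insert rejected for student %s: %s", id_student, detail)
        for family, message in USER_MESSAGES.items():
            if detail.startswith(family + " constraint failed"):
                return False, message
        return False, "The record could not be saved."


def stale_dropdown_race(con, id_student=7):
    """Why the PK catch stays even with a filtered dropdown: a second session
    (simulated here on the same connection) inserts between the SELECT that
    built the options and the user's INSERT."""
    offered = [name for _, name in available_phone_types(con, id_student)]
    add_phone(con, id_student, 2, "555-0100")            # the other session wins
    ok, msg = add_phone(con, id_student, 2, "555-0199")  # user's now-stale choice
    return offered, ok, msg


if __name__ == "__main__":
    db = open_db()
    print(add_phone(db, 7, 1, "555-0100"))          # (True, 'Saved.')
    print(add_phone(db, 7, 1, "555-0101"))          # PK collision -> friendly message
    print(add_phone(db, 7, 2, "'; DROP TABLE t; --"))  # stored literally, never executed
    print(stale_dropdown_race(open_db()))
```

The `'; DROP TABLE t; --` row is the same point Mr.'; Drop Database -- makes about the comment field: with a bound parameter the string is data, so storing it is correct behaviour, not a missing check. What the application must still own is the translation step, since `str(exc)` carries table and column names that should stay in the log.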

  • S (unregistered) in reply to MrBester
    MrBester:
    TRWTF: VB.Net with AndAlso (along with its hellspawn kin OrElse) While it's nice that there is some variety of short-circuiting (like even frickin JavaScript has had for years) was there anything wrong with implementing it on "And" and "Or" so there was parity? VB.Net is bad enough with its drippy handholding for lazy VB6ers without extra cruft.

    Yeah, I know And and Or are supposed to be equivalent to & and |, i.e. bitwise, but who has ever seriously done C-like bitwise comparisons in VB?

    The original (beta) versions of VB.NET had "And" and "Or" as short-circuit operators. They also had arrays declared by length (like every other modern language), not by highest subscript (like VB6). Unfortunately, too many stuck-in-the-mud idiots complained, unable to wrap their minds around this shift.

    http://discuss.joelonsoftware.com/default.asp?joel.3.86737.18 summarises the situation fairly well, and http://vb.mvps.org/vfred/breaks.asp is the list of one of the more vocal protestors. As you can see, the very point you raise was conceded by Microsoft between Beta 1 and Beta 2.

  • csm (unregistered) in reply to ClaudeSuck.de
    ClaudeSuck.de:
    # Ensure all teh codez aer email 2 me plz

    FTFY

  • (cs) in reply to me
    me:
    campkev:
    Actually, either is correct. Data can be plural or singular depending on how it is used. When used with a singular verb, it refers to a body of facts and is synonymous with the word "information".
    Actually, the word "data" is not synonymous with the word "information".

    Even though information and data are often used interchangeably, they are actually very different. Data is a set of unrelated information, and as such is of no use until it is properly evaluated. Upon evaluation, once there is some significant relation between data, and they show some relevance, then they are converted into information. Now this same data can be used for different purposes. Thus, till the data convey some information, they are not useful.

    Perhaps Wikipedia will be of assistance in the future.

    So what Mr Pedia is saying is information is only information if it is useful? Therefore there is no useful information?

    Mr Pedia knows a lot, but not everything he knows or says is 100% correct. At one time he says Data and Information are "closely related", then he turns around and says they are "very different."

  • pvm (unregistered) in reply to chrismcb
    chrismcb:
    Mr Pedia knows a lot, but not everything he knows or says is 100% correct. At one time he says Data and Information are "closely related", then he turns around and says they are "very different."
    Each Mr. Pedium has their own opinion and their collaboration is usually unorganized. He needs your publishing editor skills.
  • (cs) in reply to JM
    JM:
    This is such a stupid and uninformed WTF that I think I will just stop reading the DailyWTF until someone tells Jake Vinson to fuck off.

    Bye! Don't let the door hit you on the way out! ... What, still here? Having trouble finding the door? Let me help by just tossing you out.

  • Mr.'; Drop Database -- (unregistered) in reply to PSWorx
    PSWorx:
    Mr.'; Drop Database --:
    It accepts whatever you type into it -- even empty strings, as you can see from my post above. If it doesn't reject anything then there is no validation. It seems that you are the one who fails.
    Woosh...
    No.
  • AB (unregistered) in reply to MrBester

    I have. All vb naming conventions suck, you're throwing a pebble into the ocean with your comment.

  • Thomas (unregistered) in reply to Right tool for the right job

    "Anyone who says they "hate vb" is probably not a good enough developer to work in any shop I've ever been a part of. "

    So essentially you are saying that braindead tools are good things and do not introduce braindead coding habits.

    Whatever suits you, sir, but I won't agree.

    You see, if you use, let's say, Pascal (or any other tightly structured language), you can't just cobble something together and expect it to work like a real application, as in Basic. Probably you wouldn't even get it through the compiler.

    VB and C are naturally suited for shooting the coder's own foot. Everything else requires a lot of administrative work and careful coders.

    The WTF of the article is that the DB isn't a front-end sanity-checking tool; it has enough load checking the values put in. Cleaning most of the crap from the input must be done in the application (and not with a DB procedure as somebody suggested, but in plain code).

    At least two reasons:

    1. You don't feed anything random to DB, ever. Not even to a procedure.
    2. Any real world db has (or at least should have) very complicated key and foreign key network and business logic rules to check any input against, so it's just stupid to load db with simple sanity checks, while it has to do these much more complicated checks anyway.
  • Calculator ftvb (unregistered)

    I like VB. /Well-written/ VB...

  • eric bloedow (unregistered)

    Oh, that reminds me of a program I wrote for school. Actually a set of programs, where the output from the first one becomes the input for the second, and so on. The first program, of course, was to validate the input and make sure every field is valid. BUT I made ONE mistake: I forgot to make sure the Month field was a number in the 1-12 range! So one file, with a "month" of "30", slipped through. Then the second program tried to look up a table using the month field... CORE DUMP! Quite embarrassing...
