  • IE4 (unregistered)

    It's difficult to be too critical of this. Things like this are, after all, the original selling points of Internet Explorer as a 'platform to develop your applications on.' (circa IE4, I think).

    In other words, this sort of thing was exactly what Microsoft were encouraging at the time.

  • Michael (unregistered) in reply to chimaera
    chimaera:
    TRWTF is that Richard Dawkins can be described as 'controversial' as opposed to 'a proponent of the blindingly obvious'

    Hear, hear!! This post made my day - I think he is only controversial among people who A: Never use their brain. or B: Still believe in the tooth fairy (or the flying spaghetti monster for that matter. "I have been touched by His noodly appendage!" Classic!)

    His book is interesting, but I wouldn't recommend it, except to those that need convincing. Reading a whole book about the 'blindingly obvious' becomes a bit dull, after a while.

  • arg.zero (unregistered)

    ...and I hope that it's at least a read-only database account. The username and password are in plain view.

  • Arioch (unregistered)

    Yes, we may say one should not re-connect to the database on each request and should rather use a connection pool. Same for the SQL statement, which should rather be kept prepared with a varying parameter than reconstructed. And if the script dies in the middle (or MSIE is closed, or Windows BSODs) - will there be a zombie connection, opened with no one to close it, waiting for the timeout to kill it? Hammering the DB with a create-a-zillion-connections script is highly unlikely within a corporate intranet.

    However, it is not said that all this caused performance problems; human speed was the limit, not the server's speed/resources.

    Yes, VBScript is bad practice for the WWW, but for internal middleware, if migration to non-Windows is not a concern, it is acceptable (I hate MSIE, but it IS acceptable for an internal app).

    Yes, a direct client<->server DB connection for a WWW app is highly unusual, connectivity being one of the reasons. However, on the same LAN there should be no problems, and since it is in the same corporate network - no trouble with firewalls/routing either (IT admins are in charge of it in the same way as they are for the servers themselves). And what if those pages are meant to be saved locally for whatever reason (for example, compiled into a CHM)?

    Yes, sending the login/password as part of the page is usually a weird idea. However, why not, assuming that this DB user has only read-only access to non-confidential tables? It is no weirder than using the one SYSDBA/root/etc. account for all the operations/users, as WWW servlets usually do.

    So, bad design - probably. WTF - no, not something definitely bad.

  • Arioch (unregistered) in reply to mendel
    This way, the client goes directly to the database, but the security is on the same level that you would have had with an AJAXy solution.

    Security against unauthorised data access - yes. Security against hammering and DDOS'ing - no.

    Imagine I have a bot-net and try to do 1000 DB connections per second from each of the 1000 machines in my bot-net.

    Now Linux with IP connections in hashed mode has a chance to survive. A WWW server like Yaws or nginx has a chance to break cruelly but still allow true users to work (they are designed to stand many, many connections at the same time with few resources used), and they can stand in front of mass-pop servers like IIS and Apache (server-side proxy, reverse proxy). Also, all of those can be clustered across multiple machines - so as to spread the hammering among different computers.

    Will any known SQL server - provided that clients and the bot-net can connect to the SQL server directly - be protected against a connection flood in the same manner as described above?

  • (cs) in reply to anon

    Yeees..

    But vman's comment was that the especially bad part was passing the database connection string.

    To me, that's just something which follows on from the 'being able to send any query you want' bad part.

    If you get rid of THAT bad part, then the 'sending the database connection string' bad part isn't necessary.

    IYSWIM.

  • Tim from OHio (unregistered)

    The true WTF here? This person admitted to using Internet Explorer.

  • (cs) in reply to Michael
    Michael:
    chimaera:
    TRWTF is that Richard Dawkins can be described as 'controversial' as opposed to 'a proponent of the blindingly obvious'

    Hear, hear!! This post made my day - I think he is only controversial among people who A: Never use their brain. or B: Still believe in the tooth fairy (or the flying spaghetti monster for that matter. "I have been touched by His noodly appendage!" Classic!)

    His book is interesting, but I wouldn't recommend it, except to those that need convincing. Reading a whole book about the 'blindingly obvious' becomes a bit dull, after a while.

    Might I point out that, within the past thousand years, it was "blindingly obvious" that the earth was flat and the sun revolved around it...

    Since when has science bowed to the cult of the popular or been done by a raise of hands? Don't be one of the mindless sheeple you rail about.

  • B (unregistered)

    s/Brilliant/Brillant/

  • (cs) in reply to Tim from OHio
    Tim from OHio:
    The true WTF here? This person admitted to using Internet Explorer.
    And this is why you read the thread before posting to it, lest you end up looking more than a little stupid.
  • Andrew Badera (unregistered) in reply to proko
    proko:
    I have read a lot of WTFs from this site, but this kind of thing still makes me wonder if the person who wrote that was really a complete moron or whether there was some other reason. I mean, I haven't learned security or even programming at university (I learned physics), but even at the beginning of my profession as a programmer I didn't write this kind of WTF. I mean..... well, I can't even think of anything after that thing.

    If you've never written anything you'd consider a WTF, then you'll never be much of a software engineer. We all do it, it's just a matter of degree and frequency, and the ability to recognize it, admit culpability, and deal with it.

    PS nobody in the modern world is a "programmer."

  • (cs) in reply to Andrew Badera
    Andrew Badera:
    PS nobody in the modern world is a "programmer."
    Because every job title sounds more impressive when you can stick "Engineer" at the end, amiright?
  • wfweff (unregistered)

    I worked with a guy that did this all the time. He couldn't figure out how form submits worked, so he just did this instead.

  • (cs) in reply to J
    J:
    Just a few years ago, I took a job at a place that hadn't made the jump from classic ASP yet. One developer there was very proud of his code to dynamically sort tables on a webpage. I noticed that resorting the table refreshed the page with a new querystring variable such as "?order=lname" and soon discovered that he was dynamically creating SQL queries and just swapping out the "ORDER BY" field. (Of course, the queries always began with "SELECT * FROM" and let the ASP do the filtering work.)

    Luckily I found a new job by the time clients started getting attacked by the most elementary form of SQL injections.

    So, you couldn't offer the simple fix of changing adLockReadOptimistic/Pessimistic to the default of adLockReadOnly? Or Replace(Request.QueryString("order"),"'","")?

    The question is, did you leave, or did they ask you to go?
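    One way to fix both problems the thread circles around - Arioch's point that the statement should be kept prepared with a varying parameter rather than rebuilt per request, and the "?order=lname" swapping J describes - as an added example that is not code from the thread or from the original classic ASP application. It is written in Python with sqlite3 so it runs stand-alone; the table, column names and rows are constructed for the example. A sort column is an identifier and cannot be bound as a parameter, so the untrusted order value is mapped through a fixed allowlist and anything else falls back to a default; the row filter is bound, so it is never spliced into the SQL text. The strip_quotes function reproduces the Replace(...,"'","") suggestion only to show that it leaves an unquoted identifier untouched, which is why it is not a defence for ORDER BY.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
ROWS = [
    ("Alice", "Zimmer", "Sales"),
    ("Bob", "Adams", "IT"),
    ("Carol", "Miller", "Sales"),
]

# Allowlist of sort columns the page may sort by. The original application's
# column names are not shown in the thread, so these are assumed.
ALLOWED_ORDER = {"fname": "fname", "lname": "lname", "dept": "dept"}
DEFAULT_ORDER = "lname"


def strip_quotes(value):
    """The thread's suggested fix, Replace(Request.QueryString("order"),"'","").
    For an ORDER BY column the value is never inside quotes, so removing quote
    characters changes nothing about an unexpected identifier."""
    return value.replace("'", "")


def safe_order_by(requested):
    """Map the untrusted ?order= value onto a known column, or the default."""
    return ALLOWED_ORDER.get(requested, DEFAULT_ORDER)


def build_query(order_param):
    """Build the statement: filter value is a bound parameter (?), the sort
    column comes only from the allowlist, never from the request text."""
    column = safe_order_by(order_param)
    return (
        "SELECT fname, lname, dept FROM people "
        f"WHERE dept = ? ORDER BY {column}"
    )


def fetch_sorted(conn, dept, order_param):
    """Run the prepared statement with the department as a bound parameter."""
    cur = conn.execute(build_query(order_param), (dept,))
    return cur.fetchall()


def make_db():
    """Create one in-memory connection that is reused across requests, rather
    than reconnecting per query as the page in the article does."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (fname TEXT, lname TEXT, dept TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_db()
    # A legitimate sort request and an unexpected one; the latter falls back
    # to the default column instead of reaching the SQL text.
    print(fetch_sorted(db, "Sales", "fname"))
    print(fetch_sorted(db, "Sales", "lname; --"))
    # A bound filter value is compared literally, so a malformed department
    # simply matches no rows.
    print(fetch_sorted(db, "Sales; --", "lname"))
```

    The same approach carries over to classic ASP: keep the column-name mapping in a Select Case (or a Dictionary) and pass the filter through an ADODB.Command parameter instead of string concatenation.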

  • (cs) in reply to GalacticCowboy
    GalacticCowboy:
    Might I point out that, within the past thousand years, it was "blindingly obvious" that the earth was flat and the sun revolved around it...

    Since when has science bowed to the cult of the popular or been done by a raise of hands? Don't be one of the mindless sheeple you rail about.

    12th Century Scientist: "The Earth is round." 12th Century Pope: "The Earth is flat." 12CS: "No, actually it's quite round." 12CP: "It's flat or we'll boil you in oil." 12CS: "You're quite right actually, the Earth is VERY flat. Let me try and rewrite all of my equations to help you prove that."

  • (cs) in reply to caffeinatedbacon
    caffeinatedbacon:
    GalacticCowboy:
    Might I point out that, within the past thousand years, it was "blindingly obvious" that the earth was flat and the sun revolved around it...

    Since when has science bowed to the cult of the popular or been done by a raise of hands? Don't be one of the mindless sheeple you rail about.

    12th Century Scientist: "The Earth is round." 12th Century Pope: "The Earth is flat." 12CS: "No, actually it's quite round." 12CP: "It's flat or we'll boil you in oil." 12CS: "You're quite right actually, the Earth is VERY flat. Let me try and rewrite all of my equations to help you prove that."

    http://en.wikipedia.org/wiki/Flat_Earth_mythology

  • Steve B (unregistered) in reply to IE4
    IE4:
    It's difficult to be too critical of this. Things like this are, after all, the original selling points of Internet Explorer as a 'platform to develop your applications on.' (circa IE4, I think).

    In other words, this sort of thing was exactly what Microsoft were encouraging at the time.

    Exactly, This is intended to run on a LAN and the only problem is the permissions of the user account.

  • kristaps (unregistered)

    I would actually call this AVAS - Asynchronous VBScript And SQL

Leave a comment on “Not Exactly AJAX”
