Admin
1st post, yay! ok, setting and "fixing" sql is a major no no, ouch, it hurts to look at this...
Admin
Argh! My eyes!
The goggles, they do nothing!
Admin
Function fncSetSQL_good(ByVal strSQL As String) As String
Dim strReMade As String
strReMade = Replace(strSQL, " ", "_")
strReMade = Replace(strReMade, "#", "~")
fncSetSQL_good = strReMade
End Function
Same deal for fncFixSQL, just switch the last two parameters of each Replace function call.
I can't even list all the WTFs with this code (if you're going to ignore the obvious "Why TF was this created?"). Creating a separate variable to track the length of a string instead of just using Len(str) as the loop criteria, looping through a string character-by-character instead of using the Replace function, that useless intSave variable which serves only to show that this VBA moron doesn't know how to nest functions...
OW dammit I got so mad I just burst a blood vessel in my eye!
Admin
The best part is if you call these one after the other (in any order), you get what you started with.
Admin
This design takes advantage of some of the more advanced compression algorithms in today's processors.
Admin
Is this some sort of weird attempt at preventing injection attacks?
Admin
hey - i get it - the wtf is that they forgot to tokenize "-" and "_" first, right!?
Admin
As far as I understood, when you push the input first through fncSetSQL and then through fncFixSQL, the effect is that it replaces "_" with " " and "~" with "#". WTF?
Admin
I think it's safe to assume it also calls a function that converts the units to metric then calls another to convert them back to English. But did they remember to change any criterion value that's "green" to "hedgehog" and back again?
--Rank
Admin
On second thought, I'll use my own advice of nesting functions and eliminating useless variables and reduce the function to one line:
Function fncSetSQL_kickass(ByVal strSQL As String) As String
fncSetSQL_kickass = Replace(Replace(strSQL, "#", "~"), " ", "_")
End Function
Ooh yeah that feels much better, like wiping your ass with an angel's wing.
Admin
Not if your query happens to include '_' or '~'. Then it'll come back broken after you 'fix' it.
Admin
So, if I start with:
select *
from table_with_common_naming_convention
I get
select_*
from_table_with_common_naming_convention
which translates to
select *
from table with common naming convention
and gives me a syntax error. I love it. Hunt that bug down, if you can.
Admin
I'm wondering... what is the purpose of encoding an SQL and then decoding it (besides the fact it won't work if the original SQL contains '_' and '~', as previously mentioned)?
Admin
Wow, I really must be a total idiot, because I can't see for the life of me why you would want to use these functions. Could someone please explain this for me?
Thank you.
Admin
One word: Job Security
Admin
Oh, come on. Can NOBODY see the reason for this code??
He's passing the SQL from the front end to the back end as a URL parameter. This is a poor implementation of a URLEncode.
(Generates a whole other universe of WTFs, but I think it explains it!!!)
That or the system USED TO pass the SQL inside a URL, but someone looked at the code and said "WTF??" and fixed it to be a little more secure, but didn't change all the "surrounding" helper functions.
Wait, what's wrong with passing SQL strings in user-visible URLs ??? ;)
Admin
I'm gonna guess that the SQL queries are stored in the filesystem (perhaps for easier cross-DB conversion?), and the "strSQL" is the filename, so space or tilde might cause trouble with some filesystems and are replaced with _ and #. I hope. Otherwise, somebody is just nutso.
Admin
Wouldn't that be: Job_Security ?
Admin
This was most likely an act of espionage from a disgruntled employee against the evil soulless corporation that burned down his house, slept with his wife, and kicked his dog. That's the only explanation for an atrocity like this. That or rampant stupidity.
Admin
But what can we suggest for our operative Jon on how to comment this code? I mean, other than just:
'WTF?
How about:
Function fncSetSQL(strSQL)
'Sneak up on database with cleverly disguised query string.
And
Function fncFixSQL(strSQL)
'Remove disguise at the last minute and surprise the database. Boo.
--RA
Admin
Come on Jon, where's the professional explanation?
Admin
I'm waiting for the_guy_who_likes_underscores_in_names to show up and talk about how fatally broken this is.
With a softball bat, I'm waiting.
Admin
Wow... Can I suggest an obvious refactoring... rename "fncSetSQL" to "fncBreakSQL".
Admin
My first thought as well. He was, at some point, passing the SQL through a webserver and the functions were used to make the string pass through properly.
Then somebody later saw it, and after changing their pants, removed that bit without removing these wrapper-esque type functions sprinkled throughout the code.
Admin
That's two words.
Admin
This would mean they would have to actually read a manual or KNOW something about the language they are developing in. How many times have we seen this? Why does it seem so hard to ask a simple question like, "Hey does anyone know if [insert language here] has a function to [insert request here]?". NO! They just go around and continue to reuse code they once developed while learning C, FORTRAN, or COBOL back in college or at their first job. Computer languages have actually evolved and continue to. Replace, Substring, Len, Split, Join, etc. They actually exist! USE THEM!
(the whole time I was writing this I was imagining myself shaking this person)
Back to taking my pills before I really fly off the handle.
Crazy Joe Devolia!
Admin
I love how the encoding is not one-to-one and the decoding is not onto.
Admin
I don't think the code was meant to mangle SQL, probably just used to mangle the values of an SQL and then try to unmangle them again when extracting from the database. Of course, this will not work if the original data includes '_' or '~'.
thus do something like
"INSERT INTO xxx VALUES ( " & mangle(value1) & "," & mangle(value2) ...& ");"
Why on earth anyone would believe removing " " and "#" from values is any good is in my opinion the WTF in this, but then again it may be due to company policy.
Admin
It's only one word after processing it with fncSetSQL.
Admin
Well, they are, provided that the unencoded domain excludes strings with # and ~.
Admin
... er, _ and ~.
Admin
The real WTF is the manager who thought a productive use of Jon's time was to force him to document other people's code. This WTF entry is aptly titled indeed.
What we have is a manager who fucked up by not requiring the original developer to comment and to produce quality code (or just submit to a code review). The manager clearly doesn't understand that trying to document someone else's code is the slowest, most wasteful activity into which a programmer can sink his time.
The whole reason OO was conceived was because some smart people noticed this, and realized development would go a hell of a lot faster if classes were opaque and a programmer didn't have to poke through another's code just to learn how to make use of the stuff.
Admin
I love this code, and for those believing that this is an URL-decoder, whaa? There are no # in urls, and _ are _ not " ".
... maybe something translates this somewhere, I use PHP.
Admin
I haven't read the source code for Microsoft Foundation Class Libraries lately, but back in the mid-1990s, there was similar code in MFC's CRecordset to turn a collection of fields into an SQL SELECT statement, then go back and fix up the punctuation in the constructed string, because it had gotten it wrong the first time.
Admin
What are you talking about, # (fragment identifiers) have always been part of URL encoding.
Admin
Only a VB programmer could have done such a dumb thing. VB programmers are absolutely dumbest among all. They should prohibit using that dumb language, so dumbsters would go to find out they aren't able to code in anything less dumb than VB, let's say simple C, and go washing pools instead.
Admin
That's the point, I think. The "set" function replaces "#" and " " characters - neither of which are valid in URLs - with "~" and "_". "Fix"ing the SQL does the opposite. Well, except that it mangles your other _ and ~ characters, of course.
Not trying to defend this WTF, just replying.
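The round-trip failure shown earlier in the thread (the "table_with_common_naming_convention" post) and the URL-encoding theory just above can both be checked directly. The block below is an added example, not code from the original post: it ports fncSetSQL/fncFixSQL to Python, shows which constructed sample queries the pair corrupts, shows that real percent-encoding round-trips all of them, and shows that a parameterised query is what actually keeps a value with quotes in it as data.

```python
"""Round-trip check for the thread's fncSetSQL/fncFixSQL pair, compared
with real percent-encoding. Ported to Python for this note; the sample
queries and the customer table below are constructed, not from the post."""
import sqlite3
from urllib.parse import quote, unquote


def fnc_set_sql(s: str) -> str:
    """Port of fncSetSQL: space -> '_', '#' -> '~'."""
    return s.replace(" ", "_").replace("#", "~")


def fnc_fix_sql(s: str) -> str:
    """Port of fncFixSQL: '_' -> space, '~' -> '#'."""
    return s.replace("_", " ").replace("~", "#")


def survives_round_trip(s: str, enc, dec) -> bool:
    """True when dec(enc(s)) gives back the original string."""
    return dec(enc(s)) == s


def broken_by_mangling(queries):
    """Queries the Set/Fix pair corrupts: any containing '_' or '~'."""
    return [q for q in queries if not survives_round_trip(q, fnc_set_sql, fnc_fix_sql)]


def broken_by_percent_encoding(queries):
    """Same check with urllib's quote/unquote, which escapes ' ' and '#'
    as %20 and %23 and leaves '_' and '~' untouched, so nothing is lost."""
    return [q for q in queries if not survives_round_trip(q, quote, unquote)]


def lookup_customer(name: str) -> list:
    """Parameterised query: the value goes to the driver as a parameter,
    never mangled or spliced into the SQL text, so quotes stay literal data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (name TEXT)")
    con.executemany("INSERT INTO customer VALUES (?)", [("O'Brien",), ("Jon",)])
    rows = con.execute("SELECT name FROM customer WHERE name = ?", (name,)).fetchall()
    con.close()
    return [r[0] for r in rows]


# Constructed sample queries, mirroring the thread's naming-convention example.
SAMPLE_QUERIES = [
    "select * from orders",
    "select * from table_with_common_naming_convention",
    "select * from notes where body like '%~%'",
]

if __name__ == "__main__":
    print(broken_by_mangling(SAMPLE_QUERIES))           # the last two queries
    print(broken_by_percent_encoding(SAMPLE_QUERIES))   # []
    print(lookup_customer("O'Brien"))                   # ["O'Brien"]
```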
Admin
I like that the two functions contain the same casing here:
Obviously they're copy & paste, which makes it even more fun.
Admin
Damn VB or C# every time. Does no one have any LISP or FORTRAN WTFs to share?
Admin
No that would be nounJobSecurity
Admin
It says "comment on", not "comment". It sounds to me like Jon was just doing a code review, which is a good practice.
Admin
This could be a valuable clue.
To be fair, it is also a few others. Older programming languages do not make it here too often.
Sincerely,
Gene Wirchenko
Admin
That or it's one of the rare new managers with a clue about managing, who thinks Jon is a good judge of code. Thus Jon was asked to review code that might or might not be bad, to see where he needs to find time to fix code before it becomes a problem.
Hey, we can all dream, can't we? Of all the managers in the world there must be one that is this smart. (though dreaming of 2 would be going too far)
Admin
The # character is valid. It is used to point to anchors inside the HTML document. That's how to get the browser to move to a certain point inside the page when the page is loaded, instead of starting always at the top of the page. You can put an invisible anchor at the top of the page:
...and then put a link to the anchor at the bottom of a very long page:...so users can go back to the navigation menu at the top of the page without scrolling.
I have found that anchors generally confuse users a lot because they don't understand that a link can bring you back to the same page you were in, and they don't look at the URL as a geek would do. Also, if the anchor and the link are very near to each other, nothing appears to happen, so they click several times in a row with no apparent effect :) It gets better then, because they hit "back" and they get brought back to the same place, then they hit it again several times and they keep getting brought back several times to the same place until they get back to the expected behaviour :)
Admin
The real WTF is not so much the verbosity of the functions nor the futility of such functions. It's all about SQL Injection Attacks!
"A system is only as secure as your dumbest programmer developing the self-same system."
Admin
You guys have it all wrong. The original *ahem* programmer meant to do this:
Function putItIn(ByVal wtf As String)
End Function
Function putItOut(ByVal wtf As String)
End Function

Function shakeItAllAbout(ByVal wtf)
End Function
Function doTheHokeyPokey(ByVal wholeSelf, ByVal wtf)
End Function
Function turnYourselfAround(ByVal wholeSelf)
End Function
Function andThatsWhatItsAllAbout(ByVal rightFoot, ByVal leftFoot, ByVal rightHand, ByVal leftHand, ByVal rightSide, ByVal leftSide)
End Function

Sorry for the length of this post and especially if it does not format correctly (first timer here) but I couldn't resist ;)
Admin
I love VB programmers. They've obviously never taken even an entry-level programming class, only know one form of flow control, and have only a tenuous grasp of any API.
It's obvious that this guy only knows while/do, and can't grasp nesting precedence (inside-out!).
For the record, I could point to my first quarter Pascal project and we could all laugh at "mr. doesn't get pass-by-reference or scope, so let's make everything a global variable"
Admin
There's a reason that the new (read: dumbed down) languages are so heavily represented here...