• Laura (unregistered)

    That's simply 'Brillant'!

  • QueQueg (unregistered)

    Not sure that this is completely WTF. I can imagine a scenario where this wouldn't be horrible, involving a 3-tier architecture where a low-access security user validates the credentials of the logging-in user, and then returns a custom connection string (that will hopefully be encrypted before transmission).

    Although I guess if the logging-in user were getting their own custom connection string, it wouldn't be 3-tier anymore, because they'll be connecting directly to the database, circumventing a middle tier.

  • J. (unregistered)

    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.

  • Jonh Robo (unregistered)

    ...maybe this information is kept in different database???

  • SqlGuru (unregistered) in reply to QueQueg

    Except that they're not selecting from a column. They're just building a string in the select statement that's static.

  • QueQueg (unregistered) in reply to SqlGuru

    I figured those <removed> bits were for the sake of the post.

    If not, and its just returning a static string, then that it is definately WTF.

  • (cs)

    No WTF - er, I mean, not the same WTF if it's poor access control! I can imagine it now...

    ERROR

    You require SELECT privileges for the 'users' table in order to retrieve the connection string

    'driver={SQL Server};user id=<removed>;pwd=<removed>;Network=dbms;server=127.0.0.1;database=<removed>;'

    Please contact your administrator if you require sufficient privileges to retrieve the above connection string.

  • (cs) in reply to QueQueg
    QueQueg:
    I figured those <removed> bits were for the sake of the post.
    They were. But what was removed was a part of a static string - after all, they wouldn't have had to remove it if it were concatenation operators and column names, right?
    If not, and its just returning a static string, then that it is definately WTF.
  • egal (unregistered)

    it can make sense with distributed databases

  • Auto Enthusiast (unregistered) in reply to J.
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
    Where do you park your car? What color is it? What's the License number?
  • Jim (unregistered)

    The real WTF is the people who submit comments that try to justify a query like that.

  • (cs)

    So it returns one copy of the connectionstring for each row in the Users table. If they're just testing for access rights, perhaps "select top 1" (T-SQL) or " where rownum = 1" (Oracle)?

  • (cs) in reply to Auto Enthusiast
    Auto Enthusiast:
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
    Where do you park your car? What color is it? What's the License number?

    Directions to J's car:

    Drive to New York City. Swim East 3400 miles. Nearest parking lot, nearest car, plate 456-123

  • (cs) in reply to J.
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
    Yeah, and besides, if you've locked your keys in the ignition and it's starting to rain and all your windows are down and your seats are going to get all wet, you can reach in through the window to retrieve the spare set from the glove box.

    (Clicking stopwatch...)

  • bubba (unregistered) in reply to Jim

    That's what scares me. Every time a WTF is posted, there's WAY too many people trying to justify it.

    It's like the old joke says:

    1 out of every 3 people are crazy. Look to your right, then look to your left. If those people are sane...

  • Barry (unregistered)

    In theory if you're connecting to a second database it does make SOME sense. However sending the username and password to the database only to have it sent back is pretty damn stupid.

  • George (unregistered)

    << So it returns one copy of the connectionstring for each row in the Users table. If they're just testing for access rights, perhaps "select top 1" (T-SQL) or " where rownum = 1" (Oracle)? >>

    Or just omit the FROM clause entirely... Duh!

  • QueQueg (unregistered)

    Many people just try to differentiate between bad code and WTF.

    Bad code isn't necessarily WTF.

  • data (unregistered)

    Well connection string might be viewed as data. And for data we have databases. So we have to fetch the connection string from the database even if we use the database only for concatenating the string ;-)

    captcha: sanitarium = really matches

  • Brimstar (unregistered)

    I can say I've done this. The reason being that I've got an application where there are two different databases. No non-development user has a reason to access the other database except in a read-only mode (handled through a common login). The database connection is established based on which one the user is authorized to work in after checking permissions and retrieving the connection string in a general database. It's a hack, but given that I don't have full control over the client application login function works I can't just allow them to select what database to connect to.

  • Auto Enthusiast (unregistered) in reply to pitchingchris
    pitchingchris:
    Auto Enthusiast:
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
    Where do you park your car? What color is it? What's the License number?

    Directions to J's car:

    Drive to New York City. Swim East 3400 miles. Nearest parking lot, nearest car, plate 456-123

    I expected the plate number to be ID10T or Paula

  • Cope with IT (unregistered)

    And was

    server=127.0.0.1
    really in the original? 127.0.0.1? localhost?

    This in fact would be ... extremely production ready.

  • barfman (unregistered) in reply to QueQueg
    QueQueg:
    Not sure that this is completely WTF. I can imagine a scenario where this wouldn't be horrible, involving a 3-tier architecture where a low-access security user validates the credentials of the logging-in user, and then returns a custom connection string (that will hopefully be encrypted before transmission).

    Although I guess if the logging-in user were getting their own custom connection string, it wouldn't be 3-tier anymore, because they'll be connecting directly to the database, circumventing a middle tier.

    I'm sure if we knew more about the actual reason why they were querying to a table, perhaps we'd truly know the wtf. Obviously, select 'some connection info' would have sufficed if they honestly were idiots and really wanted a hard coded string. otherwise, why the custom conn info to be pulled from a users table? (looks like someone had intentions for the table, and never followed through perhaps) I honestly wish there was more of a background story on that. Then we'd know for sure if it is a wtf.

    if the only wtf is the hardcoded sql string, come on... no one is that stupid. if the wtf is pulling conn info out of the users table, I need more background info on what in hells name these ppl were trying to accomplish.

    select wtf from worsethanfailure where rest_of_story is not null.

  • J. (unregistered) in reply to J.

    And useful if you have AAA and lock the other set in your house by accident.

  • Zolcos (unregistered)

    You require SELECT privileges for the 'users' table in order to retrieve the connection string

    'driver={SQL Server};user id=SuperCoolGuy;pwd=hunter2;Network=dbms;server=127.0.0.1;database=WTF;'

    Please contact your administrator if you require sufficient privileges to retrieve the above connection string.

  • BlueKnot (unregistered) in reply to QueQueg
    QueQueg:
    Many people just try to differentiate between bad code and WTF.

    Bad code isn't necessarily WTF.

    Yeah.

    But this is really, really bad code. People trying to justify it missed something... there may be valid scenarios for retrieving one conn string from another database, etc., but this...

    You take what could be a simple assignment of a static string (little or no potential for error), and wrap it in a layer that could fail for a number of reasons and adds several lines of code (creating the SQL, executing the SQL, and finally assigning it/using it.)

    It's like saying: "On this paper I have an important piece of information. I'm putting it in an envelope. In order to read it, I will mail it to myself then open the letter when it arrives."

  • rd (unregistered) in reply to pitchingchris
    pitchingchris:
    Auto Enthusiast:
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
    Where do you park your car? What color is it? What's the License number?

    Directions to J's car:

    Drive to New York City. Swim East 3400 miles. Nearest parking lot, nearest car, plate 456-123

    Cinco Vilas, Portugal - I'm on my way. Damn, this water is cold!

  • Jon (unregistered)

    Is it just me or did like everyone just totally MISS the WTF. It is not a WTF to have connection strings in a database. You have a master server and child servers. You can bring up and bring down child servers without having to write any sort of UI for it.

    The WTF is it seems that they are trying to identify users by using full connection strings.

    So.. I guess this WTF posting is kind of a WTF in itself...

  • (cs) in reply to BlueKnot
    BlueKnot:
    It's like saying: "On this paper I have an important piece of information. I'm putting it in an envelope. In order to read it, I will mail it to myself then open the letter when it arrives."

    Bad example. That sort of thing is common in mystery novels. "It will be sitting in my post office box. Now, if you kill me, the authorities will discover it and know what I know and your nefarious plans will be uncovered. You're foiled! Foiled I say!"

    That does beat the climactic scenario of gathering the suspects together and the protagonist reaching out of the open window and grabbing a completely new character who is then revealed to be the true villain. Based of course on information in a safety deposit box that was never mentioned previously in the text. I never read another one of that series of books after that.

  • barfman (unregistered) in reply to Zolcos
    Zolcos:
    You require SELECT privileges for the 'users' table in order to retrieve the connection string

    'driver={SQL Server};user id=SuperCoolGuy;pwd=hunter2;Network=dbms;server=127.0.0.1;database=WTF;'

    Please contact your administrator if you require sufficient privileges to retrieve the above connection string.

    lol, now that is funny.

  • AC (unregistered)

    There must be a reason for this code. Maybe the code selects connection information for another, user-specific, database?

    I've worked with an application that needed to select the name of the DBMS from a configuration table in the database. The reason was that the database access functions were so heavily abstracted that there was no way for the application to know to which database it was connecting to (the info was stored in a config file somewhere that the application itself could not read).

  • Josh (unregistered)

    Thanks Jake, you just reminded me where I left my car keys.

  • dataCowboy (unregistered)

    It's KINDA like keeping your spare keys in your car. Yes, you already have to have the keys to get to your spare key. However, since he doesn't select from dual or do some type of "select top 1" or "where rownum <=1", it's more analogous to keeping one set of spare keys in your car PER BOLT IN THE CAR (20000 bolts in the car == 20000 spare keys!). Truly BRILLIANT.

  • Kinglink (unregistered)

    My last employer (before my current one) did the same thing, it was in code at the very least but when I mentioned the insecurity they stared at me blankly. That's not a WTF yet.

    They then also sent these applications out of house sometimes. This was a major clearing house that handled a couple million dollars of transactions a day at least.

    The account that was used was for the MAIN (and only) Database, and it was the administration account and it was only backed up once a day at the end of the day.

  • (cs) in reply to Auto Enthusiast
    Auto Enthusiast:
    I expected the plate number to be ID10T or Paula

    PEB-KAC.

    -- Seejay

  • Loren Pechtel (unregistered)

    I think I understand what's really going on here--we are looking at a case of security through obscurity and it might actually be the best answer for the problem.

    I think we are looking at an attempt to give the program access to the database that the user does not have via other means.

    The user's credentials are used to retrieve the login information for the account with more access.

    Short of setting up an intermediate server between the user and the database how else would you accomplish this?

  • mexi-fry (unregistered)

    about the "Where you park your car" thing... The Mexi in me wants to swim... the programmer in me is too lazy!

    About the connection string...

    Considering that you already have a connection string to connect... this implies retrieving user credentials (based on what I saw... using some deep... dark... jedi stuff I have never heard of) ... seems like it would be preferable to use the user's actual credentials and avoid such an ugly security hole. Good thing sql doesn't have things like slammer worms that allow other people to connect to your server as and execute queries without authenticating.... oh... wait... it does. NM.

    Captcha: burned ... too many directions to go from there.

  • UFie (unregistered)

    It's obviously intended to be used on a quantum computer.

    You select the information out of the database, and then use that information to connect to the database!

  • dataCowboy (unregistered) in reply to Loren Pechtel
    Loren Pechtel:
    Short of setting up an intermediate server between the user and the database how else would you accomplish this?

    SET ROLE "ROLENAME"

    Captcha: dubya (seriously!) I knew georgie was behind this!

  • (cs) in reply to J.
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.

    In all seriousness, a friend was at a wedding about 200 miles from home, and broke his car key off in a cork, trying to open a wine bottle.

    He called a tow-truck operator who came out and jimmied his door open, then he used the spare he kept in the car to get home. If it wasn't for that spare, he'd have been stranded a long way from home...

  • GrandmasterB (unregistered)

    I was going to say that without context you can't tell if it's a wtf, since they may legitimately be storing connection information to many different servers. For example, a reporting system may need to connect to db servers dispersed across the company.

    BUT, after looking at it, barring any additional info on this query (was there a 'where' clause?), it looks like they're just using the select statement to concatenate a string. Which is wtf worthy. The table is arbitrarily included in the query because some db's won't do a select without one.

  • (cs)

    Or he could not have done something as silly as using his car key to pry out a cork.

  • Darien H (unregistered)

    Hrm. I do some code where we have one database that coordinates managing access to other databases (virtual hosts on the same machine, etc.), in which context pulling db connection strings from a database isn't unusual...

    But as others have pointed out, it's not actually selecting data from a table. In fact, the "From users" part appears entirely superfluous.

    It's just concatenating data that gets put in. Perhaps an artifact of some refactoring?

  • eokyere (unregistered)

    that earlier posts in the thread do not see wtf is w[indeed is]tf

  • (cs) in reply to merreborn
    merreborn:
    J.:
    I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.

    In all seriousness, a friend was at a wedding about 200 miles from home, and broke his car key off in a cork, trying to open a wine bottle.

    He called a tow-truck operator who came out and jimmied his door open, then he used the spare he kept in the car to get home. If it wasn't for that spare, he'd have been stranded a long way from home...

    The smart thing to do is carry your spare key somewhere that it won't get locked in. When I travel, I carry spare car keys in case I lose mine or lock it in the car, but I always keep it in my purse or in my luggage. Sure, there's the possibility I lock my purse in the car, but that's not a guarantee that I'll do that, whereas locking my main key in the car and having my spare in the glove compartment means I'm really SoL.

    (And for the record, the only time I locked myself out of the stupid car wasn't when I was travelling... and I had to get someone to drive me home to get my spare key, leaving my running vehicle at a set of lights at 2 am in the morning. Yeah, that wasn't a lot of fun.)

    -- Seejay

  • levi_h (unregistered)

    I don't think that the selected connection string is ever used, but that this query is used to test whether the database is available or not. At least, I really want to think that.

  • el jaybird (unregistered) in reply to seejay

    seejay:
    and I had to get someone to drive me home to get my spare key, leaving my running vehicle at a set of lights at 2 am in the morning.

    Eh? You stepped outside of your car while at a stoplight at 2am? You got impatient and went to push the little "walk" button or what?

  • (cs) in reply to barfman
    barfman:
    Zolcos:
    You require SELECT privileges for the 'users' table in order to retrieve the connection string

    'driver={SQL Server};user id=SuperCoolGuy;pwd=hunter2;Network=dbms;server=127.0.0.1;database=WTF;'

    Please contact your administrator if you require sufficient privileges to retrieve the above connection string.

    lol, now that is funny.

    Guess I should add the injokes first time before somebody else steals my joke :)

  • James Schend (unregistered)

    We have a database full of connection strings. It's our Admin database that consists of a list of all our clients and their projects. For each project, there's a different database (all copied from a common model DB), and the connection string points to it. It's a handy solution, and I've never thought of it as a WTF. It also allows us to point our tools to DBs on other servers if needed.

    Sure, in theory we could add a few more layers of tables and make one huge table to store all that, but it's easier to keep projects contained in their own DB.

  • Definitely (unregistered) in reply to QueQueg
    QueQueg:
    I figured those <removed> bits were for the sake of the post.

    If not, and its just returning a static string, then that it is definately WTF.

    The Real WTF (TM) is that you can't spell definitely.

Leave a comment on “SELECT [Connection_String] FROM [WTF]”
