Admin
That's simply 'Brillant'!
Admin
Not sure that this is completely WTF. I can imagine a scenario where this wouldn't be horrible, involving a 3-tier architecture where a low-access security user validates the credentials of the logging-in user, and then returns a custom connection string (that will hopefully be encrypted before transmission).
Although I guess if the logging-in user were getting their own custom connection string, it wouldn't be 3-tier anymore, because they'd be connecting directly to the database, circumventing the middle tier.
Admin
I keep a spare set of keys in my car??? What's wrong with that? They are safe in there.
Admin
...maybe this information is kept in a different database???
Admin
Except that they're not selecting from a column. They're just building a string in the select statement that's static.
Admin
I figured those <removed> bits were for the sake of the post.
If not, and it's just returning a static string, then it is definately WTF.
Admin
No WTF - er, I mean, not the same WTF if it's poor access control! I can imagine it now...
ERROR
You require SELECT privileges for the 'users' table in order to retrieve the connection string
'driver={SQL Server};user id=<removed>;pwd=<removed>;Network=dbms;server=127.0.0.1;database=<removed>;'
Please contact your administrator if you require sufficient privileges to retrieve the above connection string.
Admin
it can make sense with distributed databases
Admin
The real WTF is the people who submit comments that try to justify a query like that.
Admin
So it returns one copy of the connectionstring for each row in the Users table. If they're just testing for access rights, perhaps "select top 1" (T-SQL) or " where rownum = 1" (Oracle)?
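The row-multiplication point made in this post, with the one-row and FROM-less alternatives side by side, as an added T-SQL illustration. This is not code from the original post: the users table, its rows, the shortened connection string (no credentials in it) and the user_databases table are all constructed for the example.

```sql
-- Added illustration, not the original post's code. Table, rows and the
-- connection-string text are constructed; the string carries no credentials.
CREATE TABLE users (id INT PRIMARY KEY, name NVARCHAR(50));
INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');

-- Shape of the query under discussion: a constant expression with FROM users
-- and no WHERE. The result has one identical row per row in users (3 here,
-- 20,000 on a 20,000-user table), and any login that can run it can read the
-- whole string, credentials included if they are embedded in it.
SELECT 'driver={SQL Server};server=127.0.0.1;database=WTF;' AS conn_string
FROM users;

-- If the intent is only to check that the connection works, one row will do:
SELECT TOP 1 'driver={SQL Server};server=127.0.0.1;database=WTF;' AS conn_string
FROM users;                                   -- T-SQL; Oracle: WHERE ROWNUM = 1

-- Better still, leave the table out. SQL Server, PostgreSQL and SQLite accept a
-- SELECT with no FROM; Oracle needs FROM DUAL. A probe like this also stops
-- depending on SELECT rights on the users table.
SELECT 1 AS alive;

-- If connection details really are per-user data, keep them in a column and key
-- the lookup, so the statement returns exactly the row that was asked for. Store
-- the server and database name only; the password belongs in the application's
-- secret store or in integrated authentication, never in a table that ordinary
-- users can read.
CREATE TABLE user_databases (
    user_id       INT PRIMARY KEY REFERENCES users (id),
    server        NVARCHAR(100) NOT NULL,
    database_name NVARCHAR(100) NOT NULL
);
INSERT INTO user_databases (user_id, server, database_name)
VALUES (1, 'db-alpha.internal', 'ProjectA'), (2, 'db-beta.internal', 'ProjectB');

SELECT d.server, d.database_name
FROM user_databases AS d
JOIN users AS u ON u.id = d.user_id
WHERE u.name = 'alice';                       -- exactly one row, or none
```

The first statement is the thread's complaint in miniature: the result set scales with the table, not with the question being asked. The last one is what a legitimate "connection strings in a table" design looks like, and it still returns no secret to the caller.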
Admin
Directions to J's car:
Drive to New York City. Swim east 3400 miles. Nearest parking lot, nearest car, plate 456-123.
Admin
(Clicking stopwatch...)
Admin
That's what scares me. Every time a WTF is posted, there are WAY too many people trying to justify it.
It's like the old joke says:
1 out of every 3 people is crazy. Look to your right, then look to your left. If those people are sane...
Admin
In theory if you're connecting to a second database it does make SOME sense. However sending the username and password to the database only to have it sent back is pretty damn stupid.
Admin
<< So it returns one copy of the connectionstring for each row in the Users table. If they're just testing for access rights, perhaps "select top 1" (T-SQL) or " where rownum = 1" (Oracle)? >>
Or just omit the FROM clause entirely... Duh!
Admin
Many people just try to differentiate between bad code and WTF.
Bad code isn't necessarily WTF.
Admin
Well, a connection string might be viewed as data. And for data we have databases. So we have to fetch the connection string from the database even if we use the database only for concatenating the string ;-)
captcha: sanitarium = really matches
Admin
I can say I've done this. The reason being that I've got an application where there are two different databases. No non-development user has a reason to access the other database except in a read-only mode (handled through a common login). The database connection is established based on which one the user is authorized to work in, after checking permissions and retrieving the connection string in a general database. It's a hack, but given that I don't have full control over how the client application login function works, I can't just allow them to select what database to connect to.
Admin
And was that really in the original? 127.0.0.1? localhost? This in fact would be ... extremely production ready.
Admin
I'm sure if we knew more about the actual reason why they were querying a table, perhaps we'd truly know the WTF. Obviously, select 'some connection info' would have sufficed if they honestly were idiots and really wanted a hard-coded string. Otherwise, why the custom connection info to be pulled from a users table? (Looks like someone had intentions for the table and never followed through, perhaps.) I honestly wish there was more of a background story on that. Then we'd know for sure if it is a WTF.
If the only WTF is the hard-coded SQL string, come on... no one is that stupid. If the WTF is pulling connection info out of the users table, I need more background info on what in hell's name these people were trying to accomplish.
select wtf from worsethanfailure where rest_of_story is not null.
Admin
And useful if you have AAA and lock the other set in your house by accident.
Admin
You require SELECT privileges for the 'users' table in order to retrieve the connection string
'driver={SQL Server};user id=SuperCoolGuy;pwd=hunter2;Network=dbms;server=127.0.0.1;database=WTF;'
Please contact your administrator if you require sufficient privileges to retrieve the above connection string.
Admin
But this is really, really bad code. People trying to justify it missed something... there may be valid scenarios for retrieving one conn string from another database, etc., but this...
You take what could be a simple assignment of a static string (little or no potential for error), and wrap it in a layer that could fail for a number of reasons and adds several lines of code (creating the SQL, executing the SQL, and finally assigning it/using it.)
It's like saying: "On this paper I have an important piece of information. I'm putting it in an envelope. In order to read it, I will mail it to myself then open the letter when it arrives."
Admin
Cinco Vilas, Portugal - I'm on my way. Damn, this water is cold!
Admin
Is it just me, or did like everyone just totally MISS the WTF? It is not a WTF to have connection strings in a database. You have a master server and child servers. You can bring up and bring down child servers without having to write any sort of UI for it.
The WTF is it seems that they are trying to identify users by using full connection strings.
So.. I guess this WTF posting is kind of a WTF in itself...
Admin
Bad example. That sort of thing is common in mystery novels. "It will be sitting in my post office box. Now, if you kill me, the authorities will discover it and know what I know and your nefarious plans will be uncovered. You're foiled! Foiled I say!"
That does beat the climactic scenario of gathering the suspects together and the protagonist reaching out of the open window and grabbing a completely new character who is then revealed to be the true villain. Based of course on information in a safety deposit box that was never mentioned previously in the text. I never read another one of that series of books after that.
Admin
lol, now that is funny.
Admin
There must be a reason for this code. Maybe the code selects connection information for another, user-specific, database?
I've worked with an application that needed to select the name of the DBMS from a configuration table in the database. The reason was that the database access functions were so heavily abstracted that there was no way for the application to know which database it was connecting to (the info was stored in a config file somewhere that the application itself could not read).
Admin
Thanks Jake, you just reminded me where I left my car keys.
Admin
It's KINDA like keeping your spare keys in your car. Yes, you already have to have the keys to get to your spare key. However, since he doesn't select from dual or do some type of "select top 1" or "where rownum <=1", it's more analogous to keeping one set of spare keys in your car PER BOLT IN THE CAR (20000 bolts in the car == 20000 spare keys!). Truly BRILLIANT.
Admin
My last employer (before my current one) did the same thing. It was in code at the very least, but when I mentioned the insecurity they stared at me blankly. That's not a WTF yet.
They then also sent these applications out of house sometimes. This was a major clearing house that handled a couple million dollars of transactions a day at least.
The account that was used was for the MAIN (and only) Database, and it was the administration account and it was only backed up once a day at the end of the day.
Admin
PEB-KAC.
-- Seejay
Admin
I think I understand what's really going on here--we are looking at a case of security through obscurity and it might actually be the best answer for the problem.
I think we are looking at an attempt to give the program access to the database that the user does not have via other means.
The user's credentials are used to retrieve the login information for the account with more access.
Short of setting up an intermediate server between the user and the database how else would you accomplish this?
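The arrangement this post describes, where a user's own credentials unlock a stored login with more access, means that everyone who can SELECT from that table effectively becomes the privileged account, and the password travels to every client. The "intermediate server" can live inside the database instead: grant the operation, not the credential. The following T-SQL is an added illustration, not code from the original post; the tables, the procedure name dbo.get_my_data, the role app_user and the sample rows are all constructed. Oracle and PostgreSQL give the same separation through a non-default role activated with SET ROLE, or a SECURITY DEFINER function.

```sql
-- Added illustration, not the original post's code. Schema, names and the
-- sample rows are constructed.

-- Anti-pattern: the privileged connection string sits in a table that
-- ordinary logins can read. SELECT on users_bad is the same as owning dbo_admin.
CREATE TABLE users_bad (
    id         INT PRIMARY KEY,
    name       SYSNAME,
    admin_conn NVARCHAR(400)
);
INSERT INTO users_bad (id, name, admin_conn)
VALUES (1, 'alice',
        'driver={SQL Server};user id=dbo_admin;pwd=<removed>;server=127.0.0.1;database=WTF;');

-- Least-privilege alternative: no credential is handed out at all.
CREATE TABLE users (id INT PRIMARY KEY, name SYSNAME);
CREATE TABLE sensitive_data (
    id       INT PRIMARY KEY,
    owner_id INT REFERENCES users (id),
    payload  NVARCHAR(200)
);
INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob');
INSERT INTO sensitive_data (id, owner_id, payload)
VALUES (10, 1, 'alice only'), (11, 2, 'bob only');
GO

-- The procedure runs with its owner's rights (dbo here), so it can read
-- sensitive_data even though the caller cannot. Ownership chaining would
-- already cover a dbo-owned chain; EXECUTE AS OWNER makes the intent explicit
-- and also covers dynamic SQL, which breaks the chain. ORIGINAL_LOGIN() still
-- reports who really called, so the row filter is not fooled by EXECUTE AS.
CREATE PROCEDURE dbo.get_my_data
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    SELECT s.payload
    FROM dbo.sensitive_data AS s
    JOIN dbo.users AS u ON u.id = s.owner_id
    WHERE u.name = ORIGINAL_LOGIN();
END;
GO

-- Application logins get EXECUTE on the procedure and explicitly nothing else.
CREATE ROLE app_user;
GRANT EXECUTE ON dbo.get_my_data TO app_user;
DENY SELECT ON dbo.sensitive_data TO app_user;
DENY SELECT ON dbo.users_bad      TO app_user;
-- ALTER ROLE app_user ADD MEMBER alice;   -- per login, once the database user exists
```

The difference from the table-of-passwords approach is what a compromised client can do: with the procedure, it can run get_my_data as itself and nothing more; with the stored connection string, it holds dbo_admin for good, including against every other user's data.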
Admin
about the "Where you park your car" thing... The Mexi in me wants to swim... the programmer in me is too lazy!
About the connection string...
Considering that you already have a connection string to connect... this implies retrieving user credentials (based on what I saw... using some deep... dark... Jedi stuff I have never heard of)... seems like it would be preferable to use the user's actual credentials and avoid such an ugly security hole. Good thing SQL doesn't have things like Slammer worms that allow other people to connect to your server and execute queries without authenticating.... oh... wait... it does. NM.
Captcha: burned ... too many directions to go from there.
Admin
It's obviously intended to be used on a quantum computer.
You select the information out of the database, and then use that information to connect to the database!
Admin
SET ROLE "ROLENAME"
Captcha: dubya (seriously!) I knew georgie was behind this!
Admin
In all seriousness, a friend was at a wedding about 200 miles from home, and broke his car key off in a cork, trying to open a wine bottle.
He called a tow-truck operator who came out and jimmied his door open, then he used the spare he kept in the car to get home. If it wasn't for that spare, he'd have been stranded a long way from home...
Admin
I was going to say that without context you can't tell if it's a WTF, since they may legitimately be storing connection information to many different servers. For example, a reporting system may need to connect to DB servers dispersed across the company.
BUT, after looking at it, barring any additional info on this query (was there a 'where' clause?), it looks like they're just using the select statement to concatenate a string. Which is WTF worthy. The table is arbitrarily included in the query because some DBs won't do a select without one.
Admin
Or he could not have done something as silly as using his car key to pry out a cork.
Admin
Hrm. I do some code where we have one database that coordinates managing access to other databases (virtual hosts on the same machine, etc.), in which context pulling db connection strings from a database isn't unusual...
But as others have pointed out, it's not actually selecting data from a table. In fact, the "From users" part appears entirely superfluous.
It's just concatenating data that gets put in. Perhaps an artifact of some refactoring?
Admin
that earlier posts in the thread do not see wtf is w[indeed is]tf
Admin
The smart thing to do is carry your spare key somewhere that it won't get locked in. When I travel, I carry spare car keys in case I lose mine or lock it in the car, but I always keep it in my purse or in my luggage. Sure, there's the possibility I lock my purse in the car, but that's not a guarantee that I'll do that, whereas locking my main key in the car and having my spare in the glove compartment means I'm really SoL.
(And for the record, the only time I locked myself out of the stupid car wasn't when I was travelling... and I had to get someone to drive me home to get my spare key, leaving my running vehicle at a set of lights at 2 am in the morning. Yeah, that wasn't a lot of fun.)
-- Seejay
Admin
I don't think that the selected connection string is ever used, but that this query is used to test whether the database is available or not. At least, I really want to think that.
Admin
[quote user="seejay"]and I had to get someone to drive me home to get my spare key, leaving my running vehicle at a set of lights at 2 am in the morning.[/quote]
Eh? You stepped outside of your car while at a stoplight at 2am? You got impatient and went to push the little "walk" button or what?
Admin
Guess I should add the injokes first time before somebody else steals my joke :)
Admin
We have a database full of connection strings. It's our Admin database that consists of a list of all our clients and their projects. For each project, there's a different database (all copied from a common model DB), and the connection string points to it. It's a handy solution, and I've never thought of it as a WTF. It also allows us to point our tools to DBs on other servers if needed.
Sure, in theory we could add a few more layers of tables and make one huge table to store all that, but it's easier to keep projects contained in their own DB.
Admin
The Real WTF (TM) is that you can't spell definitely.