Admin
Meh! He should have earned peer respect by revealing this function.
Admin
Just return 'false' would have done it I suppose.
Maybe then whatever compiler would be used would optimize this function out.
Also, those names look to be not allowed as column names or to-be-searched-for data either. Could cause heaps of troubles down the road ...
Admin
"Wolfram and Hart"? "Joss"?
I see what you did there.
Admin
I hope he also added a snarky comment above the function.
Admin
Fixed it for you.
Admin
Not unless someone actually writes an invalid query. The real WTF is validating queries yourself. The database does that just fine on its own, and even tells you what was wrong with it (most of the time).
Admin
EXECUTE IMMEDIATE foo USING OUT bar; -- Hey, validator, pretend this is a SELECT statement!
Admin
The simple solution would appear to be to name all of your SPs things like insert_foo or update_bar.
Admin
Jep ... not a lot of checking if you could fool it with a comment after a semicolon. Just return True and comment the rest. The job is done as good as before for injections and you don't have the restraint for your SQL statements other than SQL itself.
For parsing SQL for SQL injection you have to work a little harder.
Admin
SELECT that developer AND EXECUTE him!
Admin
or maybe craft your statements like: "SELECT 1; EXEC SP_foo bar1, bar2, bar3;"
Admin
Did you just mix Buffy with Lord of the Rings? You, sir, disgust me.
Admin
Angel, not Buffy......
Admin
If I recall correctly, the universe in which both shows reside is known as the Buffyverse. Presumably on the basis that that was the popular show that people liked, and Angel was the also-ran spin-off that people mostly ignored.
Either way, mixing it with LOTR makes you a bad, bad person.
Admin
This. We need to throw somebody in Mount Doom for this egregious offense to geekdom. Hell, it's an offense to God Himself.
Somebody get me a pot and melt down some gold. We're giving this guy a golden crown to "reward" him for this "greatness".
Admin
I would think it would be preferable to remove the function and references to the function call.
Admin
return int(rand(true/false))
Admin
This is the type of situation where my team uses the George Bush Mission Accomplished guideline to 'finished.' GBMA is considered a viable (and in some ways preferable) alternative to Definition of Done when stumbling over this kind of ugliness.
Admin
This reminds me of an email validation routine we used to have at work that verified the address had both an "@" and a ".". It allowed such things as "foo@bar.", "foo.bar@", "foo@[email protected]", or just ".@". It also failed to strip even non-printable characters. I re-wrote the routine myself. Unfortunately, the platform was truly ancient and did not support regular expressions.
Admin
The shame's on you. You do know that there were LOTR books before the movie, right? Just like a typical movie bandwagon-hopped. Peter Jackson directed the movies, but Joss Whedon wrote the original books.
Admin
It seems to be missing a line somewhere...
Ah, much better.
Admin
INSERT INTO THE_VICE_PRESIDENTS_SICK_DAUGHTER
Admin
Captcha: nobis, as in "pubis pro nobis". Her pubis, I mean. For us. For the world.
Admin
Seeing as he recognized the total uselessness of the validator function, why did he add the execute keyword at all?
Why not comment out the code and replace it with
return true;
Admin
The Usenet was only mentioned in the Silmarillion. I don't consider canon any of the postmortem work written by Brandon Sanderson.
I'm not saying it's bad fiction, but it's disrespectful. Tolkien's will clearly stated that he wanted all his unpublished work cremated with his body, and scattered from the International Space Station-- a fitting end for the Starfleet Engineer he portrayed in TV and film.
Admin
There is simply no excuse for not using prepared statements. No excuse. And this code demonstrates that they do not use them.
Admin
And "SELECT * FROM update WHERE stmnt LIKE '%insert%';" should also be fine.
Admin
No that's no good. That means you will be able to try it again with the same command and in due course you'll get the "true".
Here's a way to really spoil a developer's day.
What you want to do is set up a map whose key is the command, and whose value is True or False. The first time you call the SQL function, it checks to see if it is in this map. If it is, then it returns True or False accordingly. If not, it randomly assigns either True or False and puts it in the map.
The upshot is that every SQL command will consistently either pass this stage of validation or not. Which one it will be when you write your SQL command is undetermined.
Admin
Disgraceful. You'll have Commander Vimes on your tail at this rate.
What do you mean you ain't got no tail? You're a code monkey, aren't you?
Admin
SELECT one_ring FROM star_trek WHERE jedi_mind_meld = true AND DATE(blue_girls)
Admin
Oh man, that is just so Evil... :-)
You just need to bury it sufficiently deep that casual debugging does not find it...
Yazeran
Plan: To go to Mars one day with a hammer
Admin
I just want to add that I loved the sketchy references to everything and what not. Keep it up :-) Made my day!
Admin
You all just broke my brain.
Now I have no idea what characters did who, where, or why in anything I've ever read, seen or heard.
Or indeed, what order it happened.
:o(
Admin
Once the mainframes ruled Middle-earth. But deep in the forests of Mirkwood something was stirring. At first, it looked innocent and helpful. A PC, a "personal computer". Then a young wiz kid came along and forged one ring to bind them all and ruled for aeons, erm, decades. But the ring was lost. Nothing happened for a while. Then a young hobbit named Steve discovered it, picked it up and used it occasionally but to no great harm. Nevertheless it attracted the attention of the great wizard Obi Wan, who understood only too well the power of that ring. On Obi Wan's request, Steve passed the ring on to the young Tim who set out on an epic journey to destroy it. After a while, Obi Wan and Tim were joined by the elf Han, the dwarf (erm, vertically challenged person) Gimli and the doctor "Bones"...
There, did that help?
Admin
FTFY: return int(rand(true/false))
I like: return mod(sum(lower(ascii values of statement)),2)?true:false
This way the same statement will result in the same truthiness.
Admin
Prepared statements have a fixed number of placeholders, so if you want to INSERT the values cached over like 5 minutes, you would have to use some kind of workaround.
Also there is a server limit for the number of prepared statements allowed, which can be surpassed depending on the number of statements per connection and the number of connections you need.
But for 99% of the cases I agree with you.
But wasn't this about stored procedures rather than prepared statements?
In our company we don't use stored procedures either because that would lead to code being stored in the database rather than in svn, which opens up a lot more possibilities for version conflicts.
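To make the point of the two comments above about prepared statements concrete, here is an added example (not code from the original article or from any commenter) contrasting a string-concatenated query with a parameterised one in Python's sqlite3. The table, rows and names are constructed for this example; the lookup is done both ways on a legitimate value containing a quote, which is enough to break the concatenated statement while the parameterised one treats it as plain data.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
SAMPLE_USERS = [
    ("frodo", "frodo@example.test"),
    ("o'brien", "obrien@example.test"),   # a legitimate value containing a quote
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # Even the seeding uses placeholders: the values never touch the SQL text.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """String-concatenated query: the caller's input becomes part of the SQL text.

    Any quote in `name` changes the statement itself, which is exactly the
    situation a keyword 'validator' like the one in the article cannot catch.
    Returns the list of matching emails, or an 'error: ...' string.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def lookup_prepared(conn, name):
    """Prepared (parameterised) query: the SQL text is fixed by the developer.

    `name` is bound as data, so quotes, semicolons and keywords inside it are
    inert; there is no runtime statement text left to 'validate'.
    """
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "o'brien"))    # the quote broke the statement
    print(lookup_prepared(db, "o'brien"))  # the quote is just part of the value
```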