- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
I once did a consulting job at a company that had a policy requiring all files to have names consisting solely of a string of random digits. They had a department responsible for assigning these file names/numbers to prevent duplicates. Their reasoning was that if a hacker broke in to their computer system, they wouldn't be able to figure out which files contained information worth stealing because all the names would be meaningless.
Of course, this meant that the programmers had to maintain lists of what the file names were and what they really contained, and if the programmer who created a file quit and you can't find his cheat sheet, you're pretty much out of luck.
To the suggestion that only sensitive files be given these meaningless names, they replied logically enough that any hacker would then know that the files with the meaningless names were the valuable ones. I suggested giving the sensitive files particularly innocuous names, like call the file with your top secret formula "letter.to.mom". That didn't fly. I also suggested that they carry this philosophy to the obvious next step, and require all paper files in the office of the manager who came up with this rule to have random numbers on the tabs. That wasn't well received either.
Admin
That actually sounds like it would be a hell of a lot of fun to implement, but fucking hilarious to maintain and actually use.
Admin
I'm just coming off a contract where we had a db system that was almost as bad as this smoking turd.
The idea was to start with a base class that could perform functions like select, update, etc., and then derive classes for every db table. In order to do this, each table class needed an elaborate array of constants for describing every aspect: fields, primary keys, foreign keys, indices, etc. When you wanted to write a WHERE clause, you had a Where class that needed to be filled using these constants, as well as several others that defined the logic. Combining Where objects in a particular order could create a very complicated WHERE clause, which could then be sent to the table class in question.
Of course, if you wanted to add a join or subquery, or if you needed fields from multiple tables returned by a single select, these things could be done... through commands so complex and questionable (and undocumented) that you might spend half a day developing the statement.
Adding a single field to a single table on this system could require an entire day. Adding a table might take nearly a week. The database itself was little more than a shell, with no referential integrity, no triggers, and no way to trace relationships through an ER Diagram.
The programmer who created this monstrosity (which management still backed as a solid system) was long gone, but had left his mark throughout the code. Aside from the frequent ASSERTs that were commented as "This shouldn't assert, but if it does, call Eric immediately," there was one pragma message buried in an obscure module that defined this guy's attitude: "Eric is God."
Admin
Sometimes I think the problem is that a lot of devs think that implementing something is as quick and easy as how the problem looks when they first think about it in their head. (That's when you can be sure that they've never really challenged themselves yet.) "Oh I'll just add some code here and here and here. No problem." So they want to tackle anything that sounds glitzy, impressive or important because they think everything is equally easy. At least that's what it seems like sometimes.
What's lame about this is that the more experienced people can sound like nay-sayers and/or not as qualified to do the work next to these guys who are convinced that they can do anything better than anyone else. Any shouldn't they believe that they can do anything, that's what TV tells them.
Admin
Having just finished an assignment at an organisation with a large collection of small-scale WTFs, reading this story (and some of the comments) suddenly makes me feel a whole lot better about my work.
Admin
The critical design flaw here is the small address space.
Only four hex digits? That can't possibly be enough.
No, no. They should be using GUIDs.
Admin
Admin
It takes some experience to realize how much more time it can take to actually implement and debug simple, straightforward functionality efficiently and correctly and handle all corner cases.
Admin
Admin
"All your base are belong to us." - classic, immortalized Engrish phrase. "All your credit cards and bank info are belong to us." - would have been a humorous quoting and reworking of the classic. "All you credit cards and bank info are belong us." - a mangling of the classic, due to the quoter's use of Engrish.
Admin
Perhaps they were using a non- SP DB such as MySQL until relatively recently?
Admin
Admin
I'll leave the verb well alone, but I suspect that you mean "querios." (Note for American readers: they're like "cheerios," but a little more chocolaty.)
And now, back to my regularly scheduled dose of morphine.
Really. Why does anybody expect people who claim to "understand databases" to be anything other than worse than useless, outside of a particularly egregious enterprisy environment?
Admin
Then again, I don't remember a dog pissing up against the wall for that. Probably because dogs have a sense of self-preservation. Millions of Scousers would have killed it.
Admin
That would be "#define". It tends to be deprecated amongst us C++ folk. I imagine that your IQ doesn't quite "reach" programming in C or C++, but, let me assure you: we Masters of the Universe would also agree that maintenance of stored procedures is fairly routine; in fact, trivial.
You may well have intended "explain to us," btw. I understand that the entry-level qualifications for this industry are going down by the day.
Admin
I work on a large enterprise(y) software package by a household-name company, and this is exactly how many of our DB tables work... these are people who should know better. The claim is that it supports "customization".
Admin
Wow just wow i'm looking after someones POS that does the exact same thing. Not only is it hard to maintain it's slow slow slow slow. but hey i don't have to recompile any code.....
Admin
I saw a coworker do something similar in Access. Using VB code to open an ADO connection to itself in order to retrieve the queries from the sentences table.
He would then open a connection to Oracle to execute the SQL sentence (an UPDATE query). Updating one record at a time, for each of the 70,000 rows that needed to be updated. Closing the connection right at the end of each iteration.
The statements were in the form of:
The VB code after getting the statement would replace parts of the SQL statement:
mySQL = rst.Fields(1).Value mySQL = Replace(mySQL, "<user_score>", rst2.Fields("user_score").Value) mySLQ = Replace(mySQL, "<user_lname>", rst2.Fields("user_lname").Value) mySQL = Replace(mySQL, "<user_fname>", rst2.Fields("user_lname").Value)... 5 hours later on execution, a crash!
The value in the field "user_fname" had an apostrophe.
It took him 5 more hours to figure it out. Once he did, his solution was to use one more Replace() to eliminate the apostrophes in "user_fname".
Brilliant!!
Admin
To avoid hardcoding the purpose of a variable in its name, I also suggest following the same naming methodology for all your variables: v_XXXX where XXXX is a unique hex number.
Admin
I heard there is no spoon?!
Admin
SQL Sentences? I feel sentenced to death.
Admin
The problem with making your SQL dynamically editable is that people will edit it on the live server directly. The same holds true of any other dynamically compiled language from JavaScript to batch files to bash scripts to ASP pages to any 'soft-coded' system. Then, it can become problematic to bring those changes back into the main code tree. Changes should only ever go forwards, from development to test to production, never the other way. The only possible exception is when doing so will fix a highly urgent, high impact bug that will simply take too long to go through the correct process, but the developer who makes the fix must ensure that it is immediately pushed through the correct process at a higher priority than any other work he's doing.
Stored procedures are great for when you need to employ a security boundary. I have a no-touch system where the user account normally used by the server software to connect to the database has no rights to even SELECT from tables - it can only use the stored procedures. That should cut off SQL injection/information disclosure/repudiation attacks at the knees. (This is SQL Server - the user account in the database is only a member of the public role and I've granted the public role only EXEC permissions on the required stored procs.) Stored procedures also enforce parameterization.
However, you can go too far. Stored procs work best when the shape of the query is fixed. I've seen people try to make a stored procedure change its shape in response to optional parameters, to avoid having to have multiple queries or IF statements within the procedure. This typically looks like:
This idea confuses SQL Server 2000's query optimizer completely and it will often build a plan which tries to use an index on col2 when @col2 was NULL, and vice versa. SQL Server 2005 does build a good initial plan but will cache and reuse the result; if the first query uses @col1 but not @col2, but a subsequent query uses @col2 but not @col1, the query processor will still try to use the first plan which used an index on col1, which is useless for these arguments.
If you need to do this, you should generate dynamic SQL strings and submit them to the database as text. However, you should always generate dynamic parameterized SQL. All the major RDBMS support parameterized queries where parameter markers can be replaced with actual parameter values, with a twist: the actual values do not need to be encoded to fit the SQL syntax. You can, like stored procedure parameters, pass native data types. The risk of SQL injection would suggest that you should never use an unparameterized query for any case where user data is supplied to the query.
SQL Server still caches the query plans for dynamic parameterized queries. It also caches plans for non-parameterized queries, but has a feature called 'auto-parameterization' where it tries to deduce what's a replaceable parameter. It weights the query plans in its cache so that in general, stored procedure plans will outlast parameterized queries, which are superior to auto-parameterized plans, which in turn outweigh non-parameterized plans. That's the only real difference among these features.
I personally don't like SQL text to be included in other programming language code, because it can't be validated in there. I generally prefer stored procedures.
Admin
Really? How did you deal with the requirement for an infinite tape? I bet you used some lame approximation of infinity there...
PS. black characters on a very dark purple background for the captcha? Yes, I can almost make that out...
Admin
Hey, Hibernate criteria queries!
On the subject, this whole story reminds me of my experience with almost every Java framework I've worked with, especially the high-profile ones. There are so many layers of abstraction piled on top of one another that the thing becomes slow as molasses, bloated like hell, and it becomes a hell of a job to find out where some part of the behavior really comes from. And in the end your code is still tied to that framework, so all the abstractions have bought you exactly nothing.
Admin
So they invented their own very of Hibernate, except ten times less comprehensible and one million times slower. Brillant
Admin
In a statically compiled language I see nothing bad and plenty of good about using constants for table and column names. Especially if you build a tool to extract them from the DB schema and generate your header file (or equivalent in whatever language).
It's a lot quicker to find out that you misspelled a table name from the compiler, than having to compile and run the code before you get feedback. Table and column names are less than intuitive in many databases.
The basic idea here is good, but it sounds like it was executed really badly.
Admin
Sentences?! Sentences are sooo simple. I want to read SQL essays, poems and drama!
http://en.wikipedia.org/wiki/Abbas_I_of_Safavid
Admin
The beauty of this approach is that there is no way for SQL server to ever optimize any query. Complex and slow too! Double head slap!
Admin
If you have to employ cowboy coders who would edit stuff on the production server if given the chance, don't give them that chance (i.e. the logins for the production server).
Admin
It's still not enterprisey enough. They need to add, umm, flips to random page of nearby database book off-site replication via a data warehouse.
I was going to say 'denormalization', but I don't think it was very normal to begin with.
Admin
In Access95-days, I learned my first DB skills from a guy who was too lazy to write out every query time and again he needed it. So he stored the most useful queries (not every) in text form into a separate table and keyed them with a short, but meaningful name. At least this guy did this to ease life on himself (It actually saved him time) and there was no redundancy involved... I still owe him for willing to teach me.
Admin
In a lot of larger organizations you need to engage a DBA through some insane bureaucratic process in order to write, test, debug, implement, or change a stored proc. It's just easier and cheaper to build the SQL inside the application. It may not be the right thing to do in terms of security or performance, but in some organizations it's really not practical to do otherwise.
Admin
Because hierarchies and over specialization kill meritocracies where this would have been rooted out.
Admin
nd you comment is ?
Admin
This reminds me of an interview I had with a law firm. After pretty much every technical answer I gave they asked, "Yeah, but how fast does the code run?"
I finally had my fill and replied, "While it is important that code runs quickly, I've found that it's more important that code be maintainable than fast." And everyone at the table laughed at me. And this was after the lead programmer said he had trouble instantiating objects in .NET 2.0.
Since I had just been in a situation where I worked 60+ hours a week to maintain super-dee-duper-fast code that had at least one major problem daily, I opted out of that position when they offered it to me.
Sharing is caring.
Admin
I've done something similar, but with different low-level details:
Of course, there were sensible names and no hard-coded SQL and none of the in other weirdness shown here that system.
It was all in a college project a long time ago. Of course, these days, I have more and better options.