Admin
the WTF is how many people can't see the problem, even with the title
Admin
I don't see the problem either. It's just an extension of Spring style dependency injection all the way to the database.
Admin
No profit at all, since you were only working thirty-six days a year. Sweet deal, wish I had been in on it.
ok
dpm
Admin
Now I'm marrying Jane from Susanville / Or am I suing Jane from Marysville? / Well if I am better call Ernie my attorney from Burney Falls ...
Sorry, today is random association day at work ...
Admin
Holy shit, it's a disease. You actually sign your posts not once, but twice! Fucking brilliant.
Admin
How about using MSSQL FOR XML, then the users don't have to write SQL or XML. All query parts could be stored in the database, then the UI can present some controls, the user makes selections, clicks a button, XML is generated, and the XML file is stored on the network. Periodically the Entity Manager will search for new files and then run the queries and send the results to the user.
You now have a DataWarehouse with a user interface. Launch it company wide as the new Data Consolidation Solution and give yourself credit for resolving the company's data consolidation issues.
Admin
I'm sure you meant Brillant.
Paula,
Paula.
Admin
Admin
You mean JaVBaScript?
Admin
Why, I do that every day - throwing up simple, dirty solutions (because our customers can't afford properly written software), but I never have to compromise on security. I don't see why anyone should.
Oh wait, people who abuse XML are the same who don't get XML. Something like <query proc="bills"><date><interval from="{SOMETHING}" to="{SOMETHING}"/></date></query> is beyond their comprehension, I guess.
I never needed to use XML. Perhaps because I *do* get it.
Cheers,
Felix
Admin
Sounds like a smelly 2 weeks
Admin
I think the biggest wtf here is that people miss the actual point and take their chance to complain about xml. According to my experience hating xml is usually strongly connected with ignorance, but hey! You can invent another text-format for every project you build and make a parser for it, for all I care. Ok, passing parameters as xml is quite dumb, but parsing the return value using xpath will be sweet!
Admin
Even if you throw up something simple and dirty, you should at least keep the interfaces clean enough so you have a chance to make the Right Thing later.
Admin
Wait, wouldn't it be just awesome if the program did a check on that field to see whether it was an exact date or a date range, and then fix the SQL query on its own?
But fancy code like that tends to be brittle. Much better to go with a simple, robust system. :D
Admin
Sage CRM MME, a popular CRM system for medium-sized businesses, has a SOAP interface. It has two functions for fetching data. The first is innocent enough: you supply an entity type as a string ("company", for example) and then the numeric ID which is the primary key for that company in the database.
There is a second function which takes two parameters: (entityType, query). The documentation on the SOAP interface doesn't explain what goes in the "query", but it does say that it's a string. It turns out that this field contains some SQL which gets inserted verbatim after the "WHERE" keyword in the SQL query.
I had the "pleasure" of having to use this SOAP interface to integrate some stuff into our intranet for remote workers to access. Each time I used that second function I considered just throwing it all away and connecting to the database directly, since it's functionally equivalent, right?
Admin
The best WTF here is everybody explaining it a thousand times to demonstrate "they know".
Admin
DiamondDave asked. It's only natural that people answer to that before they read the whole thread. At least it's better to give serious answers than answering with "Isn't that obvious?" or something similar.
Admin
_Know it_? The original is in my basement!
Admin
Rather looks like queries to the Siebel 2000 CRM system to me.
Admin
Rather looks like queries to the Siebel 2000 CRM system to me.
-----------------------------------------------------
You're just jealous 'cause the voices only talk to me!
Admin
Scary. At £1000/developer/day they could put some more effort into it. What's so complicated with extending the format so that it directly supports 'between' comparison?
I really hope SQL is renamed to XQL some day, gets lots of hype and the people finally learn how to do the right thing with it...
Admin
who says no one thought of it before?
Admin
That's normal. You're rented out at a thousand a day, and you get $36k a year. But you cost the company something like 3 times that (taxes, social security premiums, your lease car, laptop, other benefits that aren't on your paycheck).
That's 100K a year give or take.
Then there's the people the company doesn't rent out, maybe a third of the workforce. If they make on average the same again you're now costing $150K a year.
You now cost the company $150K a year to make a thousand a day for 170 days a year (assuming you're on site 50 weeks a year, 5 days a week, so minimal sickleave and vacation time).
Suddenly the profit they make on you is $20K out of $150K, 2/15. That's about 13%, not bad but certainly not massive especially since it assumes 100% availability of you as an income generating asset (which is unrealistic).
Admin
In Spain there are no pesatas, there are €, and before there were pesetas. 2500 pesetas are ~ 20$
Admin
I think a normal employee costs rather twice than three times his income. USD 72k per year for taxes, social security, lease cars and laptops? Even if taxes and social security amounted to 36k (which I doubt), the remaining 36k would easily buy you a new car every year and a new laptop every other month (and you could always throw away the old one).
On the other hand, the ratio between employees whose work can be sold for 1k/day and the other employees is often much worse than 2:1, rather 1:1 or even 1:2. Think of all the salespeople, the secretary, the managers, the cleaning women. The consultants in training or waiting for an assignment.
Admin
Was that pseudo typo intended?
(Yep, first post, trying to quote...)
Admin
Why does this remind me of:
name: admin password: ' OR '1'='1
Admin
"Brillant" is an insider joke in this forum. Look for the "the brillant paula bean" wtf.
Admin
Thus the question if 'Brilliant!' was a (pseudo) typo :)
Admin
Screw the code, was Mike Barker the one who sold this project to management as in the quote "That, and the bargain-basement rate of £1000/developer/day, made the Entity Manager-based CRM system an install sell to management"? If not, then who was the idiot who let this project even go for a year without noticing that this was simply a glorified SQL generation tool even if you're the one who has to provide the correct SQL? Did this company even realize about the dangers of injection or did the Entity Manager take care of sql injection on its end?
I could imagine quite a few people getting fired over allowing that disaster to even make it past the planning stages.
Admin
Isn't the database responsible for the security? A good setup of the DBMS should prevent the frontend attempting any malicious actions, but I'm no expert on this topic. Perhaps someone could enlighten me?
--
I hear voices in my head. And they don't like you!
Admin
It wouldn't surprise me if they were running the application with sa privileges either.
Admin
It's not necessarily XML that's WTF, but their misuse of it. Based on the description, they could have easily used:
They could have saved a lot of code and runtime by using a trivial custom parser instead of using a full blown XML parser. That's WTF #1. The way this query is processed is the main deficiency-- by simply dropping the value string into an SQL query. They then tried to cram a range query into this simple model when they ought to have extended the query syntax for ranges. WTF #2. In fact, this is an advantage of XML that they specifically did not use! The X is for Extensible. They could have very very easily eXtended their XML query format to include a way to specifically include a range of values. But they didn't. The big WTF, and #3.
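An added example, not part of the original thread and not the vendor's code: a sketch of the extended query format several comments above ask for, with an `<interval>` element for ranges and every value passed as a bound parameter. The element and attribute names, the `contacts` table and the sample rows are assumptions made for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Assumed schema for the example; only these columns may be named in a query.
ALLOWED_COLUMNS = {"CompanyName", "ContactDate"}

def compile_query(xml_text):
    """Compile a <query> document into (sql, params). Values are bound, never spliced."""
    clauses, params = [], []
    for cond in ET.fromstring(xml_text):
        column = cond.get("field")
        if column not in ALLOWED_COLUMNS:      # identifiers cannot be bound, so allow-list them
            raise ValueError(f"unknown field: {column!r}")
        if cond.tag == "equals":
            clauses.append(f"{column} = ?")
            params.append(cond.get("value"))
        elif cond.tag == "interval":           # the range extension the format lacked
            clauses.append(f"{column} BETWEEN ? AND ?")
            params += [cond.get("from"), cond.get("to")]
        else:
            raise ValueError(f"unknown condition: {cond.tag!r}")
    where = " AND ".join(clauses) or "1=1"
    return f"SELECT CompanyName FROM contacts WHERE {where} ORDER BY CompanyName", params

def run(conn, xml_text):
    """Execute a compiled query and return the matching company names."""
    sql, params = compile_query(xml_text)
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (CompanyName TEXT, ContactDate TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", [
        ("Acme", "2003-04-01"), ("Initech", "2003-04-15"), ("Globex", "2003-05-02")])
    return conn

RANGE = '<query><interval field="ContactDate" from="2003-04-01" to="2003-04-30"/></query>'
# A value modelled on the one quoted in the thread; bound as data it matches no date.
SMUGGLED = ('<query><equals field="ContactDate" value="2003-04-01\' OR ContactDate '
            'BETWEEN \'2003-04-01\' AND \'2003-04-30"/></query>')

if __name__ == "__main__":
    db = demo_db()
    print(run(db, RANGE))
    print(run(db, SMUGGLED))
```

The range query returns the two April rows, while the quoted-SQL value is compared as a literal string and returns nothing.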
Admin
Yes and no.
It's kind of like if you set up a service listening to the unfirewalled internet that will download and run executables on demand. Sure the permissions system on the host should prevent any damage, but you should still be thrown against the wall and shot.
Admin
I wonder if the code Mike is looking at is the middle layer. The 'consultant' developed the front end that would prompt users to choose fields and their data, thereby releasing them of any required knowledge of xml, sql or abracadabra. Mike was developing an interface for 'his' system so he would need to side step the front end. So for him to develop code that would do sql injections would be to break his own code. I highly doubt that the end user is presented with the requirement to enter a 'sql' like query into a front end program, if so this company got rooked.
Admin
That's a lot of overhead, but I'll let it slide for the sake of argument.
Ditto.
50 * 5 = 250
250 - 5 sickdays - 15 vacationdays = 230
Where did your extra 60 days go? Is ptomblin's health that bad?
ok
dpm
Admin
XML-INI!! Now we can embed XML with one of the formats it was supposed to replace! Quick, someone tell the PHBs!
Admin
Frankly, if you are expensing soap and shampoo you are just taking advantage. No wonder all those companies in the 90s went out of business!
Admin
YEAH MAN! I love it! Straight up sql inject yourself. Hey man. if all else fails.. HACK IT
Admin
Lease car??? THAT is the real WTF. What kind of company gives those perks anymore? (Or ever did...)
Admin
The funniest thing is that the proposed solution isn't even working correctly if ContactDate stores time information together with the date part. The correct way would be
Value="2003-04-01' OR ContactDate BETWEEN '2003-04-01' AND DateAdd(day, 1, '2003-04-30')"
Admin
Your chunk of Canada must have the worst IT industry in North America, or else you were just too young to pick up and take off. You should have cut a deal with the client to halve his hours, if he'd give you 30-40% of the savings, and use the pickings to walk away and find something better or start your own thing. :p
Admin
(picks jaw off the floor)
This leads to an interesting philosophical conundrum. If you document a security hole as standard practice, then is it still a bug? I mean, obviously somebody should be punched for such a thing, but still...
Admin
Well actually now it's a 'feature'... yeah that's the ticket.
Admin
lol!
That's funny cos, Sage CRM (formerly Accpac) does exactly the same.
public string GetPhoneNumber(int companyId)
{
    Connect();
    string phoneNumber = string.Empty;
    crm.ewarebase[] phone = binding.query("Phon_CompanyID = " + companyId.ToString() + " AND Phon_Type = 'Business'","phone").records;
    crm.phone p = (crm.phone)phone[0];
    phoneNumber = p.areacode + " " + p.number;
    return phoneNumber;
}
mwaahahhahaha
Admin
Actually, that's fine, as it's defined as an int in the function declaration. So trying to feed in "10; drop database" will die before it even gets into this function.
Sorry to burst the bubble there.