Admin
lol, I saw almost the same thing at work today
(my workday is already over now - sweet, sweet Europe ;)
Admin
Sooo.. the WTF is that they thought a 9 digit User ID was enough? How horrible! Jeez, unless you're Amazon, 9 digits probably will be enough. Maybe the number needs to be parsed by a human at some point.
Admin
no. the wtf is that they're using the first 9 digits of the unique key...which no longer makes it unique. ex: 849183758193 = uuid1 849183758194 = uuid2 and using the first 9 return the same result, which means it's no longer unique.
Admin
Hmm, why didn't they just do this:
After all, they'd have been happier...
Admin
Captcha - poindexter - Hey! Are you trying to imply something?
Admin
Wow... half a dozen posts and no one has taken any "coldFusion sucks" shots yet. That has to be some kind of record.
Admin
Happy now?
Admin
Anyone that says Coldfusion sucks must either be Hitler or a Nazi. And thus I Godwin's law.
captcha: sanitarium. I think the voices in my head are telling me something.
Admin
And why is this editor so messed up in konqueror?
CAPTCHA: sanitarium
Admin
Sadly I can't talk either.
Admin
The editor is messed up in Konq because it doesn't load fancy rich text editor and there's no stylesheet to set reasonable width/heights for the textarea. Already notified Alex but it doesn't look like he's very interested in fixing it.
Admin
The problem isn't the date. The WTF is the string truncation.
Admin
I will join the conversation: CF Sucks :)
Even though I do not know why :)
Admin
Actually as I look up the UUID format, the first eight characters (the ninth being a hyphen) are the least significant bits of the timestamp, which is not such a bad way to generate a pseudo-random number.
captcha: gygax. wtf?
Admin
Why does everyone feel the need to reiterate their captchas in their comments? Is it not enough to type it once in that little textbox?
To be honest, it drives me a little batty to see these captcha comments sprinkled throughout the discussions. Although whatever, comment how you like.
Fourteenth!
Admin
So 1 in a billion isn't good enough for you? Lemme guess, you work for the state lottery commission, marketing department - you can't win if you don't play.
captcha - what's gygax?
Admin
CreateUUID() returns the UUID as a string.
Admin
It doesn't make much sense to have your "UUID" generated from time only. Sooner or later*, it will screw up and be a pain to fix.
*unless you are planning on the company being bankrupt in 6 months
Gary Gygax is well known for creating/working on table top rpgs, including D&D
captcha: waffles, but i'm typing "no".. and it didn't work, fine i'll type waffles
Admin
[quote]And why is this editor so messed up in konqueror?[/quote]
Konqueror sucks. Happy now?
captcha: burned... Oh how appropriate!
Admin
I think you're missing the point. Regardless of how long the substring is, taking a unique number and chopping off some of it could result in collisions much more frequently than the odds would lead you to believe. Try a small experiment - you don't need all that many iterations to see collisions when you truncate like that.
Captcha - riaa - Grrrrrrrrrrrrrrrrrrrrrr..
Admin
I shiver with pain and fear when I hear this kind of stuff.
Admin
Two customers click "Submit" at the same time. Oops, they get the same customer ID.
Admin
http://livedocs.adobe.com/coldfusion/6.1/htmldocs/functi54.htm
So all their UUIDs are now something like: 12345678-02-21-07
So the "Universally Unique Identifier" is the same for anything created that day...if they're only creating one of whatever is represented by IDstring per day I guess that works. (Though I'd tend to guess that IDstring is a user reference, the code doesn't really give us enough to know).
Admin
In Soviet Russia, UUID writes U!!!
Chopping off UUIDs kind of defeats the purpose.
Reminds me of those dudes that converted letters to numbers to implement RSA ... resulting in screwed up code that would act funny with non-alpha characters. Somehow they didn't realize that all letters are already numbers (the ASCII code value) which is trivial to get.
Admin
Assuming that the CreateUUID function returns a string of the form "550e8400-e29b-41d4-a716-446655440000", taking the first 9 characters will return "550e8400-". There are 8 random hexadecimal characters in there, so the number of possible outcomes for a given day is 16^8 = 4,294,967,296.
If two customers are added on a given day, the probability of a collision is 1/(16^8).
If a thousand new customers are added on a given day, the probability of a collision occurring is 1-((1-(1/(16^8)))^499500) (499500 possible pairs, each with a chance of 1-1/(16^8) of NOT colliding)
That's a chance of less than 1 in 10,000 of creating a collision that day.
Conclusion: while this is a bug, the code is expected to operate without creating collisions for decades (under the reasonable assumption that 1000 new customers each day is an upper limit).
Admin
Ok so I oversimplified because I didn't read enough about CreateUUID (I'm not a CF guy).....however the point still stands that for a high activity site 8 characters isn't really enough uniqueness. Esp given we don't know if IDstring is UserID, CartID, LineItemID, etc....
Admin
Where does it say IDstring is a customer?
Admin
Because konqueror sucks! Bwaahahahahaha!
Man, you just walked into that one.
Admin
The point being missed here is that they want a unique ID, not a random ID. A sequential ID is less likely to have a collision than a random ID, but the first 9 characters in a 10 character sequential ID would collide 90% of the time! This is like creating an MD5 hash, then truncating it to only 9 characters, it makes it significantly less useful.
Admin
Since most system clocks only do millisecond accuracy, you're only actually getting 86400000 different values in one day. The same number will repeat 200 times a day, so that's 200/86400000 or 1/432000 chance of collision.
Like I said, unless you're Amazon, it will probably be fine.
Admin
ThisCustomerID
Admin
ThisCustomerID
Admin
You're still missing the point. Calculate the chances of CreateUUID returning the same thing twice in one day, then compare it to the chances you calculated above, and realize that the developer made extra effort to INCREASE the chances of collision. That is the WTF.
Admin
Your math is wrong. This is the birthday paradox computation. The probability of no collision is (1 - 0/16^8)(1 - 1/16^8)(1 - 2/16^8)...(1 - 999/16^8). Doing this with double precision floating point (which will be off, but I don't feel like pulling out the exact arithmetic package right now) yields p = 0.999883707, or about 1 in 8600. The number of days that must pass before there is a 1 in 2 probability that a collision will have occurred is ceiling(log(1/2) / log(p)) = 5961. If we consider a 1% risk completely unacceptable, the time is ceiling(log(0.99) / log(p)) = 82 days!
Admin
Captcha = atari yeah, that was an annoying company too.
Admin
Haha, captcha: slashbot! Get it?! Slashbot! Hey wait...
Admin
That's faulty logic... If you create an id every 7 minutes (exactly) then you're 100% guaranteed to get a collision... No?
The real chances of a collision are 50%. Either you will get one or you won't.
Admin
Accounting for the number of possible pairs (as I did) automatically accounts for the birthday paradox effect.
It is actually your math which is wrong. For n new customers, you have a probability factor (1 - n/16^8) in your calculation. For n>16^8, this results in a negative probability :D
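The collision arithmetic debated in the comments above, as an added example (not code from the article or from any commenter): it evaluates both the exact birthday product and the pair-counting estimate for 1000 IDs per day drawn from the 16^8 values left after truncation, then the number of days until a given cumulative risk. It assumes, as the posts do, that the eight surviving hex characters are uniformly random; all function and constant names are illustrative.

```python
import math

SPACE = 16 ** 8    # 8 hex characters survive the 9-character cut; the 9th is "-"
PER_DAY = 1000     # daily volume assumed in the thread


def p_no_collision(n, space=SPACE):
    """Exact birthday product: probability that n uniform draws are all distinct."""
    if n > space:  # pigeonhole: a repeat is certain, so never a negative probability
        return 0.0
    p = 1.0
    for k in range(n):
        p *= 1.0 - k / space
    return p


def p_collision_pairs(n, space=SPACE):
    """Pair-counting estimate: treats the n*(n-1)/2 pairs as independent."""
    pairs = n * (n - 1) // 2
    return 1.0 - (1.0 - 1.0 / space) ** pairs


def days_until_risk(risk, n=PER_DAY, space=SPACE):
    """Days of n IDs/day before P(at least one same-day collision) reaches risk.

    IDs only have to be unique within a day because the date is appended,
    so each day is an independent trial with success probability p_no_collision.
    """
    return math.ceil(math.log(1.0 - risk) / math.log(p_no_collision(n, space)))


if __name__ == "__main__":
    exact = 1.0 - p_no_collision(PER_DAY)
    print(f"exact daily collision probability: {exact:.9f} (1 in {1 / exact:,.0f})")
    print(f"pair-counting estimate           : {p_collision_pairs(PER_DAY):.9f}")
    print(f"days until 50% cumulative risk   : {days_until_risk(0.5)}")
    print(f"days until 1% cumulative risk    : {days_until_risk(0.01)}")
```

For the thread's inputs the two formulas agree to better than one part in a billion (about 1 in 8,599 per day); the cumulative risk reaches 50% after 5961 days and 1% after 87 days.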
Admin
Avoiding collision is not the only concern. It seems almost certain (from the additional MM-DD-YY tag) that the ID is intended to be human-readable. A 36-character UUID is too much if you have to read it over the phone, etc. The trade-off here seems entirely sensible.
Admin
This is now officially over my head. I think I'm going to go play in the archives for a little while.
Admin
Who cares how likely the chances of a collision are? There's a perfectly acceptable solution where the chance of collision is guaranteed under all circumstances to equal zero.
And I don't buy the "humans might need to parse it" argument. Humans can memorize thousands of digits of pi, so reading 32 numbers should be within the capabilities of the average office worker. Anyway, there's probably something wrong with your process if you require non-techies to interact with user IDs on a regular basis.
Admin
The REAL WTF - Nobody seems to understand the WTF.
OK everybody, let me explain it. The UUID is for the transaction. You take the customerID and that day's date string to make your UUID. This is fine as long as the same user doesn't try to make more than one purchase per day. That's the WTF. Man I thought the people who read this page were supposed to be smart
Admin
stupidity + sarcasm - selfConsciousness = gold
Admin
The customer ID isn't used in the code shown. It is generated.
Admin
I'd say the real WTF is not using a bad ID, but GETTING a UUID and then THROWING HALF OF IT AWAY.
It's like buying a server with 16gb ram and then taking 8gb out and throwing it in the trash.
Admin
is it coincidence that the captcha for this reply is "craaazy"?
Admin
The WTF is that you can't spell ColdFusion