• RobIII (cs)

    The way I see it from looking over it briefly is that he's just removing all apostrophes?

    So the obvious thing would be MyFunction = Replace(inText,"'","")... But of course, you could opt to KEEP the apostrophes. Guess he never found this out: MyFunction = Replace(inText,"'","''")

    If this guy morron was in my "team", I would've kicked his ass to the kerb. Buh bye !

  • dubwai (cs)

    bweeeerhg [:|]

  • RobIII (cs) in reply to RobIII

    HEY! Why can't I edit my message? [:@]

    Anyways... I wanted to add that you gotta love his one and only comment. And to say that I never understand why these guys morons never think to themselves: there should be an easier way to do this. And if there's not (or you did actually miss it by accident and didn't know about the Replace function) why these people morons never get the idea to write their own "Replace" function. Nah, we'll keep re-inventing the wheel each time we need some code to replace a character or string.

  • Schol-R-LEA (cs)

    Speaking of 'giant' programs written in VB6 that need to be reverse engineered, I wonder how Mycosoft are going to handle this little matter...

  • Martin Carolan (unregistered) in reply to RobIII

    That, and the fact that he is using a really lame method to clean strings of sql injections... and doesn't even realise that an injection is possible (hence the comment)

  • richleick (cs)

    I wonder if this is the reason that the last time I was at the local "gentleman's" club and asked the dancer to stripweird she danced twice as long and took all my $'s

  • Bustaz Kool (cs)

    >>> 'sql server freaks out on this character: ' <<<

    And my word processor completely freaks out over both the CR and LF characters!  Starts moving the cursor over to the left side of the screen !!

    Of a new line!!!

    Damn lousy word processor...

  • Maurits (cs) in reply to RobIII
    RobIII:

    HEY! Why can't I edit my message? [:@]


    And given that I can't - why is there an "Edit" button?

  • whojoedaddy (cs)

    At least he didn't Dim pos as Double

  • Rick (cs)

    Do you think he does the loop twice, once for the opening quote and once for the closing quote?????

  • Ayende Rahien (unregistered)

    So, he doesn't know what ' does.
    Doesn't bother to /find out/.
    Then he decides to do a string concentration to remove it, and then he repeats it, just to be safe.
    This indicates WAY bigger problems elsewhere.

  • Anonymous Coward (unregistered)

    If this was originally written in VB5, there was no replace function.

    I do like the way he loops twice though, and the left 16000 is a nice touch.

  • DelawareBoy (cs)

    From TFA
    'sql server freaks out on this character: '

    Ok, maybe if you're doing ad hoc queries or Dynamic SQL ("INSERT INTO .." .. But SQL Server doesn't choke on the ' character if part of a stored procedure, does it?!

    Stored Procs, in general, are better than dynamic SQL, in my experience.

     

  • OMG (cs)

    I think the way he/she makes extra double sure there aren't any ' chars is really just good, good, sound, sound, careful, careful programming. Hey, if the code missed one, then it can miss it again! Sure beats writing an error handler! My only worry is when the InTxt value is 16001 char or more - wouldn't it be better to write:

    Private Function StripWeird(InTxt As String) As String
      Dim pos As Integer

      if LEN(inTxt)<= 16000 THEN     
        InTxt = Trim(Left(InTxt, 16000))
      Else
        if LEN(inTxt)<= 16000 THEN     
          InTxt = Trim(Left(InTxt, 16000))
        Else    
          inTxt = TRIM(InTxt)
        end if
        inTxt = TRIM(InTxt)
      End if
     
      'sql server freaks out on this character: '
      pos = InStr(1, InTxt, "'")
      Do While pos > 0
        InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1)
        If pos > 1 Then
          pos = InStr(pos - 1, InTxt, "'")
        Else
          pos = InStr(1, InTxt, "'")
        End If
      Loop
     
      pos = InStr(1, InTxt, "'")
      Do While pos > 0
        InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1)
        If pos > 1 Then
          pos = InStr(pos - 1, InTxt, "'")
        Else
          pos = InStr(1, InTxt, "'")
        End If
      Loop

      StripWeird = InTxt
    End Function

  • mizhi (cs) in reply to dubwai

    This WTF has rendered dubwai unable to form coherent sentences.  Is this a first? [:)]

  • dubwai (cs) in reply to mizhi

    mizhi:
    This WTF has rendered dubwai unable to form coherent sentences.  Is this a first? [:)]

    WTF is the second loop for?  That doesn't do anything, does it?

  • mizhi (cs) in reply to dubwai
    dubwai:

    mizhi:
    This WTF has rendered dubwai unable to form coherent sentences.  Is this a first? [:)]

    WTF is the second loop for?  That doesn't do anything, does it?



    Insurance in case that the first loop's eyes were tired and missed the ' 
  • David (unregistered) in reply to dubwai
    dubwai:

    mizhi:
    This WTF has rendered dubwai unable to form coherent sentences.  Is this a first? [:)]

    WTF is the second loop for?  That doesn't do anything, does it?

     

    Some people said I was crazy to build a loop that removed all apostrophes from a string.  But I did it anyway.  And that loop missed some apostrophes.

    So I ran the loop again.  That loop missed some apostrophes too.

    So I ran the loop a third time.  That loop missed some apostrophes too.

    So I ran the loop a FOURTH time.  And that one caught all the apostrophes!  And today that's what you're getting, son.

     

    A thousand apologies to Monty Python.

  • MoebiusStreet (unregistered) in reply to DelawareBoy

    No excuse at all. Even for dynamically generated SQL, you should be using parameter placeholders, and then setting the values in Parameter objects for the Command. It's easy, and completely avoids both injection attacks as well as any need to mangle your apostrophes.

    Anyone on my team who doesn't do it this way is going to get a good talking-to [:@]
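
The three approaches the thread contrasts, side by side, as an added example that is not part of the original thread or of the posted function: dynamic SQL built by concatenation (what StripWeird was written to support), RobIII's Replace(inText,"'","''") escaping, and MoebiusStreet's parameter placeholders. It assumes an in-memory SQLite database as a stand-in for SQL Server (the '' literal-quote rule and the placeholder idea are the same); the table name, the function names and the sample input are constructed for the example.

```python
import sqlite3

# Constructed sample input: a value a user could legitimately type into a
# comment field. It contains the character the thread's function strips.
SAMPLE = "it's o'clock"


def open_db() -> sqlite3.Connection:
    # In-memory SQLite stands in for SQL Server here (assumption of this
    # example); '' for a literal apostrophe and placeholders work the same way.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def insert_concatenated(conn: sqlite3.Connection, body: str) -> None:
    # Dynamic SQL built by string concatenation: the pattern StripWeird was
    # written to paper over. An apostrophe inside `body` ends the literal
    # early, so the statement is malformed (or means something else).
    conn.execute("INSERT INTO guestbook (body) VALUES ('" + body + "')")


def insert_escaped(conn: sqlite3.Connection, body: str) -> None:
    # RobIII's alternative, Replace(inText, "'", "''"): doubling the
    # apostrophe keeps it, because '' is how SQL writes a literal quote.
    # This only holds while the value lands inside a quoted string literal.
    escaped = body.replace("'", "''")
    conn.execute("INSERT INTO guestbook (body) VALUES ('" + escaped + "')")


def insert_parameterized(conn: sqlite3.Connection, body: str) -> None:
    # MoebiusStreet's recommendation: a placeholder in the SQL text and the
    # value passed separately, so the database never parses user data as SQL.
    conn.execute("INSERT INTO guestbook (body) VALUES (?)", (body,))


def stored_bodies(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT body FROM guestbook ORDER BY id")]


def compare(body: str = SAMPLE) -> dict:
    """Run all three approaches on `body` and report what happened."""
    conn = open_db()
    outcome = {}
    try:
        insert_concatenated(conn, body)
        outcome["concatenated"] = "accepted"
    except sqlite3.Error as exc:
        # The apostrophe breaks the statement: this is the "freak out" the
        # original comment complains about.
        outcome["concatenated"] = "rejected: " + type(exc).__name__
    insert_escaped(conn, body)
    insert_parameterized(conn, body)
    outcome["stored"] = stored_bodies(conn)
    return outcome


if __name__ == "__main__":
    print(compare())
```

With the sample input the concatenated insert is rejected by the parser, while both the escaped and the parameterized inserts store the text with its apostrophes intact; the parameterized form is the one to prefer because it does not depend on where in the statement the value ends up.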

  • anonymous (unregistered)

    The WTF is why anyone uses Visual Basic, that is one of the most horrible programming languages ever seen!?

  • Disgruntled DBA (unregistered)

    What IS that character??  I have never seen that character before.

  • Zach (unregistered) in reply to anonymous

    VB isn't great, but it is fantastic for rapid application development.  It comes in handy for small little projects and was a godsend before Java came mainstream.  Develop a small GUI App in VC then do the same one in VB and see how long they both take you.  Dollars to doughnuts says VB kicks the ever living crap out of the VC time.  In the end, larger projects needing closer interfacing to hardware should be done in VC.  The problem is, 90% of projects out there start small, then through maintenance and evolution become projects that should have been spec'd completely and prolly done in Java or maybe, just maybe VC if you have someone who knows what they are doing.

  • Kazrael (cs) in reply to Zach
    Anonymous:
    VB isn't great, but it is fantastic for rapid application development.  It comes in handy for small little projects and was a godsend before Java came mainstream.  Develop a small GUI App in VC then do the same one in VB and see how long they both take you.  Dollars to doughnuts says VB kicks the ever living crap out of the VC time.  In the end, larger projects needing closer interfacing to hardware should be done in VC.  The problem is, 90% of projects out there start small, then through maintenance and evolution become projects that should have been spec'd completely and prolly done in Java or maybe, just maybe VC if you have someone who knows what they are doing.


    You would think a reply would actually reply to the post selected...but NOOOOOO.  You have to quote them...
  • nordyj2001 (cs) in reply to David

    Hehehehe

  • dubwai (cs) in reply to Zach

    Anonymous:
    VB isn't great, but it is fantastic for rapid application development.  It comes in handy for small little projects and was a godsend before Java came mainstream.  Develop a small GUI App in VC then do the same one in VB and see how long they both take you.  Dollars to doughnuts says VB kicks the ever living crap out of the VC time.  In the end, larger projects needing closer interfacing to hardware should be done in VC.  The problem is, 90% of projects out there start small, then through maintenance and evolution become projects that should have been spec'd completely and prolly done in Java or maybe, just maybe VC if you have someone who knows what they are doing.

    I would bet the development time for a fat client VB is going to kick the crap out of Java too.  The problem tends to be that the app is quick in the first dev cycle but each progressive cycle takes longer and longer.  Eventually it takes longer to make a few enhancements than it did to write the app in the first place.  It's not the language mind you, it's that the skill level required to code in VB is a lot lower than most languages so you tend to get less skilled developers.  Another way to put it is that VB makes it easy to do a lot of things that experienced programmers know not to do.

  • bugsRus (cs)

    Couldn't

        If pos > 1 Then
          pos = InStr(pos - 1, InTxt, "'")
        Else
          pos = InStr(1, InTxt, "'")
        End If

    Be...

        pos = InStr(InTxt, "'")

    When you re-invent the wheel, be sure to make it round.


  • Jon Limjap (cs) in reply to bugsRus

    I think what he was trying to do was remove single quotes from strings to prep for database insertions. Makes the whole purpose of the thing a WTF: he should've added escape characters instead of removed them single quotes.

  • vhawk (unregistered)

    VB ?  So where is the   'On Error Continue Next' ?     The biggest WTF is not reading the help file looking at 'String Functions'.  Goodness the functions are all documented there.  But then the system is developed in VB which speaks volumes for the experience of the developer(s) working on this project.  Real programmer ( and consultants :-) ) knows that you work in languages like C, C++, Java, C# or what ever but never in VB

  • witch (unregistered) in reply to bugsRus
    bugsRus:
    Couldn't

        If pos > 1 Then
          pos = InStr(pos - 1, InTxt, "'")
        Else
          pos = InStr(1, InTxt, "'")
        End If

    Be...

        pos = InStr(InTxt, "'")

    When you re-invent the wheel, be sure to make it round.




    Well, he could do that, but InStr(pos - 1) is faster, because you know there aren't any ' before pos, so skipping that part of the string kinda makes sense...

  • Spidey (cs) in reply to vhawk
    Anonymous:
    Real programmer ( and consultants :-) ) knows that you work in languages like C, C++, Java, C# or what ever but never in VB


    Oh, do us a favour. "Real programmers" know that you use the best tool for the job.

    It is so dull when this board turns into a VB vs TheRestOfTheProgrammingLanguagesInTheWorld discussion by snobby programmers who like to look down on VB because it is fast, easy and popular, and somehow undermines their own sense of self importance in being a guru programmer in a 'difficult' language.

    Time to move on, people!


  • jzlondon (unregistered)

    Private Function StripWeird(InTxt As String) As String
     .....
      InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1)
    ...
      StripWeird = InTxt
    End Function

    For my money, one of the best bits is the way he's passing the input in by reference (the default before VB.Net) then using it as his temporary variable, modifying it and passing it back out.

    Beautiful.  Even if he didn't return the results, anyone calling this so-called function will find the contents of their argument variable have been modified.

  • jzlondon (unregistered) in reply to jzlondon

    OK.  What's the deal with the fonts on this forum?

  • tufty (cs)

    The comments indicate that the coder (I hesitate to use the word 'programmer') has found that quotes cause problems with his database engine of choice.

    So, rather than working out why, and risk providing a sensible solution, he has decided unilaterally to simply strip all the quotes out. Neat. And deserving of a poke up the arse with a sharpened stick.

    I fully expect to see, elsewhere in the system, something that converts quotes to some other character, and then converts them back again after it's been through this routine.

    The funny thing is, if you use a decent toolkit, you don't ever have to worry about reinventing this particular wheel. But I don't remember ever seeing VB described as a decent toolkit, so I guess that point is moot.

    Simon

  • javascript jan (unregistered) in reply to RobIII
    RobIII:

    HEY! Why can't I edit my message? [:@]

    Anyways... I wanted to add that you gotta love his one and only comment. And to say that I never understand why these guys morons never think to themselves: there should be an easier way to do this. And if there's not (or you did actually miss it by accident and didn't know about the Replace function) why these people morons never get the idea to write their own "Replace" function. Nah, we'll keep re-inventing the wheel each time we need some code to replace a character or string.



    Were I feeling charitable, I'd guess that mentioning "replace" as the right way to do what the coder originally intended (even if he didn't realise he intended it) - twice - was an ironic commentary on the double construct in the original code.

    However, I'm not feeling charitable, and I am forced to conclude that you must be one of those "morrons" we hear so much about.
  • AndyB (unregistered) in reply to Spidey

    Yup, I agree - there's plenty of scope for similar/worse approaches in ANY language...having said that, this WTF is a corker.

  • RayS (cs)

    It should be clearly obvious to everyone here that the real WTF is SQL Server freaking out over a standard ASCII character!

    I'd love to see the first error message he got when he found this out.

    "Dude, that character like totally freaked me out!!! Don't send me any more, ok?"
    [OK]  [Cancel]

  • RobIII (cs) in reply to javascript jan

    Anonymous:

    Were I feeling charitable, I'd guess that mentioning "replace" as the right way to do what the coder originally intended (even if he didn't realise he intended it) - twice - was an ironic commentary on the double construct in the original code.

    However, I'm not feeling charitable, and I am forced to conclude that you must be one of those "morrons" we hear so much about.

    I was commenting on the code as it was posted, not what he should have done (Stored Procedures, Parametrized Queries). Everyone knows he should have used XML with some XSLT and some Javascript and preferably throw in some other languages too. [:D]

  • SerKevin (cs) in reply to Rick

    Yeah, it does look like he's running the loop twice, once for open, once for closing quote... how very very very odd.

  • smitty_one_each (cs) in reply to OMG
    OMG:

    I think the way he/she makes extra double sure there aren't any ' chars is really just good, good, sound, sound, careful, careful programming. Hey, if the code missed one, then it can miss it again! Sure beats writting an error handler! My only worry is when the InTxt value is 16001 char or more - wouldn't it be better to write:



    I'm a little worried about the efficiency of the code.
    Why not a script that generates the function, explicitly unrolled for an arbitrary number of bytes (up to say, 640K, since Bill Gates decreed that's all we'd ever need) and then just checks each byte explicitly.
    'That's, in my mind, efficiency's best bet, y'all, since you don't know how many ASSKISS 39's the input may be packin''.
    We can call such a script: Duff's Dementia.
  • Schol-R-LEA (cs) in reply to dubwai
    dubwai:
    VB makes it easy to do a lot of things that experienced programmers know not to do.


    Do you mind if I use this quote? It perfectly sums up many of the problems with VB (and several other RAD tools as well).
  • Schol-R-LEA (cs) in reply to Spidey
    Spidey:
    Anonymous:
    Real programmer ( and consultants :-) ) knows that you work in languages like C, C++, Java, C# or what ever but never in VB


    Oh, do us a favour. "Real programmers" know that you use the best tool for the job.

    It is so dull when this board turns into a VB vs TheRestOfTheProgrammingLanguagesInTheWorld discussion by snobby programmers who like to look down on VB because it is fast, easy and popular, and somehow undermines their own sense of self importance in being a guru programmer in a 'difficult' language.


    While I agree that a lot of the VB-bashing (such as the example above) is uncalled for, there are objective reasons why VB is less than desirable. The language is extremely large and complex (far more so than most client-programmers suspect when they begin using it), has many grave design flaws, and through VB6 at least had been developed in a slipshod and ad hoc manner. VB.Net really does fix many (nowhere near all) of the problems with VB as a language, but the result is about as different from VB6 as Java is from C++. Since the language is proprietary and subject to arbitrary change (something which is also true of Java, admittedly)

    I doubt that a 'visual' RAD tool based on, say, Ruby, would have nearly as many problems, or as many complaints. To give a real example, I've heard of implementation complaints regarding Boa Constructor, but I can't recall many complaints about the underlying language (Python), and certainly nothing like those levelled at VB; this may be just a function of popularity, I suppose, but from what I've seen Python is mostly a language people move to rather than away from. Had VB been better designed as a language (and if there were an open, published standard from the start),  I doubt that it would have the odious reputation it does.

    Personally, my biggest issue is that VB looks easy to use, and is for fairly straightforward projects, but becomes monstrously difficult to maintain beyond that. Also, I personally feel that VB is a poor language for teaching - something I also feel about C, C++, Java, and Perl, though for different reasons in each case - and encourages sloppy programming habits. It tries to fit the 'casual programmer' niche Smalltalk was designed for, and fails.
  • Schol-R-LEA (cs) in reply to Schol-R-LEA

    Feh. I apparently dropped the end of that first paragraph somehow. It should have read:

    "Since the language is proprietary and subject to arbitrary change, programmers using it cannot be certain if the code they write today will work on the next version of the language - something which is also true of Java, admittedly, but the Java developers tend to make fewer radical changes, and phase out old constructs rather than simply axing them or rearranging them. The fact that the language is not fully documented (AFAIK), and no standards body exists for it, makes some aspects of development a matter of guesswork.

  • p (unregistered) in reply to RobIII
    RobIII:

    I was commenting on the code as it was posted, not what he should have done (Stored Procedures, Parametrized Queries). Everyone knows he should have used XML with some XSLT and some Javascript and preferably throw in some other languages too. [:D]

    it would be much better to store the javascript in the db as xml, like so:

    ...
    <if condition="pos &gt; 1">
     <assign var="pos">
      <replace what="'" with="">
       <value of="pos" />
      </replace>
     </assign>
    </if>
    ...
    then convert it to javascript [Y]

  • Spidey (cs) in reply to Schol-R-LEA
    Schol-R-LEA:
    Feh. I apparently dropped the end of that first paragraph somehow. It should have read:

    "Since the language is proprietary and subject to arbitrary change, programmers using it cannot be certain if the code they write today will work on the next version of the language - something which is also true of Java, admittedly, but the Java developers tend to make fewer radical changes, and phase out old constructs rather than simply axing them or rearranging them. The fact that the language is not fully documented (AFAIK), and no standards body exists for it, makes some aspects of development a matter of guesswork.


    Jesus, dude, don't you have anything better to do?

  • Smokey (unregistered)

    It's missed its requirement goal. If it strips "weird", how come I can still see the code?

  • Suomynona (unregistered)

    So many WTFs... Let's see:

    1. (most importantly) That d00d is too dense to use stored procedures, even after he's realized that there's a problem with apostrophes in strings.
    2. He decides to remove apostrophes/single quotes from string parameters before assembling a query (ok, at least he does something that will prevent SQL injection), but he doesn't actually know what he's doing, as exemplified by the comment.
    3. This means that apostrophes can no longer be used in string parameters at all, which is kind of annoying if you use SQL for feedback/guestbook/comment/mail body fields.
    4. He writes his own method instead of just using Replace.
    5. Instead of writing a general purpose "Replace"-like function, he decides to hardcode it to perform Replace(InTxt, "'", "").
    6. He executes the exact same copy-pasted Do While loop twice in a row, just to be sure.
    7. His Replace implementation manages to require quadratic time in the worst case, which is essentially an invitation to cheap DoS attacks (just send 16,000 single quotes to the server).
    8. The function name is a WTF in itself.
    9. He trims string parameters to 16,000 characters without any notice.
    10. He's using VB6 (scnr).

    Ok, did I miss any?

  • Suomynona (unregistered) in reply to bugsRus
    bugsRus:
    Couldn't

        If pos > 1 Then
          pos = InStr(pos - 1, InTxt, "'")
        Else
          pos = InStr(1, InTxt, "'")
        End If

    Be...

        pos = InStr(InTxt, "'")

    When you re-invent the wheel, be sure to make it round.




    He's probably trying to shave off some cycles, but, unfortunately, he's a bozo, which means it doesn't actually buy him anything. That's because the line
        InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1)
    always requires linear time, and it's executed once for every apostrophe, so in the worst case, he manages to make a simple string replacement, which should be O(n), O(n²) in time complexity.
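
Suomynona's quadratic-time claim above, and dubwai's question earlier about what the second loop does, can both be checked by counting work. The following is an added example, not code from the thread: a Python port of the posted StripWeird with VB's 1-based InStr/Left/Mid semantics reproduced, instrumented to count the characters each Left(...) & Mid(...) rebuild copies, next to the single-pass Replace the thread says should have been used. The function names and the all-apostrophe worst-case input are constructed for the example.

```python
def strip_pass(text: str) -> tuple:
    """One run of the thread's Do While loop.

    Returns (text with apostrophes removed, characters copied by the
    Left(...) & Mid(...) rebuilds).
    """
    copied = 0
    pos = text.find("'") + 1              # InStr(1, InTxt, "'"): 1-based, 0 = none
    while pos > 0:
        # InTxt = Left(InTxt, pos - 1) & Mid(InTxt, pos + 1): every remaining
        # character is copied to build the new string, whatever `pos` is.
        text = text[:pos - 1] + text[pos:]
        copied += len(text)
        # If pos > 1 Then InStr(pos - 1, ...) Else InStr(1, ...)
        start = pos - 2 if pos > 1 else 0
        pos = text.find("'", start) + 1
    return text, copied


def strip_weird(text: str, limit: int = 16000) -> tuple:
    """The function as posted: Left(..., 16000), Trim, then the loop twice.

    Returns (result, [copies in pass 1, copies in pass 2]).
    """
    text = text[:limit].strip(" ")       # VB Trim removes spaces only
    copies = []
    for _ in range(2):                   # the copy-pasted second loop
        text, n = strip_pass(text)
        copies.append(n)
    return text, copies


def linear_strip(text: str) -> tuple:
    """What Replace(InTxt, "'", "") does: one pass, each character copied once."""
    return text.replace("'", ""), len(text)


if __name__ == "__main__":
    n = 16000
    quotes = "'" * n                     # constructed worst case from the thread
    _, copies = strip_weird(quotes)
    print("StripWeird copies per pass:", copies)
    print("Replace copies:", linear_strip(quotes)[1])
```

For an input of n apostrophes the first pass copies n-1, then n-2, and so on down to 0 characters, n(n-1)/2 in total (about 128 million at the 16,000-character cap, against 16,000 for Replace), and the second pass always reports 0 because the first pass already removed every apostrophe.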

  • Suomynona (unregistered) in reply to javascript jan
    Anonymous:

    Were I feeling charitable, I'd guess that mentioning "replace" as the right way to do what the coder originally intended (even if he didn't realise he intended it) - twice - was an ironic commentary on the double construct in the original code.

    However, I'm not feeling charitable, and I am forced to conclude that you must be one of those "morrons" we hear so much about.


    Were I feeling charitable, I'd calmly point out that what you are saying has nothing at all to do with RobIII's comments.

    However, I'm not feeling charitable, and I am forced to conclude that your "brain" is actually a half-rotten cauliflower, moron.


Leave a comment on “Weird Stripping”
