- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
That's great. It allows anyone to change any SQL used by the program to anything they like. Added flexibility. What could possibly be wrong with that?
Admin
when Russians stolen Diablo they changed all strings to Russian anyway, the fact that strings were stored in compiled executable didn't stop them
Admin
Well, in fairness, at /least/ they're being used in prepared statements... and they're all in one file...
This is how low my expectations have been brought through years following this site.
Admin
Drop table hope;
Admin
Drop table hope;
Admin
Error: 1008 SQLSTATE: HY000 (ER_DB_DROP_EXISTS) Can't drop database 'hope'; database doesn't exist
Admin
Still better than forcing everyone to use stored procedures, and having to grovel to the DBA whenever you want a slightly different query.
Admin
Not just from following this site. From working with other, often (very) experienced developers, too.
Admin
Far better than in-lining them, imho
Also means at some point they can replace the sql lookup implementation without having to change all the calling code
Admin
It actually doesn't seem like a terrible idea inside of a code base used by a single team.
Admin
Well, there's your problem. (Where did Adam quote that from anyway?) He was dropping a table; you tried dropping the entire database.
Admin
So? Now just write a DSL to allow users to write their own queries without actually knowing SQL.
Admin
"Now just write a DSL to allow users to write their own queries without actually knowing SQL." Oh, that sounds so much like the old "let the users define custom reports" that I used to hear. There's a reason I was paid the mediocre bucks to write optimized-ish SQL for those reports I very carefully designed....
Admin
DELETE FROM Hope WHERE Person='Ye' AND Action='Entering' AND Location='Here';
Admin
Still a better love story than Twilight.
Admin
I've been in shops where everything (repeat everything) had to be in a stored procedure.
I'm currently working on stuff that uses Entity Framework code-first where the database structure is defined in C# code (a table for each interface and resulting model). The guy that first designed this is a brilliant front end developer for imaging software. He chose EF code-first as he knew nothing about data design. The resulting database code shows this.
So the best of both - let the developers design their database. Use an ORM for access. Use the DBA for their expertise.
Admin
Well as long as the replacement strings had the same length in bytes, replacing them in the executable should not matter or be that hard.
One of my friends back in university did that with a hex editor and replaced 'Starting MS-DOS' to 'Welcome to hell' (or something similar, can't remember the exact string) in comand.com.
Admin
Spoken like a true developer who doesn't understand what stored procedures are or the advantages they have
Admin
And apart from storing the unencrypted connect data into the very same file where's the WTF? We don't know if or how this file can be accessed by the end user; it may very well be packed into a .war file for the user unable to see or access. If the Database is accessible to the end user what prevents him of firing up google and looking into the latest security vulnerabilities to gain access to an unpatched database.
And since everyone's falling into autistic screeching when the word "stored procedure" or "view" is even mentioned I don't believe everyone is wrinkling their nose because the sql statements aren't encapsulated in stored procedures returning ref cursors and recurring SQL Statements are wrapped in views. And most certainly ORM tools aren't the solution to every database problem. Try to tune a SQL Statement generated by one of those monstrosities...but sure enough, that's the DBAs department, right?
OK, one could argue that a DDL Statement really shouldn't make it into the runtime version of the application, so really, what's so bad here?
I am guessing the database either doesn't support stored procedures, the developer didn't know them, or because a coleague of a coleague of a friend of a cousin of the boss' dog sometime worked in a job where he had to use them and instead of learning how to use them properly the pure horror followed. So stored procedures are plain evil and must not be used at all costs. And in that case having the SQL Statements stored in some named fashion, giving them a unique name sounds like a good idea at least to me.
cheers
Admin
Sprocs every day of the week!
Admin
"A simple regex-based parser ..."
Has a sentence that started that way ever ended well?
Admin
1987 called. They want their code back.
Admin
"So? Now just write a DSL to allow users to write their own queries without actually knowing SQL."
Welcome to the "Inner platform effect". This has been discussed before. It always yields a giant WTF!
Admin
They read the file at startup and stored it in a hash? But what if they wanted to change the strings at runtime? TRWTF is that they didn't make a function that opened sql.txt, read every line until it found the correct item, then returned it. Bonus points if it could rarely leave the file handle open such that the program runs out of file handles and dies with a cryptic error message after running for six hours. Triple word score if it used some kind of eval() on what it read from sql.txt to create a code execution vulnerability.
Good on them for at least using prepared statements. But they probably only did it because it was too hard to splice parameters into the SQL command strings.
Admin
The only WTF here is cramming each whole SQL statement on a single line. Well, that and using positional rather than named parameters.
One way or another, keeping all SQL statements in one place makes schema changes a lot easier.
What I've found is best is putting each statement - or set of statements (for DDL and some explicitly-transactioned DML) - in a separate .sql file (in a single sql/ directory), which (among other things) gives syntax highlighting.
Admin
JSON would be standards based, with parsers widely available, and I know I can trust it with quotes, escaped characters etc.
Admin
Here here. I'm not a robot is the sorry of developer who should be jailed when their implementation gets hacked.
Tottally horrified at "I'm not a robot"'s stupidity.
Admin
This sorry of article should be titled. "How to get compromised through stupidity". Here's what's wrong with the article.
Admin
... and this technique is bad why, exactly?
Admin
CREATE TRIGGER on_entering_hell BEFORE INSERT ON hell EXECUTE PROCEDURE abandon_hope();
Admin
Notice the lack of Indexes.
Admin
Ref folks above defending an [sprocs for everything] policy ...
The folks complaining about having to use [sprocs for everything] are mostly complaining about the political problem when devs are responsible to create results on a schedule while DBAs are free to say "no" or "too busy to fix" without consequence. Which leads to horrific work-arounds by the devs when the bosses don't care to solve the politics, or worse yet actively abet the politics.
As with so much of this stuff the deep baseline WTF is human-to-human, not human-to-machine.
Admin
I've worked with (and was hired to write the replacement for) a program that did something very much like that... in Clipper. It was an idea both miles ahead and way behind its time.
Admin
Meh, I've seen much worse. Like a large book wholesaler, where if you ask in an email for a copy of the database schema, they forward your email to the head IT guy, who takes an hour to respond, as he's typing in the schema, from memory.
Admin
@Scott - I have a worse one : "A simple regex-based HTML parser ..."
Olig link: https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags/1732454#1732454
Admin
Oh yes the developer should have used sprocs and named arguments. Silly developer, bad developer?
But what if the code was originally developed for Sqlite which doesn't support sprocs or named arguments?
Oh yeah... Um it's not a bad compromise it's it?
Admin
i remember doing the same things in HXD hex Editor, replacing the plain text String from byte code and running them; but the problem occurs if compiled code stores more then just Plain text string as if it store the length (if string static) or storing the checksum value type something that i never figured out what were those things (i was a novice back then :D) .
But the idea there to store string like each query from SQL.txt into a class and serialize it so that it is not directly in plain sight is still a better choice to get those dirty hands off from your code (WTF :D) or storing them into a dedicated DB table where it can be changed easily by some particular DB user having privilege over that is still good even it increase the first time DB access and fetch time but still is a good thing in a sense...
Storing everything in file-system including db_password is surely a WTF for programmers...
Admin
It most certainly does support named arguments, but your language interface to it might not. Sprocs are much less useful, as there's no notion of multi-user permissions involved (and that's a consequence of Sqlite definitely not being a multi-user service, by design), but good language interface will handle the necessary caching so it doesn't matter, and the time to recompile the SQL is usually small enough to be irrelevant next to the cost of accessing the data.
Admin
This reminds me of named Hibernate queries back in the days before annotations. But that was clearly better, because they were placed in an XML file.