- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Perl in 2011. Uh-oh.
Admin
So, the first query is only there to ensure those IDs actually exist in the table? Is it even possible that they don't?
Admin
refactoring a small portion is better than no refactoring at all, even if it is only to add comments. i've been at it for years at my current job, and the codebase improves slowly, and I shudder to think how I found it when I accepted the job.
my favorite saying: "once deleted, it will never return."
Admin
So what happens if it "dies" I wonder? There is no context provided as to how this code is used.
Admin
I've interviewed candidates that are using perl in 2024. Some of them were almost as old as the perl version they were using.
Admin
Hey, @Remy, you missed an extra WTF - the
id
field of the database is a string that's populated, it seems, entirely by stringified numbers. (OK, we only have a limited selection of values, but they are all stringified numbers.)Admin
The pattern of join as a loop in code is very common in my actual job. It has to do with IBM funny way of calculating the amount of money they will charge you each month. In the old times the project i'm working now was a cobol + db2 mainframe monstruosity. Because the db2 and the cobol code execute over the same big machine, there where no network latency, and looping over a result to launch queries cost a lot less money than making a join query and looping over the results.
We have moved from cobol, via automatic tranlation to java, and now we have tons of code with that kind of behaviour But now the core run in different hardware than the db2 so instead of money, we now are paying for it in network time, because of the trip to the db in each iteration of a loop.
Admin
How else are you going to support IDs that might be GUIDs? This is future proof code
Admin
From that code, I wouldn't assume that the database field is itself a string. Quoting integers in queries is just another mini-WTF I've seen from junior coders who know little-to-nothing about data types, and think all data has to be in quotes.
Admin
What are you waiting for? Become a supervillain TODAY!
It'd be one heck of a story. The dev who sees bad code day after day, until he turns crazy and embraces a path of darkness as a revenge against society. Countless horrors happen, until the supervillain kidnaps Batman's girlfriend to make her write a web application in BOBX. An epic fight ensues, during which the server room gets destroyed, and the supervillain gets captured. But at the end of the film, his prison cell is found empty, save for piece of paper with a handwritten code snippet from the prison's electronic locks' source code, showing an unmistakable SQL injection...
Admin
Good rule of defense programming: check return codes/results, and if you don't know how to solve/process failure - just die/stop/halt.
Do not try to continue up to unpredictable results.
So, this "do or die" is actually not a WTF, but small piece of actual good code in this pile of shit.
And yes, I sometime use perl for quick scripting. It's actually good as scripting language - if you code fit in ~5 kilobytes.
Admin
Not necessarily, it's possible it's an integer and they're forcing the database to convert the values for the comparison, per their implicit conversion type priorities.
Admin
There should be a foreign key constraint from admin_routeurs.networkid to admin_networks.id. If this is missing, or not enforced, it will be possible for the IDs to be missing.
Admin
. . . then you should not be coding. Let someone who knows what they are doing write the application.
Admin
That's OK. Microsoft SQL Server lets you search with stringified numbers for numeric values. As a side effect, the automatic conversion prevents an index search.
Admin
Yop, I mean I coded in Pascal in the 80s as well, still know what it does, but honestly wouldn't release a project made with it in the 2010s. So it's great if you know stuff that long has been surpassed by better solutions, I wonder at this point though how long this project was actually cooking... over two decades, because that was pretty much when CGI was still popular?
Admin
I worked with a client ones where (ORACLE) SQL script literals all had to be strings no matter the datatype. Luckily I was in the .net team and we used code first migrations, so we had not to deal with this. However that was the old EF6 with XML migration scripts, so that resulted in another bag of bees during branch merges.
Admin
If it's MySQL, it automatically coerces strings to numbers when necessary, and it 's pretty common to quote numbers in queries (perhaps thinking it's a way to prevent SQL injection, or just because they've gotten into the habit of quoting all literals). It does no harm, so it's a minor WTF.
Admin
I'll watch it!
Admin
Indeed, not a big WTF at all.
Admin
This code is also subject to bobby tables, having used a string interpolation rather than a placeholder. Perl has supported placeholders since 1995 via DBI.
Admin
Another WTF: The id values in the query for $sth are not in order. Absolutely not required, but another person reading it would appreciate the ordering. Here's two lists; you decide which is more "readable"
8,13,14,16,22,26,27,23,40,39,33,31
8,13,14,16,22,23,26,27,31,33,39,40
Admin
Bu if you sort by number you lose history!
Admin
It's not, since the ID values are constrained in this context, but you can be sure that the developer has written other code that is.
And if they would use placeholders, preparing the statement on each loop iteration would be unnecessary.
This just illustrates that a "safety culture" can never be a match for a Turing-complete programming language.
Admin
It is also possible that in the future IDs could be added in the futuristic form of '8a', '8c', '8.7', '8-1', '8 new', '8 deputy' and '8 '. This solution might still work... or die.
Admin
And would it even matter if they didn't?
Admin
Well, since the string interpolated is the id field from the previous query, it's probably already sanitised.
What I like but that nobody seems to have picked up is that they are using prepare/execute but without any placeholders. They are so close...
Addendum 2024-10-03 07:14: That's a response to Randal L. Schwartz
Admin
I wrote DB-interfacing Perl code many years ago that purposefully did a query/loop/query instead of one SQL join expressly because the indexing on the DB was so bad for a specific situation that doing multiple queries and looping was faster than letting the DB do all the work. But somehow I doubt that's the case here, especially since that first query is entirely superfluous even if you really want to have nested loops.
Admin
I wrote DB-interfacing Perl code many years ago that purposefully did a query/loop/query instead of one SQL join expressly because the indexing on the DB was so bad for a specific situation that doing multiple queries and looping was faster than letting the DB do all the work. But somehow I doubt that's the case here, especially since that first query is entirely superfluous even if you really want to have nested loops.
Admin
Apart from the french-sounding table name, this could be from our systems. Down to the
$sth2
, the hardcoded jumble of magic numbers, the bullshit query. I bet you there's some manual HTML monster string around that to generate a web page.