  • bvs23bkv33 (unregistered)

    i did not see "prepare statement" statement between "sqlquery.append" and "parameters.put"

  • Little Bobby Tables (unregistered)

    Aha, I get it: so TRWTF is calling the parameter to these methods "original", amirite?

  • my name is missing (unregistered)

    CopyPasta is delicious served with a side of WTF sauce.

  • Scott (unregistered)

    I ran across this in our db recently. App called sproc 1 with a parameter x.

    sproc 1 said, "if x = a, call sproc 2, else call sproc 3"

    sprocs 2 and 3 used the exact same query, except 2 hard-coded some value v1 and 3 used v2.


  • (nodebb)

        public static String MapFristGroup(String original) {
            String result = "";
            Logger logger = new Logger("ThisClass.MapFrist");
            StringBuffer sbQuery = new StringBuffer();
            AccessBdNonXa accessBdNonXa = new AccessBdNonXa();
            HashMap<String, String> parameters = new HashMap<String, String>();
            try {
                sbQuery.append(" SELECT  COD2 FROM MAPPINGS ");
                sbQuery.append("  WHERE COD1= ?");
                sbQuery.append("  AND   MAP_GROUP= ?");
                parameters.put("1", original);
                parameters.put("2", "GROUP_COMMENT_CODE");
                Vector vectorBD = accessBdNonXa.lookup(sbQuery.toString(), parameters);
                logger.debug(" Query bbdd" + sbQuery.toString());
                if (vectorBD != null && vectorBD.size() > 0) {
                    HashMap hData = (HashMap) vectorBD.get(0);
                    result = (String) hData.get("COD2");
                }
            } catch (Exception e) {
                logger.error("Exception: " + e.getMessage());
            } finally {
                if (accessBdNonXa != null) {
                    // body not included in the quoted excerpt
                }
            }
            return result;
        }
  • (nodebb)

    MAPPINGS is a "database" table! Thanks for qualifying it like that - now I can rest assured that you did not mean a picnic table or a kitchen table.

  • Little Bobby Tables (unregistered) in reply to bjolling

    I suppose it might have been a wooden table.

  • sizer99 (google) in reply to bjolling

    This IS the Daily WTF, so it could have been a gigantic hardcoded table embedded right in the code instead of in the database - we've seen it before. And then of course they'd search it with an O(n^2) algorithm...

    It soon becomes obvious it is a database table, but explicitly calling it 'database table' up front works well here for establishing that that isn't the WTF at least.

  • (nodebb)

    So, for example, one laboratory test Sergio’s company performs might be called “QD1” internally, but is known by the government as “F3+”.

    Not related to the WTF, but I would use different "string wrapper classes" or typedefs to explicitly encode that those 2 different identifiers (which happen to be strings) are different and cannot be mixed up. The purpose of type systems is to model the domain space and to express the programmer's intent.
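The distinct-wrapper-type idea above, as an added example (not code from the article or from the commenter). It assumes Java 16+ for records; the type and field names are invented here, while the codes "QD1" and "F3+" are the ones the article quotes:

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Added illustration, not the article's or any commenter's code.
// InternalCode / GovernmentCode / TestCodes are hypothetical names.
public final class TestCodes {

    // Two distinct types for two identifier spaces. Both wrap a String, but
    // the compiler will not accept one where the other is expected.
    public record InternalCode(String value) {
        public InternalCode {
            Objects.requireNonNull(value, "internal code");
            if (value.isBlank()) throw new IllegalArgumentException("blank internal code");
        }
    }

    public record GovernmentCode(String value) {
        public GovernmentCode {
            Objects.requireNonNull(value, "government code");
            if (value.isBlank()) throw new IllegalArgumentException("blank government code");
        }
    }

    // The map's key and value types state the direction of the mapping;
    // swapping the two is a compile error, not an empty result at runtime.
    private final Map<InternalCode, GovernmentCode> toGovernment = new HashMap<>();

    public void register(InternalCode internal, GovernmentCode government) {
        toGovernment.put(internal, government);
    }

    public GovernmentCode toGovernment(InternalCode internal) {
        GovernmentCode g = toGovernment.get(internal);
        if (g == null) {
            throw new IllegalArgumentException("no mapping for " + internal.value());
        }
        return g;
    }

    public static void main(String[] args) {
        TestCodes codes = new TestCodes();
        codes.register(new InternalCode("QD1"), new GovernmentCode("F3+"));
        System.out.println(codes.toGovernment(new InternalCode("QD1")).value());
        // codes.toGovernment(new GovernmentCode("F3+")); // rejected by the compiler
    }
}
```

Because the records implement `equals` and `hashCode` over their single field, they work as map keys without extra code, and the only way to obtain a `GovernmentCode` for a raw string is to go through a constructor that states which identifier space the string belongs to.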

  • K. (unregistered) in reply to jimbo1qaz 0

    Many (too many) programmers I work with do not have a good grasp on what their intent even is.

    And I'm fairly certain that no programmer whose code ends up here knows what they are doing & how to do it. Otherwise, the code would not have ended up here.

  • P (unregistered)

    Queen to d1? Pawn to f3 check?

  • hello (unregistered)

    logger.debug(" Query bbdd" + sbQuery.toString());

    Apparently the BBDD is a Spanish plural form of "database".

  • Rich (unregistered) in reply to Scott

    That might've been an attempt to prevent problems with parameter sniffing. I expect by now things have improved, but a few versions of sql server ago, that could've been a reasonable way to ensure that each version used an appropriate execution plan. More likely it was just bad code, but it is at least plausible.

  • Salvo (unregistered) in reply to Little Bobby Tables

    It could have been excel, never forget excel

  • anonymous (unregistered)

    In my opinion, it's not necessarily wrong to have a separate method for each category. Otherwise anyone who wants to do a query has to know the correct category name to use, and the code becomes harder to read. In a well-organised project, you might also have different category queries in different modules, possibly with different access specifiers.

    However, I would do this by writing one method that takes the category as a parameter and does the actual query, then have a one-line wrapper method for each category that passes a hardcoded category name to the actual query method.

  • anonymous (unregistered) in reply to bvs23bkv33

    I think it's done inside the accessBdNonXa.lookup(sbQuery.toString(), parameters) function. Hopefully they use the proper parametrisation functions of their database API and don't do some exploit-filled string substitution/concatenation/escaping nonsense.
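An added example that covers both of anonymous's comments: one query method that takes the category as a parameter, one-line wrappers that fix the category, and plain JDBC `PreparedStatement` binding so the parameters never become part of the SQL text. This is not code from the article or from the commenters; it assumes a JDBC `Connection` to a `MAPPINGS(COD1, COD2, MAP_GROUP)` table as in the posted snippet, and the class name, the second category constant and the wrapper names are invented here:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

// Added illustration, not the article's or any commenter's code.
// CodeMapper and GROUP_TEST_CODE are hypothetical names.
public final class CodeMapper {

    // Category names live here, so callers of the wrappers never spell them.
    private static final String GROUP_COMMENT_CODE = "GROUP_COMMENT_CODE";
    private static final String GROUP_TEST_CODE = "GROUP_TEST_CODE";

    private final Connection connection;

    public CodeMapper(Connection connection) {
        this.connection = connection;
    }

    // The single real query. Both values are bound as JDBC parameters, so the
    // database sees a fixed statement plus two typed arguments. The anti-pattern
    // the commenter worries about would be building the WHERE clause by
    // concatenating `original` into the SQL string; that turns data into code.
    private Optional<String> lookup(String original, String mapGroup) throws SQLException {
        String sql = "SELECT COD2 FROM MAPPINGS WHERE COD1 = ? AND MAP_GROUP = ?";
        try (PreparedStatement stmt = connection.prepareStatement(sql)) {
            stmt.setString(1, original);
            stmt.setString(2, mapGroup);
            try (ResultSet rs = stmt.executeQuery()) {
                if (rs.next()) {
                    return Optional.ofNullable(rs.getString("COD2"));
                }
                return Optional.empty();
            }
        }
        // try-with-resources closes the statement and result set on every path,
        // which is what the snippet's truncated finally block was reaching for.
    }

    // One-line wrappers: each fixes a category, and none repeats the query.
    public Optional<String> mapCommentCode(String original) throws SQLException {
        return lookup(original, GROUP_COMMENT_CODE);
    }

    public Optional<String> mapTestCode(String original) throws SQLException {
        return lookup(original, GROUP_TEST_CODE);
    }
}
```

Two deliberate differences from the posted snippet: a missing row yields `Optional.empty()` rather than `""`, so callers cannot confuse "no mapping" with an empty code, and `SQLException` propagates instead of being swallowed after a log line, so a failed lookup cannot silently be reported as success.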

  • emabrey (unregistered)

    I think the reason for the StringBuffer for a single line is that older JVM implementations of the "+" operator used an implementation that was slower than making your own StringBuffer and appending it with append() instead. Or they are just bad and/or inattentive programmers...

  • emabrey (unregistered)

    I found an example of what I'm talking about: https://www.appmarq.com/public/security,7196,Avoid-large-number-of-String-concatenation
