• Cornify (unregistered)

    Frist Iteration

  • TheCPUWizard (unregistered)

    Would love to see the whole thing.... it looks like (warning: minimal coffee intake) the intent is to actually do 16 queries...

  • Brian (unregistered)

    When I see things like this series, I'm sorely tempted to post my own experiences with a codebase made entirely of (C++) WTF, except there's so much that I wouldn't even know where to start... it was written by a self-proclaimed "performance junkie" who decided to re-implement most of the STL containers himself, because he thought he could write a better version (which, in one recent instance, cost us two weeks of development while he hunted down a program crash in what turned out to be a memory leak in some very "clever" code.) This then leads to things like his vector and map implementation that store everything as a char*, and then leave it up to the application to re-cast that pointer however it wants. Type-safety? What's that? Whenever I point out that he's leaving the door wide open for all kinds of bugs, he just makes some vague comment about how a good programmer never makes those kinds of mistakes.

    The good news: the management is totally on board with me cleaning up this trainwreck, and I happen to be a fan of challenging puzzles. So I can totally empathize with Virginia here.

  • 🤷 (unregistered)

    I once introduced a switch-loop into a program during refactoring. In my defense, it was only an attempt to make the code more readable. And more readable it was. Which isn't really surprising at all, since the original version featured nested-if-else-statements inside that for-loop. I think it was something like 32 nested if-else's, like this

    if(i==1) {
        //code here
    }
    else {
        if(i==2)
            //code here
        else {
            if(i==3){
                 //even more code here
            }
            //continue until you reach if(i==32)
        }
    }
  • 🤷 (unregistered)

    Aha! Using html-Tags in comments is a sure way to get the comment held for moderation. I was trying to use the pre-Tags for code formatting. Is that even the right way to do that here?

  • E.R. (unregistered)

    Do we know that those strings are user input? If their content is fully known and strictly controlled (a big "if" and probably not the case, but it could be), then building the queries by concatenation isn't bad.

    What I keep wondering is: Why StringBuilder?

  • Brian Boorman (google) in reply to 🤷

    I think you can use left-bracket code right-bracket 'your code here' left-bracket forward-slash code right-bracket.

    Let's see if I can use ampersand-codes to reproduce that: &#5b code &#5d your code here &#5b &#2f code &#5d

    Addendum 2017-11-02 09:06: Nope.

  • 🤷 (unregistered)

    Well, let's see...

    if(success)
        printf("Thanks");
    else
        printf("Nope");
    
  • Dude (unregistered)

    I find it weird how they know enough to use StringBuilder, but use it to append concatenated strings, almost defeating the purpose of StringBuilder for those cases...

  • 🤷 (unregistered)

    Okay, that works. So, I'll repost my other (still held) comment:

    I once introduced a switch-loop while refactoring code. But in my defense, I did it to make the code more readable. And more readable it was. Which is not surprising, since the original code used a for-loop and nested if-else-statements. I think there where 32 nested statements, like this:

    [code] if(i==0) { //do stuff here } else { if(i==1) { //do different stuff here } else { if(i==2) { //do something completly different here } else { //and so on } } }

    IIRC, the code manipulated a dialog form and displayed different text depending on which value 'i' had. That's why it wasn't a simple matter of "getting rid of the for loop", since that would've meant to introduce some way to stop the process from running and wait for user input before continuing. I'm pretty sure you all know how this goes: Change the code around a bit and you are bound to introduce about 30 bugs per changed line. I then settled to remove all the if-else's and make use of a switch. At least you didn't have to scroll to the right to read the code anymore.

  • 🤷 (unregistered) in reply to 🤷

    Nice, forgot to close the code tag... :(

    if(i==0)
    {
        //do stuff here
    }
    else
    {
        if(i==1)
        {
            //do different stuff here
        }
        else
        {
            if(i==2)
            {
                    //do something completly different here
            }
            else
            {
                    //and so on
            }
        }
    }
    
  • Mr Bits (unregistered)

    The author of this code missed a glorious opportunity to inject some real excitement by assigning a new value to i in some of the cases. (Yes, I have seen instances of this.)

  • AndyW (unregistered) in reply to Mr Bits

    You owe me a new keyboard for that comment!

  • Paul Neumann (unregistered) in reply to 🤷

    Cool story bro. Now, fuck off!

  • Vexorg (unregistered)

    Where I am right now, they just do it like

    return string.format($"
    //Insert 1,600 lines of SQL here with a couple of things appended in
    ");
    
  • At least they stopped at case 15 (unregistered)

    I was half expecting a bug because there was a case 16 that was never running.

  • P. Wolff (unregistered) in reply to At least they stopped at case 15

    And I was half expecting a

    default:
    - DotNet still doesn't recognize when all entries of an enum are exhausted but complains of not all code paths returning a value

  • pie_flavor (unregistered)

    Just pointing out that the letters can be rearranged to spell I Spam Vote.

  • Jim Tonic (unregistered) in reply to P. Wolff

    I'm not sure, but I think it's possible to have an enum in an external library. When an enum value is added in a new version of the library, the default clause comes in handy.

  • MiserableOldGit (unregistered) in reply to Mr Bits

    Seen a whole codebase using that "method" ... Most of our time was spent stepping through these while/switch loops trying see where they got stuck in infinite iterations or crashed out sideways because the iterator was given the wrong setting.

    The real joy were the ones where the senior WTFgenerator had thrown in a bit of recursion for no apparent reason beyond "only real programmers understand recursion". Presumably it takes the artificial kind to know when it is appropriate to use it.

  • MiserableOldGit (unregistered) in reply to Brian

    Hmm, I think I used to work with that guy. He used to like lecturing the rest of us on how to do proper OO code. One look at his class names was enough to know you'd be better off not listening!

  • isthisunique (unregistered)

    I can see immediate problems here such as the use of a StringBuilder. Who in their right might would use such a facility when any decent language would simply override an operator for something as absurdly commonplace as string concatenation and interpolation? What's next? LogicBuilder?

    Humbug I say humbug!

  • Paul Neumann (unregistered) in reply to P. Wolff

    .NET doesn't require enum values to be defined:

    enum Color {
        Red = 1,
        Green = 2,
        Blue = 3
    }
    
    Color c = (Color) -255;
    

    is entirely valid code, thus there must be a default condition even when all defined values are handled.

  • Harrow (unregistered) in reply to Mr Bits

    Indeed, leaving out the incrementer and changing the value of i in at least some of the cases is a valid justification for writing a switch-loop. With some sort of consumer in the loop, it is an excellent way to implement a state machine.

  • 🤷 (unregistered) in reply to Paul Neumann

    Cool story bro. Now, fuck off!

  • Mikie (unregistered)

    Wow, this is a new one. They have managed to correctly use bind variables (with the add parameter) while still retaining classic SQLi!

    ?searchStock=' union select table_name from all_tab_columns where column_name like '%PASSWORD%' --

  • Paul Neumann (unregistered) in reply to 🤷

    Not now, 🤷 the grown ups are talking.

Leave a comment on “Switching the Search”

Log In or post as a guest

Replying to comment #:

« Return to Article