Oh Wow, Man...



  • I maintain a huge site for a client.  The site's been around forever, but I joined the team only a year ago.  As big as it is, I find new WTFs on almost a daily basis.  The two gems for today were a page called "hello", which was, in its entirety (and live on the site):

    <BODY BGCOLOR=#FFFFFF>
    <% for i = 3 to 7 %>
    <FONT SIZE=<% = i %>>Wow man!</FONT><BR>
    <% next %>
    </BODY>

    ...and a page called query.asp:

    <FORM METHOD=POST ACTION="Results.asp">
    <P>Query:
    <% sql = Request("sql")
    if sql = "" Then
    sql = "select ProductName, ProductType, ProductDescription, ProductImageURL from products"
    end if
    %>
    <P><TEXTAREA NAME="sql" ROWS=15 COLS=75><%=sql%></TEXTAREA><BR>
    <P><INPUT TYPE=SUBMIT VALUE="Execute"><INPUT TYPE=RESET VALUE="Reset">
    </FORM>

    I nearly soiled myself on that one. It was live, not secured, and definitely hitting a production database. Fortunately, nothing sensitive, but still. Incidentally, both pages were in a folder called "wow".  Indeed.

    The offending pages have been removed from the server.
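A defender's check for the pattern in the post (a request parameter that is treated as a raw SQL statement, with Results.asp as the sink), added here as an example and not code from the post or the client's site: a small Python audit that flags classic ASP sources where a variable assigned from Request() is handed to Execute, or where that same variable is also assigned a literal SQL statement. The page sources below are constructed samples modelled on the post (Results.asp is hypothetical), and the regexes are a heuristic, not a VBScript parser.

```python
import re

# Constructed sample sources modelled on the post (not the client's real files):
# query.asp from the post, a hypothetical Results.asp that runs the posted text,
# and a page that binds the request value as a parameter instead.
PAGES = {
    "wow/query.asp": (
        '<% sql = Request("sql")\n'
        'if sql = "" Then\n'
        'sql = "select ProductName, ProductType from products"\n'
        'end if %>\n'
        '<TEXTAREA NAME="sql"><%=sql%></TEXTAREA>'
    ),
    "wow/Results.asp": (
        '<% q = Request.Form("sql")\n'
        'Set rs = conn.Execute(q) %>'
    ),
    "product.asp": (
        '<% id = Request.QueryString("id")\n'
        'cmd.Parameters.Append cmd.CreateParameter("@id", 3, 1, , id)\n'
        'Set rs = cmd.Execute %>'
    ),
}

# var = Request("name") / Request.Form("name") / Request.QueryString("name")
ASSIGN_RE = re.compile(
    r'\b(\w+)\s*=\s*Request(?:\.(?:Form|QueryString))?\s*\(\s*"(\w+)"\s*\)', re.I)
# var = "select ..." / "update ..." etc.: the variable is meant to hold raw SQL
SQL_LITERAL_RE = re.compile(r'\b(\w+)\s*=\s*"\s*(?:select|insert|update|delete)\b', re.I)


def audit(source):
    """Return human-readable findings for one classic ASP source string."""
    findings = []
    tainted = dict(ASSIGN_RE.findall(source))          # variable -> request parameter
    sql_vars = set(SQL_LITERAL_RE.findall(source))     # variables assigned a SQL literal
    for var, param in tainted.items():
        # request value handed straight to ADO Execute (no parameter binding)
        if re.search(r'\.Execute\s*\(?\s*' + re.escape(var) + r'\b', source, re.I):
            findings.append(f'request parameter "{param}" passed to Execute via {var}')
        # same variable is both user-controlled and used as a raw SQL statement
        if var in sql_vars:
            findings.append(f'variable {var} holds request parameter "{param}" and a literal SQL statement')
    return findings


def audit_all(pages):
    """Map path -> findings, keeping only pages with at least one finding."""
    return {path: f for path, src in pages.items() if (f := audit(src))}


if __name__ == "__main__":
    for path, findings in audit_all(PAGES).items():
        print(path, "->", "; ".join(findings))
```

Pointing it at a real tree is a matter of reading each .asp file into the dictionary; the parameterised product.asp sample shows what a clean page looks like to the check.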



  • But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?



  • At least 'wow' was not misspelt, unlike 'brillant'.



  • [quote user="RShilling"]But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?[/quote]

     Yeah. The possibilities are endless...

    'UPDATE products SET ProductImageURL = 'http://www.hotbarnyardporn.com/images/blondewithhorse.jpg'

     



  • [quote user="codemoose"]

    [quote user="RShilling"]But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?[/quote]

     Yeah. The possibilities are endless...

    'UPDATE products SET ProductImageURL = 'http://www.hotbarnyardporn.com/images/blondewithhorse.jpg'

     

    [/quote]

    You might have used a real URL ...



  • [quote user="RShilling"]But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?[/quote]

    We call this "empowering the users"

    Remember - "Code you don't write is code you don't have to maintain"!



  • [quote user="codemoose"]

    [quote user="RShilling"]But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?[/quote]

     Yeah. The possibilities are endless...

    'UPDATE products SET ProductImageURL = 'http://www.hotbarnyardporn.com/images/blondewithhorse.jpg'

     [/quote]

    WTF!?  That URL isn't working!  Do you have the correct URL?  Please fix this quickly.  ;) 



  • [quote user="rbriem"]

    Remember - "Code you don't write is code you don't have to maintain"!

    [/quote]

    I wish.
    Where do you work and how do I apply? 



  • @rbriem said:

    [quote user="RShilling"]But, but...  Wouldn't it be a lot of fun for your customers to be able to write their own queries?[/quote]

    We call this "empowering the users"

    Remember - "Code you don't write is code you don't have to maintain"!

    [/quote]

    My neverending stream of WTFs is from code I [i]didn't[/i] write, but [i]do[/i] have to maintain...



  • [quote user="Balthazaar"][quote user="rbriem"]

    Remember - "Code you don't write is code you don't have to maintain"!

    [/quote]

    I wish.
    Where do you work and how do I apply? 

    [/quote]

    That was the actual marketing slogan for a product I supported once ... looooong ago ...



  • [quote user="smbell"]

    WTF!?  That URL isn't working!  Do you have the correct URL?  Please fix this quickly.  ;) 

    [/quote]

     I just knew someone would try whatever I typed in there.
     



  • [quote user="codemoose"]

    The offending pages have been removed from the server.

    [/quote]

    Please restore the production server to its correct state immediately. I require the "hello" page to carry out my duties.

    Thank you.

