We got ripped off



  • We had a consultant do some SIMPLE searches in the database, and I'm pretty sure he was either an idiot, or he was just trying to get hours and thought nobody would ever find out. I guess he didn't plan on me getting his job. I hate this guy... if I ever see him in a dark alley... it's not going to be pretty :)

    The task is to search the database against 6 columns, each of which is searchable by a user entry in the "criteria" object - which is sometimes referred to as "isc" and sometimes as "criteria" - but it doesn't matter because they are exact copies of each other (the criteria object itself is a big WTF too). This is what the genius consultant came up with... and this is only for one option in the possible search types: quick search, find specific issue, and advanced search - this is for the advanced search. The others were equally bloated...

    Today I replaced this with a single stored procedure call, and the proc is 120 lines long, but most of that is "blank line" formatting and comments. Not only is this ridiculously long and full of WTFs, it didn't even work right most of the time.

    Here's my code:

    cmd.CommandText = "exec WL_search_advanced @terms, @match, @title, @author, @start_month, @start_year, @end_month, @end_year, @pubs, @descriptors";
    // The free-text criteria can be null (the old code tested each one for that). SqlClient
    // drops a parameter whose value is a .NET null and the call then fails with
    // "expects the parameter ... which was not supplied", so pass DBNull.Value instead.
    cmd.Parameters.AddWithValue("@terms", (object)criteria.Terms ?? DBNull.Value);
    cmd.Parameters.AddWithValue("@match", criteria.SearchMatchType.ToString("G"));
    cmd.Parameters.AddWithValue("@title", (object)criteria.Title ?? DBNull.Value);
    cmd.Parameters.AddWithValue("@author", (object)criteria.Authorlastname ?? DBNull.Value);
    cmd.Parameters.AddWithValue("@start_month", criteria.FromMonth);
    cmd.Parameters.AddWithValue("@start_year", criteria.FromYear);
    cmd.Parameters.AddWithValue("@end_month", criteria.Month);
    cmd.Parameters.AddWithValue("@end_year", criteria.Year);
    cmd.Parameters.AddWithValue("@pubs", criteria.Publications.ToString("G"));
    cmd.Parameters.AddWithValue("@descriptors", (object)criteria.Keywordlist ?? DBNull.Value);

     

    And here's how you make money: 

                        // do author
                        if (criteria.Authorlastname != null && criteria.Authorlastname.Trim().Length > 0)
                        {
                            cmd.CommandText += " and Authors like @author";
                            cmd.Parameters.AddWithValue("@author", "%" + criteria.Authorlastname + "%");
                        };

                        // do title search                   
                        if (criteria.Title != null && criteria.Title.Trim().Length > 0)
                        {
                            cmd.CommandText += " and Title like @titleOnly";
                            standardsfilter += " Title like @titleOnly ";
                            cmd.Parameters.AddWithValue("@titleOnly", "%" + criteria.Title + "%");
                        }

                        // do keywords comparison, must do like comparisons because of delimiters used in waternet data
                        // added the keywordlist logic for
                        if (criteria.Keywordlist != null && criteria.Keywordlist.Trim().Length != 0)
                        {
                            string stdsKeywordList = "  (";
                            string stdsKeywordList_tail = ") ";
                            //stdsKeywordList = " and (";

                            //If there is a title and there are terms we need the and before and the appropriate and/or after
                            if ((criteria.Title != null && criteria.Title.Trim().Length > 0) && (criteria.Terms != null && criteria.Terms.Trim().Length > 0))
                            {
                                stdsKeywordList = " and (";
                                switch (criteria.SearchMatchType)
                                {
                                    case SearchMatchType.All:
                                        stdsKeywordList_tail = ") aNd ";
                                        break;
                                    case SearchMatchType.Any:
                                        stdsKeywordList_tail = ") oR ";
                                        break;
                                    case SearchMatchType.Phrase:
                                        stdsKeywordList_tail = ") anD ";
                                        break;
                                    default:
                                        stdsKeywordList_tail = ")/*default terms and title */ ";
                                        break;
                                }
                            }
                            //If there is a title entry and no terms we add text before the descriptors
                            else if ((criteria.Title != null && criteria.Title.Trim().Length > 0) && (criteria.Terms == null || criteria.Terms.Trim().Length == 0))
                            {
                                stdsKeywordList = " and (";//this value is updated later depending on whether or not there are terms in the title
                                stdsKeywordList_tail = ") ";
                            }
                            //If there is no title entry we need to add text after the descriptors
                            else if ((criteria.Terms != null && criteria.Terms.Trim().Length > 0) && (criteria.Title == null || criteria.Title.Trim().Length == 0))
                            {
                                //set the text in these three lines so that it is easier to find in a text dump of the query syntax
                                stdsKeywordList = "  (";
                                switch (criteria.SearchMatchType)
                                {
                                    case SearchMatchType.All:
                                        stdsKeywordList_tail = ") aNd ";
                                        break;
                                    case SearchMatchType.Any:
                                        stdsKeywordList_tail = ") oR ";
                                        break;
                                    case SearchMatchType.Phrase:
                                        stdsKeywordList_tail = ") anD ";
                                        break;
                                    default:
                                        stdsKeywordList_tail = ")/*default criteria.Terms != null*/ ";
                                        break;
                                }
                            }
                         
                            else
                            {
                                stdsKeywordList = "  (";
                                stdsKeywordList_tail = ")/*default for title and terms descriptor logic*/ ";
                            }

                            string[] terms = criteria.Keywordlist.Split(new char[] { ',' });
                            int count = 0;
                            cmd.CommandText += " AND (";
                            foreach (string term in terms)
                            {
                                count += 1;
                                if (count > 1)//cmd.CommandText += " OR ";
                                {
                                    cmd.CommandText += " OR ";
                                    stdsKeywordList += " OR ";
                                }
                               
                                cmd.CommandText += "Descriptors like @desc" + count;
                                stdsKeywordList += "Descriptors like @desc" + count;
                                cmd.Parameters.AddWithValue("@desc" + count, "%" + term + "%");
                            }
                            cmd.CommandText += ") ";
                          
                            standardsfilter = standardsfilter + stdsKeywordList + stdsKeywordList_tail;
                        }

                        if (criteria.Terms != null && criteria.Terms.Trim().Length != 0)
                        {
                            string[] terms = criteria.Terms.Split(new char[] { ' ' });
                            int count = 0;

                            // do terms comparison
                            switch (criteria.SearchMatchType)
                            {
                                case SearchMatchType.All:
                                    cmd.CommandText += " AND (";
                                    cmd.CommandText += "(";
                                    count = 0;

                                    foreach (string term in terms)
                                    {
                                        count += 1;
                                        if (count > 1)// cmd.CommandText += ") AND (";
                                        {
                                            cmd.CommandText += ") AND (";
                                            standardsfilter += ") AND (";
                                        }
                                        cmd.CommandText += " Abstract like @Abstract" + count;
                                        standardsfilter += " Abstract like @Abstract" + count;
                                        cmd.Parameters.AddWithValue("@Abstract" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Title like @Title" + count;
                                        standardsfilter += " OR Title like @Title" + count;
                                        cmd.Parameters.AddWithValue("@Title" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Descriptors like @Descriptors" + count;
                                        standardsfilter += " OR Descriptors like @Descriptors" + count;
                                        cmd.Parameters.AddWithValue("@Descriptors" + count, "%" + term + "%");

                                        //added by RRR 10-18-2007 to include the awwa product code in the search
                                        cmd.CommandText += " OR AWWA_Product_Code like @AWWA_Product_Code" + count;
                                        standardsfilter += " OR AWWA_Product_Code like @AWWA_Product_Code" + count;
                                        cmd.Parameters.AddWithValue("@AWWA_Product_Code" + count, "%" + term + "%");
                                    }
                                    cmd.CommandText += "))";

                                    break;
                                case SearchMatchType.Any:
                                    cmd.CommandText += " AND (";
                                    cmd.CommandText += "(";
                                    count = 0;
                                    foreach (string term in terms)
                                    {
                                        count += 1;
                                        if (count > 1) //cmd.CommandText += ") OR (";
                                        {
                                            cmd.CommandText += ") OR (";
                                            standardsfilter += ") OR (";
                                        }
                                        cmd.CommandText += "Abstract like @Abstract" + count;
                                        standardsfilter += "Abstract like @Abstract" + count;
                                        cmd.Parameters.AddWithValue("@Abstract" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Title like @Title" + count;
                                        standardsfilter += " OR Title like @Title" + count;
                                        cmd.Parameters.AddWithValue("@Title" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Descriptors like @Descriptors" + count;
                                        standardsfilter += " OR Descriptors like @Descriptors" + count;
                                        cmd.Parameters.AddWithValue("@Descriptors" + count, "%" + term + "%");

                                        //added by RRR 10-18-2007 to include the awwa product code in the search
                                        cmd.CommandText += " OR AWWA_Product_Code like @AWWA_Product_Code" + count;
                                        standardsfilter += " OR AWWA_Product_Code like @AWWA_Product_Code" + count;
                                        cmd.Parameters.AddWithValue("@AWWA_Product_Code" + count, "%" + term + "%");
                                    }
                                    cmd.CommandText += "))";

                                    break;
                                case SearchMatchType.Phrase:
                                    cmd.CommandText += " AND (";

                                    cmd.CommandText += "Abstract like @Abstract";
                                    standardsfilter += "Abstract like @Abstract";
                                    cmd.Parameters.AddWithValue("@Abstract", "%" + criteria.Terms + "%");

                                    cmd.CommandText += " OR Title like @Title";
                                    standardsfilter += " OR Title like @Title";
                                    cmd.Parameters.AddWithValue("@Title", "%" + criteria.Terms + "%");

                                    cmd.CommandText += " OR Descriptors like @Descriptors";
                                    standardsfilter += " OR Descriptors like @Descriptors";
                                    cmd.Parameters.AddWithValue("@Descriptors", "%" + criteria.Terms + "%");
                                    //cmd.CommandText += ")";

                                    //Added by RRR 10-18-2007 to include the awwa product code in the search
                                    cmd.CommandText += " OR AWWA_Product_code like @AWWA_Product_code";
                                    standardsfilter += " OR AWWA_Product_code like @AWWA_Product_code";
                                    cmd.Parameters.AddWithValue("@AWWA_Product_code", "%" + criteria.Terms + "%");
                                    cmd.CommandText += ")";

                                    break;
                                default:
                                    cmd.CommandText += " AND (";
                                    cmd.CommandText += "(";
                                    count = 0;
                                    foreach (string term in terms)
                                    {
                                        count += 1;
                                        if (count > 1) //cmd.CommandText += ") OR (";
                                        {
                                            cmd.CommandText += ") OR (";
                                            standardsfilter += ") OR (";
                                        }
                                        cmd.CommandText += "Abstract like @Abstract" + count;
                                        standardsfilter += "Abstract like @Abstract" + count;
                                        cmd.Parameters.AddWithValue("@Abstract" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Title like @Title" + count;
                                        standardsfilter += " OR Title like @Title" + count;
                                        cmd.Parameters.AddWithValue("@Title" + count, "%" + term + "%");

                                        cmd.CommandText += " OR Descriptors like @Descriptors" + count;
                                        standardsfilter += " OR Descriptors like @Descriptors" + count;
                                        cmd.Parameters.AddWithValue("@Descriptors" + count, "%" + term + "%");

                                        //Added by RRR 10-18-2007 to include the awwa product code in the search
                                        cmd.CommandText += " OR AWWA_Product_code like @AWWA_Product_code" + count;
                                        standardsfilter += " OR AWWA_Product_code like @AWWA_Product_code" + count;
                                        cmd.Parameters.AddWithValue("@AWWA_Product_code" + count, "%" + term + "%");
                                    }
                                    cmd.CommandText += "))";

                                    break;
                            }
                        }

                        // do month and year ranges
                        cmd.Parameters.AddWithValue("@FromYear", criteria.FromYear);
                        cmd.Parameters.AddWithValue("@Year", criteria.Year);
                        cmd.Parameters.AddWithValue("@FromMonth", criteria.FromMonth);
                        cmd.Parameters.AddWithValue("@Month", criteria.Month);
               
                        if (criteria.Publications == MatchPublication.Journal)
                        {
                            //old//cmd.CommandText += " and Pub_Abbreviation = 'JAW'";
                            //start new
                            cmd.CommandText = "select " + cmd.CommandText;
                            cmd.CommandText += " and (( mo_period    between ";
                            cmd.CommandText += " ( CASE WHEN LEN(@FromMonth) = 1 THEN CAST( @FromYear AS varchar(4)) + '0' + CAST( @FromMonth AS varchar(2))  ELSE CAST( @FromYear AS varchar(4)) +  CAST(@FromMonth AS varchar(2)) END ) ";
                            cmd.CommandText += " and ( CASE WHEN LEN(@Month) = 1 THEN CAST( @Year AS varchar(4)) + '0' + CAST( @Month AS varchar(2))  ELSE CAST( @Year AS varchar(4)) +  CAST(@Month AS varchar(2)) END)";
                            cmd.CommandText += ")) and Pub_Abbreviation in  ( 'JAW')";
                            //end new
                        }
                        else if (criteria.Publications == MatchPublication.Standards)
                        {
                            //standardsfilter = " abstract like '%steel%' and abstract like '%pipe%' ";
                            cmd.CommandText = "select " + cmd.CommandText;
                            cmd.CommandText += " /*foo*/ and Pub_Abbreviation like 'ST%' and (" + standardsfilter + ") and a.pub_year = (select max(pub_year) ";
                            cmd.CommandText += " from waternet_document_flat b where  a.standard_name=b.standard_name ";
                            //cmd.CommandText += " and b.pub_abbreviation like 'ST%' and ( " + standardsfilter + ") group by b.standard_name) order by a.standard_name";
                            cmd.CommandText += " and b.pub_abbreviation like 'ST%' group by b.standard_name) order by a.standard_name";
                        }
                        else if (criteria.Publications == MatchPublication.All)
                        {
                            cmd.CommandText = "select " + cmd.CommandText;
                            cmd.CommandText += " and ((    mo_period between (@FromYear * 100 + @FromMonth ) And (@Year * 100 + @Month ))) ";                 
                            cmd.CommandText += " or accession_no in (select accession_no from  v_waternet_flat where pub_abbreviation in ('ST', 'STA', 'STB', 'STC', 'STD', 'STE', 'STF', 'STG') and pub_year >= @FromYear ";

                            if (standardsfilter.Length != 0)
                            {
                                cmd.CommandText += "  and (" + standardsfilter + "))";
                            }
                            else
                            {
                                cmd.CommandText += "  )";
                            }
                        }



  • barf Damn I hate code that bad. I'm glad you replaced it with a commented sproc.



  • I might be missing something, but isn't the longer section of code actually better as it does error checking and is commented? The OP says "Here's my code:" when presenting the shorter bit, which is clean, but doesn't have error checking. Funky case on the oR aNd anD though.



  • @Lingerance said:

    I might be missing something, but isn't the longer section of code actually better as it does error checking and is commented? The OP says "Here's my code:" when presenting the shorter bit, which is clean, but doesn't have error checking. Funky case on the oR aNd anD though.
     

     

    I assume that the relevant error checking and comments were moved into the WL_search_advanced procedure.

     



  • @emurphy said:

    I assume that the relevant error checking and comments were moved into the WL_search_advanced procedure.

    I agree since this was stated:

    @jasmine2501 said:

    a single stored procedure call, and the proc is 120 lines long, but most of that is "blank line" formatting and comments

    That's more sane than all the checking and inline SQL statement building inside of the application itself.



  • Yes there's some range-checking done on the database side, but the validation of user input is actually done before the "criteria" object is built and passed in. Also, the AddWithValue() function performs sanitization against code injection and that sort of thing. 
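The point about parameters deserves a worked illustration, because they are often described as "sanitizing" input when they do something different: the value travels to SQL Server as typed data, separate from the statement text, so it can never close a quote or add a clause. What they do not do is neutralise the LIKE metacharacters `%`, `_` and `[` inside a pattern, and they protect nothing that is concatenated into SQL inside a stored procedure. The block below is an added example written for this page, not code from the AWWA site or from either version posted above; the class and method names, the `Descriptors` column and `waternet_document_flat` table are taken from the snippets in the thread, and the hostile keyword is a constructed input.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example (not the site's code). Table/column names are assumed from the thread.
static class WaterSearch
{
    // Escape the T-SQL LIKE metacharacters so the user's text is matched literally.
    // A parameter keeps the value out of the SQL text, but '%', '_' and '[' are still
    // wildcards once the value is used as a LIKE pattern, so they must be escaped and the
    // statement must name the escape character with ESCAPE '\'.
    public static string EscapeLike(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\' || c == '%' || c == '_' || c == '[')
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // INJECTABLE: the same WHERE-builder with the keywords spliced into the text.
    // The constructed keyword  x%') OR 1=1 --  closes the literal and the group,
    // appends a tautology and comments out the rest of the statement.
    public static string UnsafeDescriptorFilter(string keywordList)
    {
        var clauses = new List<string>();
        foreach (string kw in keywordList.Split(','))
            clauses.Add("Descriptors like '%" + kw.Trim() + "%'");
        return " AND (" + string.Join(" OR ", clauses) + ")";
    }

    // PARAMETERISED: each keyword is bound as a typed nvarchar value, with its wildcards
    // escaped. The SQL text contains only parameter names, as in the original builder.
    public static string BuildDescriptorFilter(SqlCommand cmd, string keywordList)
    {
        var clauses = new List<string>();
        int n = 0;
        foreach (string kw in keywordList.Split(','))
        {
            string term = kw.Trim();
            if (term.Length == 0) continue;
            n++;
            string name = "@desc" + n;
            clauses.Add("Descriptors like " + name + " ESCAPE '\\'");
            // Explicit type and length: AddWithValue infers a length from each value, which
            // gives one cached plan per distinct length, and a .NET null drops the parameter.
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 4000).Value = "%" + EscapeLike(term) + "%";
        }
        return clauses.Count == 0 ? "" : " AND (" + string.Join(" OR ", clauses) + ")";
    }

    public static void Main()
    {
        // Constructed input: one legitimate keyword and one hostile one.
        string keywords = "steel pipe, x%') OR 1=1 --";

        Console.WriteLine(UnsafeDescriptorFilter(keywords));
        // ... OR Descriptors like '%x%') OR 1=1 --%')   the filter is gone

        using (var cmd = new SqlCommand("select * from waternet_document_flat a where 1=1"))
        {
            cmd.CommandText += BuildDescriptorFilter(cmd, keywords);
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
            // @desc2 = %x\%') OR 1=1 --%   sent as data and matched as a literal string
        }
    }
}
```

Moving the logic into `WL_search_advanced` does not change this analysis; it moves it. The check to make on the procedure is that `@terms`, `@descriptors` and `@author` are used directly in `LIKE` predicates (ideally with the same escaping and `ESCAPE` clause) and are never concatenated into a string that is run with `EXEC(...)`; if dynamic SQL is unavoidable there, `sp_executesql` with its own parameter list keeps the values as data.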



  •  You have to understand, this is only a small part of some 50+ pages of bad code. There's a web page, three custom user controls, various Javascripts (that don't work), two DLLs, various classes which inherit Interfaces that don't do anything... and no stored procs. It's a mess... in 20 years of programming I haven't really seen anything like it, except on this site.

     If you want to see this thing live, go here:

    http://www.awwa.org/awwa/WaterLibrary/Search.aspx

     



  • @jasmine2501 said:

    If you want to see this thing live, go here

    Damn! That's a beast. I hope no one on slow broadband or dial-up is going to approach that. When it was first loading, I could see all sorts of bits that I shouldn't have. The "Advanced Search" tab is a complete failure in Opera 9.24. That keyword list is insane, too.



  •  We wouldn't know... you see, we only do testing on our super-high-speed internal network and only using Internet Exploder.

     At least this means I'll have a job for a while. The last place I worked at I got "everything done" and was let go because there wasn't any more work. Same with the rest of the IT staff...

    That keyword list is the next thing to get the axe. Just have to convince the business group that nobody in their right mind is going to browse through 1944 keywords in an 8-row list box, when they could just as easily type in what they are looking for.



  • @jasmine2501 said:

    We wouldn't know... you see, we only do testing on our super-high-speed internal network and only using Internet Exploder.

    I know of many similar people that seem to think the outside world experiences exactly what they do when testing.

    @jasmine2501 said:

    The last place I worked at I got "everything done" and was let go because there wasn't any more work.

    I've done that before. Codethulu owns my soul now, though.

    @jasmine2501 said:

    Just have to convince the business group that nobody in their right mind is going to browse through 1944 keywords in an 8-row list box, when they could just as easily type in what they are looking for!

    When I first looked at the source, I was wondering what the hell that was. Then I looked at the name of the Select and went back to the Advanced tab and saw it. It's astounding that the person implemented search that way. I would understand the narrow-your-results type of search similar to job sites or eBay (select from category list, select from generated sub-category list, etc), but almost 2,000 keywords that have to be manually picked through and added to another list? Ha!


  • 

    @jasmine2501 said:

    We wouldn't know... you see, we only do testing on our super-high-speed internal network and only using Internet Exploder.

     At least this means I'll have a job for a while

    May be a bit longer; it's not exactly pretty in FireFox either (3.0b3):

    Screendump - FF3.0b



  • Doesn't surprise me... the page is a mixture of ColdFusion, ASP.NET, and various JavaScript, and it's hosted at two different places. The real WTF here is that we have a company policy that "pages must look the same in all web browsers" - when I heard that I got out my copy of Lynx and I said "oh really?" - I think that policy is going away - it's clearly not being met anyway.

    Where's the head-smackin smiley?



  • I hit Search without any text in the field, Entire Library was checked.  Looks like the search can't handle a null case, hehe.
     
    Server Error in '/AWWA' Application.
    Data is Null. This method or property cannot be called on Null values.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Data.SqlTypes.SqlNullValueException: Data is Null. This method or property cannot be called on Null values.

    Source Error:

    Line 76: else if (Session[ResultsKey] == null) // we have criteria, but no search results so search again
    Line 77: {
    Line 78: wlm.do_search();
    Line 79: }
    Line 80:


    Source File: d:\Inetpub\awwa-org\htdocs\AWWA\WaterLibrary\wlResults.aspx.cs Line: 78

    Stack Trace:

    [SqlNullValueException: Data is Null. This method or property cannot be called on Null values.]
    System.Data.SqlClient.SqlBuffer.get_String() +80
    System.Data.SqlClient.SqlDataReader.GetString(Int32 i) +39
    AWWADAL.WaterLibrarySearchManager.GetStandardName(String a) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:250
    AWWADAL.WaterLibrarySearchManager.ReplaceHistoricalStandards(IWaterLibraryManager mgr, List`1 artcls) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:305
    AWWADAL.WaterLibrarySearchManager.PerformSearch(IWaterLibraryManager mgr, ISearchCriteria criteria) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:226
    AWWABLL.WaterLibraryManager.do_search() in C:\Web Projects\AWWABLL\Waterlibrary\WaterLibraryManager.cs:116
    wlResults.Page_Load(Object sender, EventArgs e) in d:\Inetpub\awwa-org\htdocs\AWWA\WaterLibrary\wlResults.aspx.cs:78
    System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34
    System.Web.UI.Control.OnLoad(EventArgs e) +99
    System.Web.UI.Control.LoadRecursive() +47
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061


  • Maybe you should go try to rehire the guy that wrote your original search. I tried searching for "water", got this: 

    Server Error in '/AWWA' Application.
    Data is Null. This method or property cannot be called on Null values.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Data.SqlTypes.SqlNullValueException: Data is Null. This method or property cannot be called on Null values.

    Source Error:

    Line 76:         else if (Session[ResultsKey] == null) // we have criteria, but no search results so search again
    Line 77:         {
    Line 78:             wlm.do_search();
    Line 79:         }
    Line 80:

    Source File: d:\Inetpub\awwa-org\htdocs\AWWA\WaterLibrary\wlResults.aspx.cs    Line: 78

    Stack Trace:

    [SqlNullValueException: Data is Null. This method or property cannot be called on Null values.]
       System.Data.SqlClient.SqlBuffer.get_String() +80
       System.Data.SqlClient.SqlDataReader.GetString(Int32 i) +39
       AWWADAL.WaterLibrarySearchManager.GetStandardName(String a) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:250
       AWWADAL.WaterLibrarySearchManager.ReplaceHistoricalStandards(IWaterLibraryManager mgr, List`1 artcls) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:305
       AWWADAL.WaterLibrarySearchManager.PerformSearch(IWaterLibraryManager mgr, ISearchCriteria criteria) in C:\AWWASite\AWWADAL\Waterlibrary\WaterLibrarySearchManager.cs:226
       AWWABLL.WaterLibraryManager.do_search() in C:\Web Projects\AWWABLL\Waterlibrary\WaterLibraryManager.cs:116
       wlResults.Page_Load(Object sender, EventArgs e) in d:\Inetpub\awwa-org\htdocs\AWWA\WaterLibrary\wlResults.aspx.cs:78
       System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +15
       System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +34
       System.Web.UI.Control.OnLoad(EventArgs e) +99
       System.Web.UI.Control.LoadRecursive() +47
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061

    Version Information: Microsoft .NET Framework Version:2.0.50727.832; ASP.NET Version:2.0.50727.832


  • Unless I'm missing something, isn't the Real WTF(tm) the fact that web.config must have debug set to true, because it's showing the stack trace and the line of code that's causing the error?  At least use a generic error page!



  • @ObiWayneKenobi said:

    Unless I'm missing something, isn't the Real WTF(tm) the fact that web.config must have debug set to true, because it's showing the stack trace and the line of code that's causing the error?  At least use a generic error page!

    Really it should have CustomErrors != "Off".

    RemoteOnly is my friend in most cases like this.
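The two settings the last posts are talking about live in `web.config`. The error pages quoted above reveal server file paths, the offending source lines with their line numbers, internal assembly and class names, and the exact framework build to any anonymous visitor; the line numbers come from a debug compilation and the page itself is shown to remote clients only when `customErrors` is `Off`. The fragments below are added examples of the weak configuration beside the corrected one, not the AWWA site's actual `web.config`; the `~/Error.aspx` and `~/NotFound.aspx` pages are assumed placeholders.

```xml
<!-- Added example, not the site's real configuration. -->

<!-- Weak: the "yellow screen of death" with source lines and paths goes to everyone. -->
<system.web>
  <compilation debug="true" />
  <customErrors mode="Off" />
</system.web>

<!-- Corrected: remote visitors get a generic page, while a browser on the server itself
     (RemoteOnly) still sees the full details for troubleshooting. The redirect targets are
     assumed; they must exist, or the error page itself errors. -->
<system.web>
  <compilation debug="false" />
  <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
    <error statusCode="404" redirect="~/NotFound.aspx" />
  </customErrors>
</system.web>
```

A quick external check is to request a page that is known to throw (as the posters above did) and confirm the response is the generic page with no `Source File:` or `Stack Trace:` section; the detail should appear only when the same request is made from the web server's own console.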



  • Yes, we are addressing the issues of the error messages, null values, and so on. It also crashes if you fill in certain combinations of fields. The version you are looking at is not the one I fixed, since we're doing beta testing on the fixed version right now. Or rather, I'm doing testing on it... I have a large number of these and I've only done a cursory examination of the site. This section isn't affected by our server upgrade though, so it has to be fixed, while the other problems can wait for the site re-design. 



  • @jasmine2501 said:

    Yes, we are addressing the issues of the error messages, null values, and so on. It also crashes if you fill in certain combinations of fields. The version you are looking at is not the one I fixed, since we're doing beta testing on the fixed version right now. Or rather, I'm doing testing on it... I have a large number of these and I've only done a cursory examination of the site. This section isn't affected by our server upgrade though, so it has to be fixed, while the other problems can wait for the site re-design. 

     

    Can't you change that one value in your web.config? I don't think you need to test that. Besides that site is horribly broken as is, I doubt you could really mess it up worse anyway.



  •  Not really... since I'm the new girl, I can't really change anything site-wide like that. I could probably get away with changing it only for that folder though... but not without getting a whole bunch of approvals. It's funny... they insist that things be tested in beta, and that certain people sign off on the change, but still, massive errors like this seem to get through. If people don't know WTF they are looking at, they shouldn't really be the ones signing off on it... but they are...

     



  • @jasmine2501 said:

     Not really... since I'm the new girl

     

     

    This is the real WTF.

    Girls don't exist on the intertubes. 



  • @jasmine2501 said:

    switch (criteria.SearchMatchType)
                                {
                                    case SearchMatchType.All:
                                        stdsKeywordList_tail = ") aNd ";
                                        break;
                                    case SearchMatchType.Any:
                                        stdsKeywordList_tail = ") oR ";
                                        break;
                                    case SearchMatchType.Phrase:
                                        stdsKeywordList_tail = ") anD ";
                                        break;
                                    default:
                                        stdsKeywordList_tail = ")/*default terms and title */ ";
                                        break;
                                }

    Fat the whuck?



  •  Hehe... Look at my avatar... I'm a dog :D

     Actually we had a meeting of the IT staff today and it was 8 guys and 6 girls... I've never seen that kind of ratio anywhere... that's the non-profit world though I think.

     If it matters, I'm not a chix0r in the classic sense: http://www.smoothjazzy.com - that's my unfinished web site - don't just look at the pictures ok... I can tell if you do that :)

    I'm an RC airplane nut too: http://jazzyflight.blogspot.com 



  • @jasmine2501 said:

     If it matters, I'm not a chix0r in the classic sense: http://www.smoothjazzy.com - that's my unfinished web site - don't just look at the pictures ok... I can tell if you do that :)
     

    Well, I think that proves Jonathon Holland's statement.

    Thanks for the warning about the content for those people at work and/or in sensitive environments...

    Everyone else: That link may or may not be NSFW.



  • To those interested in finding out what a t-girl is (jasmine2501 refers to herself as one), use google and not wikipedia.



  • @jasmine2501 said:

    and only using Internet Exploder.
     

    If I couldn't use Firefox & Firebug (and a few other things) then I wouldn't be a web developer. Using IE only would drive me insane. 



  • Probably not safe for work... if you work at Focus on the Family or something... but I think it's fine just about anywhere else...

     



  • @jasmine2501 said:

    Probably not safe for work... if you work at Focus on the Family or something... but I think it's fine just about anywhere else...

     

     

    As long as you don't mind stuff like 't-girl' and 'porn' showing up in your web traffic logs...



  • @MasterPlanSoftware said:

    @jasmine2501 said:

    Probably not safe for work... if you work at Focus on the Family or something... but I think it's fine just about anywhere else...

     

    As long as you don't mind stuff like 't-girl' and 'porn' showing up in your web traffic logs...

    Well if they monitor the content of the page, you've just made this thread unsafe as well.



  • @Cap'n Steve said:

    @MasterPlanSoftware said:

    @jasmine2501 said:

    Probably not safe for work... if you work at Focus on the Family or something... but I think it's fine just about anywhere else...

     

     

    As long as you don't mind stuff like 't-girl' and 'porn' showing up in your web traffic logs...

    Well if they monitor the content of the page, you've just made this thread unsafe as well.

     

    Well, the keyword is actually "no porn" which I am, in general, against. If you use Google you might get the impression that t-girls are all sex objects and adult film stars, but part of the point of the site is that we're not. I have thought about changing the opening lines, but I had an important point to make. I'm just an All-American girl who has no interest in objectifying myself in that way. I'm happy to objectify myself in cleaner ways... but not that way. And I could make a ton of money at it too... when I first created the site, I got a few offers like that, and I just wanted to put a stop to that. 



  • Google makes no distinction between the words "no porn" and the word porn when indexing. Try "All images of me are fully clothed".



  • @Lingerance said:

    Google makes no distinction between the words "no porn" and the word porn when indexing. Try "All images of me are fully clothed".
     

    Nor does anyone who happens to walk by who looks at your screen.



  • @MasterPlanSoftware said:

    @Lingerance said:

    Google makes no distinction between the words "no porn" and the word porn when indexing. Try "All images of me are fully clothed".
     

    Nor does anyone who happens to walk by who looks at your screen.

     

    If that site wasn't safe for you at work, and someone would have actually been bothered by you looking at it, then you need to find yourself a new job, because you work in the 3rd circle of hell. 

     

    PS.  I think in fact that people do make a distinction between "NO PORN" and "PORN" 



  • @Lingerance said:

    Google makes no distinction between the words "no porn" and the word porn when indexing.
     

    This assertion is not supported by experimentation of searching for "no porn" and searching for "porn" on Google.   



  • @tster said:

    @Lingerance said:

    Google makes no distinction between the words "no porn" and the word porn when indexing.
     

    This assertion is not supported by experimentation of searching for "no porn" and searching for "porn" on Google.   

    Experimentation .... riiiiight (wink)



  • @PJH said:

    It's not exactly pretty in Firefox either (3.0b3):

    Screendump - FF3.0b

     

     

     Renders correctly in FF 2.0.0.12, for the record.

     



  • @emurphy said:

    @PJH said:

    It's not exactly pretty in Firefox either (3.0b3):

    Screendump - FF3.0b

     

     

     Renders correctly in FF 2.0.0.12, for the record.

     

     

    Interesting.



  • Here's my code:

    cmd.CommandText = "exec WL_search_advanced @terms, @match, @title, @author, @start_month, @start_year, @end_month, @end_year, @pubs, @descriptors";
    cmd.Parameters.AddWithValue("@terms", criteria.Terms);
    cmd.Parameters.AddWithValue("@match", criteria.SearchMatchType.ToString("G"));
    cmd.Parameters.AddWithValue("@title", criteria.Title);
    cmd.Parameters.AddWithValue("@author", criteria.Authorlastname);
    cmd.Parameters.AddWithValue("@start_month", criteria.FromMonth);
    cmd.Parameters.AddWithValue("@start_year", criteria.FromYear);
    cmd.Parameters.AddWithValue("@end_month", criteria.Month);
    cmd.Parameters.AddWithValue("@end_year", criteria.Year);
    cmd.Parameters.AddWithValue("@pubs", criteria.Publications.ToString("G"));
    cmd.Parameters.AddWithValue("@descriptors", criteria.Keywordlist);

    Your code fails. The first line should actually be replaced with

    [code]cmd.CommandText = "WL_search_advanced";
    cmd.CommandType = CommandType.StoredProcedure;
    [/code]

    Your code is as prone to SQL injection and all around bugginess as the original.

    (Tip: don't use these forums in Firefox. You lose Quote, Preview, and WYSIWYG editing)



  • Since Community Server sucks balls, and the edit time limit here sucks even harder, here's my last post with (manually added) linebreaks.

    Here's my code:
    cmd.CommandText = "exec WL_search_advanced @terms, @match, @title, @author, @start_month, @start_year, @end_month, @end_year, @pubs, @descriptors";
    cmd.Parameters.AddWithValue("@terms", criteria.Terms);
    cmd.Parameters.AddWithValue("@match", criteria.SearchMatchType.ToString("G"));
    cmd.Parameters.AddWithValue("@title", criteria.Title);
    cmd.Parameters.AddWithValue("@author", criteria.Authorlastname);
    cmd.Parameters.AddWithValue("@start_month", criteria.FromMonth);
    cmd.Parameters.AddWithValue("@start_year", criteria.FromYear);
    cmd.Parameters.AddWithValue("@end_month", criteria.Month);
    cmd.Parameters.AddWithValue("@end_year", criteria.Year);
    cmd.Parameters.AddWithValue("@pubs", criteria.Publications.ToString("G"));
    cmd.Parameters.AddWithValue("@descriptors", criteria.Keywordlist);


    Your code fails. The first line should actually be replaced with
    [code]cmd.CommandText = "WL_search_advanced";
    cmd.CommandType = CommandType.StoredProcedure;[/code]


    Your code is as prone to SQL injection and all around bugginess as the original.

    (Tip: don't use these forums in Firefox. You lose Quote, Preview, WYSIWYG editing, and fucking line breaks)


  • @Kyanar said:

    (Tip: don't use these forums in Firefox. You lose Quote, Preview, WYSIWYG editing, and fucking line breaks)

    You do not lose these things. They work perfectly.

    Try turning on javascript, or look at your forum settings.



  • @Kyanar said:



    Your code fails. The first line should actually be replaced with
    cmd.CommandText = "WL_search_advanced";
    cmd.CommandType = CommandType.StoredProcedure;


    Your code is as prone to SQL injection and all around bugginess as the original.

    (Tip: don't use these forums in Firefox. You lose Quote, Preview, WYSIWYG editing, and fucking line breaks)

    Nonsense, you still use AddWithValue to add parameters to the stored procedure.

    ADO.NET will just run an EXEC statement when you set the command type to Stored Procedure.

     Also, AddWithValue prevents injection.


     

     



  • @Kyanar said:

    Since Community Server sucks balls, and the edit time limit here sucks even harder, here's my last post with (manually added) linebreaks.
    Here's my code:
    cmd.CommandText = "exec WL_search_advanced @terms, @match, @title, @author, @start_month, @start_year, @end_month, @end_year, @pubs, @descriptors";
    cmd.Parameters.AddWithValue("@terms", criteria.Terms);
    cmd.Parameters.AddWithValue("@match", criteria.SearchMatchType.ToString("G"));
    cmd.Parameters.AddWithValue("@title", criteria.Title);
    cmd.Parameters.AddWithValue("@author", criteria.Authorlastname);
    cmd.Parameters.AddWithValue("@start_month", criteria.FromMonth);
    cmd.Parameters.AddWithValue("@start_year", criteria.FromYear);
    cmd.Parameters.AddWithValue("@end_month", criteria.Month);
    cmd.Parameters.AddWithValue("@end_year", criteria.Year);
    cmd.Parameters.AddWithValue("@pubs", criteria.Publications.ToString("G"));
    cmd.Parameters.AddWithValue("@descriptors", criteria.Keywordlist);


    Your code fails. The first line should actually be replaced with
    cmd.CommandText = "WL_search_advanced";
    cmd.CommandType = CommandType.StoredProcedure;


    Your code is as prone to SQL injection and all around bugginess as the original.

    (Tip: don't use these forums in Firefox. You lose Quote, Preview, WYSIWYG editing, and fucking line breaks)
     

    Actually your entire post fails.

    1. AddWithValue is enough to prevent SQL injection in .NET

    2. I use Firefox and have WYSIWYG editing and quote

     

     

    and linebreaks.

     




  • Yes, I confirmed that about 100 times before I posted it. AddWithValue can prevent first-order SQL injection. It might not work against second-order attacks, but this data never comes back again, so it's groovy in this case. I wouldn't have given you guys the underlying code if I thought it could be used against me. The original code is fairly secure too, it's just messed up spaghetti code, which I don't like. 

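  • What the disagreement above comes down to, as an added example rather than the site's own code: both `CommandType.Text` with `exec WL_search_advanced @terms, ...` and `CommandType.StoredProcedure` keep the user's text out of the SQL statement, because in each case the values travel as parameters; the stored-procedure form just lets SqlClient issue a direct RPC call instead of wrapping the batch in `sp_executesql`. The practical gain is in declaring the parameters explicitly instead of `AddWithValue`, and in not calling `GetString()` on a NULL column, which is exactly what the stack trace at the top of this thread shows. The `SearchCriteria` shape mirrors the property names used in the posts; the `SqlDbType`s and lengths are assumptions and have to match what `WL_search_advanced` actually declares.

    ```csharp
    using System;
    using System.Data;
    using System.Data.SqlClient;

    // Added example, not the site's code. Parameter types and sizes are assumptions.
    public enum SearchMatchType { All, Any, Phrase }

    public class SearchCriteria
    {
        public string Terms;
        public string Title;
        public string Authorlastname;
        public string Keywordlist;
        public string Publications;          // assumed: an enum name in the original (ToString("G"))
        public SearchMatchType SearchMatchType;
        public int? FromMonth, FromYear, Month, Year;
    }

    public static class WaterLibrarySearch
    {
        // Empty or missing criteria go over as NULL so the procedure can treat the
        // field as "not filtered on" instead of matching the empty string.
        static object OrNull(string s)
        {
            return string.IsNullOrEmpty(s) ? (object)DBNull.Value : s;
        }

        static object OrNull(int? n)
        {
            return n.HasValue ? (object)n.Value : DBNull.Value;
        }

        public static SqlCommand BuildSearchCommand(SqlConnection conn, SearchCriteria c)
        {
            SqlCommand cmd = conn.CreateCommand();
            cmd.CommandType = CommandType.StoredProcedure;   // RPC call to the procedure by name
            cmd.CommandText = "WL_search_advanced";
            cmd.CommandTimeout = 30;

            // Explicit types and lengths. AddWithValue infers nvarchar(<length of this
            // value>) from a .NET string, which yields one cached plan per distinct
            // input length and can force an implicit conversion on varchar columns.
            cmd.Parameters.Add("@terms", SqlDbType.NVarChar, 500).Value = OrNull(c.Terms);
            cmd.Parameters.Add("@match", SqlDbType.VarChar, 10).Value = c.SearchMatchType.ToString("G");
            cmd.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = OrNull(c.Title);
            cmd.Parameters.Add("@author", SqlDbType.NVarChar, 100).Value = OrNull(c.Authorlastname);
            cmd.Parameters.Add("@start_month", SqlDbType.Int).Value = OrNull(c.FromMonth);
            cmd.Parameters.Add("@start_year", SqlDbType.Int).Value = OrNull(c.FromYear);
            cmd.Parameters.Add("@end_month", SqlDbType.Int).Value = OrNull(c.Month);
            cmd.Parameters.Add("@end_year", SqlDbType.Int).Value = OrNull(c.Year);
            cmd.Parameters.Add("@pubs", SqlDbType.VarChar, 50).Value = OrNull(c.Publications);
            cmd.Parameters.Add("@descriptors", SqlDbType.NVarChar, 1000).Value = OrNull(c.Keywordlist);
            return cmd;
        }

        // The trace at the top of the thread is GetString() called on a NULL column.
        // Test IsDBNull first and hand back null instead of throwing SqlNullValueException.
        public static string GetStringOrNull(IDataRecord row, string column)
        {
            int i = row.GetOrdinal(column);
            return row.IsDBNull(i) ? null : row.GetString(i);
        }
    }
    ```

    One caveat that neither calling form fixes: if `WL_search_advanced` itself concatenates `@terms` or `@descriptors` into a string and `EXEC`s it (a common shortcut for building a variable number of `LIKE` or full-text clauses), the input is injectable again inside the procedure, and the procedure has to use `sp_executesql` with its own parameters for that. Client-side parameterization only guarantees the client never glues user text into SQL.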
