A new paradigm in query strings



  • I've inherited a classic ASP web application (WTF #1: the app isn't that old, I'm pretty sure it was written after ASP.NET came out. Why anyone would write in classic ASP anymore is beyond me - although maybe there are reasons; I'm primarily a Java developer so the Microsoft world is a bit unfamiliar to me).

    Aaaanyway, I've only been delving into the app for a couple of hours, but I've already had a few WTF moments. Needless to say the app follows what in the Java world we would call "Model 1" architecture - i.e., pretty much all logic in the pages themselves, and (of course) suffers from SQL injection [this app is currently live on the internet]. Oh, and it's currently not in source control. So a nice fun project all round, really.

    My 'favourite' thing I've come across so far is a rather interesting way of using query strings, or specifically, abusing them. For example, this is a standard URL:

    query_raise.asp?999999999,1,1,,,1,,,,,,

    Then, in the ASP page, it performs a split(',') on the query string. This seems stupid to me, given that:

    1. I'm sure ASP natively supported getting named parameters, i.e. ?user_id=1 etc.
    2. Name / value pairs are so much easier to deal with - ordering isn't important. splitting a comma delimited string is prone to errors.
    3. What's with all the empty values? As far as I can tell, they're not used - leaving some empty space there just to confuse people?
    Anyway, I may post up with more tales of the classic ASP app as and when I have to dig into it further (oh, the joy).



  •  I want to see what happens when a field in the querystring contains a comma.



  • @PhillS said:

    I'm primarily a Java developer so the Microsoft world is a bit unfamiliar to me.

    Don't feel bad, the Microsoft world is a bit unfamiliar to a lot of VS.Net developers too.



  • @PhillS said:

    I've inherited a classic ASP web application (WTF #1: the app isn't that old, I'm pretty sure it was written after ASP.NET came out. Why anyone would write in classic ASP anymore is beyond me - although maybe there are reasons; I'm primarily a Java developer so the Microsoft world is a bit unfamiliar to me).
     

    I primarily work on projects for big financial institutions and they are VERY slow when it comes to adapting newer technologies. My current project involves writing DTS packages for SQL Server 2000.



  • The real WTF is using ancient technology and not even doing it well. As if there aren't hundreds of best practice* references sitting around.

    There are two web developers in my current (non-web development) company with a similar problem. they actually understand query strings, and yet still create SQL statements by combining strings.

    A recent annoyance is that I wanted to bypass their (incredibly slow) website and generate a report myself only to find they've stored information that could fit into a single table as three separate tables - none of which are normalized. The also end up accessing these tables up to nine times per report instead of just grabbing what they need and sorting it out programatically for example:

    first = " SELECT * WHERE value = " + 1
    second = "SELECT * WHERE value = " + 2
    third = "SELECT * WHERE value = " + 3

    *Yes with vb this is something of an oxymoron.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.