Did you REALLY just do that?


  • Garbage Person

    No, really. Did you even bother reading the spec or the goddamn security brief from the beginning of the project?

    We have this desktop application. It deals with all manner of sensitive data and as such was built from day 0 with database security in mind.

    Parameterized queries, stored procedures with API keys. SSL. You know, the basics like that.

We're counting days until delivery day (at which time myself and two other team managers will transfer over to full-time service and maintenance and the rest of the team dissolves) and we have less than 10 of them. At the last god damned minute, the hosting vendor tells us that they actually can't poke that hole through their firewall to let the desktop app portion of this project access the database - we're going to have to convert the desktop app to a web service. Since I'm busy with packaging concerns, and my fellow managers are fighting "OH BTW WE FORGOT TO TELL YOU ABOUT THIS CRITICAL FEATURE!" fires, we handed the web services conversion to a pair of developers who had proven to be reliable and quick at turning things around.

The spec called for moving a million billion CrystalReports into the Web App and returning CrystalReport objects and, in a few instances where the GUI needed to be database-backed, take parameters and return the appropriate datatable. One method per report and one method per dataset. You know, like you'd expect any sane developer to do instinctively, because the code to generate the CrystalReports is already present and can be copy-pasted into a web method and that web method called instead in a 2-second refactor job. I could have written a fucking perl script to do this job.

    2 days later, we had our web service. I packaged it and pushed it to test. It wasn't until today that I bothered to review the code - there are 3 web methods. Their signatures are as follows:

     

    public DataTable executeQuery(String apiKey, String sql);

    public Object executeScalar(String apiKey, String sql);

    public void executeNonQuery(String apiKey, String sql);

I'll give you ONE GUESS as to whether or not that sql is escaped.

     

    I DO NOT HAVE TIME FOR THIS SHIT.

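An added illustration, not code from the thread, of the difference between the three-method service described in the post above and the one-method-per-report design the spec asked for. It runs against an in-memory SQLite table; the schema, the sample rows, the API key value and the function names are constructed for the example and are not from the original project.

```python
"""Added example: a raw-SQL endpoint beside a per-report, parameterized one."""
import sqlite3

# Constructed sample data; the real schema is not in the post.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL, ssn TEXT);
INSERT INTO accounts VALUES (1, 'alice', 120.50, '123-45-6789');
INSERT INTO accounts VALUES (2, 'bob',    99.00, '987-65-4321');
"""
API_KEY = "demo-key"  # hypothetical; how the real service validates apiKey is not shown


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def check_key(api_key: str) -> None:
    # The key answers "who is calling", not "what are they allowed to run".
    if api_key != API_KEY:
        raise PermissionError("bad api key")


# 1. The shape of the service in the post: the client supplies the SQL text.
def execute_query(conn, api_key, sql):
    check_key(api_key)
    return conn.execute(sql).fetchall()


def execute_non_query(conn, api_key, sql) -> None:
    check_key(api_key)
    conn.execute(sql)        # void, like the post's signature: rows affected is thrown away
    conn.commit()


# 2. One method per report/dataset: only values cross the wire, and they are bound.
def balance_report(conn, api_key, owner):
    check_key(api_key)
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def close_account(conn, api_key, account_id) -> int:
    check_key(api_key)
    cur = conn.execute("DELETE FROM accounts WHERE id = ?", (account_id,))
    conn.commit()
    return cur.rowcount      # the caller can confirm it hit exactly one row


# 3. Escaping the whole query at the service boundary cannot tell code from data.
def escaped_whole_query_runs(conn, sql) -> bool:
    escaped = sql.replace("'", "''")   # the only "escaping" a raw-SQL endpoint could apply
    try:
        conn.execute(escaped)
        return True
    except sqlite3.OperationalError:   # the quotes around the literal get doubled too
        return False


def demo() -> dict:
    conn = fresh_db()
    # Anyone holding the key reads columns no report was ever meant to expose...
    ssns = execute_query(conn, API_KEY, "SELECT ssn FROM accounts")
    # ...and rewrites data, with nothing telling the caller how many rows changed.
    execute_non_query(conn, API_KEY, "UPDATE accounts SET balance = 1e6")
    rewritten = execute_query(conn, API_KEY,
                              "SELECT COUNT(*) FROM accounts WHERE balance = 1e6")[0][0]

    conn = fresh_db()
    # The per-report method treats an injection string as a literal owner name.
    probe = balance_report(conn, API_KEY, "alice' OR '1'='1")
    legit = balance_report(conn, API_KEY, "alice")
    deleted = close_account(conn, API_KEY, 2)
    # Escaping a legitimate whole query just breaks it.
    runs = escaped_whole_query_runs(conn, "SELECT balance FROM accounts WHERE owner = 'alice'")
    return {"ssns": ssns, "rows_rewritten": rewritten, "probe": probe,
            "legit": legit, "deleted": deleted, "escaped_runs": runs}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The API key in both designs only decides who may call; in the first design every caller who has it gets the full rights of the database login the service runs under, so the parameterized queries and stored procedures in the desktop app buy nothing once the same key is embedded in a client that can be decompiled or sniffed. In the second design the attack surface is the list of report methods and their typed parameters.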


  • Okay, I'll bite. Yes, it is escaped. That's my guess.



  • @Weng said:

    The spec called for moving a million billion CrystalReports into the Web App
     

    Apparently the spec should have been a bit more thorough.

    Sounds painful.



Escaping queries is for amateurs. Real developers use parameterized queries instead.



  • @henke37 said:

Escaping queries is for amateurs. Real developers use parameterized queries instead.
     

There's not much to parameterize when you're sending the whole query as a "variable". :-) Escaping won't help much, either...



  • @Weng said:

    I DO NOT HAVE TIME FOR THIS SHIT.

     

    Then quit wasting time on tdwtf forum.



  • @Weng said:

    I DO NOT HAVE TIME FOR THIS SHIT.
Ah, retarded, unmaintainable, insecure, "but it works" code... I feel your pain.

    You should come work here. It'll make your current job seem like heaven.



  • Hey, any code that has to be created in the last nine days before delivery, in response to some royal screwup on the part of someone else, deserves all the slack it takes. You want security, you get months in advance security. You want to change the specs a week before delivery, you aren't going to get security, anywhere.


  • Discourse touched me in a no-no place

    @Weng said:

... At the last god damned minute, the hosting vendor tells us that they actually can't poke that hole through their firewall to let the desktop app portion of this project access the database
     

    Their frontend to whatever passes for iptables on their firewall won't allow the requisite rules to restrict access to those ports from whichever clients should have access?

    Can you not move the ports to something they will let through?

    (Their) corporate policy won't allow it?

Or they just don't want external database access and would prefer a less secure method of getting data in there?

     



  • @Weng said:

    ... At the last god damned minute, the hosting vendor tells us that they actually can't poke that hole through their firewall to let the desktop app portion of this project access the database - we're going to have to convert the desktop app to a web service. ...

    1. Shouldn't that be a reason to look for different hosting vendor rather than changing the code?
2. If you don't have that one hole through the firewall, but you have HTTPS, just enable the CONNECT method in the web server (at least Apache supports it, or you can insert a reverse proxy) running there and use some utility that can establish a connection through several consecutive proxies, and just run the service through that as it was designed.
    3. If you only have HTTP, there's still the httptunnel thing, that can get arbitrary TCP/IP through that.


There's not much to parameterize when you're sending the whole query as a "variable". :-) Escaping won't help much, either...

     

Sure it will.  You just have to make sure it's done once.



  • Maybe you should make time.

    Not everyone is a genius.



  • @Bulb said:

    If you only have HTTP, there's still the httptunnel thing, that can
    get arbitrary TCP/IP through that.

Or you can use the Firewall Enhancement Protocol (http://tools.ietf.org/html/rfc3093).



  • I'm just wondering what "executeNonQuery" does...



  • @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.



  • @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)

    (I normally don't work with databases)



  • @menta said:

    Not everyone is a genius.

    Especially not you, since you clearly weren't original enough to not blatantly copy my Signature Guy code.



  • @Daid said:

    @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)
    (I normally don't work with databases)
     

    Yes, you're correct.  Clearly the person who wrote this API never uses that information :-)



  • @Daid said:

    @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)

    (I normally don't work with databases)

    Ya, in a separate signal channel. NOT as a data row.



  • @bannedfromcoding said:

    @Daid said:
    @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)
    (I normally don't work with databases)

    Ya, in a separate signal channel. NOT as a data row.
     

    He's likely talking about the int result from ExecuteNonQuery.  Leaving out the int result in the OP's API means you can't check whether your update worked (or whether it worked exactly once).



  • @arty said:

    @Daid said:

    @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)

    (I normally don't work with databases)
     

    Yes, you're correct.  Clearly the person who wrote this API never uses that information :-)

    The query itself doesn't return a result set, but the function that executes the query might return a value based on number of rows affected. (In this case, it doesn't)

    Even so, the real point is that it's not a "nonQuery" -- it is just a query that doesn't return data.

God the forum software is shitty... no GUI in Safari or Chrome, and the plain-vanilla text editor doesn't even convert newline characters into paragraph tags.


  • Garbage Person

    @AndyCanfield said:

    Hey, any code that has to be created in the last nine days before delivery, in response to some royal screwup on the part of someone else, deserves all the slack it takes. You want security, you get months in advance security. You want to change the specs a week before delivery, you aren't going to get security, anywhere.

    We have an inflexible ship date - either it ships that day or we don't get paid. Ever. The customer bins us and continues using their antique COBOL junkheap. Unfortunately this was our first "big" contract where we went with an "agile development methodology" (and in the minds of our managers that means "the customer can change their mind in any way at any time they want" rather than "the customer needs to be sane and reasonable and we'll provide them with a continuously integrated, functional product at all stages of development so they can make minor clarifications to the spec.") and as such we've gotten boned hard several times already eating up all our slacktime.

  • Garbage Person

     @Bulb said:

    @Weng said:
    ... At the last god damned minute, the hosting vendor tells us that they actually can't poke that hole through their firewall to let the desktop app portion of this project access the database - we're going to have to convert the desktop app to a web service. ...

    1. Shouldn't that be a reason to look for different hosting vendor rather than changing the code?
2. If you don't have that one hole through the firewall, but you have HTTPS, just enable the CONNECT method in the web server (at least Apache supports it, or you can insert a reverse proxy) running there and use some utility that can establish a connection through several consecutive proxies, and just run the service through that as it was designed.
    3. If you only have HTTP, there's still the httptunnel thing, that can get arbitrary TCP/IP through that.

     

    1. Politics made this decision - not any sane bidding process. Our PM handed me a business card for their CEO and said "I drink with this guy and said we'd give it to him. Make it happen." Will be having words over that later.
    2/3. They won't reconfigure IIS either. They're VERY paranoid about their configurations.


  • Garbage Person

    @rohypnol said:

    @Weng said:

    I DO NOT HAVE TIME FOR THIS SHIT.

     

    Then quit wasting time on tdwtf forum.

    This comment: Because no salaried employee should ever complain about not having enough work-hours to accomplish a task despite already working 8AM to 9PM daily.


  • @Weng said:

    At the last god damned minute, the hosting vendor tells us that they actually can't poke that hole through their firewall to let the desktop app portion of this project access the database - we're going to have to convert the desktop app to a web service.
     

This right here is the WTF. The project manager that let such a giant roadblock lie in the way of your project until the last minute without implementing a contingency failed (epically, even!).



  • @Daid said:

    @arty said:

    @Daid said:

    I'm just wondering what "executeNonQuery" does...
     

    It executes an update, delete or whatever else that doesn't return a result set.

    Don't those return something also? (Something like affected keys, number of records touched?)
    (I normally don't work with databases)
     

    They often do, but they don't return records, so they're not considered a query.  The term query is misused a lot of the time to mean "SQL statement".



  • @savar said:

    God the forum software is shitty... no GUI in Safari or Chrome, and the plain-vanilla text editor doesn't even convert newline characters into paragraph tags.
    I'm more concerned that you have over 300 posts and have chosen now to complain about the software.

    Also, I didn't know that about Chrome. I would have expected better.

    This post made painstakingly with Chrome
