NOT NULL



  • I noticed this code a few days back - the DWTF reminded me to post it:

    We have a sql table with various columns NOT NULL, to ensure they contain at least something.

    Some bright spark decided to do this on the gui client:

    if (description.Length() == 0) description = "(null)"; // We can't insert NULL values into the database

    sql = "INSERT INTO tblTasks (<...>) VALUES <...>,'"+description+"'";

    [...]

    Ignoring the injection vulnerabilities, what the hell was this guy thinking?

     

     



  • @Mole said:

    We have a sql table with various columns NOT NULL, to ensure they contain at least something.


    And now they contain something. Where is your problem?



  • Why can't you just use empty string?

    ducks



  •  @Mole said:

    if (description.Length() == 0) description = "(null)"; // We can't insert NULL values into the database

    sql = "INSERT INTO tblTasks (<...>) VALUES <...>,'"+description+"'";

    [...]

    Let me guess. The code to get the data out is:

    description = "SELECT description FORM tblTasks WHERE id="' + Request.Form['id'] + "';"

    ' Take out nulls until it isn't nulls or length is 0 again

    while descrition.length > 0 And (description = "(null)" Or description= "null)" OR description = "ull)" or description = "ll)" Or description = "l)" or Description = ")")

       if description.length = 1 And description = ")"
           description = description.replace(")", "")
       else
          description = description.mid(2, description.length - 1) ' I can't be arsed to look up if VB.Net zero indexes string functions

    end while




  • @Mole said:

    I noticed this code a few days back - the DWTF reminded me to post it:

    We have a sql table with various columns NOT NULL, to ensure they contain at least something.

    Some bright spark decided to do this on the gui client:

    if (description.Length() == 0) description = "(null)"; // We can't insert NULL values into the database

    sql = "INSERT INTO tblTasks (<...>) VALUES <...>,'"+description+"'";

    [...]

    Ignoring the injection vulnerabilities, what the hell was this guy thinking?

     

    Possibly, "If the idiots we call 'users' don't see something there, they'll think there's something wrong with the data."

    Assuming this guy was thinking at all.

     



  • @RHuckster said:

    Why can't you just use empty string?

    ducks

    Made my day. lol



  • This kind of bullcrap makes me want to share my fully-parameterized DynamicSql namespace with the world. 

    Then again, fuck the world! 🙂



  •  @Lorne Kates said:

    Zero is a valid index. It isn't the index VB.Net uses but it is an index.
    Haah! It's spreading to other threads!



  • @RHuckster said:

    Why can't you just use empty string?

    ducks

     

     

    if (description.Length() == 0) description = """";

     

    Works for me.

     

     



  • @Weps said:

    @RHuckster said:

    Why can't you just use empty string?

    ducks

    Made my day. lol

    Mine too. Been working too much with Or*cle?



  • @RHuckster said:

    Why can't you just use empty string?

    ducks

     

    This makes me suddenly wonder if anyone has ever encountered a full string.

     



  • @too_many_usernames said:

    @RHuckster said:

    Why can't you just use empty string?

    ducks

     

    This makes me suddenly wonder if anyone has ever encountered a full string.

     

     

    Yes.

     



  • @Ilya Ehrenburg said:

    @too_many_usernames said:

    @RHuckster said:

    Why can't you just use empty string?

    *ducks*

     

    This makes me suddenly wonder if anyone has ever encountered a full string.

     

     

    Yes.

     

    I'd prefer using *ducks*



  • Ye gods.

    If the description field must contain a value then why not use something meaningful like "No description was provided".

    This should be pushed back onto the organisation. If their business rules require a description then they should be providing a default value. if they can't provide a default then they obviously do not actually require a value. Their call.

    As a database programmer I favour the approach of "make it the user's problem".



  • @havokk said:

    If the description field must contain a value then why not use something meaningful like "No description was provided".

    Because if "No description was provided" then, obviously, one isn't required. There are only two paths forward, either get the DBA to acknowledge reality and allow NULLs, or mess with him. It looks like Mole found somebody who chose door #2.



  • To my mind, if the description is required by business rules but wasn't provided by the user, the application should populate it with something along the lines of "<USERNAME> failed to provide a description for this item." And there should be a report listing the number per user. Of course, then you might get people deliberately putting in "<OTHERUSER> failed to provide a description for this item."

    But since the report would actually be linked to the user who created the record, you could also pick up such spoofing attempts and they would be grounds for dismissal..... sorry, I seem to have been drifting off into a fantasy world there.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.