The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers
«
»

I was baffled…

Posted by jpluimers on 2011/11/15

When I saw code like this in a production app, I was speachless:

			if (matcher.Trim().Length > 0)
			{
				if (eesteWhere){sqlWhere += "WHERE ";eesteWhere = false;}
				else{sqlWhere += "AND ";}
				sqlWhere += "m.matcher like '" + matcher.Trim() + "%' ";
			}

Not once, twice, but hundred of fragments like these. Not generated, but hand copy-pasted. And the client thought they were running stable, reliable apps :(

This is soo XSCD ‘Exploits of a Mom‘ (aka Bobby Tables):

The department that wrote the code has been closed a while ago, but some serious refactoring time needs to be invested here, as all applications delivered by that department are vulnerable to SQL Exploits.

–jeroen

This entry was posted on 2011/11/15 at 06:00 and is filed under .NET, C#, C# 2.0, Database Development, Development, Software Development, SQL, SQL Server. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

«
»