Archive for the ‘Humor’ Category

Be careful of what you ask for… sometimes you might get it

April 6, 2011 Leave a comment

This is an example of why sometimes you should be careful of what you ask for when it comes to developers. You will get exactly what you asked for.

While working through a query that had been built by a third-party organization (whose name is being withheld to prevent snickering and embarrassment) when I noticed that some of the columns in the query were returning NULL. Ok, this happens, not a big deal. It just means the data for that piece of data is missing. Not unheard of and fully expected in this case. Usually to combat this, you use the ISNULL function to return a default value if the column contains NULL. So I made the appropriate changes and re-run the query.

What in the world? The NULLS continued to show. Needless to say, it required some investigation. The “problem” was buried in a custom SQL function that was designed to take a string, break it down on a delimiter, then return the specified element. There is was, in a case statement…. the else clause… where it returned ‘NULL’ … the literal. The literal text value ‘NULL’ … and not the NULL value as expected. I’m sure someone told them that if the element isn’t found, to return NULL. So that’s exactly what they did. It’s probably a good thing we didn’t ask them to return a blank value. We’d have gotten ‘A BLANK VALUE’.

Categories: Humor, Technology

“Little Bobby Tables”… (or why SQL injection is serious)

April 6, 2011 4 comments

I’d seen this xkcd strip before, but someone here in the office brought it up again during a discussion of the discovery that some one was building SQL statements by using data right out of a grid. xkcd: Exploits of a Mom. Don’t let the title scare you, it’s safe, even for work, unless audible laughter isn’t allowed. In short it shows what can happen when you don’t properly sanitize your data before just stringing it along into a SQL Statement. In addition, it shows the importance of using parameters for input values when ever possible.

Oh, and it is possible to use parameters with dynamic SQL, in a future post I’ll show how that’s possible.

Categories: Humor, Technology