Climate Activists Stop Air Traffic After Breaking Into Four Airport Sites
Read more of this story at Slashdot.
ISPs Ask Supreme Court To Kill New York Law That Requires $15 Broadband Plans
Apple, Google Wallets To Carry California Driver's Licenses
Microsoft Tweaks Fine Print To Warn Everyone Not To Take Its AI Seriously
German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage
Redbox App Axed, Dashing People's Hopes of Keeping Purchased Content
Google Sold Android Phones With Hidden Insecure Feature, Companies Find
Eric Schmidt Walks Back Claim Google Is Behind on AI Because of Remote Work
Kim Dotcom To Be Extradited From New Zealand To US
Epic Judge Says He'll 'Tear the Barriers Down' on Google's App Store Monopoly
Cisco Slashes Thousands of Workers As It Announces Yearly Profit of $10.3 Billion
Magic: The Gathering Community Fears Generative AI Will Replace Talented Artists
Researchers Figure Out How To Keep Clocks On the Earth, Moon In Sync
CodeSOD: Stored Procedures are Better
We all know that building SQL queries via string concatenation, and then sending them to the database, is just begging for fragile code and SQL injection attacks. But, what if the bad part is the "sending them to the database" part? Has anyone ever thought about that?
Kris's predecessor has.
CREATE PROCEDURE [dbo].[usp_LossMit_GetCDCMappingInfo]
    @PropertyNameString NVARCHAR(4000),
    @Environment CHAR(1)
AS
BEGIN
    DECLARE @TICK CHAR (1)
    SET @TICK = CHAR(39)
    DECLARE @SQLSelect NVARCHAR (4000)
    DECLARE @SQLWHERE NVARCHAR (4000)
    DECLARE @SQLSelectII NVARCHAR (4000)
    DECLARE @SQLWHEREII NVARCHAR (4000)

    SET @SQLSelect = ' SELECT CDCID As PropertyValue, CDCName AS EntityName, ISNULL(RTRIM(PropertyName), '+ @TICK + @TICK + ') AS PropertyName FROM dbo.LossMitCDCIDMapping'
    SET @SQLWHERE = ' WHERE PropertyName IN (' + @PropertyNameString + ') AND Environment = ' + @TICK + @Environment + @TICK + 'AND IsActive = 1'
    SET @SQLSelectII = ' UNION SELECT lccm.CDCControlID AS PropertyValue, lccm.CDCControlName AS EntityName, ISNULL(RTRIM(lccm.PropertyName), '+ @TICK + @TICK + ') AS PropertyName FROM dbo.LossMitCDCIDMapping lcm INNER JOIN dbo.LossMitCDCControlIDMapping lccm ON lcm.CDCID = lccm.CDCID'
    SET @SQLWHEREII = ' AND lcm.PropertyName IN ( '+ @PropertyNameString + ') AND lcm.Environment = ' + @TICK + @Environment + @TICK + ' AND lccm.Environment = ' + @TICK + @Environment + @TICK + ' AND lcm.IsActive = 1 AND lccm.IsActive = 1'

    PRINT (@SQLSelect + @SQLWHERE + @SQLSelectII + @SQLWHEREII)
    EXEC (@SQLSelect + @SQLWHERE + @SQLSelectII + @SQLWHEREII)
END
/*****usp_LossMit_GetAutoIndex******/
GO

Now, just one little, itsy-bitsy thing about T-SQL: it handles variables in SQL statements just fine. They could have written AND Environment = @Environment without wrapping it up in string concatenation. This entire function could have been written without a single string concatenation in it, and the code would be simpler and easier to read, and not be begging for SQL injection attacks.
And I have no idea what's going on with @TICK: it's a one-character string that they set equal to an empty 39-character string, so I assume it's just "". Why are we spamming it everywhere?
And not to be the person that harps on capitalization, but why @SQLSelect and @SQLWHERE? It's next-level inconsistency.
My only hypothesis is that this code was originally in ASP or something similar, and someone said, "Performance is bad, we should turn it into a stored procedure," and so someone did, without changing one iota about how the code was structured or worked.
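For contrast, here is what the procedure looks like without any string concatenation. This is an added example, not Kris's predecessor's code or a fix from the article; it assumes SQL Server 2008 or later (for table-valued parameters) and the two mapping tables and columns the original references. One detail worth knowing: CHAR(39) in T-SQL is the single-quote character, so @TICK is what wraps @Environment in quotes in the dynamic string, and a caller who can put a quote into @Environment or @PropertyNameString controls the rest of the statement. The rewrite below compares parameters as values and passes the property-name list as rows, so there is no statement text for input to land in.

```sql
-- Added example (not the page's original code). Assumes SQL Server 2008+
-- and the tables/columns used by the procedure on the page.
CREATE TYPE dbo.PropertyNameList AS TABLE (PropertyName NVARCHAR(200) NOT NULL);
GO

CREATE PROCEDURE dbo.usp_LossMit_GetCDCMappingInfo_Safe
    @PropertyNames dbo.PropertyNameList READONLY,  -- replaces the quoted, comma-joined string
    @Environment   CHAR(1)
AS
BEGIN
    SET NOCOUNT ON;

    -- @Environment is compared as a value; it is never spliced into SQL text,
    -- so no quoting (@TICK) is needed and no input can alter the statement.
    SELECT m.CDCID                      AS PropertyValue,
           m.CDCName                    AS EntityName,
           ISNULL(RTRIM(m.PropertyName), '') AS PropertyName
    FROM   dbo.LossMitCDCIDMapping AS m
    WHERE  m.PropertyName IN (SELECT PropertyName FROM @PropertyNames)
      AND  m.Environment = @Environment
      AND  m.IsActive = 1
    UNION
    SELECT c.CDCControlID,
           c.CDCControlName,
           ISNULL(RTRIM(c.PropertyName), '')
    FROM   dbo.LossMitCDCIDMapping        AS m
    JOIN   dbo.LossMitCDCControlIDMapping AS c ON c.CDCID = m.CDCID
    WHERE  m.PropertyName IN (SELECT PropertyName FROM @PropertyNames)
      AND  m.Environment = @Environment
      AND  c.Environment = @Environment
      AND  m.IsActive = 1
      AND  c.IsActive = 1;
END
GO

-- Caller side: the list travels as rows, not as SQL text. The values are
-- constructed samples; the embedded quote in the second one is just data.
DECLARE @names dbo.PropertyNameList;
INSERT INTO @names (PropertyName) VALUES (N'LoanNumber'), (N'O''Brien');
EXEC dbo.usp_LossMit_GetCDCMappingInfo_Safe @PropertyNames = @names, @Environment = 'P';
```

If dynamic SQL were genuinely required (it is not here), the same principle applies: build only the fixed parts of the statement and hand values to sp_executesql as named parameters rather than concatenating them.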
Kris has this to say:
Just started at a new job--it's going to be interesting…
Interesting is certainly one word for it.
Scientists Find Humans Age Dramatically In Two Bursts: At 44, Then 60
NIST Finalizes Trio of Post-Quantum Encryption Standards
Artists Claim 'Big' Win In Copyright Suit Fighting AI Image Generators
FTC Finalizes Rule Banning Fake Reviews, Including Those Made With AI
'Gemini Is Replacing Google Assistant On Pixel Phones, and It's a Trainwreck'
Paramount Global To Lay Off 15% of US Workforce, Close TV Studio