posted by [personal profile] jbanana at 05:52pm on 21/05/2009
I'm working on a project which involves a lot of JSP in an "interesting" CMS. We have a consultant helping us with the "interesting" bits. Today he gave us a JSP containing the following (some details elided to protect the guilty):
String sql = "SELECT * FROM tree WHERE id in ("
           + "SELECT parent FROM tree WHERE id=" + parent + ")"; // parent is pasted straight into the SQL text
parents = cms.SQL ( sql );
I'd like to propose this for the canonical example of what *not* to do.

Edit: Many people dislike JSPs. They don't bother me, but they do allow you to do anything at all, not just rendering. In this particular case, the JSP has to know about the database table structure [sigh], and it should (but probably doesn't) sanitise the parent parameter [sigh], and it has to have a database connection wrapper object [sigh].

I'm even a little miffed about pointless local variable sql, but I'll let that one go. Oh, and KEYWORDS in UPPER case annoys me too, but some people think it's more readable.
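As an added illustration (not code from the post, the consultant or the CMS), here is the concatenated form beside what the same lookup looks like when the parent id is validated and then bound as a JDBC parameter. The cms.SQL wrapper is not shown on the page, so plain java.sql with an assumed Connection stands in for it; the class and helper names, and the injected input, are constructed for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class ParentLookup {

    // The pattern from the post: the request parameter becomes part of the SQL text,
    // so whoever controls "parent" controls the statement.
    static String unsafeQuery(String parent) {
        return "SELECT * FROM tree WHERE id IN ("
             + "SELECT parent FROM tree WHERE id=" + parent + ")";
    }

    // Hypothetical helper: refuse anything that is not a plain integer before it gets
    // near the database. A tree id has no business containing quotes, parentheses or spaces.
    static int parseParentId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("parent must be a positive integer");
        }
        return Integer.parseInt(raw);
    }

    // The fixed lookup: the id travels as a bound parameter, never as SQL text.
    // Assumes plain JDBC; a Connection stands in for the CMS wrapper the post uses.
    static List<Integer> loadParentIds(Connection conn, int id) throws SQLException {
        String sql = "SELECT id FROM tree WHERE id IN (SELECT parent FROM tree WHERE id = ?)";
        List<Integer> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("id"));
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed payload: closes the sub-select early, adds a tautology, and
        // comments out the trailing parenthesis the original string would append.
        String payload = "1) OR 1=1 -- ";

        // With a well-behaved value the two forms describe the same query.
        System.out.println(unsafeQuery("42"));

        // With the payload the WHERE clause becomes "id IN (...) OR 1=1", i.e. every row.
        System.out.println(unsafeQuery(payload));

        // The validating path rejects the payload outright and accepts the real id.
        try {
            parseParentId(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("accepted: " + parseParentId("42"));
    }
}
```

Running main needs no database; it only prints the two statement texts and the validation result. loadParentIds is the part that belongs in the JSP (or, better, behind it): pass the already-validated int and let the driver bind it, so the parameter can never change the shape of the statement. Validation on its own is not the fix, the bound parameter is; the regex check is there so that bad input is refused early with a clear error rather than reaching the database at all.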
