posted by jbanana at 05:52pm on 21/05/2009
I'm working on a project which involves a lot of JSP in an "interesting" CMS. We have a consultant helping us with the "interesting" bits. Today he gave us a JSP containing the following (some details elided to protect the guilty):
String sql = "SELECT * FROM tree WHERE id in (" +
    "SELECT parent FROM tree WHERE id=" + parent + ")"; // parent is a raw request parameter spliced into the SQL text
parents = cms.SQL ( sql );
I'd like to propose this for the canonical example of what *not* to do.

Edit: Many people dislike JSPs. They don't bother me, but they do allow you to do anything at all, not just rendering. In this particular case, the JSP has to know about the database table structure [sigh], and it should (but probably doesn't) sanitise the parent parameter [sigh], and it has to have a database connection wrapper object [sigh].

I'm even a little miffed about pointless local variable sql, but I'll let that one go. Oh, and KEYWORDS in UPPER case annoys me too, but some people think it's more readable.
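To make the point concrete, here is an added example (mine, not the consultant's code or the CMS's API) that reproduces the JSP's concatenation pattern against a constructed in-memory SQLite table named `tree` with the `id` and `parent` columns the query mentions, and puts the corrected form next to it. Python's `sqlite3` stands in for JSP plus whatever `cms.SQL` wraps; the sample rows and the `parent` values are made up for the demonstration.

```python
import sqlite3

# Constructed sample data: (id, parent) pairs for a small tree.
SAMPLE_ROWS = [(1, None), (2, 1), (3, 1), (4, 2), (5, 4)]


def make_db():
    """Build an in-memory `tree` table shaped like the one in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tree (id INTEGER PRIMARY KEY, parent INTEGER)")
    conn.executemany("INSERT INTO tree VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def parents_concatenated(conn, parent):
    """The post's pattern: the request parameter becomes part of the SQL text.

    Anything the caller puts in `parent` is parsed as SQL, so the query's
    meaning is under the control of whoever supplies the parameter.
    """
    sql = ("SELECT * FROM tree WHERE id in ("
           "SELECT parent FROM tree WHERE id=" + parent + ")")
    return conn.execute(sql).fetchall()


def is_valid_parent(parent):
    """Input validation: a tree id is a non-negative integer, nothing else."""
    return isinstance(parent, str) and parent.isdigit()


def parents_parameterized(conn, parent):
    """Hardened form: validate the id, then bind it as a query parameter.

    The SQL text is fixed; the value travels separately to the engine and is
    never interpreted as SQL. (JDBC equivalent: PreparedStatement with `?`
    and setInt.)
    """
    if not is_valid_parent(parent):
        raise ValueError("parent must be an integer id")
    sql = ("SELECT * FROM tree WHERE id in ("
           "SELECT parent FROM tree WHERE id=?)")
    return conn.execute(sql, (int(parent),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("expected use, concatenated:", parents_concatenated(db, "4"))
    print("expected use, parameterized:", parents_parameterized(db, "4"))
    # A parameter that is not an id changes the concatenated query's WHERE
    # clause; the parameterized version rejects it before any SQL runs.
    odd = "4) OR (1=1"
    print("odd input, concatenated:", parents_concatenated(db, odd))
    try:
        parents_parameterized(db, odd)
    except ValueError as err:
        print("odd input, parameterized:", err)
```

With the benign parameter `"4"` both functions return the single row for node 2, the parent of 4. With a non-numeric parameter the concatenated version silently runs a different query (here it returns every row), while the parameterized version refuses the input. Whether the CMS wrapper exposes prepared statements is something to check before assuming the fix is a one-line change; if it only accepts a finished SQL string, the validation step is the minimum, and a real wrapper with bind parameters is the proper fix.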