posted by jbanana at 05:52pm on 21/05/2009
I'm working on a project which involves a lot of JSP in an "interesting" CMS. We have a consultant helping us with the "interesting" bits. Today he gave us a JSP containing the following (some details elided to protect the guilty):
```java
String sql = "SELECT * FROM tree WHERE id in ( SELECT parent FROM tree WHERE id=" + parent + ")";
parents = cms.SQL ( sql );
```

I'd like to propose this for the canonical example of what *not* to do.
Edit: Many people dislike JSPs. They don't bother me, but they do allow you to do anything at all, not just rendering. In this particular case, the JSP has to know about the database table structure [sigh], and it should (but probably doesn't) sanitise the `parent` parameter [sigh], and it has to have a database connection wrapper object [sigh]. I'm even a little miffed about the pointless local variable `sql`, but I'll let that one go. Oh, and KEYWORDS in UPPER case annoys me too, but some people think it's more readable.
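As an added example (not code from the post, and not the CMS's own API), here is the same parent lookup written twice: once in the shape the post quotes, with the request parameter pasted into the SQL text, and once with the id bound as a typed parameter so the `parent` value can only ever be data. It assumes plain JDBC with an in-memory H2 database (`jdbc:h2:mem:demo`, driver on the classpath) in place of the CMS's `cms.SQL` wrapper; the `tree` table, its rows and the crafted input are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class ParentLookup {

    // Same query shape as the post: the request parameter is concatenated into
    // the SQL text, so whatever it contains becomes part of the statement.
    static List<Integer> parentsUnsafe(Connection conn, String parent) throws SQLException {
        String sql = "SELECT * FROM tree WHERE id IN (SELECT parent FROM tree WHERE id=" + parent + ")";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collectIds(rs);
        }
    }

    // Hardened version: the id is parsed as an int first (junk is rejected before
    // it reaches the database) and then bound with setInt, so the driver never
    // lets the value alter the structure of the statement.
    static List<Integer> parentsSafe(Connection conn, String parent) throws SQLException {
        int id;
        try {
            id = Integer.parseInt(parent);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("parent must be a numeric id", e);
        }
        String sql = "SELECT * FROM tree WHERE id IN (SELECT parent FROM tree WHERE id = ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return collectIds(rs);
            }
        }
    }

    private static List<Integer> collectIds(ResultSet rs) throws SQLException {
        List<Integer> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getInt("id"));
        }
        return ids;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed: H2 in-memory database; any JDBC driver and URL would do.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // Constructed sample tree: 1 is the root, 2 hangs off 1, 3 hangs off 2.
                st.execute("CREATE TABLE tree (id INT PRIMARY KEY, parent INT)");
                st.execute("INSERT INTO tree VALUES (1, NULL), (2, 1), (3, 2)");
            }
            System.out.println("unsafe, id=3: " + parentsUnsafe(conn, "3"));
            System.out.println("safe,   id=3: " + parentsSafe(conn, "3"));

            // Constructed non-numeric input. Concatenated, it closes the subquery
            // early and comments out the rest, so the WHERE clause is rewritten.
            String crafted = "0) OR 1=1 --";
            System.out.println("unsafe, crafted: " + parentsUnsafe(conn, crafted));
            try {
                parentsSafe(conn, crafted);
            } catch (IllegalArgumentException e) {
                System.out.println("safe,   crafted: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with the H2 jar on the classpath. For a well-formed id both versions return the same row; for the crafted value the concatenated query has been rewritten and returns every row in the table, while the bound version never reaches the database because the value does not parse as an integer. If the CMS wrapper in the post cannot take bound parameters at all, parsing `parent` as an int before building the string gives the same guarantee for a numeric column and is the smallest change that fixes the quoted JSP.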