TalesFromTheSmellySide(Of Code) – Episode #2 – SQL Injection Infection

Just so folks don’t think I’m coming off as elitist with my new little series, here’s an oldie but a goodie from yours truly on my first .NET project way back in early 2002. (And really, my first real programming project, since my previous life was mainly doing

And this is VB, folks.  <gasp>  (Notice the title change?)

cmd.CommandText = "UPDATE ATT_Circuits SET " & strField & "='" & strControlText.Replace("'", "") & "' WHERE Hostname='" & txtHostname.Text & "'"

Ok, so I don’t think I really need to point out all the embarrassing problems
in this one line of code.  Obviously it should be parameterized, and that
Hungarian notation just gives me the willies.  Oh, and did I mention that I had
this right in the code-behind for a web form?  Eeek!
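For contrast, here is that one-liner rewritten the way the post says it should have been. This is an added example, not code from the original post: the values become SqlCommand parameters, and because a column name cannot be passed as a parameter, strField is checked against a fixed allow-list before it is spliced into the statement. The table and column names beyond ATT_Circuits and Hostname, and the UpdateCircuit signature, are assumptions.

```vb
' Added example (not from the original post). Rewrites the concatenated UPDATE
' with parameters for the values and an allow-list for the column name.
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module CircuitRepository
    ' Identifiers cannot be sent as SQL parameters, so the updatable column
    ' names are fixed here. The column names below are assumed for the example.
    Private ReadOnly AllowedFields As New HashSet(Of String)(
        {"Description", "Bandwidth", "Location"}, StringComparer.OrdinalIgnoreCase)

    ' Updates one column of ATT_Circuits for the given hostname.
    ' Returns the number of rows affected.
    Public Function UpdateCircuit(conn As SqlConnection, fieldName As String,
                                  value As String, hostname As String) As Integer
        ' Reject anything that is not a known column before it touches the SQL text.
        If Not AllowedFields.Contains(fieldName) Then
            Throw New ArgumentException("Field is not updatable: " & fieldName)
        End If

        Using cmd As SqlCommand = conn.CreateCommand()
            ' The values travel as parameters, so a quote in the input is data,
            ' not SQL syntax; the Replace("'", "") workaround is no longer needed.
            cmd.CommandText = "UPDATE ATT_Circuits SET [" & fieldName & "] = @value " &
                              "WHERE Hostname = @hostname"
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 255).Value = value
            cmd.Parameters.Add("@hostname", SqlDbType.NVarChar, 64).Value = hostname
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```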

In my defense, at the time (and some would say this is still the case),
that’s what Microsoft was encouraging.  Back then I didn’t know any better.  But
thankfully the many evening and late-night hours I’ve spent over the past 5
years have allowed me to learn much better ways of building software.  <insert
thank you to my wife here />  Of course, this process seems to never cease!

Anyone else brave enough to share smells from their first software
projects?  :D



2 Responses to TalesFromTheSmellySide(Of Code) – Episode #2 – SQL Injection Infection

  1. Jimmy Bogard says:

    *sigh* this really brings me back.

    Though mine were usually of the variant:

    "DELETE tblCustomer WHERE ID='" + Request.QueryString["id"] + "'"

    Pretty funny.

  2. jlockwood says:

    Heh, my first software project was a big DOD app in Java/C++. I guess one rather rank smell was our invented scripting language for the persistence layer that read pretty much like assembler. Or maybe distributing “smart” UI frames through DCOM.

    …Heck, I wouldn’t know where to start. I think our problem was far too many clever folks on a big project. We committed two major sins during that project.
    1. The solution was overly complex, extremely difficult to maintain, and was developed by siloed teams.
    2. We used DCOM to distribute processing, but ended up “over distributing” what would now be called services. This was bad for performance and ended up contributing to a brittle system.