Programming


2 Likes

The project I’ve been working on (20hrs a week more or less) is almost complete and I found out today there will be an offer for something. Don’t know if it’s another contract or permanent. Very happy about it. I like this place and it’s not easy for me to like my employers.

6 Likes

Just had my first sprint planning meeting as an engineer

We’re just adopting scrum and it’s going to be really interesting to see what happens. I’m actually looking forward to it - my team has been beyond dysfunctional (mostly due to my psychotic boss) and some structure is much needed.

From the annals of “is Java the worst language ever created”, I bring you this amazing discovery. I should say that the original Java Date system is notoriously awful and was later replaced by java.time and is essentially deprecated. But still, it crops up in old code. I was seeing an occasional bug in old code consuming an API:

com.microsoft.sqlserver.jdbc.SQLServerException: The conversion of a nvarchar data type to a datetime data type resulted in an out-of-range value.

So I added some logging and waited for it to happen again. Here is what was logged:

[21:06:53] 1339894821, 0, 2021-06-01 22:35 AM, 19780116477
[21:06:53] 1339894821, 0, 2021-06-02 01:30 AM, 19780116478
[21:06:53] 1339894821, 0, 2021-06-02 01:30 AM, 19780116479
[21:06:53] 1339894821, 0, 2021-06-02 01:30 AM, 19780116480

Wait a minute. Say what?

2021-06-01 22:35 AM

Very weird. The Date object is internally represented as epoch milliseconds. I mean I don’t know why the guy who wrote this is outputting 24-hour time plus AM/PM, but it shouldn’t actually cause problems. I tried to reproduce this output, but to no avail. Formatting dates in old Java uses something called SimpleDateFormat, you just do this:

import java.text.SimpleDateFormat;
import java.util.Date;

Date d = new Date();
SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm a");
String formattedDate = df.format(d);

Naturally, the guy who had written the code had written a helper method to do it.

import java.text.SimpleDateFormat;
import java.util.Date;

// One static formatter instance, shared by every caller of sqlDateFormat.
public static SimpleDateFormat sqlDf = new SimpleDateFormat("yyyy-MM-dd HH:mm a");

public static String sqlDateFormat(Date date) {
    if (date != null) {
        return sqlDf.format(date);
    } else {
        return "";
    }
}

After puzzling over this for a while I began to have certain… dark suspicions. But it couldn’t be that. Could it? No language designer could possibly be that stupid. Right? Could they? I guess I’d better check Google just to rule this out…

One of the most important things to note about SimpleDateFormat class is that it is not thread-safe and causes issues in multi-threaded environments if not used properly.

Dude, no way. NO WAY.

The SimpleDateFormat class mutates its internal state for formatting and parsing dates. That’s why it results in these issues when multiple threads use the same instance of SimpleDateFormat concurrently.

Did a high school work experience kid write this class or something? What in the actual fuck.

2 Likes
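An added example (not code from the thread) that reproduces the race described above and shows the two usual fixes: it formats distinct dates from eight threads through one shared SimpleDateFormat, as the post's helper does, and counts outputs that differ from the correct string, then repeats the run with a ThreadLocal instance and finally formats the same instant with java.time's immutable DateTimeFormatter. The sample dates are constructed; the pattern is the one from the post.

```java
import java.text.SimpleDateFormat;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicInteger;

public class DateFormatRace {
    static final String PATTERN = "yyyy-MM-dd HH:mm a";

    // Same shape as the helper in the post: one static instance shared by every thread.
    static final SimpleDateFormat SHARED = new SimpleDateFormat(PATTERN);

    // Fix 1: one instance per thread, so no two threads mutate the same internal Calendar.
    static final ThreadLocal<SimpleDateFormat> PER_THREAD =
            ThreadLocal.withInitial(() -> new SimpleDateFormat(PATTERN));

    // Fix 2 (preferred): java.time's DateTimeFormatter is immutable and therefore thread-safe.
    static final DateTimeFormatter MODERN = DateTimeFormatter.ofPattern(PATTERN);

    /** Formats n distinct dates from 8 threads and counts outputs that differ from the correct string. */
    static int countCorruptions(boolean useShared, int n) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger bad = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(n);
        SimpleDateFormat reference = new SimpleDateFormat(PATTERN); // used only on this thread
        for (int i = 0; i < n; i++) {
            // Constructed sample dates, one minute apart, starting at epoch 2021-06-01 22:35 UTC.
            Date d = new Date(1_622_586_900_000L + i * 60_000L);
            String expected = reference.format(d);
            pool.execute(() -> {
                try {
                    String actual = useShared ? SHARED.format(d) : PER_THREAD.get().format(d);
                    if (!expected.equals(actual)) bad.incrementAndGet(); // e.g. "22:35 AM" or a wrong date
                } catch (RuntimeException e) {
                    bad.incrementAndGet(); // the shared instance can also throw mid-format
                } finally {
                    done.countDown();
                }
            });
        }
        done.await();
        pool.shutdown();
        return bad.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared SimpleDateFormat, corrupted outputs: " + countCorruptions(true, 200_000));
        System.out.println("ThreadLocal SimpleDateFormat, corrupted outputs: " + countCorruptions(false, 200_000));
        Date d = new Date(1_622_586_900_000L);
        System.out.println("java.time: " + MODERN.format(d.toInstant().atZone(ZoneId.systemDefault())));
    }
}
```

The shared run typically reports a non-zero count (the exact number varies with scheduling), the ThreadLocal run reports zero.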

Also pet hate of mine there in the exception: “conversion of a nvarchar data type”. Would it kill you to just tell me what the nvarchar value was which failed conversion?

it’s a pretty common spec that error messages cannot have values in them. it’s supposed to be completely memory safe etc. it gets hairy when values exceed 1kb, but yeah it’s painful. working with terrible code is the absolute worst.

it’s been 4 years since i touched java. but nowadays i wouldn’t even think of doing unixtime format/conversion until it’s in the db server. like insert into t values (from_unixtime(ts)) or something. i would also design datetime columns that are computed from ts column value.

reason is pretty simple, three years ago brazil changed timezones or something, so every db vendor had to release a patch to support it, and the functional testing for it was done at every big client project. that gives me confidence it was solid, on top of db’s internal unit/integration tests. there’s just no way most Java or even C++/C# code that’s worth anything went through the same crowd verification.

here you go guys, so you can look cool bringing this up at lunch with your coworkers.

https://www.teamten.com/lawrence/writings/dynamic_cast_std_integer_c.html

Is the following safe to run as a query against an SQL Server DB?

var queryName = " select 1 from MyTable where (name ='" + strInputKeyword.Replace("'", "''").Trim() + "') and active=1";

strInputKeyword is a fully untrusted and unvalidated string pulled from an HTTP query parameter. (To be clear, I did not write this and know it’s terrible for other reasons.)

Sprint numero uno (we named it “arby’s”! Isn’t that fun?) and in the first week I’ve already had a 3 point story added onto my workload as an interruption, and my boss fucked off on PTO for a week and I got relegated to all his stories, in addition to mine. Fun system.

Estimates are really fun too. Get assigned a task I know will be a week+, but the bosses expect it to take 3 days. So you just gotta say 3 days or however many points that is in this stupid fucking system.

Where’s my other agile hater at @Vict0ar

1 Like

No one answering this one? @Jalfrezi is a db guy I think. Seems to me like it’s an opening for SQL injection and I thought about experimenting with that, but got lazy.

Anyway, update on my software career, I’m on another contract. The first was like 2 months, but went over. This is 6 months. They were talking about employee vs. contract. Some people there are long term contract. I said I was pretty close to indifferent and re-evaluate in 6 months sounds good. 20-30 hrs a week. I will still do some solar - just the easiest/highest paying solar.

4 Likes

You don’t need to experiment. Any query using user data must be executed as a parameterized query where you pass a query format string and a list of parameters. Doing your own printf is how injection happens, so don’t – there is no cost to doing it right.

3 Likes

In SQL Server specifically this should be safe in a normal environment (by which I mean you’re connecting to the database with a normal driver and not some weird third-party one written in 1996).

1 Like

I wouldn’t trust that SQL query - too many ways it can go wrong. See this SO post for several creative possibilities that could defeat naive single quote escaping.

Actually, since the string literal isn’t preceded by an N (like N'some string') to specify Unicode, there’s some chance sending a Unicode parameter would break it. I’m not sure if this would work or not. You can try sending U+02BC in a string and see if you can break it.

Edit: The idea is that since that character is not ', the replace won’t work, but then the character is forced to ' when SQL translates to the local charset.

Proof of concept in SQL:

DECLARE @inputstring VARCHAR(MAX) = 'ʼ; SELECT ''injected'' AS [gotcha] --'
EXECUTE('SELECT 1 WHERE ''x'' = ''' + @inputstring + ''' AND 1 = 1')

This injects a second SELECT, output:

[screenshot of the query output]

I don’t know if this works in practice though or whether the driver/database will correctly interpret the string as Unicode. I think the latter, but I’m not 100% certain.
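An added example (not code from the thread) that models the ordering problem in the edit above: the quote-doubling runs on the Unicode string, but the lone quote only appears when the value is later narrowed to a non-Unicode charset. The best-fit mapping table, the narrowing routine and the helper names are assumptions for the model; whether SQL Server really maps U+02BC to ' is exactly what the post leaves open, and the remedy in either case is a parameterized query (or at least an N'…' literal so no narrowing happens).

```java
import java.util.Map;

public class QuoteEscapeOrder {
    // Assumed best-fit mapping applied when a Unicode value is narrowed to a single-byte
    // code page. This is a stand-in for the model, not a documented SQL Server table.
    static final Map<Character, Character> BEST_FIT = Map.of('\u02BC', '\'', '\u2019', '\'');

    // The same escaping as strInputKeyword.Replace("'", "''") in the question.
    static String naiveEscape(String s) {
        return s.replace("'", "''");
    }

    // Simulated narrowing of an NVARCHAR value to the server's VARCHAR code page.
    static String narrow(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) out.append(BEST_FIT.getOrDefault(c, c));
        return out.toString();
    }

    // The query from the question, with the (supposedly escaped) literal spliced in.
    static String buildQuery(String literal) {
        return "select 1 from MyTable where (name ='" + literal + "') and active=1";
    }

    /** True if every quote inside the literal is doubled, i.e. the literal cannot end early. */
    static boolean literalIsIntact(String literal) {
        for (int i = 0; i < literal.length(); i++) {
            if (literal.charAt(i) != '\'') continue;
            if (i + 1 < literal.length() && literal.charAt(i + 1) == '\'') {
                i++; // doubled quote: stays inside the literal
                continue;
            }
            return false; // a lone quote terminates the literal
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed input using the post's payload: U+02BC, not U+0027, at the front.
        String input = "\u02BC; SELECT 'injected' AS [gotcha] --";
        String escapeThenNarrow = narrow(naiveEscape(input)); // order used by the question's code
        String narrowThenEscape = naiveEscape(narrow(input)); // escaping done in the target charset
        System.out.println(buildQuery(escapeThenNarrow) + "\n  intact=" + literalIsIntact(escapeThenNarrow));
        System.out.println(buildQuery(narrowThenEscape) + "\n  intact=" + literalIsIntact(narrowThenEscape));
    }
}
```

Under the assumed mapping the first query reports intact=false (the narrowed U+02BC is a lone quote) and the second intact=true, which is why escaping must be done by the database driver, with parameters, rather than by string replacement on the client.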

Just read this. It’s a horrible way of running Agile which only really works if Devs set estimates in sprint planning meetings and if the PM thinks any are too high they can challenge.

New contract comes with this:

(It’s not really mine for keeps - but don’t people inherit things like this if they have them for work for a while because no one wants an old one?)

Intel core i9

I was given the option of a smaller mac that would have had a faster processor, but I wanted the bigger screen.

every job i’ve ever had took the mbp back. they last a good while. currently typing on mbp i got 4 years ago when i started. they have to take it back because asset management would lock me out anyway.

i also had several jobs where they gave thinkpads/lenovos. exactly one of those places let me keep it.

Thanks for this! Very helpful. I’ll let you know what the resolution is…