//UNSAFE (String Concatenation) query. Necessary for backward compatibility with the old system
//which stores the query and uses it while querying the ticket list
//Warning: Dynamic queries are UNSAFE and prone to SQL injection!! This should really be fixed..
//==========================================================
query += value;
//==========================================================
//SAFE (Parameterized) query not used due to compatibility issues :(
//==========================================================
//query += "@Value" + row.Index;
//SqlParameter param = new SqlParameter();
//param.ParameterName = "@Value" + row.Index;
//param.Value = value;
//cmd.Parameters.Add(param);
//==========================================================
Anyone else ever had to painfully write code against all better judgement due to limitations of legacy code? It's a terrible feeling.
Falco Girgis wrote:It is imperative that I can broadcast my narcissistic commit strings to the Twitter! Tweet Tweet, bitches!
MarauderIIC wrote:Yes. At least check to see if it's a digit
The values aren't digits though, they're arbitrary filter terms. I'm going to at least prevent single quotes and double dashes though. This is an internal app, so SQL injection isn't a huge deal as long as it's not easy to do accidentally.
MarauderIIC wrote:Oh, I wasn't paying attention. Was seeing "+ row.Index" and thought it was a digit, now I see you're modifying the variable name in the safe version.
Yeah, it's a bit out of context; this code is in a loop that iterates through the row collection of a UI grid of user-defined expressions in order to build a filter query.
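Added example, not code from the thread: the two loops from the first post rebuilt side by side, with SQLite standing in for the ADO.NET ticket database so it runs offline. The unsafe version also applies the quote-and-double-dash stripping proposed above; the Tickets(Id, Summary) table and its rows are constructed sample data, and the per-row parameter name mirrors the "@Value" + row.Index scheme.

```python
import sqlite3

# Constructed sample data standing in for the ticket list the thread queries.
TICKETS = [
    (1, "Printer jammed"),
    (2, "O'Brien cannot log in"),
    (3, "VPN -- drops every hour"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tickets (Id INTEGER, Summary TEXT)")
    conn.executemany("INSERT INTO Tickets VALUES (?, ?)", TICKETS)
    return conn


def unsafe_filter(terms):
    """Mirrors the posted UNSAFE loop: each user-defined term is spliced into
    the SQL text after stripping single quotes and double dashes."""
    query = "SELECT Id FROM Tickets WHERE 1=1"
    for value in terms:
        cleaned = value.replace("'", "").replace("--", "")
        query += " AND Summary LIKE '%" + cleaned + "%'"
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(query))
    finally:
        conn.close()


def safe_filter(terms):
    """Mirrors the commented-out SAFE loop: one named parameter per row
    index; the value travels out of band and never touches the SQL text."""
    query = "SELECT Id FROM Tickets WHERE 1=1"
    params = {}
    for index, value in enumerate(terms):
        name = "Value" + str(index)          # same idea as "@Value" + row.Index
        query += " AND Summary LIKE '%' || :" + name + " || '%'"
        params[name] = value
    conn = _connect()
    try:
        return sorted(row[0] for row in conn.execute(query, params))
    finally:
        conn.close()
```

Note that the stripping silently changes results for legitimate terms: a search for O'Brien matches nothing, and a term of just "--" matches every ticket, while the parameterized loop returns exactly the rows that contain the typed text.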