
Working with legacy applications

Posted: Tue Oct 16, 2012 2:54 pm
by dandymcgee


//UNSAFE (String Concatenation) query.  Necessary for backward compatibility with the old system
//which stores the query and uses it while querying the ticket list
//Warning: Dynamic queries are UNSAFE and prone to SQL injection!! This should really be fixed..
//==========================================================
query += value;
//==========================================================

//SAFE (Parameterized) query not used due to compatibility issues :(
//==========================================================
//query += "@Value" + row.Index;

//SqlParameter param = new SqlParameter();
//param.ParameterName = "@Value" + row.Index;
//param.Value = value;
//cmd.Parameters.Add(param);
//==========================================================

Anyone else ever had to painfully write code against all better judgement due to limitations of legacy code? It's a terrible feeling.

Re: Working with legacy applications

Posted: Wed Oct 17, 2012 12:02 pm
by MarauderIIC
Yes. At least check to see if it's a digit :(

Re: Working with legacy applications

Posted: Wed Oct 17, 2012 3:13 pm
by dandymcgee
MarauderIIC wrote: Yes. At least check to see if it's a digit :(
The values aren't digits though, they're arbitrary filter terms. I'm going to at least prevent single quotes and double dashes though. This is an internal app, so SQL injection isn't a huge deal as long as it's not easy to do accidentally.

Re: Working with legacy applications

Posted: Sun Oct 21, 2012 11:02 am
by MarauderIIC
Oh, I wasn't paying attention. Was seeing "+ row.Index" and thought it was a digit, now I see you're modifying the variable name in the safe version.

Re: Working with legacy applications

Posted: Sun Oct 21, 2012 12:56 pm
by dandymcgee
MarauderIIC wrote: Oh, I wasn't paying attention. Was seeing "+ row.Index" and thought it was a digit, now I see you're modifying the variable name in the safe version.
Yeah, it's a bit out of context; this code is in a loop that iterates through the row collection of a UI grid of user-defined expressions in order to build a filter query.
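An added example (not code from the thread) that mirrors the loop described above two ways: the UNSAFE `query += value` splice and the SAFE one-parameter-per-row form from the first post's commented-out code. It uses Python/sqlite3 in place of the thread's C#/SQL Server, with a constructed tickets table, and shows why stripping single quotes (as proposed above) would also reject legitimate filter terms such as a name containing an apostrophe.

```python
import sqlite3

# Constructed sample rows standing in for the ticket list.
TICKETS = [
    (1, "Printer jam", "O'Brien"),
    (2, "VPN down", "Smith"),
    (3, "Printer offline", "Nguyen"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tickets (id INTEGER, title TEXT, owner TEXT)")
    con.executemany("INSERT INTO tickets VALUES (?, ?, ?)", TICKETS)
    return con

def build_filter_unsafe(terms):
    """Mirror of `query += value`: each user-defined filter term is spliced
    into the SQL text, so a term containing a quote changes the statement."""
    clauses = ["owner LIKE '%" + t + "%'" for t in terms]   # no escaping at all
    return "SELECT id FROM tickets WHERE " + " OR ".join(clauses), ()

def build_filter_safe(terms):
    """Mirror of the commented-out "@Value" + row.Index code: one named
    placeholder per grid row; the term travels as a parameter, never as SQL."""
    clauses = []
    params = {}
    for index, term in enumerate(terms):
        name = f"Value{index}"            # per-row parameter name, like @Value<row.Index>
        clauses.append(f"owner LIKE :{name}")
        params[name] = f"%{term}%"        # wildcards belong to the value, not the SQL text
    return "SELECT id FROM tickets WHERE " + " OR ".join(clauses), params

def run_filter(builder, terms):
    """Execute the built query and return the sorted matching ids, or the
    sqlite error class name when the filter term broke the statement itself."""
    sql, params = builder(terms)
    con = make_db()
    try:
        return sorted(row[0] for row in con.execute(sql, params))
    except sqlite3.Error as exc:
        return type(exc).__name__
    finally:
        con.close()
```

Both builders return the same rows for plain terms; only the parameterized one survives the apostrophe in "O'Brien", which is exactly the value a quote-stripping filter would mangle.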