CodeSOD: Is It Safer to Use Numbers? |
Mac didn't know anything about how the JavaScript on the search page worked, and he wasn't that great at CSS styling, but that didn't matter. He had his orders. As part of the latest round of enhancements, the front-end developer had added another search parameter which would be passed via the regular search URL, and the back end needed to be adjusted to accomodate. (You know... instead of 'http://initrode.com/search?a=xxx&b=yyy' it now was 'http://initrode.com/search?a=xxx&b=yyy&c=zzz'.)
No problem. Mac made his tweak in the code and ran a quick test...which failed instantly in a spectacular way. "WTF? It's a parameter. Must be already used..." he thought, but nope.
Digging deeper, Mac came upon the following:
public enum eQueryParametersCount
{
New = 2,
Filtering = 3,
Navigation = 6,
SwitchView = 7
}
Odd. And then peppered throughout...
int iCount = Request.QueryString.Count;
if (iCount != (int)eQueryParametersCount.New
&& iCount != (int)eQueryParametersCount.Navigation
&& iCount != (int)eQueryParametersCount.Filtering
&& iCount != (int)eQueryParametersCount.SwitchView
)
{
logger.Log("QueryString error: invalid querystring");
Response.Redirect(PageManager.ErrorPage);
}
...and...
else if ((Request.QueryString.Count == (int)eQueryParametersCount.Filtering) && (!SetConfirmationMessage()))
{
if (!GetOverallQuality())
{
logger.Log("QueryString error: r not found or invalid value");
Response.Redirect(PageManager.ErrorPage);
}
}
In short, the previous coders figured that it was much better to 'count' the number of parameters to determine what the user wanted instead of actually reading them. It also means you can never have 3 params because that is taken by a different enum.
As Mac set about tearing things apart he found himself considering how tough it would really be to pick up some web design skills.
Photo credit: Laineys Repertoire / Foter / CC BY
| Комментировать | « Пред. запись — К дневнику — След. запись » | Страницы: [1] [Новые] |
