- Anime-Junkie wrote:
- I agree with Bael here, if there's a better solution, which there apparently is, they should be notified of it.
Oh, they are well aware of it. It is impossible that they have not heard of this problem and its solution; every SQL book talks about it; every online article about SQL injection attacks mentions parameters as a way to prevent attacks.
But I can hear you saying "But if everyone knows about it, why is it still a problem?" The reason problems like this are still around is because of situations like the following.
Bob is a programmer. Bob codes up a simple demo of an idea; he codes quickly and pays little attention to things like security and potential bugs because this is just a demo to see if the concept is sound. The demo will be built and analyzed for design problems that weren't obvious when he started building it, so that when he builds the real thing he can fix those design flaws.
At some point a critical error is made; someone, for some reason, decides not to start over from scratch, but instead decides to try to improve the quality of the demo program they have written. Sometimes this is a management decision, deciding that they don't really want to pay to recode something. Sometimes this is a programmer's decision, either because of laziness or time constraints. This is always a mistake, and an example of false savings (in my opinion at least). With possibly only one exception, it is not generally possible to take a demo and fix its structural defects in less time than it would take to analyze the demo and simply build a new, better program from scratch. (The one possible exception would be a project running under a "Test First" policy (tests are "micro programs" that automatically test your code for certain things, and help prevent bugs because you make tests to cover any bug you find, thus meaning that once you fix a particular bug, you will know the instant it shows up again (because the test covering it will fail if it does show up again)). Projects running under a "test first" policy just might have a flexible enough structure that you can fix it faster than it would take to rebuild it... maybe.)
Once the decision is made to not rebuild it, it becomes harder and harder to ever rebuild it, because there are more and more features built into the (originally) demo code, and each one of those features is patched into the original structure in a (probably) haphazard manner because of the structural flaws inherent in the design. Each new feature will likely interact in strange ways with existing ones, hiding some bugs and creating strange, twisting paths to others. You end up with situations like one I saw once: a multi-megabyte HTML file that had to be entirely downloaded across the internet, just so that about 100k of it would actually be shown to any one user... and over half of its 400+ pages were like that. (And no, I didn't write it, I just had to maintain a small part of it, thank God.)
The Windows ME/Windows 98 series of Microsoft Windows operating systems is a good example of this type of code bloat. Windows ME is Windows 98 with code tacked on. Windows 98 is actually mostly Windows 95 with new code tacked on. Windows 95 is actually mostly Windows 3.11 with new code tacked on. Windows 3.11 is actually DOS 4.0 (or something) with code tacked on. What this all means is that Windows 98 was restricted by design decisions made almost a decade earlier for a system radically different than what Windows 98 was trying to be; it also had bugs caused by all the strange interactions between the different systems. (Windows XP is from a different line, one that was handled much more cleanly, and Windows Vista and Windows 7 are a totally new line in and of themselves, and it shows: Windows 7 beats Windows XP in speed and features even when running on the same computer.)
tl;dr Someone at deviantART seems to have decided to do it cheap and quick, rather than right.
/Angry Programmer Rant... I am doing too many of these lately; I should make myself a blog to post them on so that they can be properly ignored without inconveniencing others.
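As an added illustration of the "parameters" fix the post above refers to (example code written for this page, not code from the poster or from deviantART): a lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table with made-up user names.

```python
import sqlite3

# Constructed in-memory table so the example runs offline; the names are
# made up for this illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # The insert is itself parameterised, so the apostrophe in O'Brien is
    # stored as data rather than terminating the string literal.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn

def lookup_concat(conn, name):
    """The demo-quality version: user input is pasted into the SQL text,
    so any quote character in it changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """The textbook fix: a bound parameter. The statement is parsed first
    and the value is supplied separately, so it can never become SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def concat_breaks(conn, name):
    """True if the concatenated query fails to parse for this input, i.e.
    the input was interpreted as SQL syntax instead of as a value."""
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    conn = make_db()
    for name in ("bob", "O'Brien"):
        print(name, "param:", lookup_param(conn, name),
              "concat breaks:", concat_breaks(conn, name))
```

A plain apostrophe in a name is enough to break the concatenated query, which is the same mechanism an attacker abuses; the parameterised version returns the matching row and never lets the value touch the statement text.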