And I mean every developer. If you are an entrepreneur and you are hiring a consultant to work on your hot idea you need to do this. It could cost you everything if you don’t.
I recently took on a side project. It’s a return to a project I did 2 years ago. Since I last worked on it there have been at least 2 other people on the project. I’m writing this for the Business Development guy (the guy I assume hired the other folks). I am not writing this to "cut" on the other developer (I am not perfect), but I did detect a flaw that for me is critical. So one of the other guys is not only not up to snuff IMNHO, but s/he shouldn’t be working anywhere as anything but entry level (I’m sorry to be so harsh, but when you understand what I’m talking about you’ll see why I’m being so harsh).
One more thing because I’m writing this more for a non-technical person. You don’t need to pretend to be technical. Pretend like you’ve hired someone to help you assess a programmer, and this is your one and only question.
The Question
When should/would you ever write code like the following (pick the version that applies to you):
// C# Code
string query = "select * from SomeTable where SomeID = " + cboField.SelectedValue;
SqlCommand cmd = new SqlCommand(query, connection);
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(ds);
' VB.NET (actually most versions of VB look something like this)
Dim query As String = " select * from SomeTable where SomeID = " + cboField.SelectedValue
Dim cmd As New SqlCommand(query, connection)
Dim da As New SqlDataAdapter(cmd)
da.Fill(ds)

' Thank you Telerik for the quick translation
The Answer
The simple answer is nowhere.
The biggest reason is security. That code enables something called SQL Injection. There are utilities that will let a hacker (actually you as a non-technical person could use them) steal your entire database via a single hole in your app like this. All kinds of bad things can happen as a result. I recently switched grocery stores because my old grocery store had an IT problem where my debit card number got stolen. That kills it for me. I won’t be going back. The same will be true of your customers (if you don’t get sued). So the proper answer to this question means a lot.
A second option is that the programmer might mention the DataSet. This is really less critical (and there are times to do this). The first line of the code is what should be singled out in your mind, because this will tell you if the programmer "gets" security. If s/he doesn’t understand it here... s/he probably won’t understand it elsewhere (you probably have a non-professional programmer pretending to be a professional programmer... take this from a guy who started as a non-professional and doesn’t have a programming degree).
If they suggest making any changes to the first line, then they know what the problem is. They pass. If they leave that first line alone, they fail. By the way, it doesn’t matter whether the programmer is building a web app, a Windows app, or some kind of service; this is a universal mistake.
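Here is what "changing the first line" means in practice. This is an added example, not code from the post: Python with the built-in SQLite module stands in for the C#/ADO.NET snippet above, and the table rows are constructed. The first function pastes the user-controlled value into the SQL text exactly as the post's first line does; the second keeps the SQL fixed and passes the value as a parameter, which is the same change a .NET developer makes with `SqlCommand.Parameters.Add` / `AddWithValue`.

```python
import sqlite3

# Constructed sample data standing in for the post's "SomeTable".
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SomeTable (SomeID INTEGER, Name TEXT)")
    conn.executemany("INSERT INTO SomeTable VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, selected_value):
    """Same pattern as the post's first line: the user-controlled value is
    glued into the SQL text, so it can change what the query means."""
    query = "select * from SomeTable where SomeID = " + selected_value
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, selected_value):
    """Hardened form: the SQL text is fixed and the value travels separately
    as a parameter. The database treats it as data only, never as SQL
    (ADO.NET equivalent: cmd.Parameters.AddWithValue("@id", value))."""
    query = "select * from SomeTable where SomeID = ?"
    return conn.execute(query, (selected_value,)).fetchall()


def compare(selected_value):
    """Run both versions on the same input; returns (concatenated, parameterized)."""
    conn = make_db()
    try:
        return (lookup_concatenated(conn, selected_value),
                lookup_parameterized(conn, selected_value))
    finally:
        conn.close()


if __name__ == "__main__":
    # An honest ID: both versions return the one matching row.
    print(compare("2"))
    # A value that is not a plain ID: concatenation lets it rewrite the WHERE
    # clause and dump every row; the parameterized query simply matches nothing.
    print(compare("2 or 1=1"))
```

The second call is the whole point of the post: the line the programmer should object to is the one that builds the query by concatenation, and the parameterized version is what a professional writes instead.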
No matter how cheap they are, they are creating problems that you don’t need. You can get a good programmer for a lower rate. For instance, I lowered my rate considerably to get a small piece of the pie on the app I’m working on.
posted on Saturday, June 14, 2008 9:18 AM