CodeSOD: Interned Sort
Caleb scored his first intership at a small, family-owned print-shop. Much to his surprise, the day before he started, their primary web-developer left for a bigger, more lucrative job. His predecssor was an experienced programmer, but came at solving problems in his own unique way. This meant no comments, no functions, no classes, SQL injection vulnerabilities everywere, and cryptic 500-character one-liners stuffed into the value attribute of an input tag.
Caleb spent his first day just trying to get the code running on his dev machine. On the second day, he sat down with a more experienced co-worker to try and understand some of the queries. For example, there was one query that needed to return product details sorted in some meaningful fashion- like by name. Weirdly, though, the page wasn't sorting them by name, except when it was- no one who used the product search understood the sort order.
Cabel dug in, expecting to see some variation on this:
SELECT `id`, `name`, `description`FROM productsWHERE `name` LIKE '%{$keyword}% 'ORDER BY `name`;
Instead, he saw this:
# $keyword is a PHP variable that was interpolated into the concatenated PHP string.# It is the search term the user entered, preserved here for clarity.SELECT T1.product.id AS product_id, T1.slug, T1.name, description, details, T2.media_id, url, T1.orderFROM ( SELECT product.id AS product_id, slug, name, description, product.details, text CASE WHEN name LIKE '$keyword' THEN 0 WHEN name LIKE '$keyword%' THEN 1 WHEN name LIKE '%$keyword' THEN 2 WHEN name LIKE '%$keyword%' THEN 3 WHEN product.details LIKE '%$keyword%' THEN 4 WHEN description LIKE '%$keyword% ' THEN 5 WHEN text LIKE '$keyword' THEN 6 WHEN text LIKE '$keyword%' THEN 7 WHEN text LIKE '%$keyword' THEN 8 WHEN text LIKE '%$keyword%' THEN 9 ELSE 10 END AS `order` FROM `product_option`, `product` WHERE `product_option`.`product_id` = `product`.`id` AND product.parent_id=0 AND ( name LIKE '%$keyword%' OR description LIKE '%$keyword%' OR product.details LIKE '%$keyword%' OR text LIKE '%$keyword%' ) ORDER BY `order`, name) AS T1 LEFT JOIN ( SELECT * FROM product_media WHERE product_media.order = 1) AS T2 ON T1.product_id=T2.product_id LEFT JOIN media ON T2.media_id=media_id)
He sat down with a more experienced developer, trying to understand what on Earth this was supposed to do. In the end, they couldn't figure it out, so they just replaced it with the straightforward ORDER BY name, and left some TODO comments confessing they don't know what they just replaced.
Caleb's boss stopped by after they released this change, complimenting him on how much better the product search page worked.
[Advertisement] Release!is a light card game about software and the people who make it. Play with 2-5 people, or up to 10 with two copies - only $9.95 shipped!