135
linuxxx
6y

We were learning to create a login system in mysql and php when one of my classmates showed me and the teacher his code.

He did a select all on the users table and looped through everything with a foreach.

We both tried to explain him why that wasn't the best method but he just refused to accept that.

He turned out a designer.

By the way, please never do it his way 😬

Comments
  • 31
    > Get count of entries
    > for(int i=1; i < count, i = i + i / i)
    > execute SELECT ALL and get the element at position i

    Wouldn't that be way more awesome?

    Also, who cares about the first entry 🤷‍♂️
  • 49
    Oh boy...
    He must be one of those people who would store passwords in cleartext, request the whole user table with AJAX and do the authentication by looping through it in JavaScript in the Browser.
    Fucking beautiful!
  • 18
    I hope he's a better designer than he is a developer!
  • 44
    delete from users where 'username' !=username;

    select * from users;

    This should allow him to get rid of the foreach loop
  • 9
  • 7
    @PonySlaystation I bet he would hardcode the database params into the js
  • 3
  • 4
    We have this in our legacy systems' production code. Takes forever to generate reports that are like a few mb...
  • 4
    if i would ever be an teacher, 1 and 6 would be rare as fuck, but if someone gets it he earned it.
  • 3
    @PonySlaystation Yeah he didn't see the point in hashing :/
  • 2
    Then he should log all his work on front end.

    User 1 not matching with username
    .
    .
    .
    Username matched with username but password did not match with pwd.
  • 1
    @PaperBag this is what I always do. SQL is for losers.
  • 1
    @TheMiper I'm disappointed that you even have a DB. Just keep it the credentials in a json file and loop over that, jeez.
  • 1
    @HollowKitty just keep it in the ram, what can possibly go wrong?
  • 1
    @TheMiper I think you just reinvented mongodb lol
  • 0
    gotta love it when people use technology *precisely* in such a way that circumvents the main point of that technology XD
  • 0
    Oh, I have done that too.
    Even worse, we had 4 Tables and instead of joining I nested 4 loops of this type and just hoped to never get more than 10 entries.

    School times, teacher didn't look at the code anyway and thankfully the dataset kept being small.

    At least this was not vulnerable to SQL injection (don't ask about XSS tho)
  • 0
    Some folk should simply not be allowed near databases. The number of "SELECT *" I've seen when only a few fields are wanted. Or worse, no WHERE part of the query where the selection logic will be done on the client end in a script or program.

    Or the ultimate one... SELECT * across an entire, large table without any criteria (thus fetching the entire table) as a sub-query within another database system, and then select specific fields with criteria on that system. Then complain to the hoster of the original database that "it is slow to get data".

    All of these have happened in business settings, by the way...
Add Comment