Patterns Nonsense

So, I'm looking through the patterns stuff on Microsoft's site and I come across the MVC stuff. Man, they do some rediculously lame things when implementing these patterns. The patterns themselves are ok, it is their implementation that is just horrendous. For example:

public class DatabaseGateway
{
   public static DataSet GetRecordings()
   {
      String selectCmd = "select * from Recording";

      SqlConnection myConnection =
         new SqlConnection(
            "server=(local);database=recordings;Trusted_Connection=yes");
      SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);

      DataSet ds = new DataSet();
      myCommand.Fill(ds, "Recording");
      return ds;
   }

   public static DataSet GetTracks(string recordingId)
   {
      String selectCmd =
         String.Format(
         "select * from Track where recordingId = {0} order by id",
         recordingId);

      SqlConnection myConnection =
         new SqlConnection(
            "server=(local);database=recordings;Trusted_Connection=yes");
      SqlDataAdapter myCommand = new SqlDataAdapter(selectCmd, myConnection);

      DataSet ds = new DataSet();
      myCommand.Fill(ds, "Track");
      return ds;
   }

So, first off, whose idea was it not to use a parameterized queries? Even if it was an integer coming in, I would still question their absence, but this is a string based id coming in to this method. Way to go, you just opened up your site to the easiest hack in the book.

Secondly, who on the content team loves static methods? Come on. I thought these examples were supposed to illustrate best practices and such... guess I was mistaken.

6 Comments

  • I just like the harded connection string in each method.

  • that's "hard coded"

  • At least they didn't put their password in there :-).

  • Rememember, these are examples of the patterns, not anything deeper. The implementation is also very insecure. I for one would not like a multi-page setup that included:





    1) Adding a bunch of stored procs to the DB.


    2) Locking down said procs with appropriately restricted SQL user accounts.


    3) Adding the connection string to the DPAPI store so my UN/PW aren't out hanging out there.


    4) Getting a mini lesson in "sn.exe" so I could sign my assembly.


    5) I could go on...





    Reading "Writing Secure Code 2nd Edition" opens your eyes and gives me a whole new series of complaints about sample code :-)





    Jesse - Forgive the C++ converts use of "static". They just think they are giving optimization hints to the compiler ;-)





    adam...


  • Yes, I agree they are just examples of patterns, but that isn't an excuse to put security holes in them, especially considering that someone new to patterns might just drop that code in their app and go, assuming that it was kosher. Yah, we know better, but the pleebs don't :-).

  • This simply stinks. If it's supposed to be best practice it should be _good_, and that example should be removed. And I miss the UML documentation too. Their (new?) example application for Scheduling doesn't really impress me either. But the patterns & practices initiative is starting to do good stuff though!

Comments have been disabled for this content.