this post was submitted on 03 Oct 2025
632 points (99.1% liked)

Programmer Humor
[–] x00z@lemmy.world 27 points 6 days ago (3 children)

This is still over-engineered. Just connect directly to the database from the client instead of having an API endpoint.

[–] Baizey@feddit.dk 1 points 3 days ago

Idk, let's just make a public google sheets and share the link

[–] ICastFist@programming.dev 4 points 6 days ago

Too much overengineering there as well. Just copy the entire database into a google spreadsheet

[–] TrickDacy@lemmy.world 3 points 6 days ago

I thought that was the joke.

[–] Buckshot@programming.dev 14 points 6 days ago (2 children)

I got dumped with fixing some bugs in a project written by a contractor who had literally done this but with extra steps.

Backend was sql server and c#/asp.

There was an api endpoint that took json, used xslt to transform to xml. Then called the stored procedure specified in request passing the xml as a parameter.

The stored procedure then queried the xml for parameters, executed the query, and returned results as xml.

Another xslt transformed that to json and returned to the client.

It was impressive how little c# there was.

Despite holding all the business logic, the sql was not in source control.

Worst thing with databases. Used to quote to my interns, "No spooky action at a distance" logic has to be in front of you and in git. Anything else is a recipe for bugs and undetectable errors.

[–] JackbyDev@programming.dev 0 points 5 days ago (1 children)

Seems very secure. As in job security. Because why the fuck did they make it so complicated.

[–] Buckshot@programming.dev 2 points 5 days ago

Yeah, maybe the contractor thought he'd get more work fixing it but he was long gone by the time I got it so I never met him

One of the bugs I got was performance because the search didn't work, with about 600,000 assets in the database it would timeout searching for one by exact match on ID. It took 45 minutes to return 1 result.

[–] julianwgs@discuss.tchncs.de 11 points 6 days ago (1 children)

Why not?

We did that for a Plotly dashboard in Python. We copied the database into a read-only in-memory sqlite database (it is quite small, only a couple thousand entries) to prevent any damages outside the dashboard. The data only gets updated every couple of days. You could skip this step. Then with sqlite you can restrict what action a query can use (SELECT, JSON, etc.) and you can restrict the instructions per query to prevent denial of service. It works like a charm and is much simpler than providing a REST API. Also the user might already know SQL.

I am actually planning something similar for a task management web app I am building at the moment (additionally to providing a REST API). No need to learn another query language like in Jira.
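One way to build the read-only sandbox the comment above describes, as an added Python example that is not the commenter's or the dashboard's own code (the `assets` table, its rows and the step budget are constructed assumptions): a fresh in-memory copy locked with `PRAGMA query_only`, an authorizer that permits only SELECT reads of public tables, and a progress handler that aborts runaway queries.

```python
import sqlite3

# Constructed sample data; the dashboard's real schema is not on the page (assumption).
SAMPLE_ASSETS = [(1, "router-a", "ok"), (2, "router-b", "degraded"), (3, "switch-c", "ok")]
PUBLIC_TABLES = {"assets"}  # the only tables a user-supplied query may read


def authorizer(action, arg1, arg2, db_name, source):
    """Compile-time gate: SELECT statements, built-in functions and reads of public tables only."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in PUBLIC_TABLES:
        return sqlite3.SQLITE_OK
    # Writes, schema changes, PRAGMAs, reads of sqlite_master, ATTACH, recursive CTEs: all fail to compile.
    return sqlite3.SQLITE_DENY


def build_snapshot():
    """Copy the data into a fresh in-memory database, then lock it down for untrusted SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO assets VALUES (?, ?, ?)", SAMPLE_ASSETS)
    conn.commit()
    conn.execute("PRAGMA query_only = 1")  # engine-level refusal of any write, independent of the authorizer
    conn.set_authorizer(authorizer)
    return conn


def run_user_query(conn, sql, max_steps=100_000):
    """Run one untrusted query under an instruction budget; returns ("ok", rows) or ("rejected", reason)."""
    used = 0

    def watchdog():
        nonlocal used
        used += 1000  # called every 1000 VM opcodes; a non-zero return interrupts the statement
        return 1 if used > max_steps else 0

    conn.set_progress_handler(watchdog, 1000)
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized" from the gate, "interrupted" from the watchdog
        return "rejected", str(exc)
    finally:
        conn.set_progress_handler(None, 0)


if __name__ == "__main__":
    db = build_snapshot()
    print(run_user_query(db, "SELECT name FROM assets WHERE status = 'ok'"))
    print(run_user_query(db, "UPDATE assets SET status = 'ok'"))
    heavy = "SELECT count(*) FROM assets a, assets b, assets c, assets d, assets e, assets f, assets g, assets h, assets i, assets j"
    print(run_user_query(db, heavy, max_steps=5_000))
```

The snapshot is what gets exposed, so even a mistake in the gate cannot reach the live database, which is the point of copying it rather than handing out a read-only user.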

[–] shoo@lemmy.world 18 points 6 days ago (1 children)

Couple of reasons of varying importance:

  • Security. Even when you limit operations or table access it's very easy to mess something up. Some new employee starts storing sensitive data in the wrong place or a db admin accidentally turns off the wrong permissions, etc...
  • It's secretly more overengineered than a standard api despite looking simpler. If your app needs extremely robust query capabilities then you probably have a use case for an entire analytics stack and could use an open source option. Otherwise your users probably just need basic search, filtering, sorting, etc...
  • Ungodly, Flex Tape tier tight coupling. Part of the purpose of an api is to abstract away implementation details and present a stable contract. Now if you want to migrate/upgrade the database or add a new data source, everyone has to know about it and it's potentially a major breaking change.
  • Familiarity. If someone else steps in to maintain it it's much easier to get up to speed with a more standard stack. You don't need a seven layer salad of enterprise abstraction bullshit, but it's useful to see a familiar separation of auth, queries, security, etc...
  • Having the option to do business logic outside of the database can save countless headaches. Instead of inventing views or kludging sprocs to do some standard transformation, you can pull in a mature library. Some things, such as scrubbing PII, are probably damn near impossible without a higher tier layer to work in.
  • Client support. Your browser/device probably has a few billion options for consuming a REST/HATEOAS/graphql/whatever api. I doubt there's many direct sql options with wide support.

I probably wouldn't do it outside of a tiny solo project. There are plenty of frameworks which do similar things (such as db driven apis) without compromising on flexibility, security or features.

[–] Blackmist@feddit.uk 6 points 6 days ago (1 children)

I did this just to reduce network latency. It's not for public use, and tbh, I don't think you can even get at it from outside the VPN.

[–] luciferofastora@feddit.org 8 points 6 days ago (1 children)
[–] Blackmist@feddit.uk 1 points 4 days ago (1 children)

I haven't been down to test their public wifi in the cafe to see if that can access it.

The guy who installed it used to work for us and is a known clown, so it's entirely possible.

Although if it is, there's way worse things they can do from there. Like connect to the actual database for a start.

[–] luciferofastora@feddit.org 1 points 4 days ago

Does the database use the same authentication and permissions as the API? If the API authenticates against the DB with a technical user, it may still be an exploitable vulnerability for people who can't access the DB directly but can access the API. I don't know what database it is, what other databases run on the same server and what privileges might be achievable or escalatable, but generally "there are worse weaknesses" isn't a solid security policy.

You could give me a VPN access and I'll take a look around :p

(Please don't, actually – in case it needs to be said, running pentests on prod is a dangerously bad idea already even before we get to the whole "trusting a stranger on the Internet just because they sound sorta knowledgeable" issue)

[–] kibiz0r@midwest.social 10 points 6 days ago (1 children)

Does ReST mean anything anymore? It was originally a set of principles guiding the development of the HTTP 1.1 spec. Then it meant mapping CRUD to HTTP verbs so application-agnostic load balancers could work right. And now I guess it’s just HTTP+JSON?

[–] codemankey@programming.dev 2 points 6 days ago (1 children)
[–] kibiz0r@midwest.social 1 points 6 days ago (1 children)

I understand it for normal words. But for an acronym? About a body of technical research? How are we supposed to refer to the thing that Fielding meant when he coined the term?

[–] codemankey@programming.dev 1 points 4 days ago

Lots of technical terms are used quite loosely I think. If you ask 10 people what a compiler is, or what functional programming is or what goes where on the OSI layers you’ll get different answers.

It’s not practical but that’s the world we live in.

[–] zarathustra0@lemmy.world 10 points 6 days ago (1 children)
[–] xav@programming.dev 8 points 6 days ago

That's a backdoor

[–] vane@lemmy.world 10 points 6 days ago

it's called microservice

[–] Dumhuvud@programming.dev 6 points 6 days ago

Hilariously enough, just today I read a blog post about a service where the client interacts with the database directly - https://clickhouse.com/blog/building-a-paste-service-with-clickhouse. While it's not your traditional OLTP database, it still kinda fits.

[–] GreenKnight23@lemmy.world 3 points 6 days ago (1 children)

some of the comments here are concerning....

Yeah, if I heard a junior dev say that in earshot I'd be pulling them into a room for the list-of-reasons-that's-dumb. Even the AI code assistants would directly say it's not advisable.

[–] TrickDacy@lemmy.world 5 points 6 days ago

I wish I could go back to rest apis. My company is all in on graphql and it fucking sucks so much ass.

[–] rocky1138@sh.itjust.works 4 points 6 days ago

I knew a person that did this

[–] db0@lemmy.dbzer0.com 183 points 1 week ago (1 children)

What could possibly go wrong. Little Bobby Tables would be proud.

[–] user224@lemmy.sdf.org 119 points 1 week ago (1 children)

Stop over-engineering shit, just do everything client-side like McDonald's: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities

[–] passepartout@feddit.org 123 points 1 week ago (1 children)

My friend who helped me research the OAuth vulnerabilities was let go for "security concerns from corporate"

Good old shooting the messenger.

[–] ZoteTheMighty@lemmy.zip 14 points 1 week ago (1 children)

I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.

[–] passepartout@feddit.org 16 points 1 week ago

It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald's would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.

[–] gravitas_deficiency@sh.itjust.works 60 points 1 week ago* (last edited 1 week ago) (2 children)

Lmfao

Exposed deprecated cred-inclusion URI format, wheeeee

And the db name is short for “analysis”, of course

🤓🫠

[–] RusAD@lemmy.blahaj.zone 3 points 6 days ago

Analytics, most likely

[–] kubica@fedia.io 17 points 1 week ago (1 children)

And the db name is short for “analysis”, of course

This person was probably a scientist (of any kind).

But also, perhaps a proctologist

[–] fubarx@lemmy.world 48 points 1 week ago
[–] IcedRaktajino@startrek.website 35 points 1 week ago (3 children)

I work with several people who would think this is a good idea.

When they push it to prod, and our WAF goes 403 on every request, then suddenly it's my problem to "fix". Eye Roll

[–] TrickDacy@lemmy.world 1 points 6 days ago

Are your coworkers 12?

[–] MaggiWuerze@feddit.org 29 points 1 week ago (1 children)

Can I just say, I love that little round gif at the end. That look so cool

Thanks :)

My home instance has some top-shelf custom emojis, so I try to use them. Janeway's eye roll gets a lot of mileage.

[–] negativenull@piefed.world 8 points 1 week ago (1 children)


(one of my favorite memes)

[–] IcedRaktajino@startrek.website 10 points 1 week ago (2 children)

"I get why we have a WAF, but can't you just, like, separate the good SQL injection from the bad SQL injection?" -- Developers I work with 😆

[–] eager_eagle@lemmy.world 22 points 1 week ago (1 children)
[–] troed@fedia.io 16 points 1 week ago

Great idea. How can we submit this to all AI scrapers?

/cybersec red teamer

[–] ozoned@piefed.social 9 points 1 week ago

I'm 100% for this. Because we'll find out VERY quickly what sites are dumb enough to do this. And then we know to stay away from them! :-D

[–] kolorafa@lemmy.world 8 points 1 week ago (2 children)

It's not as bad as you might think, the db user just needs to have read-only access permissions to specific database tables.

Ofc all data in tables need to be public, so more like a simple public facing page, app should not have any notion of users in any way, data probably populated by some automated system, and UI just to make it easier for anonymous users to view that data in a friendly way.

On top of that it will be a hell for the sysops as they will need to know the whole db structure and such, if even a single part of the db would contain non-public data, but that's overall the best guy to handle security in the first place.

And because all data is totally public in the first place you could give the task of creating frontend to any junior or LLM and it will be still secure.


But in truth it is a very bad idea (even if it is possible), because most likely the database connections would be reused so you could for example change the current connection session timezone or other params and that ofc would not change the data in the db but still could affect other users by showing wrongly formatted or shifted data.


also stop putting in extra work to handle queries; the user knows what they want so let them enter the queries themselves and save development time. database sanitization is just pointless busywork.
