Caught this gem from the BBC via Michael Tsai's blog:

“We moved almost immediately after we got married so it came up practically as soon as I changed my name, buying plane tickets,” she says. When Jennifer Null tries to buy a plane ticket, she gets an error message on most websites. The site will say she has left the surname field blank and ask her to try again.

Instead, she has to call the airline company by phone to book a ticket – but that’s not the end of the process.

“I've been asked why I'm calling and when I try to explain the situation, I've been told, ‘there's no way that's true’,” she says.

Sorry to say I pulled a legitimate LOL as soon as I read her last name. Ouch.

But my reaction? Gosh, which websites and what horrible programmers? I mean, even if you're a two-equals coder (you should use three, natch) in JavaScript, the weakest place I could think of off-hand, null != "null", and you've got no problem.


INSERT INTO Users (Name) VALUES ('Null') -- (as the result of a parameterized query)

... screwed up nobody ever. Which leads me to say...

This is not Little Bobby Tables.

bobby tables

This is stoopid.

We're all stoopid sometimes, but that's what this is. It's stoopid.


After a little more digging...

Seems I ran through the same steps in my head as the SO post the BBC includes, but the answer seemed obvious; this is the "worst case" I could think of going in...

The only reasonable workaround I can think of, short of fixing this bug in every damn version of ActionScript, is to test fields for "null" and escape them as CDATA values.

Well, duh. Though extend my sympathy for those who have a legacy system that still uses XML, not JSON. ;^)

What this really shows is...

  • There's waaaaaaay too much NIH syndrome in the enterprise
  • We're exceptionally bad at creating test cases
  • We need more imaginative coders.

If the name "Null" is still an issue three to six months from now, SHAME. No, ALL CAPS SHAME. FOR REAL. Horrible.

Wow. Seriously, I'm embarrassed for the profession. At worst, you needed to see why your client-side was "letting through" names that were empty so far that they got serialized to XML. Does nobody check the logs? Or are your logs so chatty you wouldn't see this error?


Labels: , ,