This is indeed worthy of

So here I am, victorious at last after two agonizing days of waging battle against what seems trivial in hindsight (and is indeed trivial in truth!). Two whole days of flirting with a simple logically illogical mess created by, surprisingly, not SQL but by my official tool and favorite punch-bag, Java!

This just goes to show that the more banal the bug, the more anguish and torment that it causes! In the end, the problem turned out to be so ridiculously obvious (again, in hindsight) that I wonder if this indeed even wtwtf! 😉 … Well, I cannot recover those two days of wasted effort (well, actually partially wasted as I did a lot of bypassing around it and could well afford to, since I am working on a huge feature for my product) but I can  at least try and salvage some honor from this humbling experience. Here is the code snippet (redacted for reasons twofold – proprietary software and ease of reading. The spirit of the mind-numbingly irksome bug still remains) :

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.DriverManager;

public class StructuredQuirkyLanguage {

	public static final String VMSERVER_TABLE_NAME = "VMServer";
	public static final int VMSERVER_ID = 0;
	public static final int ENCRYPTED_CREDENTIALS = 1;
	public static final String[] vmServerColNames = { "id",
			"encrypted_credentials" };

	public static void main(String args[]) {
		String tableName = VMSERVER_TABLE_NAME;
		String columnName = vmServerColNames[VMSERVER_ID];
		String updateColumnName = vmServerColNames[ENCRYPTED_CREDENTIALS];

		String encryptedCredentials = "3C8C537B6F88501F";
		String vmServerSystemIdString = "cba73408-261f-47c8-9e15-83f1c4c74598";

		encryptedCredentials = "\'" + encryptedCredentials + "\'";
		vmServerSystemIdString = "\'" + vmServerSystemIdString + "\'";

		String updateSql = "update " + tableName + " set " + columnName + " = "
				+ encryptedCredentials + " where " + updateColumnName + " = "
				+ vmServerSystemIdString + ";";
       try {
       } catch (ClassNotFoundException cnfex) {
		String databaseUrl = "jdbc:solid//localhost:1315";
		String username = "dba";
		String password = "dba";

		Connection connection = null;
		PreparedStatement stmt = null;
		int numRows = 0;

		try {

			connection = DriverManager.getConnection(databaseUrl, username,
			stmt = connection.prepareStatement(updateSql);

			numRows = stmt.executeUpdate();
			if (numRows != 1) {
				throw new SQLException("Could not update the database");


		} catch (SQLException sqlex) {
		} finally {
			if (connection != null) {
				try {
				} catch (SQLException sqlex) {


So let it be known that that was the last and final humiliation of z0ltan by anything lesser than z0ltan…. well, at least till next monday! 😉


(Note: The real wtf could be that you could fall for the same trap! See if you can find the problem. And oh yeah, the error dump wasn’t very helpful either –
[SOLID Table Error 13037]: Illegal DOUBLE PREC constant 😉


*wtwtf = worse than ‘worse than failure’!!! You saw that one coming, didn’t you?

This is indeed worthy of

8 thoughts on “This is indeed worthy of

  1. Anonymous says:

    Making your readers spend their time finding the same bug it took you two days to find isn’t wise. You might feel you’re giving us an interesting puzzle, but we’re more interested in the WTF-worthy bug than finding it in that pile of Java. (which is doubly useless for those of use not familiar with Java’s SQL interfaces).


  2. I guess you expected it to put 83F1C4C74598 in the encrypted_credentials varchar field ? 😛

    The real WTF is that you’re not using bind parameters and therefore desserve to be punished by public SQL injection.


  3. @Anonymous

    The thing is that when I wrote that specific method, I had no idea that it contained one misleadingly innocuous bug! If you have read the blog completely, you will find that I have completely accepted the fact that I was such a fool to miss it! So I am guessing folks out there are much more “aware” than I was! 😀


  4. @Eric D

    Hehehe… actually that was what I had been led onto by that error message squelched out by SOLID. But the bug is something so trivially mundane, I would not be surprised if someone were to scream out loud at the end of it!! Believe me, I nearly did! 😉


  5. @Michael Campbell

    Naaw…. pretty close again….

    Okay folks, seeing as to how I have had my share of fun, here’s the real wtf:

    In the line:

    String updateSql = “update ” + tableName + ” set ” + columnName + ” = ”
    + encryptedCredentials + ” where ” + updateColumnName + ” = ” + vmServerSystemIdString + “;”;

    See the “;” at the end ? 😉 😉 😉 … THAT was the freakin’ bug!!! The ‘prepareStatement’ does not require (or even take) that finicky character at the end, as we would expect would be required in SQL. So my guess is that that character was being (mis)interpreted as a DOUBLE PREC constant!!!



  6. That line should be of great concern, but not because of the semi-colon. As others have mentioned before, that string is super dangerous. Do yourself a favor and used prepared statements so you don’t get your tables deleted. thats even worse than wtwtf


Speak your mind!

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s