{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreic4ua2bnduv3y5ijeg57da57eu6chuv25le64cq2rn3c2obekdgnq",
"uri": "at://did:plc:vyjlfm46mfv6u4vjp6qtrfx2/app.bsky.feed.post/3mniaoqoyzxd2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreidg2k33tiuupnstmiowh7hyyvtsbe3gyhfygiytrzynysnhoctrxi"
},
"mimeType": "image/jpeg",
"size": 81260
},
"path": "/articles/build-up",
"publishedAt": "2026-06-04T06:30:00.000Z",
"site": "https://thedailywtf.com",
"tags": [
"CodeSOD"
],
"textContent": "If there's one thing that seems to be a constant source of issues, it's people constructing SQL queries through string concatenation. Even if you're using parameters in the query, I'm opposed to handling raw SQL as strings in my programs. My solution is always \"use a builder\": an API that constructs a syntax tree that it can then _render_ to SQL as needed, so the shape of the query comes from the builder's API rather than from hand-assembled strings. (Yes, a builder, not an ORM; that's a whole _other_ discussion. I'm not dogmatically _anti_-ORM, but an ORM is a leaky abstraction at best.)\n\nMany languages have such a thing, Java included. **Lukasz**'s team was using Java, and they had a rule: \"don't do SQL strings, use a builder\". Unfortunately for Lukasz's team, their guideline didn't specify what _kind_ of builder.\n\n\n    // \"builder\" here is java.lang.StringBuilder, not a query builder\n    StringBuilder builder = new StringBuilder();\n\n    builder.append(\"where ID_BSNGP = ? \");\n    builder.append(\"and ID_ITM = ? \");\n    builder.append(\"for update\");\n\n    SQLQuery query = new SQLQuery();\n\n    query.setQueryString(builder.toString());\n\n\nA `StringBuilder` is _a kind_ of builder. Technically correct and all that. It's just concatenation with extra steps, but it's a builder. Of course, the bonus point here is that this built query is… just wrong? `SELECT field FROM table WHERE condition FOR UPDATE` would make sense (`FOR UPDATE` is a suffix on a complete `SELECT`), but what gets built here is only a `WHERE` clause and the `FOR UPDATE` suffix; the `SELECT` list and the `FROM` clause are missing entirely.\n\nThat this code ran in production without anyone noticing means that whatever errors it triggered were swallowed or ignored, _and_ that it never mattered that no useful result ever came out of it. The real WTF is less the malicious compliance and more the fact that this obviously broken code wasn't so broken as to be _noticed_.",
"title": "CodeSOD: Build Up"
}