"UPDATE table_name SET w = $1, x = $2, z = $4 WHERE y = $3 RETURNING *",

does not do the same as

"UPDATE table_name SET w = $1, x = $2, y = $3, z = $4 RETURNING *",

It’s 2 am and my mind blanked out the WHERE, and just wanted the numbers neatly in order of 1234.

idiot.

FML.

  • KISSmyOS@lemmy.world
    811·
    9 months ago

    That’s an easy one to recover from:
    Simply fake your own death and become a goat herder in Guatemala.

    • kucing@lemmy.ml
      15·
      9 months ago

      I’ve read something like “there are two kinds of people: those who backup and those who are about to”

  • originalfrozenbanana@lemm.eeEnglish
    62·
    9 months ago

    This doesn’t help you but may help others. I always run my updates and deletes as selects first, validate the results are what I want including their number and then change the select to delete, update, whatever

    • NOPper@lemmy.world
      23·
      9 months ago

      I learned this one very early on in my career as a physical security engineer working with access control databases. You only do it to one customer ever. 🤷‍♂️

  • agilob@programming.devEnglish
    451·
    9 months ago

    All (doesn’t seem like MsSQL supports it, I thought that’s a pretty basic feature) databases have special configuration that warn or throw error when you try to UPDATE or DELETE without WHERE. Use it.

  • Blackmist@feddit.ukEnglish
    43·
    9 months ago

    You’re not the first. You won’t be the last. I’m just glad my DB of choice uses transactions by default, so I can see “rows updated: 3,258,123” and back the fuck out of it.

    I genuinely believe that UPDATE and DELETE without a WHERE clause should be considered a syntax error. If you want to do all rows for some reason, it should have been something like UPDATE table SET field=value ALL.

    • drekly@lemmy.worldOPEnglish
      1·
      9 months ago

      Because I’m relatively new at this type of thing, how does that appear on the front end? I’m using a js/html front end and a jsnode backend. Would I just see a popup before I make any changes?

      • Blackmist@feddit.ukEnglish
        2·
        9 months ago

        No idea. My tools connect directly to the DB server, rather than going though any web server shenanigans.

      • aravindan_v@programming.dev
        2·
        9 months ago

        If you’re asking about the information about the number of rows, oracle db clients do that. For nodejs, oracle’s library will provide this number in the response to a dml statement execution. So you can retrieve it in your backend code. You have to write additional code to bring this message to the front-end.

        https://oracle.github.io/node-oracledb/

        • drekly@lemmy.worldOPEnglish
          1·
          9 months ago

          Awesome, thanks for the info. Definitely super useful for debug mode whilst I’m fixing and tampering!

    • groucho@lemmy.sdf.orgEnglish
      2·
      9 months ago

      Yep. If you’re in a situation where you have to write SQL on the fly in prod, you have already failed.

      • XTornado@lemmy.ml
        4·
        9 months ago

        Me doing it for multiple years in a Bank…Uhm…

        (let’s just say I am not outting my money near them… and not just because of that but other things…)

        • groucho@lemmy.sdf.orgEnglish
          1·
          9 months ago

          Yeah, I swear it’s part of the culture at some places. At my first full-time job, my boss dropped the production database the week before I started. They lost at least a day of records because of it and he spent most of the first day telling me why writing sql in prod was bad.

    • XTornado@lemmy.ml
      2·
      9 months ago

      But the adrenaline man… some of us are jonkies of adrenaline but we are too afraid of anything more of physically dangerous…

    • olafurp@lemmy.world
      21·
      9 months ago

      Raw dog is the fastest way to finish a task.

      • productivity
      • risk

      It’s a trade-off

        • olafurp@lemmy.world
          4·
          9 months ago

          No, but people are sometimes forced to do these things because of pressure from management and/or lack of infrastructure to do it in any other way.

          Definitely don’t endorse it but I have done it. Think of a “Everything is down” situation that can be fixed in 1 minute with SQL.

      • Nailbar@sopuli.xyz
        16·
        9 months ago

        By running a select query first, you get a nice list of the rows you are going to change. If the list is the entire set, you’ll likely notice.

        If it looks good, you run the update query using the same where clause.

        But that’s for manual changes. OP’s update statement looks like it might be generated from code, in which case this wouldn’t have helped.

    • drekly@lemmy.worldOPEnglish
      3·
      9 months ago

      I did when I made the query a year ago. Dumdum sleep deprived brain thought it would look more organised this way

  • TeenieBopper@lemmy.world
    29·
    9 months ago

    I once dropped a table in a production database.

    I never should have had write permissions on that database. You can bet they changed that when clinicians had to redo four days of work because the hosting company or whatever only had weekly backups, not daily.

    So, I feel your pain.

  • SuperFola@programming.devEnglish
    27·
    9 months ago

    There is still the journal you could use to recover the old state of your database. I assume you commited after your update query, thus you would need to copy first the journal, remove the updates from it, and reconstruct the db from the altered journal.

    This might be harder than what I’m saying and heavily depends on which db you used, but if it was a transactional one it has to have a journal (not sure about nosql ones).

    • drekly@lemmy.worldOPEnglish
      4·
      9 months ago

      It is after the event that I find that postgres’ WAL journalling is off by default 🙃

    • elvith@feddit.de
      17·
      9 months ago

      Everyone has a production system. Some may even have a separate testing environment!

      • drekly@lemmy.worldOPEnglish
        6·
        9 months ago

        My only education is a super helpful guy from Reddit who taught me the basics of setting up a back end with nodejs and postgres. After that it’s just been me, the references and stack overflow.

        I have NO education about actual practises and protocol. This was just a tool I made to make my work easier and faster, which I check in and update every few months to make it better.

        I just open vscode, run node server.js to get started, and within server.js is a direct link to my database using the SQL above. It works, has worked for a year or two, and I don’t know any other way I should be working. Happy to learn though!

        (but of course this has set me back so much it would have been quicker not to make the tool at all)

        • max@feddit.nl
          31·
          9 months ago

          Have a look at an ORM, if you are indeed executing plain SQL like I’m assuming from your comment. Sequelize might be nice to start with. What it does is create a layer between your application and your database. Using which, you can define the way a database object looks (like a class) and execute functions on that. For instance, if you’re creating a library, you could do book.update(), library.addBook(), etc. Since it adds a layer in between, it also helps you prevent common vulnerabilities such as SQL injection. This is because you aren’t writing the SQL queries in the first place. If you want to know more, let me know.

          • drekly@lemmy.worldOPEnglish
            2·
            9 months ago

            Thanks, I’ll look into it! I’m interested in why you got downvoted though! 😅

            • jjjalljs@ttrpg.network
              3·
              9 months ago

              I didn’t downvote but some people like ideologically dislike orms. The reasons I’ve heard are usually “I can write better SQL by hand”, “I don’t want to use/learn another library”, “it has some limitations”

              Those things can be true. Writing better SQL by hand definitely is a big “it depends”, though.

              • max@feddit.nl
                2·
                9 months ago

                I can see why people might dislike them. Adds some bloat perhaps. But at the same time, I like the idea that my input is definitely sanitised since the ORM was written by people who know what they’re doing. That’s not to say it won’t have any vulnerabilities at all, but the chance of them existing is a lot lower than when I write the queries by hand. A lapse of judgement is all it takes. Even more relevant for beginning developers who might not be aware of such vulnerabilities existing.

                • drekly@lemmy.worldOPEnglish
                  1·
                  9 months ago

                  For a personal tool that runs locally I can handle some bloat in the name of safety!

            • max@feddit.nl
              2·
              9 months ago

              Short story, haters gonna hate ¯\_(ツ)_/¯ Long story, see my comment to the commenter below you. :)

        • jjjalljs@ttrpg.network
          2·
          9 months ago

          With that amount of instruction you’ve done well

          There’s probably lots of stuff you don’t even know you don’t know.

          Automated testing is a big part of professional software development, for example, and helps you catch things like this issue before they go live.

          • drekly@lemmy.worldOPEnglish
            1·
            9 months ago

            I’m up to 537 lines of server code, 2278 lines in my script, and 226 in my API interfacing, I’m actually super proud of it haha.

            But you’re totally right, there are things I read that I just have no clue what they even mean or if I should know it, and probably use all the wrong terminology. I feel like I should probably go back to the start and find a course to teach me properly. I’ve probably learned so many bad habits. It doesn’t help that I learned JS before ES6 so I need to force myself not to use var and force myself to understand and use arrow functions.

            I absolutely know that the way I’ve written the program will make some people cringe, but I don’t know any better. There are a few sections where I’m like “would that actually be what a real, commercial web app would do, or have I convoluted everything?”

            For example, the entire thing is just one 129-line html file. I just hide and unhide divs when I need a new page or anything gets changed. I’m assuming that’s a bad thing, but it works, it looks good, and I don’t know any better!

    • ck_@discuss.tchncs.de
      4·
      9 months ago

      If coffee simply does not get you out of bed in the mornings any more, you need to find your fix elsewhere 💁

    • Aganim@lemmy.world
      34·
      9 months ago

      Periodic, versioned and tested backups.

      It absolutely, totally, never ever happened to me that I had a bunch of backups available that turned out to be effectively unrestorable the moment I needed them. 😭

  • Phen@lemmy.eco.br
    16·
    9 months ago

    There was a time I worked as a third party for one of the 10 most accessed websites in my country. I got assigned to a project that has been maintained by another third party for 10+ years with no oversight. I have many stories from there but today’s is that this company had very strict access control to the production database.

    Third parties couldn’t access the database directly. All fine and good, except for the fact that we were expected to setup some stuff in the database pretty much every week. The dude who kept this project running for the previous decade, unable to get proper credentials to do his job, instead created an input box in some system that allowed him to run any sql code.

    You can already guess the rest of the story, right? For security reasons we had to do things in the least secure way imaginable. Eventually, wheres were forgotten.