I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button and it reaches out to a database and pulls all the data following that matches those parameters. The horrors of this were 1. The queries were hard coded.

  1. They were stored in a configuration file, in xml format.

  2. The queries were not 1 entry. It was 4, a start, the part between start date and end date, the part between end date and system and then the end part. All of these were then concatenated in the program intermixed with variables.

  3. This was then sent to the server as pure sql, no orm.

  4. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file so they encrypted it. Now I know what you’re thinking at some point you probably will need to modify or add to the configuration so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt but there were no visible buttons to access those functions. The program was written in winforms. You had to open the program in visual studio, manually expand the size of the window(locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.

  • Fmstrat@lemmy.world
    1·
    1 day ago

    #4 is a good thing. ORMs do not make queries better or safer, they make them easier for devs that don’t learn SQL or safe calls. In some cases, they have been shown to cause slowdowns.

  • Phoenixz@lemmy.ca
    421·
    3 days ago

    A program that HR had built so that all employees could they their payment receipts online

    The username was the companies’ email address, the password was a government personal id code that you can lookup online, a don’t change, and you can’t update the password to something else.

    So I told the director of HR this was a bad idea. She told me I was overreacting until I showed her her own receipt, then she finally understood that this is a really fucking bad idea.

    Okay, so now she out me in charge of debugging that program.

    So I setup a meeting with the director of the company they hired, he came by with the developer: a 21 yo girl who I think hadn’t finished college yet. Great start! Apparently it was her idea to do the authentication like that so that explains a few things.

    So we dive in to the code.

    First of all, the “passwords” were stored in blank, no hashing, no encryption, nothing. That wasn’t the worst.

    For the authentication she made a single query to check if the user email existed. Of that was true, then step two was a second query to see if the password existed. If that were true, the email had been authenticated.

    So let’s say, hypothetically, that they had actual passwords that people could change… I could still login with the email from anyone, and then use MY OWN password to authenticate.

    This just blew my mind so hard that I don’t think I ever fully recovered, I still need treatment. The stupidity hurts

    • groet@feddit.org
      19·
      3 days ago

      I wouldnt blame that on stupidity as much as on ignorance and naivety. Many people simply don’t think about anybody deliberately misusing their design. The idea that somebody could even want to access somebody elses receipts didn’t occur to them. And if they were still doing their studies they might not have known that you can “combine” SQL queries and ask for two things at once.

      I don’t blame the girl, but whoever chose her to design a system with sensitive information.

      • Phoenixz@lemmy.ca
        3·
        2 days ago

        I don’t blame a girl for doing a job that lands her food on the table. I blame the guy employing her because she’s the cheapest option

        Having said that, this design was so bad that she should not have been doing any of this. If you don’t know that SQL allows you to select multiple columns then by all means, do a tutorial, it’s not that hard.

        If you don’t even know what encryption is, that passwords need hashing and what not, then you should really question what you’re doing

        OPs question was about the worst code I’ve seen, that was the worst I’ve seen

        • RobertoOberto@sh.itjust.works
          1·
          2 days ago

          If you don’t even know what encryption is, that passwords need hashing and what not, then you should really question what you’re doing

          I agree with your point, but I would phrase it more generally: when we’re assigned a task in a problem space we are unfamiliar with, we should always take some time to research that space before designing our solution.

          After all, if we don’t know what encryption or password hashing are, how could we know that we need to learn about them first? But spending just a couple hours one morning reading about password and authentication management would have given the developer a good sense of best practices.

          So she either, A) didn’t think to familiarize herself with a new topic prior to working on it, or B) did read about it and ignored general industry guidance. Both of those options are more problematic to me than simply not knowing specific things. Those are process problems that need to be addressed to build her skills as a developer.

          But ultimately, in my opinion, this is really all the fault of the cheapass director who didn’t want to pay any experienced professionals to handle the task.

          • psud@aussie.zoneEnglish
            1·
            15 hours ago

            It wouldn’t take much google-fu to get a worked example of good authentication in whatever language. She can’t have tried, she must have just gone “programming 104 covered how to SQL, I can use that”

  • csm10495@sh.itjust.worksEnglish
    14·
    3 days ago

    There was something like

    # sleep for about a second on modern processors
math.factorial(10000)

    After it was found we left it in the code but commented out along with a sleep(1) for posterity.

    • Eranziel@lemmy.world
      2·
      3 days ago

      I saw one where the program ran a busy loop on startup to calculate how long it took. Then it used that as an iterations-to-seconds conversion for busy loops between scheduled actions.

  • quinkin@lemmy.world
    27·
    4 days ago

    XML-DOM page templates stored in a database, line by line.

    So rendering a page started with:

    select * from pages

    where page_id = ‘index’

    order by line_number asc;

    Each line of XML from each record was appended into a single string. This string was then XSLT transformed to HTML, for every page load.

    • dejected_warp_core@lemmy.world
      12·
      4 days ago

      This has to be one of the worst ways to reinvent a filesystem that I’ve ever heard. At the very least, storing static data in an relational database at this scale should be a slappable offense.

      • quinkin@lemmy.world
        10·
        4 days ago

        The session data, that would have been fantastic to have in a relational, queryable, reliable and trustable format was stored as a single giant string of PHP pickled data structure in a session file associated with the users cookie id.

  • Valmond@lemmy.world
    24·
    4 days ago

    The architect sending a pointer over an API, in hexadecimal string format. char *c = “71E4F33B” just cast it on the right structure bro.

    Just to add, we only did C/C++, on windows mfc, in a monolithic software.

    I spent quite some time assuring myself that I was not the insane person before bringing it up with him.

    • groet@feddit.org
      6·
      3 days ago

      A memory pointer? So it must have been a program sending a pointer using an API to itself so it ends up in the same process again?

    • wer2@lemmy.zip
      2·
      3 days ago

      Mine was very much like that, but they also deleted the pointer after sending it, but before receiving it for good measure.

  • softkitteh@lemmy.blahaj.zoneEnglish
    29·
    4 days ago

    Oh boy, this one was a doozy…

    Was working at a very big company named after a rainforest on smart home products with integrations for a certain home assistant…

    New feature was being built that integrates the aforementioned home assistant with customer’s printers so they can ask the assistant to print stuff for them.

    The initial design lands from our partner team with a Java backend service fairly nicely integrated with some CUPS libraries for generating the final document to be sent to the customer’s printer. All good.

    They are about to launch when… uh oh… the legal team notices an AGPL licensed package in one of the CUPS library’s dependencies that was absolutely required for the document format needed by the project and the launch is cancelled.

    So the team goes off in a panic looking for alternatives to this library and can’t find any replacements. After a month or two they come back with their solution…

    Instead of converting the document directly in the backend service with the linked CUPS library (as AGPL is a “forbidden license” at this company) the backend uploads the initial document to an S3 bucket, then builds a CUPS document conversion bash shell script using some random Java library, the shell script is then sent (raw) to a random blank AWS host that comes prepackaged with CUPS binaries installed (these hosts were not automated with CI/CD / auto updates as was usually mandated by company practice because updating them might remove the CUPS binaries, so they required a ton of manual maintenance over the service’s lifetime…), the bash shell script is then executed on that “clean” host, downloading the document from S3, converting it via the CUPS command line binary, then reuploading it to another S3 bucket where the Java backend picks it up and continues the process of working the document through the whole backend pipeline of various services until it got to the customer’s printer.

    This seemed to satisfy the legal team at the very least, and I have no doubt is probably still in production today…

    The kicker though? After all those months of dev work from a whole team (likely all on 6 figure salaries), and all the time spent by various engineers including myself on maintenance and upkeep on that solution after it was transferred to us?

    An alternative, completely unrestricted corporate license was available for the package in question for about $100 per year so long as you negotiated it with the maintainers.

    But that was a completely unacceptable and avoidable cost according to upper management…

  • Mr. Satan@lemmy.zip
    14·
    3 days ago

    So this is not as bad as some of the other stories I’ve seen, but I’ll bite.

    It was an old .NET Framework MVC app. Some internal product management system or something. There was a need to do a PDF export in one of the use cases, so someone implemented it. It wasn’t a good implementation: one big controller, mixing UI and business logic, etc. However, it basically came down to a single private method in a specific controller for a page.

    Now time passes and lo and behold, we need a PDF export in another page for a different use case. “No problem,” - same dev, probably - “I already solved this problem. I’ll just reuse the PDF generation logic.”
    Now, any sane person would probably try to refactor the code responsible for PDF stuff into a separate service (class) and reuse it. A less sane, but somewhat, acceptable approach would have been to just copy paste the thing into another controller and call it a day.

    Ha! No no no no no no… Copy pasting is bad, code should be reused…

    The end solution: REFLECTION. So the dev decided that the easiest way to make it work was to: 1) use reflection to inject one controller into another; 2) then use reflection again to get access and call that private method for PDF rendering into a stream.

    Fortunately I didn’t have to fix that fragile mess. But I did my fair share of DevExpress corpse hacking and horrible angular “server side rendering” workarounds.

  • AnarchistArtificer@slrpnk.netEnglish
    22·
    4 days ago

    I don’t have any specific examples, but the standard of code is really bad in science. I don’t mean this in an overly judgemental way — I am not surprised that scientists who have minimal code specific education end up with the kind of “eh, close enough” stuff that you see in personal projects. It is unfortunate how it leads to code being even less intelligible on average, which makes collaboration harder, even if the code is released open source.

    I see a lot of teams basically reinventing the wheel. For example, 3D protein structures in the Protein Database (pdb) don’t have hydrogens on them. This is partly because that’ll depend a heckton on the pH of the environment that the protein is. Aspartic acid, for example, is an amino acid where its variable side chain (different for each amino acid) is CH2COOH in acidic conditions, but CH2COO- in basic conditions. Because it’s so relative to both the protein and the protein’s environment, you tend to get research groups just bashing together some simple code to add hydrogens back on depending on what they’re studying. This can lead to silly mistakes and shabby code in general though.

    I can’t be too mad about it though. After all, wanting to learn how to be better at this stuff and to understand what was best practice caused me to go out and learn this stuff properly (or attempt to). Amongst programmers, I’m still more biochemist than programmer, but amongst my fellow scientists, I’m more programmer than biochemist. It’s a weird, liminal existence, but I sort of dig it.

  • NotMyOldRedditName@lemmy.world
    16·
    4 days ago

    For anyone who knows and understands Android development, process death, and saved state…

    The previous dev had no understanding of any of it, and had null checks with returns or bypassing important logic littered all over the app, everywhere.

    I could only assume he didn’t understand how all these things were randomly null or why it was crashing all the time so he thought oh, i’ll just put a check in.

    Well, you minimize that app for a little bit, reopen it, and every screen was fucked visually and unusable, or would outright crash. It was everywhere. This was before Google introduced things like view models which helped but even then for awhile weren’t a full solution to the problem.

    It was many many months of just resolving these problems and rewriting it the correct way to not have these problems.

    • Kazumara@discuss.tchncs.de
      10·
      4 days ago

      Oh I remember. There are tons of events and associated handlers. Even just switching to landscape view stops and restarts an android view I think. Friends at uni handled that problem by disallowing landscape view instead of handling it hahah

      • NotMyOldRedditName@lemmy.world
        6·
        4 days ago

        Friends at uni handled that problem by disallowing landscape view instead of handling it hahah

        😭

        Such a tragic and common ‘solution’ because it doesn’t actually solve it, it just delays it until someones minimizes the app for 30 minutes and re opens it, or one of the many many other ways that also trigger it.

        I’ve had some apps that I do lock to portrait, but I would disable that flag on debug builds, since rotating the phone was the easiest way to test for some of those bugs. I didn’t worry about a good looking UI since it’d be locked in portrait, I just used it to test for bugs.

  • jjjalljs@ttrpg.network
    28·
    4 days ago

    There was a website where users could request something or other, like a PDF report. Users had a limited number of tokens per month.

    The client would make a call to the backend and say how many tokens it was spending. The backend would then update their total, make the PDF, and send it.

    Except this is stupid. First of all, if you told it you were spending -1 tokens, it would happily accept this and give you a free token along with your report.

    Second of all, why is the client sending that at all? The client should just ask and the backend should figure out if they have enough credit or not.

    • vrek@programming.devOPEnglish
      141·
      4 days ago

      I agree but I would say if there are variable token costs depending on report it would be nice if client sent request to server, server calculates x tokens to be used, sends x to client, client confirms that’s acceptable, server does work.

      Like if I expected a report to be 2 tokens but because of some quirk or a typo or something it cost 200 tokens I would like a chance to cancel it if it’s not worth it.

  • moopet@sh.itjust.worksEnglish
    7·
    3 days ago

    Lots. But one that springs to mind is a custom CMS where a new dev decided to print out the sql generated for a particular content type on paper. He took it to the CTO without comment.

    What was wrong?

    It was 12 pages.

    • vrek@programming.devOPEnglish
      2·
      3 days ago

      Am I reading that right, that he printed out the generated sql query?

      If so depending on context that may make sense to complain about. A 12 page sql query would be insane, something sounds like their are other issues.

      That said I probably wouldn’t go to cto, I would go to manager or a senior dev and ask why it was so complex to get a particular content type. If there were no performance issues or bugs I would just ask out of curiosity.

      • moopet@sh.itjust.worksEnglish
        1·
        2 days ago

        Yes, the generated SQL query. It basically consisted of a lot of WHERE x IN (1,2,3,4) clauses for all the document IDs that matched something or other, and then repeated for the next JOIN. Small company, CTO was our direct boss and in the same open-plan office.

  • FigMcLargeHuge@sh.itjust.worksEnglish
    96·
    5 days ago

    Long time ago, but by far the worst for me was when I inherited some code that a previous programmer had done. Every variable was a breakfast item. So if biscuit>bacon then scrambledeggs=10. Shit like that. It was a nightmare and luckily I only had to deal with it infrequently.

    • CaptDust@sh.itjust.works
      52·
      5 days ago

      Why do people do stuff like this, is the logic not difficult enough to follow on it’s own without a secondary definition table to consult!? Fucking hell.

      • Björn@swg-empire.de
        14·
        4 days ago

        Had a programmer like this when I was still an apprentice. He was so full of himself. Was originally a Java programmer but had to program in PHP because that was what ran on the server. I never found out why he couldn’t just put Java on the server. We had full control.

        All his variables were first names. Like $klaus and $grobi. Because he was afraid of clashing with reserved keywords. The thing is, in PHP all variables begin with $ exactly to prevent this issue. So he brought that habit over from Java which was far superior and not such a “Mickey Mouse language”.

        I mean, he wasn’t totally wrong, especially back then PHP was awful. But he surrounded every function with <?php and ?> (PHP was designed to be combined with HTML output outside of these tags) and had plenty of whitespace between them and couldn’t fathom why all his html files had huge swaths of whitespace at the start.

        His way of preventing SQL injection was to look for SQL keywords in user input and then throwing an error in the log files.

    • vrek@programming.devOPEnglish
      291·
      5 days ago

      I don’t know what’s worse… That program or that you put biscuits greater than bacon…

      Actually I think the greater crime is biscuits being greater than bacon

    • Quibblekrust@thelemmy.clubEnglish
      10·
      4 days ago

      Oh god, that’s worse than I’ve seen where a SQL query joining 10 tables aliased all of the tables as a, b, c, d, e, f, g, h, i, j.

      It was a mess, and as a new dev on the project, trying to figure out which where clause was for which table and how things worked was a fucking nightmare. Trying to keep a dictionary of letters to real table names in your head as you looked at the query was very taxing. In the end, I just fixed it all to stop using aliases. Or to use short abbreviations.

      Here’s a mock example:

      SELECT
    j.delivery_eta,
    c.cat_desc,
    a.part_number,
    h.region_label,
    f.wh_loc,
    e.emp_last,
    g.state_flag,
    b.mfg_title,
    i.ship_track_code,
    d.order_sum,
    a.created_on,
    j.last_scanned_at,
    e.emp_first,
    c.cat_code,
    g.state_level
FROM parts AS a
INNER JOIN manufacturers AS b 
    ON a.manufacturers_id = b.id
INNER JOIN categories AS c 
    ON a.categories_id = c.id
INNER JOIN orders AS d 
    ON a.orders_id = d.id
INNER JOIN employees AS e 
    ON d.employees_id = e.id
INNER JOIN warehouses AS f 
    ON a.warehouses_id = f.id
INNER JOIN inv_state AS g 
    ON a.inv_state_id = g.id
INNER JOIN regions AS h 
    ON f.regions_id = h.id
INNER JOIN shipments AS i 
    ON d.shipments_id = i.id
INNER JOIN logistics AS j 
    ON i.logistics_id = j.id
WHERE
    (b.mfg_title LIKE '%Corp%' OR b.mfg_title LIKE '%Global%')
    AND c.cat_desc NOT IN ('Unknown', 'None', 'Legacy')
    AND (d.order_sum > 1000 OR d.order_sum BETWEEN 250 AND 275)
    AND e.emp_last ILIKE '%berg'
    AND (f.wh_loc IN ('A1', 'Z9', 'M3') OR f.wh_loc IS NULL)
    AND g.state_flag IN ('ACT', 'PENDING')
    AND h.region_label NOT LIKE 'EXT-%'
    AND (i.ship_track_code IS NOT NULL AND i.ship_track_code <> '')
    AND (j.delivery_eta < NOW() + INTERVAL '90 days' OR j.last_scanned_at IS NULL)
    AND (a.part_number ~ '^[A-Z0-9]+$' OR a.part_number IS NULL)
    AND (
        (c.cat_code = 'X1' AND g.state_level > 2)
        OR
        (e.emp_first ILIKE 'J%' AND d.orders_id IS NOT NULL)
    );
      • psud@aussie.zoneEnglish
        1·
        14 hours ago

        That’s how mainframe programmers at my workplace do SQL. I think they do it due to long table and field names and narrow mainframe COBOL files

    • hddsx@lemmy.ca
      211·
      5 days ago

      I don’t know how old you are but when I was in school, this was just going out of style. They saw this as job security. If you’re the only one who can work on the code, then they won’t fire you

  • deadbeef79000@lemmy.nz
    53·
    4 days ago

    A registration form and backend that would return the error “please choose more unique password” if you choose a password that was already stored (in plain text) in the database against another username.

    I shit you not.

    • psud@aussie.zoneEnglish
      1·
      14 hours ago

      Create a moderately ok password, hash it, use the hash as your nice unique password, as a private joke for when the database leaks and yours is the only password that’s hashed and you start getting spam saying they know your password hunter2 (because they incorrectly dehashed the password) or 2ab96390c7dbe3439de74d0c9b0b1767 (md5 sum of hunter2; because they correctly read it as plain text)

  • HakFoo@lemmy.sdf.org
    66·
    5 days ago

    Floats for currency in a payments platform.

    The system will happily take a transaction for $121.765, and every so often there’s a dispute because one report ran it through round() and another through floor().

    • RecallMadness@lemmy.nz
      5·
      4 days ago

      Lmao.

      Using floats for nearly anything in a finance platform should be grounds for immediate dismissal.

    • FishFace@piefed.socialEnglish
      11·
      4 days ago

      Presumably every so often there’s a dispute because 0 + (0.3 + 0.3 + 0.3) - 0.3 - 0.3 - 0.3 is not equal to 0 (in floating point arithmetic).

      • psud@aussie.zoneEnglish
        1·
        14 hours ago

        Round is the safest way of using decimals for money as it corrects 10.499999999 (decimal fractions can’t be stored precisely in floats as binary can’t precisely represent all 2 digit decimals) to 10.50, where floor would take it to 10.49

        It is safer to count in cents and have a policy to handle fractions of cents from divisions