I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button and it reaches out to a database and pulls all the data that matches those parameters. The horrors of this were:
1. The queries were hard coded.
2. They were stored in a configuration file, in XML format.
3. The queries were not 1 entry. It was 4, a start, the part between start date and end date, the part between end date and system and then the end part. All of these were then concatenated in the program intermixed with variables.
4. This was then sent to the server as pure SQL, no ORM.
5. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file so they encrypted it. Now I know what you’re thinking: at some point you probably will need to modify or add to the configuration so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt but there were no visible buttons to access those functions. The program was written in WinForms. You had to open the program in Visual Studio, manually expand the size of the window (locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.

Unless I’m missing something, this is a pretty bog standard SQL injection, yeah?
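The four-fragment concatenation described above, next to the parameterised form that fixes it. This is an added example, not the program from the post; the fragments, table and rows are constructed stand-ins.

```python
import sqlite3

# Constructed stand-ins for the four XML fragments the post describes:
# the start, the piece between start date and end date, the piece between
# end date and system, and the tail. User input is glued in between them.
FRAGMENTS = (
    "SELECT ts, system, reading FROM readings WHERE ts >= '",
    "' AND ts <= '",
    "' AND system = '",
    "' ORDER BY ts",
)

def build_concatenated(start, end, system):
    """The post's pattern: input becomes part of the SQL text itself."""
    return FRAGMENTS[0] + start + FRAGMENTS[1] + end + FRAGMENTS[2] + system + FRAGMENTS[3]

# Hardened form: one fixed statement, values bound as parameters so the
# database never parses them as SQL.
PARAM_SQL = ("SELECT ts, system, reading FROM readings "
             "WHERE ts >= ? AND ts <= ? AND system = ? ORDER BY ts")

def make_db():
    """Constructed sample table, in memory, so the block runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings(ts TEXT, system TEXT, reading REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("2024-01-02", "boiler-1", 71.5),
        ("2024-01-03", "boiler-1", 72.0),
        ("2024-01-03", "O'Brien rig", 12.3),
    ])
    return conn

def query_concatenated(conn, start, end, system):
    return conn.execute(build_concatenated(start, end, system)).fetchall()

def query_parameterised(conn, start, end, system):
    return conn.execute(PARAM_SQL, (start, end, system)).fetchall()

def concatenation_breaks(conn, start, end, system):
    """True when the glued statement is no longer valid SQL: the database
    is parsing user data as syntax, which is exactly what injection exploits."""
    try:
        query_concatenated(conn, start, end, system)
        return False
    except sqlite3.OperationalError:
        return True
```

A system name with an ordinary apostrophe is enough to break the concatenated query while the parameterised one returns the matching row; the same mechanism is what lets crafted input change the query's meaning.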
Back in the day, a C program to handle estimating procurement costs for complex government contracts. We had to figure out the code and write it in a different language. It was just one giant loop, no functions, with variables named V1, V2, V3, etc. Hundreds and hundreds of them. I still shudder at the horror of it all.
I worked on a laser seam welder which basically was programmed in a mix of g code and I guess vb??
The fun part was variables could only be numbers between 100 to 999. So let’s say you have a sensor and need to verify it’s within a certain range. You could set #525 to 10 and #526 to 20 then say #527 = sensor 1 signal. Now lower down you verify it as if(#525 > #527 || #526 < #527){show error}
Now you could create each variable at the beginning with comment of what it was but then have to keep referring to the top to remind yourself what number was what. Or create the variable at first use so it was closer but now it’s spread across the document.
I went with first case and just printed out the first 2 pages which listed all the variables.
Before you ask, I talked to the guy who wrote the language and made the system many times he confirmed you couldn’t use variable names.
G Code is basically a geometric scripting language and isn’t Turing complete in basic implementations. Every manufacturer pretty much also has their own dialect that is Turing complete.
Gcode with control commands and variables is called, no shit, Macro G Code. It’s Turing complete. That form of variable names is normal and is inherited from hardware registers/banks and TTL.
It’s not unusual for a save dialog to be labelled Punch as it has a direct lineage from punch tape.
Kind of like assembly and a graphing calculator had an abortion together.
Lol, yeah I’ve written g-code from 4 different manufacturers and yeah it’s a new experience each time.
I wonder at what point it would be easier to make a compiler to convert variable names into those numbers
If you did and it was usable across multiple cnc manufacturers you could make a pretty penny.
The script I vibe coded to automate part of my job. It’s sloppy and unrefined, but it works, and saves me a ton of effort.
I hate vibe coding. However, this is the best use of it. I’ve done it several times for scripts and basic HTML dashboards.
Agreed. I wouldn’t write an entire app with an LLM, but for basic scripting and backend UIs, it’s perfect for when you just need something quick and inelegant that works.
I have nothing against AI when it’s used as a tool instead of a crutch.
For anyone who knows and understands Android development, process death, and saved state…
The previous dev had no understanding of any of it, and had null checks with returns or bypassing important logic littered all over the app, everywhere.
I could only assume he didn’t understand how all these things were randomly null or why it was crashing all the time so he thought oh, I’ll just put a check in.
Well, you minimize that app for a little bit, reopen it, and every screen was fucked visually and unusable, or would outright crash. It was everywhere. This was before Google introduced things like view models which helped but even then for awhile weren’t a full solution to the problem.
It was many many months of just resolving these problems and rewriting it the correct way to not have these problems.
Oh I remember. There are tons of events and associated handlers. Even just switching to landscape view stops and restarts an android view I think. Friends at uni handled that problem by disallowing landscape view instead of handling it hahah
Friends at uni handled that problem by disallowing landscape view instead of handling it hahah
😭
Such a tragic and common ‘solution’ because it doesn’t actually solve it, it just delays it until someone minimizes the app for 30 minutes and reopens it, or one of the many many other ways that also trigger it.
I’ve had some apps that I do lock to portrait, but I would disable that flag on debug builds, since rotating the phone was the easiest way to test for some of those bugs. I didn’t worry about a good looking UI since it’d be locked in portrait, I just used it to test for bugs.
XML-DOM page templates stored in a database, line by line.
So rendering a page started with:
select * from pages
where page_id = 'index'
order by line_number asc;
Each line of XML from each record was appended into a single string. This string was then XSLT transformed to HTML, for every page load.
This has to be one of the worst ways to reinvent a filesystem that I’ve ever heard. At the very least, storing static data in a relational database at this scale should be a slappable offense.
The session data, that would have been fantastic to have in a relational, queryable, reliable and trustable format, was stored as a single giant string of PHP pickled data structure in a session file associated with the user’s cookie id.
This sentence has made me violently ill. Please take it back.
I don’t have any specific examples, but the standard of code is really bad in science. I don’t mean this in an overly judgemental way — I am not surprised that scientists who have minimal code specific education end up with the kind of “eh, close enough” stuff that you see in personal projects. It is unfortunate how it leads to code being even less intelligible on average, which makes collaboration harder, even if the code is released open source.
I see a lot of teams basically reinventing the wheel. For example, 3D protein structures in the Protein Database (pdb) don’t have hydrogens on them. This is partly because that’ll depend a heckton on the pH of the environment that the protein is. Aspartic acid, for example, is an amino acid where its variable side chain (different for each amino acid) is CH2COOH in acidic conditions, but CH2COO- in basic conditions. Because it’s so relative to both the protein and the protein’s environment, you tend to get research groups just bashing together some simple code to add hydrogens back on depending on what they’re studying. This can lead to silly mistakes and shabby code in general though.
I can’t be too mad about it though. After all, wanting to learn how to be better at this stuff and to understand what was best practice caused me to go out and learn this stuff properly (or attempt to). Amongst programmers, I’m still more biochemist than programmer, but amongst my fellow scientists, I’m more programmer than biochemist. It’s a weird, liminal existence, but I sort of dig it.
This one is funny because it 100% still exists somewhere, but I haven’t had the chance to verify it again.
Okay so basically it’s a data recorder box (ex: brainbox) that connects to a bunch of industrial sensors and sends the data over the network with your preferred method.
Built-in firmware gives you an HTTP webui to login and configure the device, with a user # and password.
I think the user itself had a built-in default admin which was #0, which everyone uses since there wasn’t really much use for other users.
Anyway, I was looking at the small JS code for the webui and noticed it had MD5 hashing code that was very detailed with comments. It carefully laid out each operation, and explained each step to generate a hash, and then even why hashes should be used for passwords.
Here’s the kicker: It was all client side JS, so the login page would take your password, hash it, and then send the hash over plaintext HTTP POST to the server, where it would be authenticated.
Meaning you could just mitm the connection to grab the hash, and then log in with the hash.
I sat there for like 10 minutes looking at the request over and over again. Like someone was smart enough to think “hey let’s use password hashing to keep this secure” and then proceeded to use it in the completely wrong way. And not even part of like a challenge/handshake where the server gives you a token to hash with. Just straight up MD5(password).
It was so funny because there were like a hundred of these on a network, so getting a valid hash was laughably easy.
I never got to check if this was fixed in a newer firmware version.
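Why the client-side MD5 in the post is a static password-equivalent token, next to the single-use challenge/response the post says was missing. This is an added example, not the device’s firmware; the user table, nonce format and HMAC construction are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed user table: the device in the post stored md5(password) and
# used numeric user ids, with #0 as the default admin.
USERS = {"0": hashlib.md5(b"correct horse").hexdigest()}

# --- Scheme from the post: client hashes, server compares the hash as-is ---
def client_login_weak(password):
    """What the login page puts on the wire: a static, replayable token."""
    return hashlib.md5(password.encode()).hexdigest()

def server_verify_weak(user, presented_hash):
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, presented_hash)

# --- Challenge/response the post says was missing: single-use server nonce ---
class ChallengeServer:
    def __init__(self):
        self.outstanding = {}  # user -> nonce issued but not yet consumed

    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.outstanding[user] = nonce
        return nonce

    def verify(self, user, nonce, proof):
        issued = self.outstanding.pop(user, None)  # consume: a nonce works once
        stored = USERS.get(user)
        if stored is None or issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, proof)

def client_respond(password, nonce):
    """Client proves knowledge of the verifier without sending it."""
    verifier = hashlib.md5(password.encode()).hexdigest()
    return hmac.new(verifier.encode(), nonce.encode(), "sha256").hexdigest()

def replay_demo(password="correct horse"):
    """Returns (legit_ok, weak_replay_ok, challenge_replay_ok): whether a
    value captured from one successful login is accepted a second time."""
    captured = client_login_weak(password)
    weak_replay_ok = server_verify_weak("0", captured) and server_verify_weak("0", captured)
    srv = ChallengeServer()
    nonce = srv.challenge("0")
    proof = client_respond(password, nonce)
    legit_ok = srv.verify("0", nonce, proof)
    challenge_replay_ok = srv.verify("0", nonce, proof)  # same capture, sent again
    return legit_ok, weak_replay_ok, challenge_replay_ok
```

The nonce stops wire replay but does not replace TLS, and because the stored md5 is the HMAC key, anyone who dumps the server’s user table can still answer challenges; a slow, salted server-side hash is the fix for that half.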
It was a Java project and every class was in a separate Maven module.
First of all, lack of ORM isn’t bad. It’s not a good or bad thing to use them or not use them. What’s bad is not sanitizing your query inputs and you don’t need an ORM to do that.
I think the worst thing I’ve seen is previous devs not realize there’s a cost to opening a DB connection. Especially back when DBs were on spinning rust. So the report page that ran one query to get all the items to report on, then for each row ran another individual query to get that row’s details was probably one of the slowest reports I’ve ever seen. Every DB round trip was at minimum 0.1 seconds just to open the connection, run the query, send back the data, then close the connection. So 10 rows per second could be returned. Thousands of rows per page has people waiting several minutes, and tying up our app server. A quick refactor to run 2 queries instead of hundreds to thousands and I was a hero for 10 min till everyone forgot how bad it was before I fixed it.
It’s the round trips that kill you.
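The per-row report pattern from the comment above and the two-query refactor, with round trips counted so the difference is visible. This is an added example, not the original report code; the wrapper, tables and rows are constructed.

```python
import sqlite3

class CountingConnection:
    """Wraps sqlite3 and counts executes, standing in for the per-query
    open/run/close round trip the post describes."""
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.round_trips = 0

    def execute(self, sql, params=()):
        self.round_trips += 1
        return self.conn.execute(sql, params)

def seed(db, n_items):
    """Constructed sample data: each report item has one detail row."""
    db.conn.execute("CREATE TABLE items(id INTEGER PRIMARY KEY, name TEXT)")
    db.conn.execute("CREATE TABLE details(item_id INTEGER, qty INTEGER, price REAL)")
    for i in range(1, n_items + 1):
        db.conn.execute("INSERT INTO items VALUES (?, ?)", (i, f"item{i}"))
        db.conn.execute("INSERT INTO details VALUES (?, ?, ?)", (i, i, 1.5 * i))
    db.round_trips = 0  # setup does not count

def report_n_plus_one(db):
    """The pattern from the post: one query for the list, one more per row."""
    rows = []
    for item_id, name in db.execute("SELECT id, name FROM items").fetchall():
        qty, price = db.execute(
            "SELECT qty, price FROM details WHERE item_id = ?", (item_id,)).fetchone()
        rows.append((item_id, name, qty, price))
    return rows

def report_two_queries(db):
    """The refactor: fetch the list, then all details in one IN (...) query
    and join them in memory. Placeholders come from the count, never from
    the data, so this stays parameterised."""
    items = db.execute("SELECT id, name FROM items").fetchall()
    ids = [item_id for item_id, _ in items]
    placeholders = ",".join("?" * len(ids))
    detail_rows = db.execute(
        f"SELECT item_id, qty, price FROM details WHERE item_id IN ({placeholders})", ids)
    details = {item_id: (qty, price) for item_id, qty, price in detail_rows}
    return [(item_id, name, *details[item_id]) for item_id, name in items]
```

Databases cap the number of bound parameters per statement, so for very large id lists chunk the IN query or use a JOIN; the round-trip count stays small either way.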
Oracle drivers for .NET are fun. Have a user client application which uses quite a lot of data, but a few thousand rows are fetched in some queries. It’s way too slow for any larger query, turns out for the batch query kind of work we do, the default FetchSize for Oracle is just a performance killer. Just throw it to 128 MB and it doesn’t really hurt at all.
Worst thing I’ve seen though, apart from the 150 line long dynamic SQL stored in our database, was probably a page in our program that loaded about 150 rows from the database. Normally we do create a new connection for each query, but it’s fine since Oracle has a connection pool. Whatever millisecond is trumped by the round trip. But imagine a UI so badly written, it did 4 separate database queries for EACH row it loaded into the UI list. Useless things like fetching a new ID for this row in case it is changed, reading some data for the row I think, and more. Thing took a solid minute to load. There were so many bad patterns in that page that even during the PR for improving the speed it was just dealing with a mess because you couldn’t just rewrite the entire thing, so they had to make it work within the constraints. Horrible thing to work with.
Our CFO’s social security number, contact info, and just about everything you’d need to impersonate them inside a random shell script that was being passed around like drugs at a party for anyone to use. Oh and it had an API key to our payments processor hard coded into it.
That was the tip of the iceberg of how bad the systems were at the company. All of these are from the same company:
- A fintech based company with no billing team
- An event system that didn’t event
- A permissions system that didn’t administer permissions
- A local cache for authentication sessions. Which means that requests would intermittently fail auth because the session was only on one replica. If you hit any of the other ones, you’d get an unauthenticated error
- A metrics collection system that silently lost 90% of its data
- Constant outages due to poorly designed and implemented systems (and lack of metrics… hmmm)
- Everything when I joined was a single gigantic monolith that was so poorly implemented they had to run at least 3 different versions of it in different modes to serve different use cases (why the fuck did you make it a monolith then?!)
- The subscriptions system was something like 20 or 30 database tables. And they were polymorphic. No one could touch the system without it breaking or that person declaring failure, which leads me to …
- A database schema with over 350 tables, many of which were join tables that should have been on the original table (fuck you scala/java for the limitations to the number of fields you can have in a case class). Yes you read that right. Table A joined to table B just to fill in some extra data that was 1:1 with table A. Repeat that a few dozen times
- History tables. Not separate from the original table, but a table that contained the entire history of a given piece of data. The worst example was with those extraneous join tables I just mentioned. If you went and changed a toggle from true to false to true to false, you’d have 4 records in the same table. One for each of those small changes. You’d have to constantly try to figure out what the ‘latest’ version of the data was. Now try joining 5 tables together, all of them in this pattern.
- Scala… I could go on a tirade about how bad scala is but needless to say, how many different error handling mechanisms are there? Scala decided to mix all of them together in a blender and use them all together. Scala is just two white paper languages in a trenchcoat. Never use it in a production system
- A dashboard for “specialists” that was so easy to overwhelm that you could do it by breathing on it due to the LACK of events that it needed
- Passwords stored in plain text (admittedly this was in the systems of the company we acquired while I was there). Doesn’t matter if they were actually <insert algorithm here>, they were visible in a dashboard accessible by employees. Might as well have been plain text
- A payments system that leaked its state into a huge part of the rest of the system. The system ended up being bifurcated across two systems, I was brought in to try to clean up some of the mess after only a couple of months. I desperately tried to get some help because I couldn’t do it solo. They ended up giving me the worst engineer I’ve ever worked with in my 15 year career, and I’ve seen some bad engineers. Looking back, I’m reasonably confident he was shoving our codebase into an AI system (before it was approved/secured, so who knows who had access) and not capable of making changes himself. I could make several posts about this system on its own
- I could go on but I’ll cut it off there
A switch that would just return the input value with a constant offset … hardcoded for over 40 consecutive values.
Another kind of “code” but:
The poll in an Excel sheet the office sent via email. You had to fill it out and send it back, so they could type it off in another Excel sheet.
That’s where I realized that people have fundamentally different approaches in thinking and problem-solving.
Am I getting it correctly that the excel sheet was basically a form to fill in, with fields and labels, but as a spreadsheet? If so, that sounds pretty clever to me - there’re many better ways to do this, but if everybody working there has excel anyways, that’s a fast and easy way to get the data in a unified and automatable format without any extra infrastructure.
Nope. Like “what to get for the company party? A, B or C”.
Workflow: open Excel sheet to know what it is about, save it, edit it, drag&drop it to the answer-mail. That could have been one of the zillions of online polling tools.
It was a single PHP file containing upper tens of thousands of lines of code (i.e. probably 60k+ but I no longer recall the exact amount). And the horrors didn’t stop there. Function names and code formatting were haphazard, some functions were descriptive enough to be helpful(ish) like check_if_first_friday_of_month() but most were literally along the lines of function12() with no comments to indicate the purpose. A̸n̶d̷ ̴t̵h̵e̵ ̸h̷o̵r̶r̸o̷r̵s̸ ̸d̷i̸d̵n̷’̷t̶ ̵s̶t̴o̸p̸ ̷t̵h̶e̶r̵e̶.̴ This application was storing sensitive personal information in the database in plain text. And the horrors didn’t stop there.
Congrats to the developer, though. This project was the one that finally got him fired and he immediately pivoted into a management position at a big tech company (don’t recall which but it might’ve been Microsoft or IBM) making an order of magnitude more money.
I’m not going to share it here because it’s code I’ve written. I’m hiding in my own shame
All about PTC’s God awful piece of shit PLM/PDM systems IntraLink and PDMlink. I cannot believe the amount of trash code that company uses. And they get paid millions to basically screw the customers over. The customer’s CAD gets intertwined in a huge heap of automated HTML garbage. This leads to a total disaster.