ASPX everywhere!



  • For some time now my wife has been working on setting up an online store to sell some products.

    Somehow, a friend of hers found out and proposed us to use his custom made e-store solution in exchange of testing it out (You probably see where this is going).

    This guy decided one day (four years ago) that none of the existing e-store software was custom enough for him so he decided to build one by his own, from scratch, with .Net

    Now, I should have known better before my wife accepted his offer simply by checking on the facts:

    • Shared Windows hosting in 1&1
    • IIS, MSSQL & .Net

    Fair enough, you can do great stuff with this stack (SO for example) but also allows any person with a Windows PC to start hacking their way into programming hell and release it to others to suffer.

    Guy is a self-learner without any formal education. I'm in no way going to neglect someone for not having a degree but the jump from bar owner to web developer is not an easy one and this shows:

    • No source control
    • No unit tests
    • No version control nor stable releases.
    • Everything is .Net generated HTML/JS
    • Every label is in the database... or not.
    • No idea what a virtual host is (I simply copy the folder from my instance)
    • Lots of features but no sane UX
    • No localization (breaks prices, validation and currency if your browser is in a different language)
    • Plain text passwords

    Guy spent two days doing a deploy of our site and still there are things that doesn't work because our store is a copy of his always-in-development store. Tried to talk him into using git, but he prefers to have different folders (AKA brute-force source/version control). I'm afraid.

    I don't how or why, but everything which is created (product, post, category) seems to generate a .aspx page. Literally, each product has its own file because if I want to I can modify each page metadata individually. I created the "males" category two times by mistake and now I can see that I have males.aspx and males1.aspx. This smells like a bigger WTF than I thought.

    The thing has a lot of features (blog, news, stats, social, zoom) but not a way of adding colors and sizes to a product. Because of so many features, navigating the admin part of the site is crazy and there are oh-so-many forms for oh-so-many little things.

    Anyway, it works, sort of, because there are so many little annoyances that makes it unusable. I haven't spent a single hour and I'm already trying to convince my wife to change to something else.



  • It's the smell of a program made by a smart, competent individual who is not a programmer.



  • I expect someone can explain to me how it's possible that it generates a file for each element and if this is something which .Net does by default or it's something which he had to explicitly do.



  • Oh no, at some point he probably thought it was a good idea, so he made it happen. Like I said, a person who is used to think through a problem, just no experience with the science of programming.


  • FoxDev

    @cartman82 said:

    Oh no, at some point he probably thought it was a good idea,

    it's for performance! no need to keep going back to the database when a page is requested. and if the base template/generation rules change you just need to do a full rebake of the pages.

    ... why does that sound familiar?


  • area_deu

    This is most definitely NOT something ASP.net does on it's own. OTOH if the source code is generated dynamically, this (partly) explains why he doesn't want to use source control...



  • Here's the page that lists the different stuff I already added. As shown, from here, you can modify each page title, keywords and description.

    Also, I got a glimpse of this same page on his testing store and it has 1000's of entries like those in the picture.



  • Great, I can upload a table of products... [spoiler]using an MDB file [/spoiler] :angry:


  • BINNED

    @cartman82 said:

    Oh no, at some point he probably thought it was a good idea, so he made it happen.

    So he's a Jeff?



  • @Luhmann said:

    So he's a Jeff?

    Nope.

    @cartman82 said:

    It's the smell of a program made by a smart, competent individual who is not a programmer.



  • @Eldelshell said:

    I expect someone can explain to me how it's possible that it generates a file for each element and if this is something which .Net does by default or it's something which he had to explicitly do.

    Not a .NET default. He had to set it up for that.



  • @Eldelshell said:

    Plain text passwords

    At some point, I think deployments of software that doesn't hash passwords on services that handle financial or personal data should become illegal, and the software authors should not be able to disclaimer away their liability on this matter. (I feel the same about SQL injections and am rapidly cloning on feeling the same about buffer overflows and other memory errors.)

    (I'm assuming you mean the database stores the password rather than a hash, instead of meaning that it's transmitted to the server without SSL.)

    That point is reason enough to dump his software.



  • @EvanED said:

    At some point, I think deployments of software that doesn't hash passwords on services that handle financial or personal data should become illegal, and the software authors should not be able to disclaimer away their liability on this matter.

    Absolutely. It is so easy to work with hashed passwords. And an inexperienced programmer doesn't even need to worry about it since there are so many libraries and plugins out there that will do it for you.

    Well, expect for the "illegal" part. Based on past experience, you just know that if they tried to pass a law on this it would be written in such a way that other software problems could become unsolvable. Not because the problems are technically impossible, but because the solution would violate the law. Not only that, but would you like to consult a lawyer every time you needed to write a user authentication module? Not to mention, you'd need a whole new breed of programming-competent lawyers. Ugggh!



  • Spitballing here:

    Hm. There's nothing (well, except the normal permissions system...) to prevent C# from just writing new aspx pages in its site. I'd be surprised if IIS JIT compiled them or served them up, though-- I'm pretty sure IIS compiles the whole site at first-run and doesn't touch it afterward.

    Then again, maybe he just wrote a scheduled task to issue an IIS Reset every 5 minutes.



  • ASP.Net has several execution models. It is capable of compiling inline code on the fly, in a manner similar to how classic ASP worked.



  • Bleark. I bet MS coded that just to make people like this dev-clown here happy.



  • @abarker said:

    Not only that, but would you like to consult a lawyer every time you needed to write a user authentication module?

    You wouldn't have to consult a lawyer every time you wrote an auth module any more than a professional engineer consults a lawyer every time they sign their name to a structure plan. You would have to know the requirements, and know that you met them.

    I don't think we're at the point where we could feasibly have or want a software equivalent to an actual engineering certification... but I do think it's time to start importing ideas from that world for a limited class of very-preventable problems in higher-stakes programs.

    (I also think that another part of my ideal plan would be that the requirements wouldn't apply to every auth module. If TDWTF used Discoplaintextpasswords I'd be at least somewhat okay with saying that shouldn't necessarily be illegal because of the lower stakes. What I would do as dictator would be to establish a two-level (or maybe more) system. Software authors who don't feel like sticking their neck out wouldn't be required to, but then administrators would be prohibited from using that software for installations holding personal or financial data. If the software author is willing to take on the responsibility, they could declare their software as free of these elementary vulnerabilities and then administrators would be free to use it. A third-tier for life-critical software (e.g. cars, medical devices) with more rigorous standards I think would also be useful, though I'm not sure what standards you'd use. The main difficulty I'd see -- and it's a big one -- would be getting basic stuff like the OS, libc, and language runtime certified. I think an exception would have to be made for those.)



  • @EvanED said:

    professional engineer

    Oh no you did not write that.

    @EvanED said:

    they sign their name to a structure plan

    You can't compare software to civil engineering, and that's one of the reasons of lame software this days. Once a plan is signed by the engineer, it's built and no one will change it. You (engineer) cannot guarantee that it won't fail under any circumstance or that it wont change or that a change in underlying code won't break it. Hell, we read everyday about bugs as old as 30 years made by even the smartest people. You gonna sue the guys of OpenSSL or Bourne (famous for BASH)?



  • @EvanED said:

    You wouldn't have to consult a lawyer every time you wrote an auth module any more than a professional engineer consults a lawyer every time they sign their name to a structure plan.

    Structural engineering and software engineering are very different though. Structural engineering doesn't evolve very quickly. It is somewhat governed by the laws of physics. These limitations mean that they can take their time to study and investigate new materials and processes before modifying existing laws and regulations.

    Software engineering, by comparison, evolves quickly. A regulatory body wouldn't have time to analyze new technology and adapt existing regulations before the next one came out. And we can't afford to slow down the pace of software evolution because we are just keeping even with hackers as it is, and even that is questionable.

    Also, everything in @Eldelshell's post.



  • @Eldelshell said:

    You can't compare software to civil engineering

    @abarker said:

    Structural engineering and software engineering are very different though. Structural engineering doesn't evolve very quickly

    It's almost like I said

    @EvanED said:

    I don't think we're at the point where we could feasibly have or want a software equivalent to an actual engineering certification

    :-)

    That's why I'm only "proposing" certification that something is free of a certain small number of bugs -- not that something be certified to be bug free, or work exactly as specified or as intended under all (or even all reasonable) conditions.



  • @EvanED said:

    That's why I'm only "proposing" certification that something is free of a certain small number of bugs

    And that takes me back to my original point: any regulation starts with intervention by politicians. When politicians interfere with something they don't understand, they end up writing laws with unintended consequences. Usually, this means that the law does more than intended. In this case, it would most likely result in a law that made certain techniques unusable. Or it would make certain coding styles illegal. Or any of thousand of possibilities that would make working on software nearly impossible.

    tl;dr: regulating software development is a bad idea because politicians are idiots.



  • Fuck, this shit is getting on my nerves. I just added all the products, but since the site isn't supposed to be selling anything I decided to set the stock amount of every item to 0. Which, and for some reason, sends each item to an out-of-stock state in which I can't modify it.



  • @Eldelshell said:

    sends each item to an out-of-stock state in which I can't modify it.

    WTF? Why can't you edit an item that isn't in stock?



  • @abarker said:

    tl;dr: regulating software development is a bad idea because politicians are idiots.

    You would also end up with software only from regulated companies like Accenture, Oracle, IBM, MS or PWC and we all know how that well works.



  • @abarker said:

    WTF? Why can't you edit an item that isn't in stock?

    Good question I did ask.

    His response:

    Weird, you seem to have a newer version than the one in my laptop and I haven't tested it yet.

    So basically I'm in version 0.0.3454345-DEV-9 and he has 0.0.3454345-DEV-1 and he's fixing shit in my live store. That's agile!


  • ♿ (Parody)

    @blakeyrat said:

    I'm pretty sure IIS compiles the whole site at first-run and doesn't touch it afterward.

    It's page by page... but you can "precompile" your site. ASP.NET sees an .aspx http request, then looks in the cache for a compiled page; if uninclused, then the .aspx page is compiled and cached. The cache is cleared every time app pool is recycled.

    I guess, uh, it's good for people who like to be able to go and edit an aspx file right on the production server, or maybe deploy only a single aspx file?



  • @apapadimoulis said:

    I guess, uh, it's good for people who like to be able to go and edit an aspx file right on the production server, or maybe deploy only a single aspx file?

    And sadly they supported it so it is really hard to break coworkers of doing this.



  • This process is basically the same with JEE containers. You can have an exploded WAR in which you can modify JSP files on the server.

    Now, the amount of code it would require to generate a JSP page dynamically on the server for every-freaking-element is mind blowing. This is the kind of shit you have to sit and think: Is this right? There's gotta be a better way

    I still can't believe this is how the site works and the whole .aspx thing is misleading me. Gonna ask the creator.



  • @apapadimoulis said:

    I guess, uh, it's good for people who like to be able to go and edit an aspx file right on the production server, or maybe deploy only a single aspx file?

    I suppose I technically use it on my dev box. But then, my dev box is configured to use IIS instead of the default ASP.NET test server when doing debugging. This configuration has actually helped my track down a few trickier bugs.

    Don't ask me why VS doesn't just use IIS by default for debugging. I don't know.



  • Every dynamically typed language works this way and I haven't seen any developer I work with doing this kind of crazy.

    @Eldelshell said:

    allows any person with a Windows PC to start hacking their way into programming hell and release it to others to suffer

    I guess my point stands true then 🚕



  • @abarker said:

    Don't ask me why VS doesn't just use IIS by default for debugging. I don't know.

    It has for like the last two versions, hasn't it? Pretty sure they set the default to IIS Express ages ago.



  • I'm getting everything ready for an upgrade from VS 2008, so I guess I'll find out soon.


  • ♿ (Parody)

    As of like, 2012 or 2013…. it uses IIS Express; which is kinda IIS? I tend to prefer IIS over the Green Play Button myself.



  • With VS 2008, you can set it up so that the green play button launches your project using IIS.


  • ♿ (Parody)

    @EvanED said:

    At some point, I think deployments of software that doesn't hash passwords on services that handle financial or personal data should become illegal, and the software authors should not be able to disclaimer away their liability on this matter.

    There ought to be a law against saying there ought to be a law for something.



  • @boomzilla said:

    There ought to be a law against saying there ought to be a law for something.

    We can't do that without first writing a law allowing us to create a law saying there ought to be a law for something!

    When do we organize the first pre-meeting to begin preparing other pre-meetings to decide upon the real meeting to discuss this further?



  • @mott555 said:

    We can't do that without first writing a law allowing us to create a law saying there ought to be a law for something!

    When do we organize the first pre-meeting to begin preparing other pre-meetings to decide upon the real meeting to discuss this further?

    And do we need to vote on it?



  • I have a 10K+ poll somewhere we can repurpose for this!


  • I survived the hour long Uno hand

    @Eldelshell said:

    Weird, you seem to have a newer version than the one in my laptop

    Wait.... you're talking to the SOLE DEVELOPER of this product, right? And yet he doesn't have the latest version of his own code?

    The fuck?


  • Discourse touched me in a no-no place

    @Yamikuronue said:

    [what] The fuck?

    Yes.



  • Depends whether it is a "Website" or a "Web Application", I suspect the former.


  • ♿ (Parody)

    True true, but I never remember to run Visual Studio in Admin mode so I can’t actually attach a debugger to IIS.

    Fortunately, I never actually need to debug anything, or really even bother compiling. The one time my code didn’t behave as it was supposed to, it turned out to be a .net bug. Obviously I’ve memorized every line of IL and machine code in the CLR and all libraries I use, and I should have known about the bug beforehand, but what can I say… I’m only human.


  • Java Dev

    Even thinking this seems like TRWTF. There's a lot I get right the first time round, but there's always something wrong on the first pass.


  • Discourse touched me in a no-no place

    @PleegWat said:

    Even thinking this seems like TRWTF. There's a lot I get right the first time round, but there's always something wrong on the first pass.

    Whooooosh?


  • Java Dev

    Now that you mention it?



  • @apapadimoulis said:

    True true, but I never remember to run Visual Studio in Admin mode so I can’t actually attach a debugger to IIS.

    I have set my VS to always launch in Administrator mode. Some B*****n before I started here did something weird with our main project so that it won't even load properly without administrator mode. I haven't had any luck figuring out exactly what they did.


  • BINNED

    @abarker said:

    I haven't had any luck figuring out exactly what they did.

    He Belgiumed it for you!



  • Well, newer version would make sense if he followed some versioning system. As I said, he seems to be fixing thing directly in the instance of my server.



  • @boomzilla said:

    There ought to be a law against saying there ought to be a law for something.

    There ought to be a constitutional provision capping the total number of words in statute law.


  • Discourse touched me in a no-no place

    @flabdablet said:

    There ought to be a constitutional provision capping the total number of words in statute law.

    Better yet, cap the total number of characters…


Log in to reply