    OSvsOS

    @OSvsOS

    Best posts made by OSvsOS

    This user hasn't posted anything yet.

    Latest posts made by OSvsOS

    • RE: Mundane Web app WTF

      @sprained said:

      I'm porting a horrifying custom CMS to a common platform.  Today's entertainment was preparing data migration.  I know we see this all the time around here, but here are just a few of today's fun hair-tearing moments, courtesy of my new favorite incompetent CMS developer:

       

      • separate tables for two different types of users, both queried on every page load
      • permissions stored as a comma-separated list of paths in a TEXT field in each user table
      • records with relations to user table don't use integer primary key as foreign key, but instead user's full name. 
      • Several user records have been renamed or removed without updating related records, leaving nearly half the records in question referencing nonexistent users
      • table storing leads with redundant columns: type (always "new"), status ("new" or "sent") and category (which turned out to be an integer incremented every time a lead is sent)
      • dates stored in mm/dd/yyyy format, with times as a separate column, in 12-hour format
      • EXCEPT for one table that uses ISO format so that the dev could actually sort results
      • (dates are always displayed exactly as formatted in the DB)
      • because results can't be easily filtered by date (without convolutions that the original dev clearly didn't realize were possible) a cron job runs every night to mark yesterday's records "inactive" - and results are filtered on this column
      • every SELECT is a SELECT *
      • despite how very convenient PHP makes associative arrays, every database result is integer-indexed, making it impossible to track down in which files and under what circumstances a given database column is used.


      I'm sure there's more in the remaining 90% of the project.  In the meantime, please wish me patience.

       

       Sprained, this is your incompetent co-worker. Please stop posting information about our advanced CMS. You know this CMS shall overtake all horizontal markets because of its superior:

      1) Algorithmic deficiency

      2) Obfuscated source code

      3) Non-relational relational database tables

      4) Broken test suite

      posted in Side Bar WTF
      OSvsOS
    • RE: Since when do CompSci people code like THAT?

      @DeepThought said:

      Yes, don't be a slave to your company
       

       That is the exact point I wanted to hit on. If management is willing to allocate some of your 40 hr work week to fix security holes, sweet.

      I am extremely happy with the amount of feedback people provided. 

      posted in Side Bar WTF
      OSvsOS
    • RE: Since when do CompSci people code like THAT?

      @stratos said:

      morbius is right, it's not even trolling, it's just the truth. As a programmer you are responsible for the code. No buts, no nothing, it is your responsibility. 

      Lots of books have been written and thousands of blogs have been written about when programmers no longer understand this, stuff like the broken window effect and such, but in the end if you can't take responsibility for code when you are made responsible for it, then you are a bad programmer. 

       

       Security is best applied in layers. If the operating system and network are unsecure, what is the point of securing the application layer? If the data has no value, why waste the resources to even secure the application? If the probability of attack is low, why secure the application?

      I try to fight the fires that matter and accomplish what will get the biggest return on improving company efficiency and effectiveness. I use secure programming techniques on newer software projects, but not on legacy projects. The legacy projects are left without improvement because "I feel" it is not valuable to the company for me to go back and write numerous software tests to ensure that my "security improvements" did not break the production code.

      Everybody likes to sit on a pillar of righteousness about computer security. Security requires compromises be made around usability and cost to implement. It is important to have security in mind when designing new applications or supporting old ones. For me, I have 168 hours in my week and my family means more to me than spending extra time at the office securing an application that is getting replaced in six months. I care more about my family than my work.

       I would rather be a good parent than a good programmer. :)

       

      posted in Side Bar WTF
      OSvsOS
    • RE: Since when do CompSci people code like THAT?

      Thank you for the tip. You suck at programming! How about that for a comeback?

      posted in Side Bar WTF
      OSvsOS
    • RE: Since when do CompSci people code like THAT?

      So the system was working fine until you changed its hosting environment? Did you perform any tests after you switched its hosting environment? The real WTF is developers and sysadmins who do not test or have a backout plan.

      posted in Side Bar WTF
      OSvsOS
    • RE: Since when do CompSci people code like THAT?

      Why do you care if the application is secure? If it ain't broke, why fix it? I work on an older codebase (2000 era) that suffers from quite a few vulnerabilities (XSS, SQL injection, CSRF). Sure, I could fix them, but my company does not seem to mind if such vulnerabilities exist. I am not willing to put in the extra man hours to fix the problem because there is no incentive except for 60 hour work weeks and a nice warm fuzzy feeling, which is more than what management will feel.

      If they pay you specifically to fix the security holes, awesome! Else, relax and enjoy some extra time off.

      posted in Side Bar WTF
      OSvsOS
    • RE: PHP code WTFs

       Wow, I hope the original developer has quit doing development. Source code like that should be used as an educational tool to teach students how not to develop software. 

      posted in Side Bar WTF
      OSvsOS
    • RE: Interview Code Snippet

      @icklemichael said:

      Now, maybe I am going crazy, but we are not talking about arrays here, we are talking about lists. If you think doing a quicksort on a linked list in place is a good idea then I think you need to get an algorithms book.
       

      There is a simple algorithm for sorting a linked list.

      http://www.openasthra.com/c-tidbits/sorting-a-linked-list-with-quicksort-simple-algorithm/

      posted in Side Bar WTF
      OSvsOS
    • RE: Interview Code Snippet

      @icklemichael said:

      I don't do .net, but isn't an in place sort a really bad idea in general?
       

      You need to go find an algorithms book and look up how Quicksort works. You perform the sort in place because creating a copy of an array is expensive (requires more memory and copying of the whole array).

      posted in Side Bar WTF
      OSvsOS
    • RE: <?php mail('Billing failure'); ?>

       PHP is a wonderful language. It is easy for inexperienced programmers to write horrible software. And, the horrible software always gets rewritten by experienced programmers. Everyone wins!

      posted in Side Bar WTF
      OSvsOS