RSS mirror created: 06.04.2008

The Daily WTF

Curious Perversions in Information Technology

Source: http://thedailywtf.com/. This journal is generated automatically from the public RSS feed at http://syndication.thedailywtf.com/thedailywtf and is updated as that feed is updated; it may not match the content of the original pages.

CodeSOD: Classic WTF: Injection Proof'd

Thursday, 24 November 2016, 14:30
It's Thanksgiving, in the US. Be thankful you're not supporting this block of code. --Remy


“When a ‘customer’ of ours needs custom-developed software to suit their business requirements,” Kelly Adams writes, “they can either ‘buy’ the development services from the IT department, or go to an outside vendor. In the latter case, then we’re supposed to approve that the software meets corporate security guidelines.”

“Most of the time, our ‘approval’ is treated as a recommendation, and we end up having to install the application anyway. But recently, they actually listened to us and told the vendor to fix the ‘blatant SQL-injection vulnerabilities’ that we discovered. A few weeks later, when it came time for our second review, we noticed the following as their ‘fix’.”

// Needs a reference to Microsoft.VisualBasic.dll for the Strings helpers.
using Microsoft.VisualBasic;

// Lives in some internal static class in the vendor's code; the type is not shown.
internal static string FQ(string WhichField)
{
   // Pass 1: walk the string one character at a time and double every single quote.
   string expression = "";
   int num2 = Strings.Len(WhichField);
   for (int i = 1; i <= num2; i++)
   {
      string str = Strings.Mid(WhichField, i, 1);
      if (str == "'")
      {
         str = str + "'";
      }
      expression = expression + str;
   }
   // Pass 2: a fixed chain of single-pass substring removals, evaluated innermost
   // first ("xp_" first, "language=\"javascript\"" last). All but "--" compare
   // case-insensitively (CompareMethod.Text); "alter table" is listed twice.
   return Strings.Trim(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
      Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace(
         expression, 
            "xp_", "", 1, -1, CompareMethod.Text), 
            "sp_", "", 1, -1, CompareMethod.Text), 
            "--", "-", 1, -1, CompareMethod.Binary), 
            "alter table", "", 1, -1, CompareMethod.Text), 
            "drop table", "", 1, -1, CompareMethod.Text), 
            "create table", "", 1, -1, CompareMethod.Text), 
            "create database", "", 1, -1, CompareMethod.Text), 
            "alter table", "", 1, -1, CompareMethod.Text), 
            "alter column", "", 1, -1, CompareMethod.Text), 
            "drop column", "", 1, -1, CompareMethod.Text), 
            "drop database", "", 1, -1, CompareMethod.Text), 
            "1=1", "", 1, -1, CompareMethod.Text), 
            "union select", "", 1, -1, CompareMethod.Text), 
            "/*", "", 1, -1, CompareMethod.Text), 
            "*/", "", 1, -1, CompareMethod.Text), 
            "boot.ini", "", 1, -1, CompareMethod.Text), 
            "../", "", 1, -1, CompareMethod.Text), 
            "%27", "", 1, -1, CompareMethod.Text), 
            ";dir", "", 1, -1, CompareMethod.Text), 
            "|dir", "", 1, -1, CompareMethod.Text), 
            "script>", "", 1, -1, CompareMethod.Text), 
            "language=javascript", "", 1, -1, CompareMethod.Text), 
            "language=\"javascript\"", "", 1, -1, CompareMethod.Text));
}

Kelly adds, “of course this time, when we told them the application was still vulnerable so long as a hacker typed ‘1 = 1’ instead of ‘1=1’, they told us we were being too picky, and had us install the application anyway.”
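The distinct ways a blacklist like this loses are easier to see running than reading. The following is an added example, not the vendor's code or the article's: fq() is a behaviour-for-behaviour Python port of FQ() (quote doubling, then the same ordered single-pass substitutions, case-insensitive except for "--"), run against a constructed in-memory SQLite users table. demo_db, names_by_name_concat, names_by_id_concat and names_by_id_param are hypothetical wrappers written for the demonstration.

```python
import re
import sqlite3

# (needle, replacement, case_insensitive) in the vendor's order. Only "--"
# used CompareMethod.Binary; everything else used CompareMethod.Text.
FQ_RULES = [
    ("xp_", "", True), ("sp_", "", True), ("--", "-", False),
    ("alter table", "", True), ("drop table", "", True),
    ("create table", "", True), ("create database", "", True),
    ("alter table", "", True),  # listed twice in the original
    ("alter column", "", True), ("drop column", "", True),
    ("drop database", "", True), ("1=1", "", True),
    ("union select", "", True), ("/*", "", True), ("*/", "", True),
    ("boot.ini", "", True), ("../", "", True), ("%27", "", True),
    (";dir", "", True), ("|dir", "", True), ("script>", "", True),
    ("language=javascript", "", True), ('language="javascript"', "", True),
]


def fq(which_field: str) -> str:
    """Port of the vendor's FQ(). VB's Strings.Replace is one left-to-right,
    non-overlapping pass per needle, so each rule's output feeds the next."""
    expression = which_field.replace("'", "''")
    for needle, repl, ci in FQ_RULES:
        expression = re.sub(re.escape(needle), repl, expression,
                            flags=re.IGNORECASE if ci else 0)
    return expression.strip(" ")  # Strings.Trim strips spaces only


def demo_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)])
    return conn


def names_by_name_concat(conn, name: str) -> list:
    """Vendor pattern, string context: here quote doubling does stop breakout."""
    sql = "SELECT name FROM users WHERE name = '" + fq(name) + "'"
    return sorted(r[0] for r in conn.execute(sql))


def names_by_id_concat(conn, user_id: str) -> list:
    """Vendor pattern, numeric context: there is no quote to double, so the
    token blacklist is all that stands between the input and the query."""
    sql = "SELECT name FROM users WHERE id = " + fq(user_id)
    return sorted(r[0] for r in conn.execute(sql))


def names_by_id_param(conn, user_id: str) -> list:
    """The fix the reviewers asked for: bind the value, never splice it."""
    sql = "SELECT name FROM users WHERE id = ?"
    return sorted(r[0] for r in conn.execute(sql, (user_id,)))


if __name__ == "__main__":
    db = demo_db()
    print(names_by_name_concat(db, "bob' OR 1 = 1 --"))  # breakout blocked
    print(names_by_id_concat(db, "2"))
    # Kelly's own bypass: whitespace the blacklist never looked for.
    print(names_by_id_concat(db, "0 OR 1 = 1"))
    # Single-pass removal leaves behind the very token it bans.
    print(fq("11=1=1"), names_by_id_concat(db, "0 OR 11=1=1"))
    # A later rule reassembles a token an earlier rule was meant to kill.
    print(fq("uni../on select"))
    print(names_by_id_concat(db, "0 UNION boot.iniSELECT name FROM users"))
    # Bound parameter: the same string is just a value that matches nothing.
    print(names_by_id_param(db, "0 OR 1 = 1"))
```

Three things to check when a vendor hands you a filter like this: whether the same field ever lands in a numeric or identifier position, where quote doubling does nothing; whether removals are single-pass, so that `11=1=1` collapses to the banned `1=1`; and whether a later rule can rebuild an earlier token, as removing `../` turns `uni../on select` into `union select`. None of these apply to a bound parameter, which is why a parameterised query is the review finding, not a longer list.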

http://thedailywtf.com/articles/classic-wtf-injection-proof-d

Error'd: Actually, My Father was a Folding Chair

Wednesday, 23 November 2016, 14:00
It's a holiday week this week, so today is our Friday. Enjoy an Error'd. - Remy

"I have to wonder what on earth possessed those parents to add that suffix to their kid's name," writes Mack C.

"For me, 'impossible' errors are the best kind of errors," wrote Tim D.

Will K. writes, "Remove all keys before shutting down? Then put them all back when you boot up? Truly unbeatable security!"

"I'm pretty proud of the fact that only myself and & percent of my fellow Americans know the state capitals," Eric wrote.

"Orbitz has a funny idea of what 'vicinity' means," writes Steve L.

Dan wrote, "Yeah, I think that we've all had one of those days."

"I was looking for open phone development positions, but I don't think that I can take a pay cut like this," writes Randy R.

http://thedailywtf.com/articles/actually-my-father-was-a-folding-chair

Unpythonic

Tuesday, 22 November 2016, 14:30

From: Kirby McCloy kmccloy@initech.com
Subject: Concerns about SMERPS
The SMERPS project seems to be going down the wrong path. I thought our quarterly goal was for IT modernization.

The email carried no specific call to action. It barely had a point, and was little more than bad-natured griping. It also came from Kirby, the CTO. The email triggered a four-alarm underpants fire as every manager on the SMERPS project tried to guess what Kirby might possibly mean.

Someplace between the frenzied cries of "Chris, did you see Kirby's email? How do we reply?", someone had the bright idea that maybe this was just politics. Maybe Kirby just wanted to feel like he was part of the process, that his input was valued. They could just schedule a little sit-down, with Kirby, the PMs, and a few of the lead developers, and smooth this whole thing over.

Thus, Brittany found herself with an entire Friday afternoon blocked off for a meeting. None of the large conference rooms were available, which meant three PMs, the project coordinator, and four developers had to cram into a small office to review the plan. Thirty minutes into the meeting, they were all huddled around the projector for warmth, and the CTO was a no-show.

That didn't dissuade management from trying to keep the meeting on track. "Well, while we wait for Kirby," Chris said, "we can make sure we're all on the same page. Let's review the current plan."

For the next two hours, the PMs nattered on about critical paths, resource leveling, and project milestones that were already unlikely to bear any resemblance to reality, and would only slip farther with each new bit of overmanagement. Brittany was nearly asleep when Chris called her name. "Why don't you tell us about the technical side for the web team?"

"Well," Brittany said, "SMERPS is a pretty straightforward CRUD app." She noticed the vaguely surprised and offended look among some of the PMs and quickly explained, "Create-read-update-delete. A basic data-management tool." The application needed to be accessible from the corporate office, at manufacturing sites, and at customer locations, and work on mobile devices. "All in all, it's very similar to apps like RDR, TPM, and PlusPoint, so we're planning to use the same tech stack."

Specifically, SQL Server for the database, C# for the backend services, and Angular2 and TypeScript on the front-end. A good stretch of the project could be scaffolded out with automated tools, and most of the rest could be lifted from other projects. The hard parts, the 10% of the code that'd take 90% of the time to build, were the places where it needed to talk to the ERP system.

Brittany was in the process of making this explanation when Kirby swept into the room. "Sorry I'm late," he said, "and I can't stay long. But I have a few issues I'd like this team to address. First, there are a lot of resources on this project. I want you to be lean. There should be one developer on this project."

"That's impossible," Brittany said.

The CTO rolled right over her. "It is if you're using the right tools. Before this meeting, I did a little research, and did you know that Python is the number two programming language in the world? We're going to use that for this project, which should make our developer more efficient."

This statement was greeted with silence and a vaguely shell-shocked look. The CTO took this for agreement, rapped his knuckles on the table, and said, "Great. Good. Get on that. Email me with any questions. Now, if you'll excuse me…"

[Image: John Cleese, dressed as a Viking, in front of a picture of Spam, from Monty Python's Flying Circus. Caption: What a Python might look like]

As the door closed behind Kirby, Chris stepped up. "Okay, so you heard what the CTO suggested. Let's not go making any big decisions just yet. Scott, Lisa, I need you to write up a clearer picture of the ERP side of the project, and why we need multiple ERP developers. Larry, Bob, you do the same for the web team. Brittany, before you leave for the day, I need you to do an alternatives analysis that compares our current tech with Python. Be objective and fair, but… well…"

Well, indeed. Brittany had no real opposition to Python as a language, but definitely did not like the idea of making a massive shift just on a CTO's whims. She focused her analysis on a few key points. First, no one in their organization actually knew Python. Their entire portfolio was some flavor of .NET, and the newer projects had added Angular. Their entire toolchain, build process, continuous integration process, etc., all were built to support C# and Angular projects. Even beyond that, Python didn't perform as well as C#, and since the requirements wanted a single-page application, they'd need to use Angular anyway, so there was no getting rid of Angular.

Brittany did her best to be thorough. That was easy. Being polite was harder. She was working late on Friday night to get the document over to Chris, who was also working late. When she hit send, he instantly replied to her with a big "THANKS!". She went home, and ignored work until Monday.

On Monday, there was an email from Chris. "Got a meeting with Kirby at 11AM. Will follow up after."

At 11:15, Brittany got an email from Kirby. "Saw your analysis," he wrote, "but with 1 hour of research, I can disagree with it. Angular and TypeScript is old. Python is new, and Google is writing everything with it. Python is the best practices for development."

The project was put on hold while everyone tried to talk some sense into Kirby. Kirby was adamant, though: he read that Google used Python, and so Initech also needed to use Python. "If our team still needs to use Angular, just use the Python version," were his final words on the subject.

Brittany pulled Chris aside. "Chris, does Kirby even know what Python is? He clearly doesn't know what Angular is. What happens if we just say, 'Yes, we'll use Python,' and then… don't?"

And that's how Brittany completed her first major development project in Python, although it didn't actually contain a single line of Python code.

http://thedailywtf.com/articles/unpythonic

CodeSOD: The Rule of Ten

Monday, 21 November 2016, 14:30

Florian's office has a rule of ten. Well, it doesn't, but one of Florian's co-workers seems to think so. This co-worker has lots of thoughts. For example, they wrote this block, which is supposed to replace certain placeholders with other content.

sbyte sbCount = 0;
// set value of new field content to old value
sNewFieldContent = sFieldContent;
while (rFieldIdentifierRegex.Match(sNewFieldContent).Success) {

        // for security reasons
        if (++sbCount > 10)
                break;

        // get identifier and name
        string sActFieldSymbol = rFieldIdentifierRegex.Match(sNewFieldContent).Groups[1].Value;
        string sActFieldName = rFieldIdentifierRegex.Match(sNewFieldContent).Groups[2].Value;
        string sActFieldIdentifier = sActFieldSymbol + sActFieldName;

        // default value for unknown fields is an empty string
        string sValue = "";

        [... calculate actual replacement value ...]

        // replace value for placeholder in new field content
        sNewFieldContent = sNewFieldContent.Replace(sActFieldIdentifier, sValue);
}

As Florian puts it:

Having more than 10 matches inside one line is obviously a security risk (it isn't) and must be prohibited (it mustn't) because that would cause erroneous behavior in the application (it doesn't).

http://thedailywtf.com/articles/the-rule-of-ten

Error'd: Does Anyone Here Speak CSS?

Friday, 18 November 2016, 14:00

"If you ask me, it's not just English speakers that GSMArena is in need of," wrote Aankhen.

"This Israeli burger chain offers a simplified menu for its customers," writes Shawn A.

Mark H. writes, "Wow! How did this site know I have hemorrhoids?"

"I know EULAs are meant to be obscure, but this is taking it to a new level," wrote Vladimir B.

Joshua O. writes, "And here I thought 'bug fixes and improvements' were as low as release notes could get."

"Well, it looks like Thunderbird is going to be busy for a while," wrote Josh H.

Andrew C. writes, "Sherman's pretty spry for an 88-year-old!"

http://thedailywtf.com/articles/does-anyone-here-speak-css

The 10x Developer

Thursday, 17 November 2016, 14:30

"You're going to learn quite a bit from Burt," Burt said. "He's one of the best."

Davide blinked. He wondered if his new boss spoke about himself in the third person as a matter of course. Cautiously, he said, "Well… I hope so?"

[Image: Alberta Highway 10X sign (1970s)]

"Burt's been with us since the beginning," Burt continued. "Nobody but nobody knows our systems and our environment better than he does. He's one of those… whatchacallits…" Burt glanced around his desk, and found what he was looking for, a glossy trade mag with a cover story about the most productive developers. "A Ten-X developer. We're really lucky to have him, and you're really lucky to work with him."

Burt was not speaking in the third person. Burt, the CTO of the company, was a huge fan of Burt, the lead developer at the company. When Davide was hired on, CTO-Burt spent a lot of time praising the genius of Dev-Burt. Once Davide started working, he didn't see CTO-Burt very much, but Dev-Burt also was eager to talk about what a genius he was.

"Not just anybody can manage a system with 100KLOC, mostly by themselves," Dev-Burt said. "But stick with me, and maybe you'll learn."

Dev-Burt's genius was questionable. Five minutes skimming the code base made it clear that Dev-Burt had the coding conventions of a drunken lemur. The only thing that made the code even slightly readable was that most of it was in Python, and thus had to be indented logically. That was the only logical thing about it. Some variables were named in camelCase, others in snake_case. Half of them were just alwayslowercase. Function names were generally more consistent, only because there were fewer of them: Dev-Burt was the kind of developer that just loved to write 5,000-line functions. There were plenty of global variables, plenty of spaghettified code, and plenty of god objects that mashed together thirty unrelated behaviors into one mess that behaved differently depending on which specific flags you set.

Dev-Burt was too busy being a 10x developer to give Davide any guidance about what he was supposed to do. The only coding convention appeared to be "Dev-Burt does whatever Dev-Burt wants." From time to time, Davide would pick up tickets as they came through, tracking down and patching bugs, but mostly he tried to find opportunities to refactor the code and add some unit tests.

This radical behavior led to a tense meeting with the Burts.

"Burt tells me you're causing problems," CTO-Burt said.

"He's making a mess out of my code," Dev-Burt complained. "He's making it more complicated!"

"I was just refactoring it so-"

"There he goes," Dev-Burt said, throwing a hand in the air, "using his made-up buzzwords. Look, we've got product to ship, and your refractioning isn't getting us anywhere. I wouldn't mind so much, but it's eating into my own time, and making it harder for me to get work done!"

"That's bad," CTO-Burt chimed in. "Because Burt's a Ten-X developer. His time's ten times as valuable as yours."

At least, after the meeting, Davide had clear rules to follow: Dev-Burt does whatever he wants, Davide does whatever Dev-Burt tells him to, and Davide was not to touch any code unless it was to deal with a ticket assigned to him by CTO-Burt.

This gave Davide a lot of downtime, during which he could watch the codebase grow. It was true, Dev-Burt was a 10x developer, in the sense that he could write ten times as much code as necessary, and he'd often write the same code ten times, in different places in the application.

One day, while wondering if this made Dev-Burt the first 100x developer, Davide received a new ticket. One of the automated jobs had failed, dumping a stack trace to the log, and it kept failing every hour. It didn't seem to be having any other effects, but CTO-Burt wanted it fixed.

Davide assumed there was an unhandled error, and dug through the stack trace to find the offending code. He was half right. Once he cut away the bulk of the logic, the basic structure of the method was this:

def manage_expectations(*args, **kwargs):
    try:
        # about 1,200 lines of code
    except Exception, e:   # Python 2 syntax; Python 3 spells it `except Exception as e:`
        raise e            # in Python 2 this discards the original traceback and starts
                           # a new one at this line; a bare `raise` would have kept it

So, Dev-Burt had handled the exception… by re-throwing it. A few hours picking apart the function, and it was clear that the underlying problem was a FileNotFoundError when scanning a logfile for messages: there was no guarantee that the logfile would exist. It was easy enough to make the code fail gracefully when it encountered the exception, but that might be considered refractioning, and so Davide needed to ask Dev-Burt for permission first.

"Hey, Burt," Davide asked, "can you pull up some code for me?" He pointed to the raise e and said, "Why are you doing that? Why is that there?"

Dev-Burt nodded, stroking his chin thoughtfully. "That's an exception handler," he said.

"Yes, I know that. Why is that raise there?"

"Hmm… I guess I'm not sure. What does the raise command do?"

Davide went back to his desk, fixed the exception handler, and then started sending out resumes. He'd learned everything he needed to from Dev-Burt, and was now ready to fail gracefully out of this job.
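The fix Davide describes, as an added example that is not Dev-Burt's code or the article's: a missing logfile is an expected state for an hourly job and yields an empty result, while any other error (permissions, a directory at that path) is unexpected and propagates with a bare raise, which keeps the original traceback. scan_log, demo and the SAMPLE_LOG lines are constructed for the demonstration.

```python
import os
import re
import tempfile


def scan_log(path, pattern, missing_ok=True):
    """Return the lines of `path` that match the regex `pattern`.

    A missing file is the normal "nothing logged yet" case and returns [].
    Any other OSError is a real fault and is re-raised unchanged: a bare
    `raise` preserves where it happened, unlike `raise e`.
    """
    matcher = re.compile(pattern)
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [line.rstrip("\n") for line in fh if matcher.search(line)]
    except FileNotFoundError:
        if missing_ok:
            return []
        raise


# Constructed sample log lines for the demonstration (not from the article).
SAMPLE_LOG = (
    "2016-11-17 01:00:00 INFO job start\n"
    "2016-11-17 01:00:02 ERROR disk full on /var/spool\n"
    "2016-11-17 01:00:03 ERROR retry failed\n"
    "2016-11-17 01:00:04 INFO job end\n"
)


def demo():
    """Write the sample log to a temp dir, then scan one file that exists
    and one that was never written. Returns (present_matches, absent_result)."""
    workdir = tempfile.mkdtemp()
    present = os.path.join(workdir, "job.log")
    with open(present, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    absent = os.path.join(workdir, "never-written.log")
    return scan_log(present, r"\bERROR\b"), scan_log(absent, r"\bERROR\b")


if __name__ == "__main__":
    print(demo())
```

Catching FileNotFoundError specifically, rather than Exception, is the whole point: the handler names the one condition the job is allowed to shrug off, and everything else still surfaces with its real traceback instead of one pointing at the handler.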

http://thedailywtf.com/articles/the-10x-developer

CodeSOD: Coldly Fused

Wednesday, 16 November 2016, 14:30

In 1989, a pair of physicists claimed to have achieved the fusion of hydrogen at room temperature. This came as quite a shock to other physicists, since fusion was only known to happen inside stars. Within a few months, their claims were roundly rejected, and cold fusion became synonymous with junk science.

Fast forward to 1995, when a small company wanted to make its own set of generous claims about its web application framework. Allaire, Inc. (eventually bought out by Macromedia, which itself was eaten by Adobe) claimed that its Cold Fusion could solve all your web development problems through the judicious application of CFML.

Fast forward to today, where I'm surprised to learn that ColdFusion is still in active development. Brian recently had the pleasure of attempting to install it. First, he was annoyed at just the install size: 1.2GB for a web runtime and its assorted libraries. Then… the install failed. Brian poked around in the installer and found the following shell script:

DISTRO_NAME=
GUEST_OS_NAME=
if [ -f /etc/issue ] ; then
        DISTRO_NAME=`cat /etc/issue`
fi

if [ ! -z "$DISTRO_NAME" ] ; then
        if [ ! -z "$(echo $DISTRO_NAME | awk '/Ubuntu/')" ] ; then
                jre_success=`exec "$actvm" 2>&1`
                case "$jre_success" in
                                *No*such*file*or*directory*|*install*bin*|*cannot*execute*binary*file* )
                                                echo "JRE libraries are missing or not compatible...."
                                                echo "Exiting...."
                                ;;
                                *)
                                        exec "$actvm" $options $lax_nl_java_launcher_main_class "$propfname" "$envPropertiesFile" $cmdLineArgs
                                ;;
                                esac
        elif [ ! -z "$(echo $DISTRO_NAME | awk '/CentOS/')" ] ; then
                jre_success=`exec "$actvm" 2>&1`
                case "$jre_success" in
                                *No*such*file*or*directory*|*install*bin*|*cannot*execute*binary*file* )
                                                echo "JRE libraries are missing or not compatible...."
                                                echo "Exiting...."
                                ;;
                                *)
                                        exec "$actvm" $options $lax_nl_java_launcher_main_class "$propfname" "$envPropertiesFile" $cmdLineArgs
                                ;;
                                esac
        elif [ ! -z "$(echo $DISTRO_NAME | awk '/SUSE/')" ] ; then
                jre_success=`exec "$actvm" 2>&1`
                case "$jre_success" in
                                *No*such*file*or*directory*|*install*bin*|*cannot*execute*binary*file* )
                                                echo "JRE libraries are missing or not compatible...."
                                                echo "Exiting...."
                                ;;
                                *)
                                        exec "$actvm" $options $lax_nl_java_launcher_main_class "$propfname" "$envPropertiesFile" $cmdLineArgs
                                ;;
                esac

There are a few issues here. First, while /etc/issue is a file that you can reasonably expect a modern Linux system to have, there is no guarantee that it is there, or that its contents will include the identifier of the system distribution. If it isn't there, the installer makes no attempt to fall back to a different file (like /etc/system-release, which, while also not guaranteed, is probably more accurate), or even to uname. But those are all minor details.

Regardless of what it finds in the /etc/issue file, it executes the exact same command anyway, raising the question of why it even checked in the first place.
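What the installer should have done, as an added example in Python that is not Adobe's code or the article's: read the distribution ID from /etc/os-release, treat /etc/issue as a fallback only, make the detected distribution actually change something (here a package-tool lookup), and classify a failing JRE launch from the OS error rather than by pattern-matching its stderr text (ENOENT, EACCES and ENOEXEC are what the script's "No such file", "install bin" and "cannot execute binary file" patterns were really testing for). detect_distro, jre_status, plan_install and the PACKAGE_TOOL table are assumptions made for the demonstration; the root parameter exists so the functions can be exercised against a constructed directory tree.

```python
import errno
import os
import re
import subprocess

# /etc/os-release is the documented location for the distribution ID
# (ID=ubuntu, ID="centos", ID=opensuse-leap, ...). /etc/issue is a free-text
# login banner and only a fallback; uname reports the kernel, not the distro.
_ID_LINE = re.compile(r'^ID=(["\']?)([^"\'\n]*)\1\s*$')

_ISSUE_MARKERS = (("Ubuntu", "ubuntu"), ("CentOS", "centos"), ("SUSE", "suse"))

# What the detected distribution actually changes. With a table like this the
# branching has a purpose; when every branch runs the same command it is noise.
PACKAGE_TOOL = {"ubuntu": "apt-get", "debian": "apt-get",
                "centos": "yum", "rhel": "yum",
                "suse": "zypper", "opensuse-leap": "zypper"}


def detect_distro(root="/"):
    """Return (distro_id or None, source). `root` lets a test point at a
    constructed tree instead of the real filesystem."""
    os_release = os.path.join(root, "etc", "os-release")
    if os.path.isfile(os_release):
        with open(os_release, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = _ID_LINE.match(line)
                if m:
                    return m.group(2).lower(), "os-release"
    issue = os.path.join(root, "etc", "issue")
    if os.path.isfile(issue):
        with open(issue, encoding="utf-8", errors="replace") as fh:
            banner = fh.read()
        for marker, ident in _ISSUE_MARKERS:
            if marker in banner:
                return ident, "issue"
    return None, "none"


def jre_status(java_path):
    """Classify the launcher from the error the exec actually returns."""
    try:
        proc = subprocess.run([java_path, "-version"],
                              capture_output=True, timeout=30)
    except FileNotFoundError:          # ENOENT: "No such file or directory"
        return "missing"
    except PermissionError:            # EACCES: no execute bit
        return "not-executable"
    except OSError as e:
        if e.errno == errno.ENOEXEC:   # "cannot execute binary file"
            return "wrong-binary-format"
        raise
    return "ok" if proc.returncode == 0 else "failed"


def plan_install(root="/", java_path="java"):
    """Fail loudly on anything unexpected instead of exec'ing anyway."""
    distro, source = detect_distro(root)
    if distro not in PACKAGE_TOOL:
        raise RuntimeError(f"unsupported or undetected distribution (via {source})")
    status = jre_status(java_path)
    if status != "ok":
        raise RuntimeError(f"JRE at {java_path} is {status}")
    return {"distro": distro, "detected_via": source,
            "package_tool": PACKAGE_TOOL[distro]}


if __name__ == "__main__":
    print(detect_distro())
    print(jre_status("java"))
```

The two properties worth keeping from this are that an unknown distribution or an unusable JRE stops the installer with a reason, and that the JRE is started once, not once to see whether it errors and then again for real.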

http://thedailywtf.com/articles/coldly-fused

The Logic Barrier

Tuesday, 15 November 2016, 14:30

Brad was brought in as a new hire to work on improvements for a big-name ERP system. His supposed role would be that of the "input guy" for a new I/O module where engineers would enter some numbers, they would be crunched, and it would output a wireframe design of what they needed to build. While he got started, the development manager Cindy assured him they'd have an "output guy" soon enough.

[Image: a bottle of Monopolowa vodka]

A month passed while Brad was making good progress. One Monday, Cindy walked up to his desk with a tall, dark-haired gentleman in tow. "Brad, this is Dmitry, your 'output guy'."

"Hello Bard. I am Dmitry. Please to see you," he introduced himself with a firm handshake and large grin.

After Dmitry got settled in, Cindy came back to Brad and told him in a hushed tone, "He just got here from Russia. He might be a little hard to understand, but boy can he code! You might need to give him a little guidance since your part of the application comes first, but I'm sure it will work out great!"

So began several arduous weeks of Brad working on his input interface about 15 minutes a day, while assisting Dmitry the rest of the time. They got far enough to prepare an end-to-end demo for Cindy. When she arrived, Brad put in the specifications for some plumbing parts he found online. They were passed to Dmitry's code and out came what looked like a reject from Rorschach's inkblot test.

"Oh no!" Dmitry cried. "I think I forget to check in part of code. Need a little more time," he requested with a grin and a nod.

"Brad!" Cindy shouted, crossing her arms. "You obviously aren't getting through to Dmitry. Before the next end-to-end test, I want you to test your own components first, then cross-test each other's. I expect better results next time!"

Brad ran through his own code exhaustively while Dmitry supposedly did the same. "Dmitry, I'm ready to exchange code when you are. Everything seems ok on my end."

"Oh yes! My code is good, yes. Add a few more DLL, more logging. Great now," Dmitry assured him.

Brad attempted to test Dmitry's code but couldn't even get it to run. He found several initial run blocks, proving Dmitry never even once ran his code because surely he would have noticed the myriad uninitialized collections and NullReferenceExceptions.

Brad explained the situation and offered assistance but Dmitry assured him "No, no. You sit, I code and fix it up." An hour passed before Brad got an email from Dmitry with a .zip attachment that said "Deploy new DLL. Code working." Brad did just that only to find the code NOT working.

With day turning to night on the Thursday before their Friday demo, Brad decided it would be more efficient to dig in and fix Dmitry's code himself. "Dmitry, just head home. I have some troubleshooting to do on my code," he lied. "I'll get it fixed up before the demo."

"Maybe you need the coding practice!" Dmitry grinned while putting on his jacket. "Goodest luck, tomorrow bring great success."

Brad committed the changes to Dmitry's code around midnight in what amounted to a complete re-write. Weary, he went home relieved that Cindy would be off his back for a while after the demo. That would give him time to figure out what to do about Dmitry.

The following afternoon, the demo to Cindy went off without a hitch now that it had been purged of most of Dmitry's code. Cindy was pleased with the results, "great job gentlemen! How about we go out to the pub to celebrate! I'm buying the first round."

Brad would have preferred to go home to collapse, but he couldn't pass up a free drink. The three of them engaged in awkward small talk over a round of beers. Dmitry offered to buy the next round when he switched to vodka. Cindy left after Round 2, leaving Brad and Dmitry who both seemed to have an unquenchable thirst.

Brad was growing to like Dmitry when he ordered yet another round, putting them on the verge of not being able to stand. Dmitry leaned over to him, bleary eyed and said, "let me tell you a little secret." In perfectly clear English but still with a heavy Russian accent, he shared, "I apologize. I do the broken English thing so people don't expect a lot out of me. It's really the whole logic part of the job that I struggle with. I have a hard time understanding computers. Sorry you had to spend so much time fixing my code."

The stunning revelation caused Brad to temporarily snap out of his stupor. When Dmitry went to the bathroom, he pulled out his phone to text Cindy, "We need to talk about Dmitry on Monday. Don't call me tomorrow, the phone ringing will hurt my head."

http://thedailywtf.com/articles/the-logic-barrier

CodeSOD: Just In Case

Monday, 14 November 2016, 14:30

Brandon's company had a lot of work to do, and not enough staff to do it, so they hired on some freelancers. They were careful about it, and felt like they'd hired some good people. One developer, in particular, was the kind of developer who not only understands the low-level Windows API, but actually knows how to use some of the undocumented corners of it to get things done.

Most of the module was pretty good, but when Brandon double-checked the method for escaping disallowed characters from a URL, he found some problems.

The function went character by character through the string, which was bad enough, but when it wanted to know if a certain character needed to be escaped or not, it called this function:

bool NeedEscape ( wchar_t c )
{
    // The RFC 3986 "unreserved" set (ALPHA / DIGIT / "-" / "." / "_" / "~"),
    // spelled out one case label at a time.
    switch ( c )
    {
        case L'0': case L'1': case L'2': case L'3': case L'4':
        case L'5': case L'6': case L'7': case L'8': case L'9':
        case L'a': case L'b': case L'c': case L'd': case L'e':
        case L'f': case L'g': case L'h': case L'i': case L'j':
        case L'k': case L'l': case L'm': case L'n': case L'o':
        case L'p': case L'q': case L'r': case L's': case L't':
        case L'u': case L'v': case L'w': case L'x': case L'y':
        case L'z': case L'A': case L'B': case L'C': case L'D':
        case L'E': case L'F': case L'G': case L'H': case L'I':
        case L'J': case L'K': case L'L': case L'M': case L'N':
        case L'O': case L'P': case L'Q': case L'R': case L'S':
        case L'T': case L'U': case L'V': case L'W': case L'X':
        case L'Y': case L'Z': case L'-': case L'.': case L'_':
        case L'~':
            return false;
        default:
            return true;
      break;    // never reached: both branches above have already returned
    }
}

While this freelancer may have been an expert on the undocumented Windows APIs, they didn't quite know their way around the documented ones.
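The documented route, as an added example that is not the freelancer's code or the article's: a table of the RFC 3986 unreserved characters and percent-encoding over UTF-8 bytes, which Python's urllib.parse.quote already implements (on Windows, UrlEscape in shlwapi.h is the documented equivalent). need_escape and percent_encode are hypothetical names. It also makes the caveat the wchar_t version hides explicit: percent-encoding is defined over bytes, so a non-ASCII code point has to be turned into its UTF-8 bytes before it can be escaped at all.

```python
from urllib.parse import quote

# RFC 3986 section 2.3: the only characters that never need escaping.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_HEX = "0123456789ABCDEF"


def need_escape(byte: int) -> bool:
    """The freelancer's switch as a set lookup on one byte (0-255).
    Bytes >= 0x80 are never unreserved, so they always escape."""
    return chr(byte) not in UNRESERVED


def percent_encode(text: str) -> str:
    """Encode the UTF-8 bytes of `text`. A loop over wide characters cannot
    produce the two %XX groups that 'é' (0xC3 0xA9) needs; emitting the
    code point as %E9 instead yields a Latin-1 URL that a UTF-8 receiver
    decodes to something else, which is how encoding-based filter bypasses
    start."""
    out = []
    for b in text.encode("utf-8"):
        if need_escape(b):
            out.append("%" + _HEX[b >> 4] + _HEX[b & 0x0F])
        else:
            out.append(chr(b))
    return "".join(out)


def matches_stdlib(text: str) -> bool:
    """The documented API gives the same answer. quote()'s default safe='/'
    keeps slashes, which is right for a whole path but wrong for a single
    segment or query value; pass safe='' when the value is pure data."""
    return percent_encode(text) == quote(text, safe="")


if __name__ == "__main__":
    sample = "caf\u00e9 au lait/?x=1&y=2"   # constructed input
    print(percent_encode(sample), matches_stdlib(sample))
```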

http://thedailywtf.com/articles/just-in-case

Error'd: Let's Eat

Friday, 11 November 2016, 14:00

"Apparently, only a small part of my dinner qualifies as food," writes Alex F.

Hamkakei wrote, "I've heard of a working lunch, but Amazon seems a little over confident about how much code will be written with this."

"404 on Index? Are you feeling OK Github?" Mattias C. writes.

"I've heard some bad things about Backup Exec, but you must be doing something good to be able to handle that many jobs," wrote Marc B.

Paul writes, "Being broken is bad enough, but being broken twice in a row is a whole other story."

"I'm pretty good at counting, so am I missing something?" wrote Silvia.

"So, if I want to see what Windows 10 wants to uninstall, it looks like I'm going to have to give it permission and then look afterwards to see what's missing," Smylers writes.


http://thedailywtf.com/articles/let-s-eat



Exceptional Handling

Thursday, 10 November 2016, 14:30

Sonic 2006

Enterprise Resource Planning software, or ERP for short, is crucial to the operation of many large businesses. Several popular ERP systems have plugin-friendly architecture, the better to sell upgrades their customers will never want or use. This software is primarily aimed at businesses with too many complex process flows to manage by hand—making it the perfect domain for a small, lean startup with 3 developers and 1 customer.

Ethan and Roland were brand-new developers, fresh out of college and ready to take on the world. Patrick, a consultant, was more experienced, though still fairly early in his career. They worked in C# with the Visual Studio ecosystem, and their boss had bestowed just one instruction as to how their culture should be formed:

"Picture a scale from 1 to 10, with 1 being fast and 10 being scalability and code quality and all that crap. I want you to aim for a 2."

Visual Studio is a great tool for beginning developers who need to work fast. It makes scaffolding the code simple and efficient, and allows for a drag-and-drop visual design that lets you rapidly prototype your screens. Couple that with great IntelliSense, and the team was confident they could deliver their addon as promised.

That said, Visual Studio is also a complex piece of software, with many of its best features hidden inside a labyrinthine menu system and/or optional settings deep in a configuration file. It works better if you have time to learn how to use it. Unfortunately, our ERP team did not have that kind of time, and they missed a few key features. For example, out of the box, Visual Studio won't step into a catch block while debugging. You can debug catch blocks, but you have to explicitly set a breakpoint in them or they will be skipped entirely. There's an option to turn this behavior off, but it's hidden deep in the menus.

Ethan and Roland developed a workaround for this behavior that let them continue working: they would comment out catch blocks surrounding code they were actively debugging, then restore the commented-out code afterward. But this took time and effort, and often multiple cuss-filled executions as they realized the exception was handled at a higher or lower level than they'd originally anticipated and they had to comment out more code. Finally, Patrick came up with a more creative solution: pre-emptively comment out all try-catch blocks in the entire solution, and stop adding more.

"There's no time for exception handling," he scoffed. "We have to move fast or we won't hit our street date."

Ethan was concerned by this solution. He'd already caught himself forgetting to un-comment catch blocks using their old strategy. Wasn't this infinitely more risky? And how would they know their catch blocks were written correctly? What about testing the error messages they were meant to display to the users? Still, he was brand new, and Patrick had industry experience, so he was overruled.

The weeks wore on, and development moved at blazing speed. The developers did their own unit tests, and from time to time, their BA would perform manual tests of the addon installed in the ERP system. It mostly crashed, but it was early yet. There was time to figure it out. Still, blazing isn't quite lightspeed, and the BA kept finding more and more crucial functionality that would be required if anyone was going to be interested in purchasing the thing. The general feeling of the project team matched the immortal words of Sonic the Hedgehog: "We're not going to make it. Let's speed up!"

The team took on more developers in an effort to increase overall velocity. One of these was Alex, a contractor with 30 years of experience handling IT projects. Alex rapidly emerged as the clear leader of the entire team; his age and experience dethroned even Patrick. He spent increasing amounts of time sequestered with the boss, talking through everything from planned features to plugin architecture to the speed of development, which the boss felt was responsible for their missed milestones. Not because the code quality was crappy and therefore more time was spent fixing bugs, but because developers "weren't coding fast enough."

The codebase had grown from a few hundred lines to several thousand. Ethan had found the magic toggle for Visual Studio that made it step into catch blocks, much to his relief. He reported this to the boss, and the ban on exception handling was (begrudgingly) lifted. Ethan adjusted rapidly, but many of the other developers still blamed exception handling for the slowness of coding. Often the addon would crash due to an incorrect cast or bad index. However, handling exceptions was seen as wasted time, so many developers refused to do it.

Upon overhearing the boss and Alex discussing the matter, Ethan threw in his two cents. "We're nearing release. We should really start adding exception handling to all new code. Then we should do a final round of testing to make sure nothing breaks."

This didn't go over well with the boss. The solution was simple to him. "Just don't use any exception handling. Remove all of it. Then we won't have to test anything extra, and we might even make our deadline."

Ethan, after retrieving his jaw from the floor, protested violently. "Who's gonna pay for a system that crashes the moment you look at it wrong? What about data integrity? If bad data is persisted to the database, it'll fill up with garbage—and then the application will throw even more exceptions!"

"I know it's not ideal," said the boss, "but there's no time. Remember the scale: we need to be at a 2, and you're at like a 6 right now. This is industry standard stuff. Trust me on this, okay?"

Time marched on. The company doubled in size, adding more developers who were forbidden from using exception handling. They moved even faster now, approaching the final ship date—well, the new final ship date, anyway.

One day, while debugging, Ethan noticed that the addon didn't crash anymore, but did log an error to the console. "Wait, what? Where was that handled?"

Concerned, he dug through the code. Most of his exception handling had been removed or commented out; he couldn't find a single catch block in the whole module he was working on. Finally, he found it: at the very top level, someone had put a try-catch block around the entry point to swallow any exceptions that were thrown.

Ethan asked Alex about it the next time he caught him in the hallway.

"Yeah, we can't have the addon crashing all the time, you know?" Alex shrugged.

Another junior developer poked his head out of a nearby cubicle. "It turns out, in C#, if you have an exception, the entire application crashes! Crazy, right? I found that out last week, and I told Alex about it, so we decided to implement exception handling."

Ethan had no words at first. He just cradled his forehead in the palm of his hand. Finally, he tried one last time to explain. "Look. Exception handling is a good idea. But this is going to swallow all the errors, so debugging will be impossible. At the very least, let's put a catch block around each module so we know which one failed. And stop removing my catch blocks!"

Alex shook his head. "You just have to do it right. All of you," he added, raising his voice so the others could hear. "If you just code it right from the start, there won't be exceptions, and handling them won't be necessary!"

Ethan learned a valuable lesson that day: why exactly it was that startup developers tended to congregate in bars and debate the merits of various fine liquors online. It wasn't that people who liked alcohol were drawn to software development. Working at places like this drove developers to drink.
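Ethan's argument above, as an added Python sketch that is not the team's C# code: a single catch-all around the entry point beside a boundary per module. The module functions and the order record are constructed stand-ins for the "incorrect cast" and "bad index" failures the story names.

```python
import logging
from typing import Any, Callable, Dict, List, Tuple

# Added example, not the story's code. The module names and the "order" record
# are constructed stand-ins for the addon's real work.
log = logging.getLogger("addon")


def parse_quantity(raw: Any) -> int:
    """Stand-in for the addon's 'incorrect cast' failure (raises ValueError)."""
    return int(raw)


def pick_warehouse(warehouses: List[str], idx: int) -> str:
    """Stand-in for the addon's 'bad index' failure (raises IndexError)."""
    return warehouses[idx]


def run_swallow_all(order: Dict[str, Any], store: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """One try/catch around the entry point, as Alex left it: the failure is
    logged and swallowed, the caller cannot tell which module failed, and
    whatever was written before the failure stays in the store."""
    try:
        store.append(("quantity", parse_quantity(order["qty"])))
        store.append(("warehouse", pick_warehouse(order["warehouses"], order["idx"])))
        return {"ok": True, "failed_module": None, "error": None}
    except Exception as exc:  # swallows everything, programming errors included
        log.error("addon error: %s", exc)
        return {"ok": False, "failed_module": None, "error": None}


def run_with_module_boundaries(order: Dict[str, Any], store: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """A boundary per module, as Ethan asked for: the failing module is named in
    the result and the log, and nothing is persisted unless every module
    succeeded, so a half-written unit of work never reaches the store."""
    steps: List[Tuple[str, Callable[[], Any]]] = [
        ("quantity", lambda: parse_quantity(order["qty"])),
        ("warehouse", lambda: pick_warehouse(order["warehouses"], order["idx"])),
    ]
    staged: List[Tuple[str, Any]] = []
    for name, step in steps:
        try:
            staged.append((name, step()))
        except (ValueError, TypeError, IndexError, KeyError) as exc:
            log.error("module %s failed: %s: %s", name, type(exc).__name__, exc)
            return {"ok": False, "failed_module": name, "error": type(exc).__name__}
    store.extend(staged)  # only reached when every module succeeded
    return {"ok": True, "failed_module": None, "error": None}


if __name__ == "__main__":
    bad_order = {"qty": "3", "warehouses": ["north"], "idx": 5}  # constructed input
    persisted: List[Tuple[str, Any]] = []
    print(run_swallow_all(bad_order, persisted), persisted)
    persisted = []
    print(run_with_module_boundaries(bad_order, persisted), persisted)
```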


http://thedailywtf.com/articles/exceptional-handling



CodeSOD: Repeat Delete

Wednesday, 9 November 2016, 14:30

Kneaded eraser

Once upon a time, a client contacted Trick R. and asked him to figure out why files were disappearing from their website.

The seemingly innocent task proved to be a swan-dive into a sewer of bad PHP, unsanitized user input, and plain-text passwords stored in the database, among other vulnerabilities. However, the following conditional took the cake for awfulness. What better way to ensure a record is really gone than by running the DELETE query a bunch of times?


if( $_REQUEST['task'] == "delete_single" && preg_match("/^([0-9]+)$/", $_REQUEST['id'], $reg) ) {
    $qry = " delete from department where id=".$_REQUEST['id'];
    mysql_query( $qry );
    $qry = " delete from department where id=".$_REQUEST['id'];
    mysql_query( $qry );
    $qry = " delete from department where id=".$_REQUEST['id'];
    mysql_query( $qry );
    $qry = " delete from department where id=".$_REQUEST['id'];
    mysql_query( $qry );
    $qry = " delete from department where id=".$_REQUEST['id'];
    mysql_query($qry);
    $qry1="select * from department where id ='".$_REQUEST['id']."'";
    $query=mysql_query($qry1);
    while($data=mysql_fetch_array($query)){
        $qry = "delete from department where id=".$data['id'];
        mysql_query( $qry );

        $qry = " delete from department where id=".$data['id'];
        mysql_query( $qry );
    }
    $qry = " delete from department where id='".$_REQUEST['id']."'";
    mysql_query( $qry );


    $qry2="select * from department_login where pid ='".$_REQUEST['id']."'";
    $query=mysql_query($qry2);
    while($data=mysql_fetch_array($query)){
        $qry = "delete from department_login where pid=".$data['id'];
        mysql_query( $qry );

        $qry = " delete from department_login where pid=".$data['id'];
        mysql_query( $qry );
    }
    $qry = " delete from department_login where pid='".$_REQUEST['id']."'";
    mysql_query( $qry );

    $qry3="select * from files where pid ='".$_REQUEST['id']."'";
    $query=mysql_query($qry3);
    while($data=mysql_fetch_array($query)){
        $qry = "delete from files where pid=".$data['id'];
        mysql_query( $qry );

        $qry = " delete from files where pid=".$data['id'];
        mysql_query( $qry );
    }
    $qry = " delete from files where pid='".$_REQUEST['id']."'";
    mysql_query( $qry );

    $qry4="select * from pdf where pid ='".$_REQUEST['id']."'";
    $query=mysql_query($qry4);
    while($data=mysql_fetch_array($query)){
        $qry = "delete from pdf where pid=".$data['id'];
        mysql_query( $qry );

        $qry = " delete from pdf where pid=".$data['id'];
        mysql_query( $qry );
    }
    $qry = " delete from pdf where pid='".$_REQUEST['id']."'";
    mysql_query( $qry );

    $errorMsg = "
Record deleted successfully !!
";
}
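As an added example (not the page's code), a Python/sqlite3 port of the department and files part of the branch above, beside a hardened version that issues one parameterised DELETE per table inside a transaction. The tables and rows are constructed. Note what the original's per-row loop actually does: it deletes files whose pid equals a file's own id, so whenever a file id collides with some other department's id, that department's files vanish too.

```python
import re
import sqlite3

# Added example, not the page's PHP. Only the department and files tables are
# ported; department_login and pdf follow the same pattern in the original.


def make_db() -> sqlite3.Connection:
    """Constructed sample data: file id 7 belongs to department 1, while a
    department with id 7 owns two files of its own."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE department (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE files (id INTEGER PRIMARY KEY, pid INTEGER, name TEXT);
        INSERT INTO department VALUES (1, 'Sales'), (7, 'Legal');
        INSERT INTO files VALUES (7, 1, 'sales-plan.doc'),
                                 (20, 7, 'contract.pdf'),
                                 (21, 7, 'nda.pdf');
    """)
    return db


def delete_single_original(db: sqlite3.Connection, request_id: str) -> None:
    """Behaviour-preserving port of the PHP: string-built queries, repeated
    DELETEs, and the select-then-delete-by-row loop."""
    # PCRE's '$' (no D modifier) accepts one trailing newline; re.match does too.
    if not re.match(r"^([0-9]+)$", request_id):
        return
    for _ in range(5):
        db.execute("delete from department where id=" + request_id)
    for data in db.execute("select * from department where id ='" + request_id + "'").fetchall():
        db.execute("delete from department where id=" + str(data["id"]))
        db.execute("delete from department where id=" + str(data["id"]))
    db.execute("delete from department where id='" + request_id + "'")

    for data in db.execute("select * from files where pid ='" + request_id + "'").fetchall():
        # pid = <this file's id>: removes the files of whichever department
        # happens to have that id, not the file itself.
        db.execute("delete from files where pid=" + str(data["id"]))
        db.execute("delete from files where pid=" + str(data["id"]))
    db.execute("delete from files where pid='" + request_id + "'")
    db.commit()


def delete_single_hardened(db: sqlite3.Connection, request_id: str) -> bool:
    """One parameterised DELETE per table, children first, in one transaction.
    Returns True only if a department row was actually removed."""
    # fullmatch rejects the trailing newline that '^...$' lets through.
    if not re.fullmatch(r"[0-9]+", request_id):
        return False
    dept_id = int(request_id)
    with db:  # commit on success, roll back if anything raises
        db.execute("DELETE FROM files WHERE pid = ?", (dept_id,))
        deleted = db.execute("DELETE FROM department WHERE id = ?", (dept_id,)).rowcount
    return deleted == 1


def remaining_file_ids(db: sqlite3.Connection) -> list:
    return [row["id"] for row in db.execute("SELECT id FROM files ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    delete_single_original(db, "1")
    print("original:", remaining_file_ids(db))   # Legal's files are gone as well
    db = make_db()
    delete_single_hardened(db, "1")
    print("hardened:", remaining_file_ids(db))   # only department 1's file removed
```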

http://thedailywtf.com/articles/repeat-delete



A SNOBOL's Chance

Tuesday, 8 November 2016, 14:30

We've all inherited legacy systems. You know the sort: 20 years old, more than 50,000 lines of code, poorly designed even for its time, completely undocumented externally and full of useless code comments within, mangled beyond recognition by countless developers making myriad ad-hoc changes upon changes and so on. Now imagine such a system written in a tool that's been around for nearly half a century, but rarely used for the intended purpose of the application.

A group of people rolling a snowball taller than any of them

Reg worked for a firm that built space-rocket related applications; specifically an Ada compiler, written in SNOBOL, for a legacy processor used in the rocket that had been obsolete for 15+ years. The system itself consisted of more than 100 SPITBOL (a speedier compiler of SNOBOL) programs, most of which were written nearly four decades ago by one guy, Barry. Barry was a former sixties hippie-turned-coder. Though long since retired, he had been called back to active duty to try and help decipher what this thing does.

The code is full of comments explaining what each block does, but not why. Nor were the comments up to date with what the code actually did, which was one set of bugs, in addition to the more normal set of errors. Of course, in those days, nobody wrote unit tests (was it even possible to write test suites for SNOBOL?) Some of the more interesting phenomena included mangled memory addresses, incorrect hex/decimal conversions, offsets disappearing, seemingly random mangling/unmangling/remangling of variable names, etc.

Reg's ongoing project was to replace this mess with a shiny new Ada compiler written in Python.

Along the way, Reg had to deal with all the control flow of SNOBOL (e.g.: gotos), on-the-fly execution of strings containing arbitrary SNOBOL code, the immediate-value-assignment operators (. and $) and pattern matching that would reduce a regex-wizard to a quivering mass of Jello.

Even Barry, the tie-dyed, retired hippie, could no longer decipher what the internals were doing. Maybe he'd just fried too many neurons. Reg couldn't get any further; maybe he just wasn't smoking enough marijuana to understand what the hippie had done. Reg decided to simply try to replicate the output of the legacy system. This was accomplished by running both systems on the same input and doing diffs.

This project started long before Reg joined the firm, and will probably be going strong long after he's gone.

Reg got the number of diffs on the output down to less than 1,000. That might not sound great, but almost all of them were caused by bugs in the legacy code.

Now his toughest job begins: explaining to management why success must be defined as about 1,000 differences in the output between the legacy and replacement systems, and, more importantly, determining whether correcting the output of the previous systems will cause the rocket to act in an undesirable manner. Like exploding.


http://thedailywtf.com/articles/a-snobol-s-chance



CodeSOD: A Type of Test

Monday, 7 November 2016, 14:30

Unit tests are a wonderful tool for proving that your code works. Ideally, when you're using other code, like, say, the .NET Framework, you don't write tests that test the framework itself. After all, didn't Microsoft already do that?

David T.'s co-worker laughs at your naïveté. Why would you trust Microsoft? You need to make sure the framework works as advertised. Which is why their unit tests are mostly made up of code like this:

    [Test]
    public void It_Converts_DataType_Text_Into_ConcreteType()
    {
        const string dataTypeText = "System.DateTime";

        var dataType = Type.GetType(dataTypeText);

        Assert.IsTrue(dataType == typeof(DateTime));

    }

    [Test]
    public void It_Converts_String_Into_Given_DataType()
    {
        const string data = "10-10-2014";

        const string dataTypeText = "System.DateTime";

        var dataType = Type.GetType(dataTypeText);

        object newData = Convert.ChangeType(data, dataType);

        Assert.That(newData, Is.TypeOf<DateTime>());
    }

Now, if the .NET Framework's ability to load and recognize types ever breaks, David's team will be the first to know.


http://thedailywtf.com/articles/a-type-of-test



Error'd: "X" Marks the Spot

Friday, 4 November 2016, 13:00

Dan writes, "This happened when selecting 'see more' under my (Your) recommendations. Maybe there's buried treasure somewhere?"

"I found this while browsing Ikea jobs," Ian J. wrote, "A series of tasks...based on generic profile details. I might have a shot!"

"Flavor? I hope it comes in pumpkin spice!" writes Stephanie F.

"Part of me doesn't want to see the bill, but another part can't wait to see my bill," wrote Dallas H.

Aeden M. writes, "There has to be a threat somewhere on this machine, even the computer thinks it's a possibility."

"Looks like upwork.com may need to be more picky of the freelancers they use on their site," writes Jeremy.

"No matter my score, I find that my overall Windows experience is impacted by this 'error'," writes Steve.


http://thedailywtf.com/articles/x-marks-the-spot



The World Tree

Thursday, 3 November 2016, 13:30

When Nate was wrapping up his senior year of college, he hunted around for a job that would hire an undergrad on flexible hours. He knew that the kinds of companies that tended to hire on those terms could often have… creative practices, but college wasn't about to pay for itself.

He found a small shop that needed an extra hand. Extremely small: there was only one other developer, Gordon. Nate was prepared to enter a tiny shop with no real practices or procedures, because with only one developer, you don't expect a lot of rules and bureaucracy.

Tangled tree roots Neroberg

Gordon was only one person, but he was able to create enough contrived, arcane, and downright mysterious bureaucratic policies and procedures for fifty developers. Reading the style guide was closer to reading a novel: not a good novel with a clear point and narrative thread, but something meandering and pointless, like a Douglas Adams book.

Gordon wasn't just opinionated about style. He also had Opinions™ on the proper use of source control. Branches, Gordon explained, are absolutely vital for separating units of work.

Gordon's explanation came after Nate was stunned by the sheer number of branches: there were hundreds of branches in the repository. "Look," Gordon said, "you don't have to be intimidated by this. We can start you out, just do this small change in the main branch, then I'll show you how to release it."

Nate dutifully checked out master, made the change, and committed it. He sent Gordon a pull request.

"You used the wrong branch. Back out your change, and put it in the main one."

"Which branch is the main one? It's not master?"

"It used to be, but we don't really use master anymore. Use master_4513."

As it turned out, the main branch was usually whichever branch Gordon touched last. There were five or six different branches that could be the main branch at any given time. Maybe seven; it was very hard for Nate to be certain.

Nate made the changes in master_4513, but that was only the start of the nightmare. Now, those changes had to be merged into the correct branch for deployment. "This is pretty complex, do you want me to walk you through it?" Gordon asked.

Nate said yes, and so Gordon sat down next to him, and started explaining each step that Nate needed to perform. These explanations started with Gordon pressing his fingers against Nate's monitor and saying, "Click here. No, fire up the GUI, not the CLI. Select this branch." The instructional process was recorded as a smear of fingerprints on Nate's screen.

Changes merged outward from the main branch (whatever main happened to be that day). Instead of merging back towards a known-good trunk of code, changes were made to the trunk, and then percolated outward, according to Gordon's own twisted logic. "You see," he explained, "we've gotta maintain, like, 15 different versions, and some of them depend on a different version of our framework lib. This main version builds against version 1.2 of the framework."

"But… isn't your framework up to version 4.5? Like… for years now?"

"Yeah, but this change only goes out to the 2.0 users, so you need to merge from main to master_51, then to frameworkupgradeA1, then to perky_peregrine. You'll need to resolve conflicts."

Nate ground his teeth hard enough to make diamonds between them, and fought his way through the merge conflicts. A few hours later, Nate's one-line change was merged into a releasable version, but Nate had no idea how that change would migrate to any other version, if it ever did.

Nate's next assignment was to make a change to the same version, and since it was a larger change, he made a feature branch off of perky_peregrine, did the changes there, then merged right back into perky_peregrine after the work was done. Then he could propagate the changes back to the current main branch, asdfg. This resulted in an angry visit from Gordon.

"Are you trying to mess this up?" Gordon demanded. "There is a system. There are policies! Did you even read the development guide I gave you? Feature branches are fine, but they have to come off the main branch, not one of the dependent branches!"

Nate had tried valiantly to read it, but failed. "I was just going to do the work, merge into perky_peregrine, and then delete the branch, why does it matter?"

"Merge back?" Gordon shrieked. "DELETE the BRANCH? Branches don't merge backwards, only outwards. Like a tree. Each feature branch is supposed to be an entirely new line of development. Have you even used source control?"

Something snapped in the back of Nate's brain, because for a brief, terrifying moment, that almost made sense. Nate had been puzzling over the bizarre state of their source control repository, and those words from Gordon put understanding it within tantalizing reach. If he asked a few more questions, he might just see the method to this madness…

Nate chose the wiser path. He smiled, he nodded, he complied with Gordon's policies, and moved on to the next feature, weeks after cutting through the shrubbery that was Gordon's branching system.

The next feature was to make a change that only impacted users of the latest version of the base framework. The current main branch was back on version 2.3, so Nate needed to start by making a branch from there. Then he had to bring it up to version 4.0, then convert a few of the datafiles into a new format, then finish the upgrade to 4.5. This was about two weeks of hair pulling frustration. Then he could make his changes. He spent that week asking serious questions about the career path he was on. Finally, he could merge his changes into the actual 4.5 release branch, but never back into any master branch.

This resulted in tens of thousands of merge conflicts. The next few weeks were spent cutting through them, and by the end of that time, Nate discovered the semester was nearly over. He was about to graduate. He went to Lindsey, the co-owner of the small company, and handed in his resignation.

"We've been really impressed by your work," she said. "You could stay on after college, if you like."

Her tone was even, perhaps even a little indifferent, but there was a plea in her eyes. Nate vaguely recalled hearing that Gordon was a friend of Reggie, the other co-owner. Nate saw a hint that Lindsay knew what Gordon was doing to their software product. Maybe she thought Nate could be her ally in fixing it.

Or maybe Nate was reading too much into it. Discretion was the better part of valor. "I'm sorry, I just don't think I'm the right fit for this team," he said. They made the polite noises, she promised him a recommendation letter, they connected on LinkedIn, and Nate went off to find a source tree that didn't look like a tangled briar.

A few months after Nate settled into his new job, he snooped on Gordon's LinkedIn profile: he was unemployed. A message to Lindsay confirmed that she'd fired him over his inability to deliver new features. The last anyone had heard, Gordon had retired to a cabin in the woods, where he could be alone with many branches that never merged back into their trunks.

Editor's Note: We meant no harm in teasing Douglas Adams, but your reaction was much more interesting than it would have been to another tired Twilight joke.


http://thedailywtf.com/articles/the-world-tree



CodeSOD: Dollar Dollar Dollar Dollar Underscore

Wednesday, 2 November 2016, 13:30

Dollar symbol

An Anonymous source sends us some Java code they found in source control, with really special variable naming conventions. I can only assume this came from a plucky startup hoping to attract venture capital.


import java.util.*;
import java.awt.*;
import javax.swing.*;
import java.awt.event.*;

public class Array implements ActionListener, MouseMotionListener, MouseListener  {
        int $$_, _$$, $$$,$_$;
        JFrame $$$__$$$ = new JFrame();
        boolean draw = true;
        JButton $$1 = new JButton("Line"), $$2 = new JButton("Rectangle"), $$3 = new JButton("Clear");
        ArrayList<Shape> $$$$$$$$$$ = new ArrayList<>();

        JPanel aa$$aa = new JPanel(), _$$_$_ = new JPanel(), $0$0$ = new JPanel() {
                @Override
                public void paintComponent(Graphics g) {
                        super.paintComponent(g);

                        for (Shape i : $$$$$$$$$$)
                        {
                                if (i.$s$ == true) {
                                        g.setColor(Color.green);
                                        g.drawLine(i.$$_,i._$$,i.$$$,i.$_$);
                                }
                                else {
                                        g.setColor(Color.red);
                                        g.fillPolygon(new int[] {i.$$_,i.$$_,i.$$$,i.$$$}, new int[] {i._$$,i.$_$,i.$_$,i._$$}, 4);
                                }
                        }
                        if (draw) {
                                g.setColor(Color.green);
                                g.drawLine($$_,_$$,$$$,$_$);
                        }
                        else {
                                g.setColor(Color.red);
                                g.fillPolygon(new int[] {$$_,$$_,$$$,$$$}, new int[] {_$$,$_$,$_$,_$$}, 4);
                        }
                }
        };

        public Array () {
                aa$$aa.setLayout(new BoxLayout(aa$$aa, BoxLayout.Y_AXIS));

                _$$_$_.add($$1);
                $$1.addActionListener(this);
                _$$_$_.add($$2);
                $$2.addActionListener(this);
                _$$_$_.add($$3);
                $$3.addActionListener(this);
                

                $0$0$.setPreferredSize(new Dimension(200, 200));
                aa$$aa.add($0$0$);
                $0$0$.addMouseListener(this);
                $0$0$.addMouseMotionListener(this);
                aa$$aa.add(_$$_$_);

                $$$__$$$.add(aa$$aa);
                $$$__$$$.setSize(new Dimension(400, 400));
                $$$__$$$.setVisible(true);
                $$$__$$$.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
        }


        public static void main(String[] args) {
                new Array();
        }

        public void actionPerformed(ActionEvent e) {
                if (e.getSource() == $$1) {
                        draw = true;
                } else if (e.getSource() == $$2) {
                        draw = false;
                } else if (e.getSource() == $$3) {
                        $$$$$$$$$$.clear();
                }
                $$_ = 0; 
                _$$ = 0; 
                $$$ = 0; 
                $_$ = 0;
                $$$__$$$.repaint();
        }

        public void mousePressed(MouseEvent e) {
                $$_ = e.getX();
                _$$ = e.getY();
                $0$0$.repaint();
        }

        public void mouseReleased(MouseEvent e) {
                $$$ = e.getX();
                $_$ = e.getY();
                $$$$$$$$$$.add(new Shape($$_,_$$,$$$,$_$, draw));
                $$_=0;
                _$$=0;
                $_$=0;
                $_$=0;
                $$$__$$$.repaint();
        }

        public void mouseEntered(MouseEvent e) {
                $$$__$$$.repaint();
        }

        public void mouseExited(MouseEvent e) {
                $$$__$$$.repaint();
        }

        public void mouseClicked(MouseEvent e) {
                $$$__$$$.repaint();
        }

        public void mouseMoved(MouseEvent e) {
                $$$__$$$.repaint();
        }

        public void mouseDragged(MouseEvent e) {
                $$$ = e.getX();
                $_$ = e.getY();
                $$$__$$$.repaint();
        }

        class Shape {
                int $$_,_$$,$$$,$_$;
                boolean $s$;
                Shape(int xx, int yy, int x$, int y$, boolean tp) {
                        $$_ = xx;
                        _$$ = yy;
                        $$$ = x$;
                        $_$ = y$;
                        $s$ = tp;
                }

                public String toString() {
                        return ""+$$_+" "+_$$+" "+$$$+" "+$_$;
                }
        }
}


http://thedailywtf.com/articles/dollar-dollar-dollar-dollar-underscore



No Account for You

Tuesday, 1 November 2016, 13:30

Ed wasn't excited about his job. He worked for a large automotive manufacturer. This is the kind of industry that might invest heavily into robots and research and development, but when it comes to managing their supply chain and accounts receivable, their IT infrastructure was frozen in amber circa 1974.

Elaine getting her revenge on the Soup Nazi from Seinfeld

The pay was fine, but the work was frustrating. Things like code reviews and refactoring were viewed as wastes of time or developers playing with toys. Unit tests were a luxury for lazy developers; good developers should just be writing code that works. If the work you're doing isn't directly involved in getting cars built and shipped, you shouldn't be doing it.

Ed was looking to get out of the company, and while he kept sending out resumes, he found more excuses to get away from his desk by taking smoke breaks with Mitchell. Mitchell was a lifer: he joined the company back when pensions were a thing, and was close enough to retirement that he just needed to keep his head down and stay the course to check out with a nice nest egg. "But you," he'd tell Ed, "you've gotta get out of here. You're young. You shouldn't be wasting your time here."

After one of those smoke breaks, Ed returned to his desk to see Pilar waiting for him. Pilar was their summer intern, a junior in college. She mostly handled manual reporting, which was a euphemism for we dont actually have a reporting system for this data set, so we have an intern run SQL queries against production and then copy/paste the results into a spreadsheet. Yes, there were still manual reports because none of the SBUs wanted to pay to automate them.

Ive got a new report, she said, and its on something called SCORDBE? You wouldnt know how I get access, would you?

Ed didnt know. At best, he might have seen the acronym someplace on a PowerPoint during a quarterly meeting once. No, but has anyone shown you the Internal Apps Sheet? He was referencing a spreadsheet used to track support contacts for different applications. He CTRL+F-ed to the entry for SCORDBE. Oh, no…

The SCORDBE database was administered by Yev "Ticket-Nazi" Kassem. He automatically closed any ticket for changing the database, even for production releases. Any ticket requesting access to the database, for any reason, received a simple reply: "NO ACCOUNT FOR YOU." He used IP whitelists to prevent connections from unapproved devices. While that probably was good for security, security was an afterthought: Yev had a small bit of power, and he wanted to make sure that he held onto it.

Still, that was just the database side. There was an application on top of that database. Ed scrolled across the spreadsheet, past the columns for Approving Manager, SBU Contact, SBU Backup Contact and SBU Backup Backup Contact, and found IT Development Contact. It was Mitchell.

"I don't think you'll get very far with the database," Ed said. "But maybe Mitchell can help?"

Pilar went off to visit Mitchell, and Ed got back to his regular work. A half hour later, Mitchell CCed him on an email to Pilar. "I've got a solution. Just visit this URL and it'll run your query. And you can change the id=… part at the end to do it for other part numbers."

Ed didn't think much about it until his next smoke break. "So," he said, "how'd you get past the Ticket-Nazi?"

Mitchell laughed. "I didn't." He paused and lit his cigarette, taking a few drags before explaining. "SCORDBE is about 35,000 lines of Perl written back in the '90s. Nobody ever wants to touch this code, and nobody really understands what it does. I figured there had to be some poorly escaped queries, so I just grepped until I found one. Now we can run ad-hoc queries as needed."

Ed left the company a short time later. Mitchell, and his injection-based reporting solution, however, are still there.
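The part of the story worth spelling out: Yev's IP whitelist and his refusal to create accounts were never breached. The application already sat on an approved host with its own database credentials, and a query that pasted the id= value from the URL into its SQL text let anyone who could reach the application run whatever statement they liked under that account. The following is an added Python example, not SCORDBE's Perl and not anything from the original story: a hypothetical request handler in the vulnerable style beside its parameterized form, run against a constructed in-memory SQLite schema, plus a first-pass regex check for the interpolated-SQL pattern Mitchell grepped for. Every table, column, variable and token value in it is made up for the example.

```python
import re
import sqlite3

# Constructed sample schema (not SCORDBE's): the parts table the report is
# meant to read, plus an unrelated table holding something the report should
# never be able to reach through the application's own database account.
SCHEMA = """
CREATE TABLE parts (id INTEGER PRIMARY KEY, part_no TEXT, qty INTEGER);
CREATE TABLE app_users (username TEXT, api_token TEXT);
INSERT INTO parts VALUES (1, 'AX-100', 40), (2, 'AX-200', 7);
INSERT INTO app_users VALUES ('svc_report', 'tok-constructed-0001');
"""

# What an "id=" value looks like once someone decides the URL is a query runner.
PAYLOAD = "0 UNION SELECT username, api_token FROM app_users"


def open_db() -> sqlite3.Connection:
    """In-memory database standing in for the one behind the IP whitelist."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """Hypothetical handler in the style the story describes: the id= value
    from the query string is pasted into the SQL text, so the caller, not the
    developer, decides which statement the application's account executes."""
    sql = "SELECT part_no, qty FROM parts WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, id_param: str) -> list:
    """Hardened form: the value is bound as a parameter. The database receives
    the statement and the value separately, so the same payload is only ever
    compared against id and is never parsed as SQL."""
    sql = "SELECT part_no, qty FROM parts WHERE id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


# Constructed Perl fragment, not SCORDBE's code: the first query interpolates a
# variable into the SQL string, the second uses a DBI placeholder.
SAMPLE_PERL = r'''
my $sth = $dbh->prepare("SELECT part_no, qty FROM parts WHERE id = $id");
my $ok  = $dbh->prepare("SELECT part_no, qty FROM parts WHERE id = ?");
'''

# A double-quoted string literal containing a SQL keyword and a $variable:
# the same thing Mitchell's grep was looking for, as a first-pass review check.
INTERPOLATED_SQL = re.compile(
    r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*\$\w+[^"]*"', re.IGNORECASE
)


def find_interpolated_sql(source: str) -> list:
    """Return every double-quoted SQL literal that interpolates a variable."""
    return [m.group(0) for m in INTERPOLATED_SQL.finditer(source)]


if __name__ == "__main__":
    db = open_db()
    print("vulnerable, id=1      :", lookup_vulnerable(db, "1"))
    print("vulnerable, id=PAYLOAD:", lookup_vulnerable(db, PAYLOAD))
    print("bound,      id=PAYLOAD:", lookup_parameterized(db, PAYLOAD))
    print("suspect Perl lines    :", find_interpolated_sql(SAMPLE_PERL))
```

The vulnerable handler hands back the contents of app_users for the payload; the bound version returns no rows for it, because "0 UNION SELECT …" is just a string that equals no id. In a real handler you would also validate that id is an integer before binding it, but binding is what takes the value out of the SQL grammar. The regex is a triage tool, not a proof of safety: it finds the obvious interpolated literals and misses concatenation with `.`, heredocs and strings built across several lines.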

[Advertisement] BuildMaster integrates with an ever-growing list of tools to automate and facilitate everything from continuous integration to database change scripts to production deployments. Interested? Learn more about BuildMaster!

http://thedailywtf.com/articles/no-account-for-you


Tags:

CodeSOD: The Wisdom of the Ancients

Monday, 31 October 2016, 13:30

As Halloween descends upon us, mysterious emails start reaching our inbox. These plaintive missives are but the screams of the damned, encoded and sent over SMTP.

For example, someone known to us only as "DBA Guy" sent an email with this subject: "Silver bullet SQL scalar function built by the Ancient Ones".

These ancient ones obviously did not come from the Euclidean plane we know so well, but from a twisted, higher-dimensional space where there exist no right angles.

The code itself is simple:

/*--------------------------------------------------------------------------------------------------
Name                    fnValueChanged
Purpose:                Returns a value based on the parameters passed in which will tell the user whether or not 2 values have changed
Usage                   Select dbo.fnValueChanged(Parameter1,Parameter2,Parameter3,ParameterN...)
Returns         tinyint
--------------------------------------------------------------------------------------------------*/
ALTER          FUNCTION [dbo].[fnValueHasChanged]
(
        @pOldValue varchar(255),
        @pNewValue varchar(255),
        @pItemType varchar(40)                  -- to be used if we need to do date comparisions etc.
)
RETURNS int
AS
Begin
        Declare @vHasChanged tinyint
        set @vHasChanged = (
                Case
                        When IsNull(@pNewValue, '') <> IsNull(@pOldValue, '') and @pNewValue Is Not Null Then 1
                        Else 0
                End
        )
        RETURN (@vHasChanged)
End

Given an old value and a new value, determine if they're different. It's awkward and strange, with a dead parameter (@pItemType is never read) coming to us from across the aeons, a header that documents a different function name, and a Case statement where an If would probably be clearer and easier to understand. But how, pray tell, is this code used?

CarPassword = (
        Case
                When dbo.fnValueHasChanged(@LocPasswordOld, @LocPassword, NULL) = 1 then @LocPassword
                Else @LocPasswordOld
        End
)

The code which calls the function mirrors the code within the function. Thus, we have a case within a case, a mystery within a mystery, and a function which has been handed down to us from the ancient ones.
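The caller looks like it could be collapsed to ISNULL(@LocPassword, @LocPasswordOld), and that is almost true. The following is an added Python model, not code from the submitter's database: it reproduces the function's CASE logic with None standing in for NULL, places the one-line rewrite beside it, and searches a small constructed set of values for pairs where the two disagree. SQL Server's collation and trailing-space padding rules are deliberately ignored, so the comparison is exact-string only.

```python
# Python model of the T-SQL on this page, as an added example. NULL is None;
# strings are compared exactly (collation and trailing-space padding ignored).


def isnull_empty(value):
    """ISNULL(value, '')"""
    return "" if value is None else value


def fn_value_has_changed(old, new):
    """dbo.fnValueHasChanged(@pOldValue, @pNewValue, ...): 1 if the two values
    differ once NULLs are read as '', and the new value itself is not NULL."""
    return 1 if (isnull_empty(new) != isnull_empty(old) and new is not None) else 0


def car_password_original(old, new):
    """The caller's CASE: the new value when the function says 1, else the old one."""
    return new if fn_value_has_changed(old, new) == 1 else old


def car_password_isnull(old, new):
    """The tempting one-line replacement: ISNULL(@LocPassword, @LocPasswordOld)."""
    return old if new is None else new


def differing_cases(values=(None, "", "hunter2", "secret")):
    """Every (old, new) pair from a small constructed value set where the
    original expression and the ISNULL rewrite produce different results."""
    return [
        (old, new)
        for old in values
        for new in values
        if car_password_original(old, new) != car_password_isnull(old, new)
    ]


if __name__ == "__main__":
    print("pairs where ISNULL(new, old) differs:", differing_cases())
```

The only disagreement is a NULL old value paired with an empty-string new value: the original keeps NULL, the ISNULL rewrite writes an empty string. The simplification is still the right call, but that is the pair to put in a test before changing anything that feeds a password column.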

[Advertisement] Release! is a light card game about software and the people who make it. Play with 2-5 people, or up to 10 with two copies - only $9.95 shipped!

http://thedailywtf.com/articles/the-wisdom-of-the-ancients


Tags:

Error'd: Going Fast

Friday, 28 October 2016, 13:00

"This building is sinking so fast that it lost 4 floors between the headline and the body," writes Hans.

"I was looking for a new fridge, for some reason this one didn't quite have the features I was looking for," writes Tim D.

Matt R. wrote, "Well, I guess the Microsoft Time Estimator has a new job!"

"Work is sponsoring a flu shot clinic and the clinic wants to make it really easy for Marylanders," writes Rick B., "Or really hard...it rejects all but one of the MD entries!"

"So, does an inverted dropdown turn into a riseup?" wrote Tomi A.

Jordan B. writes, "Wait, exactly how much storage does Database Engine Tuning Advisor need? I don't think they make hard drives INT64_MAX megabytes in size..."

"I didn't know you could 'oSettingsEvent.comest' your audio setup or '.mog' into a meeting," writes Peter, "It doesn't get any easier in French either."

[Advertisement] Incrementally adopt DevOps best practices with BuildMaster, ProGet and Otter, creating a robust, secure, scalable, and reliable DevOps toolchain.

http://thedailywtf.com/articles/going-fast


Tags:
