Brandons company had a lot of work to do, and not enough staff to do it, so they hired on some freelancers. They were careful about it, and felt like theyd hired some good people. One developer, in particular, was the kind of developer who not only understands the low-level Windows API, but actually knows how to use some of the undocumented corners of it to get things done.

Most of the module was pretty good, but when Brandon double checked on the method for escaping disallowed characters from a URL, he found some problems.

The function went character by character through the string, which was bad enough, but when it wanted to know if a certain character needed to be escaped or not, it called this function:

bool NeedEscape ( wchar_t c )
{
    switch ( c )
    {
        case L'0': case L'1': case L'2': case L'3': case L'4':
        case L'5': case L'6': case L'7': case L'8': case L'9':
        case L'a': case L'b': case L'c': case L'd': case L'e':
        case L'f': case L'g': case L'h': case L'i': case L'j':
        case L'k': case L'l': case L'm': case L'n': case L'o':
        case L'p': case L'q': case L'r': case L's': case L't':
        case L'u': case L'v': case L'w': case L'x': case L'y':
        case L'z': case L'A': case L'B': case L'C': case L'D':
        case L'E': case L'F': case L'G': case L'H': case L'I':
        case L'J': case L'K': case L'L': case L'M': case L'N':
        case L'O': case L'P': case L'Q': case L'R': case L'S':
        case L'T': case L'U': case L'V': case L'W': case L'X':
        case L'Y': case L'Z': case L'-': case L'.': case L'_':
        case L'~':
            return false;
        default:
            return true;
      break;
    }
}

While this freelancer may have been an expert on the undocumented Windows APIs, they didnt quite know their way around the documented ones.

http://thedailywtf.com/articles/just-in-case