Spyke
programmer_humor · Programmer Humor · by vrek

What are some of the worst code you have seen in a production environment?

I'll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button, and it reaches out to a database and pulls all the data that matches those parameters. The horrors of this were:

  1. The queries were hard coded.

  2. They were stored in a configuration file, in XML format.

  3. The queries were not 1 entry. It was 4: a start, the part between start date and end date, the part between end date and system, and then the end part. All of these were then concatenated in the program, intermixed with variables.

  4. This was then sent to the server as pure SQL, no ORM.

  5. Here's my favorite part. You obviously don't want anyone modifying the configuration file, so they encrypted it. Now I know what you're thinking: at some point you probably will need to modify or add to the configuration, so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt, but there were no visible buttons to access those functions. The program was written in WinForms. You had to open the program in Visual Studio, manually expand the size of the window (locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.

sh.itjust.works

Long time ago, but by far the worst for me was when I inherited some code that a previous programmer had done. Every variable was a breakfast item. So if biscuit>bacon then scrambledeggs=10. Shit like that. It was a nightmare and luckily I only had to deal with it infrequently.

99
CaptDust
sh.itjust.works

Why do people do stuff like this, is the logic not difficult enough to follow on its own without a secondary definition table to consult!? Fucking hell.

54

Had a programmer like this when I was still an apprentice. He was so full of himself. Was originally a Java programmer but had to program in PHP because that was what ran on the server. I never found out why he couldn't just put Java on the server. We had full control.

All his variables were first names. Like $klaus and $grobi. Because he was afraid of clashing with reserved keywords. The thing is, in PHP all variables begin with $ exactly to prevent this issue. So he brought that habit over from Java which was far superior and not such a "Mickey Mouse language".

I mean, he wasn't totally wrong, especially back then PHP was awful. But he surrounded every function with <?php and ?> (PHP was designed to be combined with HTML output outside of these tags) and had plenty of whitespace between them and couldn't fathom why all his html files had huge swaths of whitespace at the start.

His way of preventing SQL injection was to look for SQL keywords in user input and then throw an error in the log files.

17
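The concatenated query fragments in the original post and the keyword grep a few comments up are the two halves of a textbook SQL injection, so here is an added example (not code from anyone in this thread) that rebuilds both against an in-memory SQLite table. The `events` table, its rows, the fragment names and the `looks_like_sql` keyword list are all made up for the demo; the point is that a parameterised query needs no keyword filter at all, while the grep misses a payload that contains no keyword.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny "events" table
# standing in for whatever the OP's report tool was querying.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, system TEXT, "
        "happened_on TEXT, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO events (system, happened_on, note) VALUES (?, ?, ?)",
        [
            ("alpha", "2024-01-05", "alpha jan"),
            ("beta", "2024-01-20", "beta jan"),
            ("alpha", "2024-02-10", "alpha feb"),
            ("beta", "2024-03-01", "beta mar"),
        ],
    )
    conn.commit()
    return conn

# The four stored fragments from the OP, with hypothetical names. The user's
# start date, end date and system get spliced in between them as raw text.
FRAG_START = "SELECT note FROM events WHERE happened_on >= '"
FRAG_START_TO_END = "' AND happened_on <= '"
FRAG_END_TO_SYSTEM = "' AND system = '"
FRAG_TAIL = "' ORDER BY happened_on"

def report_concatenated(conn, start, end, system):
    """The OP's approach: glue fragments and user values into one SQL string."""
    sql = (FRAG_START + start + FRAG_START_TO_END + end
           + FRAG_END_TO_SYSTEM + system + FRAG_TAIL)
    return [row[0] for row in conn.execute(sql)]

def report_parameterized(conn, start, end, system):
    """Same query, values bound as parameters: they can never become SQL."""
    sql = ("SELECT note FROM events WHERE happened_on >= ? AND happened_on <= ? "
           "AND system = ? ORDER BY happened_on")
    return [row[0] for row in conn.execute(sql, (start, end, system))]

# The keyword-grep "defense" from the thread (hypothetical keyword list).
KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "UNION", "--")

def looks_like_sql(value):
    """Flags input containing a listed keyword; the payload below has none."""
    return any(k in value.upper() for k in KEYWORDS)

# Payload: closes the quoted system value and ORs in an always-true clause.
PAYLOAD = "alpha' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(report_parameterized(db, "2024-01-01", "2024-01-31", "alpha"))
    print(looks_like_sql(PAYLOAD))
    print(report_concatenated(db, "2024-01-01", "2024-01-31", PAYLOAD))
    print(report_parameterized(db, "2024-01-01", "2024-01-31", PAYLOAD))
```

With the payload as the "system" value the concatenated version returns every row regardless of date or system, and the keyword grep never fires; the parameterised version simply finds no system with that literal name. Extending the keyword list does not help, since the attacker chooses the payload after seeing what is blocked.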
vrek
programming.dev

I don't know what's worse... That program or that you put biscuits greater than bacon...

Actually I think the greater crime is biscuits being greater than bacon

29
FuglyDuck
lemmy.world

but BiscuitTop + Bacon + Eggs + BiscuitBottom is definitely better than biscuit, or bacon or eggs.

12

I don’t know how old you are but when I was in school, this was just going out of style. They saw this as job security. If you’re the only one who can work on the code, then they won’t fire you

21
thelemmy.club

Oh god, that's worse than I've seen where a SQL query joining 10 tables aliased all of the tables as a, b, c, d, e, f, g, h, i, j.

It was a mess, and as a new dev on the project, trying to figure out which where clause was for which table and how things worked was a fucking nightmare. Trying to keep a dictionary of letters to real table names in your head as you looked at the query was very taxing. In the end, I just fixed it all to stop using aliases. Or to use short abbreviations.

Here's a mock example:

SELECT
    j.delivery_eta,
    c.cat_desc,
    a.part_number,
    h.region_label,
    f.wh_loc,
    e.emp_last,
    g.state_flag,
    b.mfg_title,
    i.ship_track_code,
    d.order_sum,
    a.created_on,
    j.last_scanned_at,
    e.emp_first,
    c.cat_code,
    g.state_level
FROM parts AS a
INNER JOIN manufacturers AS b 
    ON a.manufacturers_id = b.id
INNER JOIN categories AS c 
    ON a.categories_id = c.id
INNER JOIN orders AS d 
    ON a.orders_id = d.id
INNER JOIN employees AS e 
    ON d.employees_id = e.id
INNER JOIN warehouses AS f 
    ON a.warehouses_id = f.id
INNER JOIN inv_state AS g 
    ON a.inv_state_id = g.id
INNER JOIN regions AS h 
    ON f.regions_id = h.id
INNER JOIN shipments AS i 
    ON d.shipments_id = i.id
INNER JOIN logistics AS j 
    ON i.logistics_id = j.id
WHERE
    (b.mfg_title LIKE '%Corp%' OR b.mfg_title LIKE '%Global%')
    AND c.cat_desc NOT IN ('Unknown', 'None', 'Legacy')
    AND (d.order_sum > 1000 OR d.order_sum BETWEEN 250 AND 275)
    AND e.emp_last ILIKE '%berg'
    AND (f.wh_loc IN ('A1', 'Z9', 'M3') OR f.wh_loc IS NULL)
    AND g.state_flag IN ('ACT', 'PENDING')
    AND h.region_label NOT LIKE 'EXT-%'
    AND (i.ship_track_code IS NOT NULL AND i.ship_track_code <> '')
    AND (j.delivery_eta < NOW() + INTERVAL '90 days' OR j.last_scanned_at IS NULL)
    AND (a.part_number ~ '^[A-Z0-9]+$' OR a.part_number IS NULL)
    AND (
        (c.cat_code = 'X1' AND g.state_level > 2)
        OR
        (e.emp_first ILIKE 'J%' AND d.orders_id IS NOT NULL)
    );

10

That's how mainframe programmers at my workplace do SQL. I think they do it due to long table and field names and narrow mainframe COBOL files

1
piefed.ca

So, this is completely off topic, but some of the comments here reminded me of it:

An elderly family friend was spending a lot of her time using Photoshop to make whimsy collages and stuff to give as gifts to friends and family.
I discovered that when she wanted to add text to an image, she would type it out in Microsoft Word, print it, scan the printed page, then overlay the resulting image over the background with a 50% opacity.
I showed her the type tool in Photoshop and it blew her mind.

69

I am simultaneously horrified that she didn’t do any research to see if she could insert text into the image and incredibly impressed at her problem solving skills. Honestly, the more I think about it, the more I lean towards impressed; good on her!

30

Haha that's so dumb. She could've just taken a screenshot!

I showed her the type tool in Photoshop and it blew her mind.

Or well. That.

19

Aw really wholesome actually. Some libraries in my area have senior friendly editing classes, I think it's becoming more popular. Good looking out for them!

12
vrek
programming.dev

Photoshop is amazing. That said you kinda need to take a course in it to use 80% of the functionality.

9

And almost always, if you are not a professional, that could be done with any image editing program.

6
lemmy.ml

One time, I had to request firewall access for a machine we were deploying to, and they had an Excel sheet to fill in your request. Not great, I figured, but whatever.

Then I asked who to send the Excel file to and they told me to open a pull request against a Git repo.
And then, with full pride, the guy tells me that they have an Ansible script, which reads the Excel files during deployment and rolls out the firewall rules as specified.

In effect, this meant:

  1. Of course, I had specified the values in the wrong format. It was just plaintext fields in that Excel, with no hint as to how to format them.
  2. We did have to go back and forth a few times, because their deployment would fail from the wrong format.
  3. Every time I changed something, they had to check that I'm not giving myself overly broad access. And because it's an Excel, they can't really look at the diff. Every time, they have to open it and then maybe use the Excel version history to know what changed? I have no idea how they actually made that workable.

Yeah, the whole time I was thinking, please just let me edit an Ansible inventory file instead. I get that they have non-technical users, but believe it or not, it does not actually make it simpler, if you expose the same technical fields in a spreadsheet and then still use a pull request workflow and everything...

68
vrek
programming.dev

The corporate world runs on excel, never the best option, but everyone knows it so....

25
AtariDump
lemmy.world

Yep; I’ve seen Excel files that are like 10MB because it’s a database in Excel

12
inzen
lemmy.world

Try a few Gigabytes. I worked on site IT support for a year, we had to max out memory on a workstation because the company database was an Excel file of about 3GB. It took minutes to open and barely worked, crashing frequently.

21

When I was interning in a cellular biology lab, I took their chemical inventory and converted it from excel to access. Complete with forms and reports. Spent some time training the permanent staff how to use it, explained how it was much more efficient than excel.

I don't think they bought into it, but I tried.

1
sh.itjust.works

I've had legacy systems that would encrypt user passwords, but also save the password confirmation field in plain text. There was a multitenant application that would allow front end clients to query across any table for any tenant, if you knew how to change a header. Oh and an API I discovered that would validate using "contains" for a pre-shared secret key. Basically if the secret key was "azh+37ukg", you could send any single individual character like "z" and it would accept the request.

Shits focked out here, mate.

65
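To make the "contains" check above concrete, here is an added example (not code from the commenter's system) in Python: the substring check as described, next to a full-value constant-time comparison. The key value is the one used as an illustration in the comment; everything else is made up for the demo.

```python
import hmac
import string

# Hypothetical pre-shared key for the demo, shaped like the thread's example.
API_SECRET = "azh+37ukg"

def authorized_contains(presented):
    """The check as described: accepts if the sent value is a substring of
    the secret. Every single character of the key passes, and so does the
    empty string, because "" is a substring of everything."""
    return presented in API_SECRET

def authorized_equal(presented):
    """Full-value, constant-time comparison; only the exact key passes.
    compare_digest also returns False (not an exception) on length mismatch."""
    return hmac.compare_digest(presented.encode("utf-8"), API_SECRET.encode("utf-8"))

def chars_that_pass(alphabet=string.ascii_lowercase + string.digits):
    """What an attacker gets by trying one character at a time."""
    return [c for c in alphabet if authorized_contains(c)]

if __name__ == "__main__":
    print(chars_that_pass())           # every character of the key passes
    print(authorized_contains(""))     # and so does sending nothing
    print(authorized_equal("z"), authorized_equal(API_SECRET))
```

With a GUID-shaped key nearly every hex digit is a valid single-character "secret", which is the clash rate the commenter describes further down; the constant-time compare closes both the substring hole and the timing side channel of an ordinary `==`.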
Scrubbles
poptalk.scrubbles.tech

Rules I've learned from software engineering for almost 2 decades.

  • Never roll your own ORM
  • Never roll your own Auth

No matter what you think, someone else did it better. Trying to do either of those outside of a hobby environment is pure hubris. "But I can do it better" - no you fucking can't. I have wasted much much more time debugging shitty "home grown" ORM solutions that clearly some dev just was bored and did than I have spent figuring out the quirks of whatever one I'm using. Same goes for auth. Just learn it.

39
TootSweet
lemmy.world

Never roll your own ORM

I've done this. Probably 10 years ago. Even today, I maintain the same application that has the ORM in it that I designed. If I could go back in time and do something else, I'd do the same thing again. Honest to god. For my use case, I feel it was warranted. It was risky, but it worked out surprisingly well.

19
Clent
lemmy.dbzer0.com

If I could go back in time and do something else, I'd do the same thing again.

So many questions here. What language? What's the database? How many years of experience do you have in industry?

We are the worst evaluators of our own code, some of us are downright terrible but most people regret less significant code choices in a matter of months. The fact that you still think it is good 10 years later is a massive red flag.

4

Java, Postgres mostly but also LDAP and random in-house-written RESTful services, almost 20 years.

  • The objects we store in the Postgres database are very "hierarchical" in nature, with one top-level object and lots of child/grandchild/great-grandchild objects. (We asked for a Mongo database but the infra team at the time said "make do with Postgres.")
  • As I mentioned, some of that hierarchy is in LDAP or RESTful services, not in Postgres, so we needed something capable of dealing with multiple storage backends that would stitch the objects together as necessary. So the "ORM" needed to have backends for multiple backend systems.
  • We knew clients would need a vast number of different queries. So we made a RESTful endpoint that gave the full power of the ORM to (authorized) clients. If they needed different data, we'd be like "change your query like this" and they didn't have to wait on us.
  • Early in the project, we consciously designed an extensible JSON representation of our hierarchical objects. That is what's returned from the aforementioned RESTful endpoint.
  • However, we also created a "shortcuts" system to allow us to "balance" how much of the logic lived on the server vs in the client. (It can mix and match. Like "apply this shortcut, but also filter this way and paginate" or whatever.)
  • We made the API of the ORM such that it could both be used to query from the database/LDAP/RESTful systems, or be used as a client SDK for the aforementioned RESTful query endpoint that the application exposed.
  • It's both "more than an ORM" (querying from non-database sort of backends) and not fully an ORM (read only, doesn't handle schema evolution.) But it's fair to say it's more "an ORM" than "not an ORM".
  • The implementation of the Postgres backend part of it is heavily inspired by Django's ORM.

We couldn't have pressed Hibernate into this use case. It doesn't really deal with hierarchical data and sure as hell doesn't know how to query from LDAP. I don't know that anything existed at the time (nor am I sure anything exists now) that would fulfill our use case.

And the alternative to what we built was a massive, unmaintainable DAO with ridiculous numbers of individual queries in it that would have to be modified or added to endlessly every time someone needed to filter a bit differently or whatever.

7
lemmy.dbzer0.com

The SVP over my org keeps wanting to design his own RBAC/Auth/IAM system.

We have entra, auth0, and keycloak.

The reason he wants it is he doesn’t want secrets to setup auth. Like that’s how it (mostly) works, sunshine.

14

I never fuck with auth. If I can throw it up the stack I'll do it as much as I can. When I can't I find an open source solution and I'm sure I still misconfigure it

6

I kinda rolled my own ORM, it was just a glorified class to SQL parameter converter that is then passed onto some SQL code. Then there was a thingy that marshals the result. Using table value functions in SQL standardises the result so any select * just works. It was around 50-100 lines total.

2
vrek
programming.dev

I have to ask, if it's only contains wouldn't you get a ton of collisions?

Expecting an apartment manager to know what an API header was, never mind how to change it, is probably not likely. Security hole to be sure though.

6
CaptDust
sh.itjust.works

The secrets themselves were basically GUIDs, they had quite a lot of characters. If you sent MORE than 1 character, pretty low chance they would clash. But those long GUIDs also covered a lot of letters and numbers - it wasn't terribly difficult to find one single character that cleared authorization reliably.

And maybe you're joking lol, but multitenant meaning multiple businesses/customers using the same application stored in the same database. If Bob's construction wanted to spy on Jim's contracting, they'd just need to know the right header to send and could get whatever they wanted from the other customer partitions. User access should of course be limited to their own assigned partitions.

11

Oh, ok I interpreted multitenant wrong. I was thinking it was like an apartment complex so you have like a manager and a sales person with access and that's it. Still a valid security risk but not as severe as what you are saying now.

Sorry for confusion

4

I once saw an application that would encrypt (not hash, encrypt) passwords but then when a user was logging in, they'd encrypt the password candidate and then compare the cipher texts to see if they were the same. This was using 3DES, so no IV.

3
lemmy.sdf.org

Floats for currency in a payments platform.

The system will happily take a transaction for $121.765, and every so often there's a dispute because one report ran it through round() and another through floor().

64

Presumably every so often there's a dispute because 0 + (0.3 + 0.3 + 0.3) - 0.3 - 0.3 - 0.3 is not equal to 0 (in floating point arithmetic).

10

Lmao.

Using floats for nearly anything in a finance platform should be grounds for immediate dismissal.

5

Round is the safest way of using decimals for money as it corrects 10.499999999 (decimal fractions can't be stored precisely in floats as binary can't precisely represent all 2 digit decimals) to 10.50, where floor would take it to 10.49

It is safer to count in cents and have a policy to handle fractions of cents from divisions

1
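Since the last few comments argue about round() versus floor() and counting in cents, here is an added example (not code from the payments platform being described) that works the points through in Python: a float sum that drifts, the 121.765 figure from the thread handled two ways by two "reports", the same amount rejected at the boundary by a Decimal parser, and a split of a cent total that never loses or invents a cent. The amounts and the 3-way split are made up for the demo.

```python
import math
from decimal import Decimal, InvalidOperation

CENT = Decimal("0.01")

def float_sum_is_exact():
    """Ten additions of 0.1 as binary floats do not reach 1.0."""
    return sum([0.1] * 10) == 1.0

def decimal_sum_is_exact():
    """The same sum in Decimal is exact."""
    return sum([Decimal("0.10")] * 10) == Decimal("1.00")

def reports_disagree():
    """The thread's dispute: one report runs the float through round(),
    another through floor(). They produce two different totals."""
    amount = 121.765                      # stored as a float, as in the thread
    via_round = round(amount, 2)
    via_floor = math.floor(amount * 100) / 100
    return via_round, via_floor

def to_cents(amount_text):
    """Parse text like '121.76' into integer cents. Sub-cent precision is
    rejected at the boundary, so there is nothing left for reports to round."""
    try:
        amount = Decimal(amount_text)
    except InvalidOperation as exc:
        raise ValueError(f"not a decimal amount: {amount_text!r}") from exc
    if not amount.is_finite():
        raise ValueError(f"not a finite amount: {amount_text!r}")
    if amount != amount.quantize(CENT):
        raise ValueError(f"sub-cent precision not allowed: {amount_text!r}")
    return int(amount.scaleb(2))

def rejects(amount_text):
    """True if to_cents refuses the input (helper for checking the boundary)."""
    try:
        to_cents(amount_text)
    except ValueError:
        return True
    return False

def split_evenly(total_cents, parts):
    """The 'policy for fractions of cents from divisions': integer division,
    with the leftover cents handed one each to the first recipients."""
    base, remainder = divmod(total_cents, parts)
    return [base + (1 if i < remainder else 0) for i in range(parts)]

def format_cents(cents):
    """Render integer cents for display without ever touching a float."""
    sign = "-" if cents < 0 else ""
    dollars, rem = divmod(abs(cents), 100)
    return f"{sign}{dollars}.{rem:02d}"

if __name__ == "__main__":
    print(float_sum_is_exact(), decimal_sum_is_exact())
    print(reports_disagree())
    print(to_cents("121.76"), rejects("121.765"))
    print(split_evenly(1000, 3), format_cents(-5))
```

The float 121.765 is stored as a value slightly above 121.765, so round() sees 121.77 while floor() on the scaled value sees 121.76; with integer cents and a stated remainder policy the two reports cannot diverge in the first place.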

I found code that calculated a single column in an HTML table. It was “last record created on”.

The algorithm was basically:

foreach account group
  foreach account in each account group
    foreach record in account.records
      if record.date > maxdate
        maxdate = record.date

It basically loaded every database record (the basic unit of record in this DATA COLLECTION SYSTEM) to find the newest one.

Customers couldn’t understand why the page took a minute to load.

It was easily replaced with a SQL query to get the max and it dropped down to a few ms.

The code was so hilariously stupid I left it commented out in the code so future developers could understand who built what they are maintaining.

62
lemmy.nz

A registration form and backend that would return the error "please choose more unique password" if you chose a password that was already stored (in plain text) in the database against another username.

I shit you not.

54

Create a moderately ok password, hash it, use the hash as your nice unique password, as a private joke for when the database leaks and yours is the only password that's hashed and you start getting spam saying they know your password hunter2 (because they incorrectly dehashed the password) or 2ab96390c7dbe3439de74d0c9b0b1767 (md5 sum of hunter2; because they correctly read it as plain text)

3

I worked for a mid-sized government entity where we handled PII data. Underneath us were local municipalities who were in charge of sending us that PII so that it could be registered at our level. For PII think licenses, IDs, sensitive stuff for sure.

Most of the municipalities were easy to work with, they did an SFTP drop or used a VPN or something.

A couple though were rural. Very rural, and didn't have IT departments. They had Martha who works the counter from 1-4pm. Those places were... horrid. We had a special email where they would email us whatever formats they had. Unencrypted, completely open, we couldn't do anything about it because it was their data and their rules, it was our job to simply accept what they had. We could of course make serious suggestions, point out how horrid this was, but at the end of the day it was their decision. So we had a job to log into an email account every day, check for an email from Martha's hotmail account, and parse the excel file she used to read out private IDs and license numbers which she manually typed into it.

This was 20 years ago now so dear god I hope their laws improved.

47
vrek
programming.dev

Maybe this says something about me but I would write a script to get the excel file from the email and then do whatever you did to it.

At what point would it not be financially viable to just write a program for the entry on your budget and then send it to the rural places?

5
Scrubbles
poptalk.scrubbles.tech

above my paygrade that last question. As for the first, we did automatically pull it out of the email, but it was sent to us manually

11
vrek
programming.dev

Sorry I used to do gross margin improvement and that just seems ripe for cost cutting. Spend 100K one time, save $75k every year.

Was the email at least encrypted?


7

Just old style SMTP. That's nearly extinct on the wild internet now

1
lemmy.world

Java webapp. Customer facing. E-commerce application, so in PCI scope and dealt with credit card info and such.

There was one specific cookie that stored some site-wide preference for the customer. (Why not just put that preference in the database associated with the user? Because that would make too much sense is why.)

But the way they encoded the data to go into the cookie? Take the data, use the Java serialization framework (which is like Python's "Pickle" or Go's "Gob") to turn that into a string. But that string has binary data in it and raw binary data is kindof weird to put in a cookie, so you base64 encode the result. (The base64 encoding was the only sane step in the whole process.) Then you do the reverse when you receive the cookie back from the browser. (And no, there was no signature check or anything.)

The thing about the Java serialization framework, though is that decoding back into Java objects runs arbitrary object constructors and such. As in, arbitrary code execution. And there's no checking in the deserialization part of the Java serialization framework until your code tries to cast the object to whatever type you're expecting. And by that point, the arbitrary code execution has already happened. In short, this left a gaping vulnerability that could easily have been used to extremely ill effect, like a payment information breach or some such.

So all a malicious user had to do to run arbitrary code on our application server was serialize something, base64 encode it, and then send it to our servers as a cookie value. (Insert nail biting here.)

When we found out that there was a severe vulnerability, I got the task of closing the hole. But the existing cookies had to continue to be honored. The boss wasn't ok with just not honoring the old cookies and developing a new cookie format that didn't involve the Java serialization framework.

So I went and learned enough about the internal workings of how the Java serialization framework turned a Java value into a binary blob to write custom code that worked for only the subset of the Java serialization format that we absolutely needed for this use case and no more. And my custom code did not allow for arbitrary code execution. It was weird and gross and I made sure to leave a great big comment talking about why we'd do such a thing. But it closed the vulnerability while still honoring all the existing cookies, making it so that customers didn't lose the preference they'd set. I was proud of it, even though it was weird and gross.

The value that was serialized to put into the cookie? A single Java int. Not a big POJO of any sort. Just a single solitary integer. They could just as well have "serialized" it using base-10 rather than using the Java serialization framework plus base64.

43

Some Minecraft mods had/have a similar problem. They use Java's serialization stuff for sending stuff between client and server. There is a mod that partially fixes this by only allowing whitelisted classes to be deserialized.

16
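The cookie story above and the Minecraft reply both come down to the same mechanism, so here is an added example (not the e-commerce app's code, nor the mod's) that shows it in Python, using pickle as the stand-in for Java serialization that the comment itself suggests. It contains the cookie encoding as described, a payload object whose `__reduce__` hook runs `exec` during loading, the too-late type check, and the two fixes: an unpickler that refuses every class lookup (the "whitelist" idea taken to its limit, since a lone int needs no lookup at all) and the base-10 cookie the comment says should have been used. The environment-variable flag exists only so the demo can observe that the payload ran.

```python
import base64
import io
import os
import pickle

DEMO_FLAG = "PICKLE_DEMO_RAN"   # set by the payload so the demo can observe it

def encode_cookie(value):
    """What the app did: serialize, then base64 (the only sane step)."""
    return base64.b64encode(pickle.dumps(value)).decode("ascii")

class Payload:
    """Attacker-built object. pickle's __reduce__ hook means loading it
    calls exec(...) before the application ever sees a value."""
    def __reduce__(self):
        return (exec, (f"import os; os.environ['{DEMO_FLAG}'] = '1'",))

def decode_cookie_unsafe(cookie):
    """Deserialize first, type-check afterwards: the check runs too late."""
    obj = pickle.loads(base64.b64decode(cookie))
    if not isinstance(obj, int):
        raise ValueError("cookie did not contain an int")
    return obj

class IntOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup. A plain int never needs one, but a
    __reduce__ payload must resolve its callable through find_class."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def decode_cookie_restricted(cookie):
    """Accept only the subset of the format the cookie actually needs."""
    obj = IntOnlyUnpickler(io.BytesIO(base64.b64decode(cookie))).load()
    if not isinstance(obj, int) or isinstance(obj, bool):
        raise ValueError("cookie did not contain an int")
    return obj

def decode_cookie_plain(cookie):
    """What a new cookie format should be for a single int: just base 10."""
    return int(cookie, 10)

def try_decode(decoder, cookie):
    """Run a decoder; report (value, exception name, whether the payload ran)."""
    os.environ.pop(DEMO_FLAG, None)
    try:
        value, error = decoder(cookie), None
    except Exception as exc:
        value, error = None, type(exc).__name__
    return value, error, DEMO_FLAG in os.environ

if __name__ == "__main__":
    good, bad = encode_cookie(42), encode_cookie(Payload())
    print(try_decode(decode_cookie_unsafe, good))        # (42, None, False)
    print(try_decode(decode_cookie_unsafe, bad))         # payload ran, then ValueError
    print(try_decode(decode_cookie_restricted, bad))     # refused before anything ran
    print(decode_cookie_plain("42"))
```

The restricted unpickler is the Python equivalent of the custom "only the subset we need" decoder from the story: it still honours every old cookie that holds an int, while a payload fails at its first class lookup instead of after the code has already executed.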
vrek
programming.dev

Wow... If you can answer was this like a single company or were you selling the service to other companies?

If selling to multiple companies did you offer a "new" version and a "security patch" for the old or just made everyone use your implementation?

5
TootSweet
lemmy.world

This was a developed-in-house e-commerce web application at a major e-retailer. So fortunately that monstrosity of a cookie-handling mess was only ever used by one company.

You know what, though? Talking about this reminds me of another story about the same e-commerce application.

After a customer placed an order on this e-commerce site, the company's fraud department had to evaluate the order to make sure it wasn't fraudulently placed. (As in, with a credit card not owned or authorized for use by the purchaser.) Once that was done, the order had to be communicated to a worker at the warehouse so they could pack the right items into a box, put on a shipping label, and set the box aside to be picked up by the UPS truck which would come once a day near the end of the day.

The application used by the fraud department and the application that displayed new orders to warehouse workers was one and the same application. Whether a user had fraud-evaluating powers or pack-items-in-boxes powers just depended on what permissions their particular user had. (That may have been decided by LDAP groups. I don't remember for sure.)

Meanwhile, the e-commerce site offered gift cards for sale online. The gift card would be shipped to the customer. And there was a box where you could write a message associated with the gift card. So, for instance, someone could buy a gift card to be sent to their nephew's address or whatever and include a little note like "Happy Birthday. Don't spend it all at once." or whatever. And the fraud/pick-and-pack application would display all details of the order including any messages associated with the gift cards.

Well, I found a stored cross-site scripting vulnerability where if you put <script>...</script> tags with some JavaScript in the gift card message box and completed the order, the JavaScript would execute any time someone viewed the details page for the order in the fraud/pick-and-pack application. And of course, the JavaScript could do within that application just about anything the user could do with their given permissions.

The main danger was that a malicious actor with sufficient knowledge of how our fraud application worked could place an order fraudulently with someone else's credit card and include in the order a gift card with a malicious JavaScript payload in the message box, and then that malicious JavaScript could automatically mark the order "a-ok, no fraud here" when a fraud department worker loaded the order details page, letting the order be fulfilled without any actual fraud review.

The fix was pretty simple. Just stick a <c:out>...</c:out> in the appropriate place in the fraud/pick-and-pack application code. But it was an interesting example of a vulnerability in a not-customer-facing application that could none-the-less be exploited by any public customer/user without any particular special access.

If you're interested in one more interesting story about the same e-commerce application, see this comment I made a while ago.

22

That is interesting, I dealt with purely internal software so never considered that.

5
lemmy.ca

A program that HR had built so that all employees could see their payment receipts online

The username was the company's email address, the password was a government personal ID code that you can look up online, and don't change, and you can't update the password to something else.

So I told the director of HR this was a bad idea. She told me I was overreacting until I showed her her own receipt, then she finally understood that this is a really fucking bad idea.

Okay, so now she put me in charge of debugging that program.

So I setup a meeting with the director of the company they hired, he came by with the developer: a 21 yo girl who I think hadn't finished college yet. Great start! Apparently it was her idea to do the authentication like that so that explains a few things.

So we dive in to the code.

First of all, the "passwords" were stored in blank, no hashing, no encryption, nothing. That wasn't the worst.

For the authentication she made a single query to check if the user email existed. If that was true, then step two was a second query to see if the password existed. If that were true, the email had been authenticated.

So let's say, hypothetically, that they had actual passwords that people could change... I could still login with the email from anyone, and then use MY OWN password to authenticate.

This just blew my mind so hard that I don't think I ever fully recovered, I still need treatment. The stupidity hurts

43
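The two-query login above, the encrypt-and-compare-ciphertexts scheme and the "please choose a more unique password" error earlier in the thread all fail for the same reason: the stored credential is deterministic and is checked against the whole table rather than against one user's row. Here is an added example (not the HR program's code, nor anyone else's from this thread) in Python with an in-memory SQLite users table that reproduces the broken login next to a salted-hash version. The users, passwords and the `password_plain` column are constructed for the demo; that column exists only to reproduce the broken scheme and would not be in a real table.

```python
import hashlib
import hmac
import os
import sqlite3

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def hash_password(password, salt=None):
    """Salted scrypt. Hashing the same password twice gives two different
    strings, so an 'is this password already taken?' query is impossible."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def make_users():
    """Constructed users (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, "
                 "password_plain TEXT, pw_hash TEXT)")
    for email, pw in [("alice@example.com", "correct horse"),
                      ("bob@example.com", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (email, pw, hash_password(pw)))
    conn.commit()
    return conn

def broken_login(conn, email, password):
    """Two independent questions, 'does this email exist?' and 'does this
    password exist anywhere?', never tied to the same row."""
    email_exists = conn.execute(
        "SELECT 1 FROM users WHERE email = ?", (email,)).fetchone() is not None
    password_exists = conn.execute(
        "SELECT 1 FROM users WHERE password_plain = ?", (password,)).fetchone() is not None
    return email_exists and password_exists

# Hash of a throwaway value so an unknown email costs the same time as a
# wrong password (otherwise response time reveals which emails exist).
DUMMY_HASH = hash_password("not-a-real-password")

def fixed_login(conn, email, password):
    """One lookup by email, then verify the candidate against that row only."""
    row = conn.execute("SELECT pw_hash FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        verify_password(password, DUMMY_HASH)
        return False
    return verify_password(password, row[0])

USERS = make_users()

if __name__ == "__main__":
    print(broken_login(USERS, "alice@example.com", "hunter2"))   # True: bob's password
    print(fixed_login(USERS, "alice@example.com", "hunter2"))    # False
    print(fixed_login(USERS, "alice@example.com", "correct horse"))
```

Alice's email plus Bob's password logs in under the broken scheme, exactly the attack described in the comment, and fails under the fixed one; the salted hash also answers the 3DES point, since two users with the same password no longer share a stored value.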
groet
feddit.org

I wouldn't blame that on stupidity as much as on ignorance and naivety. Many people simply don't think about anybody deliberately misusing their design. The idea that somebody could even want to access somebody else's receipts didn't occur to them. And if they were still doing their studies they might not have known that you can "combine" SQL queries and ask for two things at once.

I don't blame the girl, but whoever chose her to design a system with sensitive information.

20
Phoenixz
lemmy.ca

I don't blame a girl for doing a job that lands her food on the table. I blame the guy employing her because she's the cheapest option

Having said that, this design was so bad that she should not have been doing any of this. If you don't know that SQL allows you to select multiple columns then by all means, do a tutorial, it's not that hard.

If you don't even know what encryption is, that passwords need hashing and what not, then you should really question what you're doing

OP's question was about the worst code I've seen, that was the worst I've seen

4
sh.itjust.works

If you don’t even know what encryption is, that passwords need hashing and what not, then you should really question what you’re doing

I agree with your point, but I would phrase it more generally: when we're assigned a task in a problem space we are unfamiliar with, we should always take some time to research that space before designing our solution.

After all, if we don't know what encryption or password hashing are, how could we know that we need to learn about them first? But spending just a couple hours one morning reading about password and authentication management would have given the developer a good sense of best practices.

So she either, A) didn't think to familiarize herself with a new topic prior to working on it, or B) did read about it and ignored general industry guidance. Both of those options are more problematic to me than simply not knowing specific things. Those are process problems that need to be addressed to build her skills as a developer.

But ultimately, in my opinion, this is really all the fault of the cheapass director who didn't want to pay any experienced professionals to handle the task.

1

It wouldn't take much google-fu to get a worked example of good authentication in whatever language. She can't have tried, she must have just gone "programming 104 covered how to SQL, I can use that"

1
lemmy.zip

First of all, lack of ORM isn’t bad. It’s not a good or bad thing to use them or not use them. What’s bad is not sanitizing your query inputs and you don’t need an ORM to do that.

I think the worst thing I’ve seen is previous devs not realize there’s a cost to opening a DB connection. Especially back when DBs were on spinning rust. So the report page that ran one query to get the all the items to report on, then for each row ran another individual query to get that row’s details was probably one of the slowest reports I’ve ever seen. Every DB round trip was at minimum 0.1 seconds just to open the connection, run the query, send back the data, then close the connection. So 10 rows per second could be returned. Thousands of rows per page has people waiting several minutes, and tying up our app server. A quick refactor to run 2 queries instead of hundreds to thousands and I was a hero for 10 min till everyone forgot how bad it was before I fixed it.

36

It's the round trips that kill you.

Oracle drivers for .NET are fun. Have a user client application which uses quite a lot of data, but a few thousand rows are fetched by some queries. It's way too slow for any larger query, turns out for the batch query kind of work we do, the default FetchSize for Oracle is just a performance killer. Just throw it to 128 MB and it doesn't really hurt at all.

Worst thing I've seen though, apart from the 150 line long dynamic SQL stored in our database, was probably a page in our program that loaded about 150 rows from the database. Normally we do create a new connection for each query, but it's fine since Oracle has a connection pool. Whatever millisecond is trumped by the round trip. But imagine a UI so badly written, it did 4 separate database queries for EACH row it loaded into the UI list. Useless things like fetching a new ID for this row in case it is changed, reading some data for the row I think, and more. Thing took a solid minute to load. There were so many bad patterns in that page that even during the PR for improving the speed it was just dealing with a mess because you couldn't just rewrite the entire thing, so they had to make it work within the constraints. Horrible thing to work with.

6
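The per-row query pattern both posts above describe (one query for the list, then one or more queries for every row) is the classic N+1 problem, and the fix is the same whether the round trip costs 0.1 s on spinning rust or a millisecond through a connection pool: send one or two statements, not one per row. The following is an added example, not code from either poster. It uses an in-memory SQLite database with constructed sample rows, counts statements actually sent to the engine with `set_trace_callback`, and shows the N+1 report, the two-statement refactor, and a single JOIN producing identical output.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the posts above).
ITEMS = [(i, f"item-{i}") for i in range(1, 51)]
DETAILS = [(i, f"detail of item {i}", i * 10) for i in range(1, 51)]


def build_db():
    """In-memory SQLite stand-in for the report database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE details (item_id INTEGER PRIMARY KEY, description TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ITEMS)
    conn.executemany("INSERT INTO details VALUES (?, ?, ?)", DETAILS)
    conn.commit()
    return conn


def report_n_plus_one(conn):
    """The slow version: one query for the list, then one more query per row."""
    rows = conn.execute("SELECT id, name FROM items ORDER BY id").fetchall()
    out = []
    for item_id, name in rows:
        desc, qty = conn.execute(
            "SELECT description, qty FROM details WHERE item_id = ?", (item_id,)
        ).fetchone()
        out.append((item_id, name, desc, qty))
    return out


def report_batched(conn):
    """The refactor: two statements total, joined in memory."""
    rows = conn.execute("SELECT id, name FROM items ORDER BY id").fetchall()
    ids = [item_id for item_id, _ in rows]
    # One placeholder per id; chunk the list if it could exceed the driver's bind-variable limit.
    placeholders = ",".join("?" * len(ids))
    details = {
        item_id: (desc, qty)
        for item_id, desc, qty in conn.execute(
            f"SELECT item_id, description, qty FROM details WHERE item_id IN ({placeholders})", ids
        )
    }
    return [(item_id, name, *details[item_id]) for item_id, name in rows]


def report_joined(conn):
    """Better still when the database can do it: a single JOIN, one round trip."""
    return conn.execute(
        "SELECT i.id, i.name, d.description, d.qty "
        "FROM items i JOIN details d ON d.item_id = i.id ORDER BY i.id"
    ).fetchall()


def count_statements(conn, report_fn):
    """Run report_fn(conn) and return (number of statements sent to the engine, result)."""
    sent = 0

    def trace(_sql):
        nonlocal sent
        sent += 1

    conn.set_trace_callback(trace)
    try:
        result = report_fn(conn)
    finally:
        conn.set_trace_callback(None)
    return sent, result
```

With 50 items the first report sends 51 statements, the batched one 2 and the JOIN 1, all returning the same rows; the page described in the second post, at four queries per row, would be at 601. The `IN (...)` list is built from placeholders, never from formatted values, so the refactor does not trade a performance bug for an injection bug.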

Our CFO's social security number, contact info, and just about everything you'd need to impersonate them inside a random shell script that was being passed around like drugs at a party for anyone to use. Oh and it had an API key to our payments processor hard coded into it.

That was the tip of the iceberg of how bad the systems were at the company. All of these are from the same company:

  • A fintech based company with no billing team
  • An event system that didn't event
  • A permissions system that didn't administer permissions
  • A local cache for authentication sessions. Which means that requests would intermittently fail auth because the session was only on one replica. If you hit any of the other ones, you'd get an unauthenticated error
  • A metrics collection system that silently lost 90% of its data
  • Constant outages due to poorly designed and implemented systems (and lack of metrics... hmmm)
  • Everything when I joined was a single gigantic monolith that was so poorly implemented they had to run at least 3 different versions of it in different modes to serve different use cases (why the fuck did you make it a monolith then?!)
  • The subscriptions system was something like 20 or 30 database tables. And they were polymorphic. No one could touch the system without it breaking or that person declaring failure, which leads me to ...
  • A database schema with over 350 tables, many of which were join tables that should have been on the original table (fuck you scala/java for the limitations to the number of fields you can have in a case class). Yes you read that right. Table A joined to table B just to fill in some extra data that was 1:1 with table A. Repeat that a few dozen times
  • History tables. Not separate from the original table, but a table that contained the entire history of a given piece of data. The worst example was with those extraneous join tables I just mentioned. If you went and changed a toggle from true to false to true to false, you'd have 4 records in the same table. One for each of those small changes. You'd have to constantly try to figure out what the 'latest' version of the data was. Now try joining 5 tables together, all of them in this pattern.
  • Scala... I could go on a tirade about how bad scala is but needless to say, how many different error handling mechanisms are there? Scala decided to mix all of them together in a blender and use them all together. Scala is just two white paper languages in a trenchcoat. Never use it in a production system
  • A dashboard for "specialists" that was so easy to overwhelm that you could do it by breathing on it due to the LACK of events that it needed
  • Passwords stored in plain text (admittedly this was in the systems of the company we acquired while I was there). Doesn't matter if they were actually , they were visible in a dashboard accessible by employees. Might as well have been plain text
  • A payments system that leaked its state into a huge part of the rest of the system. The system ended up being bifurcated across two systems, I was brought in to try to clean up some of the mess after only a couple of months. I desperately tried to get some help because I couldn't do it solo. They ended up giving me the worst engineer I've ever worked with in my 15 year career, and I've seen some bad engineers. Looking back, I'm reasonably confident he was shoving our codebase into an AI system (before it was approved/secured, so who knows who had access) and not capable of making changes himself. I could make several posts about this system on its own
  • I could go on but I'll cut it off there
33

I was told about a bug in a specific tool. It was being used in production. Apparently we've gotten a lot of complaints about it over the years, and they would complain that if the site was actively used it always failed.

I couldn't find it in the development branch in source control.

I asked if this tool was purchased from a third party. My boss, who was not a developer, said no. And he was very sure of that. But he didn't know where the code was.

I was the developer with the most seniority, and I was there for less than a year at this point.

I looked again. I finally found it... In an unapproved pull request from a few years prior.

The meat of this tool basically took information to make an order and create an order in the system.

Any time we needed to insert a record, it would find the highest Id in the table, increment 1, and insert the new record, id and all. It did this for every entity that needed to be inserted. Address, customer... Everything.

Worse, very little validation was done. Want to order something but it's out of stock? No problem, this tool just pushed it right through.

Want to ship something using a shipping method that doesn't exist? You got it.

Want to ship something to an address that doesn't exist? Sounds like the warehouse's problem.

Knowing about the level of knowledge here, you know that there were no transactions. All sorts of unused records were left in the database when there was an error. The users would get a generic error and try again several times, too.

The worst part was, we have an already existing function that would take order information and try to make an order. And it would give you actionable errors!

31
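The two defects in the post above, computing ids as MAX(id)+1 and inserting the customer, address and order without a transaction, are worth seeing side by side. The following is an added example, not the poster's tool. It uses an in-memory SQLite database with a constructed schema and stock table: `demonstrate_id_race` shows two clients reading the same MAX(id) before either inserts, and `create_order` lets the database assign ids, validates the SKU and stock inside one transaction, and rolls everything back on rejection so no orphan rows are left behind.

```python
import sqlite3


class OrderError(ValueError):
    """Raised for a rejected order; the caller gets an actionable message."""


def open_db():
    """In-memory stand-in for the order database (constructed schema and stock)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE addresses (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL, line1 TEXT NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
                             address_id INTEGER NOT NULL, sku TEXT NOT NULL);
        CREATE TABLE stock (sku TEXT PRIMARY KEY, qty INTEGER NOT NULL);
        INSERT INTO stock VALUES ('WIDGET', 1), ('GADGET', 0);
    """)
    return conn


def next_id_the_bad_way(conn, table):
    """What the tool did: SELECT MAX(id) + 1. Nothing stops two callers getting the same number."""
    (max_id,) = conn.execute(f"SELECT COALESCE(MAX(id), 0) FROM {table}").fetchone()
    return max_id + 1


def demonstrate_id_race():
    """Two clients compute their id before either inserts; the second insert collides."""
    conn = open_db()
    first = next_id_the_bad_way(conn, "customers")
    second = next_id_the_bad_way(conn, "customers")  # same value: the table has not changed yet
    conn.execute("INSERT INTO customers VALUES (?, ?)", (first, "client A"))
    try:
        conn.execute("INSERT INTO customers VALUES (?, ?)", (second, "client B"))
    except sqlite3.IntegrityError:
        return True  # duplicate primary key, which is what the old tool hit under concurrent use
    return False


def create_order(conn, name, line1, sku):
    """One transaction: either every row lands or none does, and the database assigns the ids."""
    with conn:  # commits on success, rolls back on any exception
        cur = conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
        customer_id = cur.lastrowid
        cur = conn.execute("INSERT INTO addresses (customer_id, line1) VALUES (?, ?)", (customer_id, line1))
        address_id = cur.lastrowid
        if conn.execute("SELECT 1 FROM stock WHERE sku = ?", (sku,)).fetchone() is None:
            raise OrderError(f"unknown sku {sku!r}")
        # Check and decrement in one statement so two orders cannot both take the last unit.
        cur = conn.execute("UPDATE stock SET qty = qty - 1 WHERE sku = ? AND qty > 0", (sku,))
        if cur.rowcount == 0:
            raise OrderError(f"{sku} is out of stock")
        cur = conn.execute(
            "INSERT INTO orders (customer_id, address_id, sku) VALUES (?, ?, ?)",
            (customer_id, address_id, sku),
        )
        return cur.lastrowid


def try_order(conn, name, line1, sku):
    """Return (order_id, None) on success or (None, reason) when the order is rejected."""
    try:
        return create_order(conn, name, line1, sku), None
    except OrderError as exc:
        return None, str(exc)


def row_count(conn, table):
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```

After one accepted order and two rejected ones the database holds exactly one customer, one address and one order: the rejected orders' customer and address rows were rolled back with the transaction instead of accumulating the way the post describes. The same shape applies to any SQL database; only the id-assignment syntax (SERIAL, IDENTITY, sequences) changes.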

This reminds me of a time at work when we got sued. The company was allegedly using (or had copies) of some tool we couldn't have anymore. Annoying, but fine. However, to check this, they scanned all of our computers for the name of that company. They told us all to delete our entire local Maven repository. Someone who worked there was on the committer list for a couple of open source projects. I just manually deleted those files because I knew for a fact that our central Maven repository didn't have some of the versions of our own code on it and I wasn't confident we wouldn't need them again. Turns out I was right and needed to grab one later on to upload. Because I manually deleted the files with the company's name instead of just deleting everything, the scanner thing they were running didn't detect offending files. (Not that a file listing someone's email address as a committer to an open source project should be offending, but still.)

8

Oh boy, this one was a doozy...

Was working at a very big company named after a rainforest on smart home products with integrations for a certain home assistant...

New feature was being built that integrates the aforementioned home assistant with customer's printers so they can ask the assistant to print stuff for them.

The initial design lands from our partner team with a Java backend service fairly nicely integrated with some CUPS libraries for generating the final document to be sent to the customer's printer. All good.

They are about to launch when... uh oh... the legal team notices an AGPL licensed package in one of the CUPS library's dependencies that was absolutely required for the document format needed by the project and the launch is cancelled.

So the team goes off in a panic looking for alternatives to this library and can't find any replacements. After a month or two they come back with their solution...

Instead of converting the document directly in the backend service with the linked CUPS library (as AGPL is a "forbidden license" at this company) the backend uploads the initial document to an S3 bucket, then builds a CUPS document conversion bash shell script using some random Java library, the shell script is then sent (raw) to a random blank AWS host that comes prepackaged with CUPS binaries installed (these hosts were not automated with CI/CD / auto updates as was usually mandated by company practice because updating them might remove the CUPS binaries, so they required a ton of manual maintenance over the service's lifetime...), the bash shell script is then executed on that "clean" host, downloading the document from S3, converting it via the CUPS command line binary, then reuploading it to another S3 bucket where the Java backend picks it up and continues the process of working the document through the whole backend pipeline of various services until it got to the customer's printer.

This seemed to satisfy the legal team at the very least, and I have no doubt is probably still in production today...

The kicker though? After all those months of dev work from a whole team (likely all on 6 figure salaries), and all the time spent by various engineers including myself on maintenance and upkeep on that solution after it was transferred to us?

An alternative, completely unrestricted corporate license was available for the package in question for about $100 per year so long as you negotiated it with the maintainers.

But that was a completely unacceptable and avoidable cost according to upper management...

31
vrek
programming.dev

Wait 100 per year total or 100 per seat per year? If it's per seat I can understand, if it's total wtf...

6
softkitteh
lemmy.blahaj.zone

$100 total, per year... as a FOSS enthusiast, it made me very angry that such a rich company was so petty over such a small cost for a product that raked in multiple millions of dollars per year 😾

19
vrek
programming.dev

Yeah that's fucked up. From two perspectives 1. Whoever wrote that library needs money to survive. 2. From the company point of view they wasted WAY more money on the development than the license. Hell if 1 developer spent a day to do it, they paid more than they would for the license

12

The first time something goes wrong with that complicated setup, it probably pays for a decade, half a century or more of its fee.

6

I wonder if they would have bought it had the dev priced it at $10k/year

1
ttrpg.network

There was a website where users could request something or other, like a PDF report. Users had a limited number of tokens per month.

The client would make a call to the backend and say how many tokens it was spending. The backend would then update their total, make the PDF, and send it.

Except this is stupid. First of all, if you told it you were spending -1 tokens, it would happily accept this and give you a free token along with your report.

Second of all, why is the client sending that at all? The client should just ask and the backend should figure out if they have enough credit or not.

30

I agree but I would say if there are variable token costs depending on report it would be nice if client sent request to server, server calculates x tokens to be used, sends x to client, client confirms that's acceptable, server does work.

Like if I expected a report to be 2 tokens but because of some quirk or a typo or something it cost 200 tokens I would like a chance to cancel it if it's not worth it.

12
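The design flaw in the post above (the client tells the server how many tokens to deduct, so a negative number is a refund) and the quote-then-confirm flow proposed in the reply can be put together in one handler. The following is an added example, not the site's code. Prices, the server secret and the in-memory balances are constructed for the demonstration: the server prices the job itself, hands back an HMAC-signed quote with an expiry and a nonce, and only a valid, unexpired, unused quote for the same user moves the balance, and only downwards.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)      # assumed: server-side key, never sent to clients
PRICE_TABLE = {"summary": 2, "full": 200}    # constructed price list, in tokens
USED_NONCES = set()                          # quotes already redeemed (a table in real life)


def vulnerable_request(balances, user, cost_from_client):
    """The original design: the client states the cost and the server believes it."""
    balances[user] -= cost_from_client  # a client sending -1 gains a token instead of spending one
    return "report.pdf"


def _sign(body):
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_SECRET, raw, hashlib.sha256).hexdigest()


def quote(user, kind, now=None):
    """Server prices the job and returns a signed, short-lived quote the client can accept or decline."""
    if kind not in PRICE_TABLE:
        raise ValueError(f"unknown report kind {kind!r}")
    body = {
        "user": user,
        "kind": kind,
        "cost": PRICE_TABLE[kind],
        "exp": int(now if now is not None else time.time()) + 300,
        "nonce": secrets.token_hex(8),
    }
    return {"body": body, "tag": _sign(body)}


def confirm(balances, user, q, now=None):
    """Redeem a quote. Returns (True, 'report.pdf') or (False, reason); the balance only ever goes down."""
    body = q["body"]
    if not hmac.compare_digest(_sign(body), q["tag"]):
        return False, "quote has been tampered with"
    if body["user"] != user:
        return False, "quote was issued to a different user"
    if (now if now is not None else time.time()) > body["exp"]:
        return False, "quote expired"
    if body["nonce"] in USED_NONCES:
        return False, "quote already redeemed"
    cost = body["cost"]
    if balances.get(user, 0) < cost:
        return False, f"insufficient tokens: need {cost}, have {balances.get(user, 0)}"
    USED_NONCES.add(body["nonce"])
    balances[user] -= cost
    return True, "report.pdf"
```

The client still gets to see the price and back out of a 200-token report, which was the reply's concern, but it never gets to name the price: editing `cost` in the quote breaks the tag, re-sending a quote is caught by the nonce, and the deduction and the balance check happen on the server. In a real service the nonce set and the balance live in the database and the deduction runs in the same transaction as the check.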
fedia.io

I basically fix other people's shitty code for a living (replacing it with my own shitty code), the "best" one was by a guy, I suppose he was a self taught c programmer from how he wrote code, writing a complex python program. I saw:

  • a function called randomNumberGenerator. It was a function which started a webserver. While looking for a python tutorial for something I found out why: he copy pasted the tutorial snippet but then didn't bother renaming the function
  • a program whose job was to listen to all other services and send them to another service via udp BUT it had a maximum buffer size so messages sometimes got truncated. I just directly put the listener in the target program and deleted it
  • like another guy in this thread he didn't use git. First day on the job they told me "yes, we need to check which machine has the latest code because he ssh into them and work there". His version control was basically putting code in different machines
  • lots of copied variables, because of c I suppose? Things like var = self.var
  • camelCase python (ok this is just styling in the end)
  • files with 10k lines of code
  • half the services were in python 2, half in python 3. Don't ask me why
  • variable names in his original language (not English, not the client language)
  • single letter variables, I fondly remember self.I (upper case i)
  • I remember an if a == a: (I left it there because lol)
  • he added a license check which used the ethernet MAC address. Too bad ethernet was removed from the machine, and his code threw an exception which returned 00:00:00:00 as the MAC address, so all licenses were working on all machines

And many other things...

In another project I saw a backend running on the frontend, as in, this guy wrote the logic for a machine on the Javascript running the user interface of the screen

29
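The licence check in the list above is a textbook fail-open bug: the code could not read the machine identity, swallowed the error, and substituted a constant, so every machine in that state had the same identity. The following is an added example, not the original program. The licence scheme (an HMAC over the MAC address under a vendor key), the fallback value and the two probe functions are all constructed; it contrasts the fail-open check with one that refuses to run when the identity cannot be read.

```python
import hashlib
import hmac

VENDOR_SECRET = b"assumed vendor signing key"     # assumption: held only by the licence generator
FALLBACK_MAC = "00:00:00:00:00:00"                # what the broken code returned when probing failed


def issue_licence(mac):
    """Licence = HMAC(vendor key, MAC of the licensed machine); an assumed scheme for the demonstration."""
    return hmac.new(VENDOR_SECRET, mac.encode(), hashlib.sha256).hexdigest()


def licence_matches(licence, mac):
    return hmac.compare_digest(licence, issue_licence(mac))


def check_fail_open(licence, probe_mac):
    """The pattern in the post: an error while reading the MAC is swallowed and replaced by a fixed value."""
    try:
        mac = probe_mac()
    except OSError:
        mac = FALLBACK_MAC  # every machine whose probe fails now reports the same identity
    return licence_matches(licence, mac)


def check_fail_closed(licence, probe_mac):
    """Fail closed: if the identity cannot be read, the licence cannot be verified, so refuse."""
    try:
        mac = probe_mac()
    except OSError:
        return False
    return licence_matches(licence, mac)


# Constructed probes standing in for reading the ethernet adapter.
def probe_with_nic():
    return "aa:bb:cc:dd:ee:01"


def probe_without_nic():
    raise OSError("no ethernet interface present")
```

A licence minted while the probe was failing is bound to the fallback value, and with the fail-open check it validates on every machine without an ethernet adapter; the fail-closed check rejects it. The broader lesson is that an exception handler which returns a default value is making a security decision, and the default should be the denying one. Tying a licence to a removable adapter's MAC is itself a weak identity, which is a separate problem.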
felbane
lemmy.world

files with 10k lines of code

oh my sweet summer child.

I was once charged with maintaining an application with a median line count of 40k. The largest file was 87kLOC with 2nd place going to a 69kLOC (nice) file filled with interwoven C and inline assembly. My favorite was a 51kLOC file with a 32,621 line function.

Miracle I didn't develop alcoholism during that job.

5

Pretty sure there was one over 100k file at one of my old workplaces. It kept growing and growing and was the most critical file in the business. Like if that file suddenly vanished, the business would be done or shut down for at least a year, maybe two kinda thing. Re-certifying the output of that file would probably take 6 months alone.

It had a partner file, also very important, but not as, which was much smaller around 20k-25k

4

I remember an if a == a: (I left it there because lol)

I once worked on a codebase in js where

a == a // true
a == a // false
a == a // true

(Same variable compared to itself is true at first, then false, then true...)

And when I cried 'per que' the explanation made some evil, sadistic sense.

3
lemmy.world

XML-DOM page templates stored in a database, line by line.

So rendering a page started with:

select * from pages
where page_id = 'index'
order by line_number asc;

Each line of XML from each record was appended into a single string. This string was then XSLT transformed to HTML, for every page load.

27
lemmy.world

This has to be one of the worst ways to reinvent a filesystem that I've ever heard. At the very least, storing static data in a relational database at this scale should be a slappable offense.

12
quinkin
lemmy.world

The session data, that would have been fantastic to have in a relational, queryable, reliable and trustable format was stored as a single giant string of PHP pickled data structure in a session file associated with the user's cookie id.

10
lemmy.world

The architect sending a pointer over an API, in hexadecimal string format. char *c = "71E4F33B" just cast it on the right structure bro.

Just to add, we only did C/C++, on windows mfc, in a monolithic software.

I spent quite some time assuring myself that I was not the insane person before bringing it up with him.

25
groet
feddit.org

A memory pointer? So it must have been a program sending a pointer using an API to itself so it ends up in the same process again?

6
wer2
lemmy.zip

Mine was very much like that, but they also deleted the pointer after sending it, but before receiving it for good measure.

2

Disclaimer: this is not really about code, but about using IT in my non-IT workplace and I realized this just yesterday. A rant.

I work in the social sector. Our boss seems to have slipped into position sideways (they did not do our work for a significant amount of time before).

I got zero onboarding when I started working there; everything I know about the organisational ins and outs I learned by asking my colleagues.

The boss seems to actively want to not inform me of things, i.e. even if I ask about something they reply in the most cursory manner or immediately refer me to somebody else. I have no idea why they do it, my guess is that they sense that they're woefully inadequate for the job, plus me being much older triggers insecurities?

For example, when I could not log into an app to see my future shifts, I asked the boss about it first but they immediately referred me to tech support. Calling them, after a while we found out that the boss had mistyped my name. Then I could log in.

Last week I was sick and waited til Sunday noon to check this week's shifts - but again I couldn't log in. The boss answered neither phone nor email. Fair enough I guess, on a sunday. Thankfully tech support was working and after a long while we found out that the app for checking my shifts only allows log-ins from within the workplace network, not the open web.

I almost missed my monday shift because of that. Boss calls me, enraged. I explained the situation. They clearly did not know that the app only allows log-ins from within the workplace network.

All my colleagues tentatively/silently agree that this boss is useless. How do we keep the workplace running, and why is it me who is left in the dark? Turns out they have a Whatsapp group. I don't use Whatsapp. They asked me repeatedly and urgently to join.

tl;dr: this workplace would fall apart if people wouldn't communicate through Whatsapp instead of official channels

24

I don't have any specific examples, but the standard of code is really bad in science. I don't mean this in an overly judgemental way — I am not surprised that scientists who have minimal code specific education end up with the kind of "eh, close enough" stuff that you see in personal projects. It is unfortunate how it leads to code being even less intelligible on average, which makes collaboration harder, even if the code is released open source.

I see a lot of teams basically reinventing the wheel. For example, 3D protein structures in the Protein Database (pdb) don't have hydrogens on them. This is partly because that'll depend a heckton on the pH of the environment that the protein is. Aspartic acid, for example, is an amino acid where its variable side chain (different for each amino acid) is CH2COOH in acidic conditions, but CH2COO- in basic conditions. Because it's so relative to both the protein and the protein's environment, you tend to get research groups just bashing together some simple code to add hydrogens back on depending on what they're studying. This can lead to silly mistakes and shabby code in general though.

I can't be too mad about it though. After all, wanting to learn how to be better at this stuff and to understand what was best practice caused me to go out and learn this stuff properly (or attempt to). Amongst programmers, I'm still more biochemist than programmer, but amongst my fellow scientists, I'm more programmer than biochemist. It's a weird, liminal existence, but I sort of dig it.

23

A data ingestion service that was processing ~15 billion logs each day that was duplicating each of those logs 2-4 times in memory as a part of the filtering logic. No particular reason nor need to do it. When I profiled the system it was BY FAR the largest hog of CPU and memory.

The engineer who wrote it once argued with me about writing comparisons a == b vs b == a because one was technically more efficient ... in a language we weren't using.

22

VB.NET app that was installed on every employee's computer to capture time sheets. Required VPN access so it could talk to the accounting DB using raw queries, zero input validation, and it used a pirated library for the time input grid control.

The IT staff who would install the program on all new machines (it didn't work with their imaging system) had a script to suppress the message requesting a paid license. There was nothing special about this control, it was basically a rip off of built in winforms controls.

Source code was long lost, but reverse engineering and decompiling CIL/MSIL code is thankfully relatively straightforward.

20

I once saw an 'encryption' function where the key had a range of 32. Not 32 bits. I mean there were 32 different keys. And it was prepended as the first byte in the stream, so the decryption function didn't have to go out of the way to find it.

Thankfully I noticed that it got torn out and replaced with real encryption at some point.

19
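To make concrete why the scheme in the post above is obfuscation rather than encryption: with 32 possible keys and the key sent as the first byte, the recipient needs no secret at all, and even with the prefix stripped the whole key space can be tried by hand. The following is an added example, not the original function. The keystream construction is invented for the demonstration (the weakness shown is the key size and its placement, not that construction); `attacker_read` recovers the plaintext from the prefix, and `attacker_brute_force` recovers it without the prefix by trying all 32 keys and keeping the decryption that is printable text.

```python
import hashlib

KEY_SPACE = 32  # the whole "key" fits in five bits


def _keystream(key, length):
    """Constructed toy keystream for messages under 64 KiB; not part of the original code."""
    return bytes(hashlib.sha256(bytes([key, i & 0xFF, i >> 8])).digest()[0] for i in range(length))


def toy_encrypt(plaintext, key):
    """The shape of the original scheme: XOR with a key-derived stream, key byte prepended."""
    if not 0 <= key < KEY_SPACE:
        raise ValueError("key must be 0..31")
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return bytes([key]) + body  # the key travels as the first byte of the ciphertext


def toy_decrypt(ciphertext, key):
    body = ciphertext[1:]
    return bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))


def attacker_read(ciphertext):
    """No key material needed: the first byte says which of the 32 keys was used."""
    return toy_decrypt(ciphertext, ciphertext[0])


def attacker_brute_force(body):
    """Even with the prefix stripped, 32 trial decryptions are enough. Returns [(key, plaintext), ...]
    for every key whose output is printable ASCII; for any real message that is a single entry."""
    found = []
    for key in range(KEY_SPACE):
        candidate = bytes(c ^ s for c, s in zip(body, _keystream(key, len(body))))
        if all(0x20 <= b < 0x7F for b in candidate):
            found.append((key, candidate))
    return found
```

The replacement the poster mentions is the only real fix: a standard authenticated cipher (AES-GCM or ChaCha20-Poly1305 from a maintained library) with a full-size key that is distributed separately from the data, not written into it.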

I'll consider myself lucky that the worst I've had to deal with was an 8K LOC C file that implemented image processing for a cancer detection algorithm. Nothing terribly tricky but just poorly organized. Almost no documentation at all. The only test was running this code against a data set of patient images and eyeballing the output. No version control other than cloning the project onto their NAS and naming it "v2" etc.

Research code can be really scary.

19
Caveman
lemmy.world

At my job there's a class method that's longer than that.

4

My current workmate unironically calls his variables as "cat1", "cat2", etc.

He also didn't know about git, so before I arrived, he uploaded the code to production with scp.

Finally, my boss told me that he is priority, so if he doesn't understand git, we won't keep using it. I would understand if this was about a different language, but it's git vs scp we're talking about.

18

It was a single PHP file containing upper tens of thousands of lines of code (i.e. probably 60k+ but I no longer recall the exact amount). And the horrors didn't stop there. Function names and code formatting were haphazard, some functions were descriptive enough to be helpful(ish) like check_if_first_friday_of_month() but most were literally along the lines of function12() with no comments to indicate the purpose. A̸n̶d̷ ̴t̵h̵e̵ ̸h̷o̵r̶r̸o̷r̵s̸ ̸d̷i̸d̵n̷'̷t̶ ̵s̶t̴o̸p̸ ̷t̵h̶e̶r̵e̶.̴ This application was storing sensitive personal information in the database in plain text. And the horrors didn't stop there.

Congrats to the developer, though. This project was the one that finally got him fired and he immediately pivoted into a management position at a big tech company (don't recall which but it might've been Microsoft or IBM) making an order of magnitude more money.

18
lemmy.world

We had some super old code in our company monorepo that was written by someone who became the CTO, there was a comment forbidding people from writing private methods in the code base because "we aren't babies". It explained so much about the awful code and why everything was crazy.

18
vrek
programming.dev

That sounds like someone who didn't understand the purpose of private

11
lemmy.world

Yet he was still in charge of all the engineers who did. He had people actively working against their best interests lol. Disaster

6
expr
programming.dev

Access modifiers are definitely something I despise about OOP languages, though I understand that OOP's nature makes them necessary.

3

I don't think OOP's nature makes them necessary, so much so as it enables them and popular programming principles encourage them. I think they're a good thing, especially if there's a way around them in case you can't get the public interface changed and it doesn't work for you, especially for performance reasons, but that should be done with care.

Funny story, when modding Unity games using external modloaders you're writing C# code that references the game's assemblies. And with modding you often need to access something that the developers made private/protected/internal. Now, you can use reflection for that, but a different trick you can use is to publicize the game's assemblies for referencing in your code, and add an attribute to your assembly that tells the runtime to just... Let you ignore the access checks. And then you can just access everything as public.

2
lemmy.zip

Another kind of "code" but:

The poll in an Excel sheet the office sent via email. You had to fill it out and send it back, so they could type it off in another Excel sheet.

That's where i realized that people have fundamentally different approaches in thinking and problem-solving.

18
KubeRoot
discuss.tchncs.de

Am I getting it correctly that the excel sheet was basically a form to fill in, with fields and labels, but as a spreadsheet? If so, that sounds pretty clever to me - there're many better ways to do this, but if everybody working there has excel anyways, that's a fast and easy way to get the data in a unified and automatable format without any extra infrastructure.

1
lemmy.zip

Nope. Like "what to get for the company party? A, B or C".

Workflow: open excel sheet to know what it is about, save it, edit it, drag&drop it to the answer-mail. That could have been one of the zilions of online polling tools.

1

If it was a single question, that does sound lame, my other thought was that those "online polling tools" might not be viable because you can't put internal company communications into them... But if it's stuff like food choices or something, then that might also not be a problem.

That said, my point still stands - what you describe does sound like what I'm saying. If you make a sheet with a dedicated field to put the answer into, it should be possible to reliably automate pulling out answers from all the files with excel-level knowledge, and without any additional sites or servers, just spreadsheet editing software and email.

1
lemmy.blahaj.zone

A bit of Perl code from the late 90s/early 2000s that worked something like this (working from memory, untested):

# shell out to grep, with the search string dropped unquoted into the command line
my $hits = `grep $search_string $file`;
my @lines = split /\n/, $hits;
my @real_hits;
# C-style loop over grep's output, then re-match every line with Perl's own regex engine
for( my $i = 0; $i < scalar(@lines); $i++ ) {
    my $line = $lines[$i];
    if( $line =~ /$search_string/ ) {
        push @real_hits, $line;
    }
}

Let me explain a bit about what this does. Instead of reading a file line-by-line and using Perl's regex engine to match, it uses backticks to call out to the shell for grep. Those are split up by line. Then go through those lines (in a C-style for loop, not the perfectly good foreach version that Perl has had for a long time) and now we use a regex to match that line. You know, just in case shell grep didn't do its one job.

If anything, I'm probably making this code look better by declaring variables with my and following use strict standards.

This was written by a guy who was the main programmer before I was hired. I was told he was a real piece of shit. He often had some checks in his code that, if not passed, threw messages to the client like "WE HAVE DETECTED YOUR HACKING AND LOGGED YOUR IP ADDRESS WE'RE GOING TO GET YOU". Never met him personally, but his code is a pretty good example of why everyone came to hate Perl.

17
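Beyond being slow and redundant, the snippet above has a security defect the post does not dwell on: `$search_string` is interpolated straight into a shell command line, so a search term containing `;` or backticks runs whatever the caller likes, and the same unescaped term is then used as a regex. The following is an added example, not the original code, translated to Python so the verifier can run it: it reproduces the shell-out pattern with a constructed sample file, shows the injection, and gives the two safe alternatives (match in-process with an escaped literal, or exec grep with an argument list and no shell).

```python
import re
import subprocess
import tempfile

# Constructed log lines standing in for $file.
SAMPLE_LINES = ["alpha one", "beta two", "gamma alpha three"]


def make_sample_file():
    f = tempfile.NamedTemporaryFile("w", suffix=".log", delete=False)
    f.write("\n".join(SAMPLE_LINES) + "\n")
    f.close()
    return f.name


def grep_via_shell(search_string, path):
    """The pattern from the Perl snippet: the search term is pasted into a shell command line.
    A term such as 'alpha /dev/null; echo INJECTED' runs a second command of the caller's choosing."""
    proc = subprocess.run(
        f"grep {search_string} {path}",
        shell=True, capture_output=True, text=True, stdin=subprocess.DEVNULL,
    )
    return proc.stdout.splitlines()


def grep_in_process(search_string, path):
    """What the snippet should have done: read the file and let the regex engine match.
    re.escape makes the term literal, so it cannot smuggle in regex metacharacters either."""
    pattern = re.compile(re.escape(search_string))
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in fh if pattern.search(line)]


def grep_via_exec(search_string, path):
    """If an external grep is genuinely wanted: argument list, no shell, -F for a fixed string,
    and '--' so a term starting with '-' is not parsed as an option."""
    proc = subprocess.run(
        ["grep", "-F", "--", search_string, path],
        capture_output=True, text=True, stdin=subprocess.DEVNULL,
    )
    return proc.stdout.splitlines()
```

The injected term makes the shell version print `INJECTED <path>` instead of a search result; the other two treat the same string as an ordinary term and find nothing. In Perl the equivalents are reading the file with `open` and matching with `\Q$search_string\E`, or calling `system` / `open` with a list so no shell is involved.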

There may be more than one way to do it, but that really isn't the best way of doing what perl is best at

1
lemmy.world

I spoke with a client just last week, international scale, that let me know their user passwords are simply encoded and stored in Base64 haha

17
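Base64 is an encoding, not a hash: it is reversed by one library call, and a dump of the table is a dump of every password. The following is an added example, not the client's system. It shows the round trip that makes Base64 storage equivalent to plaintext, beside salted PBKDF2-HMAC-SHA256 from the standard library with a constant-time verify; the iteration count is an assumed work factor.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware and latency budget


def store_base64(password):
    """What the client did: an encoding, not a hash. Anyone who reads the column reads the password."""
    return base64.b64encode(password.encode()).decode()


def recover_from_base64(stored):
    return base64.b64decode(stored).decode()


def store_hashed(password, salt=None):
    """Salted, slow and one-way: PBKDF2-HMAC-SHA256 with a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_hashed(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)
```

Two hashes of the same password differ because of the salt, so a leaked table cannot be attacked with one precomputed list. Where a dependency is acceptable, argon2id or scrypt are the better choice; PBKDF2 is used here only because it ships with Python.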

Are they speaking to you to improve it? Or like that's just how they do it so account for it in what you are doing?

8

Based on things I've seen I can actually believe this is real. Just goes to show that you can't trust everyone to have a functional intuition for separating horrible ideas from good ones.

2

First One:

Big ASP.Net Core Web API that passed through several different contract developer teams before being finally brought in house.

The first team created this janky repository pattern on top of Entity Framework Core. Why? I have no idea. My guess is that they just didn't know how to use it even though it's a reasonably well documented ORM.

The next team abandoned EFCore entirely, switched to Dapper, left the old stuff in place, and managed to cram 80% of the new business logic into stored procedures. There were things being done in sprocs that had absolutely no business being done there, much less being offloaded to the database.

By the time it got to me, the data layer was a nightmarish disaster of unnecessary repo classes, duplicate entities, and untestable SQL procedures, some of which were hundreds of lines long.

"Why are all our queries running so slow?"

Well, see guys, it's like this. When you're shoving a bunch of telemetry into a stored procedure to run calculations on it, and none of that data is even stored in this database, it's going to consume resources on the database server, thereby slowing down all the other queries running on it.

Second One:

Web app that generates PDF reports. Problem was it generated them on-the-fly, every time the PDF was requested instead of generating it once and storing it in blob storage and it was sllloowwwww. 30 seconds to generate a 5 page document. There were a list of poor decisions that led to that, but I digress.

Product owner wants the PDFs to be publicly available so users can share links to them. One of the other teams implements the feature and it's slated for release. One day, my curiosity gets the best of me and I wonder, "what happens if I send a bunch of document requests at once?" I made it to 20 before the application ground to a halt.

I send a quick write up to the scrum Master who schedules a meeting to go over my findings. All the managers keep trying to blow it off like it's not a big deal cause "who would do something like that?" Meanwhile, I'm trying to explain to them that it's not even malicious actors that we have to be concerned about. Literally 20 users can't request reports at the same time without crashing the app. That's a big problem.

They never did fix it properly. Ended up killing the product off which was fine because it was a pile of garbage.

16
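The second story above is a denial-of-service finding, and the poster's own diagnosis points at the fix: render once and store the result, and cap how many renders can run at the same time so a burst degrades into "try again later" instead of taking the application down. The following is an added example, not the product's code. The in-memory dictionary stands in for blob storage, the render function is a constructed stand-in for the 30-second PDF generation, and `simulate_burst` fires a batch of requests at once with a gate so the outcome is deterministic.

```python
import threading
import time


class ReportService:
    """Render each report once, keep the result, and cap concurrent renders."""

    def __init__(self, render, max_concurrent):
        self._render = render
        self._slots = threading.BoundedSemaphore(max_concurrent)
        self._cache = {}  # stands in for blob storage keyed by report id (and version, in practice)
        self._lock = threading.Lock()
        self.rendered = self.rejected = self.cache_hits = 0

    def get(self, report_id):
        """Return (status, pdf_bytes); 429 means 'busy, retry later' rather than a crashed app."""
        with self._lock:
            if report_id in self._cache:
                self.cache_hits += 1
                return 200, self._cache[report_id]
        if not self._slots.acquire(blocking=False):
            with self._lock:
                self.rejected += 1
            return 429, None
        try:
            pdf = self._render(report_id)
            with self._lock:
                self._cache[report_id] = pdf
                self.rendered += 1
            return 200, pdf
        finally:
            self._slots.release()


def simulate_burst(n_requests, max_concurrent):
    """n_requests distinct reports requested at once; renders block on a gate until the burst is in."""
    gate = threading.Event()

    def slow_render(report_id):
        gate.wait()  # constructed stand-in for the expensive PDF generation
        return b"%PDF-1.4 " + report_id.encode()

    svc = ReportService(slow_render, max_concurrent)
    statuses = []
    lock = threading.Lock()

    def worker(i):
        status, _ = svc.get(f"report-{i}")
        with lock:
            statuses.append(status)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    deadline = time.monotonic() + 5
    while svc.rejected < max(n_requests - max_concurrent, 0) and time.monotonic() < deadline:
        time.sleep(0.005)
    gate.set()
    for t in threads:
        t.join()
    return svc, sorted(statuses)
```

With a limit of two, a burst of five yields two renders and three 429s, and a later request for an already rendered report is served from the store without touching the renderer. For a public, shareable link the cache key should include the report version so a stale PDF is never served after the data changes; the admission limit should also be enforced per client in front of the service, since a single anonymous source can still keep the slots busy.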
vrek
programming.dev

I think this is the problem with legacy code. It's not that it's old but that 35 people each with their own coding standards and practices.

5

One of my old bosses used to say, "the choice is often not between right and wrong, but good, better, and best."

I agree with that sentiment for the most part. Different styles is fine. But sometimes you run into someone who is trying to use a socket wrench to drive nails and all you can do is just kind of watch in amazement and wonder how they arrived at the conclusion that this was the way to go.

6

I would go for "garbage, bad and ok" where bad is acceptable. Most styles are ok, a lot of anti-patterns are bad but still get the job done but sometimes people write pure garbage. I'm very happy that at my job we just have a lot of bad code that's workable but this one contractor wrote an absolute piece of shit. His code was a convoluted side-effect mess that was "reactive" and at around 3-5x more verbose than the "naive" solution. He made so many decisions that increased complexity and overhead that it became a rigid buggy mess.

Sometimes people just need to stick to the basics by using a database layer and a service layer on the backend and a API layer and component code on the front.

5

And all it takes is for one of those folks to be motivated and stupid to really muck things up.

1
slrpnk.net
  1. Take from index 10 of the buffer, AND it with some hard-coded hex value.

  2. Bit shift it by a hard-coded amount of 2

  3. Do the first two steps, but with a different hard-coded index, hex value, and bit shift.

  4. OR the two results.

  5. Shove the result back into a buffer.

All of this is one line with no commenting or references to what the fuck this process comes from or why it is applicable. Then there was a second copy of the line, but with different hard-coded values.

16
// Here be dragons
// Call Darren before changing
// Darren quit 2 years ago good luck 
//         - PJ 2015
18
vrek
programming.dev

Ok that is truly horrid...

Can you say what the point of it actually was?

7

Nope. It was buried 300 lines into a 600 line C function.

The cherry on top was that testing at this place was all manually done on the hardware. And the "unit testing" consisted of making one off tests to prove line coverage, then throwing out the unit tests because the IDE we were using would have an aneurysm if it tried to open up existing unit tests.

I was the poor fuck tasked with writing throw away "unit testing" code for that bastard of a function. All of it was probably written before I was born.

5

For anyone who knows and understands Android development, process death, and saved state...

The previous dev had no understanding of any of it, and had null checks with returns or bypassing important logic littered all over the app, everywhere.

I could only assume he didn't understand how all these things were randomly null or why it was crashing all the time so he thought oh, I'll just put a check in.

Well, you minimize that app for a little bit, reopen it, and every screen was fucked visually and unusable, or would outright crash. It was everywhere. This was before Google introduced things like view models which helped but even then for a while weren't a full solution to the problem.

It was many many months of just resolving these problems and rewriting it the correct way to not have these problems.

16
Kazumarareply
discuss.tchncs.de

Oh I remember. There are tons of events and associated handlers. Even just switching to landscape view stops and restarts an android view I think. Friends at uni handled that problem by disallowing landscape view instead of handling it hahah

10

Friends at uni handled that problem by disallowing landscape view instead of handling it hahah

😭

Such a tragic and common 'solution' because it doesn't actually solve it, it just delays it until someone minimizes the app for 30 minutes and reopens it, or one of the many many other ways that also trigger it.

I've had some apps that I do lock to portrait, but I would disable that flag on debug builds, since rotating the phone was the easiest way to test for some of those bugs. I didn't worry about a good looking UI since it'd be locked in portrait, I just used it to test for bugs.

6
lemmy.ml

Here is my story:

There were console outputs after nearly every line. I asked about them: "Oh, I couldn't get the debugger to work, so I print everything to the console"

This was everywhere. The whole program was like this. On a standard Linux machine. It wasn't even remote debugging or something. Just a local C++ program.

The filenames were written in 8+3. Again, on a modern Linux machine. His answer? "You never know where we'll port this software to"

Onto computers that were outdated decades ago? To embedded systems? Of course he had no answer for this except "just in case..."

I could tell you more, that software was the stuff for nightmares.

15
vrekreply
programming.dev

Was he trying to use an IDE or like vim/clang/gdb for debugging before giving up?

4

He didn't use an IDE, but I don't remember what he tried. He also wasn't a fan of googling stuff. Use the man pages and nothing else.

2

Of course he had no answer for this except "just in case..."

Never in my career have I seen this argument come to fruition as valid.

4
lemmy.world

At a small company I used to work for, we agreed to take over the management system for someone trading physical resources. The guy that originally wrote it was self taught. We did a hand over with him where he took us through the code base. It was written in dotnet but it was a huge mess: he had blended multiple different dotnet paradigms, there was mixed business and UI code all over the place, large chunks of html were stored in the db, db code was just scattered through the application. We took it over briefly but it was a nightmare to work on and we found a SQL injection vulnerability. So as kindly as possible we told the client that his software was a piece of shit and the dev he hired had no idea what he was doing.

15
vrekreply
programming.dev

What was the final result? Did you cancel the contract or re-write the whole thing?

7

We finished working on what we had already agreed to do and then cancelled the contract, the client was quite understanding.

1
sh.itjust.works

There was something like

# sleep for about a second on modern processors
math.factorial(10000)

After it was found we left it in the code but commented out along with a sleep(1) for posterity.

14

In the readme: if you want this program to be usable, press the turbo button until the turbo light is OFF.

3

I saw one where the program ran a busy loop on startup to calculate how long it took. Then it used that as an iterations-to-seconds conversion for busy loops between scheduled actions.

2

It was a huge codebase in c# with a single file in VB.net with a comment at the top "copied from codinghorrors.com/…". I never dared to try understanding what that file was supposed to do and why nobody bothered converting it to c#

14

So this is not as bad as some of the other stories I've seen, but I'll bite.

It was an old .NET Framework MVC app. Some internal product management system or something. There was a need to do a PDF export in one of the use cases, so someone implemented it. It wasn't a good implementation: one big controller, mixing UI and business logic, etc. However, it basically came down to a single private method in a specific controller for a page.

Now time passes and lo and behold, we need a PDF export in another page for a different use case. "No problem," - same dev, probably - "I already solved this problem. I'll just reuse the PDF generation logic."
Now, any sane person would probably try to refactor the code responsible for PDF stuff into a separate service (class) and reuse it. A less sane, but somewhat acceptable, approach would have been to just copy paste the thing into another controller and call it a day.

Ha! No no no no no no… Copy pasting is bad, code should be reused…

The end solution: REFLECTION. So the dev decided that the easiest way to make it work was to: 1) use reflection to inject one controller into another; 2) then use reflection again to get access and call that private method for PDF rendering into a stream.


Fortunately I didn't have to fix that fragile mess. But I did my fair share of DevExpress corpse hacking and horrible angular "server side rendering" workarounds.

14

I think the worst software-gore I remember seeing was a web app that dumped all the data to the browser as a huge XML file and then had JavaScript translate the contents of the xml into views. That probably wouldn’t even sound that far off the reservation now if it was JSON, thanks to the sleepless efforts of the JavaScript industrial complex, but back then you’d just render pages and return them.

14

Oh, I've seen some doozies... The one I remember the most, and I've seen this twice, is this:

myClass.TheProperty = myClass.TheProperty;

When I asked about it, the developer said that, well yes, because it reads from one place and sets in another! Not at all difficult to read!

13
piefed.world

I wrote an algorithm that should be recursive but in expediency I wrote a loop that iterates 10 times.

It's fine but I'm still mad 3 weeks later

13
sh.itjust.works

Good chance that's more performant though, compilers can flatten for loops and you don't have to waste as much time creating new stack frames each time you recurse

6

It might, I'm mostly mad because it seems like a classic recursion problem. Build a graph of nested references.

1

I had to rewrite an iterative implementation I made for an exercise in school because the solution they prepared used recursion. I'm still mad about that. Admittedly the recursive solution was a tiny bit more elegant, but my solution worked too!

2

This might require a bit of background knowledge about Power Query in Excel and Power BI, specifically the concept Query Folding.

Power Query is a tool to define and run queries against a host of data sources and spit out tabular data for use in Excel (as tables) or Power BI (as Tabular Data Model). The selling point of it is the low-code graphical presentation: You transform the data by adding steps to the query, mostly through the menu ribbon. Change a column type? Click the column header > Data Type > select the new type. Perform a join? Click "Merge Queries", select the second query, select the respective key column(s) to join on and the join type – no typing needed. You get a nested table column you can then select which columns to expand or aggregate from.

Each step provides you with a preview of the results, and you can look at, edit, delete or insert earlier steps at will. You can also edit individual steps or the whole query through a code editor, but the appeal is obviously that even non-programmers can use it without needing to code.

Of course, it's most efficient to have SQL transformations done by the database server already. But Power Query can do that too: "Query Folding" is the feature that automatically turns a sequence of Power Query steps into native SQL. A sequence like "Source, Select Columns, Filter Rows, Rename Columns" will quite neatly be converted into the SQL equivalent you'd expect. Merges will become Join, appending tables becomes Union, converting a text to uppercase becomes UPPER and so on.

If at some point there is a step it can't fold, it will use a native query to load the data up to that point, then do the rest in-memory. Even if later steps were foldable, they'll have to be done in-memory. You can guess that this creates a lot of potential for optimising longer queries by ensuring as much of it as possible is folded and that the result is as "small" as possible – as few rows and columns as feasible etc.

Now, when I tell you that there is a table in one of our sources with a few large text columns you almost never need, you may be able to smell the smoke already. A colleague of mine needed help with his queries being slow to load. He had copied some code from Stackoverflow or what have you that joins a query with itself multiple times to resolve hierarchies. In theory, it was supposed to be foldable, provided the step it runs off of is. The general schema of my colleague's query went Data Source -> non-foldable type conversion -> copied code -> filtering (ultimately keeping about 20% of rows) -> renaming columns -> removing columns. Want to guess which columns were loaded, processed with each join, explicitly renamed and only then finally understood to be useless and discarded?

"I always do the filtering last, don't want to miss anything."

This is your regularly scheduled reminder that MS (and our corporate BI team) can present Power Query as a self-service data transformation tool all it wants, that still doesn't mean it's actually designed for use by non-data techies.

13
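To put a number on the ordering problem described above, here is an added example that is not from the post and not Power Query M code: a small in-memory model of the colleague's query. It runs the same "join the table with itself to resolve the hierarchy" step once with the unneeded wide text columns dropped after the join and once with them dropped before, and counts how many bytes the join has to carry in each case. The table shape, column names, tree depth and blob sizes are all constructed for the illustration. Note that moving the row filter in front of a self-join needs more care than moving the column removal: if the filter removes ancestor rows, the join's other side must still reference the unfiltered data, otherwise the hierarchy comes back with holes.

```python
# Added example (not from the post). Models "Data Source -> self-join -> remove
# columns" against "Data Source -> remove columns -> self-join" and measures
# how much data the join touches. Everything here is constructed.
from typing import Dict, List, Tuple

Row = Dict[str, object]


def make_rows(n: int = 200, blob_size: int = 400) -> List[Row]:
    """Constructed source table: an id, a parent link forming a 4-ary tree,
    one small useful column and two large text columns nobody needs."""
    return [
        {
            "id": i,
            "parent_id": i // 4 if i else None,   # node 0 is the root
            "name": f"node{i}",
            "notes": "x" * blob_size,             # wide column, never used
            "audit_log": "y" * blob_size,         # wide column, never used
        }
        for i in range(n)
    ]


def row_bytes(row: Row) -> int:
    """Rough size of one row as it would travel through a join."""
    return sum(len(str(v)) for v in row.values())


def resolve_hierarchy(rows: List[Row], levels: int = 3) -> Tuple[List[Row], int]:
    """Emulates the copied 'join with itself' code: for every row, look up its
    parent `levels` times and add an ancestor column per level. Returns the
    widened rows and the bytes the join carried (every row read on both sides,
    wide columns included if they are still present)."""
    by_id = {r["id"]: r for r in rows}
    carried = 0
    out: List[Row] = []
    for r in rows:
        widened = dict(r)
        carried += row_bytes(r)
        ancestor_id = r["parent_id"]
        for level in range(1, levels + 1):
            parent = by_id.get(ancestor_id)
            if parent is None:               # ran off the top of the tree
                widened[f"ancestor{level}"] = None
                continue
            carried += row_bytes(parent)     # the join reads the whole parent row
            widened[f"ancestor{level}"] = parent["name"]
            ancestor_id = parent["parent_id"]
        out.append(widened)
    return out, carried


KEEP = ("id", "parent_id", "name")


def drop_columns(rows: List[Row]) -> List[Row]:
    """The 'Remove Columns' step: keep the key columns and any ancestor columns."""
    return [{k: v for k, v in r.items() if k in KEEP or k.startswith("ancestor")}
            for r in rows]


def columns_dropped_late(rows: List[Row]) -> Tuple[List[Row], int]:
    """Colleague's ordering: join first, discard the wide columns at the end."""
    joined, carried = resolve_hierarchy(rows)
    return drop_columns(joined), carried


def columns_dropped_early(rows: List[Row]) -> Tuple[List[Row], int]:
    """Same result, wide columns removed before the join ever sees them."""
    return resolve_hierarchy(drop_columns(rows))


if __name__ == "__main__":
    src = make_rows()
    late_rows, late_bytes = columns_dropped_late(src)
    early_rows, early_bytes = columns_dropped_early(src)
    print("same result:", late_rows == early_rows)
    print("bytes carried, late vs early:", late_bytes, early_bytes)
```

Both orderings produce identical output rows; only the amount of data dragged through the join differs, by well over an order of magnitude with the constructed 400-byte blobs, and that is the difference the database server would also see if the column removal folds into the native query.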
lemmy.world

Back in the day, a C program to handle estimating procurement costs for complex government contracts. We had to figure out the code and write it in a different language. It was just one giant loop, no functions, with variables named V1, V2, V3, etc. Hundreds and hundreds of them. I still shudder at the horror of it all.

13
vrekreply
programming.dev

I worked on a laser seam welder which basically was programmed in a mix of g code and I guess vb??

The fun part was variables could only be numbers between 100 to 999. So let's say you have a sensor and need to verify it's within a certain range. You could set #525 to 10 and #526 to 20 then say #527 = sensor 1 signal. Now lower down you verify it as if(#525 > #527 || #526 < #527){show error}

Now you could create each variable at the beginning with comment of what it was but then have to keep referring to the top to remind yourself what number was what. Or create the variable at first use so it was closer but now it's spread across the document.

I went with first case and just printed out the first 2 pages which listed all the variables.

Before you ask, I talked to the guy who wrote the language and made the system many times; he confirmed you couldn't use variable names.

9
lemmy.world

I wonder at what point it would be easier to make a compiler to convert variable names into those numbers

6
vrekreply
programming.dev

If you did and it was usable across multiple cnc manufacturers you could make a pretty penny.

3

If I had the necessary insight into these fields to make fixing inefficiencies my job I would

1
Machinistreply
lemmy.world

G Code is basically a geometric scripting language and isn't Turing complete in basic implementations. Every manufacturer pretty much also has their own dialect that is Turing complete.

Gcode with control commands and variables is called, no shit, Macro G Code. It's Turing complete. That form of variable names is normal and is inherited from hardware registers/banks and TTL.

It's not unusual for a save dialog to be labelled Punch as it has a direct lineage from punch tape.

Kind of like assembly and a graphing calculator had an abortion together.

5

Lol, yeah I've written g-code from 4 different manufacturers and yeah it's a new experience each time.

3

"Man if we had the original source code, it'd be so much easier than reverse engineering this binary in Ghidra"

The source code in question:

1

I got forcefully moved onto another team at work. They use Observables to replace signals, change detection, local storage, and even function calls. Every single component is a tangled mess of Observables and rxjs. Our hotlist has over 300 bugs, and the app is like 6 months old.

I've been looking for a new team

12
psivchazreply
reddthat.com

There's a part of me that kind of feels like this could work if you just do it right. Like the idea is kind of cool, in a way.

2

Unfortunately, it results in a dependency tree that resembles the tangled power lines in Bangladesh. Especially when half the code base is written by new devs using GAI and there isn't a design doc in sight

6

I had some absolutely beautiful RxJava2 chains in an app I worked on once. Can definitely be abused and done poorly though.

1

Had a coding firm costing 1k+ euros which was unfamiliar with django select all() from DB just to cast that into a list each time a user opens the tool. That got real funny real fast when the customer started adding the announced 50k objects per day. They did that buried in about 50-60 api endpoints conveniently coded by hand instead of using generic api endpoints available from django rest framework.

When the loading times hit 50s per click, the company took the money and ran. My colleagues and I spent 2 years and half that to fix that shit.

11

My university uses ORACLE. To make a payment from a research account, you need to manually input a 15 character chart string. Every time.

11

Mine.

I should state that I'm not a programmer. I'm a network engineer.

I work for a space (among other things) contractor, and there are days I feel like I'm mission control for Apollo 13.

9
lemmy.world

There are a couple that come to mind.

Definitely the worst, a C# .net mvc application with multiple controllers that were 10s of thousands of lines long. I ran sonarqube on this at one point and it reported over 70% code duplication.

This code base actively ignored features in the framework that would have made things easier and instead opted to do things in ways that were both worse, and harder to do. For example, all SQL queries were done using antiquated methods that, as an added benefit, also made them all injectable.

Reading the code itself was like looking at old school PHP, but c#. I know that statement probably doesn't make sense, but neither did the code.

Lastly, there was no auth on any of the endpoints. None. There was a login, but you could supply whatever data you wanted on any call and the system would just accept it.

At the time I was running an internal penetration test team and this app was from a recent acquisition. After two weeks I had to tell my team to stop testing so we could just write up what we had already and schedule another test a couple months down the line.

9
vrekreply
programming.dev

What is a sonarqube? I never heard that term before. Could you also provide the names of some software to run them?

4
lemmy.world

Sonarqube is kind of like an automated code quality checker that works for a bunch of programming languages. It's pretty configurable (though I've never configured it myself), so it can be set up to check a code base for a wide range of things.

There's a couple of different ways to run it, in my experience bigger companies usually have a dedicated server on their internal networks that connects to their CI/CD pipelines so that code gets checked before it gets merged in.

On a smaller scale, it's also possible to run locally (either on metal or inside a docker container). From there you'd install a plugin to your IDE of choice.

More info:

8
programming.dev

This was then sent to the server as pure sql, no orm.

ORMs are overrated.

9

Yeah but simply using entity framework would have made the configuration file a list of systems.

2
programming.dev

The encryption thing is definitely weird/crazy and storing the SQL in XML is kinda janky, but sending SQL to a DB server is literally how all SQL implementations work (well, except for sqlite, heh).

ORMs are straight trash and shouldn't be used. Developers should write SQL or something equivalent and learn how to properly use databases. eDSLs in a programming language are fine as long as you still have complete control over the queries and all queries are expressible. ORMs are how you get shit performance and developers who don't have the first clue how databases work (because of leaky/bad abstractions trying to pretend like databases don't require a fundamentally different way of thinking from application programming).

9
jlai.lu

ORMs are a way to seamlessly handle the model aspect of a codebase. But I agree.

My first big project (Symfony, with doctrine orm), we had to have several SQL requests made by hand due to the complexity of the databases here and there. So we were kept on our toes when it came to database knowledge haha

2

Except it's not seamless, and never has been. ORMs of all kinds routinely end up with N+1 queries littered all over the place, and developers using ORMs do not understand the queries being performed nor what the optimal indexing strategy is. And even if they did know what the performance issue is, they can't even fix it!

Beyond that, because of the fundamental mismatch between the relational model and the data model of application programming languages, you necessarily induce a lot of unneeded complexity with the ORM trying to overcome this impedance mismatch.

A much better way is to simply write SQL queries (sanitizing inputs, ofc), and for each query you write, deserialize the result into whatever data type you want to use in the programming language. It is not difficult, and greatly reduces complexity by allowing you to write queries suited to the task at hand. But developers seemingly want to do everything in their power to avoid properly learning SQL, resulting in a huge mess as the abstractions of the ORM inevitably fall apart.

3
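The "write the SQL yourself, sanitise the inputs, deserialise each result into your own type" approach from the comment above, as an added example that is not from the thread, using Python's sqlite3 module and an in-memory database. The schema, rows and the start date / end date / system parameters are constructed to mirror the report program from the top of the thread. The first function glues SQL fragments and values together the way that program did; the second keeps the statement constant and passes the values as parameters, which is the "sanitising" that actually holds up. A legitimate system name containing an apostrophe is enough to show the difference: concatenation produces a broken statement (the same mechanism an attacker would abuse), parameters treat it as plain data.

```python
# Added example (not the thread's code). Parameterised SQL plus a dataclass per
# query, compared with string concatenation. Schema and rows are constructed.
import sqlite3
from dataclasses import dataclass
from datetime import date
from typing import List


@dataclass(frozen=True)
class Reading:
    """The application-side type one query deserialises into."""
    system: str
    taken_on: date
    value: float


def open_db() -> sqlite3.Connection:
    """Constructed sample data: readings per system and date."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings(system TEXT, taken_on TEXT, value REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("ERP", "2024-01-05", 1.5),
        ("ERP", "2024-02-10", 2.5),
        ("ERP 'legacy'", "2024-01-20", 9.0),   # a real name that contains a quote
        ("CRM", "2024-01-15", 3.0),
    ])
    return conn


def _validate_dates(start: str, end: str) -> None:
    """Reject anything that is not an ISO date before it goes near the query."""
    if date.fromisoformat(start) > date.fromisoformat(end):
        raise ValueError("start date is after end date")


def readings_concatenated(conn: sqlite3.Connection, start: str, end: str,
                          system: str) -> List[Reading]:
    """The pattern the thread warns about: query pieces and values glued into
    one string. Any quote in a value changes the statement itself."""
    _validate_dates(start, end)
    sql = ("SELECT system, taken_on, value FROM readings WHERE taken_on >= '" + start
           + "' AND taken_on <= '" + end + "' AND system = '" + system + "'")
    return [Reading(s, date.fromisoformat(d), v) for s, d, v in conn.execute(sql)]


def readings_parameterised(conn: sqlite3.Connection, start: str, end: str,
                           system: str) -> List[Reading]:
    """Hardened form: constant statement, values bound as parameters, rows
    deserialised into Reading. Quotes in `system` are just characters."""
    _validate_dates(start, end)
    sql = ("SELECT system, taken_on, value FROM readings "
           "WHERE taken_on >= ? AND taken_on <= ? AND system = ? ORDER BY taken_on")
    rows = conn.execute(sql, (start, end, system))
    return [Reading(s, date.fromisoformat(d), v) for s, d, v in rows]


def concatenation_breaks(conn: sqlite3.Connection, start: str, end: str,
                         system: str) -> bool:
    """True when the concatenated query fails to parse for this input."""
    try:
        readings_concatenated(conn, start, end, system)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print(readings_parameterised(db, "2024-01-01", "2024-12-31", "ERP 'legacy'"))
    print("concatenation breaks on the quoted name:",
          concatenation_breaks(db, "2024-01-01", "2024-12-31", "ERP 'legacy'"))
```

A syntax error on a quoted name is the benign symptom of the same defect; logging such errors from the data access layer is a cheap way to find concatenated queries in an existing code base before anyone else does.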

A switch that would just return the input value with a constant offset ... hardcoded for over 40 consecutive values.

9
lemmy.ca

My current favorite is in ruby with the unless keyword:

tax = 0.00
unless not_taxed(billing)
  tax = billing.zipcode.blank? ? estimated_tax_from_ip(account) : billing.tax
  tax = (tax.nil? ? 0.00 : tax)
end

To me, anything payments related you want to be really super clear as to what you're doing because the consequences of getting it wrong are your income. Instead we have this abomination of a double negative, several turnaries, and no comments.

8
feddit.org

FYI, an operator with three arguments (such as ?:) is called ternary. The word is related to tertiary, if that helps remembering it.

3
dimeslimereply
lemmy.ca

Correct, and since there are multiple instances I'm using a plural form, and fighting autocorrect at the same time.

5

I know you were using multiple instances, but I wasn't sure if that was a typo, auto cow wrecked or genuinely not knowing.

5

Hm. Needs to be unrolled into early returns and have some unit tests strapped tight around it

1
lemmy.wtf

A (poorly written) Shell check if the process was able to write to the production database which in some, not all, cases threw the gem:

!!!!!!!! SQL ERROR !!!!!!!!!

7
sh.itjust.works

Lots. But one that springs to mind is a custom CMS where a new dev decided to print out the sql generated for a particular content type on paper. He took it to the CTO without comment.

What was wrong?

It was 12 pages.

7
vrekreply
programming.dev

Am I reading that right, that he printed out the generated sql query?

If so depending on context that may make sense to complain about. A 12 page sql query would be insane, something sounds like there are other issues.

That said I probably wouldn't go to cto, I would go to manager or a senior dev and ask why it was so complex to get a particular content type. If there were no performance issues or bugs I would just ask out of curiosity.

2

Yes, the generated SQL query. It basically consisted of a lot of WHERE x IN (1,2,3,4) clauses for all the document IDs that matched something or other, and then repeated for the next JOIN. Small company, CTO was our direct boss and in the same open-plan office.

1

The worst programmer I have ever seen was myself six months ago... Hopefully that will be true in another 6 months too

11
lemmy.eco.br

it wasn't funny in any way, but JSHITBOSS "microservice" (it was a jboss service with one microservice inside, in a kubernetes pod, with only one core, tell me about redundancy). Service classes with over 2000 lines of code, it shouldn't even be called spaghetti code, more like lasagna code, the pasta came in layers, separation of concerns was a mere suggestion, code was not thread safe (and it needed to be), but there were only 40 EJBs for each "stateless" service inside the EAR, so number go up, code goes better.

I refactored it, it's now in the glorious quarkus 3.27, on virtual threads and java 21, not hyperbole, but 5x more throughput and you don't need 7 phds in Italian cuisine.

Edit: I also saw, in Angular, the infamous:

if (variable === true || variable === 'true' || variable === "true") {

6
vrekreply
programming.dev

Why does it seem like Java is always the language with the worst code?

I mostly do local programs with c# or python so a lot of your comment didn't make sense to me like quarks and ejbs but yeah it sounds horrible.

6
potatoguyreply
lemmy.eco.br

The most used language has the most of the worst code, quarkus is a new framework (and very good), ejbs are enterprise java beans (the worst thing ever made).

I think a lot of the code was written by a lot of people in a rush, very backend of the backend, but EXTREMELY needed. Java is hated (I hate it too), but the new things in it? It's amazing too (I only love the new stuff).

9
vrekreply
programming.dev

I'm thinking of diversifying, do you think Java or Javascript would be better?

2
potatoguyreply
lemmy.eco.br

What is your purpose?

Do you just want a job or do you want to program for fun? If you want backend, that'll be very different than frontend, do you want corporate or startup?

I didn't care about that, but I think java, for backend would be a first choice, as it has the biggest amount of "it just works with that".

I think scala is cool too, very modern and with A LOT less boilerplate, all the JVM support, so it can work with almost anything in the backend, but for working for jobs, it's not very used.

4
vrekreply
programming.dev

I had a job as a software engineer at a corporate job but got let go. Mostly I enjoy backend. I can do front end programming but am very bad at making pretty things. Like sketch something out for what you want for an interface and I can program it, but ask me "just make a gui for users" and it will be like win-me quality of bad.

4

JavaScript might be more widely applicable. Java is good to learn, too. If you learn Java, you can also learn Kotlin which is a glorious language to work with.

1
lemmy.ml

I've seen a many-to-many relationship written as a column of CSV ids.

Also same ppl used "ID" instead of "id" (sometimes Id even) which made ORMs cry hard

6

Half our ids are called 'number' sooo. Also our entire in-database translation system relies on guids that are not foreign keys. The only reason our ORM doesn't flip on that is because it's completely custom made with semi-autogenerated stored procedures resolving that translation in-database (using yet another SP).

We are at 2696 stored procedures right now, most of those are simple CRUD (can't do straight selects on our tables because of the translations, so every select with different parameters is a SP)

4

Ok so this one is someone trying to move to "the cloud."

They had a database they used. It was on a server in the office. We were tasked to clone the db server to a hosted VM. Due to order of creation this got put on a new host without anything yet on it.

They needed a site to site VPN to keep privacy, that was all fine. However after the clone and during testing, their guy there said that this one part was really slow. We take a look and everything is good with performance of the server and of the VPN. I have to pop on to take a look.

It was in an office app and written in VB. (I forgot which one.) It was indeed slower on the hosted server. So I took a look at the function (he got it up for me) and I could instantly tell the issue.

This part was a lookup page that searched for your input. The function retrieved the entire table, then filtered the results in the client. I explained that transferring the whole table over the internet would be slower than on the local lan.

This guy said he originally wrote this, but "forgot VB."

In the end they decided not to update the app or keep the server in the office, but instead they rented some VDIs in the same data centre as the db.

6

I saw a talk recently, I can find the video if you like but pretty sure it was the most recent ND conference, where they made the point that a lot of lack of efficiency in modern code is because of large companies. Basically in a lot of cases it's more important to get a product out ASAP than to care if it was well done. Ok, a poorly written program may cost an extra $10,000 a month to run but if it earns them a million a month and saves 6 months of development time it pays for itself and they can eat the cost.

This seems like the case with renting vdis instead of fixing the program.

2
lemmy.zip

The C++ code went something like this:

  1. Convert pointer to int
  2. Serialize the int over IPC to self using Linux Message Queues
  3. Delete/free the pointer
  4. Read the int from the queue
  5. Convert to pointer
  6. "Use" the pointer
6
vrekreply
programming.dev

Only reason I can think to do that is to "verify" the data in the pointer is not null/empty and is a valid int???

There are much better ways to do that but I can't think of any other intent the programmer had.

1

Oh no, when they deserialized the int/pointer they used it like the original structure (which now points to freed memory). They meant to serialize the data structure across, but only sent the memory address.

1

A page that handled call requests. It was a table showing some information about the person, the case it's related to and some other fields. It fetched everything from any table it touched. So the call was fetching all the information about the person. The case it was related to. The person who was assigned to the case, and since the case was linked a couple of layers in, all of that data as well.

I created a simple view that only fetched the data it needed. It went from over A GIGABYTE of data to less than 25mb of data of transfer to the web ui.

6

This one is funny because it 100% still exists somewhere, but I haven't had the chance to verify it again.

Okay so basically it's a data recorder box (ex: brainbox) that connects to a bunch of industrial sensors and sends the data over the network with your preferred method.

Builtin firmware gives you an HTTP webui to login and configure the device, with a user # and password.

I think the user itself had a builtin default admin which was #0, which everyone uses since there wasn't really much use for other users.

Anyway, I was looking at the small JS code for the webui and noticed it had an MD5 hashing code that was very detailed with comments. It carefully laid out each operation, and explained each step to generate a hash, and then even why hashes should be used for passwords.

Here's the kicker: It was all client side JS, so the login page would take your password, hash it, and then send the hash over plaintext HTTP POST to the server, where it would be authenticated.

Meaning you could just mitm the connection to grab the hash, and then login with the hash.

I sat there for like 10 minutes looking at the request over and over again. Like someone was smart enough to think "hey let's use password hashing to keep this secure" and then proceeded to use it in the completely wrong way. And not even part of like a challenge/handshake where the server gives you a token to hash with. Just straight up MD5(password).

It was so funny because there were like a hundred of these on a network, so getting a valid hash was laughably easy.

I never got to check if this was fixed in a newer firmware version.

6
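What the server side of that login should have looked like, as an added example that is not from the post or the device's firmware. The device compares a client-computed MD5 against a stored MD5, so whatever travels on the wire is accepted as-is and is therefore the credential; the first function models that check only to make the point testable. The second pair derives a salted, slow hash on the server from the password it receives and compares in constant time, so the stored record is not a login token and a password with one wrong character fails. Salt handling, the iteration count and the use of PBKDF2-HMAC-SHA256 are choices made for this illustration (argon2 or scrypt are preferable where available), and none of it replaces TLS: hashing on the server fixes what is stored, the transport still has to be encrypted.

```python
# Added example (not from the post). Contrasts "compare the hash the client
# sent" with proper server-side password verification. All values constructed.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor chosen for this example


def legacy_client_hash(password: str) -> str:
    """What the device's page JavaScript computed before posting over HTTP."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def device_style_check(stored_md5: str, value_from_wire: str) -> bool:
    """The device's scheme: the server compares the posted value with the stored
    one. The compared value is exactly what was on the wire, so the stored
    hash is password-equivalent and the hashing adds nothing for transport."""
    return hmac.compare_digest(stored_md5, value_from_wire)


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Server-side enrolment: random per-user salt, slow derived key.
    The record can be stored; knowing it does not let you log in."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "key": key, "iterations": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Server-side verification of the password received (over TLS) from the
    client: re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("good password:", verify(rec, "correct horse battery staple"))
    print("near miss:", verify(rec, "correct horse battery stapl"))
    h = legacy_client_hash("hunter2")
    print("device accepts the stored value itself:", device_style_check(h, h))
```

The record returned by make_record is what belongs in the user store; with the device's scheme the stored value and the login credential are the same string, which is the whole problem the post describes.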

Joined a new team and one of my first tasks was a refactor on a shared code file (Java) that was littered with data validations like if ("".equals(id) || id == null) { throw new IllegalArgumentException(); }

The dev who wrote it clearly was trying to make sure the string values were populated but they apparently A) didn't think to just put the null check first so they didn't have to write their string comparison so terribly or else didn't understand short circuiting and B) didn't know any other null-safe way to check for an empty string, like, say StringUtils.isEmpty()

5
vrekreply
programming.dev

I mean... That's bad but not on the same scale of some of these other issues.

6
lemmy.world

Sure. There were worse problems too. SQL injection vulnerabilities, dense functions with hundreds of lines of spaghetti code, absolutely zero test coverage on any project, etc. That's just the easiest to show an example of and it's also the one that made me flinch every time I saw it.

"".equals() 😨

4
vrekreply
programming.dev

If it makes you feel better at my last company I asked the "senior validation specialist" what the validation path would be for a program which incorporated unit tests.

The answer I got was "what's a unit test?"

7
lemmy.world

The script I vibe coded to automate part of my job. It's sloppy and unrefined, but it works, and saves me a ton of effort.

4
sopuli.xyz

I hate vibe coding. However, this is the best use of it. I've done it several times for scripts and basic HTML dashboards.

4

Agreed. I wouldn't write an entire app with an LLM, but for basic scripting and backend UIs, it's perfect for when you just need something quick and inelegant that works.

I have nothing against AI when it's used as a tool instead of a crutch.

4

All about PTC's God awful piece of shit PLM/PDM systems IntraLink and PDMlink. I cannot believe the amount of trash code that company uses. And they get paid millions to basically screw the customers over. The customer's CAD gets intertwined in a huge heap of automated HTML garbage. This leads to a total disaster.

4

Unless I'm missing something, this is a pretty bog standard SQL injection, yeah?

2
lemmy.world

Weather forecasting software that maintains a linked list. When it eventually freed the memory used by the list, it would walk to the end of the list and free the last item. Then it would go back to the beginning of the list and do it again - rinse and repeat. Wonder why it was having performance issues 🙄

3
lemmy.dbzer0.com

A bit late to the party on this one, but Facepunch just opensourced a bunch of their code, I nominate that.

2
vrekreply
programming.dev

I don't recognize the name, what did Facepunch make?

2

#4 is a good thing. ORMs do not make queries better or safer, they make them easier for devs that don't learn SQL or safe calls. In some cases, they have been shown to cause slowdowns.

1

Php, ob_start + ob_clean and friends. On backend. Nothing could go wrong, right

1
programming.dev

Doesn't that mean that your encryption algorithm and key is stored inside the code?
And since you are opening the code in Visual Studio anyway, just follow the function called by the "Decrypt" button, copy the function into another project and now you have a decryptor.

0

I believe so but I don't remember the exact encryption algorithm and don't have access to the code anymore.

This was the same place that had a 500 line file named glob_vars.cs which you can guess the content of because "passing around variables cause memory leak issues".

2