

Ask HN: What horrifying and/or terrible things have you seen in production code? - jackweirdy

Interested in hearing the worst things you've seen that somehow went into production somewhere.
======
vijayaggarwal
I've seen many things in my 10+ years of coding. Here are some favourites:

* No authentication check on any page after login page. (You could type in any URL in browser address bar and gain access).

* GET request updating home page related content in database. (A few of these GET requests were picked up by the Alexa bot and we had our home page content change _randomly_ for many days. We had a real hard time troubleshooting this one).

* Use of mysql_query() in PHP. (Deprecated more than 10 years ago. Opens doors for SQL injection).

* Use of loop variables i,j,k,l,m for 5-level nested loop. (Too error prone and difficult to read).

* Unit testing applied to a highly monolithic code. (The hacks for isolating code _units_ produced more garbage than the code itself). It was legacy code and the management blindly ordered writing of unit tests when a few bugs were caught in production.
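The first three items on this list (no login check on pages past the login form, a GET that writes to the database, and string-built SQL in the mysql_query() style) share one fix: put the checks where a page author cannot forget them. The following is an added example, not vijayaggarwal's code or the PHP site described; it is written in Python with an in-memory sqlite3 database standing in for MySQL, and the `Request`, `Response`, `ROUTES` and `dispatch` names are hypothetical. It shows the three defects in one handler next to a dispatcher that enforces the session check and the HTTP method centrally and uses a parameterised query.

```python
import sqlite3
from dataclasses import dataclass, field


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE homepage (id INTEGER PRIMARY KEY, headline TEXT)")
    db.execute("INSERT INTO homepage VALUES (1, 'Welcome')")
    return db


@dataclass
class Request:
    method: str
    path: str
    session: dict = field(default_factory=dict)  # {"user": "alice"} once logged in
    form: dict = field(default_factory=dict)     # submitted fields


@dataclass
class Response:
    status: int
    body: str = ""


# --- the three problems from the post, in one handler -----------------------

def vulnerable_update_headline(db: sqlite3.Connection, req: Request) -> Response:
    # No login check, any HTTP method accepted (so a crawler following the link
    # rewrites the home page), and SQL assembled by string formatting.
    db.execute("UPDATE homepage SET headline = '%s' WHERE id = 1" % req.form["headline"])
    return Response(200, "updated")


def injection_breaks_vulnerable_handler(headline: str) -> bool:
    """True when the string-built query fails on the given input; one quote is enough."""
    db = make_db()
    try:
        vulnerable_update_headline(db, Request("GET", "/admin/headline", form={"headline": headline}))
        return False
    except sqlite3.Error:
        return True


# --- hardened version ---------------------------------------------------------

def update_headline(db: sqlite3.Connection, req: Request) -> Response:
    # Parameterised query: the value travels separately from the SQL text.
    db.execute("UPDATE homepage SET headline = ? WHERE id = 1", (req.form["headline"],))
    return Response(200, "updated")


def show_homepage(db: sqlite3.Connection, req: Request) -> Response:
    (headline,) = db.execute("SELECT headline FROM homepage WHERE id = 1").fetchone()
    return Response(200, headline)


# Hypothetical route table: path -> (allowed methods, handler). Only the paths in
# PUBLIC skip the session check, which lives in dispatch() rather than in each page.
ROUTES = {
    "/login": ({"GET", "POST"}, lambda db, req: Response(200, "login form")),
    "/": ({"GET"}, show_homepage),
    "/admin/headline": ({"POST"}, update_headline),
}
PUBLIC = {"/login"}


def dispatch(db: sqlite3.Connection, req: Request) -> Response:
    if req.path not in ROUTES:
        return Response(404, "not found")
    if req.path not in PUBLIC and "user" not in req.session:
        return Response(401, "login required")  # every page, not just the first one
    methods, handler = ROUTES[req.path]
    if req.method not in methods:
        return Response(405, "method not allowed")  # a GET never reaches a mutating handler
    return handler(db, req)
```

With this layout a new page that forgets its own login check is still protected, a crawler that follows `/admin/headline` gets a 405 instead of changing the home page, and a headline containing a quote is stored literally instead of breaking (or altering) the statement.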

~~~
shoo
> Unit testing applied to a highly monolithic code

Do you (or indeed anyone else reading) have suggestions for getting other
forms of testing in place around legacy monolithic code?

Perhaps this is a fairly ill-posed question without more context.

~~~
vijayaggarwal
You can still do Integration Testing with the system as a whole, although it
is supposed to be done after Unit Testing. The disadvantage due to absence of
Unit Testing will be that it will be difficult to isolate bugs found during
Integration Testing. For websites, we use Selenium all the time.

------
S4M
In a video game company, something like (it was in ActionScript, I don't
remember the exact syntax of that language):

    
    
        public class ScoreManager {
            // some statements
            private var score:int = 0;
            private var n1:int;  // threshold the comparison used; its value wasn't shown

            public function updateScore(action:Action):void {
                var n:int = action.entityDestroyed;
                if (n < n1) {
                    playSound1();
                    score += 100 * n;
                } else {
                    playSound2();
                    score += 200 * n;
                }
            }
        }
    

I had to deal with that piece of code for something, and asked the developer
to move the functions playing the sound out of the ScoreManager class so I
could reuse it, and he categorically refused without giving me any
explanation.

EDIT: typos

------
thejteam
A function that consisted of a giant switch statement, with each case
consisting of another switch statement. Half of the sub-cases contained GOTO
statements back to the top of the function.

Even worse... I wrote the code. It was 2am, I had been working for 18 hours
straight to get everything ready for a demo the next morning.

Even worse than that... the code worked so management wouldn't let me change
it. I tried my best to find an edge case it wouldn't handle but never could.
So the code shipped.

~~~
JoachimSchipper
If that's the worst, that's not too bad - I mean, it's _ugly_, but apparently
it works well. ;-)

------
sergiotapia
* Horrible duplicate code.

* Functions with more than 200 lines.

* Functions with about 16 parameters.

* A deploy process that consisted of copy and pasting using FTP.

* No source code control. Not even regular file backups, the 'code' was just on production and everybody worked against that.

* If else cases in the double digits.

~~~
shoo
Ugh.

> Functions with about 16 parameters.

I am reminded of a talk by Kevlin Henney [1]. He mentions this quote from Alan
Perlis: "If you have a procedure with ten parameters, you probably missed
some." [2]. Kevlin goes on to give anecdotes about code he has encountered or
heard stories about while consulting / teaching - the record was a function
with around 370 parameters, and that function was still growing.

I'd prefer to see a function with a dozen arguments than a "function" that
takes no arguments, returns void, and secretly communicates using global
state. Explicit horror beats surprise horror.

[1] http://www.infoq.com/presentations/architecture-uncertainty-nordevcon-2014

[2] http://www.cs.yale.edu/homes/perlis-alan/quotes.html

------
adolfoabegg
It was 2005, and I had to execute an Oracle function from C#. The PL/SQL
programmer that created the package/function told me that the function would
return a single string.

The returned string had a customer's info concatenated, like this:

    
    
        Pete      McDonald  5519500303
    

The instructions - to extract the data - were:

    
    
      The indexes from 0 to 9 will contain the name (please trim the trailing spaces)
      The indexes from 10 to 19 will contain the last name (same, please trim)
      20 to 21 will contain the age of the customer
      the rest of the string contains the customer's birthday
    
    

EDIT: formatting
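The layout above is a fixed-width record, and the instructions leave out everything that could be checked. Below is an added example, not adolfoabegg's code or the original C# consumer: a Python parser for that exact string layout that trims the name fields, refuses short or non-numeric records, and cross-checks the redundant age field against the birthday. The birthday encoding (YYYYMMDD) is an assumption that fits the sample value 19500303, and the 2005 reference date comes from the story; the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Field layout as the post describes it: [start, end) character offsets.
FIRST_NAME = slice(0, 10)
LAST_NAME = slice(10, 20)
AGE = slice(20, 22)
BIRTHDAY = slice(22, 30)  # assumption: YYYYMMDD, which fits the sample value 19500303

# Constructed sample record, the same one the post shows.
SAMPLE = "Pete      McDonald  5519500303"


@dataclass
class Customer:
    first_name: str
    last_name: str
    age: int
    birthday: date


def _age_on(birthday: date, as_of: date) -> int:
    had_birthday = (as_of.month, as_of.day) >= (birthday.month, birthday.day)
    return as_of.year - birthday.year - (0 if had_birthday else 1)


def parse_customer(record: str, as_of: str = "2005-06-01") -> Customer:
    """Parse one fixed-width record, refusing anything the layout cannot vouch for.

    as_of (ISO date) is the day the age field was supposedly computed on; the
    story is from 2005, so a 2005 date is the default.
    """
    if len(record) < BIRTHDAY.stop:
        raise ValueError(f"record too short ({len(record)} chars): {record!r}")
    first = record[FIRST_NAME].rstrip()
    last = record[LAST_NAME].rstrip()
    if not first or not last:
        raise ValueError(f"empty name field in {record!r}")
    age_text = record[AGE]
    if not age_text.isdigit():
        raise ValueError(f"age is not two digits: {age_text!r}")
    bday_text = record[BIRTHDAY]
    if not bday_text.isdigit():
        raise ValueError(f"birthday is not YYYYMMDD: {bday_text!r}")
    birthday = date(int(bday_text[:4]), int(bday_text[4:6]), int(bday_text[6:]))
    age = int(age_text)
    # The age is redundant with the birthday; a disagreement means the record
    # (or our reading of the layout) is wrong, so refuse it rather than guess.
    expected = _age_on(birthday, date.fromisoformat(as_of))
    if age != expected:
        raise ValueError(f"age {age} disagrees with birthday {birthday} as of {as_of}")
    return Customer(first, last, age, birthday)


def is_valid_record(record: str, as_of: str = "2005-06-01") -> bool:
    """Convenience wrapper: True if parse_customer accepts the record."""
    try:
        parse_customer(record, as_of)
        return True
    except ValueError:
        return False


def format_customer(c: Customer) -> str:
    """Inverse of parse_customer; fails loudly where the layout would silently truncate."""
    for field_name, value in (("first name", c.first_name), ("last name", c.last_name)):
        if len(value) > 10:
            raise ValueError(f"{field_name} {value!r} does not fit in 10 characters")
    if not 0 <= c.age <= 99:
        raise ValueError(f"age {c.age} does not fit in two digits")
    return f"{c.first_name:<10}{c.last_name:<10}{c.age:02d}{c.birthday:%Y%m%d}"
```

The round trip through `format_customer` is where the format's real problem shows: a first or last name longer than ten characters has no representation at all, and a producer that pads with `substr` instead of raising would hand the consumer a silently truncated name that parses without complaint.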

------
dwarman
A company for which I used to work decided to buy rather than invent some new
technology. In this one case, after the principals had taken their money and
run, I was asked to look at the IP that money purchased. This came in the form
of 8 8" floppy disks (dating me:). At the time I was in a metrics MSc class,
so I decided to write a comment stats program, and ran these disks through it.
With an alarming result - precisely 1 comment. And when I searched it out, it
was this:

"I don't know why this works"

Oops. After that they put me at the front end due diligence instead of the
back end.

------
twunde
Upon login, an application that created a new database for the user and then
imported ALL the data from the api before allowing the user to continue to the
next screen. The database would be dropped upon logout. Login times were in
the hours if it was successful at all.

And now think about the security and data integrity problems that implies.

------
mschuster91
Passwordless sudo for www-data and a shellcode injection attack give a pretty
nice exploit vector.

------
rachelandrew
I used to do quite a bit of troubleshooting/rescuing half finished projects,
or live things that had no developer involved for one reason or another.

Not that many years ago I was still seeing people storing credit card numbers
in plain text files on servers, and sending them unencrypted via email.

~~~
kjs3
> Not that many years ago I was still seeing people storing credit card
> numbers in plain text files on servers, and sending them unencrypted via
> email.

I've seen it in the last week. I work for an ESP, and have to continually tell
customers "just because you _can_ store CCs (or SSNs, or private account #s,
etc) in our database, there's never a good reason why you _should_ " and "PCI?
Heard of it?".

------
scdna
- no index on the db with even more reads than writes

- duplicating full data set to handle offline sync of data between a client
and a server

- over 1000 lines of Java per source file

Edit: formatting

------
GnarfGnarf
Jumping (GOTO) out of a subroutine directly back to a label in the main code.

RPG.

Sorting months by alpha name.

------
BenMorganIO
XUL code and I had to install Firefox 16.2. Was not happy.

------
andrewstuart
All the code I wrote.

