You can't imagine how many lines of pure and utter horseshit, seemingly written in PHP, I had to dig through this whole weekend. (relating to my 2 previous rants)

How is it even possible to write code this unbelievably ugly?

Examples:
- includes within loops
- included files use variables from parent files
- start- and endtags separated to different files
- SQL queries generated by string concatenation, no safety measures at all (injection)
- repeating DB calls within loops
- multiple directories with the same code (~40 files), only different by ~8 lines, copied
- a mixture of <?php echo ... ?> and <?= ... ?>
- a LOT of array accesses and other stuff prefixed with "@" (suppress error messages)
- passwords in cleartext
- random non-RESTful page changes with a mixture of POST and GET
- GET parameters not URL-encoded
- ...

My boss told me it took this guy weeks and weeks of coding to write this tool (he's an "experienced dev", of course WITHOUT Git).

Guess what?
It took me only 20 hours and about 700 lines of code.

I must confess, since this task, I don't hate PHP anymore, I just simply hate this dev to death.

Addendum: It's Monday, 5:30am. Good night. 😉

!security

(Less a rant; more just annoyance)

The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.

The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄

Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)

I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.

But it's friday, so I must unfortunately wait. :<

Encrypting passwords with AES and storing the decryption key alongside te passwords file.

HOW FUCKING HARD CAN IT BE TO NOT STORE PASSWORDS IN CLEARTEXT AND THEN PROCEED TO SEND ME AN UNENCRYPTED EMAIL WITH THE PASSWORD IN IT??? THE SITE HAS A PREMIUM FUCKING SSL AND SAFETY CERTIFICATES YET THEY STILL DON'T COMPLY TO THIS? FUCK YOU! IF IT WASN'T FOR THAT I HAD TO ORDER A NEW SCREEN FOR MY BROKEN PHONE, YOU COULD'VE SUCKED BETTER THAN ME + VACUUM CLEANER.

Sorry abt that. But for real, mytrendphone stores passwords in plain texts and waves a fucking safety certificate in your face...

Uhm. I don't like this

We just had the introduction lesson about Emails. I think our teacher had fun sending fake mails from his computer over the server under our name.

when a dev with absolutely no knowledge of the systems or whatsoever, tells a client "sure, easy. we can get your password if you forget" and that client then comes to you and doesnt understand he has to use the recovery function because its encrypted using a slow oneway hash...

needless to say, that dev thought passwords were stored in cleartext..