CW: The SQL injection vulnerability isn't important because our code is proprietary so hackers won't find it.

Me: <censored>

Today was my last day of work, tomorrow i have officially left that place. It's a weird feeling because i'm not certain about the future.
The job was certainly not bad, and after all i read on devrant i'm beginning to believe it was one of the better ones. A nice boss, always something to eat/drink nearby, a relaxed atmosphere, a tolerance for my occasionally odd behaviour and the chance to suggest frameworks. Why i would leave that place, you ask? Because of the thing not on the list, the code, that is the thing i work with all the time.

Most of the time i only had to make things work, testing/refactoring/etc. was cut because we had other things to do. You could argue that we had more time if we did refactor, and i suggested that, but the decision to do so was delayed because we didn't have enough time.

The first project i had to work on had around 100 files with nearly the same code, everything copy-pasted and changed slightly. Half of the files used format a and the other half used the newer format b. B used a function that concatenated strings to produce html. I made some suggestions on how to change this, but they got denied because they would take up too much time. Aat that point i started to understand the position my boss was in and how i had to word things in order to get my point across. This project never got changed and holds hundreds of sql- and xss-injection-vulnerabilities and misses access control up to today. But at least the new project is better, it's tomcat and hibernate on the backend and react in the frontend, communicating via rest. It took a few years to get there, but we made it.
To get back to code quality, it's not there. Some projects had 1000 LOC files that were only touched to add features, we wrote horrible hacks to work with the reactabular-module and duplicate code everywhere. I already ranted about my boss' use of ctrl-c&v and i think it is the biggest threat to code quality. That and the juniors who worked on a real project for the first time. And the fact that i was the only one who really knew git. At some point i had enough of working on those projects and quit.

I don't have much experience, but i'm certain my next job has a better workflow and i hope i don't have to fix that much bugs anymore.
In the end my experience was mostly positive though. I had nice coworkers, was often free to do things my way, got really into linux, all in all a good workplace if there wasn't work.

Now they dont have their js-expert anymore, with that i'm excited to see how the new project evolves. It's still a weird thing to know you won't go back to a place you've been for several years. But i still have my backdoor, but maybe not. :P

Me: Oh I see were using a non-standard architecture on this app. I like this bit but what is this doing? never seen it before.

Him: Ah we use that to abstract the navigation layer.

Me: oh ok, interesting idea, but that means we need an extra file per screen + 1 per module. We also can't use this inbuilt control, which I really like, and we've to write a tonne of code to avoid that.

Him: Yeah we wanted to take a new approach to fix X, this is what we came up with. Were not 100% happy with it. Do you have any ideas?

**
Queue really long, multi-day architecture discussion. Lots of interesting points, neither side being precious or childish in anyway. Was honestly fantastic.
**

Me: So after researching your last email a bit, I think I found a happy middle ground. If we turn X into a singleton, we can store the state its generating inside itself. We can go back to using the in-built navigation control and have the data being fetched like Y. If you want to keep your dependency injection stuff, we can copy the Angular services approach and inject the singletons instead of all of these things. That means we can delete the entire layer Z.

Even with the app only having 25% of the screens, we could delete like 30+ files, and still have the architecture, at a high level, identical and textbook MVVM.

Him: singleton? no I don't like those, best off keeping it the way it is.

... are you fucking kidding me? You've reinvented probably 3 wheels, doubled the code in the app and forced us to take ownership of something the system handles ... but a singleton is a bad idea? ... based off no concrete evidence or facts, but a personal opinion.

... your face is a bad idea

Laravel is the worst framework ever.

Everything has to be made convenient and easy. That sounds amazing, because developers want to save time, worry less about boilerplate code, right? No more constructors, no more dependency injection, fuck all the tedious OOP shit... RIGHT?

It does one thing well: Make PHP syntax uniform and concise through easily integrated libraries such as Collection and Carbon. But those are actually not really part of the framework... just commonly integrated and associated with Laravel.

The framework itself is completely derailed: You can define code in a callback in the routes file. You can define a controller in the routes file. You can define middleware as a parameter to the route, as a fluent method to the route, you can stack them up in a service provider. Validators can be made in controllers, Request objects, service providers, etc. You can send mail inline, through Mailable objects, through Notification objects, etc.

Everything is macroable, injectable, and definable in a million different places. Ultimate freedom!

Guess what happens when you give 50 developers of various seniority a swiss army knife?

One hammers in a screw with a nail file, the other clips the head from the screw using scissors, and you end up with an unworkable mess and blunt tools.

And don't get me started about Eloquent, the Active Record ORM. It's cute for the simple blog/article/author/comment queries, but starts choking when you want more selective and performant queries or more complex aggregates, and provides such an opaque apple-esque interface which lets people think everything is OK, when in reality it's forcing the SQL server to slowly commit suicide.

If you thought your legacy code was bad, this is what I'm dealing with. The below SQL is stored in a cookie on login and executed to on every further request to determine the user / privileges.

Why do people (Some devs too...) bloody hell think that devs have Hard time fixing the Semi Colon issue, we have a lot of other issues to figure out, like the Structure of Data, Code Fragmentation, API Creation, Invalid Data Handling, Injection Prevention. But no, since we are developers, we are having sleepless nights because of one fucking semicolon? FUCKING NO, it hardly takes 30 seconds to figure out that there is a missing semi-colon. Really People, stop the ; thing!

Worst legacy experience...

Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.

Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.

The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.

Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).

You can't imagine how many lines of pure and utter horseshit, seemingly written in PHP, I had to dig through this whole weekend. (relating to my 2 previous rants)

How is it even possible to write code this unbelievably ugly?

Examples:
- includes within loops
- included files use variables from parent files
- start- and endtags separated to different files
- SQL queries generated by string concatenation, no safety measures at all (injection)
- repeating DB calls within loops
- multiple directories with the same code (~40 files), only different by ~8 lines, copied
- a mixture of <?php echo ... ?> and <?= ... ?>
- a LOT of array accesses and other stuff prefixed with "@" (suppress error messages)
- passwords in cleartext
- random non-RESTful page changes with a mixture of POST and GET
- GET parameters not URL-encoded
- ...

My boss told me it took this guy weeks and weeks of coding to write this tool (he's an "experienced dev", of course WITHOUT Git).

Guess what?
It took me only 20 hours and about 700 lines of code.

I must confess, since this task, I don't hate PHP anymore, I just simply hate this dev to death.

Addendum: It's Monday, 5:30am. Good night. 😉

The gift that keeps on giving... the Custom CMS Of Doom™
I've finally seen enough evidence why PHP has such a bad reputation to the point where even recruiters recommended me to remove my years of PHP experience from the CV.

The completely custom CMS written by company <redacted>'s CEO and his slaves features the following:
- Open for SQL injection attacks
- Remote shell command execution through URL query params
- Page-specific strings in most core PHP files
- Constructors containing hundreds of lines of code (mostly used to initialize the hundreds of properties
- Class methods containing more than 1000 lines of code
- Completely free of namespaces or package managers (uber elite programmers use only the root namespace)
- Random includes in any place imaginable
- Methods containing 1 line: the include of the file which contains the method body
- SQL queries in literally every source file
- The entrypoint script is in the webroot folder where all the code resides
- Access to sensitive folders is "restricted" by robots.txt 🤣🤣🤣🤣
- The CMS has its own crawler which runs by CRONjob and requests ALL HTML links (yes, full content, including videos!) to fill a database of keywords (I found out because the server traffic was >500 GB/month for this small website)
- Hundreds of config settings are literally defined by "define(...)"
- LESS is transpiled into CSS by PHP on requests
- .......

I could go on, but yes, I've seen it all now.

Just wanted to say cheers to all those coders among you who make sure their login is encrypted, their passwords are hashed and salted, their codes are tested and their forms are code injection safe.

No client will understand what you did, so take my props for it! After all, its our responsibility to make sure software is secure. That's all :)

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.

Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."

Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!

Today I'm going to work on my side project that I haven't touched in weeks.

I want to utilize Angular 2 which means I'll need to learn TypeScript. I also want to use the new .Net Core and EF Core 1.0. Oh and I want to handle authentication using JWT!

Wow, that's gonna be a lot of effort to get things off the ground... maybe instead I'll use this time to learn some new concepts. Maybe watch this episode of Fun Fun Function, or maybe this video on writing Assembly code for an app on Raspberry Pi, that sounds cool!

Actually, you know I should really teach myself dependency injection and unit testing for once. I'm so behind the times.

Well, really I should finish this book on design patterns first. Ok, where did I leave off? Page 20 I think... ehh... maybe I'll just work on my side project.

Tomorrow... tomorrow, I'll work on my side project.

WASM was a mistake. I just wanted to learn C++ and have fast code on the web. Everyone praised it. No one mentioned that it would double or quadruple my development time. That it would cause me to curse repeatedly at the screen until I wanted to harm myself.

The problem was never C++, which was a respectable if long-winded language. No no no. The problem was the lack of support for 'objects' or 'arrays' as parameters or return types. Anything of any complexity lives on one giant Float32Array which must surely bring a look of disgust from every programmer on this muddy rock. That is, one single array variable that you re-use for EVERYTHING.

Have a color? Throw it on the array. 10 floats in an object? Push it on the array - and split off the two bools via dependency injection (why do I have 3-4 line function parameter lists?!). Have an image with 1,000,000 floats? Drop it in the array. Want to return an array? Provide a malloc ptr into the code and write to it, then read from that location in JS after running the function, modifying the array as a side effect.

My- hahaha, my web worker has two images it's working with, calculations for all the planets, sun and moon in the solar system, and bunch of other calculations I wanted offloaded from the main thread... they all live in ONE GIANT ARRAY. LMFAO.If I want to find an element? I have to know exactly where to look or else, good luck finding it among the millions of numbers on that thing.

And of course, if you work with these, you put them in loops. Then you can have the joys of off-by-one errors that not only result in bad results in the returned array, but inexplicable errors in which code you haven't even touched suddenly has bad values. I've had entire functions suddenly explode with random errors because I accidentally overwrote the wrong section of that float array. Not like, the variable the function was using was wrong. No. WASM acted like the function didn't even exist and it didn't know why. Because, somehow, the function ALSO lived on that Float32Array.

And because you're using WASM to be fast, you're typically trying to overwrite things that do O(N) operations or more. NO ONE is going to use this return a + b. One off functions just aren't worth programming in WASM. Worst of all, debugging this is often a matter of writing print and console.log statements everywhere, to try and 'eat' the whole array at once to find out what portion got corrupted or is broke. Or comment out your code line by line to see what in forsaken 9 circles of coding hell caused your problem. It's like debugging blind in a strange and overgrown forest of code that you don't even recognize because most of it is there to satisfy the needs of WASM.

And because it takes so long to debug, it takes a massively long time to create things, and by the time you're done, the dependent package you're building for has 'moved on' and find you suddenly need to update a bunch of crap when you're not even finished. All of this, purely because of a horribly designed technology.

And do they have sympathy for you for forcing you to update all this stuff? No. They don't owe you sympathy, and god forbid they give you any. You are a developer and so it is your duty to suffer - for some kind of karma.

I wanted to love WASM, but screw that thing, it's horrible errors and most of all, the WASM heap32.

Easy cop out for people who wrote code vulenerable to SQL injection: It's not a bug, it's a feature that let's users search using SQL syntax.

Before 10 years, a WordPress site hacked with sql injection. They had access to site, they modified many php files and installed commands to download random malwares from over the internet.

At first I didn't know that it hacked and I was trying to remove any new file from the server. That was happening every 1-2 days for a week.

Then I decided to compare every WordPress file with the official, it was too many files, and I did it manually notepad side notepad!! :/

Then I found about over 50 infected files with the malware code.

Cleaned and finished my job.

No one else knows that I did a lot of hard job.

I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...

#1 - Most expensive lesson learned

Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.

This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...

After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.

Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.

#2 - Hardest to find

This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vommit a bunch of sql statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.

Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.

#3 - Most elegant fix

Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - sql injection vuns in EVERY URL, sql statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we we're DDOS'ed for 5 days straight.

My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of ip). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.

So I stuck to what I knew and deployed a $5 vm running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a linux user agent). To this day I marvel at this miracle $5 fix.

I forgot what it was like to have a productive day!

I’m rewriting the Apple wallet pass code to make it fully customizable instead of mostly static, and it’s beautiful.

The code was horrible tangled spaghetti before (and soo slow) but now it’s clean and fast and modular and absolute bliss to spec. Yay, dependency injection!

I actually had fun working today! 😊
It’s been the first time in months.

It has been bugging the shit out of me lately... the sheer number of shit-tier "programmers" that have been climbing out of the woodwork the last few years.

I'm not trying to come across as elitist or "holier than thou", but it's getting ridiculous and annoying. Even on here, you have people who "only do frontend development" or some other lame ass shit-stain of an excuse.

When I first started learning programming (PHP was my first language), it wasn't because I wanted to be a programmer. I used to be a member (my account is still there, in fact) of "HackThisSite", back when I was about 12 years old. After hanging out long enough, I got the hint that the best hackers are, in essence, programmers.

Want to learn how to do SQL injection? Learn SQL - write a program that uses an SQL database, and ask yourself how you would exploit your own software.

Want to reverse engineer the network protocol of some proprietary software? Learn TCP/IP - write a TCP/IP packet filter.

Back then, a programmer and a hacker were very much one in the same. Nowadays, some kid can download Python, write a "hello, world" program and they're halfway to freelancing or whatever.

It's rare to find a programmer - a REAL programmer, one who knows how the systems he develops for better than the back of his hand.

These days, I find people want the instant gratification that these simpler languages provide. You don't need to understand how virtual memory works, hell many people don't even really understand C/C++ pointers - and that's BASIC SHIT right there.

Put another way, would you want to take your car to a brake mechanic that doesn't understand how brakes work? I sure as hell wouldn't.

Watching these "programmers" out there who don't have a fucking clue how the code they write does what it does, is like watching a grown man walk around with a kid's toolbox full or plastic toys calling himself a mechanic. (I like cars, ok?!)

*sigh*

Python, AngularJS, Bootstrap, etc. They're all tools and they have their merits. But god fucking dammit, they're not the ONLY damn tools that matter. Stop making excuses *not* to learn something, Mr."IOnlyDoFrontEnd".

Coding ain't Lego's, fuckers.

i understand some developers like to write wrapper functions to handle tedious things, I even understand how to write dynamic SQL queries, but for the love of fucking god and sanity, NEVER FUCKING DO THIS!!!!

Yes its PHP, but its not even bad PHP, its a fucking abomination from hell of PHP.

The IT guy at client made a spaghetti code website to replace their time entry software. I come in to “finish it up in a week to two” (just me). I start by removing 1200+ lines of convoluted data access code that doesn’t work, SQL injection prone too. I quickly gave up and started from scratch; just copyied some of his actually decent HTML.

Friday, he proceeded to try to install node on the server and run main.JS. Now he’s all concerned my repo is too complex because he can’t deploy a static website 🙁

He didn’t ask me how it gets deployed nor did he listen when I said “node is NOT THE BACKEND we have .NET core for that”.🤦‍♂️

I’m gonna spend a week writing documentation at 5th grade level and hand holding him so he understands how this code works because he’s going to be the one maintaining it.

Well on my last full-time job, that ware using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in VLE (virtual learning environment), 'Teacher', 'Student', 'Manager' put what of those values and boom you are that role for the session

Thing was open of SQL injection from the login form, from said cookies and form every part you can pass input to it, when I raised the question to my TL he said 'no one is going to know about thatt, I don't see what is the problem', then escalated to higher management 'oh well speak to *tl_guy*'

Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)

In 2015-2016, in a private college, charging kind-of big money per year

I found this gem today.
It perfectly generated ~5 GBs of useless log in the past 2 years.

Security!

Offensive and defensive at both code and infrastructure levels.

So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.

Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.

😓

rant & question

Last year I had to collaborate to a project written by an old man; let's call him Bob. Bob started working in the punch cards era, he worked as a sysadmin for ages and now he is being "recycled" as a web developer. He will retire in 2 years.

The boss (that is not a programmer) loves Bob and trusts him on everything he says.

Here my problems with Bob and his code:
- he refuses learning git (or any other kind of version control system);
- he knows only procedural PHP (not OO);
- he mixes the presentation layer with business logic;
- he writes layout using tables;
- he uses deprecated HTML tags;
- he uses a random indentation;
- most of the code is vulnerable to SQL injection;
- and, of course, there are no tests.
- Ah, yes, he develops directly on the server, through a SSH connection, using vi without syntax highlighting.

In the beginning I tried to be nice, pointing out just the vulnerabilities and insisting on using git, but he ignored all my suggestions.

So, since I would have managed the production server, I decided to cheat: I completely rewrote the whole application, keeping the same UI, and I said the boss that I created a little fork in order to adapt the code to our infrastructure. He doesn't imagine that the 95% of the code is completely different from the original.

Now it's time to do some changes and another colleague is helping. She noticed what I did and said that I've been disrespectful in throwing away the old man clusterfuck, because in any case the code was working. Moreover he will retire in 2 years and I shouldn't force him to learn new things [tbh, he missed at least last 15 years of web development].

What would you have done in my place?

developer: *deploying spaghetti code to production*
hacker: *alters the code with an injection*
developer:

When I was in college OOP was emerging. A lot of the professors were against teaching it as the core. Some younger professors were adamant about it, and also Java fanatics. So after the bell rang, they'd sometimes teach people that wanted to learn it. I stayed after and the professor said that object oriented programming treated things like reality.

My first thought to this was hold up, modeling reality is hard and complicated, why would you want to add that to your programming that's utter madness.

Then he started with a ball example and how some balls in reality are blue, and they can have a bounce action we can express with a method.

My first thought was that this seems a very niche example. It has very little to do with any problems I have yet solved and I felt thinking about it this way would complicate my programs rather than make them simpler.

I looked around the at remnants of my classmates and saw several sitting forward, their eyes lit up and I felt like I was in a cult meeting where the head is trying to make everyone enamored of their personality. Except he wasn't selling himself, he was selling an idea.

I patiently waited it out, wanting there to be something of value in the after the bell lesson. Something I could use to better my own programming ability. It never came.

This same professor would tell us all to read and buy gang of four it would change our lives. It was an expensive hard cover book with a ribbon attached for a bookmark. It was made to look important. I didn't have much money in college but I gave it a shot I bought the book. I remember wrinkling my nose often, reading at it. Feeling like I was still being sold something. But where was the proof. It was all an argument from authority and I didn't think the argument was very good.

I left college thinking the whole thing was silly and would surely go away with time. And then it grew, and grew. It started to be impossible to avoid it. So I'd just use it when I had to and that became more and more often.

I began to doubt myself. Perhaps I was wrong, surely all these people using and loving this paradigm could not be wrong. I took on a 3 year project to dive deep into OOP later in my career. I was already intimately aware of OOP having to have done so much of it. But I caught up on all the latest ideas and practiced them for a the first year. I thought if OOP is so good I should be able to be more productive in years 2 and 3.

It was the most miserable I had ever been as a programmer. Everything took forever to do. There was boilerplate code everywhere. You didn't so much solve problems as stuff abstract ideas that had nothing to do with the problem everywhere and THEN code the actual part of the code that does a task. Even though I was working with an interpreted language they had added a need to compile, for dependency injection. What's next taking the benefit of dynamic typing and forcing typing into it? Oh I see they managed to do that too. At this point why not just use C or C++. It's going to do everything you wanted if you add compiling and typing and do it way faster at run time.

I talked to the client extensively about everything. We both agreed the project was untenable. We moved everything over another 3 years. His business is doing better than ever before now by several metrics. And I can be productive again. My self doubt was over. OOP is a complicated mess that drags down the software industry, little better than snake oil and full of empty promises. Unfortunately it is all some people know.

Now there is a functional movement, a data oriented movement, and things are looking a little brighter. However, no one seems to care for procedural. Functional and procedural are not that different. Functional just tries to put more constraints on the developer. Data oriented is also a lot more sensible, and again pretty close to procedural a lot of the time. It's just odd to me this need to separate from procedural at all. Procedural was very honest. If you're a bad programmer you make bad code. If you're a good programmer you make good code. It seems a lot of this was meant to enforce bad programmers to make good code. I'll tell you what I think though. I think that has never worked. It's just hidden it away in some abstraction and made identifying it harder. Much like the code methodologies themselves do to the code.

Now I'm left with a choice, keep my own business going to work on what I love, shift gears and do what I hate for more money, or pivot careers entirely. I decided after all this to go into data science because what you all are doing to the software industry sickens me. And that's my story. It's one that makes a lot of people defensive or even passive aggressive, to those people I say, try more things. At least then you can be less defensive about your opinion.

How do you deal with massively poorly-performing and unknowledgeable teams?

For background, I've been in my current position for ~7 months now.

A new manager joined recently and he's just floored at the reality of the team.

I mean, a large portion of my interview (and his) was the existing manager explicitly warning about how much of a dumpster fire everything is.

But still, nothing prepares you for it.

We're talking things like:
- Sequential integer user ids that are passable as query string args to anonymous endpoints, thus enabling you to view the data read by that view *for any* user.
- God-like lookup tables that all manner of pieces of data are shoved into as a catch-all
- A continued focus on unnecessary stored procedures despite us being a Linq shop
- Complete lack of awareness of SOLID principles
- Actual FUD around the simplest of things like interfaces, inversion of control, dependency injection (and the list goes on).

I've been elevated into this sort of quasi-senior position (in all but title - and salary), and I find myself having to navigate a daily struggle of trying to not have an absolute shit fit every time I have to dive into the depths of some of the code.

Compounded onto that is the knowledge that most of the team are on comparable salaries (within a couple thousand) of mine, purely owing to length of service.

We're talking salaries for mid-senior level devs, for people that at market rates would command no more (if even close) than a junior rate.

The problem is that I'm aware of how bad things are, but then somehow I'm constantly surprised and confronted with ever more insane levels of shitfuckery, and... I'm getting tired.

It's been 7 months, I love the job, I'm working in the charity sector and I love the fact that the things I'm working on are directly improving people's lives, rather than lining some fintech fatcat's pockets.

I guess this was more a rant than a question, and also long time no see...

So my question is this:

- How do you deal with this?
- How do you go on without just dying inside every single day?

Dependency Injection Frameworks are absolute shit. I have yet to encounter one that doesn't make code take hours to understand or debug, and usually requires a debugger to even begin to unravel it. Not to mention the "context" god objects that just are glorified versions of passing an array from function to function. You guys aren't avoiding global state you're just making it a clusterfuck. Stop being stupid for 2 minutes software development "progress" challenge. Level: impossible.

It’s late, and stupid RSpec has decided to only mock calls to a particular method in some specs but not in others.

`allow(object).to receive(:method).with(resource_arg).and_return(“some\ntext”)`

Works in a few specs, but not the rest. Why? Who the fuck knows. Probably some shared state between specs that isn’t supposed to happen.

HAHA JUST KIDDING

After refactoring my specs to use unique ‘resource’ names for each call because I’ve had shared state issues before.

and after refactoring my model code to remove a lot of now-unused dependency injection (because maybe it was mocking a different object than got passed in?)

Guess what?
When creating my mock objects, I forgot to link them together. That’s it. A 14-character change. And suddenly they all pass.

Asdjklfajg.
Time for bed.

Developers who think complex code is good.

"Oh, lookie here, I can swizzle methods and inject dependencies in the runtime!"

"Although we have no valid use case, let's use dependency injection and follow the commandory stateor patterns because I watched a video."

Just because you learn something new that looks cool does not make it practical, you tosser.

# Retrospective as Backend engineer

Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.

## The Interview

As usual, they asked me what are my contribution to previous workplace.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.

One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.

## The Rejection

And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.

They insisted I am a guy who overengineer thing that are not needed, by doing `CQRS+ES`, and only suitable for RND, non-production stuffs.

Nobody needs that kind of `Time Machine`.

## Ironically

After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:

The same company that says `CQRS+ES` is an over engineering, also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`.

- Separation of concern
- CQRS: `Command` is separated from `Query`
- Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
- ES: Through sequence of `Event` produced by `Command`
- Redux: Through action data produced / dispatched by `Action`
- Replayability
- ES: Through replaying `Event` into the `Applier`
- Redux: Through replay `Action` which trigger dispatch to `Reducer`

---

The same company that says `CQRS` is an over engineering also uses `ElasticSearch+MySQL`.
Never did they realize they are separating `WRITE` database into `MySQL` as their `Single Source Of Truth`, and `READ` database into `ElasticSearch` is also inline with `CQRS` principle.

## Value as Backend Engineer

It's a sad days as Backend Engineer these days. At least in the country I live in.
Seems like being a backend engineer is often under-appreciated.
Company (or people) seems to think of backend engineer is the guy who ONLY makes `CRUD` API endpoint to database.

- I've heard from Fullstack engineer who comes from React background complains about Backend engineers have it easy by only doing CRUD without having to worry about application.
- The same guy fails when given task in Backend to make a simple round-robin ticketing system.
- I've seen company who only hires Fullstack engineer with strong Frontend experience, fails to have basic understanding of how SQL Transaction and Connection Pool works.
- I've seen company Fullstack engineer relies on ORM to do super complex query instead of writing proper SQL, and prefer to translate SQL into ORM query language.
- I've seen company Fullstack engineer with strong React background brags about Uncle Bob clean code but fail to know on how to do basic dependency injection.
- I've heard company who made webapp criticize my way of handling `session` through http secure cookie. Saying it's a bad practice and better to use local storage. Despite my argument of `secure` in the cookie and ability to control cookie via backend.

Work Computer antivirus marked FireFox as a remote code injection and blocked it. Okay then. Chrome it is?

Choose the most stylish:

' OR 1 = 1 -- vs :(){ :|: & };:

Not sure if it's the worst code review but it's a recent one.

We don't really do code reviews where I work unfortunately but my coworker used my framework for the first time (build some nice composer libraries for cmdline projects) and asked if I could make them do autoloading.
He never used namespaces before so I was glad to help him out.

What I saw was a dreadful mess. His project was called "scripts" so good luck picking a namespace...

Than it was all lose functions in the executable file. All those functions are however called by a class in another file (if they where not calling eachother as a cascading mess). That class was extending an abstract class from my library as instructed. However I never imagined my lib being raped like that.

The functions themselves are a horrible mess. Nothing uniform completely different style (our documentation states PSR's should be used).
Parameters counts higher than 5.
Variable names like Object and Dobject (in calling function Dobject is Object but it needs a fresh one.

If statements on parameters that need basically split it in two (should simply be to functions)
If else statement with return of same variable as a single line (sane people use ternary for that)

Note that I said functions. All of it should have been OO and methods. Would have saved at least some of the parameter hell.

I could go on and on. Do I think the programmer is bad yes (does not even grasp interfaces, dep injection, foreach loops). Is this his best work no. He said that for a one of script like this it just has to work. Not going to be used elsewhere. I disagree as it is a few thousand lines of code that others have to read too.

That this one component being object orientated is necessary and good design.
We have uh interfaces, theyre contracts.

Spoiler: it wasn't, I could have written it in half the code and half the time. But no, we gotta have those patterns, can't miss on dependency injection!

It was the last year of high school.

We had to submit our final CS homework, so it gets reviewed by someone from the ministry of education and grade it. (think of it as GPA or whatever that is in your country).

Now being me, I really didn’t do much during the whole year, All I did was learning more about C#, more about SQL, and learn from the OGs like thenewboston, derek banas, and of course kudvenkat. (Plus more)

The homework was a C# webform website of whatever theme you like (mostly a web store) that uses MS Access as DB and a C# web service in SOAP. (Don’t ask.)

Part 1/2:

Months have passed, and only had 2 days left to deadline, with nothing on my hand but website sketches, sample projects for ideas, and table schematics.

I went ahead and started to work on it, for 48 hours STRAIGHT.

No breaks, barely ate, family visited and I barely noticed, I was just disconnected from reality.

48 hours passed and finished the project, I was quite satisfied with my it, I followed the right standards from encrypting passwords to verifying emails to implementing SQL queries without the risk of SQL injection, while everyone else followed foot as the teacher taught with plain text passwords and… do I need to continue? You know what I mean here.

Anyway, I went ahead and was like, Ok, lets do one last test run, And proceeded into deleting an Item from my webstore (it was something similar to shopify).

I refreshed. Nothing. Blank page. Just nothing. Nothing is working, at all.

Went ahead to debug almost everywhere, nothing, I’ve gone mad, like REALLY mad and almost lose it, then an hour later of failed debugging attempts I decided to rewrite the whole project from scratch from rebuilding the db, to rewriting the client/backend code and ui, and whatever works just go with it.

Then I noticed a loop block that was going infinite.

NEVER WAIT FOR A DATABASE TO HAVE MINIMUM NUMBER OF ROWS, ALWAYS ASSUME THAT IT HAS NO VALUES. (and if your CPU is 100%, its an infinite loop, a hard lesson learned)

The issue was that I requested 4 or more items from a table, and if it was less it would just loop.

So I went ahead, fixed that and went to sleep.

Part 2/2:

The day has come, the guy from the ministry came in and started reviewing each one of the students homeworks, and of course, some of the projects crashed last minute and straight up stopped working, it's like watching people burning alive.

My turn was up, he came and sat next to me and was like:

Him: Alright make me an account with an email of asd@123.com with a password 123456

Me: … that won't work, got a real email?

Him: What do you mean?

Me: I implemented an email verification system.

Him: … ok … just show me the website.

Me: Alright as you can see here first of all I used mailgun service on a .tk domain in order to send verification emails you know like every single website does, encrypted passwords etc… As you can see this website allows you to sign up as a customer or as a merc…

Him: Good job.

He stood up and moved on.

YOU MOTHERFUCKER.

I WENT THROUGH HELL IN THE PAST 48 HOURS.

AND YOU JUST SAT THERE FOR A MINUTE AND GAVE UP ON REVIEWING MY ENTIRE MASTERPIECE? GO SWIM IN A POOL FULL OF BURNING OIL YOU COUNTLESS PIECE OF SHIT

I got 100/100 in the end, and I kinda feel like shit for going thought all that trouble for just one minute of project review, but hey at least it helped me practice common standards.

!RANT

Oh, the SORROW that is JEST! 😡

Endless days have been swallowed by the abyss in my quest to configure Jest with TypeScript and ECMAScript modules instead of CommonJS. Triumph seemed within my grasp until - BAM! - suddenly the tool forgets what "import" or "export" means. And the kicker? On the CI, it still runs like nothing’s amiss!

Allow me to elucidate for the uninitiated: Jest is supposed to be a testing safeguard, a protective barrier insulating devs from the errors of their peers, ensuring a smooth, uninterrupted coding experience.

But OH, how the tables have turned when the very shield becomes the sword, stabbing me with countless, infuriating errors birthed from Jest’s own design decisions!

The audacity to reinvent the whole module loading process just to facilitate module mocking is mind-boggling! Imagine constructing an entirely new ecosystem just to allow people to pretend modules are something they're not. This is not just overkill; it's a preposterous reinvention of a wheel that insists on being a pentagon!

Sure, if devs want to globally expose their variables, entwining everything in a static context, so be it. BUT, why should we, who walk the righteous path of dependency injection, be subjugated to this configured chaos?!

My blood boils as the jestering Jest thrusts upon me a fragile, perpetually breaking system, punishing ME for its determination to support whole module mocking! A technique, mind you, that I wouldn’t touch with a ten-foot pole, because, you know, DEPENDENCY INJECTION!

Where are the alternatives, you ask? Drowned in the abyss, it seems! Why can’t we embrace snapshots and all the delectable integrations WITHOUT being dragged through this module-mocking mire? Can’t module mocking just be a friendly sidekick, an OPTIONAL add-on, rather than the cruel dictator forcing its agenda upon our code?

Punish those clinging to their static contexts, their global variables – NOT those of us advocating for cleaner, more stable practices!

It’s high time we decouple the goodness of Jest from its built-in bad practices. Must we continue to dance with the devil to delight in the depth of Jest’s capabilities?

WHY, Jest, WHY?! 😭

I've been wondering about SQLite, how it decides to execute your SQL and then generates byte code to do it.

Hypothetically if you were sufficiently familiar with the quarks of SQLite at a low enough level, one could craft web requests on sites running it, such that the results of each subsequent request, leave the SQLite engine in a particular state, no?

Suppose previous states, when interleaved with subsequent carefully crafted states, lead to execution and injection vulnerabilities.

Arent ideas like this what lead to the randomization of jump addresses in modern architectures?

A lot of this might be an assumption based on not enough research on both NestJS and TypeScript, so if something here is not well put or incorrect then please feel free to provide the necessary info to correct me since I care far more about getting dat booty than I do being right on the internet :D

Sooo, a year or so ago I got a hold on the Nest JS framework. A TypeScript based stack used to build microservices for node. Sounded good enough in terms of structure, it is based on the same format that Angular uses, so if you use Angular then the module system that the application has will make sense.

I attempted (last night) to play with the framework (which I normally don't since I am not that much of a big fan of frameworks and prefer a library based approach) and found a couple of things that weird me out about their selling points, mainly, how it deals with inversion of control.

My issue: This is dependency injection for people that don't really understand the concept of dependency injection. SOLID principles seem to be thrown out of the window completely due to how coupled with one another items are. Literally, you cannot change one dependency coming from one portion to the other(i.e a service into a controller) without changing all references to it, so if you were using a service specification for a particular database, and change the database, you would have to manually edit that very same service, or define another one....AND change the hardwire of the code from the providers section all the way into the controllers that use it....this was a short example, but you get the gist. This is more of a service locator type of deal than well....actual dependency injection. Oh, and the documentation uses classes rather than interfaces WHICH is where I started noticing that the whole intention of dependency injection was weird. Then I came to realize that TypeScript interfaces are meeheed out during transpilation.

Digging into the documentation I found about custom providers that could somehowemaybekinda work through. But in the end it requires far too much and items that well, they just don't feel as natural as if I was writing this in C# or Java, or PHP (actually where I use it the most)

I still think it is a framework worth learning, but I believe that this might be a bias of mine of deriving from the norm to which I was and have been used to doing the most.

My visceral hate of Spring.Net burns with the force of a thousand suns.

Almost everything it does is done wrong or solved better by other solutions.

Specifying which classes to instantiate from .xml files? Sure why not, compile type safety (the whole reason for using a static programming language) is obviously overrated and dependency based injection is surely impossible!
And for extra bonus points, now our client code must be aware of the internals of the service classes, and all of their references as well, because, encapsulation? Who cares.

Have you made an typo? Good fucking luck finding out from which of the 100 config files we have floating around...

And, because it has baked in AOP and Transactions its woven into the fabric of the project like a tapewom.

Of course this may just be how our "special snowflake" project uses Spring.

What makes it more painful is that I love good DI tools (ninject, castlewindsor, autofac, there are so many...) and we're stuck with this turd because 7 years ago some java devs couldn't be arsed to learn a new library...

I hate this modern fad of "composed" , "modular" extension/plug-in development. ALL I want to do is add two dropdowns to a phpBB forum, one for users and one for a single admin setting.

Guess what? I need TEN fucking files to make this extension work. Fuck your fucked dependency injection, fuck learning your whole bloody "ecosystem" (kill me already), fuck having a "tutorial" that doesn't explain what half the settings are...

It really drives me nuts that I have to spread my code over so many files to make this work.

That said, I don't really hate phpBB, but maaaaaaaan, making the simplest, dumbest thing is unnecessarily complicated.

/rant

I am just student looking for job, and got this pre interview test:
Develop an Android or iOS app with login and password input field, download button, place for image we prvided.

... reading further:
What we are looking for in the code ?
internal quality:
-consistent formatting of the source code
-clean, robust code without smells
-consistent abstractions and logical overall structure
-no cyclic dependencies
-code organized in meaningful layers
-low coupling and high cohesion
-descriptive and intention-revealing names of packages, classes, methods etc.
-single small functions that do one thing
-truly object-oriented design with proper encapsulation, sticking to DRY and SOLID principles, without procedural anti-patterns
-lots of bonus points for advanced techniques like design patterns, dependency injection, design by contract and especially unit (or even functional or integration) tests

external quality:
-the app should be fully functional, with every state, user input, boundary condition etc. taken care of (although this app is indeed very small, treat it as a part of big production-ready project)
-the app should correctly handle screen orientation changes, device resources and permissions, incoming calls, network connection issues, being pushed to the background, signing deal with the devil :D and other platform intricacies and should recover from these events gracefully
-lowest API level is not defined - use what you think is reasonable in these days
-bonus points if the app interacts with the user in an informative and helpful way
-bonus points for nice looks - use a clean, simple yet effective layout and design

... I mean really ? and they give me like 2 days ?

Wk25: Objective C. I was working on a project for a plugin, the host for which was in objective C. Basically the language lets you get away with arbitrary code injection and runtime inspection of everything. You can print class names, function names and variable names, then use all.

We had to "use" these features slightly creatively to get access to everything we needed. And symbol stripping doesn't stop jack.

I was scanning over a dreadful code base I had to work on and found SQL injection vulnerabilities. THE SITE WAS LAUNCHED IN 2017!!!! 😢

I know that DI(dependency injection) is probably just another good pattern out there like many others, but dear lord have I been burned on it with acumatica. Acumatica just loves having friggen magic crap everywhere with no damn explanation(*may be in a blog post somewhere but that’s no replacement for good documentation).

I believe they use AutoFac in C# on an asp.net server. They love to utilize reflection and injection and in turn the server takes multiple minutes to startup whilst it dynamically registers everything, as well on any individual pages.

Development is a pain in the ass on this damn system.

I’m constantly having to dive into the damn code using dotpeek to understand what the fuck they are doing and it’s often friggen stupid shit. They like to reinvent the wheel a fair bit.

Hey guys, first time writing here.
Around 8 months ago I joined a local company, developing enterprise web apps. First time for me working in a "real" programming job: I've been making a living from little freelance projects, personal apps and private programming lessons for the past 10 years, while on the side I chased the indie game dev dream, with little success. Then, one day, realized I needed to confront myself with the reality of 'standard' business, where the majority of people work, or risk growing too old to find a stable job.
I was kinda excited at first, looking forward to learning from experienced professionals in a long-standing company that has been around for decades. In the past years I coded almost 100% solo, so I really wanted to learn some solid team practices, refine my automated testing skills, and so on. Also, good pay, flexible hours and team is cool.

Then... I actually went there.

At first, I thought it was me. I thought I couldn't understand the code because I was used reading only mine.
I thought that it was me, not knowing well enough the quirks of web development to understand how things worked.
I though I was too lazy - it was shocking to see how hard those guys worked: I saw one guy once who was basically coding with one hand, answering a mail with another, all while doing some technical assistance on the phone.

Then I started to realize.

All projects are a disorganized mess, not only the legacy ones - actually the "green" products are quite worse.
Dependency injection hell: it seems like half of the code has been written by a DI fanatic and the other half by an assembly nostalgic who doesn't really like this new hippy thing called "functions".
Architecture is so messed up there are methods several THOUSANDS of lines long, and for the love of god most people on the team don't really even know WHAT those methods are for, but they're so intertwined with the rest of the codebase no one ever dares to touch them.
No automated test whatsoever, and because of the aforementioned DI hell, it's freaking hard to configure a testing environment (I've been trying for two days during my days off, with almost no success).
Of course documentation is completely absent, specifications are spread around hundreds of mails and opaquely named files thrown around personal shared folders, remote archives, etc.

So I rolled my sleeves up and started crunching as the rest of the team. I tried to follow the boy-scout rule, when the time and scope allowed. But god, it's hard. I'm tired as fuck, I miss working on my projects, or at least something that's not a complete madness. And it's unbearable to manually validate everything (hundreds of edge cases) by hand.

And the rest of the team acts like it's all normal. They look so at ease in this mess. It's like seeing someone quietly sitting inside a house on fire doing their stuff like nothing special is going on.

Please tell me it's not this way everywhere. I want out of this. I also feel like I'm "spoiled", and I should just do like the others and accept the depressing reality of working with all of this. But inside me I don't want to. I developed a taste for clean, easy maintainable code and I don't want to give it up.

I'm an iOS developer and I cringe when I read job specs that require TDD or excessive unit testing. By excessive I mean demanding that unit tests need to written almost everywhere and using line coverage as a measure of success. I have many years of experience developing iOS apps in agencies and startups where I needed to be extremely time efficient while also keeping the code maintainable. And what I've learned is the importance of DRY, YAGNI and KISS over excessive unit testing. Sadly our industry has become obsessed with unit tests. I'm of the opinion that unit tests have their place, but integration and e2e tests have more value and should be prioritised, reserving unit tests for algorithmic code. Pushing for unit tests everywhere in my view is a ginormous waste of time that can't ever be repaid in quality, bug free code. Why? Because leads to making code testable through dependency injection and 'humble object' indirection layers, which increases the LoC and fragments code that would be easier to read over different classes. Add mocks, and together with the tests your LoC and complexity have tripled. 200% code size takes 200% the time to maintain. This time needs to be repaid - all this unit testing needs to save us 200% time in debugging or manual testing, which it doesn't unless you are an absolute rookie who writes the most terrible and buggy code imaginable, but if you're this terrible writing your production code, why should your tests be any better? It seems that especially big corporate shops love unit tests. Maybe they have enough money and resources to pay for all these hours wasted on unit tests. Maybe the developers can point their 10,000 unit tests when something goes wrong and say 'at least we tried'? Or maybe most developers don't know how to think and reason about their code before they type, and unit tests force them to do that?

I'm trying. I'm really trying to understand you Dagger 2. But every time I read articles, look at source code and just try to understand how your magic works, I end up copy pasting the sample code. And then I don't know what I even did ffs.
Maybe it's so damn hard for me because I don't understand Dependency injection? But I think I do... What can I do to understand you? Please tell me?
Especially when my use case requires nested fragments and isn't just that typical inject fragment to activity sample...

And now I have to fill in all of the injected fields in my integration tests by hand because I can't figure out how to fucking make you piece of shit do the motherflipping injection!! Fuck.

I need painkillers... My head starts hurting

Am I the only one having a really hard time grasping code when it involves more than just a few classes devided into several files?! I simply can't follow what happens when method a in class b instantiates class c and d while implementing interface e injection dependency f and extending class g...!?

Does this make sense?

So today was my first time combining mocking, depenancy injection and promises. I thought I had a relatively good understanding of everything until I started writing tests - now my head is spinning.

The actual coding has gone really well - implimented the strategy pattern so I can reuse my code whenever I want to make an API call - and everything is nicely decoupled so it should be easy to test. In theory.

If anyone here happens to write tests for a living, I have a new found respect for you today...

Time for a beer 😅

30 years old PHP code (PHP 5.3). One big global variable holding system settings, entire row sets of data! and database cursors. Oh and HTML was mixed in between. Worst part, I had the task to secure the application. Sql injection didnt even exist back then.

Inherited a legacy system from a previous "developer" who wrote code to sanitize input from sql injection in the front end and then called an web method called execSql which accepts am sql statement in a string value!

Obviously the app ran under admin privileges.

My project setup:
-Entity Framework (Code first)
-Autofac (Dependency Injection)
-Asp.Net MVC C# with service layer pattern.

How is your setup? :)

Completed whole code in spring framework and client asked when will you add dependency injection. :/

Some of my previous rants mention a web application that I wrote for my then-employer. As it is still in use and I have the whole code, too, I figured to check on security a little with a friend. It's all fine, except for one page, were I was sloppy and didn't escape strings, thus allowing for SQL injection.
This is however only possible if already logged in, which has shown to be secure (and the tool is for employees only).
Nobody is ever going to find out, as the only one who knew what injection even is was me. I left 2 years ago.

Just received code review from interview technical task. 50 percent of it was because of encapsulation (that 5-8 variables could have been private instead of public). 20 percent was about shit that was expected but missing (error validation, dependency injection). It was missing because it was not specified in app requirements and also noone said that I have to build a production level application for a simple interview here. 10 percent was nitpicking about formatting(I used default intellij formatter) and one ide error that appeared because of project importing. And only 20 percent of feedback was actually constructive and useful. Cool. Also developer said that he was shocked that I made loading animation but didnt call it in my app. However I made it, but if you have fast internet connection it doesnt show up. I mean if you run my app on a phone with gprs connection u will see that damn animation. What Im supposed to do slow down the app so u could see it? But we are building production level app here no? Shit. It feels like he applied double standards to me or something. Half of review nitpicking about useless details and another half about shit that is expected to be in the app but was not even communicated. Also I did not get developers contact so I could ask him what the fck he wanted from me.

Someone took my source code to a different company changed the source code and brought it back without documentation.

Am like hoNknawMHdFrStVz

This tuesday I saw a really badly made PHP web application. Two actually. I was giving a time estimate for how long it would take to transfer these applications to our servers. While I was reading the code it became apparent that they had more security holes than Emmental cheese. Most views had obvious SQL-injection vulnerabilities and most probably XSS too. Although I didn't think too look for XSS in the moment. It just puzzled me that this bad code even exists.

But cherry on top was that the password wasn't checked at all. The login form was on the organization's website and was sent to the selected application. But the password wasn't checked in the application. And this was made by a real Finnish software development firm, like what the fuck.

Time to redo the applications I guess. Not like there's anything wrong in that if they pay for it.

Nextjs 14 just came out and they added a new server actions syntax which is the same bullshit syntax like php where you insert server side code in the middle of html div! And not only is that ridiculous enough but also vulnerable to sql injection 😂😂😂

How do folks feel about IoC/DI?

I used Spring and Angular for the first few years of my career, so it seemed like it was a mandatory pattern of a framework and my team would never deploy an app that couldn't use it (even if it was just a Lamda or something, we found smaller DI libraries). Now I work in Express and React, and I look back and feel that those patterns required me to write more code, created more complexity, and wasn't any easier to read or understand, and was way more bug prone, and debugging the injection pipeline itself was effectively not possible.

I guess I'm wondering: what do people feel that it buys them?