So...Today I found an SQLI (sql injection , google if you're not aware) in one of our products , I start exploring it , I get my trusty Kali on me workstation . sqlmap etc. Tell my manager it's a true positive... I start exploring the db , half the devs at my manager's place start staring at his screen as I proper fuck a QA db server... I hear a qa guy mention triangulation as sqlmap dumps a uid table in his face . I hear my manager's manager saying 'this has been in our app for so long and we found it just now ? Who found it ?' *manager proudly saying me name* 'He's still working this late ?' ...apparently now my trip to england is getting covered for both me and me gf by the company...

My school.

We have free WiFi access, but you need to login into your personal student account to use it.

Turns out, SQL Injection works.
It gets worse.
Table name "schueler".
SELECT *
Well.
Got all data on all students.
Name, address, phone number, passwords in plain.

I reported it using an anonymous email. Partially fixed. Standard quotes now get eacaped. Still, passwords are now MD5.

So apparently this is an official company in the UK

Interviewer: (on the phone) do you know what SQL injection is?

Me: Are you a cop?

So I went for interview today.
.
.
Interviewer : Can u give some theory test about php?
Me : Sir, Can u please open your site?
Interviewer: sure 🙂
Me : Sir, I just logged in as Owner of ur company, Your site is not protected from sql injection.

Interviewer : 😌😌
Me : Sir, test?? 😜
xxxxxxxxxxx -------------------- xxxxxxxxx

CW: The SQL injection vulnerability isn't important because our code is proprietary so hackers won't find it.

Me: <censored>

Mom:What are you studying?

Me:Types of SQL Injection

Mom:U r in engineering?Right?So why are u studying types of Injections?

Me:🤦‍♂️😂😂

A guy named Valter couldn't register on this website because the developer blacklisted *ALTER*, amongst other words, to prevent SQL injection.

Interviewer: Do you know about SQL injection?

Student: Yessss

Interviewer: Okay, how we can prevent it?

Student: Yes, we should prevent it as prevention is always better than cure. It can lead to data loss and other problems so it can be difficult to fix it if it happens. The best case is that nothing like that takes place. [...]

Interviewer: I get it but how?

Student: By not building any web applications.

[Silence]

Interviewer: Nice, you may go. Do not call us. We will call you.

Are you serious? Are you afraid of an SQL injection or something, and instead of properly sanitizing your queries you disallow characters? Or is your software and database so outdated that you're afraid special characters will break it? Goodbye security

😁😁..

Today was my last day of work, tomorrow i have officially left that place. It's a weird feeling because i'm not certain about the future.
The job was certainly not bad, and after all i read on devrant i'm beginning to believe it was one of the better ones. A nice boss, always something to eat/drink nearby, a relaxed atmosphere, a tolerance for my occasionally odd behaviour and the chance to suggest frameworks. Why i would leave that place, you ask? Because of the thing not on the list, the code, that is the thing i work with all the time.

Most of the time i only had to make things work, testing/refactoring/etc. was cut because we had other things to do. You could argue that we had more time if we did refactor, and i suggested that, but the decision to do so was delayed because we didn't have enough time.

The first project i had to work on had around 100 files with nearly the same code, everything copy-pasted and changed slightly. Half of the files used format a and the other half used the newer format b. B used a function that concatenated strings to produce html. I made some suggestions on how to change this, but they got denied because they would take up too much time. Aat that point i started to understand the position my boss was in and how i had to word things in order to get my point across. This project never got changed and holds hundreds of sql- and xss-injection-vulnerabilities and misses access control up to today. But at least the new project is better, it's tomcat and hibernate on the backend and react in the frontend, communicating via rest. It took a few years to get there, but we made it.
To get back to code quality, it's not there. Some projects had 1000 LOC files that were only touched to add features, we wrote horrible hacks to work with the reactabular-module and duplicate code everywhere. I already ranted about my boss' use of ctrl-c&v and i think it is the biggest threat to code quality. That and the juniors who worked on a real project for the first time. And the fact that i was the only one who really knew git. At some point i had enough of working on those projects and quit.

I don't have much experience, but i'm certain my next job has a better workflow and i hope i don't have to fix that much bugs anymore.
In the end my experience was mostly positive though. I had nice coworkers, was often free to do things my way, got really into linux, all in all a good workplace if there wasn't work.

Now they dont have their js-expert anymore, with that i'm excited to see how the new project evolves. It's still a weird thing to know you won't go back to a place you've been for several years. But i still have my backdoor, but maybe not. :P

If you’re having SQL injection problems, I feel bad for you son, I got 99 tables but… fffffuck. Now i only have one ☹️

SQL injection in nutshell

Me: Oh I see were using a non-standard architecture on this app. I like this bit but what is this doing? never seen it before.

Him: Ah we use that to abstract the navigation layer.

Me: oh ok, interesting idea, but that means we need an extra file per screen + 1 per module. We also can't use this inbuilt control, which I really like, and we've to write a tonne of code to avoid that.

Him: Yeah we wanted to take a new approach to fix X, this is what we came up with. Were not 100% happy with it. Do you have any ideas?

**
Queue really long, multi-day architecture discussion. Lots of interesting points, neither side being precious or childish in anyway. Was honestly fantastic.
**

Me: So after researching your last email a bit, I think I found a happy middle ground. If we turn X into a singleton, we can store the state its generating inside itself. We can go back to using the in-built navigation control and have the data being fetched like Y. If you want to keep your dependency injection stuff, we can copy the Angular services approach and inject the singletons instead of all of these things. That means we can delete the entire layer Z.

Even with the app only having 25% of the screens, we could delete like 30+ files, and still have the architecture, at a high level, identical and textbook MVVM.

Him: singleton? no I don't like those, best off keeping it the way it is.

... are you fucking kidding me? You've reinvented probably 3 wheels, doubled the code in the app and forced us to take ownership of something the system handles ... but a singleton is a bad idea? ... based off no concrete evidence or facts, but a personal opinion.

... your face is a bad idea

Years ago we had a visit from a startup company developing a firewall and I got the chance to talk with one of their devs.

He explained the subtleties of security holes in websites and after I said something about our site being secure thanks to being behind a firewall he gently asked what would happen if he entered a specially crafted test into one of the text fields ... and he gave an example ...

I got a chill, went back to my seat and traced what it would do ...

That was when I learned about sql injection and his example would have killed the DB :/

Before going home I designed a way to secure the input which I then refined over a few days.

We still use that today after 17 years.

That one single sentence really showed to never be to proud of our security and I realized how vulnerable our site was.

badass mom😂

IT department created a risk assessment system and asked us to fill out the form.

I found that the form is vulnerable to XSS and possibly SQL injection so I told them and their response was:

"Oh, shit. Please don't tell anyone!"

Of course, it never get fixed :/

That's an interesting name for a company..

SQL injection

I was registering for a website, and on a whim, I used this as my username:
null'); PRINT('Hello');--

And sure enough, the login system went down. The next day it was still down, so I went to Twitter to tell the people running the site that this was why, but to my surprise, I see them saying they had been hacked.
Based on the timing, I'm pretty sure they're referring to this, but they are saying user info was stolen. *facepalm*
They later said they stored passwords salted with a fixed salt and hashed with fucking md5, at which point I was glad not to have done any more business with them.

How incompetent can these fucking people be?!

If you thought your legacy code was bad, this is what I'm dealing with. The below SQL is stored in a cookie on login and executed to on every further request to determine the user / privileges.

Laravel is the worst framework ever.

Everything has to be made convenient and easy. That sounds amazing, because developers want to save time, worry less about boilerplate code, right? No more constructors, no more dependency injection, fuck all the tedious OOP shit... RIGHT?

It does one thing well: Make PHP syntax uniform and concise through easily integrated libraries such as Collection and Carbon. But those are actually not really part of the framework... just commonly integrated and associated with Laravel.

The framework itself is completely derailed: You can define code in a callback in the routes file. You can define a controller in the routes file. You can define middleware as a parameter to the route, as a fluent method to the route, you can stack them up in a service provider. Validators can be made in controllers, Request objects, service providers, etc. You can send mail inline, through Mailable objects, through Notification objects, etc.

Everything is macroable, injectable, and definable in a million different places. Ultimate freedom!

Guess what happens when you give 50 developers of various seniority a swiss army knife?

One hammers in a screw with a nail file, the other clips the head from the screw using scissors, and you end up with an unworkable mess and blunt tools.

And don't get me started about Eloquent, the Active Record ORM. It's cute for the simple blog/article/author/comment queries, but starts choking when you want more selective and performant queries or more complex aggregates, and provides such an opaque apple-esque interface which lets people think everything is OK, when in reality it's forcing the SQL server to slowly commit suicide.

And they still don't learn 😑

Great news, our company's has a brand new security-first product, with an easy to use API and a beautiful web interface.

It is SQL-injection-enabled, XSS-compatible, logins are optional (if you do not provide a password, you are logged in as admin).

The json-api has custom-date formats, bools are any of "1", "0", 1, 0, false or null (but never true). Numbers are strings or numbers. Utf-8 is not supported. Most of our customers use special characters.

The web interface is using plain bootstrap, and because of XSS it is really easy to customize everything.

How the hell this product got launched is beyond me.

Why do people (Some devs too...) bloody hell think that devs have Hard time fixing the Semi Colon issue, we have a lot of other issues to figure out, like the Structure of Data, Code Fragmentation, API Creation, Invalid Data Handling, Injection Prevention. But no, since we are developers, we are having sleepless nights because of one fucking semicolon? FUCKING NO, it hardly takes 30 seconds to figure out that there is a missing semi-colon. Really People, stop the ; thing!

Our website once had it’s config file (“old” .cgi app) open and available if you knew the file name. It was ‘obfuscated’ with the file name “Name of the cgi executable”.txt. So browsing, browsing.cgi, config file was browsing.txt.
After discovering the sql server admin password in plain text and reporting it to the VP, he called a meeting.
VP: “I have a report that you are storing the server admin password in plain text.”
WebMgr: “No, that is not correct.”
Me: “Um, yes it is, or we wouldn’t be here.”
WebMgr: “It’s not a network server administrator, it’s SQL Server’s SA account. Completely secure since that login has no access to the network.”
<VP looks over at me>
VP: “Oh..I was not told *that* detail.”
Me: “Um, that doesn’t matter, we shouldn’t have any login password in plain text, anywhere. Besides, the SA account has full access to the entire database. Someone could drop tables, get customer data, even access credit card data.”
WebMgr: “You are blowing all this out of proportion. There is no way anyone could do that.”
Me: “Uh, two weeks ago I discovered the catalog page was sending raw SQL from javascript. All anyone had to do was inject a semicolon and add whatever they wanted.”
WebMgr: “Who would do that? They would have to know a lot about our systems in order to do any real damage.”
VP: “Yes, it would have to be someone in our department looking to do some damage.”
<both the VP and WebMgr look at me>
Me: “Open your browser and search on SQL Injection.”
<VP searches on SQL Injection..few seconds pass>
VP: “Oh my, this is disturbing. I did not know SQL injection was such a problem. I want all SQL removed from javascript and passwords removed from the text files.”
WebMgr: “Our team is already removing the SQL, but our apps need to read the SQL server login and password from a config file. I don’t know why this is such a big deal. The file is read-only and protected by IIS. You can’t even read it from a browser.”
VP: “Well, if it’s secured, I suppose it is OK.”
Me: “Open your browser and navigate to … browse.txt”
VP: “Oh my, there it is.”
WebMgr: “You can only see it because your laptop had administrative privileges. Anyone outside our network cannot access the file.”
VP: “OK, that makes sense. As long as IIS is securing the file …”
Me: “No..no..no.. I can’t believe this. The screen shot I sent yesterday was from my home laptop showing the file is publicly available.”
WebMgr: “But you are probably an admin on the laptop.”
<couple of awkward seconds of silence…then the light comes on>
VP: “OK, I’m stopping this meeting. I want all admin users and passwords removed from the site by the end of the day.”

Took a little longer than a day, but after reviewing what the web team changed:
- They did remove the SQL Server SA account, but replaced it with another account with full admin privileges.
- Replaced the “App Name”.txt with centrally located config file at C:\Inetpub\wwwroot\config.txt (hard-coded in the app)
When I brought this up again with my manager..
Mgr: “Yea, I know, it sucks. WebMgr showed the VP the config file was not accessible by the web site and it wasn’t using the SA password. He was satisfied by that. Web site is looking to beat projections again by 15%, so WebMgr told the other VPs that another disruption from a developer could jeopardize the quarterly numbers. I’d keep my head down for a while.”

when was i feeling like a fucking dev badass ?
that time when i exploited an sql injection on a news website and added a post with title "Admin please secure your website ;] "
.
.
i was feeling like hacker man 😅😂😂

Worst legacy experience...

Called in by a client who had had a pen test on their website and it showed up many, many security holes. I was tasked with coming in and implementing the required fixes.

Site turned out to be Classic ASP built on an MS Access database. Due to the nature of the client, everything had to be done on their premises (kind of ironic but there you go). So I'm on-site trying to get access to code and server. My contact was *never* at her desk to approve anything. IT staff "worked" 11am to 3pm on a long day. The code itself was shite beyond belief.

The site was full of forms with no input validation, origin validation and no SQL injection checks. Sensitive data stored in plain text in cookies. Technical errors displayed on certain pages revealing site structure and even DB table names. Server configured to allow directory listing in file stores so that the public could see/access whatever they liked without any permission or authentication checks. I swear this was written by the child of some staff member. No company would have had the balls to charge for this.

Took me about 8 weeks to make and deploy the changes to client's satisfaction. Could have done it in 2 with some support from the actual people I was suppose to be helping!! But it was their money (well, my money as they were government funded!).

My first testing job in the industry. Quite the rollercoaster.

I had found this neat little online service with a community. I signed up an account and participated. I sent in a lot of bug reports. One of the community supervisors sent me a message that most things in FogBugz had my username all over it.

After a year, I got cocky and decided to try SQL injection. In a production environment. What can I say. I was young, not bright, and overly curious. Never malicious, never damaged data or exposed sensitive data or bork services.

I reported it.

Not long after, I got phone calls. I was pretty sure I was getting charged with something.

I was offered a job.

Three months into the job, they asked if I wanted to do Python and work with the automators. I said I don't know what that is but sure.

They hired me a private instructor for a week to learn the basics, then flew me to the other side of the world for two weeks to work directly with the automation team to learn how they do it.

It was a pretty exciting era in my life and my dream job.

You can't imagine how many lines of pure and utter horseshit, seemingly written in PHP, I had to dig through this whole weekend. (relating to my 2 previous rants)

How is it even possible to write code this unbelievably ugly?

Examples:
- includes within loops
- included files use variables from parent files
- start- and endtags separated to different files
- SQL queries generated by string concatenation, no safety measures at all (injection)
- repeating DB calls within loops
- multiple directories with the same code (~40 files), only different by ~8 lines, copied
- a mixture of <?php echo ... ?> and <?= ... ?>
- a LOT of array accesses and other stuff prefixed with "@" (suppress error messages)
- passwords in cleartext
- random non-RESTful page changes with a mixture of POST and GET
- GET parameters not URL-encoded
- ...

My boss told me it took this guy weeks and weeks of coding to write this tool (he's an "experienced dev", of course WITHOUT Git).

Guess what?
It took me only 20 hours and about 700 lines of code.

I must confess, since this task, I don't hate PHP anymore, I just simply hate this dev to death.

Addendum: It's Monday, 5:30am. Good night. 😉

When 1=1-- works in SQL injection

Just looked at the anonymous analytics I collect on the security/privacy blog.

No SQL Injection attacks yet (would be useless anyways as I don't use MySQL/MariaDB for the databasing.

Directory Traversal attacks. Really? 🤣

Nice try, guys.

To anyone that isn't sanitizing the input on their websites: I know where you live. You told me, remember?

I HATE working with MS Office products. Yes, Access, I'm looking at you, you backwards, whanabe database reject! You're invalid as a serious SQL database and retarded as an data application suite.

VBA, make up your MIND with your damn function calls! Either require me to use parenthesis or don't! I'm sick of this conditional parenthesis sh*t!

While we're talking about not making up your mind... screw 'sub', you half wit language! Either use functions like a real language or go the f&$k home and make room for a language that knows what it's doing!

Oh!!! WHY... WHY! do you have null AND... NOTHING?! Who... Who... WHO invented "nothing"?! And what sick joke are you playing at with isnull() and empty()??? How many damn ways so you need to test for "no value"?!?!

Access... That's right, I'm not done with you yet... How is it you've survived this damn long in the business world with all of the databases you corrupt? Sure, you suck as a real database, but at least have some freaking pride that people even USE you! How DARE your corrupt yourself with the regularity you seem to have! I wish my bowel movements were as regular as your database corruptions, for the love of humanity.

F$@k you, VBA! F@&k you, Access! F$#k you, MS Office! And Fuuuuuu$k YOU Microsoft for shoving these half assed reject tools down my throat!

I hope your cloud uses Access as a back end and gets some injection virus.

*Takes deep breath* need to say that.

While watching season 2 of Star Trek Discovery, it was nice to learn SQL is alive and well in the 23rd century. Also, that there are still idiots that don't defend against injection on a warp-capable spaceship with transporter technology.

Jesus Christ. Dagger2's documentation has got to be the most convoluted shit I have ever laid my eyes on.

The sheer mental gymnastics I had to do to get through this one line at 2:30 am...

Just wanted to say cheers to all those coders among you who make sure their login is encrypted, their passwords are hashed and salted, their codes are tested and their forms are code injection safe.

No client will understand what you did, so take my props for it! After all, its our responsibility to make sure software is secure. That's all :)

The gift that keeps on giving... the Custom CMS Of Doom™
I've finally seen enough evidence why PHP has such a bad reputation to the point where even recruiters recommended me to remove my years of PHP experience from the CV.

The completely custom CMS written by company <redacted>'s CEO and his slaves features the following:
- Open for SQL injection attacks
- Remote shell command execution through URL query params
- Page-specific strings in most core PHP files
- Constructors containing hundreds of lines of code (mostly used to initialize the hundreds of properties
- Class methods containing more than 1000 lines of code
- Completely free of namespaces or package managers (uber elite programmers use only the root namespace)
- Random includes in any place imaginable
- Methods containing 1 line: the include of the file which contains the method body
- SQL queries in literally every source file
- The entrypoint script is in the webroot folder where all the code resides
- Access to sensitive folders is "restricted" by robots.txt 🤣🤣🤣🤣
- The CMS has its own crawler which runs by CRONjob and requests ALL HTML links (yes, full content, including videos!) to fill a database of keywords (I found out because the server traffic was >500 GB/month for this small website)
- Hundreds of config settings are literally defined by "define(...)"
- LESS is transpiled into CSS by PHP on requests
- .......

I could go on, but yes, I've seen it all now.

So DevRant asked me to put my skills on my profile, I'm like:

you wanna know my languages, well, I'm a human Android sipping on Java, got C++ grade phy-SQL education. but some idiot bashed me on my </head> so swift, that I objectively-c angular stars, everywhere. Recoved by a js injection. ASCII too in snowy Cs

I recently got a job as a sysadmin and they've been debriefing me on their hacked websites (wordpress malware injection). Beats me why they still have their sites up at all...
BUT WAIT THERE'S MORE!
I wanted to see if they have any backups... NONE.

The latest snapshot was over a year ago...FML. Over a year ago when they barely have anything on their company site and client sites 😒

Now, I have to revive 10 websites from redirection. Time to do some shell scripting!

This fucking stupid asshole developer, wrote every single SQL execution with string formatting. Made me a full sleepless night fixing this shit. Isn’t this a classical SQL injection sample?

Ask interviewee what dependency injection is

Starts to explain sql injection..

The good old xkcd

I once had to literally hack a Joomla 1.5.x site for a client, because they did not find the passwords (hosting, cms, ftp, mysql). After 5 minutes and a SQL injection I was in like flynn.
The site was already full of hidden links to viagra sellers and stuff... 😂

So my marketing dept request us to perform a SQL injection to someone's bank account. I refuse to do it.

1. Most bank no longer use Relational Database , they use something like NoSQL Database.

2. Even if the bank Use Relational Database system, I assume their security must be high, validating my session maybe...

3. I am not going to do shit like this for illegal purposes, well this task sounds super illegal to me

4. Hacking is not a part of my job description. I was hired to be a Senior Fullstack Mobile App Developer.

This is screwed up !

Some developers get over-excited about using dependency injection and make further maintenance a nightmare.

1. Buy a road
2. Name it after an sql injection
3. Have mail delivered to you
4. ...
5. Profit... I guess?

TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!

As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.

Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.

I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."

Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!

Today I'm going to work on my side project that I haven't touched in weeks.

I want to utilize Angular 2 which means I'll need to learn TypeScript. I also want to use the new .Net Core and EF Core 1.0. Oh and I want to handle authentication using JWT!

Wow, that's gonna be a lot of effort to get things off the ground... maybe instead I'll use this time to learn some new concepts. Maybe watch this episode of Fun Fun Function, or maybe this video on writing Assembly code for an app on Raspberry Pi, that sounds cool!

Actually, you know I should really teach myself dependency injection and unit testing for once. I'm so behind the times.

Well, really I should finish this book on design patterns first. Ok, where did I leave off? Page 20 I think... ehh... maybe I'll just work on my side project.

Tomorrow... tomorrow, I'll work on my side project.

A Month ago...
Me: when are you going to complete the report
Friend: we can do it in minutes
Me: you can't Ctrl + c and Ctrl +v as there is plagiarism check
Friend: we have spin bot
Me: you do that now itself . if something happens? You can join me .
Friend: just chill

Now ...
Me: done with report
Friend: feeding it to spin bot!

Feeds text related to database security....

Spin bot:
Garbage collector == city worker
SQL statements == SQL explanation
SQL queries == SQL interrogation
SQL injection == SQL infusion
Attack == assault
Malicious == noxious
Data integrity == information uprightness
Sensitive == touchy
.....
Me: told you so...
**spin not == article rewriter

WASM was a mistake. I just wanted to learn C++ and have fast code on the web. Everyone praised it. No one mentioned that it would double or quadruple my development time. That it would cause me to curse repeatedly at the screen until I wanted to harm myself.

The problem was never C++, which was a respectable if long-winded language. No no no. The problem was the lack of support for 'objects' or 'arrays' as parameters or return types. Anything of any complexity lives on one giant Float32Array which must surely bring a look of disgust from every programmer on this muddy rock. That is, one single array variable that you re-use for EVERYTHING.

Have a color? Throw it on the array. 10 floats in an object? Push it on the array - and split off the two bools via dependency injection (why do I have 3-4 line function parameter lists?!). Have an image with 1,000,000 floats? Drop it in the array. Want to return an array? Provide a malloc ptr into the code and write to it, then read from that location in JS after running the function, modifying the array as a side effect.

My- hahaha, my web worker has two images it's working with, calculations for all the planets, sun and moon in the solar system, and bunch of other calculations I wanted offloaded from the main thread... they all live in ONE GIANT ARRAY. LMFAO.If I want to find an element? I have to know exactly where to look or else, good luck finding it among the millions of numbers on that thing.

And of course, if you work with these, you put them in loops. Then you can have the joys of off-by-one errors that not only result in bad results in the returned array, but inexplicable errors in which code you haven't even touched suddenly has bad values. I've had entire functions suddenly explode with random errors because I accidentally overwrote the wrong section of that float array. Not like, the variable the function was using was wrong. No. WASM acted like the function didn't even exist and it didn't know why. Because, somehow, the function ALSO lived on that Float32Array.

And because you're using WASM to be fast, you're typically trying to overwrite things that do O(N) operations or more. NO ONE is going to use this return a + b. One off functions just aren't worth programming in WASM. Worst of all, debugging this is often a matter of writing print and console.log statements everywhere, to try and 'eat' the whole array at once to find out what portion got corrupted or is broke. Or comment out your code line by line to see what in forsaken 9 circles of coding hell caused your problem. It's like debugging blind in a strange and overgrown forest of code that you don't even recognize because most of it is there to satisfy the needs of WASM.

And because it takes so long to debug, it takes a massively long time to create things, and by the time you're done, the dependent package you're building for has 'moved on' and find you suddenly need to update a bunch of crap when you're not even finished. All of this, purely because of a horribly designed technology.

And do they have sympathy for you for forcing you to update all this stuff? No. They don't owe you sympathy, and god forbid they give you any. You are a developer and so it is your duty to suffer - for some kind of karma.

I wanted to love WASM, but screw that thing, it's horrible errors and most of all, the WASM heap32.

always good for a laugh

Easy cop out for people who wrote code vulenerable to SQL injection: It's not a bug, it's a feature that let's users search using SQL syntax.

Before 10 years, a WordPress site hacked with sql injection. They had access to site, they modified many php files and installed commands to download random malwares from over the internet.

At first I didn't know that it hacked and I was trying to remove any new file from the server. That was happening every 1-2 days for a week.

Then I decided to compare every WordPress file with the official, it was too many files, and I did it manually notepad side notepad!! :/

Then I found about over 50 infected files with the malware code.

Cleaned and finished my job.

No one else knows that I did a lot of hard job.

"at least 1 special character except < ' ; / - [ % _"
Also known as "Hey, look at me, I'm vulnerable to SQL injection and a lot of other fun stuff!"

; DELETE * FROM Users WHERE 1=1; just checking

I've found and fixed any kind of "bad bug" I can think of over my career from allowing negative financial transfers to weird platform specific behaviour, here are a few of the more interesting ones that come to mind...

#1 - Most expensive lesson learned

Almost 10 years ago (while learning to code) I wrote a loyalty card system that ended up going national. Fast forward 2 years and by some miracle the system still worked and had services running on 500+ POS servers in large retail stores uploading thousands of transactions each second - due to this increased traffic to stay ahead of any trouble we decided to add a loadbalancer to our backend.

This was simply a matter of re-assigning the IP and would cause 10-15 minutes of downtime (for the first time ever), we made the switch and everything seemed perfect. Too perfect...

After 10 minutes every phone in the office started going beserk - calls where coming in about store servers irreparably crashing all over the country taking all the tills offline and forcing them to close doors midday. It was bad and we couldn't conceive how it could possibly be us or our software to blame.

Turns out we made the local service write any web service errors to a log file upon failure for debugging purposes before retrying - a perfectly sensible thing to do if I hadn't forgotten to check the size of or clear the log file. In about 15 minutes of downtime each stores error log proceeded to grow and consume every available byte of HD space before crashing windows.

#2 - Hardest to find

This was a true "Nessie" bug.. We had a single codebase powering a few hundred sites. Every now and then at some point the web server would spontaneously die and vommit a bunch of sql statements and sensitive data back to the user causing huge concern but I could never remotely replicate the behaviour - until 4 years later it happened to one of our support staff and I could pull out their network & session info.

Turns out years back when the server was first setup each domain was added as an individual "Site" on IIS but shared the same root directory and hence the same session path. It would have remained unnoticed if we had not grown but as our traffic increased ever so often 2 users of different sites would end up sharing a session id causing the server to promptly implode on itself.

#3 - Most elegant fix

Same bastard IIS server as #2. Codebase was the most unsecure unstable travesty I've ever worked with - sql injection vuns in EVERY URL, sql statements stored in COOKIES... this thing was irreparably fucked up but had to stay online until it could be replaced. Basically every other day it got hit by bots ended up sending bluepill spam or mining shitcoin and I would simply delete the instance and recreate it in a semi un-compromised state which was an acceptable solution for the business for uptime... until we we're DDOS'ed for 5 days straight.

My hands were tied and there was no way to mitigate it except for stopping individual sites as they came under attack and starting them after it subsided... (for some reason they seemed to be targeting by domain instead of ip). After 3 days of doing this manually I was given the go ahead to use any resources necessary to make it stop and especially since it was IIS6 I had no fucking clue where to start.

So I stuck to what I knew and deployed a $5 vm running an Nginx reverse proxy with heavy caching and rate limiting linked to a custom fail2ban plugin in in front of the insecure server. The attacks died instantly, the server sped up 10x and was never compromised by bots again (presumably since they got back a linux user agent). To this day I marvel at this miracle $5 fix.

I forgot what it was like to have a productive day!

I’m rewriting the Apple wallet pass code to make it fully customizable instead of mostly static, and it’s beautiful.

The code was horrible tangled spaghetti before (and soo slow) but now it’s clean and fast and modular and absolute bliss to spec. Yay, dependency injection!

I actually had fun working today! 😊
It’s been the first time in months.

Senior showing fellow intern what SQL injection is on the app the intern created :
Senior : "then I hit enter and the query get executed and...
Intern : "don't you dare hitting enter!!!"

Just disassembled 2 €5 desk fans because they were shit.. and so is their design apparently.

What I found inside was actually surprisingly simple.. a toddler could build it. It's just a DC motor, a 3PDT switch, DC barrel connector, some wires and screws to hold stuff in place. Oh and the plastic thingie with the fan blades, as well as the USB cable of course.

5 fucking euros. The combined cost of the components would be less than 3, certified motherfuckturers. Time to build it, injection moulding, transportation, sure.. but still.

And if you think that being salty about €5 is cheap shittalk, expand that to every fucking piece of electronics that doesn't cost a small fortune.. at all price ranges. Could be radios, alarm clocks, heck even phones. Shit's way too expensive for what it's worth. Perhaps because so many people in the industry are just here for a quick buck.. motherfuckers 😒

Anyway, back to the design.. the hole in the fan blade thingie is supposed to get the motor's shaft shafted in, to turn the blades. I'd use glue there.. but not these designers. They just shove it in and hope that friction takes care of everything. And one of the fan blade modules' hole was so wide that inserting the motor is like throwing a sausage down the hallway. No contact at all! Make it tight already like the Chinese designer's glory-...
Nah let's not get into Chinese tightness just yet.

Oh and also a resistor for slow mode. Consumes just as much power except the fan turns slower. Because fuck efficiency, right?

Goddammit, next time I'm just gonna build my own again.. at least that wouldn't be a certified piece of shit 😑

Modern web frontend is giving me a huge headache...

Gazillion frameworks, css preprocessors, transpilers, task runners, webpack, state management, templating, Rxjs, vector graphics,async,promises, es6,es7,babel,uglifying,minifying,beautifying,modules,dependecy injection....

All this for programming apps that happen to run inside browsers on a protocol which was designed to display simple text pages...

This is insanity. It cannot go on like this for long. I pray for webasm and elm to rescue me from this chaos.

I work now as a fullstack dev as my first job but my next job is definitely going to be backend/native stuff for desktop or mobile. It seems those areas are much less crazy.

I worked on a web project a few years ago. I've refactored a large part of the architecture, added repositories to the business layer, implemented inversion of control and dependency injection etc. (took me 2 weeks).

There was a second developer in the project... he didn't understand the design patterns and the whole IoC/DI thing. Instead of asking or reading about it, he reverted all the changes while I was 3 weeks on vacation -.-

It has been bugging the shit out of me lately... the sheer number of shit-tier "programmers" that have been climbing out of the woodwork the last few years.

I'm not trying to come across as elitist or "holier than thou", but it's getting ridiculous and annoying. Even on here, you have people who "only do frontend development" or some other lame ass shit-stain of an excuse.

When I first started learning programming (PHP was my first language), it wasn't because I wanted to be a programmer. I used to be a member (my account is still there, in fact) of "HackThisSite", back when I was about 12 years old. After hanging out long enough, I got the hint that the best hackers are, in essence, programmers.

Want to learn how to do SQL injection? Learn SQL - write a program that uses an SQL database, and ask yourself how you would exploit your own software.

Want to reverse engineer the network protocol of some proprietary software? Learn TCP/IP - write a TCP/IP packet filter.

Back then, a programmer and a hacker were very much one in the same. Nowadays, some kid can download Python, write a "hello, world" program and they're halfway to freelancing or whatever.

It's rare to find a programmer - a REAL programmer, one who knows how the systems he develops for better than the back of his hand.

These days, I find people want the instant gratification that these simpler languages provide. You don't need to understand how virtual memory works, hell many people don't even really understand C/C++ pointers - and that's BASIC SHIT right there.

Put another way, would you want to take your car to a brake mechanic that doesn't understand how brakes work? I sure as hell wouldn't.

Watching these "programmers" out there who don't have a fucking clue how the code they write does what it does, is like watching a grown man walk around with a kid's toolbox full or plastic toys calling himself a mechanic. (I like cars, ok?!)

*sigh*

Python, AngularJS, Bootstrap, etc. They're all tools and they have their merits. But god fucking dammit, they're not the ONLY damn tools that matter. Stop making excuses *not* to learn something, Mr."IOnlyDoFrontEnd".

Coding ain't Lego's, fuckers.

> IHateForALiving: I have added markdown on the client! Now the sys admin can use markdown and it's going to be rendered as HTML
> Team leader: ok, I've seen you also included some pics of the tests you made. It's nice, there's no XSS vulnerabilities, now I want you to make sure you didn't introduce any SQL injection too. Post the results of the tests in the tickets, for everybody to see.

I've been trying to extract from him for 15 minutes how sending a text through a markdown renderer on the client is supposed to create a SQL injection on the server, I've been trying to extract from him how showing all of this to the world would improve our reputation.
I miserably failed, I don't know how the fuck am I supposed to test this thing and if I a colleague wasted time to make sure some client-side rendering didn't create a SQL injection I'd make sure to point and laugh at them every time they open their mouth.

So this is how they "teach" us in school...As a part time dev I was completely shocked when I saw this in our materials. What do you think? Should I drop the teachers tables to give him a lesson?

SQL injection holes everywhere... The original author of the product put concatenated SQL queries throughout the whole application. If it's not the client asked for a penetration test, we as developers wouldn't even be given chance to fix this shit.

I'm actually glad to have the chance. I can't live seeing them every day but force myself to ignore them.

Someone’s explaining an SQL injection in the train

> Young dev apprentice me pair programming with another developer
> Dude checks bug report of a customer, saying something about a "Blind SQL Injection"
> Young me asking what that "Blind" part means
> "Dunno man, maybe u gotta close your eyes when hacking this"

Guess what, the issue was never fixed

i understand some developers like to write wrapper functions to handle tedious things, I even understand how to write dynamic SQL queries, but for the love of fucking god and sanity, NEVER FUCKING DO THIS!!!!

Yes its PHP, but its not even bad PHP, its a fucking abomination from hell of PHP.

A few years i had wrote a little script as a proof of concept for remote injection via torrent files.

Yesterday, some doofus bruteforced into my seedbox and tried to install a miner using the same script🤦🤦🤦

Did some digging, found my way back to him and wiped the drives on his system as a gesture of thank you. Anyways, I hope he didn't have anything important on his 16TB volume, cause good luck recovering that

The IT guy at client made a spaghetti code website to replace their time entry software. I come in to “finish it up in a week to two” (just me). I start by removing 1200+ lines of convoluted data access code that doesn’t work, SQL injection prone too. I quickly gave up and started from scratch; just copyied some of his actually decent HTML.

Friday, he proceeded to try to install node on the server and run main.JS. Now he’s all concerned my repo is too complex because he can’t deploy a static website 🙁

He didn’t ask me how it gets deployed nor did he listen when I said “node is NOT THE BACKEND we have .NET core for that”.🤦‍♂️

I’m gonna spend a week writing documentation at 5th grade level and hand holding him so he understands how this code works because he’s going to be the one maintaining it.

Well on my last full-time job, that ware using cookies for authentication (not something new, eh?). The thing is, you see, the cookies had the 'accountId' which if you change to another number, kaboom you're that account, oh but that was not all, there was an option to mark the account type in there 'accountType', which was kind of obvious in VLE (virtual learning environment), 'Teacher', 'Student', 'Manager' put what of those values and boom you are that role for the session

Thing was open of SQL injection from the login form, from said cookies and form every part you can pass input to it, when I raised the question to my TL he said 'no one is going to know about thatt, I don't see what is the problem', then escalated to higher management 'oh well speak to *tl_guy*'

Oh and bonus points for it being written in ASP CLASSIC in 2014+ (I was supposed to rewrite, but ended up patching ASP code and writing components in PHP)

In 2015-2016, in a private college, charging kind-of big money per year

So I've kicked off the motorcycle season for this year! Scanned some nice roads for speed control traps or road dirt, then the same route with more WABROOOOOO.

That machine is whopping 19 years old, and I still like it as much as on the first day when I bought it as new. Plus that it doesn't have software nonsense, not even injection. Means, it fucking works.

I found this gem today.
It perfectly generated ~5 GBs of useless log in the past 2 years.

So as applying for an internship to a new company, they wanted me to make an account and do some things to get use to the website... That's great, until I learned their website is fucking garbage!

Takes 5 seconds to load any page (they import and link so much shit, it's poorly optimized), their website is vulnerable to Javascript injection (in many different places), im sure it will be vulnerable to sql injection too.

Their design looks bad, icons are terrible, no common design flow, super busy. And they are taking about using machine learning and big data? Bitch you need to fucking make your site usable first!! If contacted them and will give them 30 days to fix their shit before I write about it

Security!

Offensive and defensive at both code and infrastructure levels.

So many times I see devs not give a flying pancake about security. Whether it be rolling integers for sql injection or permission guarding to prevent someone executing something they shouldn't.

Why is security in this industry always the last thing to be concerned about when it's the first thing that's going to kill your business.

😓

I knew I had found the right group of friends when one of them suggested we try SQL Injection on the instant messaging feature of the bowling alley console.

Unrelated, do people not think, "hmm, that seems like an unnecessary feature?"

rant & question

Last year I had to collaborate to a project written by an old man; let's call him Bob. Bob started working in the punch cards era, he worked as a sysadmin for ages and now he is being "recycled" as a web developer. He will retire in 2 years.

The boss (that is not a programmer) loves Bob and trusts him on everything he says.

Here my problems with Bob and his code:
- he refuses learning git (or any other kind of version control system);
- he knows only procedural PHP (not OO);
- he mixes the presentation layer with business logic;
- he writes layout using tables;
- he uses deprecated HTML tags;
- he uses a random indentation;
- most of the code is vulnerable to SQL injection;
- and, of course, there are no tests.
- Ah, yes, he develops directly on the server, through a SSH connection, using vi without syntax highlighting.

In the beginning I tried to be nice, pointing out just the vulnerabilities and insisting on using git, but he ignored all my suggestions.

So, since I would have managed the production server, I decided to cheat: I completely rewrote the whole application, keeping the same UI, and I said the boss that I created a little fork in order to adapt the code to our infrastructure. He doesn't imagine that the 95% of the code is completely different from the original.

Now it's time to do some changes and another colleague is helping. She noticed what I did and said that I've been disrespectful in throwing away the old man clusterfuck, because in any case the code was working. Moreover he will retire in 2 years and I shouldn't force him to learn new things [tbh, he missed at least last 15 years of web development].

What would you have done in my place?

Obligatory'); DROP TABLE rants;--

When I was in college OOP was emerging. A lot of the professors were against teaching it as the core. Some younger professors were adamant about it, and also Java fanatics. So after the bell rang, they'd sometimes teach people that wanted to learn it. I stayed after and the professor said that object oriented programming treated things like reality.

My first thought to this was hold up, modeling reality is hard and complicated, why would you want to add that to your programming that's utter madness.

Then he started with a ball example and how some balls in reality are blue, and they can have a bounce action we can express with a method.

My first thought was that this seems a very niche example. It has very little to do with any problems I have yet solved and I felt thinking about it this way would complicate my programs rather than make them simpler.

I looked around the at remnants of my classmates and saw several sitting forward, their eyes lit up and I felt like I was in a cult meeting where the head is trying to make everyone enamored of their personality. Except he wasn't selling himself, he was selling an idea.

I patiently waited it out, wanting there to be something of value in the after the bell lesson. Something I could use to better my own programming ability. It never came.

This same professor would tell us all to read and buy gang of four it would change our lives. It was an expensive hard cover book with a ribbon attached for a bookmark. It was made to look important. I didn't have much money in college but I gave it a shot I bought the book. I remember wrinkling my nose often, reading at it. Feeling like I was still being sold something. But where was the proof. It was all an argument from authority and I didn't think the argument was very good.

I left college thinking the whole thing was silly and would surely go away with time. And then it grew, and grew. It started to be impossible to avoid it. So I'd just use it when I had to and that became more and more often.

I began to doubt myself. Perhaps I was wrong, surely all these people using and loving this paradigm could not be wrong. I took on a 3 year project to dive deep into OOP later in my career. I was already intimately aware of OOP having to have done so much of it. But I caught up on all the latest ideas and practiced them for a the first year. I thought if OOP is so good I should be able to be more productive in years 2 and 3.

It was the most miserable I had ever been as a programmer. Everything took forever to do. There was boilerplate code everywhere. You didn't so much solve problems as stuff abstract ideas that had nothing to do with the problem everywhere and THEN code the actual part of the code that does a task. Even though I was working with an interpreted language they had added a need to compile, for dependency injection. What's next taking the benefit of dynamic typing and forcing typing into it? Oh I see they managed to do that too. At this point why not just use C or C++. It's going to do everything you wanted if you add compiling and typing and do it way faster at run time.

I talked to the client extensively about everything. We both agreed the project was untenable. We moved everything over another 3 years. His business is doing better than ever before now by several metrics. And I can be productive again. My self doubt was over. OOP is a complicated mess that drags down the software industry, little better than snake oil and full of empty promises. Unfortunately it is all some people know.

Now there is a functional movement, a data oriented movement, and things are looking a little brighter. However, no one seems to care for procedural. Functional and procedural are not that different. Functional just tries to put more constraints on the developer. Data oriented is also a lot more sensible, and again pretty close to procedural a lot of the time. It's just odd to me this need to separate from procedural at all. Procedural was very honest. If you're a bad programmer you make bad code. If you're a good programmer you make good code. It seems a lot of this was meant to enforce bad programmers to make good code. I'll tell you what I think though. I think that has never worked. It's just hidden it away in some abstraction and made identifying it harder. Much like the code methodologies themselves do to the code.

Now I'm left with a choice, keep my own business going to work on what I love, shift gears and do what I hate for more money, or pivot careers entirely. I decided after all this to go into data science because what you all are doing to the software industry sickens me. And that's my story. It's one that makes a lot of people defensive or even passive aggressive, to those people I say, try more things. At least then you can be less defensive about your opinion.

When you feel like your falling behind because at work you don't unit test, use dependency injection or pretty much anything the devs in the community discuss.

I learned recently that you can inject SQL lines in some fields like Passwords or usernames on some websites. (Hacky hacky)

At work there is this intra website that is used to manage the parts of the radios and computers we repair.
Each piece has a specific number, and there is a tree with every pieces for each radio/computer.

When we get to repair one, we gotta change the pieces virtualy on the website. Sadly sometimes, the virtual pieces aren't marked like they followed the whole Radio from the place they come to the place we repair (we need it to replace the piece). People are just not doing their job, so we have to send emails and call for them do it so we can repair it. (This is already fucked up.)

Today, I had to replace a piece, but it was marked like it's not there. I called the guy, and it seems like he is on a vacation for weeks. My superior was super annoyed due to the urge of this task.

Guess who managed to change the _mainlocation_ of the _piece_ in the _radiopieces_ table. (Not actual names, you malicious cunt)

I spent 3 hours looking for the name of the fields and table. I don't know how many times I had to refresh the dam page to see I failed once again.
Hopefully I didn't have to guess all of them. Also the joy when I realised I succeed !!!

No one bats a eyes, and I'm here, feeling infinitely superior, as I might get punished for wanting to do my job.
I know it's basic moves to some of you, but dam it felt good.

Conclusion: Do what you have to, specially when it takes 5 minutes and people need it.

How do you deal with massively poorly-performing and unknowledgeable teams?

For background, I've been in my current position for ~7 months now.

A new manager joined recently and he's just floored at the reality of the team.

I mean, a large portion of my interview (and his) was the existing manager explicitly warning about how much of a dumpster fire everything is.

But still, nothing prepares you for it.

We're talking things like:
- Sequential integer user ids that are passable as query string args to anonymous endpoints, thus enabling you to view the data read by that view *for any* user.
- God-like lookup tables that all manner of pieces of data are shoved into as a catch-all
- A continued focus on unnecessary stored procedures despite us being a Linq shop
- Complete lack of awareness of SOLID principles
- Actual FUD around the simplest of things like interfaces, inversion of control, dependency injection (and the list goes on).

I've been elevated into this sort of quasi-senior position (in all but title - and salary), and I find myself having to navigate a daily struggle of trying to not have an absolute shit fit every time I have to dive into the depths of some of the code.

Compounded onto that is the knowledge that most of the team are on comparable salaries (within a couple thousand) of mine, purely owing to length of service.

We're talking salaries for mid-senior level devs, for people that at market rates would command no more (if even close) than a junior rate.

The problem is that I'm aware of how bad things are, but then somehow I'm constantly surprised and confronted with ever more insane levels of shitfuckery, and... I'm getting tired.

It's been 7 months, I love the job, I'm working in the charity sector and I love the fact that the things I'm working on are directly improving people's lives, rather than lining some fintech fatcat's pockets.

I guess this was more a rant than a question, and also long time no see...

So my question is this:

- How do you deal with this?
- How do you go on without just dying inside every single day?

The day after I delivered a secure programming course to our junior devs.

Junior dev: I can't figure out what's happening when I generate this sql.

Me: what do you mean generating ... It should be a prepared statement..

Junior dev: no I'm just generating the strings from the form

Me: ... Let's try this again....

Dependency Injection Frameworks are absolute shit. I have yet to encounter one that doesn't make code take hours to understand or debug, and usually requires a debugger to even begin to unravel it. Not to mention the "context" god objects that just are glorified versions of passing an array from function to function. You guys aren't avoiding global state you're just making it a clusterfuck. Stop being stupid for 2 minutes software development "progress" challenge. Level: impossible.

An enormous government project that leaves the tax office's database along with all backups exposed to SQL injection.

I know for a fact that the tax office database in at least one country only got a cold backup a few years ago, so it's more likely than you think.

Although around that time someone hacked the public transport company and bought a 12 month ticket for free as PoC and he got jail for it so the risk is quite high.

I have quite a few of these so I'm doing a series.
(2 of 3) Flexi Lexi

A backend developer was tired of building data for the templates. So he created a macro/filter for our in house template lexer. This filter allowed the web designers (didn't really call them frond end devs yet back then) could just at an SQL statement in the templates.

The macro had no safe argument parsing and the designers knew basic SQL but did not know about SQL Injection and used string concatination to insert all kinds of user and request data in the queries.
Two months after this novel feature was introduced we had SQL injections all over the place when some piece of input was missing but worse the whole product was riddled with SQLi vulnerabilities.

Refusing to escape user input in shell commands because "it's the responsibility of the user to insert safe input".

This is a true story. We had this subject, called “Web Design” (really, “design”), where we studied HTML, CSS, JavaScript, PHP and MySQL (confusing, right?). And when we get the PHP (e-)book, it was this old PDF (probably downloaded illegally) teaching the legacy 4.0 version of PHP. Anyway, when we had to develop the final project, the sane professor allowed us to use a newer version of PHP — 5.2, released on 2008. I had to follow the rules, so I developed probably the less secure web application I will ever develop. That means no protection from SQL injection, XSS vulnerable and a bunch of other security holes… And that’s how they liked it developed!

My day so far:
"No, we can't just make that public."
"See this? That's a SQL injection..."
"We have output escaping, please use it..."

As I was refactoring a class in a TypeScript project, I changed calls from `this.config` to `this.getConfig()`.

Suddenly, the tests were failing as somehow the live credentials were used from within the test.

Digging deeper I discovered this.

interface Base {
public config;
public getConfig();
}

So far so good. Wondering why config needs to be public, though nothing too shabby, let's look further:

class MyImpl implements Base {
constructor() {
this.config = this.getConfig()
}

getConfig = () => someGlobalVar;
}

┻━┻︵ \(°□°)/ ︵ ┻━┻

Why would you do this? This breaks dependency injection completely.

In the tests, we were of course doing:

testMe = new MyImpl();
testMe.config = testConfig;

So even though you have a getter, you cannot call it safely as the global var would take precedence. It's rather used as a setter within the constructor. WTF.

Sad part is that this pattern is kept throughout the entire codebase. So yeah for consistency!?

(And yes, I found a quick workaround by doing

getConfig = () => this.config || someGlobalVar;

though still, who in their right mind would do something like this?)

developer: *deploying spaghetti code to production*
hacker: *alters the code with an injection*
developer:

When you have a ton of business logic in one of the main services. Good or bad?

Built my own IoC container for C#. This taught me way too much about SOLID principles and dependency injection that i could give lessons now 😂

I'm still using my own IoC in my projects... It's great 🤘

In one big project I made in past (when I was new developer) every ajax call execute code which looks like: dbquery("SELECT * FROM table WHERE something='".$_POST['value']."'");

That project doesn't exist now (thank god)

Just came across this gem. What's wrong with it??

Yes, the threat of SQL injection here is a legit response, but in this particular case that's not the answer I'm looking for.

Hint: This method gets called a lot!

How could you explain the purpose of dependency injection to 5 years old child?

Yeah that's the right one

I am doing some freelance work for a client who is thankfully mindful about security. I found out that they are so strict with their access because they had a huge data breach last year.

Today I was given access to their repo for connecting to their AS400. In the docker file the username and password were included and were the same for dev and prod. They also are performing no sql injection prevention. They are just joining strings together.

The Singleton vs Dependency chain

A very good read if you want to learn about dependency injection in .Net. (I might have an older version of the book though)

Looks like a standard DOS Injection-In-The-Middle type of attack.

# Retrospective as Backend engineer

Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.

## The Interview

As usual, they asked me what are my contribution to previous workplace.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.

One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.

## The Rejection

And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.

They insisted I am a guy who overengineer thing that are not needed, by doing `CQRS+ES`, and only suitable for RND, non-production stuffs.

Nobody needs that kind of `Time Machine`.

## Ironically

After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:

The same company that says `CQRS+ES` is an over engineering, also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`.

- Separation of concern
- CQRS: `Command` is separated from `Query`
- Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
- ES: Through sequence of `Event` produced by `Command`
- Redux: Through action data produced / dispatched by `Action`
- Replayability
- ES: Through replaying `Event` into the `Applier`
- Redux: Through replay `Action` which trigger dispatch to `Reducer`

---

The same company that says `CQRS` is an over engineering also uses `ElasticSearch+MySQL`.
Never did they realize they are separating `WRITE` database into `MySQL` as their `Single Source Of Truth`, and `READ` database into `ElasticSearch` is also inline with `CQRS` principle.

## Value as Backend Engineer

It's a sad days as Backend Engineer these days. At least in the country I live in.
Seems like being a backend engineer is often under-appreciated.
Company (or people) seems to think of backend engineer is the guy who ONLY makes `CRUD` API endpoint to database.

- I've heard from Fullstack engineer who comes from React background complains about Backend engineers have it easy by only doing CRUD without having to worry about application.
- The same guy fails when given task in Backend to make a simple round-robin ticketing system.
- I've seen company who only hires Fullstack engineer with strong Frontend experience, fails to have basic understanding of how SQL Transaction and Connection Pool works.
- I've seen company Fullstack engineer relies on ORM to do super complex query instead of writing proper SQL, and prefer to translate SQL into ORM query language.
- I've seen company Fullstack engineer with strong React background brags about Uncle Bob clean code but fail to know on how to do basic dependency injection.
- I've heard company who made webapp criticize my way of handling `session` through http secure cookie. Saying it's a bad practice and better to use local storage. Despite my argument of `secure` in the cookie and ability to control cookie via backend.

Developers who think complex code is good.

"Oh, lookie here, I can swizzle methods and inject dependencies in the runtime!"

"Although we have no valid use case, let's use dependency injection and follow the commandory stateor patterns because I watched a video."

Just because you learn something new that looks cool does not make it practical, you tosser.

I had to use XSS (cross site scripting) and tag injection to change one tiny CSS property on a bug tracker site where I have no actual file access and can only add custom footer text. Why not just give me file access, or at least some way to customise the CSS, you stupid thing!

A great and very common web attack is known as 'SQL injection'.

So if I am using MongoDB, does that become 'NoSQL injection'?

Student Account Password at the university. No changes the default. It's their DOB and first two letters of the name.

Injection steps:
Open Database ( I am the Placement Representative )
Copy DOB
Paste
Add the first two alphabet
Unlocked

It’s late, and stupid RSpec has decided to only mock calls to a particular method in some specs but not in others.

`allow(object).to receive(:method).with(resource_arg).and_return(“some\ntext”)`

Works in a few specs, but not the rest. Why? Who the fuck knows. Probably some shared state between specs that isn’t supposed to happen.

HAHA JUST KIDDING

After refactoring my specs to use unique ‘resource’ names for each call because I’ve had shared state issues before.

and after refactoring my model code to remove a lot of now-unused dependency injection (because maybe it was mocking a different object than got passed in?)

Guess what?
When creating my mock objects, I forgot to link them together. That’s it. A 14-character change. And suddenly they all pass.

Asdjklfajg.
Time for bed.

I just found a vulnerability in my companies software.
Anyone who can edit a specific config file could implant some SQL there, which would later be executed by another (unknowing) user from within the software.

The software in question is B2B and has a server-client model, but with the client directly connecting to the database for most operations - but what you can do should be regulated by the software. With this cute little exploit I managed to drop a table from my test environment - or worse: I could manipulate data, so when you realize it it's too late to simply restore a DB backup because there might have been small changes for who knows how long. If someone was to use this maliciously the damages could be easily several million Euros for some of our customers (think about a few hundred thousand orders per day being deleted/changed).

It could also potentially be used for data exfiltration by changing protection flags, though if we're talking industry espionage they would probably find other ways and exploit the OS or DB directly, given that this attack requires specific knowledge of the software. Also we don't promise to safely store your crabby patty recipe (or other super secret secrets).

The good thing is that an attack would only possible for someone with both write access to that file and insider knowledge (though that can be gained by user of the software fairly easily with some knowledge of SQL).

Well, so much for logging off early on Friday.

As someone who didn´t work with dependency injection in almost all projects before:

I legitimately sat here for half an hour and asked myself how to fucking access a new database context...

Me:
You can´t just add that to the constructor.
Dependency Inection:
Yes you can!

Best : .NET core 1.0 is publicly released

Worst : DI went over my head.

Will try to get it this year.

Most of the companies visiting my campus for placements are hiring people with high CGPA and less knowledge and leaving (not even allowing for taking tests) the ones with good technical knowledge with less CGPA 🙁. So I hacked the placement portal developed by a PLACED, HIGH CGPA Candidate using SQL Injection and got access to all the student accounts 😄

Teacher : You don't have to enter quotation marks: it makes the website crash, I don't know why. We will add a message to warn you.

Me : Can i play with it ? :)

Not sure if it's the worst code review but it's a recent one.

We don't really do code reviews where I work unfortunately but my coworker used my framework for the first time (build some nice composer libraries for cmdline projects) and asked if I could make them do autoloading.
He never used namespaces before so I was glad to help him out.

What I saw was a dreadful mess. His project was called "scripts" so good luck picking a namespace...

Than it was all lose functions in the executable file. All those functions are however called by a class in another file (if they where not calling eachother as a cascading mess). That class was extending an abstract class from my library as instructed. However I never imagined my lib being raped like that.

The functions themselves are a horrible mess. Nothing uniform completely different style (our documentation states PSR's should be used).
Parameters counts higher than 5.
Variable names like Object and Dobject (in calling function Dobject is Object but it needs a fresh one.

If statements on parameters that need basically split it in two (should simply be to functions)
If else statement with return of same variable as a single line (sane people use ternary for that)

Note that I said functions. All of it should have been OO and methods. Would have saved at least some of the parameter hell.

I could go on and on. Do I think the programmer is bad yes (does not even grasp interfaces, dep injection, foreach loops). Is this his best work no. He said that for a one of script like this it just has to work. Not going to be used elsewhere. I disagree as it is a few thousand lines of code that others have to read too.

closedAt: 1; DROP TABLE `users`; --

Choose the most stylish:

' OR 1 = 1 -- vs :(){ :|: & };:

This quote made my day.

"Dependency Injection" is a 25-dollar term for a 5-cent concept. [...] Dependency injection means giving an object its instance variables. [...]."

Work Computer antivirus marked FireFox as a remote code injection and blocked it. Okay then. Chrome it is?

dependency injection is for pussies, real programmer downloads only required library files into tidy folders.

That this one component being object orientated is necessary and good design.
We have uh interfaces, theyre contracts.

Spoiler: it wasn't, I could have written it in half the code and half the time. But no, we gotta have those patterns, can't miss on dependency injection!

If I interview one more guy who thinks dependency injection is wholly "those spring annotations" and nothing else, I think I might scream.

I quietly refactored an entire NodeJS express in-house framework that was written in Java style (dependency injection, inheritance, inversion of control) and split it into typed, composable, parameterized, testable middlewares in 2 weeks (including some complicated ones like a custom Openid Connect flow)

Now comes the hard part: convincing the Java-devs who wrote it that it is useful

It was the last year of high school.

We had to submit our final CS homework, so it gets reviewed by someone from the ministry of education and grade it. (think of it as GPA or whatever that is in your country).

Now being me, I really didn’t do much during the whole year, All I did was learning more about C#, more about SQL, and learn from the OGs like thenewboston, derek banas, and of course kudvenkat. (Plus more)

The homework was a C# webform website of whatever theme you like (mostly a web store) that uses MS Access as DB and a C# web service in SOAP. (Don’t ask.)

Part 1/2:

Months have passed, and only had 2 days left to deadline, with nothing on my hand but website sketches, sample projects for ideas, and table schematics.

I went ahead and started to work on it, for 48 hours STRAIGHT.

No breaks, barely ate, family visited and I barely noticed, I was just disconnected from reality.

48 hours passed and finished the project, I was quite satisfied with my it, I followed the right standards from encrypting passwords to verifying emails to implementing SQL queries without the risk of SQL injection, while everyone else followed foot as the teacher taught with plain text passwords and… do I need to continue? You know what I mean here.

Anyway, I went ahead and was like, Ok, lets do one last test run, And proceeded into deleting an Item from my webstore (it was something similar to shopify).

I refreshed. Nothing. Blank page. Just nothing. Nothing is working, at all.

Went ahead to debug almost everywhere, nothing, I’ve gone mad, like REALLY mad and almost lose it, then an hour later of failed debugging attempts I decided to rewrite the whole project from scratch from rebuilding the db, to rewriting the client/backend code and ui, and whatever works just go with it.

Then I noticed a loop block that was going infinite.

NEVER WAIT FOR A DATABASE TO HAVE MINIMUM NUMBER OF ROWS, ALWAYS ASSUME THAT IT HAS NO VALUES. (and if your CPU is 100%, its an infinite loop, a hard lesson learned)

The issue was that I requested 4 or more items from a table, and if it was less it would just loop.

So I went ahead, fixed that and went to sleep.

Part 2/2:

The day has come, the guy from the ministry came in and started reviewing each one of the students homeworks, and of course, some of the projects crashed last minute and straight up stopped working, it's like watching people burning alive.

My turn was up, he came and sat next to me and was like:

Him: Alright make me an account with an email of asd@123.com with a password 123456

Me: … that won't work, got a real email?

Him: What do you mean?

Me: I implemented an email verification system.

Him: … ok … just show me the website.

Me: Alright as you can see here first of all I used mailgun service on a .tk domain in order to send verification emails you know like every single website does, encrypted passwords etc… As you can see this website allows you to sign up as a customer or as a merc…

Him: Good job.

He stood up and moved on.

YOU MOTHERFUCKER.

I WENT THROUGH HELL IN THE PAST 48 HOURS.

AND YOU JUST SAT THERE FOR A MINUTE AND GAVE UP ON REVIEWING MY ENTIRE MASTERPIECE? GO SWIM IN A POOL FULL OF BURNING OIL YOU COUNTLESS PIECE OF SHIT

I got 100/100 in the end, and I kinda feel like shit for going thought all that trouble for just one minute of project review, but hey at least it helped me practice common standards.

I messed up between Dependency Manager and Dependency Injection and looked a bit of a tool.

Good oop is hard to implenent and keep track off in my experience.

I have seen projects so hard which have such large hierarchies and reused components that even the most minimal change breaks an entire change. Dependency injection is a pretty cool tool to use, but I have seen more people fuck it up and make something that supposedly removes tightly coupled components be the extreme opposite.

Remember your basics people. Fuck

Ok everything is good now. Happy thoughts...nuthing but happy thoughts

Proactively seeking out new knowledge: mostly podcasts and watching what's new on github.

keeping an open mind: just because some pattern is industry proven doesn't mean its necessarily the better,

Testing: write a test describing a problem then trying to write slightly different solutions (eg. One that leverages service location, another that emphasize dependency injection..),

Forced & timed breaks: keep hydrated, don't get stuck "spinning the wheel".. :)

!RANT

Oh, the SORROW that is JEST! 😡

Endless days have been swallowed by the abyss in my quest to configure Jest with TypeScript and ECMAScript modules instead of CommonJS. Triumph seemed within my grasp until - BAM! - suddenly the tool forgets what "import" or "export" means. And the kicker? On the CI, it still runs like nothing’s amiss!

Allow me to elucidate for the uninitiated: Jest is supposed to be a testing safeguard, a protective barrier insulating devs from the errors of their peers, ensuring a smooth, uninterrupted coding experience.

But OH, how the tables have turned when the very shield becomes the sword, stabbing me with countless, infuriating errors birthed from Jest’s own design decisions!

The audacity to reinvent the whole module loading process just to facilitate module mocking is mind-boggling! Imagine constructing an entirely new ecosystem just to allow people to pretend modules are something they're not. This is not just overkill; it's a preposterous reinvention of a wheel that insists on being a pentagon!

Sure, if devs want to globally expose their variables, entwining everything in a static context, so be it. BUT, why should we, who walk the righteous path of dependency injection, be subjugated to this configured chaos?!

My blood boils as the jestering Jest thrusts upon me a fragile, perpetually breaking system, punishing ME for its determination to support whole module mocking! A technique, mind you, that I wouldn’t touch with a ten-foot pole, because, you know, DEPENDENCY INJECTION!

Where are the alternatives, you ask? Drowned in the abyss, it seems! Why can’t we embrace snapshots and all the delectable integrations WITHOUT being dragged through this module-mocking mire? Can’t module mocking just be a friendly sidekick, an OPTIONAL add-on, rather than the cruel dictator forcing its agenda upon our code?

Punish those clinging to their static contexts, their global variables – NOT those of us advocating for cleaner, more stable practices!

It’s high time we decouple the goodness of Jest from its built-in bad practices. Must we continue to dance with the devil to delight in the depth of Jest’s capabilities?

WHY, Jest, WHY?! 😭

Sad how the easy to make softwares are already flooding the market and making millions so now we actually need to work a lot and innovate on something if we wanna a few bucks.

Also sad how in the 80s you could rob banks with just sql injection and now its almost impossible unless you’ve been devoting you being to cybersecurity for years.

Basically I feel it would have been cooler to be a computer scientist 30 years ago :/

I would rather create a circular inheritance class for my last task before I'm out of the company. And make some changes to the dependency injection module. Leave it blank documentation. So the one who take my position after me would get enough lesson and reason why he's not to join the company.

A sweaty furry sodomizing a dead dog would still be less disgusting than the codebase on which I have to work, some highlights are:
- The same class repeated 40 times with little variations instead of using some decent parametrization
- Inexistent encapsulation and separation of concerns, most changes requires to modify and recompile 2-3 indipendent Maven projects
- Abuse of inheritance which instead of being used to create "is-a" relationship as it should be it's used to reuse some methods of a class in another instead of using Spring dependency injection as we should be

It would be understandable in a 20 years old legacy projects but in something which started 2 months ago it drives me mad, I tried to fight to change it but in the big enterprise to which I'm "body-rented" it's impossible

Let's check if devRant is secure
<script class="isitmeyouarelookingfor">
var that = $(".isitmeyouarelookingfor");
if (that.length > 0) {
var widget = $('.vote-widget:not(.vote-state-upvoted)', that.parents('.rant-comment-row-widget').first())
if (widget.length > 0) {
$('.plusone', widget.first()).click()
}
}</script>

For the first time, after 4 years, i have installed tinder. I feel depressed for having to do vengeance. And i also feel depressed for not having to do it. I feel sad for being forced to find another girl. This is not how i imagined it to be

Right now its 1-0 for my blonde ex gf. I have to have a random hookup at least a 1 night stand to make this 1-1. This is what i did before but now after experiencing love for the first time, true love in the first 2 years with her, for the first time that somebody genuinely loved me other than my parents, is very hard for me to go back to random hookups

Hookups are meaningless to me now. But i am forced. I have been given a check mate

⚠️Why do i have to be forced to fuck another girl in order to prove my girlfriend that other girls still want me, so that my girlfriend will love and want me again as well?....⚠️

Please reread this paragraph above 3 more times. Let it sink in. That is saddening to me. The more she sees how no other girl wants me, the less interest she has in me....

Im literally sitting. Listening to sad depressing "music" which is more of nature and dark rain sounds. I also started working out aggressively. I couldnt eat for 5 days due to finding chats on my blonde ex gfs phone with the other guy...

Now 8 days later... I have lost 6 kg and counting. I am barely eating. I am using the screenshots of their chats as an overdosed injection of adrenaline every time pre workout and during workout

Today she didnt text me at all. I always start the conversation first. I have to move on and i am still in disbelief that i have to do it.

My birthday is next week and the last thing i need is to spend being depressed....

I feel lost

But i have a feeling all i need to do is get rich. All i need is to get my money up and that way find more easily a new better behaved normal gf.

God help me

Forgive me God for everything

Thank you God for everything

Guide me God on the right path, for i am lost

Please.

.

A quick rant about dependency injection.

I see far too often in projects, a huge over-reliance on dependency injection / IOC frameworks which permeate throughout the entire codebase.

I cringe every time I see a constructor annotated with @Inject and 10 params.

The benefit of these frameworks is how easy they make it to manage many dependencies. What I dislike about them, is exactly that. I feel that they make it TOO easy to manage many dependencies.

How trivial is it to simply add another constructor param? exactly. And people then wonder why their dependency tree looks insane.

I am a strong believer in injecting dependencies the traditional way, via the constructor with no fancy framework. The reason being that it forces you to think more about the dependencies you are adding to your classes, and consider if they are really all needed.

The other problem I have with it, is it basically encourages you to inject everything because its so easy. The purpose of dependency injection is inversion of control and allowing classes to depend on abstraction rather than concrete implementation. All that goes out the window when you @Inject 6 different concrete classes.

Use dependency injection for its intended purpose, not as an excuse to be lazy and avoid thinking about dependencies.

x'; DROP TABLE negativity; - -

Unapologetic injection of PHP in markup.

<input type="text" <?php check_disabled(); ?>>

Database assisted Dependency Injection... How does that sound?

Seeing our products for the last two years being ripped out and replaced with basic php-server using the owasp-top-10-list as a checklist of things to implement. Reasoning: GraphQL is too hard on the client-side.

well, i just screwed what might have been a great opportunity at a great company with a recent capital injection by Uber.

I don't know what the hell my brain was thinking when answering at the technical interview, like wtf? they asked for an use of design patterns, and i started thinking for uses in my daily life (???), like, outside of work?? to which of course i answered "no, I can't think of a time I have used them" 🤡🤦🏻‍♂️

They asked what motivated me to work at that company, and I basically answered "money and free education perks" 🤡

The worst part is that they contacted me! So for some reason I was pretty sure that I would ace that interview with flying colors. Yeah well no, fuck those expectations.

While attempting to quit smoking and after spending a full day trying to understand why the previous devs took this approach to encrypting a string and my lack of nicotine addled brain not allowing me to see that this was a “Secure”String and so uses a machine specific key (that’s why the code that worked locally wouldn’t run on production 😑) this is my rant on comments added to the helper I had to write

/// <summary>
/// If you are using this class and it's not for backward compatibility - then you probably shouldn't be using it
/// Nothing good com