|
D34THROW posted:Uh is he not sanitizing input or am I that inexperienced with SQL? Aight, this is one people usually learned the hard way in the 90s. Its an SQL injection risk. When you write an SQL query and directly inject user supplied strings into it, you end up with a situation where someone can write a specifically coded string that subverts the original sql into something evil. So you take something like;- code:http ://someurl/blah.php?message=');DROP TABLE logs;-- And instead of adding the message to the log, the log table is deleted, not just the data but the entire table. So the correct practice is to use prepared statements. Something like this in pseudocode;- code:Yes sanitizing those inputs helps, but its *rare* to find a sanitization method that hasnt been thoroughly defeated multiple times over by stupid poo poo like unicode exploits or whatever.
|
#
¿
May 19, 2022 17:46
|
|
|
|
| # ¿ May 14, 2024 09:49 |
|
|
ExcessBLarg! posted:Wonder what his interview was like. I do not know, but it was during my week off work with the coronavirus, because I would have vetoed that dude *hard*
|
|
#
¿
May 19, 2022 18:06
|
|
|
OddObserver posted:Was there any performance problem to justify those "scalability" concerns in the first place? No. And he flat out lied to the boss about it. I've been reviewing the code on this thing. I've found nearly 20 cases of string interpolation for queries, and when I looked at why we're not getting device notifications anymore on our AMQP network, he's replaced another nodejs system with a laravel instance where he's using DB::statement queries with, you guessed it, string interpolation queries. And he's being coding directly to the production servers. I've scheduled an emergency meeting with the boss, and shut down that server and revoked his passwords.
|
|
#
¿
May 20, 2022 08:41
|
|
|
YanniRotten posted:It takes more than a rogue engineer to make a rogue engineer. Yeah. I've been having quiet talks with the other devs about this guy and are gonna be putting together bit of an intervention. None of us wants to be *that guy* that pushes someone out of their job, but goddamn this things a brutal mess. So I've been working on a fairly extensive security plan thats gonna involve security linting and a bunch of other stuff, pull all DB into the managed services (ie no loving mysql on a 1gig vhost like this guys just tried to deploy) and shutting down all the vhosts and moving all that poo poo into the kubernetes cluster. Via CI. With code review, with a shortlist of approved platform and library choices. And yes his work will fail that test on every count. One of the other guys is working on a project management plan to instutite proper SCRUM, as well as trying to yeet a bit of staffing control off the suits so we dont get another goose like the current one.
|
|
#
¿
Jun 12, 2022 18:41
|
|
|
lifg posted:I never learned how to pronounce HATEOAS. I normally go for something that sounds like “Hate O/S”. Its always sounded like a merging of "hate" and "cheetos", which makes me think the name should be used for "standard implementation for image board to provide entertainment for malicious children" rather than "thing a committee designed for talking to apis"
|
|
#
¿
Jul 26, 2022 15:08
|
|
|
Guido never was a fan of the functional coding crowd. Turns out he laid a cunning trap!
|
|
#
¿
Sep 8, 2022 08:41
|
|
|
Found in code by the lovely PHP guy at work that I've mentioned earlier (This is from some JS);-code:
|
|
#
¿
Sep 8, 2022 08:49
|
|
|
Xarn posted:uuuugh why not use a loving loop? This is by the new recruit thats replaced our node.js TCP edge server that could handle 40K connections without breaking a sweat with a PHP abomination filled with SQL interpolations and other "Didnt PHP coders learn this lesson in the 90s?!" horrors that pegs the server on 80 connections, and nobody can convince the boss that he's incompetent. And yeah that entire bit of code and the lookup table it references replaced a very accurate 3rd order polynomial model that we spent weeks working out the coefficients for, because this clown doesnt do maths. 2 lines of code is what it replaced. For this abomination. And yes I'm pissed off. But management will management. duck monster fucked around with this message at 11:17 on Sep 8, 2022 |
|
#
¿
Sep 8, 2022 11:14
|
|
|
Volmarias posted:Quietly revert the changes and get him assigned to some kind of pet project for someone who won't actually be there next year. I did, and he flipped the gently caress out and reverted it back, and then the boss yelled at me.
|
|
#
¿
Sep 9, 2022 08:03
|
|
|
Doom Mathematic posted:...Code review?? We do code review. This fucker codes on the production server. I cant convince the boss. ToxicFrog posted:Holy poo poo, where I work checking in something that increases serving latency by 0.1ms is a Big loving Deal I hear you. But what can I do? duck monster fucked around with this message at 08:06 on Sep 9, 2022 |
|
#
¿
Sep 9, 2022 08:04
|
|
|
Doom Mathematic posted:Okay so, one, deploy to production over the top of this person's changes, instantly trashing any changes they've made. Do this repeatedly every time they touch production, until they get the message. You have a deployment process, right? Which this person is circumventing? I've already made it clear I refuse to have anything to do with his code. He's broke it, he fixes it. The TCP Server is his hosed up baby now. This other recent thing was an incursion in my code, and yeah, he can keep changing it on the server, but it dies on deploy day. Because the CI process has been there longer than he has. And if the boss doesnt like it, he's not going to get any cooperation to deliberately break a system that protects us to enable a guy who doesnt. Anyway. Were working on rebuildin to a serverless system, so this dude either gets with the program or he's gonna get left in the dust. Boss protection only goes far when it comes to incompetence.
|
|
#
¿
Sep 11, 2022 14:21
|
|
|
zokie posted:How is he allowed to access production servers? When he was handed access to the TCP server (I'm being vague here, NDA. Its an end point for a IOT type thing) he was handed that whole project over from me so I could turn to other parts of the system. After an argument over his idiot plan to replace the old nodejs server with a PHP one (after he lied to the boss and told him nodejs cant do multitasking. like gently caress?) I just gave up and said "Fine, I want nothing to do with it" and the boss gave him the full keys to that one. That PHP replacement is a hot mess. All the SQL is via interpolated strings, the front end is a jquery horrorshow (He actually flew into a fit when he first started and wrote a full page rant about how he wanted our front end people to drop vuejs for jquery, and was soundly told to gently caress off and keep away) He has no access to the two main clusters (data ingress , where the TCP server is sending info too and front end) because its a kubernetes system and I suspect he'd have no idea where to even begin with it. And in all honesty if he tried I suspect the boss would have a mutiny from the rest of the devs. That said, I've been interviewing new developers for the team and have been carefully but covertly insisting on requirements that would let us drop in a replacement for this guy. On the side I've been working with security on building a new set of security guidelines enforced by policy that he'll need to either adapt to or gently caress off. Mandatory code reviews, security linting to turn all those SQL injections into giant blaring sirens, etc, prohibiting uses of unprepared SQL as well as a policy that is phasing out PHP entirely so that everything is going to be using either lambda or kubernetes python architecture gated behind CI. And this guy has proven himself almost violently unwilling to learn anything that isnt old school PHP
|
|
#
¿
Sep 13, 2022 03:49
|
|
|
Bruegels Fuckbooks posted:dude, i've fired people who would be 10x developers in comparison to this guy. have you had the "this dude may unironically have a learning disability or brain damage, I know you're concerned about an ada violation, but can you consider putting him on a project that will cause fewer problems" talk with your boss? the only times I've ever had problems as bad as this one involved developers who literally had part of their brain removed (brain cancer) / an addiction to painkillers, etc. and I got the real story just by being certain there is no way hosed up co-worker was working there on their own merit. That unfortunately is not up to me. I'm 2IC to the project manager. The problem is this guy has big-boss protection and project manager has *no* interested in rocking that boat. Might be a clients son or something (We had one of those before with similarly catastrophic effects, thankfully THAT guy quit on his accord.)
|
|
#
¿
Sep 13, 2022 06:46
|
|
|
Jazerus posted:sadly, many people emerged from the early 2000s with a terminal case of php & jquery brain yet it's not a recognized medical condition Our main front end guy refuses to even interview people with jquery on the resume lol. As in "This person is too stupid to live, do not even interview". That bluntness is why I've been asking the boss to let me include front end guy in the interview panels. I'm far too polite, but front end guy isnt and he's been with the company since it opened the door so he gets to say things I consider my 1year on the job here not quite leveled up for yet.
|
|
#
¿
Sep 13, 2022 06:52
|
|
|
Jesus wept: https://stackoverflow.com/questions/6023461/php-variables-made-with-foreach PHP Coders are loving nightmare factories. necrotic posted:I saw a website still using prototype.js last year, that was quite a site. Did it have sick flames above the "construction site" sign? Prototype was the most ruby on railsest of js libraries, a cornocopia of magical nonsense that ultimately caused more problems than it solved.. Fucken thing actually monkeypatched .prototype.blah poo poo into the DOM which as you could imagine was something that would produce pretty friggin inconsistent results. Although in its defense, at least it didnt require a loving buildchain. Or common sense. duck monster fucked around with this message at 15:15 on Sep 14, 2022 |
|
#
¿
Sep 14, 2022 15:07
|
|
|
FlapYoJacks posted:Coding Horrors: Lord grant me the confidence of a mediocre C++ programmer. ......And the wisdom to know its time I hit up my job agent. *sigh*. Boss canvased us the idea of terrible terrible coder being promoted to project manager. Today the boss learned what we *really* think. , Enforced deploy pipelines with CI (inc security linting) and code review and a return of unit testing is coming back, finally. And we might be hiring. Or I just outed myself as the disaffected goony greybeard to the boss, and we might be hiring. One of the two lol.
|
|
#
¿
Sep 20, 2022 07:56
|
|
|
Volmarias posted:Would his being a PM result in him no longer coding anything and also not being part of your chain? If so, it might be possible that they're trying to sideways promote him to someplace where he can be effectively ignored even if he cannot be fired or directly sidelined. No. It would make him my boss, for all of the mimimum time it takes to see out my contract notification period, and likely the entire teams notification period. I've told the boss that I consider it a move that would be a company killer. And the boss has now been made told the same by pretty much everyone on our team. Also I sat down with the boss and demonstrated completely pwning a demo install of his "improved" TCP stack including burning down the database. The boss agreed to me running the new stack through the load tester even if new guy objects (He had been objecting for a while. Because the old stack was stable up to around 20K connections, (while I know from private tests the new one seems to start OOMing the VM after about 30 connections from all the race conditions and other horrors that happened when innexperieced people try and roll their own servers). New guy is informed this will be to test how it handles under 10-20K client conditions. I expect this to be a blood bath. They might be transfering him out to the engineering team since he spends almost his entire time there instead of doing his job. Good luck trying to terrorise our hardware guys with THAT level of coding incompetence, Our main embedded guy is a *lot* less polite than I.
|
|
#
¿
Sep 26, 2022 06:56
|
|
|
take boat posted:well that sucks, I was definitely wrong in asking if moving to project manager would mean he'd managing bureaucracy without power over engineering The difference is, the head of hardware engineering is the bosses best friend, writes immaculate C in his sleep, is a stickler for process (You kind of have to be with firmware stuff), and has a much less polite toungue than I. The imposter is dead meat in that environment.
|
|
#
¿
Oct 10, 2022 08:51
|
|
|
more falafel please posted:My first experience with assembly was learning about the other, secret graphing calculator language that was how you made the good games. I pretty much learned z80 from a series of 3 articles in Amstrad Action, and I built my own assembler out of basic because I never had a good memory so remembering how to translate mneumonics to bytes just didnt work for me. That said, as kid written code, I suspect most of that would fit under the "coding horror" category. That shits burnt into my brain. nearly 40 years later I can still more or less read z80 and I can probably with a bit of a refresher, write it too. My C64 enthusiast friend says the same thing (Although he's *still* hacking away on that gnarly old beast. I havent seen an Amstrad in 20 years, though I've always fancied buying one, just to gently caress about with the old games and show the kids how real "8 bit" games look). Those 8 bit microprocessors where great little things, simple enough for a child to learn it, quite literally. duck monster fucked around with this message at 03:16 on Oct 11, 2022 |
|
#
¿
Oct 10, 2022 09:05
|
|
|
Volmarias posted:I cannot emphasize enough how damaging this was for my attempts at learning programming as a child. Oh I assure you I do that often. Especially stuff I wrote in my 20s back in the 90s and early 2000s. That poo poo was just amateurish. Hell sometimes I look at code I've just written and thought "wtf dude, your better than this..."
|
|
#
¿
Dec 16, 2022 01:17
|
|
|
dougdrums posted:I want github to add a feature where if you git blame a line and it shows you as the author, the price is right losing sound plays Or bombards them with rubber missiles. https://github.com/codedance/Retaliation
|
|
#
¿
Dec 21, 2022 07:34
|
|
|
Volmarias posted:Very pro click right here, it's great advice and it's way, way ahead of its time. Unless you're someone like me whos been around long enough to have PTSD from their first programming job being actual COBOL. *does the thousand mile greybeard stare*
|
|
#
¿
Dec 30, 2022 08:37
|
|
|
|
| # ¿ May 14, 2024 09:49 |
|
|
wolfman101 posted:I am siding with the narrator for the fact that this code is just some sales software. No one is going to die because 0.33 is precise or not. There was an entire genre of 1980s/90s hackers that made their money off siphoning off those missing fractions of a cent.
|
|
#
¿
Dec 30, 2022 08:39
|
|