
Opening the box: 2 of 2

In my previous post, I extolled the virtues of a system developed by another software development firm, which had been passed to us for evaluation and potential support and maintenance. As a result, I thought it best to calm the rhetoric down slightly when discussing the code.

First things first, check the connection to the database. Curiously, we’d already noticed that the application was working despite us not having changed the connection string. Must be some magical force we’re not aware of.

Ah, sadly not. They’ve very kindly left their original SQL server wide open for us to use. Firewalls just make development awkward, so it’s good to avoid them.

Then I found this, which brought me right down to earth again. It’s a typical example of the level we’re looking at:

Just to clarify exactly what is being shown here:

  • A function, having checked (across several separate ‘if’ statements – they obviously don’t know what && and short-circuiting are) that it needs to output a message, then:
    • Takes a simple error message.
    • Hard-codes every single bit of styling (fonts, etc.) into the HTML, and embeds the text string somewhere inside it.
    • Appends that HTML to a text string.
    • Outputs this text string in such a way that it becomes a parameter to a function call, to be rendered by the browser through a jQuery plugin.

Then, this …

Now, personally I’d have just used CSS classes, and had the message as a parameter into a template defined in a separate resource file – but, I’m picky like that.

For a start, it may be that they simply haven’t heard of stylesheets:

… or “Stored Procedures” ….

… or “SQL Injection Attacks”…

Several steps beforehand, it does filter out some characters – < > \ " ' % ; ( ) & – but the fact that they’re filtering input and then concatenating it into the query at all means that they’re already doing it the wrong way; the query should be parameterised instead.
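To make the point concrete, here is an added example (mine, not code from the system under review) contrasting the blacklist-and-concatenate pattern described above with a parameterised query. It uses an in-memory SQLite database and a constructed customers table; the table, column names and sample rows are assumptions for the demonstration.

```python
import sqlite3

# The characters the post says are stripped out before the SQL is built.
BLACKLIST = set('<>\\"\'%;()&')


def blacklist_filter(value: str) -> str:
    """The 'filter it out' approach: silently drops characters from user input."""
    return ''.join(ch for ch in value if ch not in BLACKLIST)


def find_customer_concat(conn: sqlite3.Connection, name: str) -> list:
    """Query built by string concatenation after filtering (the pattern criticised above).
    The filter keeps the SQL syntactically valid, but it also mangles legitimate data,
    so a real customer called O'Brien can no longer be found."""
    sql = "SELECT id, name FROM customers WHERE name = '" + blacklist_filter(name) + "'"
    return conn.execute(sql).fetchall()


def find_customer_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver sends the value separately from the SQL text,
    so no character in `name` can alter the statement, and nothing needs stripping."""
    return conn.execute("SELECT id, name FROM customers WHERE name = ?", (name,)).fetchall()


def build_db() -> sqlite3.Connection:
    """Constructed sample data; two of the names contain blacklisted characters."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Smith & Sons (UK)",)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_db()
    for lookup in ("Alice", "O'Brien", "Smith & Sons (UK)"):
        print(f"{lookup!r}: concat -> {find_customer_concat(db, lookup)}, "
              f"param -> {find_customer_param(db, lookup)}")
```

The concatenated version only finds "Alice"; the parameterised version finds all three, because the quote and ampersand reach the database as data rather than as SQL.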

I could go on, but – on a serious note – this was code delivered to a client expecting a professional level of service. Whether this is typical or not I don’t know, but it’s a simple example of why, if you cut corners in your development budget and go for the cheapest quote, you will end up paying more in the future.

Technical debt is a big problem in the software development industry. We will take this client on, but under the strict instruction that they will pay us for a rewrite, from scratch, of the entire back-end. Whether they will accept it or not, we don’t know; after all, they don’t know what’s inside the magical black box. And until it impacted on their bottom line, they didn’t even care.
