• (cs)

    It's not a bug, it's a feature!

    Gotta love marketing firms.

  • Tamas (unregistered)

    This is just unbelievable. Web 2.0 at its best.

    I just wonder why ';DROP TABLE users;

  • (cs) in reply to Tamas
    Tamas:
    This is just unbelievable. Web 2.0 at its best.

    I just wonder why ';DROP TABLE users;

    “comment” is a field in the “users” table?
  • (cs)

    Gah! I hate those kinds of firms. I know at least two small charitable organisations who've recently outsourced their websites and both have ended up with sites that are non-standard and inaccessible - one to the point where if you switch javascript off there is NO site navigation at all (the entire menu system is built dynamically in client-side javascript).

    If I was Brandon, I'd've gone to the nearest EasyEverything, run the SQL attack on the site, gone back to work, and when the product manager came running up to me to say "The website's gone down! What's going on?" I would've laughed in his face and walked out. Seriously. I've walked away from one job recently because the managers simply wouldn't listen to common sense (they wanted to outsource our website to a design company who, when asked about accessibility, said "We don't really worry about that kind of thing"). I have friends who fight a battle every day to get the information they want on their website because they've outsourced to some cheapass design company who promised great things and then WYSIWYGed the site in Dreamweaver. I cannot stand these people.

  • (cs) in reply to kennytm
    kennytm:
    Tamas:
    I just wonder why ';DROP TABLE users;
    “comment” is a field in the “users” table?
    I doubt it... what makes you say that?
  • SoonerMatt (unregistered)

    This is almost unbelievable.

    They had the ability to write an AJAX only site and their own framework but ignored all of the basics.

    I am trying to decide if this is a developer who is just getting bored and trying to have fun or if this was created by some out-of-the-box website builder such as FrontPage or Dreamweaver.

  • (cs)

    I predict seven references to Little Bobby Tables in this thread.

  • DrFloyd5 (unregistered)

    It was a mistake to fix their code.

    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    That is the real WTF.

  • (cs) in reply to SoonerMatt
    SoonerMatt:
    This is almost unbelievable.

    They had the ability to write an AJAX only site and their own framework but ignored all of the basics.

    I am trying to decide if this is a developer who is just getting bored and trying to have fun or if this was created by some out-of-the-box website builder such as FrontPage or Dreamweaver.

    I doubt a developer. My guess is a mix of out-of-the-box design software AND designers who taught themselves just enough code to get information into and out of a database. That's the type that comes up with the following "menu" (in a frames-based site no less...)

    <body>
    [image]
    <script type='text/javascript'>
    function Go(){return}
    </script>
    <script type='text/javascript' src='setup_menu.js'></script>
    <script type='text/javascript' src='display_menu.js'></script>
    <noscript> Your browser does not support javascript </noscript>
    </body>

    (n.b. I've changed the actual names of the scripts to anonymise the snippet, but this is the entire body of the top frame.) I particularly like the creative use of noscript in this one - they know that some browsers don't support Javascript, and they're kind enough to inform these users of the problem (but not to actually do anything about it!)

  • Steenbergh (unregistered)
    <html> <head> <script src="comment.js"></script> </head> <body onLoad="assembleComment();"> </body> </html>
  • dumbfounded (unregistered) in reply to kennytm
    kennytm:
    Tamas:
    This is just unbelievable. Web 2.0 at its best.

    I just wonder why ';DROP TABLE users;

    “comment” is a field in the “users” table?

    What "users" table? I can't find any "users" table.

  • ShatteredArm (unregistered)
    1. Why was he not more assertive? He should have told the marketing manager his concerns, and been stern about it.

    2. If that fails, he should have just injected some SQL and be done with it.

    So yeah, TRWTF is that the developer caved so easily when it was his work at stake.

  • anon (unregistered) in reply to DrFloyd5
    DrFloyd5:
    It was a mistake to fix their code.
    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    That is the real WTF.

    Agreed... He was an absolute moron to fix their code for them... He made himself look like an idiot, and made them look good to management.

  • (cs) in reply to JimM
    JimM:
    Gah! I hate those kinds of firms. I know at least two small charitable organisations who've recently outsourced their websites and both have ended up with sites that are non-standard and inaccessible - one to the point where if you switch javascript off there is NO site navigation at all (the entire menu system is built dynamically in client-side javascript).
    Totally true, but I still don't know why this organizations (with a 'z' btw) waste precious money on this kind of stuff when many people would do them for free, as volunteer work. At least I would show them the right direction.
    JimM:
    If I was Brandon, I'd've gone to the nearest EasyEverything, run the SQL attack on the site, gone back to work, and when the product manager came running up to me to say "The website's gone down! What's going on?" I would've laughed in his face and walked out. Seriously. I've walked away from one job recently because the managers simply wouldn't listen to common sense (they wanted to outsource our website to a design company who, when asked about accessibility, said "We don't really worry about that kind of thing"). I have friends who fight a battle every day to get the information they want on their website because they've outsourced to some cheapass design company who promised great things and then WYSIWYGed the site in Dreamweaver. I cannot stand these people.
    Totally true, and some people see me as some weird specimen for testing my sites with text based browsers they didn't even know existed. It's just a step forward and a minimum accessibility thing to do.
  • Ozz (unregistered) in reply to DrFloyd5
    DrFloyd5:
    It was a mistake to fix their code.
    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    That is the real WTF.

    I agree. Been there, done that, learned my lesson.

  • ;DROP TABLE users (unregistered)

    Didn't want to let the "Little Bobby Tables" person down!

    http://xkcd.com/327/

  • sheepdan (unregistered)

    Don't blame that kind of site on Dreamweaver. My wife is a graphic designer, uses Dreamweaver CS3. I had used old versions of Dreamweaver back around 2000, and assumed it would produce ghastly nightmares of twisted code. But when I looked at the pages it created, I was actually very impressed with the html CS3 produced: clear, standards-compliant, but concise. No bloat or rubbish to be seen.

    A site as bad as the one described here requires a special kind of stupid which only a human can provide.

    Captcha: praesent (guess I'm getting Alex a spell checker for Christmas)

  • Ovidiu (unregistered) in reply to Steenbergh
    Steenbergh:
    <html> <head> <script src="comment.js"></script> </head> <body onLoad="assembleComment();"> </body> </html>

    I'm using NoScript and all I get is a blank comment.

  • ajax fun (unregistered)

    I hope I'm not the only one furiously searching, trying to find such a website? Free copy of Mosaic for the winner.

  • Dirk Diggler (unregistered) in reply to Ozz
    Ozz:
    DrFloyd5:
    It was a mistake to fix their code.
    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    That is the real WTF.

    I agree. Been there, done that, learned my lesson.
    I used to try to 'help' in situations like this. Often it just made things worse and with no upside. When you argue with a fool there are two fools arguing.

  • (cs) in reply to ubersoldat
    ubersoldat:
    ... I still don't know why this organizations (with a 'z' btw) waste precious money on this kind of stuff when many people would do them for free, as volunteer work.
    That bit I do understand. Contract a company to do this work and pay for it and you have some kind of support to fall back on. If you take this from a volunteer you risk reaching a point where you can't update or change your site anymore! (btw, organisation is a perfectly acceptable spelling where I come from...)
    ubersoldat:
    At least I would show them the right direction.
    I actually tendered for the project, guaranteeing to meet all accessibility regulations and ensuring compliance with web standards. Unsurprisingly, the company they went with was slightly cheaper, and was based nearer their offices. Good luck to them.
  • Gnubeutel (unregistered)

    Pfft, I'll just avoid homegrown frameworks and use something designed by pros. Like the Google Web Toolkit! It uses AJAX! Makes for a lean server. Leaves all the hard work to the client. ... and it's not indexable by Google. :(

  • (cs)

    Next you'll be telling me that version 2 is made in protected flash files with a robots.txt stating Deny All.

  • (cs) in reply to ubersoldat
    ubersoldat:
    JimM:
    ... I know at least two small charitable organisations ...
    Totally true, but I still don't know why this organizations (with a 'z' btw) waste precious money ...

    "Organisations" is standard spelling in the UK.

  • (cs)

    It sounds pretty much like some of the applications I'm having to pick up (I work in a design agency). It's a quagmire of javascript-generated html, using a custom-built Ajax solution.

    But with these, at least you don't get a blank screen when javascript is turned off; you do get a message: "Javascript needs to be enabled"

  • Piercy (unregistered)

    Only big organizations have to worry about SQL Injection? What an idiot. 13yo smart kids get very interested, and finding something like that makes them very happy!

  • (cs) in reply to sheepdan
    sheepdan:
    Don't blame that kind of site on Dreamweaver.
    I'm afraid I do.

    I have no doubt that modern versions of Dreamweaver are quite adept at what they do, and that some users of Dreamweaver can produce beautifully rendered standards-compliant web sites with them (in fact, I used to work at a place where Dreamweaver was part of the default web-dev setup; but used as a proper IDE, rather than a drag-and-drop WYSIWYG designer. They did some damn good work there (as well as some fairly mediocre stuff!)).

    However, it was the Dreamweaver and FrontPage of ~ 2000 that persuaded people who had a vague familiarity with DTP packages that they could design and build complex, interactive, dynamic websites. And those people (and their proteges) are the ones building all this WTF-worthy Javascripted no-content CRAP that keeps polluting the internet.

    So however good it might be now, I will continue to blame Dreamweaver (and, to be fair, FrontPage) for the travesties of websites that get heaped upon so many small charities and companies by design firms.

  • Yep (unregistered) in reply to ajax fun
    ajax fun:
    I hope I'm not the only one furiously searching, trying to find such a website? Free copy of Mosaic for the winner.
    Only because you mentioned it! Actually, I was quite surprised to find that cnn.com looks basically the same with or without javascript enabled. They even get the metrics stuff right:

    <noscript></noscript><!--/DO NOT REMOVE/-->

  • foo (unregistered) in reply to ubersoldat
    Totally true, but I still don't know why this organizations (with a 'z' btw)

    Not necessarily

  • KD (unregistered)

    Honestly, just go to an internet cafe or a public WiFi hotspot and drop a bunch of tables with a SQL injection attack. Sometimes a practical example is the only way to beat good practices into stupid development managers. I have sabotaged my company's software on several occasions 'just to prove a point' - but every time, those points needed to be made before some script kiddie did some real damage.

  • harold (unregistered)

    128 bytes! What a waste of bandwidth! Why not use this? ;-)

    <script src="code.js"/> which contains (as the last line) assemblePage();
  • Asiago Chow (unregistered) in reply to DrFloyd5
    DrFloyd5:
    It was a mistake to fix their code.
    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    As an IT person your job is to support the business needs of the company that pays you. Business needs are typically determined by the people who actually bring money into the company -- sales and customer support. If the sales side says "our business needs include a product website in order to market and sell this product", IT's responsibility is to ensure that the website exists and can work to market and sell the product.

    In this case the first step -- expressing concerns to the vendor -- was correct but not handled correctly. The phone call described was absolutely needed. The problem is that faults should have been noted so that the marketing guy couldn't say, "the concerns were addressed." The IT guy should have said, "so you don't have an answer to our concern?" instead of being struck dumb.

    The second step should have been to write up the concerns and make sure that memo was in the hands of management as soon as possible. The concerns aren't "this code sucks" but "this product is less likely to meet business needs because A, B, C, D, ... limit search engine indexing to reduce marketing value and may result in failures and public embarrassment which reduce the positive impact of the marketing efforts." The problem isn't technical. Potential SQL injection isn't the problem. SQL injection is a potential cause of problems including loss of sales leads and damage to reputation. Lack of crawlability isn't the problem. The loss of sales leads is the problem.

    In a perfect world it stops there... management tells marketing to find a better solution and a little while later the process starts again. In the real world that doesn't -- can't -- always happen. Maybe the company doesn't have resources to get a better solution. Maybe there are reasons you aren't aware of for going with this solution.

    At that point your responsibility as IT is to fill the business needs of your employer in the best way possible. That may indeed mean changing a vendor's code, adding a list of keywords or dummy text to that initial index/javascript-starting page, or adding special monitoring or firewalls that would not otherwise be necessary. It sucks, and it makes the vendor look better than they should, but you covered that with stage 2 and by explaining that your IT budget must be higher to support this product.

    If you can't do that, can't contribute to meeting company needs, quit. It is unprofessional and unethical to take a "I don't like the vendor, let it fail" approach when you are paid to meet business needs. You may have no choice but to fail -- no doctor can save every patient -- but doctors can't say, "I would've aborted a child with trisomy 21 before birth so I refuse to vaccinate patients with that condition -- let them die." You are advocating exactly that attitude.

  • (cs) in reply to DrFloyd5
    DrFloyd5:
    It was a mistake to fix their code.
    1. The company paid for a product, he should have not altered the product. They didn't pay him to make the website. In fact they paid him not to.

    2. Fixing their code, only invalidated his claims and strengthened their position.

    He should have left it alone and let management get egg on their face and then ASK him to fix it.

    That is the real WTF.

    I agree. Better yet, he should have posted the URL on this site.

  • (cs) in reply to ubersoldat
    ubersoldat:
    Totally true, but I still don't know why this organizations (with a 'z' btw) waste precious money on this kind of stuff when many people would do them for free, as volunteer work. At least I would show them the right direction.

    Wow you attempt to correct someone because they use an alternate (and correct) spelling all while making a grammatical error yourself. Nicely done!

  • Daniel (unregistered)

    I admire Brandon. I wouldn't care enough to save my company against its own wishes.

  • (cs)

    This is the type of thing you have to discuss with your boss and tell him the implications instead of trying to flip the marketing guy on a phone call.

  • (cs)

    Someone still uses NoScript? It became unstable after a flurry of patches two months ago. I disabled it.

  • OhDear (unregistered)

    This is not a single WTF; this is a layer cake of WTFs. While reading this I actually was having an emotional response. This site would be a screw-up for a pizza parlor website, let alone a site to support a billion dollar product. As for the SQL injection: the worst is not DROP TABLE users; the worst is when they get your poorly permissioned SQL server to execute code and turn your servers into spam zombies that get your IP addresses black-listed, resulting in your sales dropping off a cliff.

    Captcha: Quis - This is what the architect of the site was; a quis.

  • darkmage0707077 (unregistered) in reply to Asiago Chow
    Asiago Chow:

    ...At that point your responsibility as IT is to fill the business needs of your employer in the best way possible...

    I agree with ALMOST everything you've said, Asiago, except for one thing: add a step where the IT professional asks their bosses for permission to fix the bugs in the code he pointed out and documented. If there is documentation and proof available to management that these problems are serious enough to warrant attention, then usually the boss will say "yes, make a backup and go ahead".

    However, if for whatever reason they say no, then there may be a valid reason that you don't know about for their refusal (and you could ask why if you wanted, though don't always expect an answer), and so you should move on until you are asked to work on it.

    This also helps prevent blame-games later: if you just go and fix it without asking first, and later on it breaks (for whatever reason) and they discover you "made changes" without permission, guess whose butt gets disciplined for "breaking the website"?

    To build on your excellent doctor metaphor: you are correct that a doctor should try and treat patients even with 0 percent chance of success, but ONLY after receiving permission FOR treatment. They must do what they can to convince patients that the treatment is viable and useful in some way, but when a patient says "no", the doctor should back off and move on.

    Captcha: pecus. Strangely appropriate for my nit-picking here.

  • (cs) in reply to JamesQMurphy
    JamesQMurphy:
    Better yet, he should have posted the URL on this site.
    Quite right. Although it would have been tempting to sabotage the site with a SQL injection attack, that could have gotten Brandon fired or worse. Merely including the URL with this story, however, would have given him plausible deniability when the inevitable attack occurred.
  • NTL (unregistered)

    Could you post the site's address? I'd like to, uhmm, look at it.

  • (cs) in reply to jeremypnet
    jeremypnet:
    ubersoldat:
    JimM:
    ... I know at least two small charitable organisations ...
    Totally true, but I still don't know why this organizations (with a 'z' btw) waste precious money ...
    "Organisations" is standard spelling in the UK.

    Thoze Brittizh Englizh people like zpelling all wordz with an S. Zomehow their Z'z end up mizzing. Thiz iz what confuzez me az to their ztandard zpellingz.

  • commonwealthguy (unregistered) in reply to jeremypnet

    "Organisations" is the standard spelling in every English-speaking country other than the US

  • monkay (unregistered) in reply to commonwealthguy

    The Americans caught so many Zs the last 8 years, there are probably enough to go around for all languages in this world.

  • Yanman.be (unregistered) in reply to rbonvall
    rbonvall:
    I predict seven references to Little Bobby Tables in this thread.

    This reminds me of this webcomic

    [image]

    Oh and let's not forget http://xkcd.com/327/

    or http://imgs.xkcd.com/comics/exploits_of_a_mom.png

    Ah hell, here you go: http://xkcd.com/327/ http://xkcd.com/327/ http://xkcd.com/327/ http://xkcd.com/327/

    Oops? did I just bust your prediction?

  • (cs)

    This is what happens when you use The Last One to design your web pages...

  • (cs)

    who's Brian?

  • Bobby Tables (unregistered)

    Your browser does not support comments.

  • (cs) in reply to harold
    harold:
    128 bytes! What a waste of bandwidth! Why not use this? ;-) <script src="code.js"/> which contains (as the last line) assemblePage();
    This is actually different. The original renders the blank page and then stuffs things into it. Your version starts stuffing things into the web page before it's done loading.
  • (cs) in reply to Asiago Chow

    "As an IT person your job is to support the business needs of the company that pays you."

    No, as an "IT person" your job is the specific duties listed in your job description. Which are of course intended to contribute to supporting the business needs of the company that pays you, but that's not the point.

Leave a comment on “Google Botched”
