Admin
It's not a bug, it's a feature!
Gotta love marketing firms.
Admin
This is just unbelievable. Web 2.0 at its best.
I just wonder why ';DROP TABLE users;
Admin
“comment” is a field in the “users” table?
Admin
Gah! I hate those kinds of firms. I know at least two small charitable organisations who've recently outsourced their websites and both have ended up with sites that are non-standard and inaccessible - one to the point where if you switch JavaScript off there is NO site navigation at all (the entire menu system is built dynamically in client-side JavaScript).
If I was Brandon, I'd've gone to the nearest EasyEverything, run the SQL attack on the site, gone back to work, and when the product manager came running up to me to say "The website's gone down! What's going on?" I would've laughed in his face and walked out. Seriously. I've walked away from one job recently because the managers simply wouldn't listen to common sense (they wanted to outsource our website to a design company who, when asked about accessibility, said "We don't really worry about that kind of thing"). I have friends who fight a battle every day to get the information they want on their website because they've outsourced to some cheapass design company who promised great things and then WYSIWYGed the site in Dreamweaver. I cannot stand these people.
Admin
This is almost unbelievable.
They had the ability to write an AJAX only site and their own framework but ignored all of the basics.
I am trying to decide if this is a developer who is just getting bored and trying to have fun, or if this was created by some out-of-the-box website builder such as FrontPage or Dreamweaver.
Admin
I predict seven references to Little Bobby Tables in this thread.
Admin
It was a mistake to fix their code.
The company paid for a product; he should not have altered the product. They didn't pay him to make the website. In fact they paid him not to.
Fixing their code, only invalidated his claims and strengthened their position.
He should have left it alone and let management get egg on their face and then ASK him to fix it.
That is the real WTF.
Admin
function Go(){return}
</script>
<script type='text/javascript' src='setup_menu.js'></script>
<script type='text/javascript' src='display_menu.js'></script>
<noscript> Your browser does not support javascript </noscript>
(n.b. I've changed the actual names of the scripts to anonymise the snippet, but this is the entire body of the top frame.) I particularly like the creative use of noscript in this one - they know that some browsers don't support JavaScript, and they're kind enough to inform these users of the problem (but not to actually do anything about it!)
Admin
What "users" table? I can't find any "users" table.
Admin
Why was he not more assertive? He should have told the marketing manager his concerns, and been stern about it.
If that fails, he should have just injected some SQL and be done with it.
So yeah, TRWTF is that the developer caved so easily when it was his work at stake.
Admin
Agreed... He was an absolute moron to fix their code for them... He made himself look like an idiot, and made them look good to management.
Admin
Didn't want to let the "Little Bobby Tables" person down!
http://xkcd.com/327/
Admin
Don't blame that kind of site on Dreamweaver. My wife is a graphic designer, uses Dreamweaver CS3. I had used old versions of Dreamweaver back around 2000, and assumed it would produce ghastly nightmares of twisted code. But when I looked at the pages it created, I was actually very impressed with the html CS3 produced: clear, standards-compliant, but concise. No bloat or rubbish to be seen.
A site as bad as the one described here requires a special kind of stupid which only a human can provide.
Captcha: praesent (guess I'm getting Alex a spell checker for Christmas)
Admin
I'm using NoScript and all I get is a blank comment.
Admin
I hope I'm not the only one furiously searching, trying to find such a website? Free copy of Mosaic for the winner.
Admin
Pfft, I'll just avoid homegrown frameworks and use something designed by pros. Like the Google Web Toolkit! It uses AJAX! Makes for a lean server. Leaves all the hard work to the client. ... and it's not indexable by Google. :(
Admin
Next you'll be telling me that version 2 is made in protected flash files with a robots.txt stating Deny All.
Admin
"Organisations" is standard spelling in the UK.
Admin
It sounds pretty much like some of the applications I'm having to pick up (I work in a design agency). It's a quagmire of JavaScript-generated HTML, using a custom-built Ajax solution.
But with these, at least you don't get a blank screen when JavaScript is turned off; you do get a message: "Javascript needs to be enabled".
Admin
Only big organizations have to worry about SQL injection? What an idiot. 13-year-old smart kids get very interested, and finding something like that makes them very happy!
Admin
I have no doubt that modern versions of Dreamweaver are quite adept at what they do, and that some users of Dreamweaver can produce beautifully rendered standards-compliant web sites with them (in fact, I used to work at a place where Dreamweaver was part of the default web-dev setup; but used as a proper IDE, rather than a drag-and-drop WYSIWYG designer. They did some damn good work there (as well as some fairly mediocre stuff!)).
However, it was the Dreamweaver and FrontPage of ~ 2000 that persuaded people who had a vague familiarity with DTP packages that they could design and build complex, interactive, dynamic websites. And those people (and their proteges) are the ones building all this WTF-worthy Javascripted no-content CRAP that keeps polluting the internet.
So however good it might be now, I will continue to blame Dreamweaver (and, to be fair, FrontPage) for the travesties of websites that get heaped upon so many small charities and companies by design firms.
Admin
<noscript></noscript><!--/DO NOT REMOVE/-->
Admin
Not necessarily
Admin
Honestly, just go to an internet cafe or a public WiFi hotspot and drop a bunch of tables with a SQL injection attack. Sometimes a practical example is the only way to beat good practices into stupid development managers. I have sabotaged my company's software on several occasions 'just to prove a point' - but every time, those points needed to be made before some script kiddie did some real damage.
Admin
128 bytes! What a waste of bandwidth! Why not use this? ;-)
<script src="code.js"/> which contains (as the last line) assemblePage();
Admin
As an IT person your job is to support the business needs of the company that pays you. Business needs are typically determined by the people who actually bring money into the company -- sales and customer support. If the sales side says "our business needs include a product website in order to market and sell this product", IT's responsibility is to ensure that the website exists and can work to market and sell the product.
In this case the first step -- expressing concerns to the vendor -- was correct but not handled correctly. The phone call described was absolutely needed. The problem is that faults should have been noted so that the marketing guy couldn't say, "the concerns were addressed." The IT guy should have said, "so you don't have an answer to our concern?" instead of being struck dumb.
The second step should have been to write up the concerns and make sure that memo was in the hands of management as soon as possible. The concerns aren't "this code sucks" but "this product is less likely to meet business needs because A, B, C, D, ... limit search engine indexing to reduce marketing value and may result in failures and public embarrassment which reduce the positive impact of the marketing efforts." The problem isn't technical. Potential SQL injection isn't the problem. SQL injection is a potential cause of problems including loss of sales leads and damage to reputation. Lack of crawlability isn't the problem. The loss of sales leads is the problem.
In a perfect world it stops there... management tells marketing to find a better solution and a little while later the process starts again. In the real world that doesn't -- can't -- always happen. Maybe the company doesn't have resources to get a better solution. Maybe there are reasons you aren't aware of for going with this solution.
At that point your responsibility as IT is to fill the business needs of your employer in the best way possible. That may indeed mean changing a vendor's code, adding a list of keywords or dummy text to that initial index/javascript-starting page, or adding special monitoring or firewalls that would not otherwise be necessary. It sucks, and it makes the vendor look better than they should, but you covered that with stage 2 and by explaining that your IT budget must be higher to support this product.
If you can't do that, can't contribute to meeting company needs, quit. It is unprofessional and unethical to take a "I don't like the vendor, let it fail" approach when you are paid to meet business needs. You may have no choice but to fail -- no doctor can save every patient -- but doctors can't say, "I would've aborted a child with trisomy 21 before birth so I refuse to vaccinate patients with that condition -- let them die." You are advocating exactly that attitude.
Admin
I agree. Better yet, he should have posted the URL on this site.
Admin
Wow you attempt to correct someone because they use an alternate (and correct) spelling all while making a grammatical error yourself. Nicely done!
Admin
I admire Brandon. I wouldn't care enough to save my company against its own wishes.
Admin
This is the type of thing you have to discuss with your boss and tell him the implications instead of trying to flip the marketing guy on a phone call.
Admin
Someone still uses NoScript? It became unstable after a flurry of patches two months ago. I disabled it.
Admin
This is not a single WTF; this is a layer cake of WTFs. While reading this I actually was having an emotional response. This site would be a screw-up for a pizza parlor website, let alone a site to support a billion-dollar product. As for the SQL injection: the worst is not DROP TABLE users; the worst is when they get your poorly permissioned SQL server to execute code and turn your servers into spam zombies that get your IP addresses black-listed, resulting in your sales dropping off a cliff.
Captcha: Quis - This is what the architect of the site was; a quis.
Admin
I agree with ALMOST everything you've said, Asiago, except for one thing: add a step where the IT professional asks their bosses for permission to fix the bugs in the code he pointed out and documented. If there is documentation and proof available to management that these problems are serious enough to warrant attention, then usually the boss will say "yes, make a backup and go ahead".
However, if for whatever reason they say no, then there may be a valid reason that you don't know about for their refusal (and you could ask why if you wanted, though don't always expect an answer), and so you should move on until you are asked to work on it.
This also helps prevent blame-games later: if you just go and fix it without asking first, and later on it breaks (for whatever reason) and they discover you "made changes" without permission, guess who's butt gets disciplined for "breaking the website"?
To build on your excellent doctor metaphor: you are correct that a doctor should try and treat patients even with 0 percent chance of success, but ONLY after receiving permission FOR treatment. They must do what they can to convince patients that the treatment is viable and useful in some way, but when a patient says "no", the doctor should back off and move on.
Captcha: pecus. Strangely appropriate for my nit-picking here.
Admin
Could you post the sites address. I'd like to, uhmm, look at it.
Admin
Thoze Brittizh Englizh people like zpelling all wordz with an S. Zomehow their Z'z end up mizzing. Thiz iz what confuzez me az to their ztandard zpellingz.
Admin
"Organisations" is the standard spelling in every English-speaking country other than the US
Admin
The Americans caught so many Zs the last 8 years, there are probably enough to go around for all languages in this world.
Admin
This reminds me of this webcomic
[image]
Oh and let's not forget http://xkcd.com/327/
or http://imgs.xkcd.com/comics/exploits_of_a_mom.png
Ah hell, here you go: http://xkcd.com/327/ http://xkcd.com/327/ http://xkcd.com/327/ http://xkcd.com/327/
Oops? did I just bust your prediction?
Admin
This is what happens when you use The Last One to design your web pages...
Admin
who's Brian?
Admin
Your browser does not support comments.
Admin
"As an IT person your job is to support the business needs of the company that pays you."
No, as an "IT person" your job is the specific duties listed in your job description. Which are of course intended to contribute to supporting the business needs of the company that pays you, but that's not the point.