It was a Java project and every class was in a separate Maven module.

First of all, lack of ORM isn’t bad. It’s not a good or bad thing to use them out not use them. What’s bad is not sanitizing your query inputs and you don’t need an ORM to do that.

I think the worst thing I’ve seen is previous devs not realize there’s a cost to opening a DB connection. Especially back when DBs were on spinning rust. So the report page that ran one query to get the all the items to report on, then for each row ran another individual query to get that row’s details was probably one of the slowest reports I’ve ever seen. Every DB round trip was at minimum 0.1 seconds just to open the connection, run the query, send back the data, then close the connection. So 10 rows per second could be returned. Thousands of rows per page has people waiting several minutes, and tying up our app server. A quick refactor to run 2 queries instead of hundreds to thousands and I was a hero for 10 min till everyone forgot how bad it was before I fixed it.

I basically fix other people shitty voice for a living (replacing it with my own shitty code), the “best” one was by a guy, I suppose he was a self taught c programmer from how he wrote code, writing a complex python program. I saw:

• a function called randomNumberGenerator. It was a function which started a webserver. While looking for a python tutorial for something I found out why: he copy pasted the tutorial snippet but then didn’t bother renaming the function
• a program whose job was to listen to all other services and send them to another service via udp BUT it had a maximum buffer size so messages sometimes got truncated. I just directly put the listener in the target program and deleted it
• like another guy in this thread he didn’t use git. First day on the job they told me “yes, we need to check which machine has the latest code because he ssh into them and work there”. His version control was basically putting code in different machines
• lot of copied variables, because of c I suppose? Things like var = self.var
• camelCase python (ok this is just styling in the end)
• files with 10k lines of code
• half the services were in python 2, half in python 3. Don’t ask me why
• variables name in his original language (not English, not the client language)
• single letter variables, I fondly remember self.I (upper case i)
• I remember an if a == a: (I left it there because lol)
• he added a license check which used the ethernet mac address. Too bad ethernet was removed from the machine, and his code launched an exception which returned 00:00:00:00 as mac address, so all licenses were working on all machines

And many other things…

In another project I saw a backend running on the frontend, as in, this guy wrote the logic for a machine on the Javascript running the user interface of the screen

It was a single PHP file containing upper tens of thousands of lines of code (i.e. probably 60k+ but I no longer recall the exact amount). And the horrors didn’t stop there. Function names and code formatting were haphazard, some functions were descriptive enough to be helpful(ish) like check_if_first_friday_of_month() but most were literally along the lines of function12() with no comments to indicate the purpose. A̸n̶d̷ ̴t̵h̵e̵ ̸h̷o̵r̶r̸o̷r̵s̸ ̸d̷i̸d̵n̷’̷t̶ ̵s̶t̴o̸p̸ ̷t̵h̶e̶r̵e̶.̴ This application was storing sensitive personal information in the database in plain text. And the horrors didn’t stop there.

Congrats to the developer, though. This project was the one that finally got him fired and he immediately pivoted into a management position at a big tech company (don’t recall which but it might’ve been Microsoft or IBM) making an order of magnitude more money.

My current workmate unironically calls his variables as “cat1”, “cat2”, etc.

He also didn’t knew about git, so before I arrived, he uploaded the code to production with scp.

Finally, my boss told me that he is priority, so if he doesn’t underestand git, we won’t keep using it. I would underestand if this was about a different language, but it’s git vs scp we’re talking about.

Mine.

I should state that I’m not a programmer. I’m a network engineer.

I work for a space (among other things) contractor, and there are days I feel like I’m mission control for Apollo 13.

I was told about a bug in a specific tool. It was being used in production. Apparently we’ve gotten a lot of complaints about it over the years, and they would complain if the site was actively used it always failed.

I couldn’t find it in the development branch in source control.

I asked if this tool was purchased from a third party. My boss, who was not a developer, said no. And he was very sure of that. But he didn’t know where the code was.

I was the developer with the most seniority, and I was there for less than a year at this point.

I looked again. I finally found it… In an unapproved pull request from a few years prior.

The meat of this tool basically took information to make an order and create an order in the system.

Any time we needed to insert a record, it would find the highest Id in the table, increment 1, and insert the new record, id and all. It did this for every entity that needed to be inserted. Address, customer… Everything.

Worse, very little validation was done. Want to order something but it’s out of stock? No problem, this tool just pushed it right through.

Want to ship something using a shipping method that doesn’t exist? You got it.

Want to ship something to an address that doesn’t exist? Sounds like the warehouse’s problem.

Knowing about the level of knowledge here, you know that there were no transactions. All sorts of unused records were left in the database when there was an error. The users would get a generic error and try again several times, too.

The worst part was, we have an already existing function that would take order information and try to make an order. And it would give you actionable errors!

A bit of Perl code from the late 90s/early 2000s that worked something like this (working from memory, untested):

my $hits = `grep $search_string $file`;
my @lines = split /\n/, $hits;
my @real_hits;
for( my $i = 0; $i < scalar(@lines); $i++ ) {
    my $line = $lines[0];
    if( $line =~ /$search_string/ ) {
        push @real_hits, $line;
    }
}

Let me explain a bit about what this does. Instead of reading a file line-by-line and using Perl’s regex engine to match, it uses backticks to call out to the shell for grep. Those are split up by line. Then go through those lines (in a C-style for loop, not the perfectly good foreach version that Perl has had for a long time) and now we use a regex to match that line. You know, just in case shell grep didn’t do its one job.

If anything, I’m probably making this code look better by declaring variables with my and following use strict standards.

This was written by a guy who was the main programmer before I was hired. I was told he was a real piece of shit. He often had some checks in his code that, if not passed, threw messages to the client like “WE HAVE DETECTED YOUR HACKING AND LOGGED YOUR IP ADDRESS WE’RE GOING TO GET YOU”. Never met him personally, but his code is a pretty good example of why everyone came to hate Perl.

A registration form and backend that would return the error “please choose more unique password” if you choose a password that was already stored (in plain text) in the database against another username.

I shit you not.

I’m not going to share it here because it’s code I’ve written. I’m hiding in my own shame

It was a huge codebase in c# with a single file in VB.net with a comment at the top “copied from codinghorrors.com/…”. I never dared to try understanding what that file was supposed to do and why nobody bothered converting it in c#

Php, ob_start + ob_clean and friends. On backend. Nothing could go wrong, right

Another kind of “code” but:

The poll in a excel sheet the office sent via email. You had to fill it out and send it back, so they could type it off in another excel sheet.

That’s where i realized that people have fundamentally different approaches in thinking and problem-solving.

Our CFO’s social security number, contact info, and just about everything you’d need to impersonate them inside a random shell script that was being passed around like drugs at a party for anyone to use. Oh and it had an API key to our payments processor hard coded into it.

That was the tip of the iceberg of how bad the systems were at the company. All of these are from the same company:

• A fintech based company with no billing team
• An event system that didn’t event
• A permissions system that didn’t administer permissions
• A local cache for authentication sessions. Which means that requests would intermittently fail auth because the session was only on one replica. If you hit any of the other ones, you’d get an unauthenticated error
• A metrics collection system that silently lost 90% of it’s data
• Constant outages due to poorly designed and implemented systems (and lack of metrics… hmmm)
• Everything when I joined was a single gigantic monolith that was so poorly implemented they had to run at least 3 different versions of it in different modes to serve different use cases (why the fuck did you make it a monolith then?!)
• The subscriptions system was something like 20 or 30 database tables. And they were polymorphic. No one could touch the system without it breaking or that person declaring failure, which leads me to …
• A database schema with over 350 tables, many of which were join tables that should have been on the original table (fuck you scala/java for the limitations to the number of fields you can have in a case class). Yes you read that right. Table A joined to table B just to fill in some extra data that was 1:1 with table A. Repeat that a few dozen times
• History tables. Not separate from the original table, but a table that contained the entire history of a given piece of data. The worst example was with those extraneous join tables I just mentioned. If you went and changed a toggle from true to false to true to false, you’d have 4 records in the same table. One for each of those small changes. You’d have to constantly try to figure out what the ‘latest’ version of the data was. Now try joining 5 tables together, all of them in this pattern.
• Scala… I could go on a tirade about how bad scala is but needless to say, how many different error handling mechanisms are there? Scala decided to mix all of them together in a blender and use them all together. Scala is just two white paper languages in a trenchcoat. Never use it in a production system
• A dashboard for “specialists” that was so easy to overwhelm that you could do it by breathing on it due to the LACK of events that it needed
• Passwords stored in plain text (admittedly this was in the systems of the company we acquired while I was there). Doesn’t matter if they were actually <insert algorithm here>, they were visible in a dashboard accessible by employees. Might as well have been plain text
• A payments system that leaked it’s state into a huge part of the rest of the system. The system ended up being bifurcated across two systems, I was brought in to try to clean up some of the mess after only a couple of months. I desperately tried to get some help because I couldn’t do it solo. They ended up giving me the worst engineer I’ve ever worked with in my 15 year career, and I’ve seen some bad engineers. Looking back, I’m reasonably confident he was shoving our codebase into an AI system (before it was approved/secured, so who knows who had access) and not capable of making changes himself. I could make several posts about this system on its own
• I could go on but I’ll cut it off there

I once saw an ‘encryption’ function where the key had a range of 32. Not 32 bits. I mean there were 32 different keys. And it was prepended as the first byte in the stream, so the decryption function didn’t have to go out of the way to find it.

Thankfully I noticed that it got torn out and replaced with real encryption at some point.