I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button and it reaches out to a database and pulls all the data that matches those parameters. The horrors of this were:

  1. The queries were hard coded.

  2. They were stored in a configuration file, in XML format.

  3. The queries were not 1 entry. It was 4: a start, the part between start date and end date, the part between end date and system and then the end part. All of these were then concatenated in the program intermixed with variables.

  4. This was then sent to the server as pure SQL, no ORM.

  5. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file so they encrypted it. Now I know what you’re thinking: at some point you probably will need to modify or add to the configuration, so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt but there were no visible buttons to access those functions. The program was written in WinForms. You had to open the program in Visual Studio, manually expand the size of the window (locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.
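The four-fragment config pattern from the post, reconstructed as an added example (not the poster's code) to show why splicing the three inputs into the fragments is an injection risk and how the same fragments can be joined with placeholders instead. The XML layout, table and rows are constructed stand-ins.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML config from the post: four SQL fragments
# that the program glued together around the start date, end date and system.
CONFIG_XML = """<queries>
  <query name="readings">
    <part1>SELECT ts, system, value FROM readings WHERE ts &gt;= </part1>
    <part2> AND ts &lt;= </part2>
    <part3> AND system = </part3>
    <part4> ORDER BY ts</part4>
  </query>
</queries>"""

def load_fragments(xml_text, name="readings"):
    """Return the four fragments for one named query, in order."""
    root = ET.fromstring(xml_text)
    q = next(x for x in root.findall("query") if x.get("name") == name)
    return [q.find("part%d" % i).text for i in range(1, 5)]

def build_unsafe(parts, start, end, system):
    """The pattern described in the post: inputs spliced straight into the SQL."""
    return (parts[0] + "'" + start + "'" + parts[1] + "'" + end + "'"
            + parts[2] + "'" + system + "'" + parts[3])

def build_safe(parts):
    """Same fragments, joined with placeholders; the values travel separately."""
    return parts[0] + "?" + parts[1] + "?" + parts[2] + "?" + parts[3]

def sample_db():
    """Constructed in-memory table so the two builders can be compared offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE readings (ts TEXT, system TEXT, value REAL)")
    con.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("2024-01-02", "pump", 1.0), ("2024-01-03", "pump", 2.0),
        ("2024-01-03", "valve", 9.0), ("2024-02-01", "pump", 3.0)])
    return con

def run_unsafe(start, end, system):
    parts = load_fragments(CONFIG_XML)
    return sample_db().execute(build_unsafe(parts, start, end, system)).fetchall()

def run_safe(start, end, system):
    parts = load_fragments(CONFIG_XML)
    return sample_db().execute(build_safe(parts), (start, end, system)).fetchall()
```

For well-formed inputs both builders return the same rows; a system value containing a quote makes the concatenated version return every system's data, while the parameterized version treats it as a literal and matches nothing.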

  • Olgratin_Magmatoe@slrpnk.net · 13 upvotes · 1 day ago
    1. Take from index 10 of the buffer, AND it with some hard-coded hex value.

    2. Bit shift it by a hard-coded amount of 2

    3. Do the first two steps, but with a different hard-coded index, hex value, and bit shift.

    4. OR the two results.

    5. Shove the result back into a buffer.

    All of this is one line with no commenting or references to what the fuck this process comes from or why it is applicable. Then there was a second copy of the line, but with different hard-coded values.

      • Olgratin_Magmatoe@slrpnk.net · 4 upvotes · edited · 21 hours ago

        Nope. It was buried 300 lines into a 600 line C function.

        The cherry on top was that testing at this place was all manually done on the hardware. And the “unit testing” consisted of making one-off tests to prove line coverage, then throwing out the unit tests because the IDE we were using would have an aneurysm if it tried to open up existing unit tests.

        I was the poor fuck tasked with writing throw away “unit testing” code for that bastard of a function. All of it was probably written before I was born.