The Daily WTF

Cid works for a German company. From day one, management knew that they wanted their application to be multi-lingual, if nothing else because they knew they needed to offer it in English. So from the ground up, the codebase was designed to make localization easy; resource files contained all the strings, the language specific ones could be loaded dynamically, and even UI widgets could flex around based on locale needs.In the interests of doing it right, when it came time to make the English version, they even went out and contracted a translation company. A team of professional translators went through the strings, checked through the documentation and the requirements, even talked to stakeholders to ensure accurate translations. The English version shipped, and everyone- company and customers included were happy with the product.Cid’s employer got a lot of good press- their product was popular in its narrow domain. Popular enough that a Russian company called Инитеч came around. They wanted to use the product, but they wanted a Russian localization.“No problem,” said the sales beast. “We can make that happen!”Management was less enthused. When localizing for English, they knew they had a big market, and they knew that it was worth doing it right, but even then, it was expensive. Looking at the bottom line, it just didn’t make sense to put that kind of effort into the project for just one customer.The sales beast wasn’t about to let this sale slip through their fingers, though. And Инитеч really wanted to use their product. And hey, Инитеч had a few employees who had taken a semester of English in school at some point. They could do the translation! They weren’t even looking to score a deal on support, they’d buy the software and do the translation themselves.“Free” sounded good, so management gave their blessing. Since the customer was doing all the work, no one put too much thought into timelines, or planning, or quality control. Which meant that timelines slipped, there was no plan for completing the translation, and the quality control didn’t happen until Cid had the bright idea of realizing that co-worker Marya was natively Russian and asked her to take a look at the translations.“Oh, these are great,” Marya said, “if the translator doesn’t speak either German or Russian.” The translations were roughly equivalent to taking the German original, slapping it through Google Translate to get to English, then eventually migrating to Russian by way of Hindi and Portuguese.The problems with the translation were escalated up to management, and a bunch of meetings happened to debate what to do. On one hand, these were the translations the customer made, and thus they should be happy with it. On the other, they were terrible, and at the end of the day, Cid’s employer needed to be able to stand behind its product.At this point, Инитеч was getting antsy. They’d already put a lot of work into doing the translations, and had been trying to communicate the software changes to their users for months. They didn’t have anything at all to show for their efforts.Someone in the C-level offices made the call. They’d hire a professional translator, but they’d aggressively manage the costs. They laid out a plan. They set a timeline. They established acceptance criteria.They set their timeline, however, without talking to the translation company. Essentially, they were hoping to defeat the “triangle”: they wanted to have the translation be good, be cheap, and be done fast. Reality stepped in: either they needed to pay more to bring on more translators, or they needed to let timelines slip farther.What started as a quick sale with only minimal upfront investment stretched out into a year of effort. With everyone rushing but making no progress, mistakes started cropping up. One whole module’s worth of text was forgotten in the scope document agreed to by the translation company. Someone grabbed an old version of the resource file when publishing a test build, which created a minor panic when everything was wrong. Relations with Инитеч started to break down, and the whole process went on long enough that the Инитеч employee which started the purchase changed jobs, and another contact came in with no idea of what was in flight.Which is why, when the sales beast finally was able to tell Инитеч that they had a successful Russian localization, the contact at Инитеч said, “That… is nice? Is this a sales call? Are you trying to sell us this? We just purchased a similar product from your competitor six months ago.” [Advertisement] Continuously monitor your servers for configuration changes, and report when there's configuration drift. Get started with Otter today!

Content Management Systems always end up suffering, at least a little, from the Inner Platform Effect. There’s the additional problem that, unlike say, a big ol’ enterprise HR system or similar, CMSes are useful for just about everyone. It’s a quick and easy way to put together a site which anyone can maintain. But it never has enough features for your content. So you always install plugins- plugins of wildly varying quality and compatibility.Lucio Crusca was doing a security audit of a Joomla site, found this block inside an installed plugin:

Jim J's co-worker showed him this little snippet in the codebase.

Julien’s employer has switched their payroll operations to a hosted solution. The hosted solution has some… interesting features. The fact that it has a “share” button, implying you can share your paystub infromation with other people is unusual (but good: keeping salaries confidential only helps management underpay their employees). More problematic is that this feature emails it, and instead of putting in an email address manually, you instead pick off a drop-down list- which contains the email of every user of the hosted system.Seeing this, Julien had to take a peek at the code, just to see what other horrors might lurk in there.Let’s open with some ugly regexes:

Here in the US, “tax season” is extended into the summer. No one likes dealing with taxes, obviously, but we agree that the social benefits outweigh the costs.I can’t speak to how folks feel in Italy. But Riccardo B was perusing the Italian Revenue Service’s (INPS) website, and was having a bad time of it. This website was recently “modernized”, which Riccardo tells us cost €300M (I wasn’t able to track down much on this, and since I don’t speak Italian, I’ll take Riccardo’s word on it), so “having a bad time” doesn’t seem like it should be part of the process.Like most of us, when he started having problems, Riccardo pulled up the inspector and started debugging. Which is how he spotted this €300M treat:

Kerry (previously) has a long held belief: people that can’t get the little things right have no hope of getting the big things right, and not just when it comes to software.Personally, I don’t think that’s truly universal, but it’s certainly a good guideline. If nothing else, seeing certain simple mistakes gives you a hint of worse things to come. Like this interface definition:

Marissa's not-for-profit organization sought a college graduate with the ability to code and create basic software solutions. Given their organization's financial limitations, they couldn't afford to pay employees as well as many other places could, thus they'd been struggling for over a year to find a qualified entry-level candidate. Finally, a fresh graduate came along who made a strong impression during his interview. Greg was personable and possessed the required fundamentals. There was potential for him to learn more on the job.Once the interview had ended, while Marissa escorted Greg out of the building, he told her, "Hey, I really didn't do very well today."Marissa had formed the opposite impression, but didn't interrupt."If you really want to see what I'm capable of," Greg continued, "check out my GitHub. That's where you'll see what my code is like."Marissa was more than happy to do that. She and her whole software team accessed his GitHub to examine their potential coworker's code, assuming they'd be impressed with what they found.Most of the projects were nothing special. The pièce de résistance, however, was a comprehensive open-source tool called iStarling. This particular repository had quite a bit more content to sift through than any of the others.Something struck Marissa as fishy. Acting on instinct, she did some googling and found a similar open-source tool called iWren, made by a completely different person. It wasn't merely similar—a comparison of files showed that Greg had copied the repository wholesale into his own GitHub only a few days earlier, then had done a mass find/replace of the word "Wren" to "Starling."This bird-brained attempt at plagiarism left Marissa scratching her head. If Greg had never made that parting comment to her, he probably would've been hired. Greg had done the company a solid favor by warning them about what Greg was capable of. The search for a decent employee continued. [Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!

When I was a baby programmer, I was taught that part of the power of SQL was that we had a generic, abstract language which meant we could easily change database engines out under our code without having to think about it. In short, I was taught a horrible pack of lies.For all that SQL has a standard, every database vendor has non-standard features, especially around various built-in functions. The end result is that, if you adopt SQL Server, you’re going to be on SQL Server for the life of the application. If you adopt Oracle, you will suffer that choice for the remainder of your existence on this plane and perhaps the next.What this means is that it behooves you to learn the standard functions of your chosen RDBMS. For example, in T-SQL, SQL Server’s dialect of SQL, one of the built-in functions is EOMONTH. Given a date, it tells you the last day of the month, useful for a lot of business processes.You could use that, or you could do what Darrin’s co-worker did:

Years ago, Samuel’s company brought in some Highly Paid Consultants. The HPCs brought with them a binder full of best practices, a dedicated Agile coach, and a slick project plan that promised to accomplish everything the company needed in half the time budgeted.One of their “best practices” was the advice that “ORMs are considered harmful,” and while the existing codebase already made liberal use of .NET’s Entity Framework, their new code would be “optimized”.Those optimizations must have thrown off the project timeline- they burned through their “aggressive” project plan’s budget, then the original time-and-cost estimates, and then lingered for months trying to finish their tasks. Eventually, they moved on to the next contract, and Samuel was handed their code and told to fix the bugs and performance issues.This was HR software, so among other things, it would track employees’ “career plans”. One example query the software needed to answer was to find the one plan that was the greatest number of “challenge units” below a certain threshold.The “harmful” Entity Framework/LINQ way of answering this question would be code akin to this:

When working on a programming team, you need to make sure everyone on the team is aware of the changes you make. This is to ensure that everyone knows what task they're doing, what feature the rest of the team might not have to worry about, or any potential conflicts - among other reasons.Once those changes are made, you want them reviewed. Perhaps one other developer does it, perhaps a group, or perhaps the whole team. Once approved, the changes get applied to the live application.Adam's team has their process and it's not too different from most other software companies. Team-member Ted, however, decided that he can make changes over and over again, without telling anyone.There were three main reasons Ted wasn't reprimanded in the beginning - the first is Ted is a talented programmer, and on a team with only a handful of programmers, that's valuable. The second reason and probably more important is Ted was programming for this company since the beginning; meaning Ted knows the inside and outside of the app. And finally Ted was the only remote employee – meaning it's harder to be direct when Ted isn't even in the building.Ted thought he was doing the company a favor by improving the software to meet his needs. In practice, it meant the entire development team would have to fix, correct, or flat out remove everything Ted did. But since Ted didn't tell anyone, didn't correlate changes with any tickets, or even include clear commit comments, it was often difficult to know what exactly were his "just because" changes, and which were "real" features.During their virtual standups, Ted described himself as "a teacher," showing the younger developers the way, and preparing them for their careers. He was like a teacher, but instead of following the approved curriculum, he taught what he felt best, standards be damned. He might have the best intentions, but Ted wasn't preparing them for anything but frustration.With Ted being the only remote employee, this meant it was easy for Adam, the team-lead, to meet without Ted, and discuss what to do with Ted's constant changes. Ted couldn't simply be fired- the office politics didn't permit it. But Adam could cut his hours, and put him on tasks that didn't matter if Ted tampered with the requirements and did his own thing.Even though Ted was warned a number of times, in terms ranging from "gentle" to "this is serious, Ted", he still didn't stop making his own changes. He still let his work interfere with other developers.The reprimands got to the point where even Ted realized that his job was jeopardy. Still, he insisted on doing things his own way. Adam and the team tried to talk to him about it, tried to offer suggestions, but Ted was too stubborn to take his team's advice.Adam and the team worked on an e-commerce portal, and Ted was performing these changes on the live site; bypassing all protocol. This means that customers could actually view the changes that Ted made, in real time.Adam tried giving Ted less work, so the team wouldn't have to worry about his meddling behind the scenes as much, but Ted couldn't be stopped. The breaking point was when Ted made a change, directly merged it into master, and then published it to the live site. The change ruined mobile formatting for the features the other programmers were working on, which was annoying. But it also broke the customer's ability to purchase from the site- customers literally couldn't make purchases because of Ted's "improvements".The team had to scramble to revert to the previous build, and then unpick Ted's many commits from the history to fully revert that feature. Adam had to let Ted go – everyone on a team needs to work together. [Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

At a previous job, I became "The Code Review Guy". It was a big company, with a lot of bureaucracy. They were transitioning from VB6 to VB.NET and didn't trust developers to adapt to this new world, so they positioned code reviews as a "gateway" and the reviewers were guards, tasked with ensuring that any code going past met the standards.That was already a pretty bad, and pretty hostile approach. Then some code would get submitted which didn't just violate the standards, but was barely comprehensible nonsense which followed no coherent convention and couldn't be tested let alone debugged. But it was mission critical and had a scheduled release date already, so the code review process had to let it pass. "Just make some notes, and they'll fix it in a future release," was the attitude. You can imagine how much of that code got fixed.In any case, one of our standards was that developers should use a StringBuilder object, not string concatenation. Concatenation produces many, many intermediate strings, which can cause performance and garbage collection issues, while a StringBuilder avoids that.This standard was commonly violated.Which brings us to this representative line of C#, which Adeline found in a customer's code-base. I can assume that they had a similar standard: use a StringBuilder. Whoever wrote this followed those instructions to the letter:

As we’ve harped upon many, many, many, many, many, many times: writing your own date functions is bad. Use the built-ins or a library or anything but your own awful string-mangling date code.But you can and should wrap the date handling stuff in your own functions as convenient. That’s just good programming.Krystian S inherited some code, which wraps date handling functions in its own abstractions, with method names like:

If I were to catalog my biggest failings as a developer, it’s a carelessness around defensive programming. It’s tedious, and it takes work and forethought, and honestly, I just want to get the thing working and see the results. But I recognize it’s important, and work on developing that mindset.Today’s anonymous submitter found some Java code that is extremely defensive.

Java’s history with web applications is, well, complicated. Java, heavily focused on being the True Object Oriented language, went the route of containers and service-providing classes and runtime bindings and dynamic hooks and lookups well before anyone else.The core layer which underpins a lot of the web interactions is the Servlet specification. Servlets are just classes which are wired up to handle HTTP requests. Do whatever you want there. Slap a bunch of annotations for JAX-RS on there, and it’s a restful web service. Drop a JSP file in there, a it runs as a servlet with a template. Start playing with Java Server Faces? It’s servlets all the way down.But what happens when you want to be even more Enterprise than Java normally is? What if you want a portal application with drop-in modules that can be configured from the front end? Portlets.Portlets are servlets for portals. It’s the Java flavor of SharePoint development. Build a CMS. Build an ERP. Build any giant enterprise product, and Portlets are there for you. They inherit huge piles of functionality important to hooking into the portal. They’re a giant mess.Which is why Jan G was working with a “legacy portlet”. No one ever wants to start a new portlet, so they’re all basically legacy from the minute they’re written. The previous developer didn’t really understand some of the key portlet methods or concepts.

Frankie was handed a pile of PHP and told, "Move this to a new host." The process didn't go well- simply copying the code to the server chucked out a 500 error. So Frankie started digging into the code.Like a lot of PHP code, this code wasn't written. It happened. A long chain of revisions, emergency fixes, quick and dirty hacks, and "I dunno what I did, but that fixes it," meant that it was a twisty pile of spaghetti that wasn't drained properly and now is all sort of sticking together into a starch blob that only vaguely resembles the pasta it once was.While trying to unpick the mess, Frankie spotted this:

Let’s say you’re a native English speaker. Let’s say you’re writing a library which is going to be used by Czech speakers, like our submitter Jan Krynický. You’ve been told to make sure the code is usuable by them, so you decided to use C#’s annotations to provide Czech documentation of various fields.There’s just one problem: you don’t know Czech. You know enough to know that the Czech equivalent of “-ed”, as in “uploaded” is “-ováno”, so “uploadováno” seems perfectly reasonable to you. Czech documentation, done. It might not be the best choice, but they'll get the point.There’s just one problem:

Thomas K was browsing around, trying to give folks some technical help. While doing that, he found a poor, belaguered soul who had been given a task: convert some Java code to Python.This was the code:

Most of our WTFs are produced on modern hardware, but today we're taking you back to the dawn of computing, back to the 1960s, when our submitter, Robert, was in college. Rob was taking a class in Numerical Analysis, which allowed people to submit their programs to the university computer (singular, as this was before computers were cheap enough to have a whole lab of 30+ of them just lying around for students). This involved using a keypunch machine to punch cards to run a FORTRAN program that might give you the answers to your homework. It was marginally faster than using a slide rule, until you factored in that students had low priority on the queue to submit their programs to be run, so they'd have to wait hours, if not days, to get access. Most students didn't even bother with the expensive machine, simply doing their maths the old-fashioned way and leaving it at that.Our submitter, however, was clever.You see, Rob had a part-time programming job in the evenings that made enough to pay for his schooling, something that was entirely possible in the 1960s though it may seem fantastical today. At this job, he had access to a much newer business computer: the IBM 1130, with a whopping memory capacity of 4,096 16-bit words. It was made for scientific purposes, but was also used by small businesses who were "sensitive to price concerns" (aka: frugal) and wanted a cheap machine that would run all their programs. Best of all, Rob had sole access to the machine all evening, meaning nobody would blink if he ran a quick program to do his homework in between batch jobs for the business.However, he was used to running business programs, not scientific or mathematical ones. One subroutine package the business used frequently allowed for easier currency manipulation, but it required a compiler directive called "*ONE WORD INTEGERS". This limited integers to one word, which was sufficient for currency manipulation. Leaving it out would cause a number of headaches for the subroutine package they used, which expected it to be turned on.I'm sure you can see where this is going: when Rob did his homework, he put the directive in place, making his answers a couple orders of magnitude less correct, as decimals were rounded far closer than they would've been using a slide rule. But just you wait, dear reader, for the real WTF is yet to come.The day came for the instructor to return the graded papers, and to Rob's surprise, there was much grumbling and disgust. It seems almost everyone had messed up their homework, receiving markdowns for having incorrect answers. Everyone, that is, except Rob. Rob's paper sported a shiny red A."I see most of you had incorrect answers this time around," remarked the teacher, scowling. "One of you was clever enough to turn in a FORTRAN program that solved the problems correctly. I used that to produce the rubric to grade the rest of you, so don't come crying to me about it being a grader error."Rob, being clever, decided to take his A and slink off in shame once he realized what had happened. Thankfully, the rest of the class never found out who had busted the curve—which was good for Rob's mental health and his kneecaps. [Advertisement] ProGet supports your applications, Docker containers, and third-party packages, allowing you to enforce quality standards across all components. Download and see how!

Eyal N works on some code which relies on "bit matrices": 2D arrays of bits. Since they are working in C, in practice this means that they have one giant array of bytes and methods to handle getting and setting specific entries in the matrix.One day, Eyal sat down to do a remote pair-programming session with a co-worker. It started out alright, but the hours ticked by, the problem they were dealing with kept showing thornier and thornier edge cases, and instead of calling it a day, they worked late into the night.The next morning was full of regrets, both in terms of too little sleep and in terms of code artifacts. The code that they'd written over night was tangled, incoherent nonsense. It compiled, and it looked like the outputs were correct, but the actual process was as opaque as lead painted with Vantablack.Deep inside that pile of sewage-smeared spaghetti code, Eyal found that they had found a special approach to zeroing out a block of memory.Now, if you've ever worked in C, you know that creating and setting blocks of memory is easy- arguably too easy. If, for example, you want an array of bytes that's initialized to zero, you can do it with one step using the method calloc. If, for some reason, you want to do it in two steps, you can combine malloc with a memset call.Or, if you want to do it in many, many more steps, you can do this:

If there’s a hell for programmers, it probably involves C-style strings on some level. C’s approach to strings is rooted in arrays, and arrays are rooted in pointers, and now suddenly everything is memory manipulation, and incautious printf and memcpy commands cause buffer overruns. I'm oversimplifying and leaving out some of the better libraries that make this less painful, but the roots remain the same.Fortunately, most of the time, we’re not working with that sort of string representation. If you’re using a high-level language, like Java, you get all sorts of perks, like abstract string methods, no concerns about null termination, and immutability by default.In C, a string is just a pointer to a block of memory and you can do anything you like with it. In Java, a string is an object that can’t have its contents changed.Cid has a co-worker that comes from a C background, and constantly equates “references” in Java to “pointers” in C, which is largely accurate, but highlights certain misunderstandings in this case.Since, obviously, every non-primitive variable is holding an object reference, and it’s like pointers, and that means if you mutate the object in one place, it mutates everywhere. Much like a C-string, it’s just a pointer to memory and anybody can do anything.That means, when this developer writes getters and setters for string properties, they want to make sure that nobody’s ever sharing a reference. That means thousands of lines of code like this:

Generating SQL statements is a necessary feature of many applications. String concatenation is the most obvious, and also the most wrong way to do this. Most APIs these days offer a way to construct SQL statements out of higher-level abstractions, whether we’re talking about .NET’s LINQ, or the QueryBuilder objects in many languages.But let’s say you’re doing string concatenation. This means you need to have lots of literals in your code. And literal values, as we know, are bad. So we need to avoid these magic values by storing them in variables.That, at least, seems to be the logic behind this code. Richard G just inherited this C# code from a senior engineer who left:

Don't you just love it when some part of your app just suddenly and magically STOPS working all of a sudden?Our submitter David sure does (not). While working on his Android app, much to his surprise, he noticed that after one build, it wasn't displaying pop-up toast style notifications.He was positively stymied. It's not like this functionality is weird and custom with black magic UI coding behind it. No, this is something basic and ancient that one would normally expect to just work. However, upon checking the function behind the notifications below, the reason became immediately clear. At some point, David had accidentally pasted a URL in the middle of the function.

The virus threats we worried about in the late 90s are quite different than the one we're worrying about in 2020, because someone looked at word processors and said, "You know what that needs? That needs a full fledged programming language I can embed in documents."Alex was a sailor for the US Navy, fresh out of boot, and working for the Defense Information School. The school taught sailors to be journalists, which meant really learning how to create press releases and other public affairs documents. The IT department was far from mature, and they had just deployed the latest version of Microsoft Word, which created the perfect breeding ground for macro viruses.Alex wasn't in the IT department- not yet- and was actually learning to be a journalist. At the end of classes one day, he saved a bunch of Word documents to a shared computer. The next day, he came in and found they were all destroyed- as were everyone else's.The chiefs in the school sent out stern warnings about viruses, and not running any unfamiliar executables. Lots of work was lost, but this was the late 90s: many of the documents got printed out for review anyway, so there were hard copies of much of the classwork. After a week, things were basically back to normal.And then the virus hit again.Cue another round of stern warnings, and NCOs chewing out anybody who even looked at the computers wrong, or thought about running an unauthorized executable. One Seaman got caught with a floppy containing WOLF3D.EXE, and while no one in the barracks knew exactly what happened to him, everyone agreed it must have been pretty dire.After the third time, Alex decided to offer his services. He wasn't an IT professional, but he was pretty technical. Maybe he could take a look?Chief Donaldson thought it over for a few moments. "Well, kid, it's already jacked up. You probably can't make it any worse. Take a look."Anti-virus protection was provided by Norton. It had been configured to use a whitelist to decide which files to scan. That whitelist didn't include *.doc files. Alex made that fix on his computer, and showed Chief Donaldson what he'd done.The IT department was notified, but had no interest in listening to some kid fresh out of boot camp. They'd been in the service for years, so there was no need for them to change their policies or procedures.Alex shared his knowledge with his peers. It quickly percolated out through the Navy barracks at the Defense Information School, and without the IT department doing anything, very quickly nearly all of the computers the Navy used were protected against macro viruses. The same couldn't be said about the other branches of military service, which each had their own barracks at the Defense Information School.Still, the virus activity was severely curtailed. For months, nobody thought about anything, and the IT department patted themselves on the back for making a really good show of stopping the virus. And then came the "field trip": the budding military journalists would go to another military base to participate in a war game, simulating a "real world" scenario which would let them hone their journalistic skills under fire.There was one problem. The only computers that had been configured to defend against macro viruses were the ones Alex and his peers had personally protected. Those were back at the Defense Information School Navy barracks. Here, they were using computers that were tagged for field deployments.This meant they were about 15 minutes into the wargame when a Word virus started forwarding itself through every newsroom computer on the simulated battlefield. Since this was a number of branches at the same time, it was an even more varied collection: some raced to delete files, others opened as many porn sites as they possibly could, and yet others simply played an animation claiming that they were formatting your hard drive (they weren't).You might think that makes this more of an IT education than a journalistic experience. Certainly, Alex eventually moved on to become an IT professional in the civilian sector. But there was a very valuable lesson on military journalism to be had, in the form of the after action report on the exercise. It managed to bury the entire IT disaster with a brief blurb: "Computer viruses and malfunctions were not part of the exercise parameters. These should be part of the plan for future exercises." [Advertisement] Otter - Provision your servers automatically without ever needing to log-in to a command prompt. Get started today!