Bad, Bad Code

I’ve written before about tips for offshoring. One specific thing I said to watch for is the bait-and-switch of talent: during the sales process you’re shown rockstars, but the real code you get is written by clueless newbies. When you set up a project such that you’ve minimized the cost per hour of development, but you don’t have anyone checking the work product (i.e. code reviews) coming from the subcontractor, very bad things happen.

Here’s a doozy: In 2007, people are still writing JSP like this…

Check out the 4th message in the thread, with the big code sample.

  • Table based HTML layout, and no CSS at all? Check. Heck, the table width % values don’t even add up to 100%.
  • SQL in the JSP? Check.
  • Making a new JDBC connection for each page view, instead of using a connection pool? Check.
  • Unescaped strings in the SQL? Check. (Not strings coming from the browser in this particular JSP page, but you don’t know where those strings originate. Why wouldn’t you escape it just in case?)
  • Failing to use a prepared statement? Check. (That would also solve the escaping problem.)
  • Building the SQL string inline inside the query call (the same mistake as inlining a command line), so there is no way to log it before it runs? Check. Even better, the code builds a query string first, prints it (commented out), and then uses a different string in the actual query. Nice!
  • Using the JdbcOdbc driver? Check. (From Sun’s JDBC Basics: The JDBC-ODBC Bridge driver provided with JDBC is recommended only for development and testing, or when no other alternative is available.) I’m guessing that the use of ODBC here is the only reason why the database username and password aren’t embedded in the code sample and posted for all to see.
  • Empty exception catch block? Check.
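The list above works as a review checklist, so here is an added example (written for this post, not the code from the thread or from the Areva project) that puts the anti-patterns next to the form a code review would require: a pooled `DataSource` instead of a fresh `DriverManager` connection per request, a `PreparedStatement` with a bound parameter instead of string concatenation, a constant SQL string that can be logged before it executes, and exceptions that propagate instead of being swallowed. The table and column names (`parts`, `name`) and the `jdbc:odbc:parts` URL are made up for the illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.sql.DataSource;

/**
 * The same lookup written twice: lookupBad() reproduces the anti-patterns
 * from the checklist (constructed illustration, not the thread's code),
 * lookupGood() is what a reviewer would ask for instead.
 */
public class PartLookup {

    private static final Logger LOG = Logger.getLogger(PartLookup.class.getName());

    /** BEFORE: do not copy. Every line marked below is a review finding. */
    public static List<String> lookupBad(String partName) {
        List<String> names = new ArrayList<>();
        try {
            Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");                // bridge driver: dev/test only
            Connection c = DriverManager.getConnection("jdbc:odbc:parts"); // new connection per page view, never closed
            String logged = "select name from parts where name = '" + partName + "'";
            // out.println(logged);                                        // the "logged" string is never the one executed
            Statement st = c.createStatement();
            ResultSet rs = st.executeQuery(
                "select name from parts where name='" + partName + "'");   // untrusted value concatenated into SQL
            while (rs.next()) {
                names.add(rs.getString(1));
            }
        } catch (Exception e) {
        }                                                                  // empty catch: failures vanish silently
        return names;
    }

    /** The SQL is a constant, so what gets logged is exactly what runs. */
    private static final String QUERY = "select name from parts where name = ?";

    /**
     * AFTER. The DataSource is the container's connection pool; in a servlet
     * container it is normally obtained once via JNDI, e.g.
     * (DataSource) new InitialContext().lookup("java:comp/env/jdbc/parts"),
     * and shared by every request rather than created per page view.
     */
    public static List<String> lookupGood(DataSource pool, String partName) throws SQLException {
        List<String> names = new ArrayList<>();
        // Log the statement and its parameter before execution; no quoting needed
        // because the value never becomes part of the SQL text.
        LOG.log(Level.FINE, "executing {0} with name={1}", new Object[] {QUERY, partName});
        try (Connection c = pool.getConnection();                  // borrowed from the pool, returned on close
             PreparedStatement ps = c.prepareStatement(QUERY)) {
            ps.setString(1, partName);                              // bound parameter: the driver handles escaping
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        // No catch block: a SQLException reaches the caller, which can log it and
        // render an error page instead of quietly showing an empty result.
        return names;
    }
}
```

Note that the prepared statement removes the need for any hand-written escaping, which is the point made in the list: once the user-supplied value is bound as a parameter rather than spliced into the SQL text, the question of where the string originated no longer matters for the query's correctness.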

I’d have a hard time coming up with a fake example of bad code that was worse.

But wait, what else has this person asked about?

No way. Yes! Error in Socket and File Writing!
The post includes the router’s username and password, and its configuration including:

  • Its IP address, and all of the routes it contains, and all of its interfaces and where they go
  • A couple of other passwords stored in the router
  • A crypto key that appears to be to a VPN (looks like a pre-shared key, meaning not a public key but one that must be kept secret)!

I’m not gonna say “you get what you pay for” since open source software has served me very well, but I will say that you get what you bargain for. If your bargain includes not looking at the work product of the people you hire, which is to say, hiring the cheapest people available and not supervising them, you’re not going to be happy with what you get.

Of course, this could have been written by a U.S. citizen who works in a cube on-site and makes $200/hour. Point is, hire carefully, and supervise your workers. It seems simple when put that way, but it’s amazing how often companies are willing to hire software subcontractors carelessly (solely on price?) and then pay little or no attention to the resulting work, when the arrangement involves offshore outsourcing.

By the way, the IP addresses in the original post (with the awful code sample) are listed next to the name “Areva”, implying that this code is part of a project for Areva. Who is Areva? They make nuclear power plants. Sweet dreams!

7 thoughts on “Bad, Bad Code”

  1. It’s 2007 and people are still using JSP? Java even?

    I bet your code stinks worse than that which you are critical of. There is a name for this phenomenon.

  2. >I bet your code stinks worse than that which you are critical of.
    Samples, personal hacks, and experimentation? Perhaps. Work for pay? Absolutely not. That’s a really important distinction.

    Any honest coder will admit that the quality level of the code they write that doesn’t matter is lower than that of code they write that does matter. Code written for an employer is one kind of code that definitely matters.

    The code I criticized was clearly work for hire, but was of lower quality than my own throwaway hacks and sample code from my first year as a Java developer. I feel justified in criticizing it, and I seriously doubt that the folks who paid for it were told that the code they got would be of lower quality than the code samples found in a book or available for free on a web site.
