back to article You've seen things people wouldn't believe – so tell us your programming horrors

Shellshock. Heartbleed. That CCTV storage firmware with a hardcoded password. We've all seen some really bad code. Maybe that's just me. Given that many of our sysadmin readers have poured in tales of fixing impossibly broken servers for our On-Call series, we know our software-wrangling readers have faced similar battles …


  1. CT14.IT


    I've just tried searching but I can't see a mention of it.

    I seem to recall years ago reading of an issue with a certain VNC implementation where the client basically dictated whether it was authenticated or not. I think the logic was, client sends password to server, server responds with an authenticated bool, client sets local variable to authenticated bool.

    You could hijack the server response, set it to true and then you'd be connected!

    Can anyone remember this?

  2. Anonymous South African Coward Silver badge

    Programming in x86 assembler without the virtue of a virtual machine was very nice, especially if your buggy code caused the PC to go titsup :)

    Or locking up the PC solid was also easy to do :)

  3. Anonymous Coward
    Anonymous Coward

    Fixed the core file problem

    It was around 1984. Pre GUI. We had built a text-mode UI that let the user browse their files and edit them. One day the user filesystem ran out of space. Something had crashed and created a core file. A user tried to open it, which crashed the editor leaving a bigger core file. He tried again ... and again ... and again, until disk was exhausted.

    Our architect's "solution" was a change to the kernel.

    In the code that handles writing a core file, he changed the string "core" to ".cor".

    (On *nix files starting with "." are not displayed by default.)

  4. Anonymous Coward
    Anonymous Coward

    rm -rf /

    I did that! Deleted every single file from the hospital's office systems file server.

    This was 1993 or thereabouts storage wasn't exactly cheap in those days and so we decided to ask everyone to dump anything they didn't think they would need anymore.

    Sent a note out "Please place everything you don't need in the Junk folder, we'll back it up and then delete it"

    We used login scripts and batch files for pretty much everything - we had a full desktop management system that pushed s/w updates and did user environment management stuff all through login scripts, so a bit of housekeeping shouldn't have presented a problem.

    I added a couple of lines to the login script to recursively run through the user's junk folder and delete all it's contents.


    cd \%user%\junk

    del *.* /s /r

    or something like that

    Everyone had a junk folder, it was created during user account setup and the users didn't have permission to delete it, so we knew we were good but we tested it to may sure, and it worked just as intended.

    Except the night shift help desk guy had just been given a promotion to junior network admin and he'd been "learning on the job" by changing permissions on his user account and folders and testing the results.

    The phone rang at 2 am, "the login script was taking too long, and some of the nursing staff had called in to report that their files were missing.

    He's deleted his Junk folder and when he logged in the del *.* command ran from the root and nuked everything. By the time he called me it had ripped through all but a couple of hundred files.

    Fortunately what salvage.exe didn't recover, ARCserve did.

    It still makes me feel ill to think about it today.

  5. Anonymous Coward
    Anonymous Coward

    SQL Injection - 2005

    It was the year 2004 and modern Java and known fallacies of SQL Injection were known. My colleague refused to use Prepared Statements within the Java Database Connectivity API when querying Oracle. Refused. This was discovered in a test run when a crash occurred. He still refused.

    I fixed and committed the code without co-review to save our company. He works in a Bank now.

  6. Anonymous Coward
    Anonymous Coward

    SQL NULL disallowed!

    A colleague with no SQL / database experience refused to define an Oracle database column as NOT NULL. The column would only be storing optional / non-mandatory data.

    As this was a VARCHAR2 field type, they stated they wanted to store an empty string "" instead and not use any NULL statements in queries.

    Needless to say, after banging heads with the n00b, a presentation had to be made to a senior to decide whether NULLs were allowed. Thankfully they were.

    The colleague had a massive hump at me. Then went a bit nutty after I stated that Oracle stores "" as NULLs anyway.

  7. Anonymous Coward
    Anonymous Coward

    Timezones in databases

    It was interesting working in a company that dealt with a mission critical application that recorded times in database tables, but without the timezone. Each time recorded was from a different timezone though and complicated by servers having different timezones as well.

    This is why n00bs and arrogant idiots should not define schemas or play with databases without an expert on hand.

  8. Anonymous Coward
    Anonymous Coward

    Authentication module and plain text passwords

    I was making a new internal app for our mission critical system. Using the existing authentication framework, I discovered that all passwords were sent plain text over the wire.

    Having setup a demo server for the team, it was interesting to see the passwords people used.

  9. Anonymous Coward
    Anonymous Coward

    Comment out failing regression tests!

    I was hired to provide sanity (check, verify, report) for a major Fortune 100 company that utilised an outsourced company for "cheaper" labour/expertise.

    Discovered something strange, in the neighbourhood, and it was JUnit tests... commented out as they failed! But reported as AOK to the bosses. Much "passing" functionality had actually not passed.

    Running a "copy-paste-detector" on the code reported reams of code that should have just used OO design with an actual one line change between each class.

    That's when my addiction to Mars bars started thinking about it.

    The same thing again in a Banking environment where the in-house team commented out regression tests because it was too hard/tiring/taxing to fix f****d up test data or code.

    Moral: Don't hire lazy people unless lazy means efficient coding practices.

  10. Martin Silver badge

    I remember my very FIRST intermittent issue....

    I was still at school, in the early seventies. It was a BASIC program which typed out (on a Teletype!) a horserace commentary based on a simulated horserace. It obviously needed a sort to decide which horse was leading, which I wrote myself.

    It worked fine most of the time, and I'd have my friends all watching, cheering on their horses. But every so often, it froze - just stopped dead. Took me a while to discover that my handcrafted bubble sort had a bug - it used a >= instead of a > - which meant that if two numbers were the same, it swapped them, and the sort never finished.....

  11. Gerhard Mack

    A few years back I was maintaining software in C and added a bunch of declarations to the function definitions to enable GCC to detect and warn on format string errors. The other programmer got angry and promptly turned them all off again because they were "creating too many warnings." and making it harder to see bugs he needed to find. (he liked to refer to what I did as the "code nazi thing")

    Fast forward a few weeks, and we tried the software on 64 bit servers for the first time and my software works perfectly but his won't run for more than a minute without crashing. Our boss ended up having all of the servers reformatted with 32 bit Linux just to accommodate him.

    A few years after that, he left the company and I inherited the code complete with an enormous bug list. First thing I did was enable every possible warning and correct the compiler's complaint (something he liked to tell me he never had time for). The result was a 90% reduction of bugs for two weeks of effort.

    1. Anonymous Coward
      Anonymous Coward

      When I've inherited code, I've frequently fixed bugs simply by turning on all warnings. Like the function that would intermittently fail because someone passed it three arguments instead of four (it was grabbing the value of the fourth argument from what ever was on the stack).

  12. DF118

    Haven't seen much of other people's code...

    ...but what I have seen makes me feel (a lot) less embarrassed about my own.

    Worst was some consultant who'd taken what should've been a simple string padding operation in VBA to get a valid 8-character payroll number and turned it into a multi-line conditional...

    If Len(strPayNo) = 1 Then

    strPayNo = "E000000" & strPayNo

    ElseIf Len(strPayNo) = 2 Then

    strPayNo = "E00000" & strPayNo

    ElseIf Len(strPayNo) = 3 Then

    strPayNo = "E0000" & strPayNo

    ElseIf Len(strPayNo) = 4 Then

    strPayNo = "E000" & strPayNo

    ElseIf Len(strPayNo) = 5 Then

    strPayNo = "E00" & strPayNo

    ElseIf Len(strPayNo) = 6 Then

    strPayNo = "E0" & strPayNo

    ElseIf Len(strPayNo) = 7 Then

    strPayNo = "E" & strPayNo

    End If

    Not only had he done this, but he had replicated it EVERYWHERE. That code block appeared something like 140 times. At first I thought he'd cut and pasted it, but then one of the users told me the guy had been charging £1k+ per day for his services (working on site) and I got the sinking certainty that he had just sat there for days on end and typed every single line out by hand.

    This was a public sector (NHS) organisation he'd fleeced, and it was just a one-man project for a few weeks. I shudder to think what else is out there in public sector land.

  13. Tom -1

    @richardcox13 Re: Lower to uppercase

    No, it works for most accented Western European alphabetic characters; no real problem with accents within the extended ascii range (U+00 - U+FF)

    the vowels á à â ã ä å æ é è ê ë í ì î ï ó ò ô õ ö ø ú ù û ü ý are ok

    (capitals: À Á Â Ã Ä Å Æ È É Ê Ë Ì Í Î Ï Ò Ó Ô Õ Ö Ø Ù Ú Û Ü Ý)

    and so are the consonants ç ð ñ þ (Ç Ð Ñ Þ).

    The only vowel it doesn't work for in that range is ÿ (U+FF), which I think is always lower case in modern West European languages (in some African languages it can be upper case, maybe in some East European languages too, and that's U+176 I think). The only consonant (in that range) it doesn't work for is ß (sharp s, 0xDF) which is used only in German and is traditionally lower-case only.

    So he bit flipping trick (xor with 0x20) works for every alphabetical character in the range 0x00 to 0xFF except those two, which have to be left unchanged if you're capitalising West European text. Of course not mucking up the non-alphabetical characters (you don't want to change space into null, for example) means you have to have a list of unchangeable characters for that task anyway, and adding these two to that list is rather trivial.

  14. Mike Lewis

    Near hit

    Thirty years ago when I first used Unix, running as root because I didn't know any better, I created a file then decided to delete it "the Unix way" by moving it to /bin and doing rm -rf /bin/*. I thought /bin was the Unix equivalent of the Macintosh's rubbish bin icon. Fortunately, I decided to do ls /bin first in case there were files that other people didn't want deleted. Guess what I found.

  15. dakra

    Distributed system ignoring error messages from its partner

    Two custom programs talking to each other across a network.

    Sometimes, transactions from the client were not being recorded at the server online. There was a batch process to upload all the day's transactions at end of day, so they all eventually got there. This problem of occasionally "not getting" online transactions went on intermittently for over a year.

    I looked at the server side code, and found that problematic transactions would be sent to a named destination. I asked the programmer where that was. He didn't know, it was just a name. I asked the system administrator, who told me it was the console log. I asked where that went. He told me, to check the job control language. That indicated it went to print. I asked the clerk where the printouts went. She pointed to a cabinet. I looked at the previous week's printouts. Did you lose a transaction from this account on this date? and that account on that date? Yes, how did I know? Uh, it's right here on the printout.

    I went back to the server code and saw that if there was a problem it not only logged the request, but also sent back an error code to the client.

    I looked at the client side code.

    On the client side, the coding technique to catch error indications sent from the server was to register the address of the routine that would handle the error. Unfortunately, the client developer had never implemented any error handling routine.

    At the same time, I pointed out to the programmers how some of the code would fail in Y2K. They said they had no intention of working there for the next 22 years.

  16. viz

    ---force that thing, force it in there!

    git push origin master --force

    (repeat all weekend)

    People should be shot for that (or at the very least be forced to fix their destruction and merge their code properly)

  17. The Vociferous Time Waster

    Goodbye AD

    A developer where I used to work (sub prime mortgages, 2008) was working on a portal that stored user information in active directory inside a DMZ (it was a weird architectural decision made by an idiot IT Ops manager trying to be an architect). The developer, let's call him Roger because that was his name, had written a fairly useless function to delete the entirety of AD.

    1) Why was he making a button to do that?

    2) Why did he even have the permissions to do stuff like that on a wholesale basis?

    Anyway one Friday afternoon at around 5pm he tested the button, as a good developer does, on the live system, like a bad developer does.

    3) Why was there no dev/cert/test environment?

    4) Why even test a function that nobody asked you to make?

    He then got a bit embarrassed and waited about 15 minutes before telling the operations guys. This happened to be exactly the time interval between replications from the main site DMZ to the DR site. Consequently the replication wiped out all the objects there too.

    He then went home.

    5) Why was he ever allowed back in the building?

    The story had a happy ending because we recovered from an hourly ntbackup to disk in under an hour but it didn't do much to cement the ops/dev friendship.

  18. Matt Bryant Silver badge

    Not coding as such, just manglement.

    Not really a bad code issue but an example of how manglement can break a good project. The code in question was specifically designed so it could be small and run on 48MB of RAM. The problem was it was an European project. Having written and successfully tested our tiny bit of code, our team was asked to add code comments, which we managed well inside the 48MB limit. Then the French insisted the comments all be repeated but in French. Not to be outdone, the Germans then decided (having initially agreed that comments in English were fine) that there should be German comments simply because there were now French comments. Then the Dutch, Spanish and Italians piled in. Soon our code would not load in the 48MB required because it was almost 50% multilingual comments! There was now way to stretch the physical limit of the RAM, the code couldn't be trimmed and no country would back down, so in the end the working product was scrapped!

  19. Unix Ronin

    Wait, what...?

    Four horrifying words in SQL:


    No, I can't imagine how anyone ever thought that could possibly have been a good idea.

  20. phr0g

    A very long time ago, we had an in-house written time-recording application that worked just fine. One day, it just crashed, for everyone.

    It was December 1st.

    The month array had been defined for 11 (fine as it begins at 0), (not so fine as the month was then directly mapped as in 1 - Jan, 2 - Feb, etc).

    This was back in the days when we used an interpreted version of basic (VBB) and used 12" dumb orange screens to develop on, connected to "mini-computers".

    All programs would crash out with buffer overflow if you rested your hand on the keyboard...We even had one issue from a customer that simply read "Problem - Banana on keyboard"

  21. ld123s

    Never trust the client

    Companies website was defaced over the weekend, their login system was all custom made so we looked into how it worked.. some pseudocode:

    $userId = login($username, $password);

    if($userId != 0) // login success

    cookie_set('userId', $userId);

    // later on in other pages


    die('You must be logged in');

    $userId = cookie('userId');

    I guess the developers never knew about PHP sessions and thought they could trust the users cookies, it was pretty clear at this point how they were defaced so easily.

  22. Anonymous Coward
    Anonymous Coward


    Back in the very early 90s I was working on the National Unemployment Benefit System (2) when we had a crisis. The entire system had been written with one fundamental flaw - the number of records it could handle. You see some politician had decided that the UK would never exceed 3 million unemployed so NUBS2 didn't need to support any more than that...

    Things got very crazy, we had a lot of long days (and some very long nights) but thankfully managed to fix it before the entire system crashed - which would have left literally millions of people in the UK without their unemployment benefit and all payments would have had to be processed manually (hand written giros) until it was fixed.

  23. mark jacobs

    BBC B Micro days...

    I wrote a BBC Basic program to write random values between 0 and 255 to random memory locations in the machine's whole address space. This meant it clobbered code and data areas with impunity, and quite slowly. It was interesting to see how the machine slowly crashed, until I demonstrated it to a colleague. I had just helped him finish a spreadsheet which was now stored on a floppy in the machine. I ran my clobber program and the smiles were wiped off our faces as the disk drive activated and rendered the disk unusable! Laugh? No, we didn't.

  24. AlbertH

    Paper Tapes...

    End of Term - please empty your User Area. I wrote a little File Erase routine and fed it on paper tape to the Teletype. Upon prompt, I entered the requisite filename - a few seconds passed, and the "File Deleted" report came back.

    Three times 'round, and the paper tape was starting to get tatty. I had dozens of files to delete: A quick re-write of the programme, to ignore EOF characters......

    The DEC 10 never replied to confirm that the files were deleted..........


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022