I’ve written before about tips for offshoring. One specific thing I said to watch for is the bait-and-switch of talent: during the sales process you’re shown rockstars, but the real code you get is written by clueless newbies. When you set up a project such that you’ve minimized the cost per hour of development, but you don’t have anyone checking the work product (i.e. code reviews) coming from the subcontractor, very bad things happen.
Here’s a doozy: In 2007, people are still writing JSP like this…
Check out the 4th message in the thread, with the big code sample.
- Table based HTML layout, and no CSS at all? Check. Heck, the table width % values don’t even add up to 100%.
- SQL in the JSP? Check.
- Making a new JDBC connection for each page view, instead of using a connection pool? Check.
- Unescaped strings in the SQL? Check. (Not strings coming from the browser in this particular JSP page, but you don’t know where those strings originate. Why wouldn’t you escape it just in case?)
- Failing to use a prepared statement? Check. (That would also solve the escaping problem.)
- Using a string literal in a SQL or command line context, so you can’t log it beforehand? Check. Even better, the code makes a query string first, prints it (commented out), and then uses a different string in the actual query. Nice!
- Using the JdbcOdbc driver? Check. (From Sun’s JDBC Basics: The JDBC-ODBC Bridge driver provided with JDBC is recommended only for development and testing, or when no other alternative is available.) I’m guessing that the use of ODBC here is the only reason why the database username and password aren’t embedded in the code sample and posted for all to see.
- Empty exception catch block? Check.
I’d have a hard time coming up with a fake example of bad code that was worse.
But wait, what else has this person asked about?
No way. Yes! Error in Socket and File Writing!
The post includes the router’s username and password, and its configuration including:
- Its IP address, and all of the routes it contains, and all of its interfaces and where they go
- A couple of other passwords stored in the router
- A crypto key that appears to be to a VPN (looks like a pre-shared key, meaning not a public key but one that must be kept secret)!
I’m not gonna say “you get what you pay for” since open source software has served me very well, but I will say that you get what you bargain for. If your bargain includes not looking at the work product of the people you hire, which is to say, hiring the cheapest people available and not supervising them, you’re not going to be happy with what you get.
Of course, this could have been written by a U.S. citizen who works in a cube on-site and makes $200/hour. Point is, hire carefully, and supervise your workers. It seems simple when put that way, but it’s amazing how often companies are willing to hire software subcontractors carelessly (solely on price?) and then pay little or no attention to the resulting work, when the arrangement involves offshore outsourcing.
By the way, the IP addresses in the original post (with the awful code sample) are listed next to the name “Areva”, implying that this code is part of a project for Areva. Who is Areva? They make nuclear power plants. Sweet dreams!
It’s 2007 and people are still using JSP? Java even?
I bet your code stinks worse than that which you are critical of. There is a name for this phenomena.
>I bet your code stinks worse than that which you are critical of.
Samples, personal hacks, and experimentation? Perhaps. Work for pay? Absolutely not. That’s a really important distinction.
Any honest coder will admit that the quality level of the code they write that doesn’t matter is lower than that of code they write that does matter. Code written for an employer is one kind of code that definitely matters.
The code I criticized was clearly work for hire, but was of lower quality than my own throwaway hacks and sample code from my first year as a Java developer. I feel justified in criticizing it, and I seriously doubt that the folks who paid for it were told that the code they got would be of lower quality than the code samples found in a book or available for free on a web site.
Excellent analysis, Jamie.
Welcome to the real world, Tony.
Looks like “sani” sanitized his posts :(
You scared him away, you bad bad man.