Gatekeepers of Bad Software

Software development gone wrong: ASP plus Access not equal to secure Web portal.

The HR department at a financial services firm wanted to hire GlobalComp to build a Web portal.

Getting approval was straightforward: the purchaser set up a meeting between GlobalComp and an "integration services" developer on the IT team, and then waited a few days.

After a brief spiel from the GlobalComp sales rep, Steve opened with a softball question: "Is it secure?"

"Of course it's secure," the rep said. "At GlobalComp we take security very seriously. In fact, our pages are delivered over Secure Socket Lay—"

"Wait a sec," Steve cut him off, as he played around with the Web portal. "I think I just broke into your admin console."

The GlobalComp rep stumbled through an apology. It was clear that the developers had never anticipated someone typing ' OR ''=' in the password field. Steve thought it'd be a good idea to do a code review to see what else they had missed.

A Code Tour
Before Steve was permitted to even talk to a developer at GlobalComp, they had him sign a an NDA. As an added security measure, Steve could only review the code while the immaculately dressed Dave, GlobalComp's lead developer, watched him. "You'd be surprised," Dave said in a serious tone, "there are a lot of people who would steal our software ideas."

Steve's first port of call was login.asp. But it wasn't the security snafus or the FrontPage meta-tags that caught his eye. Not only were they using Access, but they had come up with a rather interesting way of caching huge amounts (400K+) of user-specific info. They used the ASP Session object:

set cn = Server.CreateObject(_
cn.Provider = _
cn.Open "C:\inetpub\wwwroot\db.mdb"
set rs = Server.CreateObject(_
rs.Open "SELECT * FROM Users " & _
" WHERE Username = '" & _
Username & _
"' AND Password = '" & _
Password & "'", cn
do until rs.EOF
session("USERNAME") = rs("username")
session("COMPANY") = rs("company")
session("LOCATION") = rs("location")
session("ADDRESS1") = rs("address1")
session("ADDRESS2") = rs("address2")
session("ADDRESS3") = rs("address3")
session("ADDRESS4") = rs("address4")
session("HTML_BLOCK_1") = rs("html1")
…180 columns later…
session("YET_ANOTHER_FIELD") = _
"I can't help but notice that this is in ASP," Steve said to Dave. "I'm curious: why not .NET? Do you have a lot of ASP libraries that you're reusing?"

"It's 2006," Dave snapped back, "not 2015. Everyone knows that .NET hasn't really taken off yet. It's slow, difficult to code and very buggy. Maybe in a few years we'll consider it, but until then, ASP is far quicker and more powerful."

"For optimization," Steve commented, "wouldn't it have made sense to go with SQL Server? This portal is meant to be used by thousands of users across the country. Do you think Access is up to the job?"

"What's wrong with Access?" Dave defensively questioned. "When I was at Accenture, we used it all the time."

Steve had seen enough. "In light of the numerous performance, security and dataintegrity issues," his review read, "we do not approve GlobalComp's Web portal software for use in our production environments."

It was the first time anyone in the department had ever given a non-approval for vendor software. They felt relieved to have successfully acted as the gatekeeper of bad software.

Tell Us Your Tale
Each issue Alex Papadimoulis, publisher of the popular Web site The Daily WTF, recounts first-person tales of software development gone terribly wrong. Have you experienced the darker side of development? We want to publish your story. E-mail your tale to Executive Editor Kathleen Richards at [email protected] and use "DevDisasters" as the subject line.

About the Author

Alex Papadimoulis lives in Berea, Ohio. The principal member of Inedo, LLC, he uses his 10 years of IT experience to bring custom software solutions to small- and mid-sized businesses and to help other software development organizations utilize best practices in their products. On the Internet, Alex can usually be found answering questions in various newsgroups and posting some rather interesting real-life examples of how not to program on his Web site You can contact Alex directly via email at [email protected].,

comments powered by Disqus


  • Death of the Dev Machine?

    Here's a takeaway from this week's Ignite 2020 event: An advanced Azure cloud portends the death of the traditional, high-powered dev machine packed with computing, memory and storage components.

  • COVID-19 Is Ignite 2020's Elephant in the Room: 'Frankly, It Sucks'

    As in all things of our new reality, there was no escaping the drastic changes in routine caused by the COVID-19 pandemic during Microsoft's big Ignite 2020 developer/IT pro conference, this week shifted to an online-only event after drawing tens of thousands of in-person attendees in years past.

  • Visual Studio 2019 v16.8 Preview Update Adds Codespaces

    To coincide with the Microsoft Ignite 2020 IT pro/developer event, the Visual Studio dev team shipped a new update, Visual Studio 2019 v16.8 Preview 3.1, with the main attraction being support for cloud-hosted Codespaces, now in a limited beta.

  • Speed Lines Graphic

    New for Blazor: Azure Static Web Apps Support

    With Blazor taking the .NET web development world by storm, one of the first announcements during Microsoft's Ignite 2020 developer/IT event was its new support in Azure Static Web Apps.

  • Entity Framework Core 5 RC1 Is Feature Complete, Ready for Production

    The first release candidate for Entity Framework 5 -- Microsoft's object-database mapper for .NET -- has shipped with a go live license, ready for production.

Upcoming Events