I’ll give an example. At my previous company there was a program where you basically select a start date, select an end date, select the system and press a button, and it reaches out to a database and pulls all the data that matches those parameters. The horrors of this were:

  1. The queries were hard coded.

  2. They were stored in a configuration file, in XML format.

  3. The queries were not 1 entry. It was 4: a start, the part between start date and end date, the part between end date and system, and then the end part. All of these were then concatenated in the program intermixed with variables.

  4. This was then sent to the server as pure SQL, no ORM.

  5. Here’s my favorite part. You obviously don’t want anyone modifying the configuration file, so they encrypted it. Now I know what you’re thinking: at some point you probably will need to modify or add to the configuration, so you store an unencrypted version in a secure location. Nope! The program had the ability to encrypt and decrypt, but there were no visible buttons to access those functions. The program was written in WinForms. You had to open the program in Visual Studio, manually expand the size of the window (locked size in regular use) and that shows the buttons. Now run the program in debug. Press the decrypt button. DO NOT EXIT THE PROGRAM! Edit the file in a text editor. Save the file. Press the encrypt button. Copy the encrypted file to any other location on your computer. Close the program. Manually email the encrypted file to anybody using the file.
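
The four-fragment concatenation pattern described in the post, reconstructed as an added example (not the original program's code) beside the parameterized form it should have used. The XML config, the `readings` table and all data are constructed for the demo; it runs in-memory with `sqlite3`.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed stand-in for the four-fragment XML config the post describes.
CONFIG_XML = """<queries>
  <q name="start">SELECT ts, system, value FROM readings WHERE ts &gt;= '</q>
  <q name="mid">' AND ts &lt;= '</q>
  <q name="sys">' AND system = '</q>
  <q name="end">' ORDER BY ts</q>
</queries>"""

def load_fragments(xml_text):
    root = ET.fromstring(xml_text)
    return {q.get("name"): q.text for q in root.findall("q")}

def build_concatenated(frags, start, end, system):
    # The pattern from the post: config fragments glued around raw UI input.
    # Any quote character in the input reaches the SQL parser as SQL.
    return (frags["start"] + start + frags["mid"] + end
            + frags["sys"] + system + frags["end"])

# Hardened form: one statement, values bound as parameters, never spliced in.
SAFE_SQL = ("SELECT ts, system, value FROM readings "
            "WHERE ts >= ? AND ts <= ? AND system = ? ORDER BY ts")

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE readings (ts TEXT, system TEXT, value REAL)")
    conn.executemany("INSERT INTO readings VALUES (?, ?, ?)", [
        ("2024-01-01", "pumpA", 1.5),   # constructed sample rows
        ("2024-01-02", "pumpA", 1.7),
        ("2024-01-03", "pumpB", 9.0),
    ])
    return conn

def run_concatenated(conn, start, end, system):
    frags = load_fragments(CONFIG_XML)
    return conn.execute(build_concatenated(frags, start, end, system)).fetchall()

def run_parameterized(conn, start, end, system):
    return conn.execute(SAFE_SQL, (start, end, system)).fetchall()

def compare(start, end, system):
    """Return (concat_outcome, param_outcome): a row count, or the error name
    when the concatenated query no longer parses as the author intended."""
    conn = make_db()
    try:
        concat = len(run_concatenated(conn, start, end, system))
    except sqlite3.Error as e:
        concat = type(e).__name__
    param = len(run_parameterized(conn, start, end, system))
    return concat, param
```

With ordinary input both forms agree; a system name containing a single quote breaks the concatenated statement (the input has altered the SQL), while the parameterized query simply treats it as a value that matches nothing.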

  • Scrubbles@poptalk.scrubbles.tech · 7 hours ago

    Rules I’ve learned from software engineering for almost 2 decades.

    • Never roll your own ORM
    • Never roll your own Auth

    No matter what you think, someone else did it better. Trying to do either of those outside of a hobby environment is pure hubris. “But I can do it better” - no you fucking can’t. I have wasted much much more time debugging shitty “home grown” ORM solutions that clearly some dev just was bored and did than I have spent figuring out the quirks of whatever one I’m using. Same goes for auth. Just learn it.

    • chocrates@piefed.world · 5 hours ago

      I never fuck with auth. If I can throw it up the stack I’ll do it as much as I can. When I can’t, I find an open source solution, and I’m sure I still misconfigure it.

    • TootSweet@lemmy.world · 7 hours ago (edited)

      Never roll your own ORM

      I’ve done this. Probably 10 years ago. Even today, I maintain the same application that has the ORM in it that I designed. If I could go back in time and do something else, I’d do the same thing again. Honest to god. For my use case, I feel it was warranted. It was risky, but it worked out surprisingly well.

    • Pieisawesome@lemmy.dbzer0.com · 6 hours ago

      The SVP over my org keeps wanting to design his own RBAC/Auth/IAM system.

      We have Entra, Auth0, and Keycloak.

      The reason he wants it is he doesn’t want secrets to set up auth. Like, that’s how it (mostly) works, sunshine.