What's the worst codebase you've ever worked in?

Public sector contractor code is always the worst possible thing, but there was one that really took the cake.

This was C#. There was an abstract base class a lot of classes inherited from. The subclasses all called a protected method in the abstract base class.

As designs go, that's not bad, right? We can bicker over the value of inheritance, but there are worse things, right?

No! There aren't! Because the way that the protected method in the abstract base was implemented is it was using reflection to get the class name from this and comparing the reflected name of the calling subclass using a switch statement to find the right implementation based on hardcoded strings of subclass names!

I will die mad at that piece of code and how much more money that senior developer made than me.

One time I worked for an agency, which I won't name but will refer to as The Bad Place. The management decided that instead of giving us, the web folks, a website to build, they'd get a contractor in to do it. It was in the days where the designers (who only worked on magazines) would send you a PSD and say, "make it web".

Anyway, it was a photo competition site, where people could submit photos and they'd appear in a gallery.

The only thing I can say about the code that's positive is that it resisted SQL injections. Because it didn't let people sign up. When the contractor left, without the management agreeing to spend any money on QA, it turned out that most of the buttons on the site were images that did nothing, because they'd never specified what they should do.

The killer code though... anyone could submit a picture of any size and it'd store it and serve it, uncached, no CDN, for anyone to see. So, a lot of spam, broken images and nudity.

People didn't complain about the spam though, because the gallery page was coded in PHP using:

• mysql_connect()
• a gratuitous SELECT *
• a for() loop for pagination giving every 10 photos a wrapper div.
• a bit of Javascript to hide or reveal pages

If you can imagine this, it means that every picture ever uploaded was rendered to the page all at once.

We got 80,000 uploaded photos over the first weekend.

The contractor did not respond to email.

var thisVariableDoesShitButICannotFindAMeaningfulName = 0
var this_var_uses_snake_case_since_I_feel_like_it = 1
...
// line 1001
...
// line 2001 and still goes on

^ Codebase of a simple plugin from my previous company 🤮

The code was created by a third party dev team five or six years before I joined the company.

The data structures were so unnecessarily complex that they were built with macros. The macros were probably generated from a spreadsheet (we found a spreadsheet that defined the macros) using something that is lost to time.

We're talking hundreds of macros. The macros have to use macros that run macros because the parameters for the macros are generated by macros. Some of the parameters in the macros are never used.

Why write C when you can just put everything in preprocessor instructions?

No unit tests. Practically no documentation.

This means that if we had wanted to change the structures at all we'd have to either reverse engineer the generator or go about it by hand, and then run two days worth of end to end tests to make sure we'd not broken anything.

Luckily I only ever had to read the code.

All my early projects are hot garbage codebases... I do look back sometimes to remind myself of how far I've come in my coding journey

Once was hired as a Senior engineer to refactor a codebase for an app that handles sensitive employee data. I'm a full-stack JavaScript engineer with some experience in other languages and found myself in a sea of Java engineers that had chosen GWT, which is deprecated, and the company can't figure out how to roll off GWT onto a modern stack. I quickly became Principal in one year because I successfully architected and prototyped a solution for the company's dynamic form layouts in a JavaScript environment. I built it to be server-side renderable, but those words "server-side renderable" were "bad words" at the company. No matter no hard I tried to sell it, no Java engineer could wrap their head around dynamic forms being server-side rendered, so the project remained client-side rendered and performed better than the prior implementation.

Engineers had tried and failed to integrate React with GWT because all they did was swap out the components and not the engine. JavaScript engineers that were being hired had no idea where to begin because GWT is not documented well and it's Java. At times it felt like engineers were sabotaging the migration by making painful ways to migrate off GWT that took a long time, so when leadership was told it would more time they bulked. Within a year I had prototyped an engine that could wrangle many of the views, but it lacked the support of many of the aging components built in Java that needed conversion.

No one invested in the migration due to a lack of leadership or vision. There was a gross under-appreciation for the user experience by leadership that banked on how they had amassed so much of the HR space, they didn't care if the UX was bad, because all they cared about is the data. What's worse, there are most likely many security vulnerabilities in the aging codebase that handles a bunch of employee data.

For me, not worked on but consulted/advised on, and I've seen this a few times: Passing all form data via GET requests.

Not only is this a security nightmare, it also limits data to the maximum length of a url (2048) — which leads to confusing errors if you didn't realize this.

This has always been advising startups run by people with minimal webdev and/or "real world" software development experience. Given my duty of advising/consulting, it generally is a matter of picking your battles to help the folks there get a sense on which issues to pay most attention to, because generally these codebases are a mess and you can'g fix everything.

A few years back: minified, obfuscated 'Backbone JS' code... 🫠🫠🫠

Marketing wanted us to change the styling or the links or something, can't remember now, must have blanked it out my memory!! Below is a sample of the sort of thing I was dealing with:

'use strict';function _0x30f8(){var _0x2de6f7=['Hey!\x20Give\x20this\x20thing\x20a\x20title.','Model','5267007PnMaoG','NoteCollection','51982bmypLe','random','929960cVahjY','author','NoteModel','219354XmrIkE','You\x20gotta\x20write\x20a\x20description,\x20duh!','isEmpty','850056xVAnlj','Put\x20your\x20name\x20in\x20dumb\x20dumb...','LocalStorage','extend','74BNrnsZ','825bexrUW','description','186JvwgBt','1631695lbCLVr'];_0x30f8=function(){return _0x2de6f7;};return _0x30f8();}var _0xc9e65e=_0x535d;(function(_0x54d5fa,_0xa4bef9){var _0x49fd76=_0x535d,_0x14a1f4=_0x54d5fa();while(!![]){try{var _0x2745f5=parseInt(_0x49fd76(0x181))/0x1*(-parseInt(_0x49fd76(0x180))/0x2)+-parseInt(_0x49fd76(0x179))/0x3+parseInt(_0x49fd76(0x17c))/0x4+parseInt(_0x49fd76(0x184))/0x5+-parseInt(_0x49fd76(0x183))/0x6*(-parseInt(_0x49fd76(0x174))/0x7)+parseInt(_0x49fd76(0x176))/0x8+-parseInt(_0x49fd76(0x172))/0x9;if(_0x2745f5===_0xa4bef9)break;else _0x14a1f4['push'](_0x14a1f4['shift']());}catch(_0x23fda5){_0x14a1f4['push'](_0x14a1f4['shift']());}}}(_0x30f8,0x2ff56));function _0x535d(_0x439dcb,_0x125d0c){var _0x30f895=_0x30f8();return _0x535d=function(_0x535dc9,_0x2d4a0a){_0x535dc9=_0x535dc9-0x172;var _0x3ba041=_0x30f895[_0x535dc9];return _0x3ba041;},_0x535d(_0x439dcb,_0x125d0c);}APP[_0xc9e65e(0x178)]=Backbone[_0xc9e65e(0x186)][_0xc9e65e(0x17f)]({'defaults':{'title':'','description':'','author':'','id':_[_0xc9e65e(0x175)](0x0,0x2710)},'validate':function(_0x5267d3){var _0x42dbb1=_0xc9e65e,_0x4a1eab={};if(!_0x5267d3['title'])_0x4a1eab['title']=_0x42dbb1(0x185);if(!_0x5267d3[_0x42dbb1(0x182)])_0x4a1eab['description']=_0x42dbb1(0x17a);if(!_0x5267d3[_0x42dbb1(0x177)])_0x4a1eab[_0x42dbb1(0x177)]=_0x42dbb1(0x17d);if(!_[_0x42dbb1(0x17b)](_0x4a1eab))return _0x4a1eab;}}),APP[_0xc9e65e(0x173)]=Backbone['Collection'][_0xc9e65e(0x17f)]({'localStorage':new Backbone[(_0xc9e65e(0x17e))](_0xc9e65e(0x173)),'model':APP[_0xc9e65e(0x178)]});

One long-ass ruby script with lots of system() calls to another ruby script but with different parameters to run different steps of a process; duplicated entirely into three separate projects that were all the same two scripts but with subtle differences.

The worst codebase I ever inherited was a hand rolled PHP application from the bad-old-days. Thousands of lines of in-line MySQLi and templates in a single file that handled POST and GET requests. Single character variable names. Unhelpful comments that were just a series of curse words. JOE detritus everywhere.

Critical company software, no source control, no local development strategy. All edited live on the FTP server.