Meltdown Imminent
note: fairly personal, rather angsty, and especially whiny post. I would heartily condone skipping it, unless you like reading cheesy teen drama novels or like listening to emo alternative rock. you have been warned.
I don’t think I can take this anymore.
I am not the world’s greatest programmer. Not even close. I follow the work of people far greater than me, I know my place on the Hierarchy of Computer Science, and it’s middling, at best.
But… I just… I can’t fathom how these fucking idiots keep getting jobs to write software. Jobs that pay more than $80/hour, well more than twice what I make… and why after they inevitably end up failing to produce something that works, I have to clean up after it. This code is… every project I’ve worked on in my professional endeavors - every last single one - was apparently written by the most clueless fucking morons on the planet.
I know I’m not some sole soul stranded out in the Idiot Programmer Woods. I know that most Good programmers stuck in Commercial settings end up working on Horrific Code. Why do any of us have to put up with this shit? If car engineers consistently produced parts that just broke or exploded or dissolved the second they were put in a simulator, the engineers would be fired. Why do shitty coders get away with this kind of crap you can’t get away with anywhere else, and why do they get hired over the people who have a freaking clue? Why do sites like WorseThanFailure even have to exist, when those kinds of mistakes and incompetence just flat out aren’t tolerated in almost any other field?
I work mostly on web stuff for a living. Now, I dislike that in and of itself. “Programming the Web” is a lot like programming a VCR, except slightly easier. It’s mind-numbingly boring. The challenges in this kind of work are few and far between. It’s boring. It’s really, really, really boring. I LIKE hard challenges. They’re exciting. Something to do. Something to learn. Something to get a rush off of. Web programming does not offer those challenges, not even close. Yet, somehow, doing it right seems to be beyond 90% of the employed web programming work force.
The current HUGE client I’m working for has a codebase written partly by a man who has published books on PHP programming. This man, clearly, knows his stuff. Except, not so clearly. Aside from just being ugly code (you know what I mean - the kind that’s just hard to read, even though it really shouldn’t be), it’s way over-complicated. Can you say “design pattern?” Because he obviously can. A lot. If it’s possible to maybe kind of find a way to make one of the four or five Super Popular Patterns fit the code, he found a way to do it. Even if there’s a simpler one-line equivalent that a nice dynamic language like PHP offers, his code instead favors the 18-classes-over-12-files approach that strict and forced-OO languages like Java shove down your throat. And he doesn’t even program in Java, so what’s his excuse? Worse, the code is in some spots just flat out wrong, to a dangerous level.
Super basic security holes like not checking user input before opening a file, or going through the effort to make sure that all SQL query code is using place-holders, but using the ! placeholder instead of the ? placeholder (note: ? replaces the input with its escaped equivalent, while ! is really no different than passing %s to *printf functions). The code rigorously checks for errors on every single possible call into PEAR or MDB2 or other library functions, but does not in even a single place anywhere check for errors in user input. Users can, aside from trivially causing SQL injection attacks, also just insert data into the database with no value for a ‘name’ column which, in the admin UI, is the content of the link used to edit/delete the item. So no link content, no link, so no way to edit the content the user submitted without calling up a DB admin. Eventually I will fix all of this. Assuming the client can be convinced that he needs it. Because, if the client is not convinced, he’ll go with what he has, which is maybe 5% my work at tops, and when it finally does come crashing down, I’ll be blamed for it instead of the idiot friends-of-the-CTO or whatever they hired in to write the original mess.
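The two placeholder behaviours and the missing 'name' check described above, as an added example that is not the client's code and not PEAR or MDB2 code. expand() and validate_name() are hypothetical helpers; the table and input values are constructed, and the queries run against an in-memory SQLite database through PDO.

```php
<?php
// Added illustration. expand() is a hypothetical toy model of the two
// placeholder kinds the post describes; it is not PEAR or MDB2 code.
function expand(PDO $db, string $sql, array $args): string
{
    $i = 0;
    return preg_replace_callback('/[?!]/', function ($m) use ($db, $args, &$i) {
        $value = (string) $args[$i++];
        // '?' quotes and escapes the value; '!' pastes it in untouched.
        return $m[0] === '?' ? $db->quote($value) : $value;
    }, $sql);
}

// Reject the empty 'name' that leaves the admin UI with nothing to click.
function validate_name($name): string
{
    $name = trim((string) $name);
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    return $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
$db->exec("INSERT INTO items (name, owner) VALUES ('a', 'alice'), ('b', 'bob')");

$owner = "nobody' OR '1'='1";   // constructed hostile input

foreach (["SELECT name FROM items WHERE owner = '!'",
          'SELECT name FROM items WHERE owner = ?'] as $template) {
    $sql = expand($db, $template, [$owner]);
    printf("%s\n  -> %d row(s)\n", $sql, count($db->query($sql)->fetchAll()));
}

// The fix: validate first, then let the driver bind the values.
$insert = $db->prepare('INSERT INTO items (name, owner) VALUES (?, ?)');
foreach (['widget', '   '] as $name) {
    try {
        $insert->execute([validate_name($name), $owner]);
        echo "inserted '$name'\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
```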
Let’s not forget that apparently not one freaking PHP programmer on the planet that I’ve had the luck to be hired after seems to understand the basics of XSS and related attacks. It’s not hard at all for a user to fill in a contact form, put some quite malicious JavaScript in the body (which when viewed in the admin UI could then easily reload the page in a frame and keep a key logger or other kind of trojan running on every page that admin user accesses thereafter, it’s really quite trivial to do this, even for a javascript novice). Unfortunately, it’s a bit easier to understand how attacks like these get in with a language like PHP, since it’s a fucking language _designed solely for doing websites_ that makes it harder to do the Right Thing than the Wrong Thing. Nobody with a clue is using PHP to generate all of the HTML of the page; they use templates and such for most of the actual content. Most of the dynamic content spit out by PHP is stuff that needs to be properly escaped (just like with DB queries). So why then by default does PHP not escape its output? Wouldn’t it make more sense to escape by default and then, in those much rarer cases when your code does need to spit out raw HTML, add a method to do that? Shouldn’t the easiest, shortest way of doing something be the correct way to do it?
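What escape-by-default with an explicit raw opt-in could look like, as an added example that is not code from the post or from any PHP library. RawHtml, e() and render() are hypothetical names, and the contact-form values are constructed.

```php
<?php
// Added illustration of escape-by-default output; all names are hypothetical.
final class RawHtml
{
    public $html;
    public function __construct(string $html) { $this->html = $html; }
}

// Everything is escaped unless the caller wrapped it in RawHtml on purpose.
function e($value): string
{
    if ($value instanceof RawHtml) {
        return $value->html;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Minimal template: {{ name }} is replaced by the escaped variable.
function render(string $template, array $vars): string
{
    return preg_replace_callback('/\{\{\s*(\w+)\s*\}\}/', function ($m) use ($vars) {
        if (!array_key_exists($m[1], $vars)) {
            throw new InvalidArgumentException("unknown template variable: {$m[1]}");
        }
        return e($vars[$m[1]]);
    }, $template);
}

// Constructed contact-form submission as the admin UI would list it.
$row = '<tr><td title="{{ sender }}">{{ sender }}</td><td>{{ body }}</td><td>{{ actions }}</td></tr>';

echo render($row, [
    'sender'  => 'visitor@example.test" onmouseover="x',
    'body'    => '<script>document.title = "injected"</script>',
    // The rarer case: markup the application itself built, passed through raw.
    'actions' => new RawHtml('<a href="/admin/messages/1">view</a>'),
]), "\n";
```

The short path, {{ name }}, is the safe one here; emitting markup takes the extra step of constructing a RawHtml, which also makes every raw output easy to find in review.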
If a language is 90% SQL queries and HTML template processing, you’d think that those two things would be a core language feature that makes it super freaking simple to do the right thing. You wouldn’t expect database access to be a horrendously misdesigned and inconsistent add-on that requires 8 times the work to write safe SQL queries that aren’t injection-susceptible, and you wouldn’t expect the language that is itself meant to be embedded in HTML to require an add-on template engine to make up for all the design mistakes of the original language (while introducing a billion more, in the case of Smarty), would you? PHP programmers seem to think it’s pretty damn normal. You’d be surprised how hard it is to convince some of these Professionals that there just might be an easier way to do things that produces safer, faster, smaller code. Because, you know, they get paid six-figure salaries and have published books and are employed by huge Top 10 Internet Companies and I’m just the guy who fixes their broken shit that (news to them) doesn’t smell like roses.
I’d love to replace PHP. It wouldn’t be hard. I’ve written high-performance general-purpose and special-domain language runtimes before. Really, I would have to suffer repeated head trauma to even be capable of producing something as bad as PHP. But what’s the point? None of the jobs I’d get would ask for that language, they’d all ask for PHP (Or Java, or C#, or even C++ - yes, there are people who try to use C++ to write web apps, great idea, geniuses). Maybe 10 years down the road any new language I publish for this would be popular enough that I could work in it for a living, but by then I will have already gone batshit fucking insane and jumped in front of a bus from working on projects like this current one for a living every single day of my life.
I mean, this project… When you have bug after bug after bug after hole after bug all on top of a gigantic codebase that requires you to edit 12+ files (literally) just to do the basic handling of a 3 column database table used on one page on the site… I can’t take this. And it’s not even just this project. Every single one, save the very few that I have gotten to do from scratch, are gigantic messes that will take MONTHS to clean up and make work properly and securely. I just can’t imagine how people can write code like this and not say to themselves, “This is horrifically wrong, I should learn to do better.” I don’t understand how people can just shovel this shit out and realize that they could not only do it better, but do it _easier_ too. I just don’t get it. I’m not the best, but I don’t understand how you could possibly be this bad and let yourself get away with it.
I cannot keep doing this for a living. I can’t. I can’t do this. Just the thought of having to do this for another 10 years, much less 50, is making me want to cry.
The answer might appear to be to go back to school and finish that CS degree I was barely a year away from earning, and then maybe I’d be the fresh hire and not the after-thought budget coder pulled in to fix the mess the Rock Star coder couldn’t manage to build, but is that really going to make a difference? Or am I just going to get a degree that cements me in a career that I’m just going to hate for the rest of my life? Should I get a degree in something else? What? What else could I possibly do? Christ, do you know how hard it is to go back to school when you’re in my position? Especially a Good School, which invariably means “hates undergrads with a passion because they’re just a pain in the ass that gets in the way of research,” like the University of Michigan where I suffered through two years of attending and having to figure out how to keep working enough hours to pay for over-priced classes where nobody wanted to actually teach anything but wanted to take a ton of my money for the honor of not being taught anything at their prestigious school. Yeah, that’s worthwhile.
I’ve loved working on software since I was 9. I spent most of my childhood coding and learning how to do better. It’s really the only damn thing I know how to do. At this age, with an entire life devoted to one field, a field I am coming to hate more than anything else in the world… what the hell am I going to do now, if not computers?
Is there some small hope that maybe somehow I can get a job programming somewhere that I’m actually accomplishing something? Where I’m not just cleaning up after people who can’t name the difference between an integer and a b-tree? Where maybe - just maybe - I’m doing something that is actually useful, actually going to result in software people will actually use and actually need? Something where I’m actually challenged? Something where I don’t literally dread going to sleep because I know it’s followed by waking up to another day of this kind of work?
What the hell am I doing wrong that I can’t work at a company that does interesting things and hires actual programmers and not script-monkeys and where real software is produced by skilled people that ends up being used by people to actually accomplish things? Is my lack of a degree really that big of a show-stopper, in the face of damn near 10 years of real work experience? Am I just as bad of a programmer as the script-monkeys and I don’t realize it, just another worthless unhirable with too big of an ego to know what I really am? Do I just not know how to find a job, the lack of such a simple skill that shouldn’t even need much use somehow holding me back from finding work I can finally enjoy? Am I holding myself back, or is this kind of job exactly what someone like me deserves?
I don’t want to do this anymore.
Argh. Well, back to trying to hack something functional out of this pile of crap before I go to bed. Rent isn’t free after all, and only the movie critics get paid to bitch.
Syndicated 2007-11-29 08:24:08 from Sean Middleditch