throwaway to hide my deep shame

14) Having to explain to my employers what JSON is and why it's better than the weird CSV-like serialization format they just invented to pass things around because they don't know what AJAX is, then watching them reject it entirely because JSON looks too complicated and go with their thing, which proceeds to break the site in weird ways because they're dropping user data and queries from the database (which is not, mind you, even remotely optimized) directly into PHP generated javascript functions and surprise, surprise, shit gets messy.

14.5) Having to explain to them once they discover AJAX that writing to the database with it is a bad idea when there's no real authentication for the requests. And that, no, POST isn't somehow 'more secure'.

14.5b) Writing a barebones JSON API for them and watching their eyes glaze over when I explain what it is and why it's a good idea.

15) Writing a session-based login for them because up until that point, you could authenticate as any user by storing their username in a cookie (because "authentication" was, literally, "do they have a cookie with a username? Ok."). Because my code caused people to log in every few hours the site was considered "unusable" from a user experience standpoint and the code was rejected entirely, and rewritten from scratch, and then when they couldn't get it to work the entire concept of session-based logins was considered "impossible." Any future user authentication is planned to be handled using, and this is a paraphrase from the 'CEO', "if statements and hiding javascript or something."

16) Explaining why using mail() to send emails from a shared server account to maybe every email address in the database might not be the best use of the limited resources we have but being told to add a mailer to the site anyway because it creates a more unified user experience. Bear in mind - nobody is paying us for anything.

17) Pointing out that using usernames as primary keys is a bad thing. There are no foreign keys - usernames are just copied as strings where relevant. Some usernames have spaces in them. These are also echoed into javascript and passed back as function parameters. To say there are occasional issues with double-escaping and encoding would be an understatement.

18) Pointing out that encrypting passwords is actually not that great an idea and that being able to log in as an arbitrary user with nothing but javascript is actually a bad thing and being sorry I ever showed them that because now it's apparently an indispensable part of the admin control panel.

19) Oh yes - the only way to develop is on the live server with FTP. Version control is asking if anyone is working on the file you want to edit first.

19.5) Includes including includes including includes. Including css. Because all of the css and javascript is inline and half generated on the server. Many stalwart souls have tried to chart it out, all have failed.

20) Dealing with a pathological fear and mistrust of third party libraries. If we can't write it ourselves then it probably won't be written. The rationale for this is not having to deal with code they don't understand and that might not be supported in the future. Never mind the time they're wasting discovering half-assed ways of implementing things there are already tested solutions for, and the fact that their understanding is rudimentary at best.

And at another job I was told to manually audit our database against a parts database because our boss didn't "trust the algorithms." I was fired after this took longer than he expected.
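The flaw in item 15 (a cookie that merely names a user is treated as proof of identity) beside the server-side session login that replaces it, as an added Python example that is not code from the post or from the site it describes. The in-memory stores, function names and the one-hour idle timeout are assumptions; the sliding renewal shows how the "logged out every few hours" complaint can be met without going back to trusting the cookie.

```python
import secrets
import time

# Constructed in-memory store for the example; a real site would keep this
# in a database or session backend.
SESSIONS = {}           # opaque session id -> {"user": str, "expires": float}
SESSION_TTL = 3600.0    # idle timeout in seconds (assumed value)


def current_user_cookie_only(cookies):
    """The pattern from the post: whatever username sits in the cookie IS
    the identity.  Nothing was ever issued by the server, so any visitor
    who sets Cookie: user=<name> is treated as that account."""
    return cookies.get("user")


def login(username, now=None):
    """Called only after the password check has passed (omitted here).
    Issues an unguessable 256-bit random id; the username stays server-side
    and never appears in the cookie."""
    if now is None:
        now = time.time()
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid  # the value a real response would set as an HttpOnly cookie


def current_user_session(cookies, now=None):
    """Resolve the cookie to a user through the server-side table.
    A forged, unknown or expired id yields None.  A valid id renews the
    idle timeout, so active users stay logged in while abandoned sessions
    still die after SESSION_TTL of inactivity."""
    if now is None:
        now = time.time()
    sid = cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now > sess["expires"]:
        SESSIONS.pop(sid, None)   # expired: discard and force a fresh login
        return None
    sess["expires"] = now + SESSION_TTL   # sliding expiry
    return sess["user"]


def logout(cookies):
    """Invalidate server-side; clearing the cookie alone would not be enough."""
    SESSIONS.pop(cookies.get("sid", ""), None)
```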
> 19) Oh yes - the only way to develop is on the live server with FTP. Version control is asking if anyone is working on the file you want to edit first.