Code review

A company is evaluating financial software from three different vendors, and one of the reviews is assigned to this pilot fish.

"The one I was given to look at was originally written for Microsoft SQL Server, but was recently ported to Oracle," fish says. "All the source code was provided, along with a non-disclosure agreement, of course.

"It relied heavily on a large number of database-compiled PL/SQL packages and stand-alone procedures/functions, which is usually a good design. All the SQL needed was embedded in the database, and the front-end only needed to call these routines."

But as fish quickly discovers when he peruses the source code, all those packages have been compiled under the SYSTEM schema, which means they're running with almost all available administrative privileges.

Fish knows how much power that gives this standalone application -- its routines can take complete control of the database management system.

That makes it one of the worst design decisions the programmers who ported the application could have made.

"This is the sort of design error I would expect a SQL Server programmer to make, since they wouldn't be aware of how Oracle databases are organized," says fish. "The vendor made the mistake of hiring a consulting company to port their software -- one that apparently knew very little about Oracle."

That's not all. The PL/SQL code looks like it was written by a junior-level programmer, using inefficient row-by-row cursor loops where a single set-based SQL statement would have done the job faster.
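The contrast fish is describing, as an added illustration (not code from the vendor's product): a row-at-a-time cursor loop beside the set-based statement that replaces it. The table `accounts` and its columns are assumed for the example.

```sql
-- Row-by-row cursor loop: one UPDATE round trip per row, plus context switches
-- between the PL/SQL engine and the SQL engine for every iteration.
BEGIN
  FOR r IN (SELECT account_id, balance
              FROM accounts
             WHERE status = 'OPEN') LOOP
    UPDATE accounts
       SET balance = r.balance * 1.01
     WHERE account_id = r.account_id;
  END LOOP;
  COMMIT;
END;
/

-- Set-based equivalent: one statement, one pass over the table, same result.
UPDATE accounts
   SET balance = balance * 1.01
 WHERE status = 'OPEN';
COMMIT;
```

The loop version also reads each row's balance before writing it, so a concurrent change to that row between the SELECT and the UPDATE is silently overwritten; the single UPDATE does not have that window.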

But it might still be salvageable, fish thinks. He decides to try porting the application to a different schema with just the minimum number of system and object privileges needed. How hard could that be?

It doesn't take long for him to find out. It seems the SYSTEM schema qualifier is used everywhere, both in the front-end and back-end code. Cleaning up all that over-privileged code will be a monumental task.
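What the least-privilege port fish attempted would look like, as an added example rather than anything from the vendor's code: a dedicated owner schema holds the tables and PL/SQL, a separate runtime schema that the front-end connects as gets nothing but EXECUTE on the API, and a synonym removes the need for a hard-coded schema qualifier in callers. The names `fin_owner`, `fin_app`, `accounts` and `ledger_api` are assumed, the passwords are placeholders, and the script is run once by a DBA at deployment time.

```sql
-- Weak layout found in the port (for contrast only): application packages
-- compiled under SYSTEM inherit that schema's administrative privileges.
--   CREATE OR REPLACE PACKAGE SYSTEM.ledger_api AS ... END;

-- Corrected layout.
-- 1. Owner schema: holds tables and compiled code. Only the system privileges
--    needed to create its own objects; no DBA role, no *ANY* privileges.
CREATE USER fin_owner IDENTIFIED BY "<placeholder-strong-password>";
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE, CREATE SEQUENCE TO fin_owner;
ALTER USER fin_owner QUOTA 500M ON users;

-- 2. Runtime schema: what the front-end logs in as. It can open a session and
--    nothing else until an object privilege is granted below.
CREATE USER fin_app IDENTIFIED BY "<placeholder-strong-password>";
GRANT CREATE SESSION TO fin_app;

-- 3. Objects live in fin_owner. AUTHID DEFINER (the default) means the package
--    runs with fin_owner's privileges, which reach only fin_owner's own tables.
CREATE TABLE fin_owner.accounts (
  account_id NUMBER        PRIMARY KEY,
  balance    NUMBER(14,2)  NOT NULL,
  status     VARCHAR2(10)  NOT NULL
);

CREATE OR REPLACE PACKAGE fin_owner.ledger_api AUTHID DEFINER AS
  PROCEDURE post_interest(p_rate IN NUMBER);
END ledger_api;
/
CREATE OR REPLACE PACKAGE BODY fin_owner.ledger_api AS
  PROCEDURE post_interest(p_rate IN NUMBER) IS
  BEGIN
    -- Unqualified table name resolves within the owner schema, so no
    -- SYSTEM.<table> references are needed anywhere in the package.
    UPDATE accounts
       SET balance = balance * (1 + p_rate)
     WHERE status = 'OPEN';
  END post_interest;
END ledger_api;
/

-- 4. The single object privilege the runtime schema receives. It cannot
--    SELECT from or UPDATE fin_owner.accounts directly.
GRANT EXECUTE ON fin_owner.ledger_api TO fin_app;

-- 5. Private synonym so the front-end calls ledger_api.post_interest(...)
--    without a schema qualifier; moving the owner later changes one line here.
CREATE OR REPLACE SYNONYM fin_app.ledger_api FOR fin_owner.ledger_api;
-- From a fin_app session:  EXEC ledger_api.post_interest(0.01);

-- 6. Checks a reviewer can run afterwards.
-- Nothing application-related should be compiled under SYSTEM:
SELECT object_type, object_name
  FROM dba_objects
 WHERE owner = 'SYSTEM'
   AND object_type IN ('PACKAGE', 'PACKAGE BODY', 'PROCEDURE', 'FUNCTION')
 ORDER BY object_type, object_name;

-- The owner schema should list only the four privileges granted above:
SELECT privilege FROM dba_sys_privs WHERE grantee = 'FIN_OWNER' ORDER BY privilege;

-- The runtime schema should hold exactly one object privilege, EXECUTE on the API:
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'FIN_APP';
```

The cost fish ran into is visible in step 5: it only pays off if every `SYSTEM.` qualifier in the front-end and back-end code has first been removed, which is the monumental task he describes.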

"And it really wasn't my job to rewrite a badly written port of someone else's application," fish adds.

"I completed my evaluation, and let my boss know we should give this product a pass."

Pass your true tale of IT life on to Sharky. Send me your story at sharky@computerworld.com. You'll get a stylish Shark shirt if I use it. Comment on today's tale at Sharky's Google+ community, and read thousands of great old tales in the Sharkives.
