Tuesday, July 20, 2010

One of the classic bug reports of all time


So, later on in the afternoon yesterday, I got a bug report. It came from Marina here at work. Something like 2.5 years ago, I wrote a piece of software for our media partners which delivers advertisement campaign reports, according billing information, and facilitates requests for "advertising cap increases".

Our advertisement program works on a pre-paid basis. It is one of the key reasons we are still afloat in these dark economic times. Mortgage companies need to pay us upfront before we begin advertising their 'financial products'. They give us a corporate credit card, we bill them, the money hits our bank account, we begin metering out advertisement rotations to them. We never get cheated. That is why we still live.

This brings us to the subject of "advertising cap increases". I constructed a very simple .ASPX page which allows an authenticated, permission rich user to request a fresh billing of those corporate credit cards. Of course, this uses https super-secure sockets, and 128 bit encryption.

I was a little flummoxed that a problem had arisen. The app is deadly simple, not rocket science by any means, and it had been functioning flawlessly for 2.5 years. Nobody every complained. More than 6,000 billing requests had been made (according to the log) without error over the past 2+ years.

Of course, my thinking was typical of most programmers in this situation. What happened? What changed? Who changed some server or system security setting(s). My code has not been altered in 2.5 years so some externalities must be impacting my system.

I went over to talk to Marina and we went through the steps of recreating the error. She spotted the problem before I did. The almighty user who has the authority to order cap increases needs to provide us with an email address. This is partially for authentication, and partially for notification. We notify the almighty one when his or her corporate card has been charged, we notify of the billing results, we notify when the advertisement rotations increase, begin again, or cease.

Guess what the almighty one typed in for his (and it was a him) email address? He put in http://www.bgnobgno.com. The URL has been changed to protect the guilty, in this case. As you can see, this is not an email address. This is a web address. There is a difference between a eMail address and a URL, just as surely as there is a difference between a mail server and an http server.

Marina quickly changed the web URL to the proper eMail address. She had the eMail address because the almighty one had been sending her complaints about my web work. Marina is a Capricorn (yeah!) and she is good at handling the organizational politics of an embarrassing user error like this one. As a tactless, blunt and factual Virgo, I would have simple sent him a short mail telling him he put his website were his email should have gone. You complained about me too! Embarrassing aye?

She will find a nice way to smooth this over without alienating or embarrassing a paying client.

Anyway, this event served as a reminder of why I am so damn bored around here all the time, and yet still employed. I wrote some pretty good software in the first 18 active months I was here. I wrote at least 3 small apps that are continuously pumping money into the corporate coffers. That is not exceptional for a corporate programmer. That is the way it should be. I am not boasting about that.

What I am boasting about is that my software has been clicking away flawlessly for some 30 months without error, and it took a nice dumb error on the part of a user to produce a failure. I would say that this is an example of the "Do it once and do it right" mentality I love, except for one little nasty little fly in the ointment.

It would appear that my input validation failed in this case. I used simple JavaScript to validate the User's inputs in this case. I chose a routine that was recommended by Google Codeplex some 4 years ago. I did not write the JS myself. It would appear that this smart little piece of code is just too smart. It does more than I originally thought it would. It will parse FTP addresses, email addresses, and URLs. It will tell you if your string conforms to any of these specs.

Of course, this is not what I had in mind. I wanted to validate eMail and just eMail. Only this and nothing more. I don't want a boolean true value when a URL is entered. I am going to have to fix that code.