- dunkrez
- spunwicked
So this week I finished building a very robust admin system for a mid-sized firm, designed to make the processing of their orders a lot easier.
Orders for their products can be taken online once they have been registered by their owner, but for those people that want to pay over the phone, a separate interface was built so that their admin team could place orders manually. Each of this firm's products has a unique code which must be supplied upon registering. It's a good system they have in place with MySQL database back end server side validation and lots of regular expressions to ensure nobody puts data where it shouldn't be via their secure online admin area.
When a product is successfully registered or a manual order is placed, a report is generated which is then sent on to the sales team and management. If it's a manual order and the customer hasn't registered, then the system automatically registers them. If a customer has previously registered and has placed a manual order, the system flags this up so that they can be double checked for security reasons.
I got a phone call from a member of their management team this week explaining that they weren't receiving the manual order auto-emails.
💡 So I checked over the code. Nothing wrong there. Performed some tests. Still nothing. Management confirmed they were receiving the test emails, so the matter was closed.
Then today, management got back in touch to explain they were experiencing the same issue as before. No automated emails from the manual order system.
Worse still, management forwarded one of the manual order auto-emails over to me and there was no postcode field filled in, and some fields contained data that defied the regular expressions that were being used.
I logged onto their web server and looked through the database registrations table and there wasn't even an entry with the unique ID each product has. How was this possible? I was getting edgy.
I thought, "Mother of god, what have I built?" How is this genius hacker from admin able to circumvent my ajax server side reg ex validation scripts and get the auto-emailer to work totally foobarring my DB insertion scripts?
I decided to dig a little deeper.
I called their company's admin up and asked to speak to whoever was registering these mysterious products.
Me: "Hi Mandy, this is Spun calling from Mr.Potatoes Web Firm"
Mandy: "Hi Spun, how can I help you?"
Me: "I just wanted to run through your manual product ordering system with you to check out these errors that keep cropping up."
Mandy: "Okay."
Me: "Please could you begin by giving me a brief run down of how you are adding manual orders?"
Mandy: "Sure Spun."
Mandy: "I click on the order form and then I press delete, then edit the fields, then send the email."
Me: "Huh?"
Mandy: "I am editing the right bits aren't I?"
Me: "Are you using the address to log in that was sent to you?"
Mandy: "I click onto Outlook, and open the order email, change it and then send it."
Me: *By Christ*
Me: "I'm going to send you a link via email, please can you stay on the line and tell me when you have got it."...
And that was that. A firm spends thousands on having a simple to use and comprehensive system put in place and Mandy from admin thinks it was just an email she edited and forwarded on. She now knows what she's doing. Well, we can hope.
Personally, I'm surprised she knows how to switch her PC on.
Anyone else have any stuuuuupid customer stories to share?