
#fakecode

Unless you've managed to somehow filter out everything about US politics over the last few months (and if you have, please let me know your secret), then you've likely heard about "fake news".  From a high level, my basic understanding of "fake news" is that it refers to stories or websites that are fabricated to advance the political beliefs and/or ideologies of one side or the other.  Your definition may differ.

So what is fake code?  That, I can at least try to explain in a bit more detail.

The other day, I saw this image posted on Kris Rice's twitter feed:



I thought it was a joke, but it's actually a real book. That made me laugh.  Then cry.  Then I read the book, mainly since it's only 4 pages.  Believe it or not,  there's actually some really good content packed in there.  Let me summarize:

If you choose to copy code from Stack Overflow, the OTN forum, or anywhere, really, there are a few things to keep in mind:


  1. Who owns the code.  It's more than likely perfectly legal to copy and use the code you find on these sites "as is", but keep in mind there may be exceptions to this rule.  The first page in the booklet offers some insight as to what they are.
  2. Who gets credit for the code.  While not required, it's a good idea to credit the author of the snippet that you used.  This is not just courteous, but also provides a reference back to the source of the code, so when it breaks, you know where to start looking.  Which brings me to the third and most important thing to consider:
  3. How good is the code. Unfortunately, there is no easy way to verify this.  You can look at the number of up votes for a specific response, but even that can be easily faked - or more likely, just be wrong because it is based on an older version.

The first two issues don't concern me all that much, as the first is rarely an issue and the second is simple to solve.  The third however, does concern me a lot.  FAKE code - where FAKE stands for Found Another Killer Example (yes, I made that up) - is fast becoming the way that we develop solutions.  Simply enter in some string of what you're trying to do into Google, and a set of possible solutions will magically appear on the page.

With very little effort, you can copy & paste that snippet into your application, run it, and if it works, then your job is done and you're a hero.  If it doesn't, some more searching and some more tinkering is in order.  Maybe it's a 15 minute task instead of a 5 minute one.  But that doesn't matter, as what you were asked to do is done, and you can move on to the next problem.

There are definitely some problems with this approach.  If you don't understand what the code is doing, who is going to fix it when it breaks?  And it will break at some point.  As other libraries or components get upgraded and/or browser versions change, code will eventually break - usually at the worst possible time.

If you get lucky, and it doesn't break, then who is going to change how it works when the users come up with new requirements?  If you don't have a full grasp as to what it does or how it does it, then you'll have little success in changing how it works.

And just because there's a solution, does it mean that it is the best, most secure, most performant solution?  It may work fine for a single user on a development environment, but what happens when it's implemented in the real world?  This is especially a concern when you're implementing something in a language that you're not as proficient in, as you won't be able to readily spot bad practices.

In no way am I saying that any of these sites are bad, nor saying don't use them.  I use them all of the time to find solutions to problems and contribute solutions, as do many others.  They are all a valuable resource that makes our jobs a lot easier to do.

What I do want to emphasize is that when you do use any site that presents a solution or code snippet, be sure to not only vet the solution, but also ensure that you completely understand how it works, and be ready to fix it if it breaks.  If you can't do either of these things easily, then perhaps it's best to find an alternate solution to your problem - one that you can understand and maintain.

FAKE code is a real danger to any development project.  Sprinkle enough of it around, and you're essentially creating a ticking time bomb that's just waiting to explode.  But FAKE code can be spotted and stopped fairly easily: Document the source of any snippet or blog you use.  Take the time to learn what it does line-by-line, and document that, too.  Be ready to support it in case it breaks.  And if you're not comfortable doing so, have alternative resources lined up or at least identified.

Together, with a little bit of work, we can stop the FAKEcode epidemic.

Comments

Karen said…
Right on. If you cut/paste and use it, take the time to
a) Learn what it really does
b) Document where you got it from and what you think it does (since you probably skipped a)
c) Test it!!
This is common sense, but from experience that gets lost a lot too.
Thank you Scott!

Scott said…
Common sense is a commodity that is in scarce supply these days.

- Scott -
