We have a new web-based client portal application we are going to use for my company extranet. However, because it was originally designed to be a hosted application, there are several variables involved in all areas that don’t apply to us, since we host it ourselves.
When using said portal, every URL looks something like:
domain.com/login.aspx?QS=jasbndfiaubnfoaeuifwoeifbwfe
The only difference is that the “QS” GET variable is even longer. I made the request of our developers to get rid of this query string for the login page, and the login page only. This is what that code looks like in PHP, inserted at line 1.
if(!$_GET['QS']) { $_GET['QS'] = 'jasbndfiaubnfoaeuifwoeifbwfe'; } |
That’s it. One line of code. In ASP.net, this cost me 3 hours of developer time. THREE hours.
Then I asked our old developers to make a change to their code. It was doing a check in login if they are customers from the new app or the old one. If they are old, it processes the login. If it’they are new, it gives them an error message. So I said, instead of giving them the error, let’s redirect them to /new-directory/login.aspx?email=[base64_encoded email]&password=[base64_encoded password].
This is that code in PHP:
if($is_new) { header("Location: /newdirectory/login.aspx?email=" .base64_encode(stripslashes($_POST['email'])) . "&password=" .base64_encode(stripslashes($_POST['password']))); } else { //process login } |
This cost me 2 hours at $165. Am I getting taken for a ride? I keep telling them – this would take 30 seconds in PHP. And they tell me, yes but ASP.net doesn’t work that way, and we need to change the web.config, and we need to recompile the entire site, etc, etc. If it were just one vendor, I’d be more suspicious, but two separate, unrelated developers are giving me crazy quotes like this.
I hear people bitch about PHP online ad nauseum. Every time I see real code, it appears PHP is FAR faster and far more friendly when it comes to customization.
asp.net:
string QS = Request.QueryString[“QS”] ?? “some Default String”;
As for the 2nd part, there is no reason why they should need to modify the web.config. If they are using codebehind then yes a recompile is necessary (though it should take seconds to compile and deploy). The bigger question is why are you passing sensitive info w/o salting in addition to the base64 encoding otherwise doing a dictionary attack is very easy. Regardless, if you needed to do that in asp.net (psuedocode):
if (IsNew)
byte[] dataBytes = new byte[yourString.Length];
databytes = System.Text.Encoding.UTF8.GetBytes(yourString);
string encodedString = Convert.ToBase64String(encData_byte);
Hardly what I’d call rocket science. You’re getting fed BS.
This particular login is a VERY temporary conversion code. Bu it seemed odd how long the quotes were, both from different vendors.
Is it customary for web developers to pad their quotes like this?
Heh, the first thing I thought about when you mentioned padded quotes was SQL.
Regardless, I have no idea…I’m sure there are plenty of not so honest web devs who will try to take advantage of folks. What I find very odd is that you did the right thing by getting multiple quotes, but they were all high. Very strange indeed. Maybe they’re all in cahoots together, running up an asp.net racket ;-).
If you’d like to continue this conversation offline, I’d be happy to tell you what I think an honest quote would be for the work you were looking to get done (I’m not looking for work, however I’d like to help out if it means saving you some money).
It’s pretty typical, I’m going to feed you whatever BS I can and charge whatever I feel you’re capable of paying.
Same thing applies in PHP as well, I charged another client $2,000 to write one line of code.
I used to sell used cars in my prior life, so that helps heh.