The interview went well, but I had a decidedly uneasy feeling about it. It would be me, the owner, and a 17-year-old who's getting paid $7.50 an hour to program. The code is awful, and when he showed me their hand-rolled HTML templating system that they've been selling for years, I started asking some questions.
"Where does that variable come from?"
"From an HTML form submitted by the user."
"And you're inserting it directly into the SQL?"
"Have you heard of an SQL injection attack?"
At this point, the interviewer gives me a funny look and tells me that they just discovered this security hole. Apparently, they've been selling this product for years, but never knew about this. Here I am, looking at this unknown language for just a few seconds and I see it.
So he decides to show me something else. As he's scrolling through the page, I ask him if I can look at the top of the document again. The syntax is pretty clear and it looks like the page sets a variety of cookies. Some of the cookie names suggest that sensitive information is being stored (I don't say that, though). I ask him if the page is setting multiple cookies and he replies "yeah, we should probably just set a session id."
A couple of minutes looking at two documents in an unknown language and I'm seeing security holes left and right. Then he shows me some of the regular expressions they use to parse HTML ...
- At best, a 10K pay cut
- No vacations (he says he can't afford it)
- Terrible, terrible code (he admitted this freely)
- My backup programmer is a 17-year-old who wrote much of what I've just described
- Even in the interview, he was taking swipes at Democrats left and right
- He said he may not want to do business with French companies for political reasons
I don't think I will get the job offer due to my politely balking at the pay (at first, he was talking about a pay cut of over $20,000 per year), but I'll have to turn it down if it comes. Damn. I can live on unemployment if I have to. At least then I could get back to writing for a while.