Insecure Script and fixed price contract

Ryan M Member Since: Mar 31, 2014
1 of 2
Looking for advice on how I can handle this situation. I already have an image rating site where you select 1-10 and it tells you what the new average score is after voting. There is no backend for the script, so I thought I'd have someone put WordPress behind it as a content management system. I set up a fixed-price contract on oDesk and found someone I thought was capable of doing the job. They shot me a message a week later saying to check the work. I looked at it and it was a total hack job: they had just bought and used an image rating plugin, which wouldn't be a big deal if they could set it up like the old site. I asked them to mimic the functionality of the old site (sort by highest rated, lowest rated, and random) with the current image in the middle, a thumbnail on the left to show the image that was previously voted on, and a thumbnail of the next upcoming image.

He finally completes the work and I take a look at it again. I notice all the voting values being passed to the database are right there in the JavaScript and point out that this allows people to modify the value of a vote. He tells me I am wrong, so I use Inspect Element and change the value of a vote to equal 1000000 votes and hit the vote button. I do this to a few images so they all have huge values, and he acknowledges that he was wrong. I tell him there needs to be a server-side check after the value of the vote is posted to make sure it's within 1-10. He says OK and I don't hear from him for a few days. He sends me a message saying the work is completed and I take a peek. They inserted a jQuery script to check the value to make sure it's within 1-10, but obviously, being on the front end, this is not a real solution to the problem because I can then just use Inspect Element on that to remove it. I tell him that I can still modify the value of the votes and he throws a tantrum, telling me that nobody is going to hack it and that he wants his payment.

I then ask him some questions and can tell he doesn't know anything about development and he's obviously not even the person doing the work. I confront him about this and he confesses that it's his "team" doing the work. I told him I already had a working system that was secure and that I don't want to pay for something that's worse off than what I started with. He wants payment, but I'm not going to pay for something that I can't use because his script is so insecure and he says it is "impossible" to secure.

TL;DR: Contractor wrote very insecure code and wants payment. It's easily hackable, but he says that is not his concern. I already have a site with a working script and just wanted someone to put WP behind it for a content management system.
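The check the original poster is asking for, as an added example that is not the contractor's code, the original site's script, or any WordPress code: the server parses the posted vote itself and rejects anything that is not an integer from 1 to 10, so editing the form value to 1000000 in Inspect Element, or removing the jQuery check, changes nothing on the server. The in-memory `store`, the `castVote`/`parseVote` names and the rounding to two decimals are assumptions for this example; in a WordPress build the same validation belongs in the PHP handler that receives the vote, not in any script shipped to the browser.

```javascript
// Added example: server-side vote validation for a 1-10 image rating.
// Nothing the browser sends is trusted; the running sum, count and
// average exist only on the server (here: an in-memory store standing in
// for the database, an assumption of this example).
const MIN_VOTE = 1;
const MAX_VOTE = 10;

// Turn the raw posted value into an integer in [MIN_VOTE, MAX_VOTE], or
// null if it is anything else. Form and AJAX bodies arrive as text, so
// strings are accepted, but only the literal forms "1".."10": no floats,
// no "1e3", no leading zeros, no arrays/objects from a JSON body.
function parseVote(raw) {
  if (typeof raw !== 'string' && typeof raw !== 'number') return null;
  const s = String(raw).trim();
  if (!/^(10|[1-9])$/.test(s)) return null;
  const n = Number(s);
  return n >= MIN_VOTE && n <= MAX_VOTE ? n : null;
}

function createStore() {
  return { images: Object.create(null) };
}

function addImage(store, imageId) {
  store.images[imageId] = { sum: 0, count: 0 };
}

// Record one vote. The client supplies only an image id and a raw vote;
// the new average is computed from server-held totals, never from a
// client-supplied "current average".
function castVote(store, imageId, rawVote) {
  const vote = parseVote(rawVote);
  if (vote === null) {
    return { ok: false, error: `vote must be an integer between ${MIN_VOTE} and ${MAX_VOTE}` };
  }
  const img = store.images[imageId];
  if (img === undefined) {
    return { ok: false, error: 'unknown image' };
  }
  img.sum += vote;
  img.count += 1;
  return {
    ok: true,
    count: img.count,
    average: Math.round((img.sum / img.count) * 100) / 100,
  };
}

// Stand-alone demo: a legitimate vote, then the tampered request from the
// post (value changed to 1000000 in the browser), then another legitimate one.
const demo = createStore();
addImage(demo, 'sunset');
console.log(castVote(demo, 'sunset', '7'));        // ok, average 7
console.log(castVote(demo, 'sunset', '1000000'));  // rejected by the server
console.log(castVote(demo, 'sunset', '3'));        // ok, average 5

module.exports = { parseVote, createStore, addImage, castVote, MIN_VOTE, MAX_VOTE };
```

The regex does the real work: it only matches the ten strings "1" through "10", so values such as "0", "11", "7.5", "1e3" or a negative number never reach the arithmetic. Because the average is recomputed from the server-side `sum` and `count`, a tampered request cannot push a score outside the 1-10 range even if it were somehow accepted; the parse step just makes sure it is not.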
Miko Gandhi P Member Since: Nov 1, 2014
2 of 2

Provided that you already have a working script and all you need is to integrate a WordPress CMS, they don't need to redo the image rating script; they can integrate your existing one into the WordPress setup. There is a WP feature where you can integrate custom pages into WordPress; another option would be to convert your existing script into a plugin.
