Langbahn Team – Weltmeisterschaft

Hard coding

Hard coding (also hard-coding or hardcoding) is the software development practice of embedding data directly into the source code of a program or other executable object, as opposed to obtaining the data from external sources or generating it at runtime.

Hard-coded data typically can be modified only by editing the source code and recompiling the executable, although it can be changed in memory or on disk using a debugger or hex editor.

Data that is hard-coded is best suited for unchanging pieces of information, such as physical constants, version numbers, and static text elements.

Softcoded data, on the other hand, encodes arbitrary information through user input, text files, INI files, HTTP server responses, configuration files, preprocessor macros, external constants, databases, command-line arguments, and is determined at runtime.

Overview

Hard coding requires the program's source code to be changed any time the input data or desired format changes, when it might be more convenient to the end user to change the detail by some means outside the program.[1]

Hard coding is often required, but can also be considered an anti-pattern.[2] Programmers may not have a dynamic user interface solution for the end user worked out but must still deliver the feature or release the program. This is usually temporary but does resolve, in a short term sense, the pressure to deliver the code. Later, softcoding is done to allow a user to pass on parameters that give the end user a way to modify the results or outcome.

The term "hard-coded" was initially used as an analogy to hardwiring circuits - and was meant to convey the inflexibility that results from its usage within software design and implementation. In the context of run-time extensible collaborative development environments such as MUDs, hardcoding also refers to developing the core engine of the system responsible for low-level tasks and executing scripts, as opposed to softcoding which is developing the high-level scripts that get interpreted by the system at runtime, with values from external sources, such as text files, INI files, preprocessor macros, external constants, databases, command-line arguments, HTTP server responses, configuration files, and user input. In this case, the term is not pejorative and refers to general development, rather than specifically embedding output data.

Hardcoding and backdoors

Hardcoding credentials is a popular way of creating a backdoor. Hardcoded credentials are usually not visible in configuration files or the output of account-enumeration commands and cannot be easily changed or bypassed by users. If discovered, a user might be able to disable such a backdoor by modifying and rebuilding the program from its source code (if source is publicly available), decompiling, or reverse-engineering software, directly editing the program's binary code, or instituting an integrity check (such as digital signatures, anti-tamper, and anti-cheat) to prevent the unexpected access, but such actions are often prohibited by an end-user license agreement.

Hardcoding and DRM

As a digital rights management measure, software developers may hardcode a unique serial number directly into a program. Or it is common to hardcode a public key, creating the DRM for which it is infeasible to create a keygen.

On the opposite case, a software cracker may hard-code a valid serial number to the program or even prevent the executable from asking the user for it, allowing unauthorized copies to be redistributed without the need of entering a valid number, thus sharing the same key for every copy, if one has been hard-coded.

Fixed installation path

If a Windows program is programmed to assume it is always installed to C:\Program Files\Appname and someone tries to install it to a different drive for space or organizational reasons, it may fail to install or to run after installation. This problem might not be identified in the testing process, since the average user installs to the default drive and directory and testing might not include the option of changing the installation directory. However, it is advisable for programmers and developers not to fix the installation path of a program, since the default installation path depends on the operating system, OS version, and sysadmin decisions. For example, many installations of Microsoft Windows use drive C: as their primary hard disk, but this is not guaranteed.

There was a similar issue with microprocessors in early computers, which started execution at a fixed address in memory.

Startup disk

Some "copy-protected" programs look for a particular file on a floppy disk or flash drive on startup to verify that they are not unauthorized copies. If the computer is replaced by a newer machine, which doesn't have a floppy drive, the program that requires it now can't be run since the floppy disk can't be inserted.

This last example shows why hard coding may turn out to be impractical even when it seems at the time that it would work completely. In the 1980s and 1990s, the great majority of PCs were fitted with at least one floppy drive, but floppy drives later fell out of use. A program hard-coded in that manner 15 years ago could face problems if not updated.

Special folders

Some Windows operating systems have so called Special Folders which organize files logically on the hard disk. There are problems that can arise involving hard coding:

Profile path

Some Windows programs hard code the profile path to developer-defined locations such as C:\Documents and Settings\Username. This is the path for the vast majority of Windows 2000 or above, but this would cause an error if the profile is stored on a network or otherwise relocated. The proper way to get it is to call the GetUserProfileDirectory function or to resolve the %userprofile% environment variable. Another assumption that developers often make is assuming that the profile is located on a local hard disk.

My Documents folder path

Some Windows programs hardcode the path to My Documents as ProfilePath\My Documents. These programs would work on machines running the English version, but on localized versions of Windows this folder normally has a different name. For example, in Italian versions the My Documents folder is named Documenti. My Documents may also have been relocated using Folder Redirection in Group Policy in Windows 2000 or above. The proper way to get it is to call the SHGetFolderPath function.

Solution

An indirect reference, such as a variable inside the program called "FileName", could be expanded by accessing a "browse for file" dialogue window, and the program code would not have to be changed if the file moved.

Hard coding is especially problematic in preparing the software for translation to other languages.

In many cases, a single hard-coded value, such as an array size, may appear several times within the source code of a program. This would be a magic number. This may commonly cause a program bug if some of the appearances of the value are modified, but not all of them. Such a bug is hard to find and may remain in the program for a long time. A similar problem may occur if the same hard-coded value is used for more than one parameter value, e.g. an array of 6 elements and a minimum input string length of 6. A programmer may mistakenly change all instances of the value (often using an editor's search-and-replace facility) without checking the code to see how each instance is used. Both situations are avoided by defining constants, which associate names with the values, and using the names of the constants for each appearance within the code.

One important case of hard coding is when strings are placed directly into the file, which forces translators to edit the source code to translate a program. (There is a tool called gettext that permits strings to be left in files, but lets translators translate them without changing the source code; it effectively de-hard codes the strings.)

Hard coding in competitions

In computing competitions such as the International Olympiad in Informatics, contestants are required to write a program with specific input-output pattern according to the requirement of the questions.

In rare cases where the possible number of inputs is small enough, a contestant might consider using an approach that maps all possible inputs to their correct outputs. This program would be considered a hard-coded solution as opposed to an algorithmic one (even though the hard-coded program might be the output of an algorithmic program).

Softcoding

Softcoding is a computer coding term that refers to obtaining a value or function from some external resource, such as text files, INI files, preprocessor macros, external constants, configuration files, command-line arguments, databases, user input, HTTP server responses. It is the opposite of hardcoding, which refers to coding values and functions in the source code.

Programming practice

Avoiding hard coding of commonly altered values is good programming practice. Users of the software should be able to customize it to their needs, within reason, without having to edit the program's source code. Similarly, careful programmers avoid magic numbers in their code, to improve its readability, and assist maintenance. These practices are generally not referred to as softcoding.

The term is generally used where softcoding becomes an anti-pattern. Abstracting too many values and features can introduce more complexity and maintenance issues than would be experienced with changing the code when required. Softcoding, in this sense, was featured in an article on The Daily WTF.[3]

Potential problems

At the extreme end, soft-coded programs develop their own poorly designed and implemented scripting languages, and configuration files that require advanced programming skills to edit. This can lead to the production of utilities to assist in configuring the original program, and these utilities often end up being 'softcoded' themselves.

The boundary between proper configurability and problematic soft-coding changes with the style and nature of a program. Closed-source programs must be very configurable, as the end user does not have access to the source to make any changes. In-house software and software with limited distribution can be less configurable, as distributing altered copies is simpler. Custom-built web applications are often best with limited configurability, as altering the scripts is seldom any harder than altering a configuration file.

To avoid softcoding, consider the value to the end user of any additional flexibility you provide, and compare it with the increased complexity and related ongoing maintenance costs the added configurability involves.

Achieving flexibility

Several legitimate design patterns exist for achieving the flexibility that softcoding attempts to provide. An application requiring more flexibility than is appropriate for a configuration file may benefit from the incorporation of a scripting language. In many cases, the appropriate design is a domain-specific language integrated into an established scripting language. Another approach is to move most of an application's functionality into a library, providing an API for writing-related applications quickly.

See also

References

  1. ^ Elfriede Dustin (2002). Effective Software Testing: 50 Specific Ways to Improve Your Testing. Addison-Wesley Professional. pp. 188–. ISBN 978-0-201-79429-8.
  2. ^ Tanya Janca (14 October 2020). Alice and Bob Learn Application Security. Wiley. pp. 15–. ISBN 978-1-119-68740-5.
  3. ^ Softcoding from The Daily WTF