A Rather Curious Pattern

2008-05-12

by Alex Papadimoulis in CodeSOD (104 Comments)

"While exploring a rather large PHP codebase at my new job," Anthony C writes, "I kept coming across a rather curious pattern from the previous developers:

src="content.php?NoCache=<?php $random = make_random_code(); echo("$random"); ?>"

"Clearly, it was just being used to prevent 'content.php' (or whatever page) from being cached, so I never bothered looking into it any further. Eventually though, curiousity got the better of me, and I just had t take a look...

<?php
   // Function to generate a random code
   function make_random_code() {
      // Salt value
      $salt = "abcdefghijklmnopqrstuvwxyz0123456789";
      // Use the time to create a random value
      srand((double)microtime()*1000000);
      // Set i = 0
      $i = 0;
      
      // Do while i <= 7
      while ($i <= 7) {
         // Generate a random number
         $num = rand() % 33;
         // Create a tmp value
         $tmp = substr($salt, $num, 1);
         // Create the random code
         $random_code = $random_code . $tmp;
         // Increment i by 1
         $i++;
      }
      // Return the random code
      return $random_code;
   }
   
   // Call the function to generate a random code
   $random = make_random_code();
?>

"I wasn't quite sure what to think. Why is '$salt' named that way... at a stretch, I could understand 'seed'; but 'salt'? Why seed ('salt'?) the randomizer with (double)microtime()*1000000, when microtime() already returns a string that looks like '0.53138500 1203062920'? Why srand - which is basically deprecated as of PHP4, and accepts an int as an argument, not a double. And why, oh why use a loop?

"I decided against any further exploration or even trying to figure out why my predecessors chose such an elaborate routine to generate a random string to prevent a browser from cacheing. I just quitely replaced it with content.php?rnd=<?php echo time(); ?>.

Share A Rather Curious Pattern:

Featured Comments (All Comments • Add Comment)

Re: A Rather Curious Pattern

2008-05-12 08:27 • by http://jobs.thinkaloud.in (unregistered)

194202

Reply Quote

I know another term that will act as "an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity. "

its called PEPPER

CAPTCHA : validus

Re: A Rather Curious Pattern

2008-05-12 08:28 • by Andrew (unregistered)

194203 in reply to 194200

Reply Quote

perhaps he's a seasoned developer *rim shot*

Re: A Rather Curious Pattern

2008-05-12 08:58 • by illum (unregistered)

194213

Reply Quote

I think this says it all:

Italian Proverb:
Give neither counsel nor salt till you are asked for it

and

Stephen King:
Talent is cheaper than salt. What separates the talented individual from the successful one is a lot of hard work.

The comments were the problem

2008-05-12 09:38 • by Dark (unregistered)

194230

Reply Quote

I think we have agreement that the comments were the most WTFy part. So I fixed the comments:


<?php

   // Create a string-token that is

   // (a) impossible to predict and

   // (b) different for every request 

   // Both requirements are taken more seriously than is

   // usual for PHP code. Instead of half-assed, this will

   // be done fully-assed.

   function make_random_code() {

      // The characters from which the random code is made.

      // The string is called $salt because I read

      // a cryptography book once.

      $salt = "abcdefghijklmnopqrstuvwxyz0123456789";

      // Reinitialize the random generator every time through

      // because I bet it would otherwise start repeating

      // itself when I'm not looking.

      // Since srand expects an int, passing microtime()

      // directly would always get truncated to 0 and

      // that would be embarrassing.

      // Use double-size math because we care deeply

      // about the precision of our random numbers.

      srand((double)microtime()*1000000);



      // Make a random string, 7 characters long

      $i = 0;

      while ($i <= 7) {

         // Generate a random number suitable for indexing

         // $salt. Use a simple modulo because we're not

         // really serious about the whole random thing,

         // so it doesn't matter that the resulting

         // distribution is skewed towards 0.

         // Also, calling rand(0, 32) seemed too complicated.

         // Use modulo 33 because $salt is 36 characters

         // long and the numbers 7, 8 and 9 traumatized me

         // when I was young.

         $num = rand() % 33;

         // Extract the somewhat-randomly chosen

         // character from $salt.

         $tmp = substr($salt, $num, 1);

         // Building strings one character at a time

         // builds character.

         $random_code = $random_code . $tmp;

         $i++;

      }

      return $random_code;

   }



   // Make sure it doesn't throw an error

   // like the last time I edited it.

   // Also, it would be a pity to leave

   // without polluting the global namespace.

   $random = make_random_code();

?>

« Where Does the Line End?

Nuns and Regexes Do Not Mix »

A Rather Curious Pattern

Featured Comments (All Comments • Add Comment)

Re: A Rather Curious Pattern

Re: A Rather Curious Pattern

Re: A Rather Curious Pattern

The comments were the problem

SUBMIT YOUR WTF

Content

Random Article

All Articles

Free WTF Swag!

Sponsored by

Side Bar WTF