Comment On Authenticate or Math

Or a Radiohead fan

Nagesh:

#ifdef REQUIRES_LOGIN
#define 4 5
#endif

Then 4 == 4 is still TRUE, sadly. Try

#ifdef REQUIRES_LOGIN
# define 4 5 BUT_ONLY on lefthandside
#endif

Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...

Nah, it's because 2 is defined as a variable
The function logged_in() can modify that variable, thus enabling or disabling the following code block....

Quicksilver:

Chopper:

Anketam:

normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2

Not if you're a banker!

Or you are living in Airstrip One!

Then 2+2=3 and you keep the change.

veggen:

Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...

But you do get credit towards your next visit to the psychotherapist.

RogL:

Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

On the other hand, you could probably safely remove all "|| true"s.

It was thrown so it could be caught. Just try and you will understand.

Qpirate:

I'm just looking at the WTF in the text:
I started sifting throw hundreds
Should it not be I started sifting through hundreds

2.4 + 2.4 = 4.8

If you round those values to the nearest integer you get:

2 + 2 = 5

Even that will fail if == has been overloaded so that it no longer tests for equality or modifies the value of two.

Leo:

No good, because what if 2 changes so that 2+2 no longer equals 4? Should be "|| 2+2 == 2+2", so even if 2+2 = 6, it will still evaluate correctly.

KattMan:

So realyl, it doesn't matter if you are logged in.
The || essentially makign it so if you are logged in you can upload, if you are not logged in, you can upload, because in our reality 2+2 does equal 4.
Why not do away with the check in it's entirety? You will get the same results.

Wow, considering the number of replies, this is the best troll ever!

lol...pentium math error. good old days.

His logic is so wrong 2+2 obviously equals 10 (base-4).

KattMan:

EDIT:
Just thought of a reason for this. It is to prevent anyone using one of those really old pentium processors where 2 might become a float and the math error might make 2+2 != 4.

I imagined this as authentication code running on a server. So it won't matter what your users are running; it will matter what you are running. And it will always evaluate as true or false for all users (even assuming your theory).

THERE. ARE. FOUR. INTEGERS!

Agreed. I would add code review and any testing from build verification to user acceptance to the TRWTF?

iToad:

// DEBUG

% DEBUG

REM DEBUG

(* DEBUG *)

/* DEBUG */

; DEBUG

<!-- DEBUG -->

# DEBUG

' DEBUG

{- DEBUG -}

etc...

Using debug code? Pick one from the list above.

>>> if 2+2 == 4: etc...

  File "<stdin>", line 1

    if 2+2 == 4: etc...

                      ^

SyntaxError: invalid syntax

jonny_q:

Anketam:

normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2

If 2+2==4 is his favorite debugging alias for "true" then it's easier to search for to remove later. It's a built-in todo.

Still dumb, but that's the thought process.

I've gotten very good as learning to think like the retard I have to clean up after.

You're still giving him too much credit. More like: "I want this condition to always be true (for a change request, or for debugging, doesn't matter), but I don't want/know to comment it out, or remove it (even if it's a permanent change request, after all I might lose some code, what's source control?), so perhaps I can add something to make it always true, oh yeah, I'm so clever, I'll add || and something that's always true, but what could this be? <think hard> Oh right, remember how in kindergarten I learned 2+2=4, and that's always true, wow, I'm really so clever, look how I can put my kindergarten knowledge to practical use, yeah, this looks great, and it actually works. Problem solved, and took me only 10 minutes."

TRWRF is so called programmers who don't know shit about Boolean logic, including the dreaded "if foo then return true; else return false;" antipattern, or other lengthy if-else-spaghetti code (or worse, goto) instead of a simple Boolean expression.

Zylon:

THERE. ARE. FOUR. INTEGERS!

+1

toth:

RogL:

Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

On the other hand, you could probably safely remove all "|| true"s.

if (foo || true == false)

It is a commonly accepted practice to place OR logic into a conditional in order to bypass some dependency for testing purposes, or to stub out code that will do an authentication check at some later point, but is OK to leave unauthenticated for now. George Z should tread carefully in this code, lest he introduce a defect into something that is working in production.

Anketam:

His logic is so wrong 2+2 obviously equals 10 (base-4).

Or 2+2=11 (base-3). Of course, if the compiler is using base-3 or base-4 arithmetic, then "4" is an undefined value and this expression should generate an error (the same as if it was "2+2=Fred" (unless, of course, Fred is 4)).

Zylon:

THERE. ARE. THREE. DOT. NINE. NINE. SEVEN. EIGHT. NINE. SEVEN. FIVE. INTEGERS!

(ftfy)

foo:

if (foo || true == false)

by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.

We all realize, of course, that logged_in() has side effects, and this is a way to ensure that those side effects take place while in effect throwing away the result of the check?

RogL:

Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

or you could throw in a //BUGBUG and scan for those before releasing

RogL:

Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

Rather than relying on stupid codes, use source control. hg status to see which files you changed, and then revert them. Or if you've committed, hg diff -r with the revision before the changes.

Boolean Troll:

foo:

if (foo || true == false)

by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.

Nice try Mr. Boolean Troll, but it fails with three-valued logic.

I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?

Chopper:

Anketam:

normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2

Not if you're a banker!

exactly, there the calculation is always: 2 + 2 = 3 + 1-for-the-own-pocket :D

Canonymous Oward:

Actually, the code might have a pretty legit reason. In some cases you can not just put "true" into "if" condition if there is "else" branch in the code, the compiler will complain about unreachable code.

Seeing this in the production code kind of sucks though.

There's a good reason why it would complain of unreachable code.

Because it is.

fishdude:

wbrianwhite:

And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".

Since you are dynamically building an SQL statement, I'll assume you are using PHP.

Put all your WHERE clauses into an array, then use `implode()` to join the arrays into a string.

$where[] = "param1 = 'fish'";
$where[] = "param2 = 'slap'";
$sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);

You'd still have to test for an empty $where array, though!

ubersoldat:

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?

They'd be better off using “»»”. Maximizes the annoyance for US Windows users for type-ability reasons and for many others because of charset issues… Fun for all!

ubersoldat:

I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?

If I remember correctly, from C++, which PHP is written in:

a.MyValue() if a is a reference
a->MyValue() if a is a pointer

-> looks like a pointer, get it?

I can't even find those keys :-)

ubersoldat:

I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?

Maybe consider using a normal keyboard? Seriously, {, [, ], } and \ are all three keystrokes on a Belgian keyboard (which has a retarded design, by the way). If programming languages were supposed to be easy to type on every keyboard in the world, we'd be stuck with letters only. Hurray for END IF.

Now obligatory--

Anketam:

Reminds me of the shirt:
2+2=5
For extremely large values of 2

A better version of this is "For sufficiently large values of 2": 2.5 isn't really extremely large.

Probably didn't know he could just have made it || 1) if he wanted it to always test true.

fishdude:

wbrianwhite:

And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".

Since you are dynamically building an SQL statement, I'll assume you are using PHP.

Put all your WHERE clauses into an array, then use `implode()` to join the arrays into a string.

$where[] = "param1 = 'fish'";
$where[] = "param2 = 'slap'";
$sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);

I am not using PHP, nor am I building the SQL in the front end. This is dynamic sql as in a stored procedure that builds a sql string based on input parameters and uses sp_executesql to execute it. It is more performant in situations where totally different plans will be generated based on whether you need to join to this table or that table and apply this filter or that filter. Amusing that implode is a built in function of PHP.

Does this better capture the original programmer's intent:

if ($this->ion_auto->logged_in() || assert(2 +2==4))

Warlaan:

Seriously guys, that's like basic optimization knowledge.

Yes, 2+2==4 is always true, but as it is an expression it is not for free. Now if logged_in() is true, 2+2==4 does not have to be evaluated at all, saving valueable processor time.

Basic optimization knowledge? Been a long time since I seen a compiler that doesn't evaluate constant expressions during compile time unless told not to do so with some command line argument or project configuration.

Jason:

It's obviously debug code that either the original developer forgot to take out, or was purposely left in to bypass having to constantly log in. Since it was an unfinished project it's likely the latter and the new guy needs to get off his high horse. In my experience many developers when having to take over a new project will trash the work of the previous generation since it's easier to do than actually having to really learn the architecture.

I subscribe to that.

The actual WTF here is George's lack of experience that prevents him from understanding debugging patterns and enables him to make fun of it.

Qpirate:

I'm just looking at the WTF in the text:
I started sifting throw hundreds
Should it not be
I started sifting through hundreds

Freudian slip. The code made him throw.

Boolean Troll:

foo:

if (foo || true == false)

by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.

Kick the fucking stupid cunt to death before the fucker breeds. Too late? Kick its fucking offsping to fucking death too. Burn the dwellings it lived in. Salt the ground it wanked on. Exterminate it from the universe.

Anon') or 1=1:

The very first infinite loop I wrote when I was a noob looked like this:

while(6 != 7)

{

   ...

}

I thought I was so clever.

Alternatively:

#define EVER ;;

for (EVER) { ... }

Poorly written backdoor?

<script type="text/javascript">

var count = 2;

function validate()

{

var un = document.myform.username.value;

var pw = document.myform.pword.value;

var valid = false;

var unArray = ["hussan","ayaz","mehmood","faraz"]; //as many as you like = on comma after final entry

var pwArray = ["password1","password2","password3","password4"]; // the corresponding password;

for (var i=0; i <unArray.length;i++)

{

if ((un == unArray[i]) && (pw == pwArray[i]))

{
valid = true;

break;

}

}

if (valid)

{

alert ("login was successful");

window.location = "http://www.facebook.com";

return false;

}

var t ="tries";

if (count == 1) {t = "try"}

if (count >= 1)

{

alert ("user name or password to dal pagal admin ajeeb hai?" + count + t + "left");

document.myform.username.value="";

document.myform.pword.value="";

setTimeout("document.myform.username.focus()",2);

setTimeout(document.myform.username.select()",2);

count --;

}

else

{

alert ("still incorrect you have no more tries left!");

document.myform.username.value = "no more tries allowed";

document.myform.pword.value = "";

document.myform.username.disabled = true;

document.myform.pword.disabled = true;

return false;

}

}

</script>




<form>

<p>

ENTER USER NAME <input type="text" name="username
">

ENTER PASSWORD <input
type=password name="pword">


<input type="button" value="Check In" name="submit" onClick= "validate"()">
</p>

</form>

When you're a hacker, old habits die hard...

cellocgw:

Nagesh:

#ifdef REQUIRES_LOGIN
#define 4 5
#endif

Then 4 == 4 is still TRUE, sadly. Try

#ifdef REQUIRES_LOGIN
# define 4 5 BUT_ONLY on lefthandside
#endif

but 2 + 2 doesn't equal 5, right? (although I guess we're talking stupid anyways)