Comment On Authenticate or Math

"I was recently assigned to work on a project that had been abandoned by its developer," wrote George Z. "After I checked-out the code for the first time, I started sifting through hundreds of lines of bad syntax, and bad practices."

Re: Authenticate or Math

2012-04-04 11:58 • by Greg (unregistered)
378462 in reply to 378444
Or a Radiohead fan

Re: Authenticate or Math

2012-04-04 12:03 • by cellocgw
378463 in reply to 378453
Nagesh:
#ifdef REQUIRES_LOGIN
#define 4 5
#endif

Then 4 == 4 is still TRUE, sadly. Try

#ifdef REQUIRES_LOGIN
# define 4 5 BUT_ONLY on lefthandside
#endif

Re: Authenticate or Math

2012-04-04 12:09 • by veggen
378464 in reply to 378425
Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...

Re: Authenticate or Math

2012-04-04 12:10 • by Don L (unregistered)
Nah, it's because 2 is defined as a variable
The function logged_in() can modify that variable, thus enabling or disabling the following code block....

Re: Authenticate or Math

2012-04-04 12:14 • by emaN ruoY (unregistered)
378467 in reply to 378444
Quicksilver:
Chopper:
Anketam:
normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2


Not if you're a banker!


Or you are living in Airstrip One!


Then 2+2=3 and you keep the change.

Re: Authenticate or Math

2012-04-04 12:14 • by dkf
378468 in reply to 378464
veggen:
Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...
But you do get credit towards your next visit to the psychotherapist.

Re: Authenticate or Math

2012-04-04 12:19 • by toth
378469 in reply to 378424
RogL:
Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".



On the other hand, you could probably safely remove all "|| true"s.

Re: Authenticate or Math

2012-04-04 12:20 • by Rfoxmich (unregistered)
378470 in reply to 378415
It was thrown so it could be caught. Just try and you will understand.

Qpirate:
I'm just looking at the WTF in the text:
I started sifting throw hundreds
Should it not be I started sifting through hundreds

Re: Authenticate or Math

2012-04-04 12:22 • by myName (unregistered)
2.4 + 2.4 = 4.8

If you round those values to the nearest integer you get:

2 + 2 = 5

Re: Authenticate or Math

2012-04-04 12:23 • by Rfoxmich (unregistered)
378473 in reply to 378431
Even that will fail if == has been overloaded so that it no longer tests for equality or modifies the value of two.

Leo:
No good, because what if 2 changes so that 2+2 no longer equals 4? Should be "|| 2+2 == 2+2", so even if 2+2 = 6, it will still evaluate correctly.

Re: Authenticate or Math

2012-04-04 12:25 • by Re: The Gonvert (unregistered)
378474 in reply to 378410
KattMan:
So really, it doesn't matter if you are logged in.
The || essentially making it so if you are logged in you can upload, if you are not logged in, you can upload, because in our reality 2+2 does equal 4.
Why not do away with the check in its entirety? You will get the same results.


Wow, considering the number of replies, this is the best troll ever!

Re: Authenticate or Math

2012-04-04 12:34 • by tj (unregistered)
378475 in reply to 378410
lol...pentium math error. good old days.

Re: Authenticate or Math

2012-04-04 12:37 • by Anketam
His logic is so wrong 2+2 obviously equals 10 (base-4).

Re: Authenticate or Math

2012-04-04 12:48 • by IV (unregistered)
378477 in reply to 378410
KattMan:

EDIT:
Just thought of a reason for this. It is to prevent anyone using one of those really old pentium processors where 2 might become a float and the math error might make 2+2 != 4.


I imagined this as authentication code running on a server. So it won't matter what your users are running; it will matter what you are running. And it will always evaluate as true or false for all users (even assuming your theory).

Re: Authenticate or Math

2012-04-04 12:54 • by Zylon
THERE. ARE. FOUR. INTEGERS!

Re: Authenticate or Math

2012-04-04 13:02 • by Fred Flintstone (unregistered)
378479 in reply to 378416
Agreed. I would add code review and any testing from build verification to user acceptance to the TRWTF?

Re: Authenticate or Math

2012-04-04 13:09 • by Gurth
378480 in reply to 378443
iToad:

// DEBUG
% DEBUG
REM DEBUG
(* DEBUG *)
/* DEBUG */
; DEBUG
<!-- DEBUG -->
# DEBUG
' DEBUG
{- DEBUG -}
etc...

Using debug code? Pick one from the list above.

>>> if 2+2 == 4: etc...

File "<stdin>", line 1
if 2+2 == 4: etc...
^
SyntaxError: invalid syntax

Re: Authenticate or Math

2012-04-04 13:14 • by foo (unregistered)
378481 in reply to 378441
jonny_q:
Anketam:
normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2


If 2+2==4 is his favorite debugging alias for "true" then it's easier to search for to remove later. It's a built-in todo.

Still dumb, but that's the thought process.

I've gotten very good at learning to think like the retard I have to clean up after.
You're still giving him too much credit. More like: "I want this condition to always be true (for a change request, or for debugging, doesn't matter), but I don't want/know to comment it out, or remove it (even if it's a permanent change request, after all I might lose some code, what's source control?), so perhaps I can add something to make it always true, oh yeah, I'm so clever, I'll add || and something that's always true, but what could this be? <think hard> Oh right, remember how in kindergarten I learned 2+2=4, and that's always true, wow, I'm really so clever, look how I can put my kindergarten knowledge to practical use, yeah, this looks great, and it actually works. Problem solved, and took me only 10 minutes."

TRWTF is so-called programmers who don't know shit about Boolean logic, including the dreaded "if foo then return true; else return false;" antipattern, or other lengthy if-else-spaghetti code (or worse, goto) instead of a simple Boolean expression.

Re: Authenticate or Math

2012-04-04 13:18 • by foo (unregistered)
378482 in reply to 378478
Zylon:
THERE. ARE. FOUR. INTEGERS!
+1

Re: Authenticate or Math

2012-04-04 13:19 • by foo (unregistered)
378483 in reply to 378469
toth:
RogL:
Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".



On the other hand, you could probably safely remove all "|| true"s.
if (foo || true == false)

Re: Authenticate or Math

2012-04-04 13:41 • by geoffrey, MCP, PMP (unregistered)
It is a commonly accepted practice to place OR logic into a conditional in order to bypass some dependency for testing purposes, or to stub out code that will do an authentication check at some later point, but is OK to leave unauthenticated for now. George Z should tread carefully in this code, lest he introduce a defect into something that is working in production.

Re: Authenticate or Math

2012-04-04 14:04 • by Steve (unregistered)
378485 in reply to 378476
Anketam:
His logic is so wrong 2+2 obviously equals 10 (base-4).


Or 2+2=11 (base-3). Of course, if the compiler is using base-3 or base-4 arithmetic, then "4" is an undefined value and this expression should generate an error (the same as if it was "2+2=Fred" (unless, of course, Fred is 4)).

Re: Authenticate or Math

2012-04-04 14:09 • by the beholder (unregistered)
378486 in reply to 378478
Zylon:
THERE. ARE. THREE. DOT. NINE. NINE. SEVEN. EIGHT. NINE. SEVEN. FIVE. INTEGERS!

(ftfy)

Re: Authenticate or Math

2012-04-04 14:14 • by Boolean Troll (unregistered)
378487 in reply to 378483
foo:
if (foo || true == false)


by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.

Re: Authenticate or Math

2012-04-04 14:14 • by da Doctah
We all realize, of course, that logged_in() has side effects, and this is a way to ensure that those side effects take place while in effect throwing away the result of the check?

Re: Authenticate or Math

2012-04-04 14:19 • by Franz Kafka (unregistered)
378489 in reply to 378424
RogL:
Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".



or you could throw in a //BUGBUG and scan for those before releasing
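
Added example (editorial, not code from the article or from any commenter): the pre-release scan discussed in this sub-thread, written as a Python check that flags `||` operands that are constant-true inside `if`/`elseif`/`while` conditions. The PHP sample and every name in it are constructed for illustration, and parentheses inside string literals are not handled.

```python
import ast
import operator
import re

# Constructed PHP sample modelled on the bypass in the article; names are hypothetical.
SAMPLE = '''<?php
if ($auth->logged_in() || 2+2==4) { do_upload(); }
if ($user->is_admin() || true) { purge(); }
if ($a == 1 || $b == 2) { ok(); }
if (count($rows) > 0 && 3 == 3) { render(); }
'''

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}

def _const_int(expr):
    """Value of arithmetic made only of integer literals, else None."""
    def walk(n):
        if isinstance(n, ast.Constant) and type(n.value) is int:
            return n.value
        if isinstance(n, ast.BinOp) and type(n.op) in _OPS:
            return _OPS[type(n.op)](walk(n.left), walk(n.right))
        raise ValueError("not a literal expression")
    try:
        return walk(ast.parse(expr.strip(), mode="eval").body)
    except (SyntaxError, ValueError):
        return None

def always_true(operand):
    """True for `true`, a non-zero literal, or a literal comparison that holds."""
    text = operand.strip()
    m = re.fullmatch(r"(.+?)(===|==|!==|!=)(.+)", text)
    if m:
        left, right = _const_int(m.group(1)), _const_int(m.group(3))
        if left is None or right is None:
            return False
        # "==" / "===" must compare equal; "!=" / "!==" must compare unequal.
        return (left == right) == m.group(2).startswith("=")
    return text.lower() == "true" or bool(_const_int(text))

def conditions(source):
    """Yield (line, text) for each parenthesised if/elseif/while condition."""
    for m in re.finditer(r"\b(?:if|elseif|while)\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        if depth == 0:
            yield source.count("\n", 0, m.start()) + 1, source[m.end():i - 1]

def or_operands(cond):
    """Operands of top-level `||`; empty when the condition has no `||`."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(cond):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth == 0 and cond.startswith("||", i):
            parts.append(cond[start:i])
            start = i + 2
    return parts + [cond[start:]] if parts else []

def find_bypasses(source):
    """List (line, operand) for every constant-true `||` operand."""
    return [(line, op.strip())
            for line, cond in conditions(source)
            for op in or_operands(cond) if always_true(op)]
```

Run in CI, a non-empty result from `find_bypasses` can fail the build, so the check does not depend on anyone remembering a marker comment.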

Re: Authenticate or Math

2012-04-04 14:26 • by Meep (unregistered)
378490 in reply to 378424
RogL:
Could make sense as a temporary debugging change, to force the login to work while testing.

A distinctive "true" value is easier to remove when testing is done.

When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ?
You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".



Rather than relying on stupid codes, use source control. hg status to see which files you changed, and then revert them. Or if you've committed, hg diff -r with the revision before the changes.

Re: Authenticate or Math

2012-04-04 14:28 • by Meep (unregistered)
378491 in reply to 378487
Boolean Troll:
foo:
if (foo || true == false)


by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.


Nice try Mr. Boolean Troll, but it fails with three-valued logic.

Re: Authenticate or Math

2012-04-04 14:41 • by ubersoldat
I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?

Re: Authenticate or Math

2012-04-04 14:48 • by Franky (unregistered)
378493 in reply to 378426
Chopper:
Anketam:
normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt:
2+2=5
For extremely large values of 2


Not if you're a banker!

exactly, there the calculation is always: 2 + 2 = 3 + 1-for-the-own-pocket :D

Re: Authenticate or Math

2012-04-04 14:52 • by Edward (unregistered)
378494 in reply to 378439
Canonymous Oward:
Actually, the code might have a pretty legit reason. In some cases you can not just put "true" into "if" condition if there is "else" branch in the code, the compiler will complain about unreachable code.

Seeing this in the production code kind of sucks though.


There's a good reason why it would complain of unreachable code.

Because it is.

Re: Authenticate or Math

2012-04-04 15:04 • by pedantic (unregistered)
378495 in reply to 378459
fishdude:
wbrianwhite:
And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".


Since you are dynamically building an SQL statement, I'll assume you are using PHP.

Put all your WHERE clauses into an array, then use `implode()` to join the arrays into a string.

$where[] = "param1 = 'fish'";
$where[] = "param2 = 'slap'";
$sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);

You'd still have to test for an empty $where array, though!

Re: Authenticate or Math

2012-04-04 15:08 • by dkf
378496 in reply to 378492
ubersoldat:
If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?
They'd be better off using “»»”. Maximizes the annoyance for US Windows users for type-ability reasons and for many others because of charset issues… Fun for all!

Re: Authenticate or Math

2012-04-04 15:21 • by Re: The Gonvert (unregistered)
378497 in reply to 378492
ubersoldat:
I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?


If I remember correctly, from C++, which PHP is written in:

a.MyValue() if a is a reference
a->MyValue() if a is a pointer

-> looks like a pointer, get it?

Re: Authenticate or Math

2012-04-04 15:34 • by ubersoldat
378498 in reply to 378496
I can't even find those keys :-)

Re: Authenticate or Math

2012-04-04 15:57 • by briverymouse
378499 in reply to 378492
ubersoldat:
I feel obligated to write this since no one has done it yet. TRWTF is PHP!

Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

If you wanted to fuck up the syntax, why not use \_> which takes 6 key-strokes?


Maybe consider using a normal keyboard? Seriously, {, [, ], } and \ are all three keystrokes on a Belgian keyboard (which has a retarded design, by the way). If programming languages were supposed to be easy to type on every keyboard in the world, we'd be stuck with letters only. Hurray for END IF.

Re: Authenticate or Math

2012-04-04 16:11 • by Zylon
Now obligatory--

Re: Authenticate or Math

2012-04-04 16:17 • by Peter (unregistered)
378502 in reply to 378418
Anketam:
Reminds me of the shirt:
2+2=5
For extremely large values of 2
A better version of this is "For sufficiently large values of 2": 2.5 isn't really extremely large.

Re: Authenticate or Math

2012-04-04 16:26 • by Spencer Ryan (unregistered)
Probably didn't know he could just have made it || 1) if he wanted it to always test true.

Re: Authenticate or Math

2012-04-04 16:35 • by wbrianwhite
378506 in reply to 378459
fishdude:
wbrianwhite:
And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".


Since you are dynamically building an SQL statement, I'll assume you are using PHP.

Put all your WHERE clauses into an array, then use `implode()` to join the arrays into a string.

$where[] = "param1 = 'fish'";
$where[] = "param2 = 'slap'";
$sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);


I am not using PHP, nor am I building the SQL in the front end. This is dynamic sql as in a stored procedure that builds a sql string based on input parameters and uses sp_executesql to execute it. It is more performant in situations where totally different plans will be generated based on whether you need to join to this table or that table and apply this filter or that filter. Amusing that implode is a built in function of PHP.

Re: Authenticate or Math

2012-04-04 16:37 • by DEEmery (unregistered)
Does this better capture the original programmer's intent:

if ($this->ion_auto->logged_in() || assert(2 +2==4))

Re: Authenticate or Math

2012-04-04 16:46 • by default_ex (unregistered)
378509 in reply to 378433
Warlaan:
Seriously guys, that's like basic optimization knowledge.

Yes, 2+2==4 is always true, but as it is an expression it is not for free. Now if logged_in() is true, 2+2==4 does not have to be evaluated at all, saving valuable processor time.


Basic optimization knowledge? Been a long time since I've seen a compiler that doesn't evaluate constant expressions during compile time unless told not to do so with some command line argument or project configuration.

Re: Authenticate or Math

2012-04-04 17:36 • by Dima (unregistered)
378511 in reply to 378423
Jason:
It's obviously debug code that either the original developer forgot to take out, or was purposely left in to bypass having to constantly log in. Since it was an unfinished project it's likely the latter and the new guy needs to get off his high horse. In my experience many developers when having to take over a new project will trash the work of the previous generation since it's easier to do than actually having to really learn the architecture.
I subscribe to that.

The actual WTF here is George's lack of experience that prevents him from understanding debugging patterns and enables him to make fun of it.

Re: Authenticate or Math

2012-04-04 18:02 • by Matt Westwood
378513 in reply to 378415
Qpirate:
I'm just looking at the WTF in the text:
I started sifting throw hundreds
Should it not be
I started sifting through hundreds


Freudian slip. The code made him throw.

Re: Authenticate or Math

2012-04-04 18:07 • by Matt Westwood
378514 in reply to 378487
Boolean Troll:
foo:
if (foo || true == false)


by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

adding the || true in that case would not change the truthiness of the expression.


Kick the fucking stupid cunt to death before the fucker breeds. Too late? Kick its fucking offsping to fucking death too. Burn the dwellings it lived in. Salt the ground it wanked on. Exterminate it from the universe.

Re: Authenticate or Math

2012-04-04 18:24 • by Mr.'; Drop Database -- (unregistered)
378515 in reply to 378445
Anon') or 1=1:
The very first infinite loop I wrote when I was a noob looked like this:
while(6 != 7)

{
...
}
I thought I was so clever.
Alternatively:
#define EVER ;;

for (EVER) { ... }

Re: Authenticate or Math

2012-04-04 18:32 • by leeter (unregistered)
Poorly written backdoor?

Please tell me why its now working Help he

2012-04-04 18:32 • by hussan
<script type="text/javascript">
var count = 2;
function validate()
{
    var un = document.myform.username.value;
    var pw = document.myform.pword.value;
    var valid = false;
    var unArray = ["hussan","ayaz","mehmood","faraz"]; //as many as you like = on comma after final entry
    var pwArray = ["password1","password2","password3","password4"]; // the corresponding password;
    for (var i=0; i <unArray.length;i++)
    {
        if ((un == unArray[i]) && (pw == pwArray[i]))
        {
            valid = true;
            break;
        }
    }
    if (valid)
    {
        alert ("login was successful");
        window.location = "http://www.facebook.com";
        return false;
    }
    var t ="tries";
    if (count == 1) {t = "try"}
    if (count >= 1)
    {
        alert ("user name or password to dal pagal admin ajeeb hai?" + count + t + "left");
        document.myform.username.value="";
        document.myform.pword.value="";
        setTimeout("document.myform.username.focus()",2);
        setTimeout(document.myform.username.select()",2);
        count --;
    }
    else
    {
        alert ("still incorrect you have no more tries left!");
        document.myform.username.value = "no more tries allowed";
        document.myform.pword.value = "";
        document.myform.username.disabled = true;
        document.myform.pword.disabled = true;
        return false;
    }
}
</script>

<form>
<p>
ENTER USER NAME <input type="text" name="username">
ENTER PASSWORD <input type=password name="pword">
<input type="button" value="Check In" name="submit" onClick= "validate"()">
</p>
</form>

Re: Authenticate or Math

2012-04-04 18:51 • by aw4 (unregistered)
When you're a hacker, old habits die hard...

Re: Authenticate or Math

2012-04-04 18:52 • by a;sleo (unregistered)
378519 in reply to 378463
cellocgw:
Nagesh:
#ifdef REQUIRES_LOGIN
#define 4 5
#endif

Then 4 == 4 is still TRUE, sadly. Try

#ifdef REQUIRES_LOGIN
# define 4 5 BUT_ONLY on lefthandside
#endif

but 2 + 2 doesn't equal 5, right? (although I guess we're talking stupid anyways)