Comment On Cabbage Based Authentication

Security is a big deal. The days of open mail relays and anonymous file upload sites are long gone. No one executes binaries they find in an email inbox. If only.

Re: Cabbage Based Authentication

2007-03-08 09:03 • by Anonymous (unregistered)
What... The... *head explodes*

Re: Cabbage Based Authentication

2007-03-08 09:04 • by Raiko (unregistered)
the days are gone

Editor's note: Fixed

Re: Cabbage Based Authentication

2007-03-08 09:04 • by some guy (unregistered)
Mmmmm, cabbage

Re: Cabbage Based Authentication

2007-03-08 09:06 • by vt_mruhlin
CheckRightsOnTheCurrentPage


I hate needlessly long function names.

Re: Cabbage Based Authentication

2007-03-08 09:08 • by mr. fluffy (unregistered)
125579 in reply to 125578
vt_mruhlin:
CheckRightsOnTheCurrentPage


I hate needlessly long function names.


but it's more enterprisey like that!

Re: Cabbage Based Authentication

2007-03-08 09:13 • by AI (unregistered)
The reason "Cabbage" is needed is because strpos can return 0 as well as false, so they prepended a random string to make sure the possible position is larger than zero.

A correct version would be

if( strpos( strtolower( $_SERVER['PHP_SELF'] ) , '/admin' ) !== false )

Re: Cabbage Based Authentication

2007-03-08 09:15 • by poy (unregistered)
"Cabbage" was appended because they didn't know strpos can return 0 (if $_SERVER["PHP_SELF"] begins with "/admin"), and the evaluation will then fail.

if ( strpos( strtolower($_SERVER["PHP_SELF"]) , "/admin" ) !== false )

would have worked.

Re: Cabbage Based Authentication

2007-03-08 09:16 • by epriest (unregistered)
If anyone is wondering why: PHP's strpos() returns `false' when the second string argument does not occur as a substring of the first argument, and returns 0 when the second string argument occurs at position 0 of the first string argument. Thus, strpos( "/admin", "/admin" ) returns 0, but strpos( "Cabbage/admin", "/admin" ) will return a positive integer.

You're supposed to test the return value explicitly: "if( strpos( $a, $b ) !== false )", but it only says that like five times in giant red letters on the manual page (http://us2.php.net/strpos) so it's easy to see how someone could miss it.

Joke

2007-03-08 09:16 • by claudiu (unregistered)
I think it is just for incrementing the position with a value of 7. An alternative would be if(position >= 0) instead of if(position). If I'm right, it is not a WTF but a joke. In the worst case it is job protection. Any string containing at least 2 letters will do the trick.

Re: Cabbage Based Authentication

2007-03-08 09:17 • by poy (unregistered)
Crap, seems I'm 2 mins late...

Captcha: scooter. should've typed as fast as it.

Re: Cabbage Based Authentication

2007-03-08 09:18 • by some guy (unregistered)
if (strpos(strtolower($_SERVER["PHP_SELF"]), "/admin" ) !== false)

Re: Cabbage Based Authentication

2007-03-08 09:19 • by some guy (unregistered)
125587 in reply to 125586
some guy:
if (strpos(strtolower($_SERVER["PHP_SELF"]), "/admin" ) !== false)

Damn, I'm slow

Re: Cabbage Based Authentication

2007-03-08 09:20 • by Paul (unregistered)
if ( ( !isset($_SESSION["IS_ADMIM"] ) ) || ($_SESSION["IS_ADMIM"] == 0 ) )

IS_ADMIM. Nice.

Re: Cabbage Based Authentication

2007-03-08 09:24 • by Babbage (unregistered)
Even the corrected version is a bit of a WTF, consider:
http://example.com/foo.php/admin

This is a legal URL and $_SERVER['PHP_SELF'] from foo.php will then include the /admin, even though that's clearly not the intention.
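An added example, my own code rather than anything from the original article or the posters: it runs the three variants discussed above (the original truthiness test explained by poy and epriest, the "Cabbage" workaround, and the `!== false` fix) against constructed request paths, and adds a prefix check on SCRIPT_NAME for Babbage's `/foo.php/admin` case. The function names, the assumption that admin scripts live under `/admin/`, and the sample request rows are mine.

```php
<?php
// Added example, not code from the original post. $phpSelf and $scriptName
// stand in for $_SERVER['PHP_SELF'] / $_SERVER['SCRIPT_NAME'] so it runs from the CLI.

// The original check without "Cabbage": strpos() returns 0 when "/admin"
// starts the path, and 0 is falsy, so /admin/... pages skip the admin check.
function isAdminOriginal(string $phpSelf): bool {
    return (bool) strpos(strtolower($phpSelf), '/admin');
}

// The "Cabbage" workaround: any non-empty prefix pushes a leading "/admin"
// to a non-zero offset, so the truthiness test works by accident.
function isAdminCabbage(string $phpSelf): bool {
    return (bool) strpos(strtolower('Cabbage' . $phpSelf), '/admin');
}

// The fix proposed in the thread: strpos() returns int|false, so compare
// against false with !==; offset 0 is then a match like any other.
function isAdminStrict(string $phpSelf): bool {
    return strpos(strtolower($phpSelf), '/admin') !== false;
}

// Babbage's objection: PHP_SELF includes PATH_INFO, so /foo.php/admin matches
// the strict check. SCRIPT_NAME omits PATH_INFO, and a "starts with /admin/"
// test expresses the intent (assumes admin scripts live under /admin/).
function isAdminPrefix(string $scriptName): bool {
    return strpos(strtolower($scriptName), '/admin/') === 0;
}

// Constructed requests as [PHP_SELF, SCRIPT_NAME], the way a web server
// would populate them for each URL.
$requests = [
    ['/admin/users.php', '/admin/users.php'],
    ['/Admin/index.php', '/Admin/index.php'],
    ['/foo.php/admin',   '/foo.php'],         // PATH_INFO case
    ['/administer.php',  '/administer.php'],  // substring false positive
    ['/index.php',       '/index.php'],
];
$fmt = "%-18s %-9s %-9s %-9s %-9s\n";
printf($fmt, 'PHP_SELF', 'original', 'cabbage', 'strict', 'prefix');
foreach ($requests as [$self, $script]) {
    printf($fmt, $self,
        var_export(isAdminOriginal($self), true),
        var_export(isAdminCabbage($self), true),
        var_export(isAdminStrict($self), true),
        var_export(isAdminPrefix($script), true));
}
```

The first row is the security-relevant one: the original test returns false for `/admin/users.php`, so without "Cabbage" the admin-only branch is silently skipped on exactly the pages it was meant to guard.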

Re: Cabbage Based Authentication

2007-03-08 09:25 • by anon (unregistered)
Three WTFs:

1) they use PHP. A language where array[''] == array[0] is not for serious work.

2) a woman named Gabriel??

3) This textbox is horrendously small on konqueror

Re: Cabbage Based Authentication

2007-03-08 09:26 • by shadowman
125591 in reply to 125588
I was wondering what an ADMIM was. That's just asking for trouble, no?

What?

2007-03-08 09:30 • by vertagano
125593 in reply to 125589
Babbage:
Even the corrected version is a bit of a WTF, consider:
http://example.com/foo.php/admin

This is a legal URL and $_SERVER['PHP_SELF'] from foo.php will then include the /admin, even though that's clearly not the intention.

A legal URL to an admin-locked page. It's a crappy system, but I don't see the problem.

Re: Cabbage Based Authentication

2007-03-08 09:41 • by benny b (unregistered)
PHP sucks
LL Ruby

Re: Cabbage Based Authentication

2007-03-08 09:41 • by Anonymous Coward (unregistered)
A fellow Discordian? :D

Re: Cabbage Based Authentication

2007-03-08 09:42 • by Duston (unregistered)
Coincidentally enough, just this morning I shredded an entire head of cabbage for dinner tonight. <cue Twilight Zone music>

captcha: Guilty! um I mean "scooter"

Re: Cabbage Based Authentication

2007-03-08 09:42 • by akatherder
No smart ass comments about cole slaw, cabbage patch kids, or cabbage patching yet? Talk about falling down on the job.

Re: Cabbage Based Authentication

2007-03-08 09:45 • by Gary (unregistered)
Many years ago I worked on a set of programs in COBOL that contained the following statement at seemingly random places in the code.

compute xtdfa = xtdfa * 1.0.

Several of them were preceded by comments indicating that the line of code was essential. In those days everything was upper case so the comment didn't particularly stand out.

This was my first programming job and I was mystified by the statements. It was a decimal number on a decimal machine so roundoff wasn't the answer.

I asked others working on the code and the universal response was "We don't know. We took it out once and the program stopped working".

Re: Cabbage Based Authentication

2007-03-08 09:50 • by ComaVN
A language where you need to use constructs like boolean_expression !== false in a conditional statement?

Wow. Just. Wow.

Re: Cabbage Based Authentication

2007-03-08 09:51 • by Jim T (unregistered)
My first thought was to change this:

// Beware ! . "Cabbage" is necesarry for the authentication to work corectly.
// THIS IS NOT A JOKE !
if ( strpos( strtolower("Cabbage" . $_SERVER["PHP_SELF"]) , "/admin" ) )

to this:

// Beware ! . "Cabbage" is necesarry for the authentication to work corectly.
// THIS IS NOT A JOKE !
//if ( strpos( strtolower("Cabbage" . $_SERVER["PHP_SELF"]) , "/admin" ) )
//New version uses Corn
if ( strpos( strtolower("Corn" . $_SERVER["PHP_SELF"]) , "/admin" ) )

just to mess with the future maintenance programmers. Keeping the old code there and commented out is important to the joke, I think.

Re: Cabbage Based Authentication

2007-03-08 09:53 • by Rootbeer (unregistered)
125602 in reply to 125591
"I was wondering what an ADMIM was. That's just asking for trouble, no?"

A slight bit of security by obscurity, I bet. Wouldn't surprise me if register_globals was enabled on this machine, and they don't want hackers guessing the existence of an IS_ADMIN parameter that can be set to true via query string.

Re: Cabbage Based Authentication

2007-03-08 09:58 • by KattMan
125604 in reply to 125598
akatherder:
No smart ass comments about cole slaw, cabbage patch kids, or cabbage patching yet? Talk about falling down on the job.


Maybe they have, but like yesterday they have been expunged from the system by the men in black because we failed to post without our tin foil hats.

Re: Cabbage Based Authentication

2007-03-08 09:59 • by George Nacht (unregistered)
Maybe I am completely wrong here, and it's also not important, but which nation considers "Gabriel" a girl's name?

Re: Cabbage Based Authentication

2007-03-08 10:20 • by wiregoat (unregistered)
125609 in reply to 125579
mr. fluffy:
vt_mruhlin:
CheckRightsOnTheCurrentPage


I hate needlessly long function names.


but it's more enterprisey like that!


If you feel the need to comment your code, then your function names are obviously not long enough.

Re: Cabbage Based Authentication

2007-03-08 10:23 • by dunno (unregistered)
125610 in reply to 125600
ComaVN:
A language where you need to use constructs like boolean_expression !== false in a conditional statement?

... Except strpos() isn't a boolean expression. It returns an integer giving the position of the needle in the haystack string - so if the needle is at the beginning, it returns zero.

It also returns a boolean false if it can't find the needle at all.

Re: Cabbage Based Authentication

2007-03-08 10:25 • by xtremezone
As far as strpos() goes in PHP, I think it would be a lot simpler to just return -1 when the substring is not found, and the starting index when it is.

For example:
if(strpos(strtolower($_SERVER["PHP_SELF"]), "/admin") != -1)
{
    // Admin page - must have admin privileges.
}

Then you don't need !== or ===, which I find to be rather annoying operators. This is exactly why I prefer statically-typed languages.

(The BBCode is extremely horrible on this site) :(

Re: Cabbage Based Authentication

2007-03-08 10:25 • by ImNotGivingMyNameToAMachine (unregistered)
125612 in reply to 125605
George Nacht:
Maybe I am completely wrong here, and it's also not important, but which nation considers "Gabriel" a girl's name?


http://www.babynamesworld.com/search.php?p=qsearch&s_gender=2&s_copt=2&i_search=gab

It's usually shortened to Gabby, but it can go both ways. Most people, the smart ones, go with Gabrielle.

Re: Cabbage Based Authentication

2007-03-08 10:27 • by mathew (unregistered)
Funnily enough, I recently implemented a non-WTFy auth system using cryptographic hashes. I had to choose a secret salt to insert in the data before signing to make it harder to crack. Maybe I should choose "Cabbage".

Re: Cabbage Based Authentication

2007-03-08 10:27 • by anon (unregistered)
125614 in reply to 125611
Or sensible, strongly typed dynamic languages. Not all those beginning with <P> are evil.

Re: Cabbage Based Authentication

2007-03-08 10:30 • by MarcB
125615 in reply to 125602
A slight bit of security by obscurity, I bet. Wouldn't surprise me if register_globals was enabled on this machine, and they don't want hackers guessing the existence of an IS_ADMIN parameter that can be set to true via query string.


Ah, but even if register_globals was turned on, it wouldn't stuff a query parameter into the $_SESSION superglobal. All you'd get would be an auto-magically created var called $IS_ADMIN, and this particular code isn't testing for that... not to say that this isn't happening elsewhere in this pile of crap, but it's not happening here.

Re: Cabbage Based Authentication

2007-03-08 10:32 • by real_aardvark
125617 in reply to 125605
George Nacht:
Maybe I am completely wrong here, and it's also not important, but which nation considers "Gabriel" a girl's name?

America, apparently.

It came from nowhere (it says here) to be one of the more popular names in the late '90s (124 per million births). Then it went away again. Seems we have one very precocious young lady here...

I suspect a TV character, though the only reference I can find is to a (male) bisexual drug addict in a British drama series of the mid-90s. This seems to me to be an unlikely reference-point.

Any ideas, pop-pickers?

Re: Cabbage Based Authentication

2007-03-08 10:39 • by Duston (unregistered)
125619 in reply to 125611
xtremezone:
As far as strpos() goes in PHP, I think it would be a lot simpler to just return -1 when the substring is not found, and the starting index when it is.


No no no...you can't return -1, you have to return FILE_NOT_FOUND

Re: Cabbage Based Authentication

2007-03-08 10:42 • by Alan (unregistered)
The funny thing is people do that sort of thing all the time in shell scripting:

if test x$HAVE_AVCODEC = xfalse; then

Re: Cabbage Based Authentication

2007-03-08 10:47 • by fennec
125621 in reply to 125612
ImNotGivingMyNameToAMachine:
George Nacht:
Maybe I am completely wrong here, and it's also not important, but which nation considers "Gabriel" a girl's name?


http://www.babynamesworld.com/search.php?p=qsearch&s_gender=2&s_copt=2&i_search=gab
It's usually shortened to Gabby, but it can go both ways. Most people, the smart ones, go with Gabrielle.


How about Gabriella? Avoids the spelling ambiguity with the terminal LE.

Re: Cabbage Based Authentication

2007-03-08 10:54 • by dolo54 (unregistered)
I'm only afraid of two things, nuclear war and carnies. Circus Folk. Nomads, no doubt. Small hands. Smell like cabbage.

Re: Cabbage Based Authentication

2007-03-08 10:58 • by sir_flexalot
why, oh why would you intentionally put a lower-casing function around a hard-coded string that had upper-case characters? ARRRGH! How do you put "Cabbage" and not "cabbage"?!!

Re: Cabbage Based Authentication

2007-03-08 11:02 • by CoffeeJedi (unregistered)
I suspect a TV character, though the only reference I can find is to a (male) bisexual drug addict in a British drama series of the mid-90s. This seems to me to be an unlikely reference-point.

Any ideas, pop-pickers?


Gabrielle was Xena: Warrior Princess's "sidekick" on the popular Saturday afternoon cheese-fest.

Re: Cabbage Based Authentication

2007-03-08 11:05 • by xtremezone
125632 in reply to 125629
sir_flexalot:
why, oh why would you intentionally put a lower-casing function around a hard-coded string that had upper-case characters? ARRRGH! How do you put "Cabbage" and not "cabbage"?!!


...Why do you pass a hard-coded string into a lower-casing function in the first place?!?!?!?!

Re: Cabbage Based Authentication

2007-03-08 11:06 • by dnm (unregistered)
PHP, like this code, is a steaming heap of shit.

Re: Cabbage Based Authentication

2007-03-08 11:07 • by kg (unregistered)
125634 in reply to 125588
Paul:

IS_ADMIM. Nice.


I browsed around a bit, and this seems to be a common (mis?)usage. I like it. I'm going to start using it. I hope I have a job someday where my title is Sizzly Admim.

Re: Cabbage Based Authentication

2007-03-08 11:08 • by Ed (unregistered)
125635 in reply to 125617
Late 90s?

sounds about right for http://en.wikipedia.org/wiki/Gabrielle_%28Xena%29

Captcha: pointer. What this message is.

Re: Cabbage Based Authentication

2007-03-08 11:13 • by wha (unregistered)
so this person really didn't know why it "needed" cabbage?

i'm sure this code is gonna get a lot better in her hands.

Re: Cabbage Based Authentication

2007-03-08 11:18 • by Arancaytar
The real WTF is that "Cabbage" was used. Clearly, such a workaround requires a proper word like "fnord", "foo" or "bar". Or, of course "fhtagn" for the Lovecraft fans.

Though personally, I've become used to using preg_match(), which always returns a boolean. True, it isn't as efficient to use the regex engine for a simple string search, but the performance hit is negligible, and it's more fool- and typo-proof than "str_pos()!==false".

Re: Cabbage Based Authentication

2007-03-08 11:18 • by stratos (unregistered)
125639 in reply to 125619
Duston:
xtremezone:
As far as strpos() goes in PHP, I think it would be a lot simpler to just return -1 when the substring is not found, and the starting index when it is.


No no no...you can't return -1, you have to return FILE_NOT_FOUND


define('FILE_NOT_FOUND', -1);

if (is_file($full_path) === FILE_NOT_FOUND) echo "what file? where? huh?";

Re: Cabbage Based Authentication

2007-03-08 11:19 • by zip
I was thinking of Gabrielle Reece.

http://en.wikipedia.org/wiki/Gabrielle_Reece

Re: Cabbage Based Authentication

2007-03-08 11:22 • by Jimmy (unregistered)
125641 in reply to 125634
kg:
Paul:

IS_ADMIM. Nice.


I browsed around a bit, and this seems to be a common (mis?)usage. I like it. I'm going to start using it. I hope I have a job someday where my title is Sizzly Admim.



Admim is obviously the original application administrator, and since there was only one, you only need one session variable to check if it's really him.

All of my applications know me by name, too (IS_JIMMY).