Comment On Reverse Brute Force

Let's just hope he, you know, grepped the code for special cases before deleting it...

I did a similar thing when i was 13 and wrote my about fifth little program in basic. I taught it to myself using the help file, back then i didn't know yet what loops are.

So i wrote 1120 lines of code (640+480) to display a moiré pattern on the screen that could have been made with two simple loops.

I'm pretty sure that at some other point of code they do have something like this:

if (firstCharIsLowerCaseChar($username)) {
$Usertype = GUEST;
} else {
$Usertype = LOGGED_IN_USER;
}

You don't even need a builtin function, just *name -= 'a'-'A';

*Sigh* the old times when men were men...

Ah, there it is...last changed on January 2 of 1994, i was 11 back then:

SCREEN 12
WINDOW (0, 0)-(640, 480)
LINE (0, 0)-(640, 480), 1
LINE (1, 0)-(639, 480), 2
LINE (2, 0)-(638, 480), 3
LINE (3, 0)-(637, 480), 4
LINE (4, 0)-(636, 480), 5
LINE (5, 0)-(635, 480), 6
LINE (6, 0)-(634, 480), 7
LINE (7, 0)-(633, 480), 8
LINE (8, 0)-(632, 480), 9
LINE (9, 0)-(631, 480), 10
LINE (10, 0)-(630, 480), 11
LINE (11, 0)-(629, 480), 12
LINE (12, 0)-(628, 480), 13
LINE (13, 0)-(627, 480), 14
LINE (14, 0)-(626, 480), 1
LINE (15, 0)-(625, 480), 2
LINE (16, 0)-(624, 480), 3
LINE (17, 0)-(623, 480), 4
[snip]
LINE (640, 466)-(0, 14), 13
LINE (640, 467)-(0, 13), 14
LINE (640, 468)-(0, 12), 1
LINE (640, 469)-(0, 11), 2
LINE (640, 470)-(0, 10), 3
LINE (640, 471)-(0, 9), 4
LINE (640, 472)-(0, 8), 5
LINE (640, 473)-(0, 7), 6
LINE (640, 474)-(0, 6), 7
LINE (640, 475)-(0, 5), 8
LINE (640, 476)-(0, 4), 9
LINE (640, 477)-(0, 3), 10
LINE (640, 478)-(0, 2), 11
LINE (640, 479)-(0, 1), 12

Except of course for not working on names that are already capitalized.

So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time.
Good example of achieving bad results after putting in a lot of work, or better said, a lot of typing.

Odoboy:

So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time.

No, it'll return "Aaron" - the bit about the name not being in the "database" is a comment.

What if your name is LaForge?

It does only seem to be doing first names. But still, Billy-Jo and Mary-Jane are going to be unhappy.

Tom Melly:

This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

Never underestimate the power of stupidity.

I wonder whether there was someone with a name mid-alphabet, say between Kevin and Peter, who got back an insult. It would be a fine way to cover it up.

Anigel:

Well thats all the O'Driscolls and McDonalds buggered then aint it.

Some times saving many lines of code is really not as clever as it sounds.

The real WTF is trying to fix people's names at all. MaYBe I WaNT to See mY naMe with CaPs tHat WAY?

The US gubbernmint solves this problem by UP-casing all names... so McDonalds becomes MCDONALDS and so on. Nobody can complain because everyone's name has been equally screwed up.

As far as your little website goes. If the user types their name as laForge or la Forge or LaForge or FaGeorge you shouldn't care... really... you just shouldn't care.

If marketing wants to make names "uniform" then you wash the strings how ever the hell they say but do it only on _their_ display/page not in the database... not anywhere else.

Once they notice Mcdonald they'll have that conversation with you and you can point out that what if the name is La Forge and that's the name not La as the middle name and Forge as the last name but literally La and then Forge... and so on.

It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

The real WTF is Who the F do you think you are to "correct" how people spell their own names?

The updated code should have been; echo ucfirst(strtolower($name));

I did this when I was around 8. I was coding a ball-bouncing "demo". Instead of doing

x += dx
if (x < 0 || x > xmax) dx = -dx

i did something like (dxconst was always > 0):

if (x < 0) x = x + dxconst, dir = right
if (x > xmax) x = x - dxconst, dir = left
if (x > 0 && x < xmax) {
if (dir=right) x = x + dxconst
else if (dir=left) x = x - dxconst
}

, and that's still not even close to this WTF. So the guy who wrote todays WTF is effectively ages behind a eight year old in intelligence. 'Nuff said.

echo ucfirst($_GET['name']);

The real WTF is how this guy just added an XSS vulnerability.

That code made me want to pluck out my own eyeballs and use them as paperweights. I'm not sure why I thought of paperweights, particularly.

Tom Melly:

This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

How did someone actually generate that code? That must've taken a concerted effort to do so.

foo:

It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

The real WTF is Who the F do you think you are to "correct" how people spell their own names?

You misspelled Fu.

The sad part is how much time and pride went into the original programmer's script to generate the switch statement.

Ben:

echo ucfirst($_GET['name']);

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

foo:

The real WTF is Who the F do you think you are to "correct" how people spell their own names?

The real WTF is that you're getting this worked up over a WTF post. Relax.

And nobody's telling people how to spell their own names. They're correcting how their data is stored. We do it here all the time, so that there's consistency.

Take a chill pill, dude. You're way too stressed.

deShawnda was very displeased at the misspelling of her name in company forms from that day forward.

Wow... One honestly has to wonder how they slip through the cracks.

GalacticCowboy:

Tom Melly:

This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

Back in the good old days (circa 1984), when I was writing 6809 assembler for the Tandy Color Computer, I would have ANDed the ASCII value of the first letter with hex DF. Whip out your little scientific calculator and try it.

Looks like a dutch website.

Must be a 'productive' programmer
I would have been to lazy to type all the names and would prefer to look for a different solution.
Even if it took me all week.

FredSaw:

foo:

It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

The real WTF is Who the F do you think you are to "correct" how people spell their own names?

You misspelled Fu.

LMAO! pwned. though, i also must agree with foo. don't tell me how to spell my own name.

What happens to the name of the-artist-no-longer-known-as-Prince?

lol

CAPTCHA: ludus

Greg:

Ben:

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

Can you guys please explain this problem you're talking about? Thanks...

I just threw up in my mouth a little.

FredSaw:

GalacticCowboy:

Tom Melly:

This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

Back in the good old days (circa 1984), when I was writing 6809 assembler for the Tandy Color Computer, I would have ANDed the ASCII value of the first letter with hex DF. Whip out your little scientific calculator and try it.

Wow, interesting...

<?php

$name = $_GET['name'];

echo chr(ord($name{0}) & hexdec('DF')) . strtolower(substr($name, 1));

?>

Haha :P

Cloaked User:

Odoboy:

So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time.

No, it'll return "Aaron" - the bit about the name not being in the "database" is a comment.

Wait... maybe that script was the database... in that case David screwed up royally ;o)

German B.:

Greg:

Ben:

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

Can you guys please explain this problem you're talking about? Thanks...

The name could be Daniel<script>alert(document.cookie)</script> for example.

German B.:

Greg:

Ben:

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

Can you guys please explain this problem you're talking about? Thanks...

The text of the name isn't quoted and it is output directly to the browser. This (in the absence of any other code to sanitize the data) allows people to use "names" that include HTML markup and Javascript. Some innocent victim clicks on the "name" and the victim's browser follows a link or executes some Javascript that the victim would not have chosen to follow or execute.

Or just read http://en.wikipedia.org/wiki/Xss

Thanks guys.

being paid per line thats just scary.

foo:

It is utter fallacy to think that you GET to tell people how their names are spelled.

Deep breaths....

Actually, though, I POST when I tell people how to spell their own names.

Jason:

I just threw up in my mouth a little.

I bet you read this site just so that happens. You must really like your breakfast to do this so much. So do you hold it there, or just swallow it again?

Tj:

being paid per line thats just scary.

It'd certainly put me off programming in Whitespace...

Daniel15:

German B.:

Greg:

Ben:

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

Can you guys please explain this problem you're talking about? Thanks...

The name could be Daniel<script>alert(document.cookie)</script> for example.

Little Danny Scripts, we call him...

WhiskeyJack:

Daniel15:

German B.:

Greg:

Ben:

The real WTF is how this guy just added an XSS vulnerability.

Nope, the original has the same problem. So no new bugs added.

Can you guys please explain this problem you're talking about? Thanks...

The name could be Daniel<script>alert(document.cookie)</script> for example.

Little Danny Scripts, we call him...

ah, an xkcd reader, as it appears :o)

RazZziel:

You don't even need a builtin function, just *name -= 'a'-'A';

*Sigh* the old times when men were men...

Except that that assumes the first letter is lower-case. If it was already upper-case then it would be unsuitable.

Also, technically, that wouldn't be guaranteed to be portable. Granted, 99.99% of the time it'll work, but... what if you really, really wanted it to run on an EBCDIC machine? For some odd, obscure reason. (:PP)

RazZziel:

You don't even need a builtin function, just *name -= 'a'-'A';

*Sigh* the old times when men were men...

Yes, the old tiems when men knew that 'a' = 97 and 'A' = 65, which obviously mean that lowercase letters have set bit 6. So you just do if (isalpha(name[0]) name[0] &=~32; (not checking it's a letter, could give funny things)

A co-worker had a quote from the legal profession, but it applies to software as well:

I could have made it shorter, but I didn't have any more time.

KISS. Live by it.