| « Prev | Page 1 | Page 2 | Page 3 | Page 4 | Next » |
|
So what happens when a user goes to "http://idioticapplication.com/securityhole.php?doaction=system&forclient=rm%20-rf%20/"?
|
|
A two dimensional $_SESSION array? That's weird as hell right there. I
mean, all he really needs is a regular array, or a hash, or a database. Why bother to effectively globalize all your variables? Php is hell with 2d arrays as well; it's not really supported. Though I have to admit I once saw a 14 dimensional array in Java...Worked perfectly, but it hurt my mind to look at it. |
|
The actual WTF happens rather at the beginning:
/* ED: Dump the request (form or querystring) hash into the session */ Otherwise _SESSION variables are just persisted variables that are only controlled serverside. |
A security hole gets closed. |
|
Okay, I feel the need to post for the first time.
What's up with the PHP bashing? I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least. Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it. It is possible to write very good, clean and secure code in PHP, just as its possible in any language. In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in. |
My biggest problem with it, as with Perl, is the tenuous use of the alphabet |
Absolutely correct. Yahoo, IBM, Oracle and MySQL (to name a few) are embracing PHP as a serious language. |
|
I think:
$_SESSION['VAR']['doaction']($_SESSION['VAR']['forclient']); has serious WTF potential. He's calling a function stored in an array on a value in
a later part of the same line of the 2 dimensional array. This would be okay, though seriously obfuscated in a normal application with a normal array, but the $_SESSION array is not a normal array, and doesn't always behave like a normal array. You could really shaft yourself with some cryptic, unfindable errors that way. It's a terrible way to work with get/post data as well. |
|
I write in php as well, and while it does have it's good points, it is
seriously weak in other areas. If I need something that's purely a web database frontend, I'll use php, but if I need anything more complex, I'll use perl or java. |
Absolutely. Unfortunately, the amount of bad code is proportional to how easy it is to use the language, not to how securethe language can be. Any language that's fairly easy to learn will have many WTFs.
More importantly, it'll execute any function the user submits, with a parameter specified by them. As someone pointed out, system('rm -rf /') is the obvious one... |
|
Someone must have told him once that PHP variables weren't (type) safe. He didn't like the thought of producing un-safe code... so, away with the variables.
|
just a territorial skirmish: http://thedailywtf.com/forums/AddPost.aspx?PostID=43896&Quote=True |
|
> PHP is used primarily by hobbyists Perhaps 5 years ago. Wake up and smell the PHP takeover. |
Oh, I smell it alright. |
I agree that good and/or bad code can be written in any language. It's just that PHP as a language and the standard library is rather repulsive. It seems to combine the worst bits of Perl and C. But I guess that's just me.. |
|
It wouldn't be *too* bad. Basically everything owned by the httpd user would be deleted. That probably wouldn't include the script, system files, or other user's files. A while back php-nuke had a similar problem with include($_GET['file']) and php allowing for http requests in the include function. Basically you got a remote non-interactive user which gets you a step closer to running local exploits. |
Learn Python or Ruby and then tell me php is nice. php is good for quick and dirty web applications where you don't need to worry about security, and don't need anything complex. As soon as you want something secure, or complex php starts to get in the way. It may take longer to use Python or Ruby (though I've heard good things about frameworks for those that make is quick and easy), but because they are cleaner languages, in the long run your code will be cleaner and easier to maintain. Php puts everything into one namespace, and the internal functions have to consistency. lsplit is useful, but it should be part of a string namespace (if not the object), not a top level. Sure back in the early 70s you could claim nobody knew better (though I suspect someone who remembers the good languages of the time will disagree), but repeating the sins of C today isn't a good idea. Sure you can do anything in php you can in any other web language. However if you pick a good one you can do it in a much more readable and therefore maintainable fashion. If what you are doing is complex there is a reasonable chance that the better language can do it in less code as well, meaning less cost. Of course there is also a lot of bad PHP libraries out there, but that isn't the fault of php. Any language can have them. Python (at least, I don't know ruby well) tries to discourage things from getting as bad as php is, but I suspect if python was as popular as php there would be plenty of bad python libraries to choose from. That said, I can do a better job with php, than the programmer of this WTF could do with python, even if he was given twice as long to do it. |
|
Sorry ... I just thought that the statement "gives you just enough rope to shoot yourself with" was a good WTF ... it reminds me of some other good quotes. http://www.dilbert.com/comics/dilbert/dnrc/html/newsletter59.html |
Ahem! Superglobalize.
This is not true. PHP supports multi-dimensional arrays just fine. |
|
Too obscure to comment about. No more php/perl!
|
It's Ad Hoc. Work with a language like java, and you can just declare an array with more than one dimension. In php you have to declare a bunch of one dimensional arrays that happen to be inside other one dimensional arrays. So yea, you can do it, but it's awkward, and it can get you in trouble if you don't go through the trouble of writing your own methods to deal with multi-dimensional issues. I prefer to just skip the whole mess wherever possible and dump it into a database. |
Nothing on a wind'ohs box. |
|
You're definitely right about the standard library. Nothing against
function-based interfaces, and after all, the library is simply large - but it's also chaotic. The various search functions for example - you never know whether the needle or the haystack comes first. |
Arrays of arrays should not be confused with multidimensional arrays. |
Could you give us an example? I use PHP exclusively at work and use 2D arrays constantly, so I would like to know why you think this way. I hope the explanation involves a little more than "They don't work like they do in {language}." |
Oh man, there's a WTF!!! LOL I hope you were being facetious. |
|
*throws a brick into the author*
Ahhh... Feels good :) |
|
php deosn't have multidimensional arrays, in fact it doesn't even have real arrays. they are more like hash tables.
multidimensional basicaly implies a grid, you can think of it as rows and colums and you put data in the cells. With php it isn't this way, you have an array where an element can be a value OR another array. something like array(0, array(0,1,2), "foo") is not uncommon. While index 1 there behaves like a multidim array, it's not one, it's an array within an array. confusing, but very handy. |
I'm sorry but you're wrong. You're simply stating a preference, and that's fine, but it doesn't make PHP bad or unsafe. I like Python but I could list several things I hate about it. I use Perl daily and could go on for an hour about my particular dislikes. One of the greatest advantages of using php for web apps is the ability to embed code into html, even if it's just basic looping or printing variable values (yeah, 3-tier, separation of logic and layout, blah blah). Trying to do this with Perl, even using one of the template modules, is awkward and clunky and a pain in the ass. I remember once playing with Embedded Perl but that never really caught on, unfortunately. "However if you pick a good one you can do it in a much more readable and therefore maintainable fashion" Again, this is an opinion. I've developed many largescale, secure web apps that are very easily maintanable. Experience is more important than the tool. Also, I know you didn't mention Perl but i'd hardly consider perl code readable. Regarding variable variables, if people abuse them then that's their problem, not PHP's. Perl has variable variables also but I don't hear Perl getting ripped for them. Sure, they can be effectively turned off with use strict, but someone like the person who wrote this WTF wouldn't use strict anyway. Variable vars can be useful, for instance when dealing with extracting and typechecking a large number of form fields: foreach(array('int1', 'int2', 'int3', '...') as $f) $$f = (int)$_POST[$f]; foreach(array('fname', 'lname', 'address', '...') as $f) $$f = trim($_POST[$f]); |
There is a difference between a hobbyist language and a language used primarily by hobbyists. Most things built in PHP are by hobbyists. Hobbysts generally do things much more poorly than professionals. Hence, there is a much higher percentage of bad PHP code than in other languages, like, say, PL/SQL, which I don't think anyone hobbies around in ... |
|
Actually, saving $_POST into $_SESSION can be useful sometimes, like when you have to go back to a form and fill it in. But this guy is just a WTF:er...
For the PHP vs other languages debate: When I see .Net code, I just shake my head. The "paths" to the wanted functions are so f~cking long: System.Web.HttpContext.Current.Session["admin"].ToString(); Also, I surely would prefer the well-tested phpBB forum than this crap. |
The WTF is that PHP does not have true multidimensional (rectangular) arrays. It implements them as arrays of arrays (otherwise known as jagged arrays). They're not even real arrays, but ordered maps similar to a hashtable. In languages that support both multidimensional arrays and jagged arrays (C#), not only is the syntax different, but the functionality differs. |
|
ugh, the link didn't work.
check out http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csref/html/vcwlkarraystutorial.asp if you're interested. |
|
here here!
I am also a coder that does PHP on a professional basis. Yes I used to code in VB with ASP and HATED it. I never tried ASP.net but i think its probably garbage as well. I love PHP running on Apache servers. I like reading wtf, as a lurker, only because I enjoy learning more coding and things not to um do.....but i find the php bashing a disappointment. this site is truely a disappointment to me now, i can tolerate the vb code, as i just see it as vb bashing since vb is garbage anyways. C++ is the only language to develop worthy code for applications. C# doesnt even come close, sorry. |
|
The arrays in PHP function as arrays, lists and structs at the same time:
$persons = array (
|
I wouldn't do that. Imho, if you require an in-between page (like this: form => error message => back to form), to store the input temporarily in a form consisting only of hidden fields. Sessions don't scale well: the data for each session is stored on the server's disk, and kept there for a while before it's being deleted, since HTTP applications are essentially connectionless. I believe they're stored for half an hour, or that's the time a session cookie remains valid, at least. Multiply with the number of visitors and you'll see that the data stored in sessions should be kept to a minimum. |
So it's OK to bash languages, as long as they're the ones you think suck. |
|
PBPbasher++;
This language is ugly, very ugly, even compared to C; the fact that it took a decade to develop a built-in database abstraction layer so you can easily switch e.g. from MySQL to PostgreSQL is a WTF for a "language" mainly used for web apps requiring database connectivity. |
|
Hopefully we can all at least agree that ColdFusion really sucks.
|
I don't see what's so ugly about C. |
|
Argh, wasnt logged in, my quote didnt work, etc etc.... Jonathan ur a tool just shuddup and laff :) |
Dude, I agree that VB with ASP is horrible, I've used it and don't think much of it. However, ASP.NET is actually very good. You're showing your age/inexperience by saying "i think its probably garbage as well" and "C# doesnt even come close". To everyone who might be about to flame this guy - leave him alone :) |
Good to see Alex backing up his words - and I agree that PHP is a bit of a hack language. However it has gained a certain amount of respect over the past few years, hasn't Yahoo ported everything to PHP? Having said all of that, I've worked on quite a few different large scale IT projects and none of them have even mentioned PHP. It's been java or .net. And I can't remember the last time a client has asked for PHP. |
I'd argue that a large portion of the 'hobbyists' coding in PHP these days are also professionals, and that when that is the case, the PHP produced as a 'hobby' is just as clean and secure as anything produced in a 'professional' capacity. Also, fwiw, according to the Tiobe Programming Community Index PHP is ranked 5th in popularity, beating out both VB and C#. PL/SQL is a lowly 12th, so it looks like not many folks "professional" around in it much anymore either =) |
Absolutely! Sorry to snip all of your post, but, that sentence in particular is dead on. If you know what you are doing, and the language has the basic tools you need (which PHP most certainly does), you can create a SECURE web application to do whatever you desire. I can't stand when people bash a language and ignore the solid fact that experience, intelligence, and to a lesser extent talent can surpass any nit-picky issues. A great coder can solve a problem regardless of the language. |
Quite a lot. It starts with the preprocessor: You can hardly write a usefull C program without preprocessor directives, but they break the style of the rest of the C program. Some other issues: strings: they chose to implement them in the most ineffective way. gets() - a WTF by itself. if (a=1) ooopsa=1,2||3; compiles |
|
Okay, show me an example in which it fucking matters. Just
because Bill makes "rectangular arrays" an "industry standard" doesn't mean that they are actual programming concepts. PHP automatically assigns intermediary indeces when you access another part of a "jagged" array, so it makes no difference, other than the fact that C# just wastes memory, and maybe gains a little performance. If someone is that worried about the performance of PHP when it is doing the runtime memory allocation, then perhaps they should move to a compiled language, as that would afford the most performance increase. |
Two words: buffer overflow. C itself is a security hole. |
Yeah, great logic there; "It's popular so it must be good." Oh no, I use Ruby, and IT'S NOT EVEN SHOWN THERE. Goddamn, PHP is popular because it's TOO easy to start using (i.e. any idiot now has a new tool to fuck things up with), and a lot of free web hosting has support for it, not due to it actually being a well designed language. Making something very simple and web-based, ok PHPs fine, anything more complex and I'd rather chew broken glass than build it in PHP. |
| « Prev | Page 1 | Page 2 | Page 3 | Page 4 | Next » |
Anonymous: