Comment On Starring The Admin

What was the site URL again?

Sweet, now I have Alex's credit card number! Crap, it got rejected...

Too broken to hack.

inb4TRWTFisPHP (even though the choice of language has nothing to do with anything)

At first, I assumed that this was happening AFTER the log-in procedure, but I can see now that this is not the case.

Even scarier, if this is actually the case, it would appear that it grants admin access BEFORE validating the credentials... Yeah, what site is this again?

It's not working right...

When does the hurting stop?

In fact, TheDailyWTF runs on similar software. I expect a deposit of $200,000, or the lights go out...

You can find my bank account details under payment/data.php

I once worked on a contract at a University and found the login page put the username and password into a URL and did a GET to login. Plus for fun, I found one could delete all the records in the database by editing the URL. This database was used to justify all the payments from the state for their entire budget. Oopsy.

Security through obscurity. Nothing wrong with that, right?

Buh....

/me eyes KB
/me targets KB
/me aligns head with KB
/me starts to slameknmn234398ym a 4xjkrdfxc ujkigvcf jmkrdfex8ioghv**

Whoa! Admin access! Coo!! Maybe I should have used a simpler method of getting a random username than having to use jmkrdfex8ioghv

..like Bobby Tables..
http://bobby-tables.com/ (bobby-tables dot com)

captcha: augue - how they do it in Bruk-lin, New Yawk.

These two issues can be explained easily when you know the previous admin wanted to make his app as transparent as possible without revealing the source code. The double stars mean that user is double special and can act as an admin. The access to admin payments is another attempt at transparency. You have to learn a little more about his intentions before you call it a WTF.

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

You do realize PHP hasn't stood for "Personal Home Pages" since 1997, right?

And PHP is plenty fine for large scale applications, just as C is. It just depends on having a coder that isn't completely retarded. But then so does JSP, Java Servlets, or asp.NET.

Is it any of these?

http://www.google.co.uk/search?hl=en&q=allinurl%3A++%22admin%2Fpayments%22&btnG=Search&meta=&aq=f&oq=

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

Nonsense. Choosing a moron to develop this is the issue - it has nothing to do with the plaform.

And Alex - this is straight to Classic TDWTF. If this reappears on, say, Wednesday I'll be more than happy.

I thought PHP stood for programmers hacking porn.

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

I believe Facebook is written in PHP.

Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competance of the developer, NOT the technology.

Top Cod3r lookout society:

I thought PHP stood for programmers hacking porn.

No you didn't.

Sorry but... we are talking about Credit Cards Numbers and payments etc... the last thing that this should be is transparent.
in my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.

Don't blame the gun, blame the shooter.

Wow.



Wow.



My brain has locked up. That was too retarded for 8:30 on a Monday.

phargoth:

Sorry but... we are talking about Credit Cards Numbers and payments etc... the last thing that this should be is transparent.
in my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.

Sorry to be a pedant, but I thought the phrase was...

"The road to hell is paved with good intentions"

Alex Papadimoulis:

There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.

There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

You guys are all wrong. This is totally secure. Now, if it were ONE star, then THAT would be insecure. But TWO stars? Now, who would ever guess that??!!

bjolling:

Alex Papadimoulis:

There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.

There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

evilspoons:

My brain has locked up. That was too retarded for 8:30 on a Monday.

Good thiong then that it's 3:30PM here...

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page...

Yes, writing an application in Personal Home Page is stupid, especially considering it doesn't even support database connectivity. Now, Imma let you finish, but this PHP is Hypertext Pre-Processor, which is the best web language of all time!

(I'm sorry, I couldn't help it...)

PHP Man:

bjolling:

There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

Imagine a single Twinkie represents all the WTFs ever created in LAMP. Active Directory itself would be a Twinkie 35-feet long, weighing approximately 600 pounds.

PHP Man:

bjolling:

Alex Papadimoulis:

There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.

There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

PHP Man:

bjolling:

Alex Papadimoulis:

There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.

There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

Some bloated crap Micro$oft made to give admins job security. Basically, every function of an application is a "task", Users can be assigned multiple "roles" and if that role can perform a specific task, then permission is granted. Some tasks can be performed by more than one role, and if lots of users are given the same roles, the roles can instead be assigned to a "group" that the users then become "members" of. Administrators have access to all roles, so only one administrator account is needed - in case you lose the user with the role of assigning roles.

Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

C# Man:

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

I believe Facebook is written in PHP.

Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competance of the developer, NOT the technology.

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

Well, Facebook's one example. They seem to be doing alright.

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

So...the name is what makes a language suitable or not? Because thus far, that's the only criteria you have offered by which to judge PHP.

A poor craftsman blames his tools.

tim:

C# Man:

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

I believe Facebook is written in PHP.

Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competance of the developer, NOT the technology.

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

You're an idiot.
PHP is plenty fine. It comes down to whether you are competent enough to harness the capabilities of the language.

Hey, it's still better than one student's site, where admin interface was phpmyadmin. The user (old lady in reception) had to edit tables and write html code... just briliant.

hobbes**:

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

So...the name is what makes a language suitable or not? Because thus far, that's the only criteria you have offered by which to judge PHP.

A poor craftsman blames his tools.

<grammar nazi>criterion</grammar nazi>.

You were doing well there, right up to the platitude. There are things that PHP is good for (not necessarily best for, but good for); the OP is clearly not one of them. Now for the platitude.

When people say "A poor craftsman blames his tools," they are generally ignoring the following:

(1) The original meaning of this phrase is that a good craftsman would have sharpened the tools, greased the wang-nuts, and generally taken more care. It isn't immediately obvious how this applies to the choice of PHP.
(2) Should your choice of tools ("Look! I have a hammer! It must be a nail!") be inappropriate, a good craftsman will upgrade their tool-set.
(3) On the unlikely assumption that the good craftsman was, in this, case, forced to use a totally inadequate tool, much against their will, then a good craftsman will do the best f**king job they can -- and then leave, for a job where they can use proper tools.

The guy in the OP is, however, simply a Tool.

Best find a more credible defense for the 99.999% of PHP programmers out there who should be doing something more useful, like crocheting.

Nick:

tim:

C# Man:

Anonymous:

Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??

I believe Facebook is written in PHP.

Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competance of the developer, NOT the technology.

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

You're an idiot.
PHP is plenty fine. It comes down to whether you are competent enough to harness the capabilities of the language.

An extremely skilled craftsman can build a house with enough cardboard and duct tape... but should he?

I'm not against PHP as a language for enterprise scale websites, just the argument of 'it takes a competent developer' is weak. Very weak.

Bim Job:

hobbes**:

just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages any more than microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. and yes I have build PHP web sites

So...the name is what makes a language suitable or not? Because thus far, that's the only criteria you have offered by which to judge PHP.

A poor craftsman blames his tools.

<grammar nazi>criterion</grammar nazi>.

You were doing well there, right up to the platitude. There are things that PHP is good for (not necessarily best for, but good for); the OP is clearly not one of them. Now for the platitude.

When people say "A poor craftsman blames his tools," they are generally ignoring the following:

(1) The original meaning of this phrase is that a good craftsman would have sharpened the tools, greased the wang-nuts, and generally taken more care. It isn't immediately obvious how this applies to the choice of PHP.
(2) Should your choice of tools ("Look! I have a hammer! It must be a nail!") be inappropriate, a good craftsman will upgrade their tool-set.
(3) On the unlikely assumption that the good craftsman was, in this, case, forced to use a totally inadequate tool, much against their will, then a good craftsman will do the best f**king job they can -- and then leave, for a job where they can use proper tools.

The guy in the OP is, however, simply a Tool.

Best find a more credible defense for the 99.999% of PHP programmers out there who should be doing something more useful, like crocheting.

Have a look at http://en.wikipedia.org/wiki/Php under section "Usage", it lists Facebook, Wikipedia, Yahoo, Digg, Joomla, Wordpress, YouTube and Drupal as example web sites built using PHP, those are pretty big/major web applications built in a technology that you say isn't suitabke for large enterprise applications (then what the hell is Yahoo then!?).

My original statement stills stands that the technology is largely irrelavent (as long as it isn't MUMPS), it's the competancy of the developer that counts.

TRWTF here is that instead of using, oh i dont know, a boolean in the database (See below...) they've decided that its ok to just drop things in. *cough* guess it went to the lowest bidder.


My note on databases:
I've done database work for authentication. It can be quite useful. However, if you're going to use a database to authenticate your users, make sure its behind some form of NAT. Beside your webserver behind a NAT. I saw once a table that almost generally met the requirements for a moderately secure system:

-----------------------------------------------------------

name                   type    len

uname                  STRING  32

uname_hash             STRING  512

uname_isAdmin          BOOLEAN 1

uname_isSuperAdmin     BOOLEAN 1

pass                   STRING  1024

pass_hash              STRING  1024

------------------------------------------------------------

the password was (gasp) plaintext. isAdmin and isSuperAdmin showed if the user had admin priveledges and could use sudo (under SSH, which every night a cron job kicked in to update sudoers). However, pass_hash had a particular quirk: it was the SHA-512 of the password, concat'd to the hash of THAT hash. so 512 bytes of SHA1, then 512 bytes of more SHA1.

Mike Caron:

At first, I assumed that this was happening AFTER the log-in procedure, but I can see now that this is not the case.

If that was the case, I can see it being less WTFy (from a final result/security POV. Still Dumb.) If '**' in a username meant admin (requiring admin access to set up) and it did the authentication first, it would at least be secure. I can see then removing the metainformation before saying "Welcome Joe**".

Of course, upon reflection, he wouldn't have done that. But it was my initial and charitable view.

So speaking as a desktop-app programmer who's only just starting to do more web development: if PHP is so evil, all you naysayers, what *should* I be using? (If anybody comes back with "JSP" I'll laugh them off the site).

Steve-O:

I'm not against PHP as a language for enterprise scale websites, just the argument of 'it takes a competent developer' is weak. Very weak.

I'd argue that "it takes a competent developer to write non-WTF-worthy code" is a universal truth, rather than a language-specific observation.

I would also argue that there's no such thing as a WTF-proof language.

Sure, some languages make it easy to write WTFy code. Visual Basic is one example. PHP is another. But used properly, both languages can be useful tools.

I'm not saying "everyone should use PHP"; I don't think that's the case. I'm just saying if you want to avoid WTF-worthy code, language choice should be the last thing you're concerned about, not the first.

Indrora:

However, if you're going to use a database to authenticate your users, make sure its behind some form of NAT. Beside your webserver behind a NAT.

I think you mean "firewall", not "NAT". While NAT can often act like a firewall, it isn't a firewall, and is not a replacement for a firewall.

There's no need for NAT if your firewall is set up properly (and NAT is often undesirable). Want to avoid people connecting to your database server? Set your database server's firewall to only accept incoming connections from your webserver's IP address.

What issues do you have with active directory?

PHP Man:

Have a look at http://en.wikipedia.org/wiki/Php under section "Usage", it lists Facebook, Wikipedia, Yahoo, Digg, Joomla, Wordpress, YouTube and Drupal as example web sites built using PHP, those are pretty big/major web applications built in a technology that you say isn't suitabke for large enterprise applications (then what the hell is Yahoo then!?).

My original statement stills stands that the technology is largely irrelavent (as long as it isn't MUMPS), it's the competancy of the developer that counts.

Jesus, you really do need to learn how to spell, don't you? It's "competency." And yes, the competency of the developer certainly counts. But, in a lot of cases, you have to question why they chose PHP in the first place. I mean, it's not exactly friendly to an MVC solution, is it?

The choice of "technology" is never irrelevant. (I'm kindly granting you the unexamined assertion that PHP is a "technology" rather than a "lash-up.")

Can we have a detailed argument as to why MUMPS (Oh, Poo!) is somehow inferior to PHP? I wouldn't choose either, myself (and I've worked with both). Intrinsically, either would work. Extrinsically, neither is a good choice.

I notice you didn't choose to defend your dimwit platitude on tools and workmen, btw. I put a bit of effort into explaining why that was a cretinous interpretation. Care to defend your views on that?

Oh yeah, I know. You've got those quotes from Wikipedia. Killer. And you've got attention deficit disorder (blog-related), which means that apparently PHP is "a technology that you say isn't suitable for large enterprise applications."

I said no such thing. People can do what they want. I'm simply maintaining that 99.999% of PHP programmers should concentrate on crochet.

Got that?

Bim Job:

Can we have a detailed argument as to why MUMPS (Oh, Poo!) is somehow inferior to PHP? I wouldn't choose either, myself (and I've worked with both). Intrinsically, either would work. Extrinsically, neither is a good choice.

I think it would be easy to argue that for web development PHP is a better choice than MUMPS, given that PHP was (ostensibly) designed for web development, whereas MUMPS was not.

That said, I'd agree that most people who write PHP nowadays should take up some other non-computer-related hobby instead.

Bim Job:

PHP Man:

Have a look at http://en.wikipedia.org/wiki/Php under section "Usage", it lists Facebook, Wikipedia, Yahoo, Digg, Joomla, Wordpress, YouTube and Drupal as example web sites built using PHP, those are pretty big/major web applications built in a technology that you say isn't suitabke for large enterprise applications (then what the hell is Yahoo then!?).

My original statement stills stands that the technology is largely irrelavent (as long as it isn't MUMPS), it's the competancy of the developer that counts.

Jesus, you really do need to learn how to spell, don't you? It's "competency." And yes, the competency of the developer certainly counts. But, in a lot of cases, you have to question why they chose PHP in the first place. I mean, it's not exactly friendly to an MVC solution, is it?

The choice of "technology" is never irrelevant. (I'm kindly granting you the unexamined assertion that PHP is a "technology" rather than a "lash-up.")

Can we have a detailed argument as to why MUMPS (Oh, Poo!) is somehow inferior to PHP? I wouldn't choose either, myself (and I've worked with both). Intrinsically, either would work. Extrinsically, neither is a good choice.

I notice you didn't choose to defend your dimwit platitude on tools and workmen, btw. I put a bit of effort into explaining why that was a cretinous interpretation. Care to defend your views on that?

Oh yeah, I know. You've got those quotes from Wikipedia. Killer. And you've got attention deficit disorder (blog-related), which means that apparently PHP is "a technology that you say isn't suitable for large enterprise applications."

I said no such thing. People can do what they want. I'm simply maintaining that 99.999% of PHP programmers should concentrate on crochet.

Got that?

Wow.

1. Who gives a shit if he misspelled a word? You obviously understood what he meant which means he communicated with you in an unambiguous manner, and thus the point of language was served. What grammar/spelling Nazi’s tend not to understand is that there is nothing intrinsically pure about language. As long as it serves its purpose, who cares?

2. I maintain that 99.999% of ALL programmers should concentrate on crochet. It would drastically raise the number of crochet related deaths, but I'm OK with that.

3. The choice of technology is almost always less relevant than speed to market. If PHP allows for rapid prototyping then it wins.