Security is a big deal. The days of open mail relays and anonymous file upload sites are long gone. No one executes binaries they find in an email inbox. If only.

That's why when Gabriel was asked to take a look at a PHP application on which her school relies --- an application that stores student's name, grades, and social security numbers --- she expected top-notch security. Here's what she found.

 

  function CheckRightsOnTheCurrentPage()
  {
      // Beware ! . "Cabbage" is necesarry for the authentication to
work corectly.
      // THIS IS NOT A JOKE !
      if ( strpos( strtolower("Cabbage" . $_SERVER["PHP_SELF"]) ,
"/admin" ) )
      {
          if ( ( !isset($_SESSION["IS_ADMIM"] ) ) ||
($_SESSION["IS_ADMIM"] == 0 ) )
          {
              header("HTTP/1.x 403 Forbidden");
              header("Content-Type: text/html; charset=iso-8859-1");
              header("Expires: Mon, 01 Jan 1990 05:00:00 GMT");
              header("Cache-Control: no-store, no-cache, must-revalidate");
              header("Cache-Control: post-check=0, pre-check=0", FALSE);
              header("Pragma: no-cache");
              die();
          }
      }
      return true;
  }

 

And it turns out, the comment was right: it wasn't a joke, which she verified by removing the produce from the PHP. Though she isn't quite sure why it makes a difference, she returned the cabbage to its rightful place and decided not to change any other functions that declare their sincerity in capital letters.