• mystery (unregistered)

    Try as i might, i can't think of a way to make this worse.

    Also FRIST

  • (cs) in reply to mystery
    mystery:
    Try as i might, i can't think of a way to make this worse.

    Also FRIST

    They could have created an array instead of a string (which, to be perfectly fair, is already WTF enough on itself), and loop through that one as well

  • Pessimiser (unregistered)

    How could this be worse?

    Take the input string, do a String.Split to break it into an array of characters. Have a predefined array of characters, then use LINQ to do a cross-join of the two arrays, then scan the cross-join for identities, ie where the two characters are the same.

  • (cs)

    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?

  • (cs) in reply to frits
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    Because someone actually thought this was an acceptable implementation?
  • mjk340 (unregistered) in reply to Pessimiser
    Pessimiser:
    How could this be worse?

    Take the input string, do a String.Split to break it into an array of characters. Have a predefined array of characters, then use LINQ to do a cross-join of the two arrays, then scan the cross-join for identities, ie where the two characters are the same.

    Take in an array of strings, display it in a command prompt using echo, take a screen shot, send it to the printer, have an intern black out the bad characters with a sharpie, take a picture of the printout on a wooden table, convert the jpg to pdf, OCR in Adobe, and build a blacklist by removing the characters found on the page from the complete list of unicode characters.

  • Cishuman (unregistered) in reply to mystery

    One could take screen captures of all non-allowed character symbols, store their paths in a XML file, then validate the string by taking each character, printing it in an image file, and then check if it is bitwise equivalent to any of these images.

  • Enterprisey Guy (unregistered) in reply to Cishuman
    Cishuman:
    One could take screen captures of all non-allowed character symbols, store their paths in a XML file, then validate the string by taking each character, printing it in an image file, and then check if it is bitwise equivalent to any of these images.

    That sounds slow, difficult to implement, and prone to error.

    Tell me more!

  • 3rd Ferguson (unregistered) in reply to mystery

    Maybe it's a fault of the anonymization but one of the special characters listed is double quote '"'. Shouldn't that terminate the strings in the code and render the whole thing unworkable? Or, this being script, does the parser just try its level best to parse away and present the user with YHWH knows what on screen?

  • anon (unregistered) in reply to 3rd Ferguson
    3rd Ferguson:
    Maybe it's a fault of the anonymization but one of the special characters listed is double quote '"'. Shouldn't that terminate the strings in the code and render the whole thing unworkable? Or, this being script, does the parser just try its level best to parse away and present the user with YHWH knows what on screen?

    The " is escaped with \

  • I. G. E. (unregistered) in reply to mystery
    mystery:
    Try as i might, i can't think of a way to make this worse.
    Tell the perpetrator about Unicode.
  • Cishuman (unregistered) in reply to Enterprisey Guy

    Well, instead of recording the paths of the images in the XML file, perhaps we could store the images directly in the XML, as a sequence of strings "ON" (or "TRUE", or "OK") and "OFF" (or "FALSE", or "OKNOT", or "NOTOK"?)

    This would certainly make our procedure more efficient, because then we would not have to wait for the file system to load the image file...

  • foo (unregistered)

    Sure it's not one of those timing problems, where something like ('foobar'.match('[^a-zA-Z0-9]') == undefined) wouldn't have wasted enough time?

  • Mmmpf (unregistered) in reply to The poop of DOOM
    The poop of DOOM:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    Because someone actually thought this was an acceptable implementation?

    Plus, it's not that easy to fix. Knowing myself I know that I'm going to end in a self-inflicted regex and ISO pain; yes, in the beginning it seems easy, because you just have to exclude non alphanumeric characters, you know.

    But then, I'm going to think: you can't forbid space as a valid character, we're in the 21st Century! And if I start with this, are period and forward slash valid characters? It's going to lead me on the article about path on Wikipedia, I'm going to lose one hour reading it, which will lead me to try to get to know what OS I'm running on, and soon I'll find myself reading the POSIX spec for answers.

  • PoPSiCLe (unregistered)

    What baffles me the most is that this is (very poorly) implemented in JS. Turn off JS, or bypass this part of the js, and voila, one could make invalid subfolders (I'm assuming for a filesystem on a server) as one pleases.

    I really hope this is just to display an error-message to the end-user, and not the actual validation - there is a server-side check somewhere, right?

  • Cishuman (unregistered) in reply to Mmmpf
    But then, I'm going to think: you can't forbid space as a valid character, we're in the 21st Century!
    And? What is it about the new millennium that makes users believe that they are entitled to the use of their space bar?

    Really, they should be thankful that they are allowed to use capital letters - and they should remember, that's a privilege, not a right.

  • (cs) in reply to PoPSiCLe
    PoPSiCLe:
    What baffles me the most is that this is (very poorly) implemented in JS. Turn off JS, or bypass this part of the js, and voila, one could make invalid subfolders (I'm assuming for a filesystem on a server) as one pleases.

    I really hope this is just to display an error-message to the end-user, and not the actual validation - there is a server-side check somewhere, right?

    Taking this code as an example, I think that is likely not a valid assumption....

    Yazeran

    Plan: To go to Mars one day with a hammer.

  • (cs) in reply to Cishuman
    Cishuman:
    Well, instead of recording the *paths* of the images in the XML file, perhaps we could store the images directly in the XML, as a sequence of strings "ON" (or "TRUE", or "OK") and "OFF" (or "FALSE", or "OKNOT", or "NOTOK"?)

    This would certainly make our procedure more efficient, because then we would not have to wait for the file system to load the image file...

    Actually on embedded systems without a filesystem this is a common practice.

  • Sean Ellis (unregistered)

    Ðid ÿøµ knøw, thåt ®øµtine wøµld håve thøµght this cømment was À-ÕK.

  • (cs) in reply to Sean Ellis
    Sean Ellis:
    Ðid ÿøµ knøw, thåt ®øµtine wøµld håve thøµght this cømment was À-ÕK.

    No, it contains a comma and a period.

  • Ton (unregistered) in reply to Cishuman
    Really, they should be thankful that they are allowed to use capital letters - and they should remember, that's a privilege, not a right.

    ABSOLUTELY CORRECT!

  • (cs) in reply to frits
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    Tears of joy, perhaps?

    I will point out however that one thing seems like it might not be as easy to fix: the return type - you'd likely have to fix everywhere the function is called.

  • Andy (unregistered)

    Beside all other oddities, this one is also nice:

    //var special_char = "[á|à|ã|ã|ä|é|è|ê|ë|í|ì|î|ï|ó|ò|õ|ô|ö|ú|ù|û|ü|ç|ñ" + "|!|"|#|$|%|&|/|=|?|'|\»|\«|=|}|{|[|]" + "|\§|\£|@|,|;|.|:|-|`|\´|^|~|<|>|]";

    The line comment left just a (concatenated) string literal, which is valid Javascript Syntax (that is also explored in new JS 5 with "use strict"; statement).

  • (cs) in reply to Cishuman
    Cishuman:
    But then, I'm going to think: you can't forbid space as a valid character, we're in the 21st Century!
    And? What is it about the new millennium that makes users believe that they are entitled to the use of their space bar?

    Really, they should be thankful that they are allowed to use capital letters - and they should remember, that's a privilege, not a right.

    Excuse me, it's you perishing kids insist on being able to use lowercase in your programs who are the upstarts. When I started programming, lowercase hadn't been invented.

  • (cs) in reply to mjk340
    mjk340:
    Pessimiser:
    How could this be worse?

    Take the input string, do a String.Split to break it into an array of characters. Have a predefined array of characters, then use LINQ to do a cross-join of the two arrays, then scan the cross-join for identities, ie where the two characters are the same.

    Take in an array of strings, display it in a command prompt using echo, take a screen shot, send it to the printer, have an intern black out the bad characters with a sharpie, take a picture of the printout on a wooden table, convert the jpg to pdf, OCR in Adobe, and build a blacklist by removing the characters found on the page from the complete list of unicode characters.

    I like your solution because it would scale really well.

  • (cs) in reply to Andy
    Andy:
    Beside all other oddities, this one is also nice:

    //var special_char = "[á|à|ã|ã|ä|é|è|ê|ë|í|ì|î|ï|ó|ò|õ|ô|ö|ú|ù|û|ü|ç|ñ" + "|!|"|#|$|%|&|/|=|?|'|\»|\«|=|}|{|[|]" + "|\§|\£|@|,|;|.|:|-|`|\´|^|~|<|>|]";

    The line comment left just a (concatenated) string literal, which is valid Javascript Syntax (that is also explored in new JS 5 with "use strict"; statement).

    Oh... I assumed that one was caused by Alex cleaning up the code.

  • (cs) in reply to C-Octothorpe

    I also agree. But an Army of Interns would make this solution better.

  • (cs)

    But apparently ÁÀÃÃÄÉÈÊËÍÌÎÏÓÒÕÔÖÚÙÛÜÇÑ is still a valid name.

  • No One (unregistered) in reply to frits
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    I just got suckered into buying a new house because I needed a place and this was the only one in my price range. Come to find out, my front door is made of cardboard and human spin pressed into the form of a door. I mean, I know it's easy to fix, but imagine, if this is the front door, how was the foundation constructed?

    (TL;DR: I fed the troll.)

  • Harrow (unregistered)

    If they tell the user the only valid characters are 0-9, A-Z, and a-z, shouldn't the validation routine just check for 0-9, A-Z, and a-z? If the input contains a character that's not 0-9, A-Z, or a-z, we don't care what it is, we just care that it's not 0-9, A-Z, or a-z.

    I would suggest casting each char of the input as an unsigned byte and performing three range checks, but I'm afraid that the author of today's example would end up checking for 0-8, A-Y, and a-y.

    -Harrow.
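
An added example (not the article's code, nor any commenter's) contrasting the blocklist approach criticised in this thread with the 0-9/A-Z/a-z allowlist described in the comment above, written as the kind of server-side check PoPSiCLe asks about. The `BLOCKED` string is rebuilt from the character list quoted in the thread; the function names and `MAX_LEN` are assumptions.

```javascript
// Added example, not the article's code. BLOCKED is a constructed model of the
// quoted character list; MAX_LEN is an assumed limit.
const BLOCKED =
  "áàãäéèêëíìîïóòõôöúùûüçñ" + "!\"#$%&/=?'»«}{[]|" + "§£@,;.:-`´^~<>";
const MAX_LEN = 64;

// Blocklist: reject only when a character appears on the list.
// Anything the author did not think of is silently accepted.
function blocklistAccepts(name) {
  for (const ch of String(name)) {
    if (BLOCKED.includes(ch)) return false;
  }
  return true;
}

// Allowlist: accept only 0-9, A-Z, a-z. What the rejected character is
// does not matter, only that it is outside the permitted set.
function allowlistAccepts(name) {
  if (typeof name !== "string") return false;
  if (name.length === 0 || name.length > MAX_LEN) return false;
  // In JavaScript, $ without the m flag matches only at the very end of
  // the input, so a trailing newline is rejected as well.
  return /^[A-Za-z0-9]+$/.test(name);
}

// Server-side entry point: validate again here, whatever the browser did.
function validateFolderName(name) {
  return allowlistAccepts(name)
    ? { ok: true, name }
    : { ok: false, error: "Only 0-9, A-Z and a-z are allowed" };
}

// Constructed sample inputs, several taken from cases raised in the thread.
const SAMPLES = [
  "Reports2011",     // plain alphanumeric
  "ÁÀÃÃÄÉ",          // uppercase accented letters are not on the blocklist
  "FILE_NOT_FOUND",  // underscore is not on the blocklist
  "FILE-NOT-FOUND",  // hyphen is on the blocklist
  "   ",             // spaces only
  "",                // empty
  "a\u0000b",        // embedded NUL
  "notes\n",         // trailing newline
];

function compare(samples) {
  return samples.map((s) => ({
    input: JSON.stringify(s),
    blocklist: blocklistAccepts(s),
    allowlist: allowlistAccepts(s),
  }));
}

console.table(compare(SAMPLES));
```
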

  • (cs) in reply to No One
    No One:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    I just got suckered into buying a new house because I needed a place and this was the only one in my price range. Come to find out, my front door is made of cardboard and human spin pressed into the form of a door. I mean, I know it's easy to fix, but imagine, if this is the front door, how was the foundation constructed?

    (TL;DR: I fed the troll.)

    It wasn't a troll per se. Anyway, he's porting the code. Therefore, as long as the interface stays the same, he can change the internal logic all he wants. All he has to do is change the approach from blacklist to whitelist and be done with it. Instead, the OP cries like a wittle baby and submits the code to TDWTF.

  • (cs) in reply to frits
    frits:
    No One:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    I just got suckered into buying a new house because I needed a place and this was the only one in my price range. Come to find out, my front door is made of cardboard and human spin pressed into the form of a door. I mean, I know it's easy to fix, but imagine, if this is the front door, how was the foundation constructed?

    (TL;DR: I fed the troll.)

    It wasn't a troll per se. Anyway, he's porting the code. Therefore, as long as the interface stays the same, he can change the internal logic all he wants. All he has to do is change the approach from blacklist to whitelist and be done with it. Instead, the OP cries like a wittle baby and submits the code to TDWTF.
    So, TRWTF was the submitter? I can live with that...

  • (cs) in reply to Andy
    Beside all other oddities, this one is also nice:

    //var special_char = "[á|à|ã|ã|ä|é|è|ê|ë|í|ì|î|ï|ó|ò|õ|ô|ö|ú|ù|û|ü|ç|ñ" + "|!|"|#|$|%|&|/|=|?|'|\»|\«|=|}|{|[|]" + "|\§|\£|@|,|;|.|:|-|`|\´|^|~|<|>|]";

    The line comment left just a (concatenated) string literal, which is valid Javascript Syntax (that is also explored in new JS 5 with "use strict"; statement).

    Yeah, beside all the other WTF's in that code, this was the one that screamed the loudest to me that they have no clue about programming. The rest was bad algorithms, but this shows a clear lack of understanding of the language. (While it works without error, it is a very weird and silly thing to do intentionally)

  • Bob (unregistered) in reply to frits
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?

    Errr, you are aware that this is thedailywtf?

  • Bob's Son (unregistered) in reply to Bob
    Bob:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?

    Errr, you are aware that this is thedailywtf?

    Dad, what does the word "retarded" mean?

  • My Name Is Missing (unregistered)

    Now I know why "The goggles, they do nothing" do nothing. Whoever wrote this code wrote the code for the goggles.

  • (cs)

    it looks like FILE_NOT_FOUND is a valid file, however FILE-NOT-FOUND is not....

  • Mmmpf (unregistered) in reply to Silfax
    Silfax:
    it looks like FILE_NOT_FOUND is a valid file, however FILE-NOT-FOUND is not....

    Also, a name only composed of spaces is valid.

  • Harrow (unregistered) in reply to QJo
    QJo:
    Cishuman:
    But then, I'm going to think: you can't forbid space as a valid character, we're in the 21st Century!
    And? What is it about the new millennium that makes users believe that they are entitled to the use of their space bar?

    Really, they should be thankful that they are allowed to use capital letters - and they should remember, that's a privilege, not a right.

    Excuse me, it's you perishing kids insist on being able to use lowercase in your programs who are the upstarts. When I started programming, lowercase hadn't been invented.

    Well, when I started programming, the alphabet hadn't been invented. Our code library was passed down by oral tradition.

    -Harrow.

  • (cs) in reply to frits
    frits:
    No One:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    I just got suckered into buying a new house because I needed a place and this was the only one in my price range. Come to find out, my front door is made of cardboard and human spin pressed into the form of a door. I mean, I know it's easy to fix, but imagine, if this is the front door, how was the foundation constructed?

    (TL;DR: I fed the troll.)

    It wasn't a troll per se. Anyway, he's porting the code. Therefore, as long as the interface stays the same, he can change the internal logic all he wants. All he has to do is change the approach from blacklist to whitelist and be done with it. Instead, the OP cries like a wittle baby and submits the code to TDWTF.
    A little harsh. How do you know the tears are not tears of laughter? Mine would have been.

  • (cs) in reply to Harrow
    Harrow:
    QJo:
    Cishuman:
    But then, I'm going to think: you can't forbid space as a valid character, we're in the 21st Century!
    And? What is it about the new millennium that makes users believe that they are entitled to the use of their space bar?

    Really, they should be thankful that they are allowed to use capital letters - and they should remember, that's a privilege, not a right.

    Excuse me, it's you perishing kids insist on being able to use lowercase in your programs who are the upstarts. When I started programming, lowercase hadn't been invented.

    Well, when I started programming, the alphabet hadn't been invented. Our code library was passed down by oral tradition.

    -Harrow.

    And the Lord said unto Moses:

    Honour thy Kernighan and Ritchie. Thou shalt not use GOTO. Thou shalt not steal from slashdot. Thou shalt not commit adulteration of algorithms. etc. etc.

  • (cs) in reply to Pim
    Pim:
    Sean Ellis:
    Ðid ÿøµ knøw, thåt ®øµtine wøµld håve thøµght this cømment was À-ÕK.

    No, it contains a comma and a period.

    ˙llǝʇ uɐɔ I sɐ ɹɐɟ sɐ 'ǝlqɐʇdǝɔɔɐ ʎlʇɔǝɟɹǝd ǝq plnoʍ ʇuǝɯɯoɔ sıɥʇ 'ɹǝʌǝʍoH

  • Rfoxmich (unregistered)

    TRWTF is that the excluded characters should have been in an XML file, loaded each time via a validating parser into a temporary data base table and a query done once per character in the input string to ensure that no character in the input string was in the temp table.

  • Ken B. (unregistered)

    Well, of course they did it this way. It's much more efficient to check for the 59 "invalid" characters listed than the 62 "valid" ones.

    ¿ɹoɟ ʞɔǝɥɔ ʇ,uop ʎǝɥʇ sɹǝʇɔɐɹɐɥɔ ǝʌıɟ ʎʇɹıɥʇ pǝɹpunɥ ǝuo ǝɥʇ ʇnoqɐ sǝɹɐɔ oɥʍ

  • Jim Fell (unregistered)

    Someone was probably given a requirement containing the phrase, "...no special characters."

  • Ken B. (unregistered) in reply to mystery
    mystery:
    Try as i might, i can't think of a way to make this worse.
    Don't use indexOf(), and use a nested for-loop instead.

    Or, "better" still, don't hard-code the list of "invalid" characters, and query an SQL table instead of indexOf().

  • Jim Fell (unregistered) in reply to mystery
    mystery:
    Try as i might, i can't think of a way to make this worse.

    Also FRIST

    return (bool)(valid == "true");
  • (cs)

    in a creepy voice: "Those are my characters, you can have the other ones"

  • (cs) in reply to mjk340

    Oh, nice one

  • (cs) in reply to boog
    boog:
    frits:
    Oh boo hoo. Do you want some cheese with that whine? Why would something this easy to fix bring tears to your eyes?
    Tears of joy, perhaps?

    I will point out however that one thing seems like it might not be as easy to fix: the return type - you'd likely have to fix everywhere the function is called.

    To be fair, given the sheer volume of problems most developers seem to have with booleans (as evidenced by articles on this site), I can empathize with someone using strings to represent truth.

Leave a comment on “Serious String Validation”
