The Phantom of The System

  • TurboThy 2005-08-02 13:54
    Security Through Obscurity at its finest.
  • Barfusslaeufer 2005-08-02 13:56
    This is so bad that I had to read it three times and now I'm not the first one to post any more :/
  • sas 2005-08-02 13:56
    I think "The Whiz" refers to the fact his code deserves to be urinated on. [:P] [+o(]
  • Jehos 2005-08-02 13:56
    Funny how encryption just escapes some people. If you're worried about exposing values, you could just encrypt what you want to hide then decrypt it on the receiving page to reveal its true beauty, just like the poor Phantom of the Opera.

    Or you could, you know, not pass values in the querystring...
  • sadmac 2005-08-02 13:58
    Wow. Just wow.

    Note: for full effect from this particular WTF, go find the title music from Clockwork Orange and listen as you read the code.
  • Maurits 2005-08-02 14:00
    Alex Papadimoulis:
    ' takes order total and jumbles it mathematically
    maskerAmount = ((((oTotal + 22) * 7 )) - 12) * 620

    The worst part is, this is exactly equivalent to:
    maskerAmount = 4340 * oTotal + 88040

    So the last digit of maskerAmount is always zero
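    Maurits's expansion, checked in Python. This is an added example, not the ASP code from the article or any poster's code: it transcribes the masking formula as written, puts the linear closed form beside it, and adds an exact inverse to show that the transformation is a plain bijection on integers and so gives no secrecy at all. The function names are mine, and whole-number totals are assumed, as Maurits's last-digit observation also assumes.

```python
# Added example (not the article's ASP code or any poster's): the "masking"
# formula from the snippet, its linear closed form, and an exact inverse.
# Whole-unit totals are assumed; with fractional totals the last-digit
# observation no longer holds.

MULTIPLIER = 4340   # 7 * 620
OFFSET = 88040      # (22 * 7 - 12) * 620 = 142 * 620


def masker_amount(o_total: int) -> int:
    """The original jumble, transcribed step by step."""
    return ((((o_total + 22) * 7)) - 12) * 620


def masker_linear(o_total: int) -> int:
    """Algebraically identical closed form: 4340 * x + 88040."""
    return MULTIPLIER * o_total + OFFSET


def unmask(masker: int) -> int:
    """Recover the order total. The transform is affine with integer
    coefficients, so this is one exact division: it hides nothing."""
    if (masker - OFFSET) % MULTIPLIER != 0:
        raise ValueError("not a value produced by masker_amount")
    return (masker - OFFSET) // MULTIPLIER


def last_digit_always_zero(totals) -> bool:
    """Maurits's side observation: 4340 and 88040 are both multiples of 10."""
    return all(masker_amount(t) % 10 == 0 for t in totals)


def check_equivalence(totals) -> bool:
    """Both forms agree and the inverse round-trips on every total given."""
    return all(
        masker_amount(t) == masker_linear(t) and unmask(masker_amount(t)) == t
        for t in totals
    )


if __name__ == "__main__":
    for total in (0, 1, 50, 1234):
        masked = masker_amount(total)
        print(total, masked, masker_linear(total), unmask(masked))
    print("equivalent on 0..9999:", check_equivalence(range(10000)))
    print("last digit always zero:", last_digit_always_zero(range(10000)))
```

    Nothing in the original formula adds entropy: the only unknown an observer of the URL lacks is which fixed affine map was used, and whistler's point that a handful of samples pin it down follows directly from `check_equivalence` holding for every input.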
  • Otis Mukinfus 2005-08-02 14:14
    Dammit! Now I'll have to go back and change all my code to not use querystring :o(
  • spacey 2005-08-02 14:18
    with posts like these, Alex - you'll need to rename the site to:

    "the daily OMFG"

    -space
  • dubwai 2005-08-02 14:25
    (999999 - 100000 + 1)

    What's the point of doing that calculation not only once but multiple times?
  • Maurits 2005-08-02 14:26
    Anonymous:
    Dammit! Now I'll have to go back and change all my code to not use querystring :o(

    Nothing wrong with using the querystring... as long as you verify it independently.

    For example....
    1. User pulls up "view product" page
    2. User notes price - $50
    3. User reads description
    Time passes...
    4. Manager changes price to $60
    Time passes...
    5. User decides "all right, I'll buy it"
    6. User clicks "Add to cart" link which passes product ID and price via querystring
    7. "add to cart" page compares price from query string and database and notices they're different
    8. "add to cart" page displays helpful message to user along the lines of "The price of this product has recently changed to $60. Add to cart anyway? OK / Cancel"
  • Charles Nadolski 2005-08-02 14:30
    dubwai:
    (999999 - 100000 + 1)
    What's the point of doing that calculation not only once but multiple times?

    Because 900000 isn't obfuscated enough, silly ;)
  • whistler 2005-08-02 14:46
    This is the classical definition of encraption. When the same amount is sent through this routine multiple times, only one part of the query string will remain constant -- the 7th through 12th digits of track. Now an attacker just needs to collect several of these values for different purchases and perform a linear regression to find they all fall on the line y=4340x+88040. It's then trivial to find x is the purchase amount, and modify it accordingly (depending, of course, on the context). Security by obscurity, indeed. [:@]
  • loneprogrammer 2005-08-02 14:47
    Alex Papadimoulis:
    ' takes order total and jumbles it mathematically
    maskerAmount = ((((oTotal + 22) * 7 )) - 12) * 620

    The power of mathematics compels you!
    The power of mathematics compels you!

    *** projectile vomit pea soup ***
  • Apoch 2005-08-02 14:51
    Maurits:
    Anonymous:
    Dammit! Now I'll have to go back and change all my code to not use querystring :o(

    Nothing wrong with using the querystring... as long as you verify it independently.

    For example....
    1. User pulls up "view product" page
    2. User notes price - $50
    3. User reads description
    Time passes...
    4. Manager changes price to $60
    Time passes...
    5. User decides "all right, I'll buy it"
    6. User clicks "Add to cart" link which passes product ID and price via querystring
    7. "add to cart" page compares price from query string and database and notices they're different
    8. "add to cart" page displays helpful message to user along the lines of "The price of this product has recently changed to $60. Add to cart anyway? OK / Cancel"

    This smells of overengineering if you ask me - especially in nontrivial systems where there's a lot more to consider about an item than just price. Just pass the product ID via querystring and present the user with a price totals page before they confirm their purchase. Even better, internally track the price that they "picked up" the item for in their shopping cart and do some sanity validation on that price (e.g. it is less than 4 hours old, etc.) and just charge them that price. Works out great for all concerned.
  • Cthulhon 2005-08-02 14:51
    6. User clicks "Add to cart" link which passes product ID and price via querystring

    Why? if you're just going to check against the DB later, why pass the price? Better to do something like pass the timestamp and check it against when the product was updated.
  • John Smallberries 2005-08-02 14:54
    grrr...god I hate code like this.

    why would you even encrypt the total anyway?
  • Maurits 2005-08-02 14:59
    Cthulhon:
    6. User clicks "Add to cart" link which passes product ID and price via querystring

    Why? if you're just going to check against the DB later, why pass the price? Better to do something like pass the timestamp and check it against when the product was updated.

    Because the manager could change his mind and set it back to $50 again. This would lead to the user getting a confusing message like "The price has changed to $50" when it already was $50. Or maybe the manager just changed an internal field on the Products table, like the accounting code.
  • Apoch 2005-08-02 15:03
    Maurits:
    Cthulhon:
    6. User clicks "Add to cart" link which passes product ID and price via querystring

    Why? if you're just going to check against the DB later, why pass the price? Better to do something like pass the timestamp and check it against when the product was updated.

    Because the manager could change his mind and set it back to $50 again. This would lead to the user getting a confusing message like "The price has changed to $50" when it already was $50. Or maybe the manager just changed an internal field on the Products table, like the accounting code.

    The YAGNI principle was invented specifically for this kind of thing. In practice, this is not a genuine problem. I've written a couple of web-store applications and my current employer shares an office suite with a company whose sole business is building web-store apps. Any user who doesn't check their totals on the checkout screen before blindly throwing their credit card number at a web site deserves to get snipped out of the $10 price difference - and customer service departments exist for smoothing over the problem. I'd be willing to lay out a decent wad of cash that a large amount of WTFery is generated by over-engineering to account for such non-issues.
  • Maurits 2005-08-02 15:19
    Apoch:
    Any user who doesn't check their totals on the checkout screen before blindly throwing their credit card number at a web site deserves to get snipped out of the $10 price difference

    And what if the total changes between when they load the "checkout" page and when they submit the "checkout" page? Do you check that?
  • Apoch 2005-08-02 15:21
    Maurits:
    And what if the total changes between when they load the "checkout" page and when they submit the "checkout" page? Do you check that?

    Since you missed it the first time:

    Apoch:
    Even better, internally track the price that they "picked up" the item for in their shopping cart and do some sanity validation on that price (e.g. it is less than 4 hours old, etc.) and just charge them that price. Works out great for all concerned.
  • Bustaz Kool 2005-08-02 15:24
    loneprogrammer:
    The power of mathematics compels you!
    The power of mathematics compels you!

    *** projectile vomit pea soup ***

    Now, that's funny!! How funny? F***in' funny!!!
  • Maurits 2005-08-02 15:37
    Apoch:
    Maurits:
    And what if the total changes between when they load the "checkout" page and when they submit the "checkout" page? Do you check that?

    Since you missed it the first time:

    Apoch:
    Even better, internally track the price that they "picked up" the item for in their shopping cart and do some sanity validation on that price (e.g. it is less than 4 hours old, etc.) and just charge them that price. Works out great for all concerned.

    No, you misunderstand [:)] I'm fine with letting the user buy something at the price that was on the shelf at the time they put the item in their cart, even if we changed it by the time they got to the register. I do that myself in my homegrown shopping cart.

    But I do pass the total from the "gather credit card" page to the "process credit card" page, because I worry about the user slipping something into the cart after I've swiped their card and before they leave the register.

    1. User goes to checkout page with a stick of gum in their cart - total is $0.10
    2. In another browser, user adds a big-screen TV to their cart
    3. User pays $0.10 and walks out with their gum and their TV
  • Miszou 2005-08-02 15:58
    Maurits:
    1. User goes to checkout page with a stick of gum in their cart - total is $0.10
    2. In another browser, user adds a big-screen TV to their cart
    3. User pays $0.10 and walks out with their gum and their TV

    Does that really work? Just askin', you know. Might be something to look out for in my own code. Yeah, that's it... [;)]
  • loneprogrammer 2005-08-02 16:01
    Maurits:
    1. User goes to checkout page with a stick of gum in their cart - total is $0.10
    2. In another browser, user adds a big-screen TV to their cart
    3. User pays $0.10 and walks out with their gum and their TV

    Try this at amazon.com and you just get sent back to the "confirm order" screen.

    Passing anything important through the query string is a WTF. What stops someone from sending any query string they want? Nothing!

    You should lock the shopping cart on the server, or check for new items in the cart before placing the order. Never trust any data that the client sends you.
  • Maurits 2005-08-02 16:27
    loneprogrammer:
    check for new items in the cart before placing the order

    Well, I do. Specifically, I compare the total I get from the form against the total I get by adding up the product prices currently in their cart.

    So they could switch out products all they want, as long as their total remains the same. They are charged for - and their receipt contains - the products in their cart at the time I process their card, not necessarily what they had in their cart when the "enter credit card info" page was loaded.
  • AnonymousCoder 2005-08-02 16:33
    Maurits:
    The worst part is, this is exactly equivalent to:
    maskerAmount = 4340 * oTotal + 88040

    It's actually: maskerAmount = 4340 * oTotal + 80600

    I wonder if there's an even bigger WTF behind this code. Why did he feel that the total amount needs to be "masked" in the first place? From the code it looks like it's being redirected to thankyou.asp; what is the big deal having the total in the query string on that page? Maybe it's over-engineering as some suggest. Or maybe the query string value is the actual value that is being charged to the user's credit card?

    Relying on query string for any significant input is in general a WTF; what would happen if a user changed qs values and resubmitted this page with maskerAmount=0 or maskerAmount=xxxWTFxxx?
  • JThelen 2005-08-02 16:45
    Maurits:
    loneprogrammer:
    check for new items in the cart before placing the order

    Well, I do. Specifically, I compare the total I get from the form against the total I get by adding up the product prices currently in their cart.

    So they could switch out products all they want, as long as their total remains the same. They are charged for - and their receipt contains - the products in their cart at the time I process their card, not necessarily what they had in their cart when the "enter credit card info" page was loaded.

    I'd highly recommend changing that. It's practically begging for a mischarge lawsuit, since the possibility of billing for goods not received exists, and as you seem to be saying, is exceptionally easy.

    While I think Apoch can take YAGNI, and shove it where the sun doesn't shine along with the rest of eXtreme Programming, he certainly has a point regarding the verification of goods in the cart against their current price at the time of checkout.
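    The gum-and-TV race that Maurits describes, loneprogrammer's "send them back to the confirm order screen" behaviour, and JThelen's objection that comparing totals alone lets products be swapped, worked through in Python. This is an added example and not any poster's cart code: the catalogue, the session ids and the `CartStore` class are constructed for the illustration. The checkout page embeds a fingerprint of the exact cart contents in the form, and the payment page refuses to charge unless the server-side cart still matches it.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Constructed catalogue; "gum" and "mint" share a price on purpose so the
# total-only check and the contents check can be told apart.
CATALOGUE = {
    "gum": Decimal("0.10"),
    "mint": Decimal("0.10"),
    "tv": Decimal("899.00"),
}


class CartStore:
    """Server-side carts keyed by session id (a stand-in for a session store or table)."""

    def __init__(self):
        self.carts = {}  # session_id -> {product_id: quantity}

    def add(self, session_id, product_id, qty=1):
        if product_id not in CATALOGUE:
            raise KeyError(product_id)
        cart = self.carts.setdefault(session_id, {})
        cart[product_id] = cart.get(product_id, 0) + qty

    def remove(self, session_id, product_id):
        self.carts.get(session_id, {}).pop(product_id, None)

    def total(self, session_id) -> Decimal:
        cart = self.carts.get(session_id, {})
        return sum((CATALOGUE[p] * q for p, q in cart.items()), Decimal("0"))

    def snapshot(self, session_id) -> str:
        """Fingerprint of the exact contents (ids and quantities), not just the total."""
        cart = self.carts.get(session_id, {})
        canonical = json.dumps(sorted(cart.items()))
        return hashlib.sha256(canonical.encode()).hexdigest()


def render_checkout(store, session_id):
    """The 'gather credit card' page: returns the total to display and the
    snapshot token to embed in the form (a hidden field, never the price)."""
    return store.total(session_id), store.snapshot(session_id)


def process_payment(store, session_id, submitted_token):
    """The 'process credit card' page: charge only if the cart is unchanged since
    checkout was rendered; otherwise send the user back with the current total."""
    current = store.snapshot(session_id)
    if not hmac.compare_digest(submitted_token, current):
        return ("RETRY", store.total(session_id))
    return ("CHARGED", store.total(session_id))


def total_only_check(store, session_id, submitted_total) -> bool:
    """The weaker check for contrast: passes whenever the totals agree,
    even when the products behind that total were swapped."""
    return store.total(session_id) == submitted_total


if __name__ == "__main__":
    store = CartStore()
    store.add("s1", "gum")
    total, token = render_checkout(store, "s1")      # user sees $0.10
    store.add("s1", "tv")                            # other browser, same session
    print(process_payment(store, "s1", token))       # ('RETRY', Decimal('899.10'))

    store.add("s2", "gum")
    total2, token2 = render_checkout(store, "s2")
    store.remove("s2", "gum")
    store.add("s2", "mint")                          # same total, different goods
    print(total_only_check(store, "s2", total2))     # True: would not notice
    print(process_payment(store, "s2", token2)[0])   # RETRY: contents changed
```

    The token carries no price and no secret, only a digest of server-side state, so tampering with it cannot change what is charged; the worst a client can do is force a retry. Because the fingerprint covers quantities and product ids rather than the sum, the equal-price swap that defeats the total comparison is caught as well.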
  • spotcatbug 2005-08-02 17:14
    Nobody beats The Whiz!
  • mizhi 2005-08-02 17:20
    dubwai:
    (999999 - 100000 + 1)
    What's the point of doing that calculation not only once but multiple times?

    You are missing the larger picture: what is the point of this entire bit of code?
  • noName 2005-08-02 17:43
    You are missing the larger picture: what is the point of this entire bit of code?

    Job security. Once you manage to slip such a beast into production you can't be fired. And if you leave the company by your own decision you can charge for consulting again and again, or have some revenge and leave them high and dry if you feel like it.
  • duck1123 2005-08-02 17:44
    I'm confused. Is he trying to protect "The System" from End-Users or other developers?

    [job] security through obscurity
  • uber1024 2005-08-02 18:01
    Well, Alex. I think it's time to shut down your site. This is never going to be topped, IMO.
  • Maurits 2005-08-02 18:07
    Anonymous:
    Maurits:
    The worst part is, this is exactly equivalent to:
    maskerAmount = 4340 * oTotal + 88040

    It's actually: maskerAmount = 4340 * oTotal + 80600

    Are you sure?
  • Spudley 2005-08-02 18:11
    Anonymous:
    you can't be fired. And if you leave the company by your own decision you can charge for consulting again and again, or have some revenge and leave them high and dry if you feel like it.

    Hmmm.... revenge may be good, but employment references are better.
  • Guayo2 2005-08-02 19:06
    Mortimer Armstrong:
    Where in the world have you been hiding?
    Really you were perfect.
    I only wish I knew your secret,
    Who is this so called whiz?

    Coworker:
    The user once spoke of a whiz,
    I used to dream he'd appear,
    Now as I code I can sense him,
    And I know he's here.
    Here in this asp-snip he calls me softly,
    Somewhere inside...hiding.
    Somehow I know, he's always with me,
    he's the unseen [mathematical] genius.

    Mortimer Armstrong:
    My friend you must have been dreaming,
    Stories like this can't come true
    My friend you're talking in riddles,
    And it's not like you!

    Coworker:
    Whiz of The System,
    l33t h4x0r and Guardian,
    Grant to me your glory!

    Mortimer Armstrong:
    Who is this Whiz?
    This...

    Both:
    Whiz of The System,
    Hide no longer,
    secret and strange whiz

    Coworker:
    He's with me even now

    Mortimer Armstrong:
    Your hands are cold

    Coworker:
    All around me

    Mortimer Armstrong:
    Your face, my friend, it's white

    Coworker:
    It frightens me
    [...]
  • Maurits 2005-08-02 19:08
    Keep your hand at the level of your eyes ;)
  • Guayo2 2005-08-02 19:29
    Maurits:
    Keep your hand at the level of your eyes ;)

    I suppose Mortimer would like to practice some Punjab lasso techniques on "The Whiz"
  • Golly 2005-08-02 21:24
    loneprogrammer:
    The power of mathematics compels you!
    The power of mathematics compels you!

    *** projectile vomit pea soup ***

    Hahaha, oh man that's damn funny!
  • phelyan 2005-08-02 21:49
    spotcatbug:
    Nobody beats The Whiz!

    I'm sure there's a few people out there by now who would want to. With clue-by-fours.
  • Ben Dover 2005-08-02 22:42
    spotcatbug:
    Nobody beats The Whiz!

    Heheh... kudos for the Seinfeld reference...

    Now, to re-write all this code:

    Session["price"] = price

    Done!
  • The Whiz 2005-08-02 22:56
    Hey this looks like my code!!!!!
  • Jon Limjap 2005-08-02 23:10
    The Whiz is Evil!!!!
  • Pax 2005-08-03 00:14
    Bah! That's easily fixed - you just need to use higher-order polynomials. If, instead of ax+b, you use ax^100+bx^99+cx^88+...+d, it will require 100 (or 101, I can't remember) orders to solve the polynomial values.

    Obviously, you can make this even harder to attack by using massive polynomial coefficients. And, when the customers find that each order on the net is taking 2.7 years to complete, they'll go elsewhere :-).

    It's a joke, Joyce.
  • dhromed 2005-08-03 04:44
    Real mathemawizards use complex numbers to encrypt their pricetags.
  • No obscurity needed 2005-08-03 04:58
    Sometimes we need to pass parameters through the url (or post) for systems that have nothing to do with each other. The anti-tampering solution was easy to implement without obscuring anything - we calculate an md5 signature for url + "a secret part" and append it to the end of the url as the last parameter. Works like a charm.
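    The signed-URL approach the post describes, as an added example rather than that poster's code. It follows the same shape (sign the parameters with a server-side secret, append the tag as the last parameter, verify before trusting anything) but uses HMAC-SHA256 instead of a bare MD5 over url + secret, since HMAC is the standard keyed-hash construction for this purpose; the key, parameter names and the optional `exp` expiry field are my own assumptions. Note what signing does and does not give: the values stay readable in the URL (integrity, not confidentiality), and a signed link can be replayed until it expires.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qsl

# Constructed key for this example; a real deployment reads it from server-side
# configuration and never sends it to the browser.
SECRET_KEY = b"example-shared-secret-do-not-reuse"
SIG_PARAM = "sig"


def canonical_query(params: dict) -> str:
    """Sort by key so both ends sign byte-identical input whatever the parameter order."""
    return urlencode(sorted(params.items()))


def sign_params(params: dict, key: bytes = SECRET_KEY) -> str:
    """Build the query string and append an HMAC-SHA256 tag as the last parameter."""
    body = canonical_query(params)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&{SIG_PARAM}={tag}"


def verify_query(query: str, key: bytes = SECRET_KEY, now=None):
    """Return the parameters if the tag checks out (and 'exp', if present, has not
    passed relative to `now`); return None for missing, duplicated, altered or stale input."""
    items = parse_qsl(query, keep_blank_values=True)
    tags = [v for k, v in items if k == SIG_PARAM]
    params = {k: v for k, v in items if k != SIG_PARAM}
    if len(tags) != 1 or len(params) != len(items) - 1:
        return None  # no tag, several tags, or a duplicated parameter name
    expected = hmac.new(key, canonical_query(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tags[0]):
        return None  # any change to any parameter invalidates the tag
    if "exp" in params and now is not None:
        try:
            if int(params["exp"]) < now:
                return None  # correctly signed, but expired: limits replay of old links
        except ValueError:
            return None
    return params


if __name__ == "__main__":
    link = sign_params({"product": "42", "price": "50.00"})
    print(link)
    print("as sent  :", verify_query(link))
    print("tampered :", verify_query(link.replace("price=50.00", "price=0.10")))
    print("unsigned :", verify_query("product=42&price=50.00"))
```

    Two details matter in practice: the parameters are canonicalised (sorted) before signing so that reordering cannot produce a spurious mismatch or match, and the comparison uses `hmac.compare_digest` so the verifier does not leak how many leading bytes of a guessed tag were right.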
  • Xepol 2005-08-03 05:24
    What amazes me more than the code is that in all the replies so far about ASP code, there has only been one reference to the server side only session object.

    Suddenly, the Wizz.

    Uh, since it is (APPARENTLY) only a thank you page, I'm not entirely sure why it is even really required to be so obtuse, but hey, whatever turns your crank.

    Interesting technique to ensure that he can always pull out the price tho - you have to at least respect the thought put into the random padding, even if you can't admire his litteracy skills reading the asp manuals...
  • Xepol 2005-08-03 05:29
    Xepol:
    Suddenly, the Wizz.


    Speaking of litteracy skills.. :$

    I was GOING to say, suddenly the wizz doesn't seem to be so alone... (after all, if everyone here can ignore the session object, why shouldn't he?)

    As an interesting side note, and a totally different WTF, who set the limit limit for editing posts to obscenely small time limits less than 10 seconds??
  • Rank Amateur 2005-08-03 08:26
    Ooooo. u1tr4 l33t encryption by linear transformation. Julius Caesar would be completely baffled.

    Yeah, it's overengineered. You never need more than ROT13 for anything.

    --Rank
  • Adi 2005-08-03 08:42
    If maskerAmount is the "masked" amount and maskerDummy is "throw someone off", why is maskerDummy being passed in the Response?
  • b1xml2 2005-08-03 08:49
    There are some fundamental rules broken by the code snippet.

    1. Never expose private data via the Query String. This particularly applies to sensitive data as well as data that is used to reconstruct a portion of the UI that the user sees.
    2. By obfuscating the total amount and by attempting to mislead anyone that is curious enough to modify the url, the author has constructed two parameters: track to hold the actual amount and tot to mislead. This in itself indicates that the author is aware of the consequences of breaking #1 if not knowing the actual rule itself.
    3. Anyone trying to defend such methodology (as some have attempted to argue that it is reasonable to send the data via the query string) merely demonstrates a lack of understanding of what it takes to make secure and functional web applications.
    4. Protecting the data from tampering can take many forms: one could store the data in SQL Server with a timestamp or guid to provide the reference key. Alternatively, one could store it in the Session object (or in ASP.NET, one could store it in the ViewState and have the enableMac property set to true).

    Invariably, any web developer who is still doing what this snippet does, exposing private data in the querystring, ought to be publicly humiliated. They just give web developers a bad name and by no small measure, we have quite a significant mass of web programmers who are neither programmers of any decent distinction nor proponents of any worthwhile methodology.
  • dhromed 2005-08-03 08:56
    Xepol:
    As an interesting side note, and a totally different WTF, who set the limit limit for editing posts to obscenely small time limits less than 10 seconds??

    The forum gremlins.
    I don't think there's anything Alex can do.
  • David 2005-08-03 10:29
    Anonymous:
    If maskerAmount is the "masked" amount and maskerDummy is "throw someone off", why is maskerDummy being passed in the Response?

    It's being passed in a very lame attempt to throw off anyone who knows about query strings from modifying the query string to try and trick the system. Someone trying to trick the system is more likely to start trying to change the value of "tot" rather than "track", when in reality tot is a dummy value and track is the actual total, but masked. [sarcasm]Of course we all know that they would only ever try to change the value of tot, and never ever any other query string variable. [/sarcasm]
  • chocolateBar 2005-08-03 11:48
    I can't agree (/forums/22742/ShowPost.aspx) somehow.
  • JohnO 2005-08-03 12:54
    dubwai:
    (999999 - 100000 + 1)
    What's the point of doing that calculation not only once but multiple times?

    What's the point of even doing it once?
  • Rank Amateur 2005-08-03 15:09
    JohnO:
    dubwai:
    (999999 - 100000 + 1)
    What's the point of doing that calculation not only once but multiple times?

    What's the point of even doing it once?

    Everybody knows the more complicated the encryption the harder it must be to crack. "maskerAmount = ((((oTotal + 22) * 7 )) - 12) * 620" is much harder to crack than "maskerAmount = oTotal * 4340 + 88040" (or whatever).

    --Rank
  • JamesCurran 2005-08-03 16:11
    Anonymous:
    spotcatbug:
    Nobody beats The Whiz!

    Heheh... kudos for the Seinfeld reference...

    Actually, "The Wiz" is (was?) a NYC-area electronics chain store. The slogan was "Nobody beats the Wiz!"
  • ammoQ 2005-08-03 17:05
    Anonymous:
    3. Anyone trying to defend such methodology (as some have attempted to argue that it is reasonable to send the data via the query string) merely demonstrates a lack of understanding of what it takes to make secure and functional web applications.
    4. Protecting the data from tampering can take many forms: one could store the data in SQL Server with a timestamp or guid to provide the reference key. Alternatively, one could store it in the Session object (or in ASP.NET, one could store it in the ViewState and have enableMac property set to true)

    Invariably, any web developer who is still doing what this snippet does, exposing private data in the querystring ought to be publicly humiliated. They just give web developers a bad name and by no small measure, we have quite a significant mass of web programmers who are neither programmers of any decent distinction nor proponents of any worthwhile methodology.
  • lucio 2005-08-04 07:46
    The phantom of the opera is there...

    inside your code [:|]
  • David 2005-08-04 09:24
    The whole point of the response is to throw people off with saying the 'amount=' maskerdummy, when in reality the real total is in 'track='.
  • RobbieGee 2005-08-04 09:33
    Relying on query string for any significant input is in general a WTF; what would happen if a user changed qs values and resubmitted this page with maskerAmount=0 or maskerAmount=xxxWTFxxx?

    Neither is POST safe. I just had to mention it...

    I always code my webapps with the philosophy that everything the user sends me (the app) is a _request_ to do something. Once this logic sets in the head, queries like "SELECT name FROM client WHERE clientid = '$clientid';" should set off some alarm bells.

    First, is the variable safe? (Assuming PHP) has addslashes() been run on the variable? Using Hungarian notation on variables has proved very useful for me. I use the prefix "us" for all unsafe variables and "s" for safe. This way it's much more likely that I'll spot any security hazards.

    Second, this is an app where users keep track of their clients and how many hours to charge them for. Where's the check to see if that client "belongs" to the user requesting the name? If there is no such check, users may be able to read each other's data.
    This is much better: "SELECT name FROM client WHERE clientid = '$sClientid' AND owner = '$sUserid' LIMIT 1;"
    Just a newcomer's two cents.

    Btw, love the site :-)
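    The two checks the post above asks for (is the variable safe, and does the client belong to the requesting user), as an added Python example that is not the poster's PHP. The `client` table and its rows are constructed for the illustration. Rather than escaping the input with addslashes() before splicing it into the query, the example binds both values as query parameters, which keeps quoting characters in the input as data regardless of database or charset; the `owner` predicate is the per-user authorisation check, with the user id taken from the server-side session rather than the request.

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for the poster's client table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE client (
            clientid INTEGER PRIMARY KEY,
            owner    TEXT NOT NULL,
            name     TEXT NOT NULL
        );
        INSERT INTO client VALUES (1, 'alice', 'Acme Corp');
        INSERT INTO client VALUES (2, 'bob',   'Globex');
        """
    )
    return conn


def client_name(conn, us_clientid, s_userid):
    """Look up a client name on behalf of the requesting user.

    us_clientid is the untrusted request value (the poster's "us" prefix);
    s_userid is the authenticated user id from the server-side session.
    Both are bound as parameters, so a quote in the input is just a character
    the database compares against, never part of the SQL text, and the owner
    predicate means a user can only ever see their own clients."""
    row = conn.execute(
        "SELECT name FROM client WHERE clientid = ? AND owner = ? LIMIT 1",
        (us_clientid, s_userid),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    print(client_name(conn, 1, "alice"))    # Acme Corp
    print(client_name(conn, 1, "bob"))      # None: not bob's client
    print(client_name(conn, "1'", "alice")) # None: stray quote is data, not SQL
```

    The ownership predicate belongs in the query itself rather than in a later check in application code, so that a forgotten check cannot turn into a cross-user read; the same pattern carries over to the UPDATE and DELETE statements for the same table.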
  • Apoch 2005-08-04 12:06
    JThelen:
    While I think Apoch can take YAGNI, and shove it where the sun doesn't shine along with the rest of eXtreme Programming, he certainly has a point regarding the verification of goods in the cart against their current price at the time of checkout.

    Heh. Personally, I think XP is a complete travesty, and I loathe it as a development paradigm - but the XP crowd does have some important lessons to teach. Specifically, careful and judicious application of YAGNI (more as a principle of avoiding excess complication than a holy mantra) and a willingness to refactor anything and everything that suggests that it needs it. I've seen a huge boost in code cleanliness in all sorts of projects when these kinds of things are applied.

    Screw XP, yes... but rejecting all the teachings of something out of hand just because the whole is stupid is not wise ;-)
  • Gene Wirchenko 2005-08-04 12:28
    uber1024:
    Well, Alex. I think it's time to shut down your site. This is never going to be topped, IMO.

    You wish.

    (Yechnology marches on.)

    Sincerely,

    Gene Wirchenko
  • 8bit 2005-08-04 20:55
    Uhm, how about a session variable already?
  • mikeb 2005-08-05 20:24
    dubwai:
    (999999 - 100000 + 1)
    What's the point of doing that calculation not only once but multiple times?

    Those calculations are using an idiom for generating a random number bounded by a lower bound of 100000 and an upper bound of 999999 (i.e., a number from 100000 to 999999 inclusive).

    The general algorithm is: ((upperBound - lowerBound + 1) * randNum) + lowerBound

    Of course, it would have made more sense to put that into a nice little function (assuming VBScript doesn't already have one), but this is one thing in the code that may be a WTF, but not an idiotic WTF.
  • JThelen 2005-08-08 11:01
    Apoch:
    JThelen:
    While I think Apoch can take YAGNI, and shove it where the sun doesn't shine along with the rest of eXtreme Programming, he certainly has a point regarding the verification of goods in the cart against their current price at the time of checkout.

    Heh. Personally, I think XP is a complete travesty, and I loathe it as a development paradigm - but the XP crowd does have some important lessons to teach. Specifically, careful and judicious application of YAGNI (more as a principle of avoiding excess complication than a holy mantra) and a willingness to refactor anything and everything that suggests that it needs it. I've seen a huge boost in code cleanliness in all sorts of projects when these kinds of things are applied.

    Screw XP, yes... but rejecting all the teachings of something out of hand just because the whole is stupid is not wise ;-)

    All of the good tenets of XP, such as code reviews, have already been incorporated elsewhere. Everything else, such as YAGNI, hasn't, and with good reason. YAGNI is self-existent in good design; if it wasn't in the design, then don't code it. In other words, it's been around before XP, and will continue to exist long after that travesty goes away, which we can only hope it will.
  • Dan 2005-08-10 19:23
    Well sure, you could do all that. But W(hy)TF would you expose critical data like that in the first place? The page that needs the data should get it from the app, not the request.