Jan Krüger shares with us the unique EnterFlag Technology that he came across recently ...

"We all know it is very difficult to validate user input on web pages. Specifically, a problem that has been baffling scientists for years is finding out whether the input form on the page to be displayed was submitted in the current request. Luckily, this problem is now solved once and for all, thanks to a colleague of mine, who was tasked with preventing the form validation code from showing error messages when the form was not even submitted yet.

"The following piece of code handles submissions. 

  foreach ($cfg_template as $field => $required) {
    $this->values[$field] = $_POST[$field];
    if (!$this->values[$field] && $required) {
      $valid = false;
      // If the user is coming from the welcome page, 
      // do not complain about missing fields.
      if ($this->firstEnterFlagExists())
        $msgHandler->addMsg("config_edit.no_$field", RESULT_NEG);
    }
  }

  // Set Flag
  $this->constructFirstEnterFlagFile();

"After that, the form is either processed or displayed, depending on whether the input data is correct. Now let's look at the code that deals with the ominous EnterFlag. 

  function firstEnterFlagExists()
  {
    return file_exists($this->flagPath);
  }

  function constructFirstEnterFlagFile()
  {
    if ($fd = @fopen($this->flagPath, 'a')) {
      fwrite($fd, "Dummy");
      fclose($fd);
      return true;
    } else {
      return false;
    }
  }

"Naturally, $this->flagPath points to a location that is not generally writable by the web server. It worked fine on the developer's Windows computer, though, and to prove it, the EnterFlagFile is forever kept on the disk for future generations to admire.

"The EnterFlag technology was recently replaced with a rather uncreative isset($_POST['submit']).

[Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!