Ben recently inherited a massive PHP-based project that makes spaghetti-code look appetizing.
What's so impressive about this system is not the globally misspelled variables or the horribly written constructs, but the downright creative ways in which logic is implemented. Like this unique glued-together mess of PHP/Javascript used for user-name validation:
<? $SQL=mysql_query("SELECT * FROM users"); $total=mysql_num_rows($SQL); $i=0; while($validate=mysql_fetch_array($SQL)) { $used[$i]=$validate[user_name]; $i++; } ?> if (<?for($x=0;$x<count($used);$x++) { echo "theForm.user.value==\"$used[$x]\""; if($x<($total-1)) echo " ||"; }?>) { alert("Username has been already registered, please enter a different username."); theForm.user.focus(); theForm.user.value=""; return (false); } }
As for what this combination of PHP and JavaScript produces, it's nothing other than a gigantic, 2000+ line if()
statement that checks against every single user in the database.
if (theForm.user.value=="admin" ||theForm.user.value=="sjenkins" ||theForm.user.value=="mdavis" ||theForm.user.value=="gbivins" ... MASSIVE SNIP ... )
Naturally, if you turned off JavaScript, you could register a duplicate name. Though, from a security standpoint, it's not really that big of a deal, as entering a password of ' OR ''='
would log you in as the first user in the database (admin), anyway.