• Mike Caron (unregistered)

    Frast!!!one

    Also, this clearly isn't a WTF. PHP runs on the server, and is guaranteed to run, while Javascript may be disabled in the client. Duh!

  • mekansm (unregistered)

    frist.Random()

  • Frist (unregistered)

    Not much of a WTF if they were trying to avoid JavaScript.

  • modem1975 (unregistered)

    <respectdemand>FRIST!</respectdemand>

    <sarcasm>And it is obvious to any code monkey that SERVER-SIDE randomness was key to this application's security</sarcasm>

    <trollevasion>I'm well aware that whether the PHP or the javascript picks a random number would not change security aspects of this particular app.</trollevasion>

  • Engival (unregistered)

    They were obviously just worried about client side performance. They're doing a nice thing offloading some of the intensive calculations to a dedicated server farm.

  • Dave (unregistered) in reply to Mike Caron
    Mike Caron:
    Frast!!!one

    Also, this clearly isn't a WTF. PHP runs on the server, and is guaranteed to run, while Javascript may be disabled in the client. Duh!

    Except the only line of PHP was to generate JavaScript code. Which wouldn't run anyway.

  • JonsJava (unregistered) in reply to mekansm
    mekansm:
    frist.Random()
    while ($user = "mekansm"){ echo "Fial\n"; } Captcha: valetudo Can you use that in a setence?
  • (cs) in reply to Frist

    You are joking right? The flash object is created using javascript.

  • Demoli (unregistered)

    If they cared if the user had JS disabled or if they were trying to avoid JS they probably wouldn't be using the SwfObject plugin in the first place

  • dotdotdot (unregistered)

    Did anyone else read thedailyswf?

  • Flaming Foobar (unregistered)

    The real WTF is that they're using random numbers to force reload. You should use a timestamp instead, like this:

    var t = Date(); var url = "file.swf?t="+foo.getTime();

  • Flaming Foobar (unregistered) in reply to Flaming Foobar
    Flaming Foobar:
    var t = Date(); var url = "file.swf?t="+t.getTime();

    Fixed my own wtf.

  • (cs) in reply to JonsJava
    JonsJava:
    Captcha: valetudo Can you use that in a setence?

    Angit me Fanniae valetudo.

  • (cs)

    This must be similar to TDWTF's typo.rand() function.

  • Captain Obvious (unregistered)

    This may not be obvious to all, but I'd imagine using PHP instead of JS would have only 1 plausible effect.

    Caching.

    Instead of the flash url being random for every page load, it would only change between non-cached page loads.

    IE: You could adjust the cache time of the video by adjusting the cache time for the page it was referred from.

    Of course, you could just adjust the cache time of the video, but having them bound together plausibly has use.

    But I'd probably want the code to be a bit more intent-oriented to explain that is what they wanted from it.

  • You didn't see me right (unregistered)

    in b4 "all PHP devs are retards" or "this is why I wouldn't use PHP to put out my own mother if she was on fire"

  • Drew** (unregistered)

    This is pretty tame by WTF standards. Where's the ridiculously horrible code that makes me want to impale my face on the nearest pike?

  • Patrick (unregistered)

    Thank you, Captain Obvious... no sarcasm intended... Indeed, clicking Refresh or Back or Forward would result in the same page with the same flash object until the cache expires, whereas including the random function in the javascript would change it. Sometimes it's frustrating to say to someone "take a look at this funny video!" only to find that it's been replaced by someone throwing a puppy off a balcony.

  • Anonymous (unregistered)

    Well it's pretty stupid but it's hardly outrageous. I would imagine the reason behind this is because PHP's rand() function takes two parameters to specify min and max bounds. The coder has used these to produce a random number between 100 and 999. Javascript's Math.Random() function takes no arguments and always returns a number between 0 and 1. Sure, it wouldn't be hard to convert this to the desired representation but by sending it off to PHP's rand() function he has saved himself a few extra lines of numeric conversion. The guy is clearly a bit lazy but he's not up (down?) to the standard of most WTF coders.

  • Patrick (unregistered) in reply to Drew**
    Drew**:
    This is pretty tame by WTF standards. Where's the ridiculously horrible code that makes me want to impale my face on the nearest pike?
    It doesn't have to be ridiculously horrible code, but you have to admit, when you find a single script among a sea of static pages with only one function call in it that the page content could have done... what more could you say?
  • Ken B (unregistered) in reply to Demoli
    Demoli:
    If they cared if the user had JS disabled or if they were trying to avoid JS they probably wouldn't be using the SwfObject plugin in the first place
    But they do care. That why they also use the javascriptEnabled() function.
  • thinice (unregistered)

    And? This ruffles your feathers?

  • SR ** (unregistered) in reply to Patrick
    Patrick:
    Sometimes it's frustrating to say to someone "take a look at this funny video!" only to find that it's been replaced by someone throwing a puppy off a balcony.

    Ah puppyrolling. It's my favourite thing after cheese.

  • camillo (unregistered)

    somewhow the best "wtf?" in months

  • Ethan (unregistered)

    Avoiding Javascript is a pretty normal behavior, but a Flash file that can't produce a random number on its own?

  • elektronaut (unregistered)

    Not to mention the fact that Flash has Math.random built in.

  • Steenbergh (unregistered)

    Well, if this 'abomination' </sarcasm> passes for a WTF these days, those 'Bad Code Allotments' we saw advertised some days ago might not be neccessary anymore. The bug-free era of coding is dawning...

  • (cs) in reply to Frist
    Frist:
    Not much of a WTF if they were trying to avoid JavaScript.
    Uh you didn't read the code did you? The php code IS IN THE JAVASCRIPT, not embedded within the html.
  • The version I wanted to see (unregistered)

    What about the ayn.rand() function? It would randomly pick from words like "free", "market", "capitalism" and so forth.

  • virgil (unregistered)

    You obviously have no understanding of the small details of web programming. If that page was loaded from the website, the SWF received a different parameter each time - and thus would behave differently each time.

    On the other hand, if someone saved a local copy of the site (e.g. using wget), the SWF would receive the same parameter each time, thus behaving identically each time.

    I bet that was the real reason for using php's rand() instead of JavaScript's Math.random(). That guy was simply too smart for you :D

  • Iie (unregistered) in reply to Flaming Foobar
    Flaming Foobar:
    The real WTF is that they're using random numbers to force reload.

    Isn't that what all the cache related HTTP headers are for? Appending a random number is a dirty hack to something that already has an elegant solution.

  • justsomedude (unregistered) in reply to virgil
    virgil:
    I bet that was the real reason for using php's rand() instead of JavaScript's Math.random(). That guy was simply too smart for you :D

    I was thinking the same thing, you beat me to it. Touché, good sir.

  • Ken B (unregistered) in reply to The version I wanted to see
    The version I wanted to see:
    What about the ayn.rand() function? It would randomly pick from words like "free", "market", "capitalism" and so forth.
    FTW!
  • Zapp Brannigan (unregistered) in reply to The version I wanted to see
    The version I wanted to see:
    What about the ayn.rand() function? It would randomly pick from words like "free", "market", "capitalism" and so forth.
    The ayn.rand() function has been depreciated since the election.
  • Nick (unregistered) in reply to Anonymous
    Anonymous:
    Well it's pretty stupid but it's hardly outrageous. I would imagine the reason behind this is because PHP's rand() function takes two parameters to specify min and max bounds. The coder has used these to produce a random number between 100 and 999. Javascript's Math.Random() function takes no arguments and always returns a number between 0 and 1. Sure, it wouldn't be hard to convert this to the desired representation but by sending it off to PHP's rand() function he has saved himself a few extra lines of numeric conversion. The guy is clearly a bit lazy but he's not up (down?) to the standard of most WTF coders.

    So, 0.5?

  • Tiago "pacman" Peczenyj (unregistered) in reply to DOA

    function myRandom(){ return 9; }

  • Bim Job (unregistered) in reply to derula
    derula:
    JonsJava:
    Captcha: valetudo Can you use that in a setence?

    Angit me Fanniae valetudo.

    This is a brillant advance on traditional captcha implementation: rather like replacing passwords with pass phrases.

    No more wobbly letters in strange fonts. No more weird lines, flashing backgrounds, and consequent epileptic fits.

    In theory, no more random dismissals by TDWTF, even when you get the captcha right (although I wouldn't bank on this).

    Security through antiquity! Requiring the poster to form a correct sentence around the captcha is bot-tastic!

    What's even better is that you can choose the corpus for your captchas in order to filter through only the finest dew-picked appropriate comments. High-class sites like this obviously require Latin. Many technical blogs can probably get by with remedial English. Those devoted to sports fans need little more than baby talk.

    It's the wave of the future.

    Contraxit hanc dum assidet Iuniae. (Otherwise, by my own rules, I wouldn't be allowed to respond.)

  • You didn't see me right (unregistered) in reply to Iie
    Iie:
    Flaming Foobar:
    The real WTF is that they're using random numbers to force reload.

    Isn't that what all the cache related HTTP headers are for? Appending a random number is a dirty hack to something that already has an elegant solution.

    Sadly some poorly written web caches (some ISP ones spring to mind) choose to ignore those headers and instead rely on the GET string. This means the insertion of a timestamp or unique-enough string of some kind into the URL for every call is necessary as well as passing those headers.

  • SR ** (unregistered) in reply to Tiago "pacman" Peczenyj
    Tiago "pacman" Peczenyj:
    function myRandom(){ return 85; }

    FTFY

    2nd attempt, now a spam filter nag?

  • Anonymous (unregistered) in reply to virgil
    virgil:
    If that page was loaded from the website, the SWF received a different parameter each time - and thus would behave differently each time.

    On the other hand, if someone saved a local copy of the site (e.g. using wget), the SWF would receive the same parameter each time, thus behaving identically each time.

    I bet that was the real reason for using php's rand() instead of JavaScript's Math.random(). That guy was simply too smart for you :D

    I don't see how this achieves anything. If you grab your own local copy of the SWF (via wget or any other mechanism), you can easily chuck any random number at it you like. You can spawn it however you like and pass in any params you want. The fact that the PHP call within this particular page will no longer work if copied locally is completely irrelevant to one's ability to load the SWF with some parameter. This won't protect anything from anyone and I fail to see why you assume this is what the coder intended.

  • Anonymous Cow-Herd (unregistered) in reply to virgil
    virgil:
    You obviously have no understanding of the small details of web programming. If that page was loaded from the website, the SWF received a different parameter each time - and thus would behave differently each time.

    On the other hand, if someone saved a local copy of the site (e.g. using wget), the SWF would receive the same parameter each time, thus behaving identically each time.

    ActionScript === JavaScript. They could have sent the same SWF each time and generated Math.random from within the Flash object

  • Chris (unregistered)

    Or ActionScript's random function..

  • SCB (unregistered) in reply to Tiago "pacman" Peczenyj
    Tiago "pacman" Peczenyj:
    function myRandom(){ return 9; }
    I feel an XKCD reference coming on... Something about dice... Must... resist...
  • Anonymous Organ Donor (unregistered) in reply to Bim Job
    Bim Job:
    derula:
    JonsJava:
    Captcha: valetudo Can you use that in a setence?

    Angit me Fanniae valetudo.

    This is a brillant advance on traditional captcha implementation: rather like replacing passwords with pass phrases.

    No more wobbly letters in strange fonts. No more weird lines, flashing backgrounds, and consequent epileptic fits.

    In theory, no more random dismissals by TDWTF, even when you get the captcha right (although I wouldn't bank on this).

    Security through antiquity! Requiring the poster to form a correct sentence around the captcha is bot-tastic!

    What's even better is that you can choose the corpus for your captchas in order to filter through only the finest dew-picked appropriate comments. High-class sites like this obviously require Latin. Many technical blogs can probably get by with remedial English. Those devoted to sports fans need little more than baby talk.

    It's the wave of the future.

    Contraxit hanc dum assidet Iuniae. (Otherwise, by my own rules, I wouldn't be allowed to respond.)

    Have you actually READ what most people are capable of writing? "Hai, u r gud pursen, u wan b mi frend?" Some people, educated (??) people, have a bare grasp of the english language, and you expect them to know LATIN?!

    By your rules, and my idiocy: "Tego" is the captcha I received, and it is the first word in this sentence.

  • (cs) in reply to Anonymous
    Anonymous:
    Well it's pretty stupid but it's hardly outrageous. I would imagine the reason behind this is because PHP's rand() function takes two parameters to specify min and max bounds. The coder has used these to produce a random number between 100 and 999. Javascript's Math.Random() function takes no arguments and always returns a number between 0 and 1. Sure, it wouldn't be hard to convert this to the desired representation but by sending it off to PHP's rand() function he has saved himself a few extra lines of numeric conversion. The guy is clearly a bit lazy but he's not up (down?) to the standard of most WTF coders.

    Math.Random() * 899 + 100

  • (cs) in reply to virgil

    It's not a parameter for the .swf file, it's just to make sure that your browser always downloads the latest version.

  • David (unregistered)

    In fact, it's only using the random number as a parameter for the SWF file. Wouldn't be even easier to use ActionScript's Math.random()???

    It's a double WTF!

  • (cs) in reply to Anonymous
    Anonymous:
    Well it's pretty stupid but it's hardly outrageous. I would imagine the reason behind this is because PHP's rand() function takes two parameters to specify min and max bounds. The coder has used these to produce a random number between 100 and 999. Javascript's Math.Random() function takes no arguments and always returns a number between 0 and 1. Sure, it wouldn't be hard to convert this to the desired representation but by sending it off to PHP's rand() function he has saved himself a few extra lines of numeric conversion. The guy is clearly a bit lazy but he's not up (down?) to the standard of most WTF coders.

    In the interests of preventing caching there is no difference whether the query parameter is 386 or 0.3861531158954592. This parameter does not contain any useful information by itself, its only purpose is to generate unique URLs.

  • Anonymous (unregistered) in reply to XIU
    XIU:
    Anonymous:
    Well it's pretty stupid but it's hardly outrageous. I would imagine the reason behind this is because PHP's rand() function takes two parameters to specify min and max bounds. The coder has used these to produce a random number between 100 and 999. Javascript's Math.Random() function takes no arguments and always returns a number between 0 and 1. Sure, it wouldn't be hard to convert this to the desired representation but by sending it off to PHP's rand() function he has saved himself a few extra lines of numeric conversion. The guy is clearly a bit lazy but he's not up (down?) to the standard of most WTF coders.

    Math.Random() * 899 + 100

    We didn't really need a solution to this trivial problem but it's quite funny that you've actually managed to get it wrong. The SWF expects an integer between 100 and 999. Your solution will return a float instead of an int. For example, Javascript's random function could return 0.00001. Your code above would result in 0.00001 * 899 + 100 = 100.00899. That's no good I'm afraid, probably why the original coder used PHP! If you're looking for a hint, check out the Math.floor() function.

  • Anonymous (unregistered) in reply to SlyEcho
    SlyEcho:
    In the interests of preventing caching there is no difference whether the query parameter is 386 or 0.3861531158954592. This parameter does not contain any useful information by itself, its only purpose is to generate unique URLs.
    You are making an assumption here; you don't actually know that is what the random number is for. For all you know, the random number is a seed for the SWF to use. Either way, the SWF expects an integer so you can't just chuck a float at it.

Leave a comment on “A Random PHP Script”

Log In or post as a guest

Replying to comment #:

« Return to Article