- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Probably easier to simply send the header or meta strings needed properly rather than resort to this sort of ugly hack.
Admin
Why didn't they use a for loop?
Admin
But that way your code is not portable in different time zones!
Admin
// add a useless comment I love the way every line of code is preceded by a useless comment. // laugh out loud lol // say what captcha was captcha=feugiat
Admin
Would it be more likely to work if multiple servers were running (ie serving up a page at the same time)?
Admin
Salt is a perfectly valid technical term in cryptography, being a random string or value added into the encryption process to obfusticate the process or the original value being encrypted. It's just an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity.
The use here is not consistent with the proper definition of salt though, so I imagine the original author got confused somewhere along.
Admin
I know another term that will act as "an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity. "
its called PEPPER
CAPTCHA : validus
Admin
perhaps he's a seasoned developer rim shot
Admin
Perhaps. But he's not worth his salt. drum solo
Admin
Now taking bets on how long it'll take for some dweeb to helpfully inform us that "PHP is the real WTF". And no, this post doesn't count.
Admin
we have a winner.
Admin
//wtf the only reason I can think of to do this was if they wrote a skeleton in comments and then added the code.
Admin
Admin
The real WTF is that a programmer would go quietly change code without enquiring why it was that way, worst case is there's no good reason and someone learns something, worst case just quietly changing it is you reintroduce a bug that someone had fixed, do that a couple times with me and you'd be getting the boot rather fast. So go learn how to work as a team.
can i have a drum roll too please?
Admin
Perhaps it is used to stop/use serverside caching?
if (not fileexists(nocache)) { //return FILE_NOT_FOUND string s = getContent() stream_to_file(nocache) }
stream_file_to_browser(cocache)
Admin
http://en.wikipedia.org/wiki/Salt_(cryptography)
Admin
The real WTF is that the code makes perfect sense to me.
Also, if you replace it with just time(), then you're not dealing with multiple requests per second. Slow site?
Admin
I think this says it all:
andAdmin
generally i use the last modified time of the file in question rather than the current time. let the browser cache it if it hasn't changed.
Admin
Seriously - this isn't any real WTF. Alot of php code does small little stupid things like this.
So, as someone mentioned above, the real wtf is nitpicking at PHP code.
Admin
Now now, don't put someone down for commenting their code, after all how would we know what was going on in this snippet without comments??
What is the last line about though?
Surely if you're generating the random code as part of the header, you're not going to need to call the function again, because you could just use the $random that is assigned there?
The real WTF is algebra...
Addendum (2008-05-12 09:09): bah... by "header" there I mean an included file before the main page source. Not anything to do with the html header
Admin
My favourite bit:
// Set i = 0 $i = 0;Admin
Of course setting the HTTP headers appropriately is the right thing to do (as Pete from Perth points out) but it's worth nothing that in some situations some browsers (MSIE and Safari in particular I've noted) cache certain GET requests regardless.
I've found this is usually when are doing something like dynamically loading content in a frame or iframe, or as the result of an AJAX GET request, and I think also possibly when bouncing the client around with HTTP redirects (for a single sign on platform).
I've used a GET request with microtime in it myself in those cases and in some instances it's all you can do. If it's just a regular website though (and not making use of Ajax or iframes in some way) then setting headers appropriately will work just fine.
For PHP, something like the following should suffice:
header("Expires: Tue, 1 Jan 2008 01:00:00 GMT"); header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0"); header("Pragma: no-cache");I think what usually happens is that a lot of people try setting one or two of the headers above notice they still don't work some of the time and give up on that approach and go straight for something like a dynamic element to the GET request when setting all the appropriate headers would suffice.
Admin
Hey! That's my code!
And it's perfectly valid. I found it in the PHP documentation, it was one of the user submitted examples. So it must be right.
Like yours is better!? What if two pages were requested at the same time? What then smartarse!?
Admin
Addendum (2008-05-12 09:24): got my quoting a bit muddled there, sorreh..
Admin
Well, the most remarkable thing about this code snippet are the comments...
Admin
However, after writing the code, the "clean" thing to do, is to remove the superfluous comments, leaving only those that describe code that is difficult to understand. That of course should be a small fraction. (But rarely is. That's a whole 'nother WTF....)
Admin
The function generates a random string that was originally intended to be used as a salt. Somebody came along later and realized that the function did exactly what they needed it to do for some other purpose, so they reused it without renaming the local variables.
Small WTF.
Admin
Ignoring your sarcasm: Even if adding a random string to the end of the url in a get variable was a good way to prevent caching, the original code was way to obscure and long winded. It would be better to allow a browser to cache the two pages served on the same second TO THE SAME CLIENT anyway. It isn't caching pages server side then throwing them out, it is using ECHO which means, if two different people access it at the same time they will get the same string but different CONTENTS, which is fine.
Admin
Actually, this code is correct. Some caching proxies are built to ignore time stamps of all formats and look for deeper changes in the page to determine whether the page should be cached or not. A random string, coupled with the appropriate headers and pragmas, is the best way to go.
Kind of lame too to unearth old code from PHP4 days, and then claim that it is wrong because it is now deprecated under PHP5. Should the developers replacing the poster in PHP6 days chuckle at this person for using code that is perfectly valid at the moment of writing ?
Admin
I am under the impression that IE does not bother to cache stuff with parameters even if they are the same. I may be wrong though and I am not sure about the other browsers.
Admin
I think we have agreement that the comments were the most WTFy part. So I fixed the comments:
<?php // Create a string-token that is // (a) impossible to predict and // (b) different for every request // Both requirements are taken more seriously than is // usual for PHP code. Instead of half-assed, this will // be done fully-assed. function make_random_code() { // The characters from which the random code is made. // The string is called $salt because I read // a cryptography book once. $salt = "abcdefghijklmnopqrstuvwxyz0123456789"; // Reinitialize the random generator every time through // because I bet it would otherwise start repeating // itself when I'm not looking. // Since srand expects an int, passing microtime() // directly would always get truncated to 0 and // that would be embarrassing. // Use double-size math because we care deeply // about the precision of our random numbers. srand((double)microtime()*1000000); // Make a random string, 7 characters long $i = 0; while ($i <= 7) { // Generate a random number suitable for indexing // $salt. Use a simple modulo because we're not // really serious about the whole random thing, // so it doesn't matter that the resulting // distribution is skewed towards 0. // Also, calling rand(0, 32) seemed too complicated. // Use modulo 33 because $salt is 36 characters // long and the numbers 7, 8 and 9 traumatized me // when I was young. $num = rand() % 33; // Extract the somewhat-randomly chosen // character from $salt. $tmp = substr($salt, $num, 1); // Building strings one character at a time // builds character. $random_code = $random_code . $tmp; $i++; } return $random_code; } // Make sure it doesn't throw an error // like the last time I edited it. // Also, it would be a pity to leave // without polluting the global namespace. $random = make_random_code(); ?>Admin
Oh, if only this were the case.
Sadly, there's always some bloody stupid browser and/or caching proxy which refuses to behave itself; this approach is sometimes necessary.
Admin
Feature this one please. Excellent and funny.
QFT
Admin
Brillant
Admin
Second that, Dark FTW!
Admin
Captch: capio. Usage: I'm gonna bust a capio haid.
Admin
I suspect this was written (at least initially) for ye olde tyme WML 1.1 browsers, none of which (except for the Openwave browsers) supported caching headers or meta tags.
If that's the case, the only problem I see with replacing the no_cache by the current time is, content sent to those old browsers was limited to 1400 bytes of compiled WML, so if this increases the size of the URL string, you lose several bytes, and with multiple links you lose a multiple.
Of course, the name of the URL attribute "no_cache", makes all that unlikely, since that alone uses up multiple bytes. Hence when I was working with WML, I had to use only single byte attribute names.
Admin
Admin
I was wondering the same thing. How many bugs did he introduce by making that change?
I'm willing to give him the benefit of the doubt though and say that his change was appropriate.
Admin
This will be the future thread on Daily Advanced WTF 2.0
... I just quitely replaced it with content.php?rnd=<?= time() ?>
Admin
that doesn't matter, it's not like you're caching webpages for me.
Admin
What's sad is that a while ago a coworker of mine did pretty much the same thing, though I'd say on a much worse scale. Here's what I managed to dig out of the repos
public static function getRandomString($length) { if($length>0) { $rand_id=""; for($i=1; $i<=$length; $i++) { mt_srand((double)microtime() * 1000000); $num = mt_rand(1,36); $rand_id .= self::_assign_rand_value($num); } } return $rand_id; } private static function _assign_rand_value($num) { // accepts 1 - 36 switch($num) { case "1": $rand_value = "a"; break; case "2": $rand_value = "b"; break; case "3": $rand_value = "c"; break; case "4": $rand_value = "d"; break; case "5": $rand_value = "e"; break; case "6": $rand_value = "f"; break; case "7": $rand_value = "g"; break; case "8": $rand_value = "h"; break; case "9": $rand_value = "i"; break; case "10": $rand_value = "j"; break; case "11": $rand_value = "k"; break; case "12": $rand_value = "l"; break; case "13": $rand_value = "m"; break; case "14": $rand_value = "n"; break; case "15": $rand_value = "o"; break; case "16": $rand_value = "p"; break; case "17": $rand_value = "q"; break; case "18": $rand_value = "r"; break; case "19": $rand_value = "s"; break; case "20": $rand_value = "t"; break; case "21": $rand_value = "u"; break; case "22": $rand_value = "v"; break; case "23": $rand_value = "w"; break; case "24": $rand_value = "x"; break; case "25": $rand_value = "y"; break; case "26": $rand_value = "z"; break; case "27": $rand_value = "0"; break; case "28": $rand_value = "1"; break; case "29": $rand_value = "2"; break; case "30": $rand_value = "3"; break; case "31": $rand_value = "4"; break; case "32": $rand_value = "5"; break; case "33": $rand_value = "6"; break; case "34": $rand_value = "7"; break; case "35": $rand_value = "8"; break; case "36": $rand_value = "9"; break; } return $rand_value; } }Admin
You SO obviously don't understand just how fucked up that code was...
Admin
Admin
Admin
You know, we shouldn't overlook it just because lots of PHP code does stupid things. Knowing the difference between stupid code and clever code is what separates us from the animals.
Admin
Coder: I don't agree that the change was appropriate; for instance, we don't know if the content.php script made use of the NoCache later in the code (I assume it didn't, but can't be sure) and the renaming of the parameter from NoCache to rnd is worthy of a quiet WTF itself; at least the old name was descriptive:
whereas future maintainers are going to look at the code and wonder why the content.php page is being passed the value of the date() function under the variable name rnd. And that's without mentioning that this is a hack relying on undefined behaviour (caching of pages which include querystrings), rather than following clearly defined standards (setting cache-control headers).The appropriate thing to do would've been to thoroughly review the codebase, check whether removing these references would have any other side effects, and then implemented the appropriate headers on the scripts (meaning you can remove this code from every page that references those scripts). But hey, this is PHP, isn't it... ;^)
Admin
Or you could just use the pragma nocache headers...
Admin
I particularly love it when programmers include such useless comments rather than tell me what I really want to know. One of my favorites was:
Like, wow, thanks for that helpful comment telling me that "+" means to add. They never taught me about that subtle and rarely used feature of C in college.
But it would have been nice if you could have given me a hint what "n2" and "n5" hold. I managed to guess that "totchg" had something to do with "total charge" to a customer, but even that was obscure, as the program also had a variable named "chgtot" that was apparently something different.