• Pete from Perth (unregistered)

    Probably easier to simply send the header or meta strings needed properly rather than resort to this sort of ugly hack.

  • (cs)

    Why didn't they use a for loop?

  • (cs)
    I just quitely replaced it with content.php?rnd=<?php echo time(); ?>.

    But that way your code is not portable in different time zones!

  • Andrew (unregistered)

    // add a useless comment I love the way every line of code is preceded by a useless comment. // laugh out loud lol // say what captcha was captcha=feugiat

  • Dave (unregistered) in reply to Stilgar
    Stilgar:
    I just quitely replaced it with content.php?rnd=<?php echo time(); ?>.

    But that way your code is not portable in different time zones!

    Would it be more likely to work if multiple servers were running (ie serving up a page at the same time)?

  • Mork (unregistered)

    Salt is a perfectly valid technical term in cryptography, being a random string or value added into the encryption process to obfusticate the process or the original value being encrypted. It's just an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity.

    The use here is not consistent with the proper definition of salt though, so I imagine the original author got confused somewhere along.

  • http://jobs.thinkaloud.in (unregistered)

    I know another term that will act as "an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity. "

    its called PEPPER

    CAPTCHA : validus

  • Andrew (unregistered) in reply to Mork

    perhaps he's a seasoned developer rim shot

  • (cs)

    Perhaps. But he's not worth his salt. drum solo

  • (cs)

    Now taking bets on how long it'll take for some dweeb to helpfully inform us that "PHP is the real WTF". And no, this post doesn't count.

  • Mork (unregistered) in reply to Erick

    we have a winner.

  • anon (unregistered) in reply to Andrew

    //wtf the only reason I can think of to do this was if they wrote a skeleton in comments and then added the code.

  • (cs) in reply to Mork
    Mork:
    Salt is a perfectly valid technical term in cryptography, being a random string or value added into the encryption process to obfusticate the process or the original value being encrypted. It's just an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity.
    Actually, when hashing passwords, adding a salt will prevent people from just looking up the hash in their precomputed hash database.
  • Bob Marley (unregistered)

    The real WTF is that a programmer would go quietly change code without enquiring why it was that way, worst case is there's no good reason and someone learns something, worst case just quietly changing it is you reintroduce a bug that someone had fixed, do that a couple times with me and you'd be getting the boot rather fast. So go learn how to work as a team.

    can i have a drum roll too please?

  • Broken sarcasm-detector-detector (unregistered)

    Perhaps it is used to stop/use serverside caching?

    if (not fileexists(nocache)) { //return FILE_NOT_FOUND string s = getContent() stream_to_file(nocache) }

    stream_file_to_browser(cocache)

  • byron (unregistered) in reply to gerard_
  • Dark (unregistered)

    The real WTF is that the code makes perfect sense to me.

    Also, if you replace it with just time(), then you're not dealing with multiple requests per second. Slow site?

  • illum (unregistered)

    I think this says it all:

    Italian Proverb:
    Give neither counsel nor salt till you are asked for it
    and
    Stephen King:
    Talent is cheaper than salt. What separates the talented individual from the successful one is a lot of hard work.
  • byron (unregistered)

    generally i use the last modified time of the file in question rather than the current time. let the browser cache it if it hasn't changed.

  • I walked the dinosaur (unregistered)

    Seriously - this isn't any real WTF. Alot of php code does small little stupid things like this.

    So, as someone mentioned above, the real wtf is nitpicking at PHP code.

  • (cs)

    Now now, don't put someone down for commenting their code, after all how would we know what was going on in this snippet without comments??

    	// Set i = 0
    	$i = 0;
    

    What is the last line about though?

    	// Call the function to generate a random code
    	$random = make_random_code();
    

    Surely if you're generating the random code as part of the header, you're not going to need to call the function again, because you could just use the $random that is assigned there?

    The real WTF is algebra...

    Addendum (2008-05-12 09:09): bah... by "header" there I mean an included file before the main page source. Not anything to do with the html header

  • (cs)

    My favourite bit:

          // Set i = 0
          $i = 0;
  • Iain Collins (unregistered) in reply to Pete from Perth

    Of course setting the HTTP headers appropriately is the right thing to do (as Pete from Perth points out) but it's worth nothing that in some situations some browsers (MSIE and Safari in particular I've noted) cache certain GET requests regardless.

    I've found this is usually when are doing something like dynamically loading content in a frame or iframe, or as the result of an AJAX GET request, and I think also possibly when bouncing the client around with HTTP redirects (for a single sign on platform).

    I've used a GET request with microtime in it myself in those cases and in some instances it's all you can do. If it's just a regular website though (and not making use of Ajax or iframes in some way) then setting headers appropriately will work just fine.

    For PHP, something like the following should suffice:

    header("Expires: Tue, 1 Jan 2008 01:00:00 GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
    header("Pragma: no-cache");
    

    I think what usually happens is that a lot of people try setting one or two of the headers above notice they still don't work some of the time and give up on that approach and go straight for something like a dynamic element to the GET request when setting all the appropriate headers would suffice.

  • Derek (unregistered)

    Hey! That's my code!

    And it's perfectly valid. I found it in the PHP documentation, it was one of the user submitted examples. So it must be right.

    Like yours is better!? What if two pages were requested at the same time? What then smartarse!?

  • (cs) in reply to Iain Collins
    Iain Collins:
    header("Pragma: no-cache");
    
    As Pete from Perth's link also points out, pragma=no-cache is being deprecated (I read to the end wondering why they didn't use it)

    Addendum (2008-05-12 09:24): got my quoting a bit muddled there, sorreh..

  • Álvaro Lopes (unregistered)

    Well, the most remarkable thing about this code snippet are the comments...

  • (cs) in reply to anon
    anon:
    the only reason I can think of to do this was if they wrote a skeleton in comments and then added the code.
    I often do that. It helps me plan out how to implement a function. Think of it as ultra-low-level design.

    However, after writing the code, the "clean" thing to do, is to remove the superfluous comments, leaving only those that describe code that is difficult to understand. That of course should be a small fraction. (But rarely is. That's a whole 'nother WTF....)

  • (cs) in reply to Mork
    Mork:
    Salt is a perfectly valid technical term in cryptography, being a random string or value added into the encryption process to obfusticate the process or the original value being encrypted. It's just an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity.

    The use here is not consistent with the proper definition of salt though, so I imagine the original author got confused somewhere along.

    The function generates a random string that was originally intended to be used as a salt. Somebody came along later and realized that the function did exactly what they needed it to do for some other purpose, so they reused it without renaming the local variables.

    Small WTF.

  • (cs) in reply to Derek
    Derek:
    Hey! That's my code!

    And it's perfectly valid. I found it in the PHP documentation, it was one of the user submitted examples. So it must be right.

    Like yours is better!? What if two pages were requested at the same time? What then smartarse!?

    Ignoring your sarcasm: Even if adding a random string to the end of the url in a get variable was a good way to prevent caching, the original code was way to obscure and long winded. It would be better to allow a browser to cache the two pages served on the same second TO THE SAME CLIENT anyway. It isn't caching pages server side then throwing them out, it is using ECHO which means, if two different people access it at the same time they will get the same string but different CONTENTS, which is fine.

  • Procedural (unregistered)

    Actually, this code is correct. Some caching proxies are built to ignore time stamps of all formats and look for deeper changes in the page to determine whether the page should be cached or not. A random string, coupled with the appropriate headers and pragmas, is the best way to go.

    Kind of lame too to unearth old code from PHP4 days, and then claim that it is wrong because it is now deprecated under PHP5. Should the developers replacing the poster in PHP6 days chuckle at this person for using code that is perfectly valid at the moment of writing ?

  • (cs)

    I am under the impression that IE does not bother to cache stuff with parameters even if they are the same. I may be wrong though and I am not sure about the other browsers.

  • Dark (unregistered)

    I think we have agreement that the comments were the most WTFy part. So I fixed the comments:

    <?php
       // Create a string-token that is
       // (a) impossible to predict and
       // (b) different for every request 
       // Both requirements are taken more seriously than is
       // usual for PHP code. Instead of half-assed, this will
       // be done fully-assed.
       function make_random_code() {
          // The characters from which the random code is made.
          // The string is called $salt because I read
          // a cryptography book once.
          $salt = "abcdefghijklmnopqrstuvwxyz0123456789";
          // Reinitialize the random generator every time through
          // because I bet it would otherwise start repeating
          // itself when I'm not looking.
          // Since srand expects an int, passing microtime()
          // directly would always get truncated to 0 and
          // that would be embarrassing.
          // Use double-size math because we care deeply
          // about the precision of our random numbers.
          srand((double)microtime()*1000000);
    
          // Make a random string, 7 characters long
          $i = 0;
          while ($i <= 7) {
             // Generate a random number suitable for indexing
             // $salt. Use a simple modulo because we're not
             // really serious about the whole random thing,
             // so it doesn't matter that the resulting
             // distribution is skewed towards 0.
             // Also, calling rand(0, 32) seemed too complicated.
             // Use modulo 33 because $salt is 36 characters
             // long and the numbers 7, 8 and 9 traumatized me
             // when I was young.
             $num = rand() % 33;
             // Extract the somewhat-randomly chosen
             // character from $salt.
             $tmp = substr($salt, $num, 1);
             // Building strings one character at a time
             // builds character.
             $random_code = $random_code . $tmp;
             $i++;
          }
          return $random_code;
       }
    
       // Make sure it doesn't throw an error
       // like the last time I edited it.
       // Also, it would be a pity to leave
       // without polluting the global namespace.
       $random = make_random_code();
    ?>
    
    
  • Robert Synnott (unregistered) in reply to Pete from Perth
    Pete from Perth:
    Probably easier to simply send the header or meta strings needed properly rather than resort to this sort of ugly hack.

    Oh, if only this were the case.

    Sadly, there's always some bloody stupid browser and/or caching proxy which refuses to behave itself; this approach is sometimes necessary.

  • Joe (unregistered) in reply to Dark

    Feature this one please. Excellent and funny.

    Dark:
    I think we have agreement that the comments were the most WTFy part. So I fixed the comments:
    <?php
       // Create a string-token that is
       // (a) impossible to predict and
       // (b) different for every request 
       // Both requirements are taken more seriously than is
       // usual for PHP code. Instead of half-assed, this will
       // be done fully-assed.
      ...[snipped a bunch of funny comments]...
       // Make sure it doesn't throw an error
       // like the last time I edited it.
       // Also, it would be a pity to leave
       // without polluting the global namespace.
       $random = make_random_code();
    ?>
    

    QFT

  • The real wtf fool (unregistered) in reply to Dark
    Dark:
    I think we have agreement that the comments were the most WTFy part. So I fixed the comments:
    <?php
       // Create a string-token that is
       // (a) impossible to predict and
       // (b) different for every request 
       // Both requirements are taken more seriously than is
       // usual for PHP code. Instead of half-assed, this will
       // be done fully-assed.
    </pre>

    Brillant

  • Rob (unregistered) in reply to Joe

    Second that, Dark FTW!

    Joe:
    Feature this one please. Excellent and funny.
    Dark:
    I think we have agreement that the comments were the most WTFy part. So I fixed the comments:
    <?php
       // Create a string-token that is
       // (a) impossible to predict and
       // (b) different for every request 
       // Both requirements are taken more seriously than is
       // usual for PHP code. Instead of half-assed, this will
       // be done fully-assed.
      ...[snipped a bunch of funny comments]...
       // Make sure it doesn't throw an error
       // like the last time I edited it.
       // Also, it would be a pity to leave
       // without polluting the global namespace.
       $random = make_random_code();
    ?>
    

    QFT

  • Thunder (unregistered) in reply to gerard_
    gerard_:
    Mork:
    Salt is a perfectly valid technical term in cryptography, being a random string or value added into the encryption process to obfusticate the process or the original value being encrypted. It's just an extra obstacle for people trying to recover the original value, though it does smell a little of security through obscurity.
    Actually, when hashing passwords, adding a salt will prevent people from just looking up the hash in their precomputed hash database.
    Erm... it helps to read what people write before commenting. For example, that's what OP said, though with many more words.

    Captch: capio. Usage: I'm gonna bust a capio haid.

  • Paul (unregistered) in reply to Pete from Perth

    I suspect this was written (at least initially) for ye olde tyme WML 1.1 browsers, none of which (except for the Openwave browsers) supported caching headers or meta tags.

    If that's the case, the only problem I see with replacing the no_cache by the current time is, content sent to those old browsers was limited to 1400 bytes of compiled WML, so if this increases the size of the URL string, you lose several bytes, and with multiple links you lose a multiple.

    Of course, the name of the URL attribute "no_cache", makes all that unlikely, since that alone uses up multiple bytes. Hence when I was working with WML, I had to use only single byte attribute names.

  • (cs) in reply to byron
    byron:
    generally i use the last modified time of the file in question rather than the current time. let the browser cache it if it hasn't changed.
    Ah, you're one of those people who like it when dynamically generated content gets cached client-side! Given this is php I'm guessing that the content changes far more often than the script get edited.
    Iain Collins:
    For PHP, something like the following should suffice:
    header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
    Thank you for pre-emptively answering the question "Doesn't PHP have some method of setting cache-control dynamically for pages that you don't want caching?".
    Robert Synnott:
    Sadly, there's always some bloody stupid browser and/or caching proxy which refuses to behave itself; this approach is sometimes necessary.
    OK, some user agents / caching servers may ignore the headers, but given that it's an HTTP 1.1 standard maybe those programs need taking out and shooting?
    Iain Collins:
    ... in some situations some browsers (MSIE and Safari in particular I've noted) cache certain GET requests ... usually when ... dynamically loading content in a frame or iframe, or as the result of an AJAX GET request ...
    It would be hackish and childish of me to say that TRWTF is MSIE, so I won't (honest guv). The only problem I had with unwanted caching in IE was in a dynamic javascript I was loading into a page via DOM (yes, it's a cheap hackish way of doing AJAX without the AX!) - and setting cache-control to no-cache worked fine for me...
  • SomeCoder (unregistered) in reply to Bob Marley
    Bob Marley:
    The real WTF is that a programmer would go quietly change code without enquiring why it was that way, worst case is there's no good reason and someone learns something, worst case just quietly changing it is you reintroduce a bug that someone had fixed, do that a couple times with me and you'd be getting the boot rather fast. So go learn how to work as a team.

    can i have a drum roll too please?

    I was wondering the same thing. How many bugs did he introduce by making that change?

    I'm willing to give him the benefit of the doubt though and say that his change was appropriate.

  • Martin (unregistered) in reply to Stilgar
    I just quitely replaced it with content.php?rnd=<?php echo time(); ?>.

    This will be the future thread on Daily Advanced WTF 2.0

    ... I just quitely replaced it with content.php?rnd=<?= time() ?>

  • Boner (unregistered) in reply to Dark
    Dark:
    The real WTF is that the code makes perfect sense to me.

    Also, if you replace it with just time(), then you're not dealing with multiple requests per second. Slow site?

    that doesn't matter, it's not like you're caching webpages for me.

  • (cs)

    What's sad is that a while ago a coworker of mine did pretty much the same thing, though I'd say on a much worse scale. Here's what I managed to dig out of the repos

    public static function getRandomString($length)
            {
                    if($length>0) 
                    { 
                      $rand_id="";
                       for($i=1; $i<=$length; $i++)
                       {
                         mt_srand((double)microtime() * 1000000);
                         $num = mt_rand(1,36);
                         $rand_id .= self::_assign_rand_value($num);
                       }
                    }
             
                    return $rand_id;
            }
    
            private static function _assign_rand_value($num)
            {
              // accepts 1 - 36
                    switch($num)
                    {
                            case "1":
                             $rand_value = "a";
                            break;
                            case "2":
                             $rand_value = "b";
                            break;
                            case "3":
                             $rand_value = "c";
                            break;
                            case "4":
                             $rand_value = "d";
                            break;
                            case "5":
                             $rand_value = "e";
                            break;
                            case "6":
                             $rand_value = "f";
                            break;
                            case "7":
                             $rand_value = "g";
                            break;
                            case "8":
                             $rand_value = "h";
                            break;
                            case "9":
                             $rand_value = "i";
                            break;
                            case "10":
                             $rand_value = "j";
                            break;
                            case "11":
                             $rand_value = "k";
                            break;
                            case "12":
                             $rand_value = "l";
                            break;
                            case "13":
                             $rand_value = "m";
                            break;
                            case "14":
                             $rand_value = "n";
                            break;
                            case "15":
                             $rand_value = "o";
                            break;
                            case "16":
                             $rand_value = "p";
                            break;
                            case "17":
                             $rand_value = "q";
                            break;
                            case "18":
                             $rand_value = "r";
                            break;
                            case "19":
                             $rand_value = "s";
                            break;
                            case "20":
                             $rand_value = "t";
                            break;
                            case "21":
                             $rand_value = "u";
                            break;
                            case "22":
                             $rand_value = "v";
                            break;
                            case "23":
                             $rand_value = "w";
                            break;
                            case "24":
                             $rand_value = "x";
                            break;
                            case "25":
                             $rand_value = "y";
                            break;
                            case "26":
                             $rand_value = "z";
                            break;
                            case "27":
                             $rand_value = "0";
                            break;
                            case "28":
                             $rand_value = "1";
                            break;
                            case "29":
                             $rand_value = "2";
                            break;
                            case "30":
                             $rand_value = "3";
                            break;
                            case "31":
                             $rand_value = "4";
                            break;
                            case "32":
                             $rand_value = "5";
                            break;
                            case "33":
                             $rand_value = "6";
                            break;
                            case "34":
                             $rand_value = "7";
                            break;
                            case "35":
                             $rand_value = "8";
                            break;
                            case "36":
                             $rand_value = "9";
                            break;
                    }
              return $rand_value;
            }
    }
    
  • me (unregistered) in reply to Bob Marley
    Bob Marley:
    The real WTF is that a programmer would go quietly change code without enquiring why it was that way, worst case is there's no good reason and someone learns something, worst case just quietly changing it is you reintroduce a bug that someone had fixed, do that a couple times with me and you'd be getting the boot rather fast. So go learn how to work as a team.

    You SO obviously don't understand just how fucked up that code was...

  • me (unregistered)
    I just quitely replaced it with content.php?rnd=<?php echo time(); ?>.
    Thus demonstrating that you have no more clue than the author of that abomination. I don't say that everybody has to know about how to control caches in HTTP (although not knowing HTTP basics speaks volumes about your competency as web apps developer, even a newbie should study it a bit), but any programmer worth being called that should immediately realize that this problem must be common and there's almost certainly a proper solution to it that they should use instead of ugly hacks like adding time() to URL.
  • (cs)
    Mork:
    Salt is...a random string or value added into the encryption process to obfusticate the process or the original value being encrypted.
    Andrew:
    perhaps he's a seasoned developer *rim shot*
    Erick:
    Perhaps. But he's not worth his salt. *drum solo*
    These are all tasteless comments.
    Jesus (Matthew 5:13):
    You are the salt of the earth; but if the salt has become tasteless, how can it be made salty again? It is no longer good for anything, except to be thrown out and trampled under foot by men.
    *Bongos, congas, shakers, rattles and a marimba*
  • captcha: quis (unregistered) in reply to I walked the dinosaur
    I walked the dinosaur:
    Seriously - this isn't any real WTF. Alot of php code does small little stupid things like this.

    So, as someone mentioned above, the real wtf is nitpicking at PHP code.

    You know, we shouldn't overlook it just because lots of PHP code does stupid things. Knowing the difference between stupid code and clever code is what separates us from the animals.

  • (cs) in reply to SomeCoder
    SomeCoder:
    Bob Marley:
    The real WTF is that a programmer would go quietly change code without enquiring why it was that way.

    can i have a drum roll too please?

    I was wondering the same thing. How many bugs did he introduce by making that change?

    I'm willing to give him the benefit of the doubt though and say that his change was appropriate.

    Bob: no drum roll for you - too verbose and not witty enough. Sorry!

    Coder: I don't agree that the change was appropriate; for instance, we don't know if the content.php script made use of the NoCache later in the code (I assume it didn't, but can't be sure) and the renaming of the parameter from NoCache to rnd is worthy of a quiet WTF itself; at least the old name was descriptive:

    Original Article:
    Clearly, it was just being used to prevent 'content.php' (or whatever page) from being cached
    whereas future maintainers are going to look at the code and wonder why the content.php page is being passed the value of the date() function under the variable name rnd. And that's without mentioning that this is a hack relying on undefined behaviour (caching of pages which include querystrings), rather than following clearly defined standards (setting cache-control headers).

    The appropriate thing to do would've been to thoroughly review the codebase, check whether removing these references would have any other side effects, and then implemented the appropriate headers on the scripts (meaning you can remove this code from every page that references those scripts). But hey, this is PHP, isn't it... ;^)

  • nosebreaker (unregistered)

    Or you could just use the pragma nocache headers...

  • Jay (unregistered) in reply to Claxon
    Claxon:
    Now now, don't put someone down for commenting their code, after all how would we know what was going on in this snippet without comments??
    	// Set i = 0
    	$i = 0;
    

    I particularly love it when programmers include such useless comments rather than tell me what I really want to know. One of my favorites was:

    // Add n2 to n5
    totchg=n2+n5;
    

    Like, wow, thanks for that helpful comment telling me that "+" means to add. They never taught me about that subtle and rarely used feature of C in college.

    But it would have been nice if you could have given me a hint what "n2" and "n5" hold. I managed to guess that "totchg" had something to do with "total charge" to a customer, but even that was obscure, as the program also had a variable named "chgtot" that was apparently something different.

Leave a comment on “A Rather Curious Pattern”

Log In or post as a guest

Replying to comment #:

« Return to Article