- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
A selecter, huh? So what's the selectest!
Admin
Dare I say "Javascript has the best WTF's" ?
Admin
Rofl, so if I'm reading this right, if he has 10, 210, 310 and 410 checked, and he unchecks 10, he ends up with 234 checked? Good thing the ids are so high!
What does the g in the eval line do?
Admin
g = global replace. otherwise, only the first "10," would be replaced.
Admin
I was originally going to make a joke about the javascript as an effort to make sure that the checked checkboxes were, like, really checked, so they didn't have a situation like the 2000 Florida vote with the hanging chads and whatnot.
Then I re-read the bit about the WoW site and though, aw, hell, that's funnier than anything I could come up with anyway.
Admin
I guess he is unfamiliar with $_POST in PHP?
Admin
Is it safe to remove my welding goggles yet?
Admin
Yeah, this is awesome! For fun, paste this code on your machine at work, add some checkboxes where the ids are substrings of the other ids, and change the hidden input to text so you can see it as it messes up the list of ids.
And all this for something the browser does for you when it posts the form, had the developer been 1337 enough to give all the checkboxes the same name, with each value being the id.
Admin
Yes, but then he wouldn't be able to handle "input" from mutliple pages in his insert.php file. At least that's what i'm guessing he did. Based on the prefix of fthe checkboxes, he probably had some huge switch statement in that file that knew what values were selected on what page. It's the new duct tape...insert.php!
Or, am I completely off here?
Admin
I did not interpret "in trouble" as getting fired. If he did not get fired for trying to sell proprietary software on eBay...that might be a bigger WTF than his whole system.
Admin
Unnecessary: assuming the point of this was to convert a POST to a GET, all he had to do was change
<form method="POST"> to <form method="GET">
I'm pretty sure GET is the default anyway. I can't for the life of me figure out why the fuck he thought he needed the javascript.
Admin
As javascript in itself was designed with good intentions, there are many facets about the language and the varying browser capabilities that can eventually drive your code into WTFland for the next developer...
Admin
Holy crap.
Err. Unholy Crap.
'Nother instance of "TTWTASO" design pattern (trash the whole thing and start over)
Admin
The story around it is differenct, or this could be jscript from the place I at now as an on-site contractor!
This job was presumably modifying about 8 web pages. But it turned out the pages had server-side jscript rendering client-side jscript with this kind of garbage code, plus putting values in and out of XML strings by someone not knowing how to use XML. That just my rant on the web pages!
In fact, some samples were submitted to WTF, but Alex only had sympathy for me. Don't recall if it was duplicate stuff or wasn't humorous enough to use. But it has kept some of my sanity reading WTF and seeing I'm not the only one dealing with bad coding and applications.
(Someone had to ask real nice to get me to come here and rescue a project that was sinking. The first guy placed here couldn't figure out what to do.)
Admin
Oh yes, forget the whole $_REQUEST.....very nice. I've always wanted to create the new and improved version of that. Lol...
It's almost as bad as the new link tag seen elsewhere on this site last week...
<a onclick="location='http://www.aximilation.com'; return false;" href="#">The <em>new</em> link!</a>
(I'm making a t-shirt!)
Admin
This is what happens when someone hears the term 'MVC' in passing and then reads a random blog post. Because nothing controls like a single file with 20,000 if statements.
Admin
Notice the bolded parts. When the page loads, all the boxes are checked. If you submit without un-checking and re-checking the box you want, there is no value in the "checkedValues" field.
Admin
Resistance is futile.
Admin
It's so beautiful! I'm crying... no wait... that's blood... FROM MY EYES!
Admin
the guy almost invented Ajax
Admin
Wait, I was wrong. That doesn't say "checked" it says "on". This was so stupid I mentally filled in what he should have been doing instead of what he actually did.
Wow, that's a lot of work to be so wrong.
Admin
Actually, 'value="ON"' does not mean the box is checked. It just means that if it is checked, the value to send to the server is "ON".
Considering that that value presumbly isn't used (since checkedValues.value holds the list of checked checkboxes) you have to wonder why it's there. Just another copy-paste job, I suppose...
Admin
Web-neophyte here - I thought check boxes could only be true/false, or possibly [un]checked. "On" ???
Admin
<FONT face=Arial size=2>Huh? value="on" doesn't autocheck a box on the page load. I think you are thinking of</FONT>
<input id="check_4273842" onclick="onCheck('4273842')" type="checkbox"
name="check_4273842" <FONT size=4>checked</FONT>/>
<FONT face=Arial size=2>Or am I missing something (trust me, its happened before)?</FONT>
Admin
Check boxes pass whatever is in the "value" attribute to the form action page when they are checked. If they are not checked, they pass nothing. If more than one checkboxes have the same name, all that are checked are passed in a single variable as a comma seperated list. Basically, the guy/gal wrote a bunch of crap code to do what standard html forms already do.
Admin
It burns.
It burns. So. Much.
Please. Someone make it stop!
Admin
Thanks - I know just enough about all-things-web to realize how little I know about all-things-web (I tend to stay on the server-side of things - where I know what I'm doing).
Admin
I knew this didn't sound right, so I tried it. What I got in the URL for a GET request looked like this:
key=test&key=test2
Now, your language/CGI parser library may change this into something nicer like a comma separated list for you, but the data is actually sent as multiple key=value pairs, only using the same keys.
Admin
Sure you're not missing anything.
WTF on WTF
Admin
Thanks for the correction. I guess you learn something new everyday. I am mainly a client app programmer, so my experience is limited to a couple ASP and coldFusion (gross, I know) hobby sites I help my fellow geeks maintain.
And the answer to your question is that you learn to keep commas out of the indivdual checkbox values pretty quickly.
Admin
My eyes are checkered, does that mean they are on?
Admin
I'm afraid of:
//insert.php mysql_query("INSERT INTO MyOrder (ID) VALUES ($chosen)");Admin
Good god, I actually tore at my skin with my fingernails when I read this.
[image]Admin
I could imagine why one would want to reconstruct the querystring and bypass the normal form submission. For instance if there is another javascript function attached to the onSubmit event and for some reason you don't want it to run when you click on that button.
The eval on the string replace is a bit weird. It looks like a workaround for someone who don't know about the RegExp() object (you can't use variables with the // notation). But you don't really need a regular expression in the first place.
Admin
<font face="Courier New" size="2"><font face="Arial">Just to clarify from the PHP people... Is there some reason you wouldn't just use the following ... like I'd do with a Java/Servlet back-end? Is there some reason building a comma separated string would make things easier in PHP? I would just use the HttpServletRequest to give me an array of the "chosen" parameters...</font>
<form id="selecter" name="selecter" action="insert.php">
<input class="button" type="submit" value="Submit" />
...
<input type="checkbox" name="chosen" value="4273844" />
...
<input type="checkbox" name="chosen" value="4273843" />
...
<input type="checkbox" name="chosen" value="4273842" />
...
</form>
</font>
Admin
Umm.. how so? If my memory serves me correctly, "name"-attribute of input-elements is of type CDATA, which means "a sequence of characters from the document character set"... so ending a name with [] is just about as allowed in HTML as ... well, just about anything :)
Admin
Oooh, I need to get a webcam at my desk too.
Admin
Young Padewan - checkboxes have three states - true, false, and FileNotFound.
"On" is indeed the real WTF here.
Admin
Yeah, let's combine a great big web app design flaw with a PHP-specific design flaw: SQL injection annnnnd register_globals... =)
Admin
You would be very surprised (well, no, you wouldn't really) how many people who work with one of those languages every day, and are paid to do so, actually think that the browser sends a comma-separated list.
captcha: whiskey
Admin
PHP isn't the only "framework" that uses that kind of thing either. Struts, for instance, uses the hell out of it.
Captcha: error
Admin
Well, if you're going to use xhtml you should make it
<input id="check_4273842" onclick="onCheck('4273842')" type="checkbox"
name="check_4273842" <font size="4">checked</font>="<font size="4">checked</font>"/>
Admin
Actually, PHP even has a design flaw that makes this CHILDS PLAY! Then again, the new PROPER way isn't much harder. PHP was built from the ground up to work with this stuff.
Steve
Admin
Hard to believe. How can a programming language especially made for web programming require such client-visible workarounds to accomplish such basic tasks? Even Oracle's Web toolkit (web programming in PL/SQL, introduced around '99) does it better.
Admin
Maybe, but struts has a higher level of abstraction.
Admin
PHP will only accept arrays of inputs if the input is named with a [] suffix. This is a pet peeve of mine, I feel that a proper server side web scripting language should be able to handle whatever form data is sent at it sanely.
If I remember ASP correctly (it's been a while), if you read the input directly, you get a comma separated list but you can also read the input as an array [Don't remember how but it's fairly simple]. I think the comma separated list is an awful holdover from htx/idc of the original IIS (Makes me feel queasy just thinking about it).
Rich
Admin
It's not a work-around, it's just how things are done. PHP isn't an amazingly clever language, but what's wrong with using [] to return an array? It's no more client-visible than using the same name without [] for each element.
Admin
Not that I want to be seen to be defending PHP particularly (I use it a fair bit but I am a sysadmin, no longer a full-time programmer) but it must be remembered that PHP originated as a very simple language to make designing simple homepages quick and relatively painless. Crap such as [] is pretty easy to understand in that context, much like the magic quotes and other braindead stuff.
That said, it should have deprecated by now and been replaced with something saner. I did ask about it recently and was told that there were technical reasons or ot was "too difficult" to do things any other way (which I immediately rebutted of course). I took that to mean that the PHP developers had not yet had the appropriate epiphany. I am sure they will. But in the meantime, the insanity remains.
Rich
Admin
What's wrong with that? Well, it means PHP can be unable to process (perfectly legal from a HTTP point of view) input coming from another page (possibly even another server) that does not know or care about that.
It means implementation details inevitably leak through to a tier where they should be invisible.
Admin
Yeeesh, I'm glad I don't use PHP. How hard is it to parse the key/value pairs in the http post or get, and then build an array for any key that has more than one occurrence...Anyway, thanks to all for clarifying this to me.