• Greg (unregistered) in reply to Quicksilver

    Or a Radiohead fan

  • (cs) in reply to Nagesh
    Nagesh:
    #ifdef REQUIRES_LOGIN
    #define 4 5
    #endif
    Then 4 == 4 is still TRUE, sadly. Try

    #ifdef REQUIRES_LOGIN
    #define 4 5 BUT_ONLY on lefthandside
    #endif

  • (cs) in reply to Chester

    Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...

  • Don L (unregistered)

    Nah, it's because 2 is defined as a variable. The function logged_in() can modify that variable, thus enabling or disabling the following code block....

  • emaN ruoY (unregistered) in reply to Quicksilver
    Quicksilver:
    Chopper:
    Anketam:
    normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt: 2+2=5 For extremely large values of 2

    Not if you're a banker!

    Or you are living in Airstrip One!

    Then 2+2=3 and you keep the change.

  • (cs) in reply to veggen
    veggen:
    Do I get extra credit for recognizing CodeIgniter? ... No? ... Ok...
    But you do get credit towards your next visit to the psychotherapist.
  • (cs) in reply to RogL
    RogL:
    Could make sense as a temporary debugging change, to force the login to work while testing.

    A distinctive "true" value is easier to remove when testing is done.

    When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ? You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

    On the other hand, you could probably safely remove all "|| true"s.

  • Rfoxmich (unregistered) in reply to Qpirate

    It was thrown so it could be caught. Just try and you will understand.

    Qpirate:
    I'm just looking at the WTF in the text: I started sifting throw hundreds Should it not be I started sifting through hundreds
  • myName (unregistered)

    2.4 + 2.4 = 4.8

    If you round those values to the nearest integer you get:

    2 + 2 = 5

  • Rfoxmich (unregistered) in reply to Leo

    Even that will fail if == has been overloaded so that it no longer tests for equality or modifies the value of two.

    Leo:
    No good, because what if 2 changes so that 2+2 no longer equals 4? Should be "|| 2+2 == 2+2", so even if 2+2 = 6, it will still evaluate correctly.
  • Re: The Gonvert (unregistered) in reply to KattMan
    KattMan:
    So really, it doesn't matter if you are logged in. The || essentially making it so if you are logged in you can upload, if you are not logged in, you can upload, because in our reality 2+2 does equal 4. Why not do away with the check in its entirety? You will get the same results.

    Wow, considering the number of replies, this is the best troll ever!

  • tj (unregistered) in reply to KattMan

    lol...pentium math error. good old days.

  • (cs)

    His logic is so wrong 2+2 obviously equals 10 (base-4).

  • IV (unregistered) in reply to KattMan
    KattMan:
    EDIT: Just thought of a reason for this. It is to prevent anyone using one of those really old pentium processors where 2 might become a float and the math error might make 2+2 != 4.

    I imagined this as authentication code running on a server. So it won't matter what your users are running; it will matter what you are running. And it will always evaluate as true or false for all users (even assuming your theory).

  • (cs)

    THERE. ARE. FOUR. INTEGERS!

  • Fred Flintstone (unregistered) in reply to Medinoc

    Agreed. I would add code review and any testing from build verification to user acceptance to the TRWTF?

  • (cs) in reply to iToad
    iToad:
    // DEBUG
    % DEBUG
    REM DEBUG
    (* DEBUG *)
    /* DEBUG */
    ; DEBUG
    <!-- DEBUG -->
    # DEBUG
    ' DEBUG
    {- DEBUG -}
    etc...
    
    Using debug code? Pick one from the list above.
    >>> if 2+2 == 4: etc...
      File "<stdin>", line 1
        if 2+2 == 4: etc...
                          ^
    SyntaxError: invalid syntax
  • foo (unregistered) in reply to jonny_q
    jonny_q:
    Anketam:
    normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt: 2+2=5 For extremely large values of 2

    If 2+2==4 is his favorite debugging alias for "true" then it's easier to search for to remove later. It's a built-in todo.

    Still dumb, but that's the thought process.

    I've gotten very good at learning to think like the retard I have to clean up after.

    You're still giving him too much credit. More like: "I want this condition to always be true (for a change request, or for debugging, doesn't matter), but I don't want/know to comment it out, or remove it (even if it's a permanent change request, after all I might lose some code, what's source control?), so perhaps I can add something to make it always true, oh yeah, I'm so clever, I'll add || and something that's always true, but what could this be? <think hard> Oh right, remember how in kindergarten I learned 2+2=4, and that's always true, wow, I'm really so clever, look how I can put my kindergarten knowledge to practical use, yeah, this looks great, and it actually works. Problem solved, and took me only 10 minutes."

    TRWTF is so-called programmers who don't know shit about Boolean logic, including the dreaded "if foo then return true; else return false;" antipattern, or other lengthy if-else-spaghetti code (or worse, goto) instead of a simple Boolean expression.

  • foo (unregistered) in reply to Zylon
    Zylon:
    THERE. ARE. FOUR. INTEGERS!
    +1
  • foo (unregistered) in reply to toth
    toth:
    RogL:
    Could make sense as a temporary debugging change, to force the login to work while testing.

    A distinctive "true" value is easier to remove when testing is done.

    When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ? You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

    On the other hand, you could probably safely remove all "|| true"s.

    if (foo || true == false)

  • geoffrey, MCP, PMP (unregistered)

    It is a commonly accepted practice to place OR logic into a conditional in order to bypass some dependency for testing purposes, or to stub out code that will do an authentication check at some later point, but is OK to leave unauthenticated for now. George Z should tread carefully in this code, lest he introduce a defect into something that is working in production.

  • Steve (unregistered) in reply to Anketam
    Anketam:
    His logic is so wrong 2+2 obviously equals 10 (base-4).

    Or 2+2=11 (base-3). Of course, if the compiler is using base-3 or base-4 arithmetic, then "4" is an undefined value and this expression should generate an error (the same as if it was "2+2=Fred" (unless, of course, Fred is 4)).

  • the beholder (unregistered) in reply to Zylon
    Zylon:
    THERE. ARE. THREE. DOT. NINE. NINE. SEVEN. EIGHT. NINE. SEVEN. FIVE. INTEGERS!
    (ftfy)
  • Boolean Troll (unregistered) in reply to foo
    foo:
    if (foo || true == false)

    by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

    adding the || true in that case would not change the truthiness of the expression.

  • (cs)

    We all realize, of course, that logged_in() has side effects, and this is a way to ensure that those side effects take place while in effect throwing away the result of the check?

  • Franz Kafka (unregistered) in reply to RogL
    RogL:
    Could make sense as a temporary debugging change, to force the login to work while testing.

    A distinctive "true" value is easier to remove when testing is done.

    When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ? You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

    or you could throw in a //BUGBUG and scan for those before releasing
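
The pre-release scan these comments describe (searching for a leftover `|| 2+2==4`, `|| true` or a `//BUGBUG` marker), as an added example that is not part of any poster's comment. The regular expressions and the sample PHP lines are constructed for illustration; `do_upload`, `is_admin`, `is_guest` and `$offset` are hypothetical names.

```python
import ast
import operator
import re

# "||"/"or" followed by an operand made only of integer literals, true, arithmetic and
# comparisons, ending the condition. Operands with variables or calls do not match.
CONST_OR = re.compile(
    r"(?:\|\||\bor\b)\s*\(?\s*((?:true\b|\d+)(?:\s*(?:===|!==|==|!=|<=|>=|[-+*<>])\s*\d+)*)"
    r"(?=\s*[)&|{;]|\s*$)", re.IGNORECASE)
MARKER = re.compile(r"(?://|#|/\*)\s*(BUGBUG|DEBUG)\b")
OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
       ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
       ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def const_value(expr):
    """Evaluate a literal-only expression without eval(); PHP ===/!== become ==/!=."""
    text = expr.replace("!==", "!=").replace("===", "==")
    text = re.sub(r"\btrue\b", "1", text, flags=re.IGNORECASE)
    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp):
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.Compare) and len(node.ops) == 1:
            return OPS[type(node.ops[0])](walk(node.left), walk(node.comparators[0]))
        raise ValueError("not a constant expression")
    return walk(ast.parse(text.strip(), mode="eval").body)

def find_bypasses(source):
    """Return (line_no, kind, text) for each constant '||' operand or debug marker."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for m in CONST_OR.finditer(line):
            try:  # always-true disables the guard; always-false is dead code
                kind = "always-true" if const_value(m.group(1)) else "always-false"
            except (ValueError, KeyError, SyntaxError):
                continue
            findings.append((no, kind, m.group(1)))
        if MARKER.search(line):
            findings.append((no, "marker", line.strip()))
    return findings

# Constructed sample input, modelled on the condition discussed in this thread.
SAMPLE = """\
if ($this->ion_auto->logged_in() || 2+2==4) {
    do_upload();
}
if ($user->is_admin() || $user->id == 4) {   // real condition, not constant
if (logged_in() || true) { // BUGBUG remove before release
if ($a || 2 + $offset) {
if (is_guest() || 1 === 2) {
"""

if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE):
        print(finding)
```

Run as a commit hook or CI step, a non-empty result for files that contain authentication checks is a reason to fail the build.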

  • Meep (unregistered) in reply to RogL
    RogL:
    Could make sense as a temporary debugging change, to force the login to work while testing.

    A distinctive "true" value is easier to remove when testing is done.

    When it's time to remove the bypass, which would you rather search for: "true" or " || 2+2=4" ? You probably don't want to blindly remove all "true" strings but you can safely search&replace " || 2+2=4" with "".

    Rather than relying on stupid codes, use source control. hg status to see which files you changed, and then revert them. Or if you've committed, hg diff -r with the revision before the changes.

  • Meep (unregistered) in reply to Boolean Troll
    Boolean Troll:
    foo:
    if (foo || true == false)

    by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

    adding the || true in that case would not change the truthiness of the expression.

    Nice try Mr. Boolean Troll, but it fails with three-valued logic.

  • (cs)

    I feel obligated to write this since no one has done it yet. TRWTF is PHP!

    Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

    If you wanted to fuck up the syntax, why not use _> which takes 6 key-strokes?

  • Franky (unregistered) in reply to Chopper
    Chopper:
    Anketam:
    normally if you want to force a true you add "|| true" not a math function. Reminds me of the shirt: 2+2=5 For extremely large values of 2

    Not if you're a banker!

    exactly, there the calculation is always: 2 + 2 = 3 + 1-for-the-own-pocket :D

  • Edward (unregistered) in reply to Canonymous Oward
    Canonymous Oward:
    Actually, the code might have a pretty legit reason. In some cases you can not just put "true" into "if" condition if there is "else" branch in the code, the compiler will complain about unreachable code.

    Seeing this in the production code kind of sucks though.

    There's a good reason why it would complain of unreachable code.

    Because it is.

  • pedantic (unregistered) in reply to fishdude
    fishdude:
    wbrianwhite:
    And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".

    Since you are dynamically building an SQL statement, I'll assume you are using PHP.

    Put all your WHERE clauses into an array, then use implode() to join the arrays into a string.

    $where[] = "param1 = 'fish'";
    $where[] = "param2 = 'slap'";
    $sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);

    You'd still have to test for an empty $where array, though!
  • (cs) in reply to ubersoldat
    ubersoldat:
    If you wanted to fuck up the syntax, why not use _> which takes 6 key-strokes?
    They'd be better off using “»»”. Maximizes the annoyance for US Windows users for type-ability reasons and for many others because of charset issues… Fun for all!
  • Re: The Gonvert (unregistered) in reply to ubersoldat
    ubersoldat:
    I feel obligated to write this since no one has done it yet. TRWTF is PHP!

    Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

    If you wanted to fuck up the syntax, why not use _> which takes 6 key-strokes?

    If I remember correctly, from C++, which PHP is written in:

    a.MyValue() if a is a reference
    a->MyValue() if a is a pointer

    -> looks like a pointer, get it?

  • (cs) in reply to dkf

    I can't even find those keys :-)

  • (cs) in reply to ubersoldat
    ubersoldat:
    I feel obligated to write this since no one has done it yet. TRWTF is PHP!

    Actually, TRWTF is PHP syntax... who thought about using -> for object access? Really, what's the explanation for using TWO signs (which in es_ES keyboards takes THREE key-strokes) when a dot works perfectly fine in almost every other language in the world?

    If you wanted to fuck up the syntax, why not use _> which takes 6 key-strokes?

    Maybe consider using a normal keyboard? Seriously, {, [, ], } and \ are all three keystrokes on a Belgian keyboard (which has a retarded design, by the way). If programming languages were supposed to be easy to type on every keyboard in the world, we'd be stuck with letters only. Hurray for END IF.

  • (cs)

    Now obligatory--

    [image]
  • Peter (unregistered) in reply to Anketam
    Anketam:
    Reminds me of the shirt: 2+2=5 For extremely large values of 2
    A better version of this is "For sufficiently large values of 2": 2.5 isn't really extremely large.
  • Spencer Ryan (unregistered)

    Probably didn't know he could just have made it || 1) if he wanted it to always test true.

  • (cs) in reply to fishdude
    fishdude:
    wbrianwhite:
    And I don't consider it a WTF. When appending various conditions to dynamic sql it's easier to start with a no-op condition and then append all the other conditions starting with "AND" without keeping track of "is this my first condition? no? then throw in and".

    Since you are dynamically building an SQL statement, I'll assume you are using PHP.

    Put all your WHERE clauses into an array, then use implode() to join the arrays into a string.

    $where[] = "param1 = 'fish'";
    $where[] = "param2 = 'slap'";
    $sql = "SELECT * FROM table WHERE " . implode(" AND ", $where);

    I am not using PHP, nor am I building the SQL in the front end. This is dynamic sql as in a stored procedure that builds a sql string based on input parameters and uses sp_executesql to execute it. It is more performant in situations where totally different plans will be generated based on whether you need to join to this table or that table and apply this filter or that filter. Amusing that implode is a built in function of PHP.

  • DEEmery (unregistered)

    Does this better capture the original programmer's intent:

    if ($this->ion_auto->logged_in() || assert(2 +2==4))
    
  • default_ex (unregistered) in reply to Warlaan
    Warlaan:
    Seriously guys, that's like basic optimization knowledge.

    Yes, 2+2==4 is always true, but as it is an expression it is not for free. Now if logged_in() is true, 2+2==4 does not have to be evaluated at all, saving valuable processor time.

    Basic optimization knowledge? Been a long time since I've seen a compiler that doesn't evaluate constant expressions during compile time unless told not to do so with some command line argument or project configuration.

  • Dima (unregistered) in reply to Jason
    Jason:
    It's obviously debug code that either the original developer forgot to take out, or was purposely left in to bypass having to constantly log in. Since it was an unfinished project it's likely the latter and the new guy needs to get off his high horse. In my experience many developers when having to take over a new project will trash the work of the previous generation since it's easier to do than actually having to really learn the architecture.
    I subscribe to that.

    The actual WTF here is George's lack of experience that prevents him from understanding debugging patterns and enables him to make fun of it.

  • (cs) in reply to Qpirate
    Qpirate:
    I'm just looking at the WTF in the text: I started sifting throw hundreds Should it not be I started sifting through hundreds

    Freudian slip. The code made him throw.

  • (cs) in reply to Boolean Troll
    Boolean Troll:
    foo:
    if (foo || true == false)

    by both boolean logic (and operator precedence in most programming languages) A || true evaluates to the same as A...

    adding the || true in that case would not change the truthiness of the expression.

    Kick the fucking stupid cunt to death before the fucker breeds. Too late? Kick its fucking offsping to fucking death too. Burn the dwellings it lived in. Salt the ground it wanked on. Exterminate it from the universe.

  • Mr.'; Drop Database -- (unregistered) in reply to Anon') or 1=1
    Anon') or 1=1:
    The very first infinite loop I wrote when I was a noob looked like this:
    while(6 != 7)
    {
       ...
    }
    I thought I was so clever.
    Alternatively:
    #define EVER ;;
    for (EVER) { ... }
  • leeter (unregistered)

    Poorly written backdoor?

  • (cs)
    <script type="text/javascript">
    var count = 2;
    function validate() {
      var un = document.myform.username.value;
      var pw = document.myform.pword.value;
      var valid = false;
      var unArray = ["hussan","ayaz","mehmood","faraz"]; //as many as you like = on comma after final entry
      var pwArray = ["password1","password2","password3","password4"]; // the corresponding password;
      for (var i=0; i < unArray.length; i++) {
        if ((un == unArray[i]) && (pw == pwArray[i])) {
          valid = true;
          break;
        }
      }
      if (valid) {
        alert ("login was successful");
        window.location = "http://www.facebook.com";
        return false;
      }
      var t = "tries";
      if (count == 1) {t = "try"}
      if (count >= 1) {
        alert ("user name or password to dal pagal admin ajeeb hai?" + count + t + "left");
        document.myform.username.value="";
        document.myform.pword.value="";
        setTimeout("document.myform.username.focus()",2);
        setTimeout("document.myform.username.select()",2);
        count --;
      } else {
        alert ("still incorrect you have no more tries left!");
        document.myform.username.value = "no more tries allowed";
        document.myform.pword.value = "";
        document.myform.username.disabled = true;
        document.myform.pword.disabled = true;
        return false;
      }
    }
    </script>
    <form name="myform">
    <p>ENTER USER NAME <input type="text" name="username"></p>
    <p>ENTER PASSWORD <input type="password" name="pword"></p>
    <p><input type="button" value="Check In" name="submit" onClick="validate()"></p>
    </form>
  • aw4 (unregistered)

    When you're a hacker, old habits die hard...

  • a;sleo (unregistered) in reply to cellocgw
    cellocgw:
    Nagesh:
    #ifdef REQUIRES_LOGIN
    #define 4 5
    #endif
    Then 4 == 4 is still TRUE, sadly. Try

    #ifdef REQUIRES_LOGIN
    #define 4 5 BUT_ONLY on lefthandside
    #endif

    but 2 + 2 doesn't equal 5, right? (although I guess we're talking stupid anyways)
