- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Fixed it: function getTimeOut() { return 1000+(int)$_POST['pin_number']; }
Admin
Woo! PIN code as timeout, who'd have thought of that?!?
Admin
I think it would have been funny if the boss spoke only in third person.
"Biltmore wants his reports! Why does it keep asking Biltmore to type in his PIN? Fix it for Biltmore!"
Admin
TRWTF is this: "four-digit PIN number" It's PIN, not PIN number.
Admin
That's assuming getTimeOut isn't actually used for PIN validation somewhere . . .
Admin
Admin
Using a user-supplied password as a session timeout limit in seconds? I have a feeling that 2008 is going to be a good year for the Daily WTF... We're definitely starting it off well.
Admin
I hope Biltmore got the memo about the cover sheets.
Admin
I suspected the PIN was being stored in a numeric field. It's a number right? The fact that his PIN was 0010 confirmed that fact for me. Then it turns out I was completely wrong.
I wonder if they could enhance the system to have a 5 digit PIN. Then he could make it 12345 and synchronize with his luggage combination.
Admin
Personal Identification Number Number.
In other words, the amount of identification numbers you need.
Admin
I wonder if they were the TPS reports...?
Admin
Hehe. I work in telecoms. In my code dealing with call statistics, I have variables like $numnums which is, of course, the number of phone numbers dialled in a given time period.
Admin
This is just a code reusing ;). Code reusing saves money as you know...
Admin
"Biltmore wants his preciousssssss. Nasty PINses! PINSes want to hurt Biltmore!"
"Fix it for Biltmore you will! Beware of the power of the dark PINs you must!"
"It is a truth universally acknowledged, that a director in possession of a Monday, is in want of a PIN."
Admin
This WTF must be a paraphrase from BOFH. I'm too lazy to dig it up, but I'm pretty sure of it.
Admin
My personal favorite is $numnuts. Which would be the number of php monkeys using crappy variable names.
Admin
Admin
This is a case of the RAS syndrome.
Admin
oh my god this is so funny. love this site
Admin
Admin
Hah, that's a WTF :)
Admin
Admin
I also suspected some integer conversion code to strip the leading zeroes - a common kind of bug in processing numbers that aren't actually numbers in the mathematical sense of the word-, but this isn't just a programming glitch, it's pure insanity. And it's so freaking arbitrary. Why use the PIN and not, let's say, the digit sum of the ZIP code multiplied by the surface temperature of the spot on the Moon that faces the Earth in Fahrenheit? Sure, you couldn't log in at all whenever the latter drops to or below 0°F, but using the absolute value function or the Kelvin scale would easily fix this problem. Maybe instead of using the digit sum of the ZIP code, you could use a database of crime hot spots. So someone who logs in from the New York subway will have to reauthenticate more often than someone accessing the system from his ranch in Colorado. It all makes terribly much sense if you think about it. :-)
Admin
Well at least its in seconds, not milliseconds :) I wonder why a hard coded 15 minutes was not enough? Or 15 minutes since last request? I duno, I guess typing in 15*60 is harder than 'pin_number'...
Admin
The new PIN is so l33t!
Admin
Seems like the programmer was trying to teach people a lesson about very low PINs. Most crackers would try to brute-force your PIN from zero (after trying the obvious stuff like 1337 etc.)
Admin
A hard-coded timeout? Why, magic numbers are grounds for termination here!
Admin
This is great WTF because I don't understand at all what the programmer was attempting to do. (This is not said at all in sarcasm, I am truly stumped).
Admin
function getForumTimeOut(){ return $_REQUEST['ArticleId']; }Admin
I'm going to guess that originally the PIN's were assigned, not chosen, and were used as a kludge method of setting different session lengths for different users.
Admin
But what if the PIN isn't set? Fixed:
function getTimeOut() { $pin_number=$_POST['pin_number']; if (isset($pin_number)) { $old_pin = $pin_number; } $new_pin=1000+(int)$_POST['pin_number']; if (! isset($new_pin) ) { $new_pin=1000; } else { $new_pin=1000+(int)$_POST['pin_number']; } return $new_pin; $_POST['pin_number']=$old_pin; }Admin
Admin
Why not just :
function getTimeOut() { return 2000; }
Why on earth would the timeout depend on the password? That makes no sense at all... someone was smoking something when they wrote that function.
Admin
Hmm, I just realised that my solution doesn't cover "what if GetTimeout is used for PIN validation?"... well how about $_SESSION("difference_between_timeout_and_real_PIN") which is set to 1000 by GetTimeout() ?
Admin
???? function getTimeOut() { return 1500; }
Admin
Admin
Is this not just a perversion of password life being a function of password complexity? You know, the ONLY way to crack such a PIN is to start at 0001 and go up from there(0000 is, of course, reserved for super geniuses).
Admin
Me Biltmore. Biltmore want reports. Biltmore SMASH!
Priceless stuff, what a start to the year!
Admin
Without seeing the full codebase, you can't be sure that it's a valid fix :)
Admin
Am I reading this right? It looks like the code is setting the timeout to the user's PIN?
Admin
Admin
You crazy PHP monkeys, in ASP.NET, we just leak an arbitrary amount of memory knowing exactly how long until the leak forces the application pool to recycle.
Then once it does, all the sessions are cleared.
:)
Admin
You're assuming quite a bit there, aren't you?
Admin
The moment I saw his PIN I was ready to bet that the problem was leading zeros...
And I am still not convinced that this SetTimeout stuff is authentic... seems kinda too big a WTF to be TRWTF. More likely the submitter just couldn't figure out what the problem was, and made up some nonsense to submit it instead :p
Admin
Admin
Someone help me out here...
Gollum
Yoda
???
Admin
Admin
I was starting on a reply where I wanted to correct the errors and bugs in your function, but I realized that it is probably just bait ;-)
Admin
Pride and Prejudice, I believe.
Admin
That's some badass intution right there... how did he make the link between "timeout" and "pin"? Or did I miss something?