• grammar neo-nazi (unregistered) in reply to Whiskey Tango Foxtrot? Over.

    Am I blind, or did you just censor yourself on the word "crap"? That's....... wow. Words escape me.

    There's a perfectly good reason for this: crap is a synonym for shit. Shit is "bad" word. At my enterprise we have to censor by proxy!

    (The "quote" button apparently generated non-matching quote blocks. WTF?!)

  • (cs) in reply to grammar neo-nazi
    Anonymous:

    Am I blind, or did you just censor yourself on the word "crap"? That's....... wow. Words escape me.

    There's a perfectly good reason for this: crap is a synonym for shit. Shit is "bad" word. At my enterprise we have to censor by proxy!

    (The "quote" button apparently generated non-matching quote blocks. WTF?!)



    I bet you're not allowed to say "Scunthorpe", either.  I am, though.

    SCUNTHORPE!  SCUNTHORPE!  SCUNTHORPE!

    Can we have a funny place names thread now?

    Simon

  • (cs) in reply to grammar neo-nazi
    Anonymous:

    Am I blind, or did you just censor yourself on the word "crap"? That's....... wow. Words escape me.

    There's a perfectly good reason for this: crap is a synonym for shit. Shit is "bad" word. At my enterprise we have to censor by proxy! (The "quote" button apparently generated non-matching quote blocks. WTF?!)

    Ya, what kind of fucked up world are we living in when the word crap must be censored?

  • smithy953 (unregistered)

    OK guys, it seems the solution is as confusing as the puzzle, so why not run the solution again, I hear you ask. Well, the answer to that one is I can't be bothered. All I know is that revenger88 sucks cock. Also I should let you know this is from the infamous hacker who has also before now hacked a live on-air show of the Simpsons, on which he broadcast his own message on top of the program saying something along the lines of "dave is a naughty boy and he will pay" etc etc etc blah blah blah. But as you may or may not have figured, this is the hack code he used to get into the live broadcast systems and through the firewalls and past the encryptions, so whoever found this code lives close to the hacker. So anyway the solution is:

    function saveform()
    {
        var firstName = escapeSql(mainForm.elements.txtFirstName.value);
        var lastName  = escapeSql(mainForm.elements.txtLastName.value);
        /* ... */
        var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

        var code =
            ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
            '   or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
            ' $db = mssql_select_db($DB_NAME, $cn); ' +
            ' ' +
            ' if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\'' + ssn + '\'", $cn)) ' +
            '   { $ins = false; } ' +
            ' else ' +
            '   { $ins = true; } ' +
            ' ' +
            ' if ($ins) { ' +
            '   $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, ..., OFFERCD) VALUES ("; ' +
            '   $sql+= "\'' + firstName + '\',"; ' +
            '   $sql+= "\'' + lastName + '\',"; ' +
            '   $sql+= "\'' + offerCode + '\')"; ' +
            ' ' +
            '   /* ... */ ' +
            ' ' +
            '   mssql_query($sql, $cn); ' +
            ' mssql_close($cn); ';

        execPhp(code);
    }


    See, I told you. Anyway, for further info get into a game called the universal and when in space type ?sechat ariya. When you do this, if anyone is online a list of names should appear; if one of these names is smithy953 then you can talk to me. OK, have fun and run the solution if you wish.


  • toxik (unregistered) in reply to Eyal

    Can..everyone...stop..flaming..PHP..? (this is said in an exhaling way, thus the dots.)

    PHP does require an effin virtual machine to run, it doesn't cost money and it runs on *NIX very well.

    I.. am le tired.

  • (cs) in reply to toxik
    Anonymous:
    Can..everyone...stop..flaming..PHP..? (this is said in an exhaling way, thus the dots.)

    PHP does require an effin virtual machine to run, it doesn't cost money and it runs on *NIX very well.

    I.. am le tired.


    Define "very well." What are you measuring? What are you comparing to? You're going to have to do a little better than that to convince me. Saying PHP runs "very well" is as valid as saying PHP is very pretty.

    Which it isn't, by the way. PHP is ugly. Acne. Nose hair. Scrawny. I could go on...

    sincerely,
    Richard Milhouse Nixon
  • (cs) in reply to lucky luke

    err... what you're describing there suggests that you should be using another language that HAS a security model like java - use a servlet for scalability and take advantage of the permissions model and the declarative security whereby the web domain roles can be mapped to a single (and therefore easier to control/manage) role that can perform the SQL. Injecting SQL (or any other code for that matter) is subject to not DoS attacks at the v.least. In java's trust model code must be signed (and accepted to run) if you want to 'inject' in this way and regardless, the developer would have to comply with this model and code it in from the start and developers would have to inject on the server and NOT from the client. Although I think Beanshell perhaps would negate this somehow? Not sure about that one.

    Another problem with injecting code in this way is that it's prone to error - no matter how much security you put around ensuring legitimate use you can't account/protect for idiocy/mistakes. If you want to parameterise code in some way and have it customized by a client then cool - i think.

    Yet another point (since this is a snippet) is that the execPhp() isn't listed. I know you can hide .js from a user which would presumably stop exposing insight into how the server is modelled - in this case table details.

    Overall I feel that this guy has just played with something (as we all do) and rather myopically decided to roll it out in a client-exposed form. It says much about his employer (assuming he is employed) and their seemingly scant regard for peer-review.

    -m.

  • Easy hacking is just as criminal (unregistered) in reply to GrandmasterB

    Post protection...

    Just leave the front door open and shoot the trespassers. :)


  • LOL (unregistered)

    The first thing I would think of if I located such a script on the web would be something like:

    Who do I wanna flood with emails, or what IP needs to be packeted?
    Maybe get a directory structure and check the write permissions on those and, if there is space enough, make it into another warez page.

  • Munthon (unregistered) in reply to maldrich

    maldrich , you are genius.

  • (cs)

    A little question to my fellow co-posters on TDWTF about moral issues:
    If you noticed your (experienced and normally rather clever) coworkers create a similar system, would you

    - warn them about the stupidity of this approach
    or
    - wait till it's done, then send it to Alex?

  • (cs) in reply to ammoQ

    ammoQ:
    A little question to my fellow co-posters on TDWTF about moral issues:
    If you noticed your (experienced and normally rather clever) coworkers create a similar system, would you

    - warn them about the stupidity of this approach
    or
    - wait till it's done, then send it to Alex?

    All of the above?  [;)]

  • (cs) in reply to GalacticCowboy
    GalacticCowboy:

    ammoQ:
    A little question to my fellow co-posters on TDWTF about moral issues:
    If you noticed your (experienced and normally rather clever) coworkers create a similar system, would you

    - warn them about the stupidity of this approach
    or
    - wait till it's done, then send it to Alex?

    All of the above?  [;)]



    Along with pwning their development box and changing its startup sounds to something by Pete and Dud

    Something from the end of this, for example (NOT safe for office browsing) http://stabbers.truth.posiweb.net/stabbers/audio/derek_and_clive/Peter_Cook_%2B_Derek_&_Clive_%2B_Worst_Job_He_Ever_Had_%2B_wwwDOTstabbersORG.mp3

    Simon
  • yoyo (unregistered) in reply to Otto

    Otto:
    It's assumed that you are smart enough not to use it for anything unless you really need it and know the inherent danger there.

    I recently modified a plugin for Wordpress and added an eval() to it.

    Oh, yes, an assumption that devs/users are 'smart enough' has already become a trend in the LAMP/Web 2.0 land. Alas, this assumption is not always true, as you know. 

    As for Wordpress, its whole codebase together with plugins is just a 'Big Ball of Mud'. Almost every 10th line deserves to be posted on WTF frontpage.

  • ringo (unregistered) in reply to John Hensley
    Anonymous:
    I have to compliment this F-head for dropping an extra layer from the app. But the company had better keep the people who know the DB login info very happy.

    Why?
    echo "User: $DB_USERNAME
    Password: $DB_PASSWORD";

    Looks like they had better keep me very happy ;)
  • Peter da Silva (unregistered) in reply to fdr
    "something you can't prevent on any system that has a thick client."

    I have to agree that the thickness of this client is exceptional. Only exceeded by the thickness of the programmer.

    Every place you allow untrusted code to execute you create a new environment for security holes. Even if the user's privileges for modifying the data in the database are strictly limited, being able to execute PHP on the server gives them a much greater opportunity for launching attacks on other subsystems, other user accounts (especially since all the PHP scripts are running as the same user ID), and if you can combine it with a cross-zone attack in the browser you can put the blame on someone else.
  • Peter da Silva (unregistered) in reply to Anonymous
    Anonymous:
    Guess what? Unlike what one would expect from being exposed for years to Unix, the software somehow depends on its shared client executable directories being writable by all the client desktops. WTF.
    I don't know if XP has fixed this or not (I'm on a Mac here) but when I secured a Windows 2000 box running Office and a few other Microsoft apps to the level I would consider normal in UNIX (e.g., removing global write access everywhere but the user's own profile and C:\TEMP, traverse checking enabled,
    running as a normal user, ...) you couldn't run Office, you couldn't print, you couldn't do anything, not even adjust your screen!

    So I wouldn't be surprised at anything Windows programmers do if Microsoft themselves are so incompetent.
  • Anon (unregistered) in reply to Me
    Anonymous:
    Windows. As shown by the MSSQL calls. I assume there are a number of 0day privilege exploits out there for this OS?


    MSSQL has to run on Windows; the webserver could be on any OS that can run a webserver/CGI.
  • Symbiatch (unregistered)

    I did once run into a web site (some quite big HW manufacturer in Korea or something) that did SQL queries through Javascript. They took the values of some select lists and sent the query via POST.

    Naturally you could also do a DELETE through it and it didn't take long before the company had no products available on their website...

  • Bozo_Gov (unregistered) in reply to Symbiatch

    Here's the server-side code:

    <?php
    // The fixed digest below can never match in practice: the generated code
    // embeds the form values, so every submission hashes differently.
    function svr_execPHP($code)
    {
        if (md5($code) != '312672615')   // poster's placeholder checksum
        {
            // mail2FBI() is the poster's hypothetical helper, not a PHP function
            mail2FBI("Hackz0r detected!", "[email protected]", $_SERVER['REMOTE_ADDR']);
        }
        else
        {
            eval($code);
        }
    }
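
    Added example, not code from the article or from any poster: the server-side handler this design lacks. The browser submits form fields only; the PHP on the server owns the SQL and binds the values with PDO prepared statements, so nothing is eval()'d and the client-side escapeSql() stops mattering. PDO with the sqlsrv driver, the APP_* environment variables, the function names and the txtSSN field are assumptions; the table and column names come from the WTF snippet.

```php
<?php
// Added example (not the article's code). Assumes PDO with the sqlsrv driver
// and a table APPS(FIRSTNM, LASTNM, SSN, OFFERCD). getConnection(),
// saveApplication(), the APP_* variables and txtSSN are hypothetical names.

function getConnection(): PDO
{
    $dsn = sprintf('sqlsrv:Server=%s;Database=%s',
        getenv('APP_DB_SERVER'), getenv('APP_DB_NAME'));
    // Credentials stay on the server; nothing here is ever shipped to the browser.
    return new PDO($dsn, getenv('APP_DB_USERNAME'), getenv('APP_DB_PASSWORD'), [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

/**
 * Inserts an application unless one is already on file for the SSN.
 * Returns true on insert, false if the SSN already exists.
 */
function saveApplication(PDO $db, string $firstName, string $lastName,
                         string $ssn, string $offerCode): bool
{
    // Validation happens here, not in JavaScript: the browser is under the
    // user's control, so any check it performs can be bypassed.
    if (!preg_match('/^\d{9}$/', $ssn)) {          // assumed SSN format
        throw new InvalidArgumentException('SSN must be nine digits');
    }
    foreach ([$firstName, $lastName, $offerCode] as $field) {
        if ($field === '' || strlen($field) > 64) {
            throw new InvalidArgumentException('field missing or too long');
        }
    }

    // Bound parameters: user input travels as values, never as SQL text.
    // This SELECT mirrors the original's check; a UNIQUE constraint on
    // APPS.SSN is what actually closes the check-then-insert race.
    $exists = $db->prepare('SELECT 1 FROM APPS WHERE SSN = ?');
    $exists->execute([$ssn]);
    if ($exists->fetchColumn() !== false) {
        return false;
    }

    $ins = $db->prepare(
        'INSERT INTO APPS (FIRSTNM, LASTNM, SSN, OFFERCD) VALUES (?, ?, ?, ?)');
    $ins->execute([$firstName, $lastName, $ssn, $offerCode]);
    return true;
}

// Only form fields arrive in the request; there is no code to execute.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = getConnection();
    $inserted = saveApplication($db,
        $_POST['txtFirstName'] ?? '', $_POST['txtLastName'] ?? '',
        $_POST['txtSSN'] ?? '', $_POST['txtOfferCode'] ?? '');
    echo $inserted ? 'saved' : 'already on file';
}
```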
  • (cs) in reply to Anon

    Anonymous:
    What is the point of eval() in php anyways?  It just seems like an open invitation for stuff like this.  Is there any case where it is more useful than harmful?

     

    mathematical functions perhaps?  Eval("3x^2+2x+1") ??

  • THE PWNER (unregistered) in reply to fist
    fist:
    first

    STFU NUB STAIN

  • Wandar (unregistered)

    Why, oh why...my brains...they are melting...oh this insanity of mankind...will they ever learn .............. (8=X

  • Long Tom (unregistered)

    That shit is seriously atrocious. He probably thought he was being damn clever too... how very very sad.

  • Mogorambo (unregistered)

    wow that's bad, note that execPhp(code); is a javascript function that sends the code to a php script to be executed, but perhaps the script removes out crap and only pulls out the query. It's still a stupid idea and a bad way to do this, but still it may not be as horrible as it looks like.

    I'm going to pretend that this is fake, because I don't want to believe anyone would be that stupid.

  • jovar85 (unregistered) in reply to Wing
    Wing:
    bullseye:
    I don't doubt the stupidity level of some programmers ( especially PHP programmers [;)] )
    This attitude, one which shows a massive amount of ignorance, is a really bad one. I work for a firm that develops in PHP. We use an MVC approach with a Data Access Layer, Data Transfer Layer, View and Model well and truly separated. No amount of smileys will take away the offensiveness of your comment. If I were to have posted "I don't doubt the stupidity of some people (especially Irish/gays/people-of-ethnic-origin-goes-here)" no amount of smileys would have made that ok.

    Yeah, I agree with you.

  • Ben Lacey (unregistered) in reply to diaphanein

    I've seen some terrible code in my time but this really is stupid code! Like you I hope this isn't a live website, but if it is - I'm sure it won't be for long!

  • there is No Fool Like a Code Fool (unregistered)

    Perhaps >>stupid<< is too harsh a word, remember php and javascript are often the first and only programming languages that beginning and otherwise untrained programmers learn.

    Maybe we should just call them Ignorant Fools instead.

    Ignorant -- because they lack the knowledge to know any better.

    Fools -- because they seem unwilling to learn...

    On second thought, I guess Ignorant Fool is a synonym for Stupid. ;-o

    Astonishingly enough, as FDR and others illustrate far too clearly, there are certainly plenty of people who qualify. I just want to know one thing FDR, what is the url of your site?? Do you have anything juicy for us to steal??? maybe some credit cards? Given your strident defense of this WTF code it should be pretty easy to break into your web site. ;-)

    Some people seem to not understand the difference between script code and compiled code. A Thick Client App is going to be deployed as compiled code. It would be very hard to modify without access to the source. But script code on the other hand ~is~ the source and thus trivial to modify. VB is compiled code, so is C. You certainly could extract any embedded passwords that aren't encrypted from the compiled code, but doing anything else is several orders of magnitude more difficult.

    Some people also seem to not appreciate the difference between running in a TRUSTED environment (well, mostly trusted anyway), which is where you will find a Thick Client. Versus running in the Wild and Woolly Internet where deliberate attacks are a constant occurrence which -- on the public servers that I maintain -- happens hundreds of times per day.

    Even so, thick clients without a security layer between them and the data are still not a real good idea... just because you can get away with it does not mean that you should do it. You better have a very reliable network connection when running your Thick Client with direct access to the db.

    In spite of anything M$ marketing might try to con-vince you into believing, Running ODBC is never a good idea... at least not if you value performance and data integrity. ODBC is a big fat really slow elephant pig (IMHO). On top of that installing an app that requires ODBC is a royal pain to get it to work due to version dependencies and registry garbage. Also data corruption is far more likely to occur. The only thing ODBC ought to be used for is >>converting<< between different database systems and it does do a superb job of that, but at a price of complexity and speed.

    As for using Access for a Web App, don't make me laugh... nothing screams rank (putrid) amateur more than an app written in Access. As a sysadmin I was constantly having to repair the corrupt tables of a ~wonderful~ multi-user app written in Access... Access can not reliably cope with even 4 users without corrupting its tables, at least that was my experience; to even think that you might use it for a web scale app is insane.

    Using phpMyAdmin as an example of why this WTF is >>good code<< is just plain Ignorant er uh Stupid. Have you never paid any attention to the number of security flaws/fixes that phpMyAdmin has undergone??? The only reason it exists at all is so that shared webhosts can give you some level of access to your database without allowing direct access. But even with the zillions of security fixes, that program is inherently dangerous. Never leave it exposed, web-crack probers are always searching for it.

    The syntax of the WTF code is fine, the people who said otherwise don't understand what they are looking at. I admit that I too did a double take on the syntax. It could/should have been presented a little more clearly. The code you are looking at is a JavaScript snippet and as such plus signs (+) are the correct way to concatenate the strings. If you try to put that snippet into php then yes, you will get errors, it is not a php program, it is a javascript program which creates a php program.

    I love the idea of using php to create the javascript that creates the php... some very nice recursion there. ;-)

    I bet the guy who wrote this WTF works at a Bank... remember the Code Red Worm?? it was able to shut down all the Banks because they had left their mssql servers directly exposed to the internet. Thus proving beyond any doubt the stupidity of the IT departments at Banks, which I suppose also explains their choice of db software.

    So, this WTF code is probably very typical of what is used by Banks and Government Agencies... and eVoting machines. That's why we ~need~ the new department of Cyber Defense Thought Police and Internet Censorship to ~Protect~ us from Idiot... er uh Ignorant programmers like this.

    I'll bet this WTF programmer is JS Certified too. Just because someone has memorized enough syntax to pass a test, does not mean that they know squat about how to write code. In my experience Agencies and Big companies love little pieces of worthless paper that prove that you know how to fk everything up. They use it to cover their a* when things go wrong, they can deflect blame by pointing out that their programmers are certified so it must have been somebody else's fault.

    -- codeslinger compsalot

  • veidelis (unregistered)

    Wow! Really impressive! Best one so far. It also includes SQL injection prevention in client side JavaScript!

Leave a comment on “Client-side PHP”
