Admin
OK, fair enough... it was a cheap shot, but about on par with "Can't believe you haven't heard it before, really. It's quite simple.". While I have of course heard these arguments before, I am all for a good discussion, and that's what I was trying to spark ;).
I'd bet that with an extended discussion, we would probably agree on more things than disagree. But I still think the type/collection question, and how that relates to programming, is not exactly resolved and wrapped up, even among the more theoretically prestigious languages like LISP and Haskell. As to Hofstadter's book, I think it relates very well to (and perhaps explains) the incompleteness and fuzziness of thinking that has led to the piles of boiling crap produced in the IT industry (and now we're starting to sound like Fabian Pascal). But this discussion ranges far from the starting point. I'd gladly carry it on elsewhere if you'd like.
Admin
Calling the submit button "submit" isn't the smartest thing to do, either, since this overwrites the existing "submit" entry in the form's namespace (normally a method which, when invoked, submits the form).
I think I'd check for the presence of a field, or probably -- and this is a bit radical -- just have the form's target page be a different file than the one that contained the form, so the only way you can land there is if you submitted the form in the first place. It could even be the same file, on the far end of a symbolic link* (you can always use $_SERVER["REQUEST_URI"] to check what the user was asking for).
Admin
WTF? Are you saying this is a good feature? I have a suggestion for you: look up "objects". What happens if you have "xres" => "Brillant!"?
Admin
That's what your testers are for ;)
Admin
But then, you really have no knowledge of the application in question, do you, so your "WTF?" is wasted. But to further deflate it, the array was not the final data structure to be used for the logic of this application. It was merely the input to my image-handling class after the intermediate step of parsing command-line output from a C application. The class of course validated each element, and reacted appropriately to errors. Let's not take this merry-go-round any further, shall we?
Admin
$this->flagPath is a variable that would contain the path.
Admin
HEY - I HAVE BEEN USING WINDOWS ME FOR YEARS NOW WITH NO FIREWALL AND NO ANTI-MALWARE SOFTWARE AND NO "ACTIVE" VIRUS SCANNER - AND NO PROBLEMS! (yes, I check it periodically with a virus and malware scanner, NO, it is not infected or pwned, yes, I use Firefox) - can you figure out how?
Admin
That was some craptastic code. I couldn't help but laugh.
Of course, now I am wondering why no one has brought up the topic of hijacked forms (you know, the ones where someone views source, saves as, changes some of the field names and posts to your server)? Checking for a submit button is nonsense. The request method is a better way to check. But that does not protect you from having data passed to your server that shouldn't be. Knowing what is being sent against your known form adds a little more security to the equation. Checking for it and validating it adds a lot more.
Check to see if the request method is POST, then check each field and accept only what you know is supposed to be posted. That isn't that hard.
Oh yeah, PHP rocks. It has its issues, but it keeps pace with any web development language out there, weakly typed or otherwise. The idiots that write code like what was posted are what make seasoned professionals that are not PHP developers wonder WTF PHP is doing as a programming language. Sometimes it makes this professional PHP developer wonder the same thing.
CAPTCHA: bathe - Is someone trying to tell me something? Never mind, I checked. It's right.
Admin
I assume other people already sneered at this so I'm going to have to run through a lot of sneers in a row.
"You said that like it was a good thing."
"I do not think the word 'benefit' means what you think it means."
"The fact that the contents of the collection are not type-safe is NOT ameliorated by the fact that the collection itself is also not type-safe."
"Yes, this is ideal for programs less than 5000 lines long with an expected lifespan of 6 months or under."
"Yes, it's rather as if you were using VB and were only allowed to declare variables as Object and Variant."
...and so on, ad nauseam. Seriously, type systems exist for a reason. Sometimes you need to know what the code is going to do.
Admin
In that case the hacker gets the form rendered back to him and nothing happens to the data. Quite satisfactory outcome if you ask me.
Absolute bollocks. What if the means of entry to the page is a POST request to begin with? The real WTF here is using the same code to render a form and to handle its submission! I'm sure that PHP supports some kind of Model 2 solution that would be much better.
Admin
Errrm... No, nothing in one PHP HTTP interaction affects any other (as far as I know).
Admin
I also leave my house's front door unlocked, and my car keys are stored in their place next to the steering wheel. THIS PREVENTS ME FROM NOT GETTING IN IF I FORGOT THE KEYS. Also, my keys are clearly labelled with my address and my car keys with the licence plate number - so should I lose them, I would have them neatly returned. I can see no issue whatsoever. I think that this locking business is the greatest WTF of all time.
Admin
Can anyone explain to me how else the _POST array could contain the data if not because of submitting the POST? I know that you could fill the array in manually in the code, but then you would already know how the data got there. So I don't see a point in checking the 'submit' key, or even the more sane testing of 'REQUEST_METHOD', if you are still going to use the _POST array. Checking 'REQUEST_METHOD' would make sense if you're going to use the _REQUEST array, or to use _GET or _POST depending on the 'REQUEST_METHOD'. Anyway - using a file is far more stupid.
I must admit that I couldn't find a way to create a mutex in PHP, so I used to lock a specific file for exclusive read on the server a couple of years ago, though...
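The approach described two posts up (check that the request method is POST, then accept only the fields the form is known to contain) and the question just above about what checking 'REQUEST_METHOD' buys you over testing the 'submit' key, as an added example that is not code from the thread. The `acceptFormInput` function, the `$schema` layout and the resize-form field names are assumptions for illustration; it needs PHP 7.4+ for the arrow functions.

```php
<?php
// Added example, not from the original thread. Accept a form submission only
// when the request method is POST, and only the fields the served form had.
// $schema maps each expected field name to a validator; any field not in the
// schema (e.g. one added to a hand-edited, re-posted copy of the form) is an
// error, as is any expected field that is missing or fails validation.
function acceptFormInput(string $method, array $post, array $schema): array
{
    if ($method !== 'POST') {
        return ['ok' => false, 'data' => [], 'errors' => ['request method must be POST']];
    }
    $errors = [];
    $data = [];
    // Keys present in the submission but absent from the schema.
    foreach (array_diff_key($post, $schema) as $name => $_) {
        $errors[] = "unexpected field: $name";
    }
    foreach ($schema as $name => $validate) {
        if (!array_key_exists($name, $post) || !is_string($post[$name])) {
            $errors[] = "missing field: $name";
            continue;
        }
        if (!$validate($post[$name])) {
            $errors[] = "invalid value for: $name";
            continue;
        }
        $data[$name] = $post[$name];
    }
    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

// Hypothetical schema for an image-resize form: both dimensions must be
// plain digit strings in a sane range, so "Brillant!" never reaches the code.
$schema = [
    'xres' => fn(string $v) => ctype_digit($v) && (int)$v >= 1 && (int)$v <= 4096,
    'yres' => fn(string $v) => ctype_digit($v) && (int)$v >= 1 && (int)$v <= 4096,
];

// Constructed inputs standing in for $_POST; a real handler would pass
// $_SERVER['REQUEST_METHOD'] and $_POST instead.
$good     = ['xres' => '800', 'yres' => '600'];
$tampered = ['xres' => 'Brillant!', 'yres' => '600', 'is_admin' => '1'];

var_dump(acceptFormInput('POST', $good, $schema)['ok']);
var_dump(acceptFormInput('GET', $good, $schema)['ok']);
print_r(acceptFormInput('POST', $tampered, $schema)['errors']);
```

Note that the method check alone does not reject the tampered submission; it is the schema comparison that catches the unexpected `is_admin` field and the non-numeric `xres`.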