Admin
Probably done intentionally to avoid any image/copyright/ownership issues...
Admin
I have no words to describe how this post makes me feel. This will give me nightmares for many months to come.
Admin
See, you don't understand php. In php there are no "true" arrays, they're all hashtables just pretending. So the only thing you could really do is call array_key_exists(), and make sure the key you're looking for is actually in the array. There really is no "out of bounds" since the keys can be 1,2,3,4,bob,bob[], 5,6,7,etc.
Php is useful for many things, but it doesn't really support any datastructure outside of a database.
Admin
Of course, as so often, the real WTF is the number of people on thedailywtf.com defending this...
Admin
Writing porn scripts/apps really makes up for all of the time you spent not getting laid. Here's a tip for you froogle coders: some popular movie formats can be simply cat'ed together. Combine with curl/wget, and a simple pattern on a URL - you're in for a good time.
Admin
Even if they are doing a bad job of it, I'm glad to see php getting attention.
Bad attention is better than no attention, right, ...right?
Admin
It's crap like this which makes me glad that I can program in Python. =P
Admin
What is worse than this and other WTF code are the morons that try to justify them. The IT field is contaminated with incompetent, undisciplined, hacking, self-proclaimed programmers (DBAs, Architects, Engineers, etc included) that are an insult to me and other professionals. Unbelievable!
Admin
I don't think they're so much trying to justify it, as trying to figure out what the person in question must have been thinking. There is more than one way to solve every problem.
Admin
LOL!
Admin
Well.. could be used if you want to make an easy to share little webpage. You can put all the code + images in one file..
then again.. maybe not :P
Admin
That is a joke. It must be a joke. Please tell me it's a joke.
Admin
Why wouldn't you just put the images in a secure directory, then write a script to check permissions, open the appropriate file, set MIME type and stream it to the requestor? This approach seems bizarre, but about what I would expect from some PHP "developers". Cough... InfiSt@r!
Admin
(shiver)
I shudder to think how much memory and runtime that little script uses by loading up and parsing all those constants into memory every time you want to display an image. Remember folks, php is an interpreted language.
Admin
Company I worked for (left a while ago) did something similar, with / without justification... :^)
We had a library (gui.php) and it was used to build common components of sites, a la:
include( 'gui.php' );
$g = new GUI();
echo $g->page_header();
echo $g->block_header( "This is the thingy..." );
echo "
- Hello\n
- World\n
\n";
echo $g->block_footer( $buttons=array('ok', 'cancel') );
echo $g->page_footer();
...or something of the kind. Point was that "block_header" was a lot more complicated than "
" and block footer needed support for graphics, buttons, help-text, tooltips, etc, etc. Each gui.php could be customized per client (ie: ClientFoo used red headers and footers, ClientBar used footer buttons with stretched bars or with extra spacing, without, etc...) This was before CSS was really useful or widespread, so a solution like this was "needed" to preserve visual integrity across NS4.7, IE, Mac, etc.
Deal ended up being that they wanted to make a generic "gui.php" that they could drop-ship into self-contained client installations and not have to worry about it. Having to have a separate gui.php and corner-left|right|bottom|top.gif was a chore, so they ended up including some small (~200 bytes) images that the gui.php could "serve as itself", using a method similar to this WTF describes.
bar.php uses gui.php
[table]
[tr][td][img src=gui.php?img=ul][/td][td] Hello World [/td][td][img src=gui.php?img=ur][/td][/tr]
...etc...
[/table]
That way they could have a quick turnaround time, nice curves in an era of squares, and not have to worry about any external dependencies when delivering stuff to clients.
Anyway, doing it all like that (vs. 200 byte images) definitely qualifies as WTF, but if it's part of how the client wants it to operate you've got to know what the requirements were before you fully pass judgement. :^)
--Robert
Admin
That one sentence is wrong in so many ways! For starters, naming a file as "images" cries out that you're a dimwit! Secondly, storing images in a dynamic document - wtf? Just "put" it in there <by copying and pasting the text>? There's much, much more efficient ways to store files. Lastly, PHP (need I say more)!?
Admin
Gimmie a break. You're quibbling over deck chairs on the Titanic. If Zeev can call it an array then I can call it 'out of bounds' when the key doesn't appear in it.
Depending on the PHP setting for showing notices, using a value <strikeout>out of bounds</strikeout> not in the hash will either spew nothing or a text message, meaning that the result is going to either be the mime type and then a 0-length return or something that will show up at the other end as an invalid GIF since it won't have the obligatory initial header
Admin
Doesn't this bring to mind the latest Windows flaw where virus writers can embed malicious code in image files?! Maybe this dood's company is a front for an evil gang of haxkors.
Admin
[um][um][um][um]
Admin
Isn't this timely... I just noticed that M$ released the patch for this flaw. http://windowsupdate.microsoft.com
It was scheduled to be released on the 10th. http://it.slashdot.org/article.pl?sid=06/01/05/2027259&tid=172&tid=128&tid=201&tid=218
Admin
I don't know about that, I could have this working in 5 minutes in any of about two dozen languages, including python. There's something going for it, it's really a very portable solution! ...just too bad http is even more portable.
Admin
Security? What security? It's an image. If it can be seen in a browser, it can be saved. End of story. At worst, print screen. paste. save. stolen.
This is a WTF any way you look at it.
Admin
Someone please order many of the special goggles so that we will be able to work again.
Admin
I guess you missed the isset()? You do understand that this is one common way of checking for php hash/array in-bounds?
If the key is missing, this script just won't output anything at all. (Except pointless headers.)
Admin
It is really interesting to see the effect competition, from the "unofficial third-party" patch, has had on Microsoft. The three blind mice or even headless chickens come to mind. I'm glad I'm no longer on that bus.
Admin
He's right. Php won't output anything if you access a key that doesn't exist. Doesn't give a damn if you use a variable that hasn't been initialised either. If you have Display_errors set to "On" it'll tell you those things, but it won't stop operation or anything like that. The only really fatal errors are parse errors.
That's one of the things about php that give people the heebie jeebies, when you start talking about security.
Admin
My next project at work is creating a repository for images for artists and writers. One management-type person said they wanted the images stored inside a database, another management-type person thinks file locations should be stored in the database and not the actual image.
I can do it either way, I'm not emotionally attached to either implementation. I can't see any real overriding reasons to prefer one over the other. One supervisor said "but if the application is down you can't get to the images" I don't see this as a problem if the app is in production and used it should be easy enough to maintain (at least to get the images in/out) and seems like a trite excuse. However this seems to highlight an advantage. If the application is supposed to keep information/history of the images, storing the image inside the database would ensure some integrity keeping people from messing with the files outside of the application.
So database the images or keep them in a file system? If it was just a web app and the images were just part of the pages, I think storing them in a DB would be retarded. In this instance though since the images are the data being managed I'm not sure.
Admin
Registered members can give a rating to each article at the top of the post by using the http://thedailywtf.com/Themes/default/images/ratetopic.gif icon.
Admin
Oh, it has a certain "brute force" elegance, I admit. I'd be afraid to use the method though, because of the performance hit on any site with multiple pictures...Well, that and the fact that it sucks. I could make a regular folder of pictures work just as well. It doesn't get much more portable than php; install php, unzip the files, and you're done...Unless you moved between windows and unix without thinking about little things like case sensitivity.
Admin
hang on, doesn't "." in php mean that you are concatenating the string? So for each line, you're spending heaps of ram (not just twice the size either!) just to build the string, and that's even before you've started serving the data? oh dear...
Admin
A very humorous anecdote.
Was your flatmate into MS Access and MS SQL Server also?
Admin
I would hope this would be some variety of "freak the new guy/make him show he has a brain by squawking" initiation, but the introduction suggests this sort of code is typical.
Now, feeding binary from a script is not bad when appropriate. I've built document-download sites where particular documents are restricted to certain users, so I use a script that validates whether someone really is allowed to download a file before spitting it out to them. (It also records that they've downloaded the file so s/he gets an emailed notification if it's updated later - this company is persnickety about updates.) But, as people have suggested, it's one thing to stream some images from a file or even a BLOB in a database and quite another to hard-code the data in a script.
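An added example, not code from this thread or from the script under discussion, of the approach several commenters describe: files kept outside the web root, an allowlist lookup instead of a bare isset() on the request, a permission check, then the MIME type and Content-Length before streaming. IMAGE_DIR, the $images map, resolve_image() and user_may_view() are hypothetical names, and the session check is a placeholder for the application's own policy.

```php
<?php
// Added example; all names below are hypothetical, not from the thread.
declare(strict_types=1);

const IMAGE_DIR = '/var/app/private-images';   // assumed: outside the web root

// Allowlist: request key => [file name, MIME type]. The client never
// supplies a path, only a key that must exist in this map.
$images = [
    'ul' => ['corner-ul.gif', 'image/gif'],
    'ur' => ['corner-ur.gif', 'image/gif'],
];

function user_may_view(string $key): bool
{
    // Placeholder policy: replace with the application's own ACL check.
    return isset($_SESSION['user_id']);
}

function resolve_image(array $images, $key): ?array
{
    // Reject non-string input (?image[]=x arrives as an array) and
    // any key that is not in the allowlist.
    if (!is_string($key) || !array_key_exists($key, $images)) {
        return null;
    }
    [$file, $mime] = $images[$key];
    $path = IMAGE_DIR . '/' . $file;
    return is_file($path) && is_readable($path) ? [$path, $mime] : null;
}

session_start();
$key = $_GET['image'] ?? null;
$hit = resolve_image($images, $key);

// One answer for "unknown" and "not allowed", sent before any image
// header, so a failed lookup never produces a typed but empty response.
if ($hit === null || !user_may_view($key)) {
    http_response_code(404);
    exit;
}

[$path, $mime] = $hit;
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```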
Admin
Question: does anybody know what pattern images follow when turned to text files? I'm sure it differs from file type (like gif, jpg, psd, etc.), but does anybody know if there is some sort of rhyme or reason to the conversion?
Admin
Duh? In this code, the "isset" function checks for the existence of the "image" key into the "$_GET" array (in the retarded PHP meaning of the word), or maybe you're telling us you didn't know that $_GET or $_POST are merely arrays prefilled by the interpreter?
Admin
maybe they want to do something like this:
http://www.asp101.com/articles/lewis/dynamicgif/default.asp
I did something like this once (except the gif was in a BLOB to begin with).
Admin
Duh? Maybe you're telling us that you don't know that images is a hashtable which may or may not contain the key. They should perhaps check if that key exists, don't you think?
Admin
Ah, the power of porn. I've made a similar PHP script that goes sequentially through a set of images. For example, if your images are in the format "http://www.somesite.com/images/imgXXXXb.jpg" you have to manually parse it out to be in three parts: "http://www.somesite.com/images/img", the number of digits in the number (in this case, 4), and "b.jpg". It then outputs all of the images in a range you specify. It's quite clever, runs fast (since it's simple and runs on my local machine), and saves a lot of time since you don't have to change the URL to get to the next image.
Good tip, I didn't know that. May have to look into this more :D
CAPTCHA: DOOM (rather foreboding, isn't it...)
Admin
With foresight i should have written :
Admin
I'm shocked that nobody called you out on this. md5 hashes are not even remotely unique. You could end up with 2 images with the same md5 hash, even if the images are very, very different. Your code may end up on this site some day.
Admin
My previous post was in response to this:
Admin
Oh, I didn't know that. I thought that was kind of the point for MD5. So, a) where's the proof (mathematically), and b) what should I be doing if I want to generate a unique sum of a file?
Admin
Even I didn't think of that. This must be very clever.
Admin
What everyone seems to be forgetting is that PHP is compilable.
So once this sucker's compiled there's not parsing / unbase64encoding to do, just a simple array lookup.
the WTF is he forgot to add the content-length header required by http !!!
omg
Admin
I don't see why you'd need a mathematical proof, collisions are part of the world of hashing period. And even without knowing that, you're mapping an unlimited number of different messages (since you can hash anything) to 128 bits.
I don't know about you, but I find it quite obvious that you're going to get collisions (aka same hash for different hashed data) when you're translating the infinity to 340.282.366.920.938.463.463.374.607.431.768.211.456 possible output messages.
See Wikipedia's articles on Hash Collision and Cryptographic Hash Functions for some more information.
Admin
ok, point taken.
Admin
The proof is trivial. Since all MD5 sums are exactly 128 bits, the number of distinct MD5 sums is very limited compared to the number of possible files, which is large enough to be effectively infinite. Therefore, there must be an essentially infinite number of possible files which hash to any given MD5 sum. This is true of any hash algorithm.
But there's no reason for you to worry, because the chances of any two valid files of a given size having the same MD5 sum is very small. (In fact, it's rather MORE likely if the images are very, very different. The closer they are in size and format, the less likely a collision is, because the whole point of MD5 and similar algorithms is to ensure that minor differences in input translate to major differences in output.)
Admin
Agreed, but, mathematically - chances anyone? Anyone listen in on their probability lectures during high school?
I'm willing to bet that I will never hit a double.
Admin
That actually makes sense and could be a Good Thing, but it must be done correctly using the proper HTTP headers at the right spot so it will cache. It appears you didn't have the expertise to make this work properly, in which case you're right, axing the functionality would be better than un-cached images.
This wtf though, is a shooting offence. It makes a lot more work for the developers, it does not cache, and it provides no benefit.
Admin
There have been relatively few MD5 collisions found. Your chances are essentially nothing.
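An added example, not code from the thread, that puts numbers on the "chances anyone?" question and answers "what should I be doing": the birthday approximation for accidental collisions among unrelated files, and a store that names files by digest but compares bytes when a name is already taken. The function names and store layout are hypothetical; SHA-256 is used instead of MD5 because the birthday figure covers only accidental collisions, while colliding MD5 inputs can be constructed deliberately.

```php
<?php
// Added example, not code from the thread; function names are hypothetical.
declare(strict_types=1);

// Birthday approximation for ACCIDENTAL collisions: the probability that at
// least two of $n unrelated inputs share a $bits-bit digest is about
// 1 - exp(-n(n-1) / 2^(bits+1)). expm1() keeps precision for tiny results.
function accidental_collision_probability(float $n, int $bits): float
{
    return -expm1(-($n * ($n - 1.0)) / (2.0 ** ($bits + 1)));
}

// Store a file under its SHA-256 digest. If that name already exists,
// compare the bytes instead of trusting the digest, so a collision is
// reported rather than silently merging two different images.
function store_by_digest(string $src, string $storeDir): string
{
    $digest = hash_file('sha256', $src);
    if ($digest === false) {
        throw new RuntimeException("cannot read $src");
    }
    $dest = $storeDir . '/' . $digest;
    if (!file_exists($dest)) {
        if (!copy($src, $dest)) {
            throw new RuntimeException("cannot write $dest");
        }
        return $digest;
    }
    if (file_get_contents($src) !== file_get_contents($dest)) {
        throw new RuntimeException("digest collision on $digest");
    }
    return $digest;                       // same bytes: a true duplicate
}

// Demo on constructed data in a temporary directory.
foreach ([1e6, 1e9, 1e12] as $n) {
    printf("%.0e files, 128-bit digest: p = %.3e\n",
        $n, accidental_collision_probability($n, 128));
}
$dir = sys_get_temp_dir() . '/imgstore-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$src = $dir . '/upload.bin';
file_put_contents($src, 'constructed image bytes');
$first  = store_by_digest($src, $dir);
$second = store_by_digest($src, $dir);    // second call takes the compare path
printf("stored as %s (deduplicated: %s)\n",
    $first, $first === $second ? 'yes' : 'no');
```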