Admin
Lol pudding first post
Admin
fist!
The real WTF here is that they use VBScript
The real WTF here is the forum software
This WTF isn't as funny as they used to be
Sincerely, Gene Wirchenko
Admin
my favourite part =)
Admin
Boy, it's almost as if they've never heard of .htaccess files, or the equiv. for IIS (which I believe is point/click "who do I want to see this?")
Admin
at least it wasn't like this
response.redirect("special.asp?grantaccess=sales&showDebug=none")
Admin
Another example of job security through incompetence. If they fire the programmer, they won't be able to hire or fire anybody else. Well, until they hire another programmer.[8-|]
Admin
It's security through obscur-- er, no. It's security through phy-- no, not that either.
It's security through....Well, I dunno, really.
Admin
This WTF reminds me of the hardcoded TI-83 BASIC program shells so prevalent in high school. The ones that could be bypassed by pressing the 'ON' button...
Admin
Now is the HR person responsible for adding new employees to the code as well as setting up direct deposit, the health plan and the 401k?
Admin
they sure are optimistic - they assume these guys will not quit or switch jobs [:D]
Admin
No question. This is a "WTF Award Winner of the Day".
Admin
Heh - perhaps they give so little access to their salespeople that it doesn't matter if they give it out to random people. Or perhaps there were too many users in the sales department, and the author couldn't be bothered adding them all.
Admin
Oh, I'm sure there are many people reading this forum who were once very impressed with themselves after adding a password to an 8-bit BASIC program using plaintext string comparison.
Admin
wow... way too many if...elseif's... the obvious solution is to create a new ASP page for each user and just do the following:
Response.Redirect UCase(usrID) + ".asp"
Admin
I wonder how rsGetUserID() is implemented - another long series of If .. ElseIf ... statements?
On second thoughts, maybe I don't want to know...
Admin
In VBScript, using ADO, that is most likely just a recordset. So rsGetUserID() isn't actually a method call, it's more like retrieving a value from a collection. That's one of the major problems with VB. You can't tell between arrays (or indexers) and functions (or subs, bleh - can't believe they even distinguish between the two). What a crappy language.
Admin
I find myself being very annoyed by the number of calls to UCase(Trim(rsGetUserID(""))). Especially considering that VBScript doesn't use short circuit evaluation, that means that this is being called over and over and over and over - no matter what. If the first item is a match, it still calls it for every single IF evaluation. Now maybe, just maybe, VBScript is doing some optimization in the interpreter, but I doubt it. Why not make one variable, call the methods once, and then use that for the evaluations?
Am I crazy for thinking this?
Admin
I've seen worse, like the Access system that named all of its tables/views/queries after the users that needed them followed by a number.
Admin
Yes... sort of. It's ASP - VBScript-like syntax is all it supported.
Admin
I'm very curious how redirecting to ronaldt.asp will allow Ronald to see KevinS's jobs. Maybe all ronaldt.asp does is display KevinS's jobs. Now that would be a WTF.
Admin
No, no, it's much better! You just require the newbie in the job to change their name to match the id!
Admin
OK... wild stab in the dark... I'm guessing some mate of a mate of the boss was a cheap student coder who naively said 'sure I can do that'.
Bunch of ="JESSIES"
Admin
Yes... yes it does.
Admin
Sorry, not true. ASP is an Active Script Host (see http://msdn.microsoft.com/scripting for more information); by default that means either VBScript or JScript are available to use, but you can easily add support for other languages like, for instance, Perl (see ActivePerl from http://www.activestate.com).
Admin
Am I the only one who feels physical pain when reading about such spectacular stupidity?
Admin
Those of us that were "hardcore" wrote the routine in ASM.
I did once reduce myself to writing a TI-83 menu emulator to fool the teachers into thinking they were really clearing my RAM. My first ASM app. Boy could I pull some WTFs out of that code... What is this "stack" you speak of?
Admin
I developed this system. It's pretty damn good in my opinion.
Paul Bean
(formerly Paula Bean, I had a sex change operation)
Admin
I don't believe that you could have done that. I've seen some of your code, Paul(a), and this goes way beyond your ability.
Admin
The right thing to do would be to wrap it up in a proper database. Probably rewriting this function in PL/SQL.
Admin
What and then use ODBC through ASP to call it? yeah, that sounds awesome. Or you could stick it in a COM dll and really cause yourself some pain... ;)
lol the CAPTCHA word is "enterprise"
Admin
Looks pretty typical for a small company with no money. It probably also did exactly what they wanted it to do.
Admin
Am I the only one here who thinks this is not that bad? What is really the big difference between hardcoded usernames and a configuration file, especially for some internal application? Of course it could be done better, a lot better, but it could also be far worse.
Admin
I don't even want to imagine your "far worse" options ... *shudder* ...
l.
Admin
Far worse is easy; Remember those ?admin=true WTFers? :)
Admin
Not at all merreborn......not at all.....
Admin
ssshhhhh! the forum bots will hear!
Admin
I realise it's not the point here, but what sets my teeth on edge is all this unnecessarily repeated UCase, UCase, UCase rather than upper-casing the appropriate strings once and comparing against those versions throughout the method.
Admin
You are almost right - they can fire the programmer, but they cannot stop his paychecks from arriving until they hire another programmer.
Admin
This is actually concise code that clearly achieves its intent. I suspect any alternative solution would introduce new costs, and I'm not sure what the benefits would be. The WTF in the system is probably that ronaldt.asp and special.asp are needless reimplementations of the default ASP, but since that's not what is actually posted, it's hard to tell.
I'd like to see an alternative solution to this.
Admin
Yes you are the only one.
It seems that a lot of people think "It's only an HTML file. You have to store the information someplace, one file is as good as another. Why not store it in the HTML file, instead of a config file."
Let's suppose it is an internal app for a small business. And let's suppose for the sake of argument security is pointless, this thing is only implemented for convenience... So what happens when someone quits or is fired. Who gets to change it?
Do you as the dev want to be bothered with the detail of updating the code in the HTML every time a person quits or is hired? Do you want some random secretary to be mucking around in your code? Is it going to really kill you to stick this into some sort of database (whether it is a real database or just a simple config file doesn't really matter)
Admin
Concise? Hardly.
Look, the optimist in me hopes you're joking, but my inner pessimist insists on responding anyway. If you don't see what's wrong with this, get as far from the software business as you possibly can. You are a danger to yourself and others.
I am beyond tired of working with folks who "can't see the benefit" of good design and maintainable code. When it's time to do the Hard Work of making code maintainable, they just can't see how the easy way would ever be a problem; yet then when it's time to maintain the code, they're the first ones moaning about how hard it would be to change this or fix that; but of course, the problem isn't the code, so it must be these unreasonable new requirements!
WTF!
Admin
I want to know why they are sometimes checking usrId and other times checking session("UID").
And what's JEREMYP done to get his access removed?
In any case the UCase(Trim(rsGetUserID("JOB_TITLE"))) and UCase(usrId) called a gazillion times each are a WTF even if nothing else is.
In my experience these types of WTFs are usually caused by managers who would rather do 37 "quick" fixes than commit to doing a bit more work upfront and fixing it once and for all.
Admin
That's the guy that submitted the code here. They found out.
Admin
I think you're missing his point. There are some things that are just small enough, and one-offs and such, where all the ideas about maintainability and extensibility are really inappropriate. Now, before this ridiculous statement sets your teeth on edge, let me offer some support:
I've been coding for about 10 yrs professionally, I'm at least good enough to appreciate elegant code and good architecture, patterns, agile methods, etc.etc, and I still think that sometimes we all swallow the "extensible framework" kool-aid a bit too much. I've been on lots of large projects that are orders of magnitude more complicated than they need to be (not bad, mind you, well written, but following all the latest rules about how to make your apps extensible), mostly because they were designed the way they were "supposed to be". Some things really are a one-off, and building an n-tier system for something that 2 people are going to use internally is probably not a good idea most of the time.
Now, the thing about this WTF is that it reminds me of a job I had a long, long, long time ago. I wasn't really coding back then, but I worked in tech support for a small (about 100 people) firm that had lots of small databases that had been thrown together for people in Filemaker 3, whose (incredibly minimal) maintenance and extension I inherited. Anyway, there were lots of things thrown up for the use of 2 or 3 people, and they served the business needs. Passwords were (if I remember correctly) encoded directly into the db, which also worked fine at the time, although obviously not terribly scalable. Something like the WTF actually has a few benefits in this environment:
-all the passwords are in one place.
-yes, you have to "recode" if someone leaves, but it's really not much more work than changing their password, which you have to do anyway.
-it works
In other words, it's fine as a one-off hack. Obviously this equation changes if it actually needs to be really secure, or if it has to exist on a bigger scale. But there's a place for this sort of thing.
Of course, it's also atrociously written, but definitely not as WTF as some of the giants of the past.
Admin
Wouldn't something like this be easier? (yes, still on the quick-n-dirty approach)
//pseudo code
managers = Array("user1", "user2", "user?");
users = Array("user5", "user6", "user?");
if(member(managers)){
//give cool security access
} else if(member(users)){
//give minimal access
} else {
//denied...
}
It is far from perfect... but surely significantly cleaner without building the taj mahal.
Admin
OK.... hard coding plain text passwords into anything is like keeping a spare key to your house in one of those little fake rocks 2 metres from the front door. If somebody wants in enough - they have instant access. Now, I understand that not everything is worth the effort of hashing passwords (ie the odd pdf), HOWEVER........surely a 'quick and dirty' authentication system is something most coders should have lying about in a code lib somewhere, ready for when somebody says "Hey! Let's do some sorta q&d auth'ing." A simple (working) auth UI/backend isn't something I would consider a 'one-off'.
So therefore, wouldn't it be worth the effort of dreaming up something a little bit more inventive than hard coded plain text passes ready for those rainy days? Surely this guy's time would have been better spent learning some simple sec tech before embarking on a hack and potentially would have spent a similar amount of time creating something that actually worked for the most part, instead of coming up with utter rubbish.
A stitch in time saves nine hundred lines
Admin
Steve, first you say it's "concise" and "clearly achieves its intent", then you say it's atrocious.
I'm guessing you are a self-taught coder who learned the skills after many years in the IT industry. I'm also guessing you're surrounded by a bunch of bad-to-mediocre programmers who toss the buzzwords around but are unable to accomplish anything.
We are not talking about extensible frameworks or n-tier architectures here. It's a matter of fundamental programming principles.
Firstly, the code exhibits all signs of being tossed together as the need arises rather than showing any thought whatsoever. It is not a one-off, since the commented-out code shows that it has been modified at least once, so maintainability is definitely an issue. Furthermore, it's not just unoptimized, it's practically anti-optimized. Some have already pointed out the UCase() optimization. Others have also shown how you can do away with multiple if statements by using a simple lookup.
Secondly is the abstraction of data and function. You seem to be saying that a database is too heavyweight for this, and I do agree with you on that. I'm also against reinventing the wheel. But having a separate entity isn't the only way to abstract parts of a system. A simple array to provide a lookup table isn't too heavyweight. It's also easier to maintain (even the secretary can do it) and far less error prone.
This site is littered with examples which "just work" but that's not the point. Software engineering is about obtaining a high quality product that can last. Just because some kludge works now doesn't mean it can work in the future.
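The lookup-table approach sketched in the pseudocode a few posts up, combined with the "normalise the user id once" point raised earlier in the thread, as an added example that is not code from the original post or from the system being mocked. It is written in modern JavaScript rather than VBScript; the user ids, roles and page names (special.asp, sales.asp, denied.asp) are constructed for illustration. It also adds the check the last post in the thread is getting at: a redirect only decides where the browser goes next, so each protected page has to verify the caller itself.

```javascript
// Added example: replaces a chain of
//   If UCase(Trim(rsGetUserID("..."))) = "RONALDT" Then Response.Redirect "ronaldt.asp"
//   ElseIf ...
// with one normalisation step and a data table. The table contents are
// constructed for this example.

// Role table: normalised user id -> role. Adding or removing a user is a
// data change, not a code change. JEREMYP is deliberately absent: a removed
// user must fall through to "denied", not linger as a commented-out branch.
const ROLES = new Map([
  ["RONALDT", "manager"],
  ["KEVINS", "sales"],
]);

// Each role maps to its landing page and the set of pages it may open.
const ROLE_PAGES = {
  manager: { landing: "special.asp", allowed: ["special.asp", "sales.asp"] },
  sales:   { landing: "sales.asp",   allowed: ["sales.asp"] },
};

// Normalise exactly once. The original re-evaluated UCase(Trim(...)) in
// every ElseIf branch; VBScript does not short-circuit, and the value is
// identical each time anyway. Non-string input (missing session value)
// becomes the empty string, which matches nothing.
function normalizeUserId(raw) {
  if (typeof raw !== "string") return "";
  return raw.trim().toUpperCase();
}

// Role for a raw user id, or null for anyone not in the table.
function roleFor(rawUserId) {
  return ROLES.get(normalizeUserId(rawUserId)) || null;
}

// Where to send the user after login; unknown users go to denied.asp.
function landingPage(rawUserId) {
  const role = roleFor(rawUserId);
  return role ? ROLE_PAGES[role].landing : "denied.asp";
}

// The check each protected page must run on its own request. Without it a
// user can ignore the redirect and type any .asp name into the address bar.
function isAuthorized(rawUserId, page) {
  const role = roleFor(rawUserId);
  return role !== null && ROLE_PAGES[role].allowed.includes(page);
}

// Stand-alone demonstration with constructed ids, including the whitespace
// and case variations the original Trim/UCase calls were there to absorb.
for (const id of ["  ronaldt ", "KevinS", "jeremyp"]) {
  console.log(
    `${id.trim()} -> ${landingPage(id)}; may open special.asp? ${isAuthorized(id, "special.asp")}`
  );
}
```

Note that roleFor is the only place that touches the raw id, so the "sometimes usrId, sometimes session("UID")" inconsistency someone spotted above cannot creep back in: whichever value the page has, it passes it in once.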
Admin
our system at school stored the passwords for everything in a text file (called passwords.cfg or something), so all I had to do was fire up the text editing app and open the file, which gave me hours of fun, controlling people's computers etc, until of course I noticed the teacher standing behind me while I was looking at his inbox [:|]
Wonder what system that was, was some DOS-ish sort of system.
Admin
I'm not sure if someone else has already pointed out that you don't know what you're talking about. But just in case they haven't: you don't know what you're talking about.
Classic "ASP" is just a thin framework/library. Its five objects can be implemented in a number of languages, including VBScript--the most common--but also JScript, TCL, etc. You could rewrite that exact code in JScript almost line for line. ASP is not a language. It does not support any syntax.
Admin
The real WTF as far as I can see, is if "ronaldt" sees his personal URL, gets curious, and tries out "jeremyp.asp". Though commented out, I bet you twice the salary-alexp-deserves that jeremyp.asp still resides on the server.