Admin
FIRST. wow, im cool
Admin
Well, at least it worked... kind of...
Admin
No, you have too much free time ;)
Admin
4th place! not bad...
Admin
wow.
that's all I'm going to say.
Admin
WTF??!?
This guy is obviously an old-sk00l shell scripter who has just learned python. I've seen stuff like this as a BASH script too many times to count.
Admin
The sad thing is how often this happens. I was hired once to rewrite the back-end of a non-functional adult website (no puns intended). The Perl scripts the last 60-an-hour consultant wrote were littered with backticked calls to MySQL.
Admin
Can someone port this to Windows for me? [:P]
(I see that one way or another, the forum software is going to have to change...[8-)])
Admin
This could be a useful trick if you're using an obscure scripting language that really doesn't have MySQL drivers >:-)
--Daniel T
Admin
So I guess reposting old WTF's is a good way to say he's run out of real coding errors?
Admin
Wow, did the author of one of the WTF's get pissed at Alex or something?
Regrettably, changing the software won't keep this from happening. Even if you are required to sign up first, this guy can sign up, post, get banned and sign up again using yet another msn or hotmail address.
____________
I am that signature virus, propagating in an assisted manner.
Admin
A co-worker pointed out to me... Judging from the setting, it was probably some poor kid fresh out of Programming 101 with no clue about database libraries, getting paid $5/hour to build this script. If it was in a professional/enterprise/production setting, fine, it's a WTF - in this case, it's probably just a clever student.
--Daniel T
Admin
One more comment ;-)
That screenshot is from EditPlus, isn't it? I love it!!!!
--Daniel T
Admin
This guy probably heard that "Python is a scripting language" so he's using it as a replacement for #!/bin/sh instead of the full-featured programming language that it is.
Admin
Slightly more sophisticated software could weed out excessive repetitions, maybe. Also, just a line of code could get rid of those Javascript "injections."
Admin
Yes, but that's Perl - backticked calls to external programs are a long-standing tradition (albeit in this case a WTF-worthy one). Python makes you jump through slightly more hoops to do the same thing (and probably with good reason).
Admin
Slash ( http://en.wikipedia.org/wiki/Slash_%28weblog_system%29 ) does a very good job at filtering out trolls.
Admin
For what it's worth, the MySQL shell tool outputs tab separated values. So the script won't "fail if anything resembling a space is present in the database", just if there's a tab.
Admin
You wish. For example, I took a look at the LiveJournal code, and while the comment-parsing code is fairly secure (due to a paranoid HTML parser and rewriter) it had a number of additional checks required to handle web-browser specific quirks in parsing HTML, which obviously only got added in response to people noticing security holes. Also, anything short of a full parser (ideally whitelisting), preferably rewriting the HTML in an unambiguous fashion, probably won't cut it reliably due to various... interesting tricks involving HTML entities, comments, punctuation and the like.
Admin
... as opposed to a language whose selling point is integration with the database at the web server. Let's not forget that this code isn't running anywhere near a backend. This code runs where UI is rendered. :)
Admin
Haha, my apologies to the Python coders (really!). I don't know why I read this post as PHP. Maybe the syntax coloring <g>.
Admin
Except the script uses .split(), not .split('\t'), so it will split fields on any whitespace, not just tabs.
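The two comments above disagree only about which delimiter the script should have used, so here is the difference made concrete. This is an added example, not the script from the article: the mysql command-line client in batch mode (which it uses whenever stdin is not a terminal, or with -B/--batch) prints one row per line with columns separated by a single tab, and escapes tab, newline, NUL and backslash inside a value as \t, \n, \0 and \\. The sample output is constructed by hand to exercise those cases, and the column names in it are made up.

```python
"""Parsing mysql batch-mode output by tab, not by whitespace.

Added example; not the script from the article.  Batch-mode output is one
row per line, tab-separated, with tab/newline/NUL/backslash inside a
value escaped as \\t, \\n, \\0 and \\\\.  SAMPLE_OUTPUT is constructed.
"""

# Constructed sample: a header row plus three data rows, as the client
# prints them when column names are enabled.
SAMPLE_OUTPUT = (
    "list_name\tdescription\n"
    "announce\tSite announcements\n"      # value containing a space
    "dev\tDeveloper list\\tinternal\n"    # value containing an escaped tab
    "users\t\n"                           # empty second column
)

# Escape sequences the client emits inside a field in batch mode.
_ESCAPES = {"t": "\t", "n": "\n", "0": "\0", "\\": "\\"}


def split_whitespace(output):
    """What str.split() with no argument does: split on any run of
    whitespace, so a space inside a value becomes an extra column and an
    empty trailing column disappears."""
    return [line.split() for line in output.splitlines()]


def unescape(field):
    """Undo the batch-mode escaping of a single field."""
    out = []
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field) and field[i + 1] in _ESCAPES:
            out.append(_ESCAPES[field[i + 1]])
            i += 2
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def split_tab(output):
    """Split each line on the tab delimiter only, then unescape the fields."""
    return [[unescape(f) for f in line.split("\t")]
            for line in output.splitlines()]


def parse_batch_output(output):
    """Turn header + data rows into a list of dicts keyed by column name.

    A row whose column count does not match the header is rejected rather
    than silently misaligned against the wrong names."""
    rows = split_tab(output)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    result = []
    for row in data:
        if len(row) != len(header):
            raise ValueError("column count mismatch in row: %r" % (row,))
        result.append(dict(zip(header, row)))
    return result


if __name__ == "__main__":
    print("str.split():  ", split_whitespace(SAMPLE_OUTPUT))
    print("split('\\t'): ", parse_batch_output(SAMPLE_OUTPUT))
```

Running it shows the whitespace version turning "Site announcements" into two columns and dropping the empty description entirely, while the tab version keeps the column count stable and restores the escaped tab inside the value. The column-count check is the part worth keeping in real code: once rows can be misaligned, whatever is downstream (here, list names handed to a mail system) silently gets the wrong field.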
Admin
Amusingly, as long as you have a cygwin/mingw compile of mailman sitting in c:\usr\local\mailman (or whatever your system drive is), this python script would work just fine, fwiw. :p (Unless they're shell scripts, guess you'd have to replace them with batch files that ran them inside the cygwin environment.)
Thankfully I can't see whatever got posted, and I don't really care anyway as long as it isn't another goatse. But I am a bit worried that next up is IE/ActiveX exploits.
Admin
and r. flowers, I find your avatar a bit umm, disturbing.
Not that that is a bad thing.
I think the only way to be rid of things like this is to deny all javascript and html and just simply block-text all replies. Even then you won't have a decent way around repeated lines in a post, or even around someone copying the entire first chapter of a novel into the post and uploading it; no repetition is necessary. This then leads to the question of how long a post can get before you truncate it. There is no perfect answer.
CAPTCHA = register (is someone trying to tell me something?)
Admin
I think I will change it. He's starting to disturb me, too. I found him by doing a Google image search for "WTF."
Admin
Don't know about that; someone was injecting invisible JavaScript that would quietly post a comment on IE on some of the other forum threads earlier, though. (At least, it would if it actually worked - so many script kiddies just don't test their code properly. I really don't know what the world is coming to...)
Besides, I use Konqueror, so I'm probably safe (you can more-or-less use the forum, as long as you pretend to be an IE user and don't try and use the fancy WYSIWYG HTML editor/toolbar - would it kill them to write portable code for once?).
Admin
Yes. It was part of the deal that Bill signed with the Devil.
Admin
I actually like the general approach for its decoupling qualities:
- No need to link a specific database library into the server
- Easily adaptable to other database CLIs - at least in theory
- Execution time is generally not an issue these days on web servers (unless you run Slashdot or some other popular site)
Admin
Now you're just trolling, aren't you?
BTW, does Python have weak references?
I just read an introductory book and there was no mention of this feature.
Admin
I like its highly modular architecture. It seems that /usr/local/mailman/bin/list_lists, /usr/local/mailman/bin/newlist and /usr/local/mailman/bin/rmlist are all separate scripts, called by os.popen and the like. They might even be some bash for all we know.
And intermediate mysql_cmds.txt is probably being created for efficiency reasons - the coder must have thought it's faster to have one call to os.* than thousands. This is optimization gone the absolutely wrong way. But it's nice he put some effort into it...
Admin
I just read an introductory book and there was no mention of this feature.

    import weakref

    class A(object):
        def method(self):
            return 1337

    a = A()
    a_weak = weakref.ref(a)
    # Calling the weakref returns the object if it still exists
    print(a_weak(), a)
    # <__main__.A object at 0x732d0> <__main__.A object at 0x732d0>
    print(a_weak().method())
    # 1337
    # Rebinding a drops the last strong reference, so the A instance is collected
    a = "Not the A you are looking for"
    print(a_weak())
    # None
Admin
What I like about this code is how they are using "Python" as if it were bash, ignoring every possibility to use a normal database driver or mailman libraries. Of course, using Python instead of, say, bash will make it a bit easier to split those lists by [a for a in existing if not a in db_list_names], but that is about the only Pythonish thing in the code - which of course in newer Pythons is done faster and easier by using sets.
Admin
Full documentation at http://www.python.org/doc/2.4.2/lib/module-weakref.html - as well as Python's standard weak references, there's also weakref proxy objects (which act almost like the actual object referred to - not a good idea to use carelessly, since they might disappear at any moment) and dictionaries with weak keys/values.
Admin
If you're looking for something in Python, first stop is the Global Module Index, always (second one is the standard library reference).
And in the Module Index you can find the Weakref module, introduced in Python 2.1.
(oh, and for the people who don't know python, it has at least 1 or 2 mysql modules, at least one of which is more or less compliant with Python's DB API 2.0)
Admin
Yes, it does. Use the weakref module.
Admin
I don't know - does C or C++?
Admin
Python is my favorite general-purpose scripting language (rather fond of JavaScript, but it has pretty narrow applications), but I didn't know about this syntax which still kind of blows my mind:
This is definitely not typical Bourne-shell style. Seems like the bass-ackwards kind of thing that might be possible in Perl, however.
Admin
That's a list comprehension. It's equivalent to doing:
Admin
They don't need those temporary files
proc_open -- Execute a command and open file pointers for input/output
http://php.net/proc_open
Admin
oops. Didn't really read the code, beyond noticing mysql and the temp files. not php
Admin
http://www.python.org/doc/current/lib/module-popen2.html, the python equivalent of php's proc_open
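Putting the last two suggestions together (the set-based diff of existing versus wanted lists, and the proc_open/popen2-style pipe that makes the intermediate mysql_cmds.txt unnecessary), here is an added example that is not the article's script. It uses the current subprocess module rather than popen2. MYSQL_CLIENT is an assumed invocation of the client; FAKE_CLIENT is a constructed stand-in so the example runs offline; and the newlist/rmlist argument shape is simplified (the real newlist takes further arguments, which are not modelled).

```python
"""Driving a command-line client over a pipe instead of a temp file.

Added example, not the script from the article.  The statements go to the
child on stdin and its rows come back on stdout, so there is no file on
disk to leak or be altered between the write and the read, and the child
is started from an argv list, so nothing passes through /bin/sh.
MYSQL_CLIENT is an assumed invocation; FAKE_CLIENT is a constructed
stand-in so this runs offline.
"""
import subprocess
import sys

# Assumed real invocation: batch mode, no column-name header row.
MYSQL_CLIENT = ["mysql", "--batch", "--skip-column-names", "listdb"]

# Constructed stand-in for the client: echoes each non-blank statement it
# receives on stdin back as a numbered, tab-separated row.
FAKE_CLIENT = [
    sys.executable, "-c",
    "import sys\n"
    "for n, line in enumerate(sys.stdin.read().splitlines()):\n"
    "    if line.strip():\n"
    "        sys.stdout.write('%d\\t%s\\n' % (n, line))\n",
]


def run_batch(statements, client=MYSQL_CLIENT):
    """Write the statements to the client's stdin; return its output lines.

    `client` is an argv list, so the call never goes through a shell and
    the statement text is never subject to shell interpretation.
    """
    script = "\n".join(statements) + "\n"
    proc = subprocess.run(client, input=script, capture_output=True,
                          text=True, check=True)
    return proc.stdout.splitlines()


def plan_sync(existing, wanted):
    """Names to create and names to remove, as sorted lists.

    Set difference replaces the [a for a in existing if not a in
    db_list_names] comprehension from the thread and is O(n) instead of
    O(n*m)."""
    existing, wanted = set(existing), set(wanted)
    return sorted(wanted - existing), sorted(existing - wanted)


def sync_commands(existing, wanted, bindir="/usr/local/mailman/bin"):
    """Build the argv lists for newlist/rmlist, one name per argument.

    Passing the name as its own argv element means a list name taken
    from the database reaches the script verbatim, whatever characters
    it contains; it is never pasted into a shell command string.
    (Simplified: the real newlist takes further arguments.)
    """
    to_create, to_remove = plan_sync(existing, wanted)
    cmds = [[bindir + "/newlist", name] for name in to_create]
    cmds += [[bindir + "/rmlist", name] for name in to_remove]
    return cmds


if __name__ == "__main__":
    print(run_batch(["SELECT name FROM lists;"], client=FAKE_CLIENT))
    for argv in sync_commands(["announce", "old"], ["announce", "dev;id"]):
        print(argv)
```

The "dev;id" list name in the usage is there to make the point visible: as an argv element it is just a string the child receives, whereas interpolated into a shell command line it would be two commands. The same applies to the statements fed over the pipe, which is why the client is an argv list and not a string for os.system.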
Admin
My goggles! The eyes do nothing! O_o
Admin
Interesting, though I find this concept kind of hard to... um... understand.
Admin
C++ - weak_ptr
C - Shouldn't be hard to roll your own, what do you think most of these GC languages are written in?
Admin
Probably the original coder didn't have root to install the "official" MySQLdb package. Rather than annoy the sysadmin (or attempt to install the MySQLdb package in his home directory), he decided to take matters into his own hands.
Admin
Hey [I] , weren't there license restrictions with using MySQL client libraries - they first changed from lgpl -> gpl, then added the 3 licensing models: foss license, gpl license and commercial license?
For the time being, the situation was gpl for client code. Dunno the exact circumstances today. [^o)]^ Also, efficient bulk importing and exporting are normally not exposed via python db api.
Still WTF - for inserts etc this is weird. And the py is quite ugly. And os.system is very expensive on win32. [N]
Admin
Then you'll love generator expressions:
gen_exp = (a for a in something if a == 'foo')
will produce a generator which will yield, one at a time, all values in 'something' that are 'foo'. So like a list comprehension, but it produces its values lazily.
Produce a list from that with list(gen_exp) :)
Admin
List comprehensions are the gift from god. So many stupid for loops can be stuffed into a little list comprehension. If you want to have a crash course in generator expressions and list comprehensions, take a good look at the results of the Python Coding Contest[1] that was held in the last week of last year; nearly all solutions used three nested generator expressions, except the winning one, which managed to use only two.
On second thoughts, maybe it's not so good for beginning Python coders to look at this code. ;-)
[1] http://www.pycontest.net/ranking/
Admin
fuck you guys are nerds go play wow or some shit