• Tom Melly (unregistered)

    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

  • feugiat (unregistered)

    Let's just hope he, you know, grepped the code for special cases before deleting it...

  • Jens (unregistered)

    I did a similar thing when i was 13 and wrote my about fifth little program in basic. I taught it to myself using the help file, back then i didn't know yet what loops are.

    So i wrote 1120 lines of code (640+480) to display a moiré pattern on the screen that could have been made with two simple loops.

  • Estigy (unregistered) in reply to Tom Melly

    I'm pretty sure that at some other point of code they do have something like this:

    if (firstCharIsLowerCaseChar($username)) { $Usertype = GUEST; } else { $Usertype = LOGGED_IN_USER; }

  • RazZziel (unregistered)

    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

  • Jens (unregistered) in reply to Jens

    Ah, there it is...last changed on January 2 of 1994, i was 11 back then:

    SCREEN 12 WINDOW (0, 0)-(640, 480) LINE (0, 0)-(640, 480), 1 LINE (1, 0)-(639, 480), 2 LINE (2, 0)-(638, 480), 3 LINE (3, 0)-(637, 480), 4 LINE (4, 0)-(636, 480), 5 LINE (5, 0)-(635, 480), 6 LINE (6, 0)-(634, 480), 7 LINE (7, 0)-(633, 480), 8 LINE (8, 0)-(632, 480), 9 LINE (9, 0)-(631, 480), 10 LINE (10, 0)-(630, 480), 11 LINE (11, 0)-(629, 480), 12 LINE (12, 0)-(628, 480), 13 LINE (13, 0)-(627, 480), 14 LINE (14, 0)-(626, 480), 1 LINE (15, 0)-(625, 480), 2 LINE (16, 0)-(624, 480), 3 LINE (17, 0)-(623, 480), 4 [snip] LINE (640, 466)-(0, 14), 13 LINE (640, 467)-(0, 13), 14 LINE (640, 468)-(0, 12), 1 LINE (640, 469)-(0, 11), 2 LINE (640, 470)-(0, 10), 3 LINE (640, 471)-(0, 9), 4 LINE (640, 472)-(0, 8), 5 LINE (640, 473)-(0, 7), 6 LINE (640, 474)-(0, 6), 7 LINE (640, 475)-(0, 5), 8 LINE (640, 476)-(0, 4), 9 LINE (640, 477)-(0, 3), 10 LINE (640, 478)-(0, 2), 11 LINE (640, 479)-(0, 1), 12

  • Anonymous Howard (unregistered) in reply to RazZziel

    Except of course for not working on names that are already capitalized.

  • Odoboy (unregistered)

    So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time. Good example of achieving bad results after putting in a lot of work, or better said, a lot of typing.

  • (cs) in reply to Odoboy
    Odoboy:
    So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time.

    No, it'll return "Aaron" - the bit about the name not being in the "database" is a comment.

  • J. Walter Weatherman (unregistered)

    What if your name is LaForge?

  • (cs)

    It does only seem to be doing first names. But still, Billy-Jo and Mary-Jane are going to be unhappy.

  • foo (unregistered) in reply to Tom Melly
    Tom Melly:
    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

    Never underestimate the power of stupidity.

  • (cs)

    Can't wait for the next installment, in which we learn the process by which names are added to "the database".

  • The Undroid (unregistered)

    I wonder whether there was someone with a name mid-alphabet, say between Kevin and Peter, who got back an insult. It would be a fine way to cover it up.

  • foo (unregistered)
    Anigel:
    Well thats all the O'Driscolls and McDonalds buggered then aint it.

    Some times saving many lines of code is really not as clever as it sounds.

    The real WTF is trying to fix people's names at all. MaYBe I WaNT to See mY naMe with CaPs tHat WAY?

    The US gubbernmint solves this problem by UP-casing all names... so McDonalds becomes MCDONALDS and so on. Nobody can complain because everyone's name has been equally screwed up.

    As far as your little website goes. If the user types their name as laForge or la Forge or LaForge or FaGeorge you shouldn't care... really... you just shouldn't care.

    If marketing wants to make names "uniform" then you wash the strings how ever the hell they say but do it only on their display/page not in the database... not anywhere else.

    Once they notice Mcdonald they'll have that conversation with you and you can point out that what if the name is La Forge and that's the name not La as the middle name and Forge as the last name but literally La and then Forge... and so on.

    It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

    The real WTF is Who the F do you think you are to "correct" how people spell their own names?

  • CiPHER (unregistered)

    The updated code should have been; echo ucfirst(strtolower($name));

  • disown (unregistered)

    I did this when I was around 8. I was coding a ball-bouncing "demo". Instead of doing

    x += dx if (x < 0 || x > xmax) dx = -dx

    i did something like (dxconst was always > 0):

    if (x < 0) x = x + dxconst, dir = right if (x > xmax) x = x - dxconst, dir = left if (x > 0 && x < xmax) { if (dir=right) x = x + dxconst else if (dir=left) x = x - dxconst }

    , and that's still not even close to this WTF. So the guy who wrote todays WTF is effectively ages behind a eight year old in intelligence. 'Nuff said.

  • crxs (unregistered)

    ...being paid on Lines Of Code, David had to pay $320.50 when he finished the project.

  • Ben (unregistered)
    echo ucfirst($_GET['name']);

    The real WTF is how this guy just added an XSS vulnerability.

  • Mike (unregistered)

    That code made me want to pluck out my own eyeballs and use them as paperweights. I'm not sure why I thought of paperweights, particularly.

  • Migala (unregistered) in reply to Ben
    Ben:
    echo ucfirst($_GET['name']);

    The real WTF is how this guy just added an XSS vulnerability.

    That has always been there:

    default:
    	echo $name; // Name not in the database yet...
    
  • (cs) in reply to Tom Melly
    Tom Melly:
    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

    Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

  • (cs) in reply to Mike

    How did someone actually generate that code? That must've taken a concerted effort to do so.

  • (cs) in reply to foo
    foo:
    It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

    The real WTF is Who the F do you think you are to "correct" how people spell their own names?

    You misspelled Fu.

  • (cs)

    The sad part is how much time and pride went into the original programmer's script to generate the switch statement.

  • Greg (unregistered) in reply to Ben
    Ben:
    echo ucfirst($_GET['name']);

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

  • (cs) in reply to foo
    foo:
    The real WTF is Who the F do you think you are to "correct" how people spell their own names?

    The real WTF is that you're getting this worked up over a WTF post. Relax.

    And nobody's telling people how to spell their own names. They're correcting how their data is stored. We do it here all the time, so that there's consistency.

    Take a chill pill, dude. You're way too stressed.

  • Anonymous Cowherd (unregistered)

    deShawnda was very displeased at the misspelling of her name in company forms from that day forward.

  • Barf 43va (unregistered)

    Wow... One honestly has to wonder how they slip through the cracks.

  • (cs) in reply to GalacticCowboy
    GalacticCowboy:
    Tom Melly:
    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

    Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

    Back in the good old days (circa 1984), when I was writing 6809 assembler for the Tandy Color Computer, I would have ANDed the ASCII value of the first letter with hex DF. Whip out your little scientific calculator and try it.

  • DiRadical (unregistered)

    Looks like a dutch website.

    Must be a 'productive' programmer I would have been to lazy to type all the names and would prefer to look for a different solution. Even if it took me all week.

  • jMo (unregistered) in reply to FredSaw
    FredSaw:
    foo:
    It is utter fallacy to think that you GET to tell people how their names are spelled. NOBODY gets to tell people how to spell their own names. Not your marketing program, not the US government, not your mamma, and sure as hell not your rinky-dink little web page with revenues less than fifty million a year.

    The real WTF is Who the F do you think you are to "correct" how people spell their own names?

    You misspelled Fu.

    LMAO! pwned. though, i also must agree with foo. don't tell me how to spell my own name.

  • Zygo (unregistered)

    What happens to the name of the-artist-no-longer-known-as-Prince?

  • contributor (unregistered)

    lol

    CAPTCHA: ludus

  • German B. (unregistered) in reply to Greg
    Greg:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

    Can you guys please explain this problem you're talking about? Thanks...

  • Jason (unregistered)

    I just threw up in my mouth a little.

  • (cs) in reply to FredSaw
    FredSaw:
    GalacticCowboy:
    Tom Melly:
    This type of error mystifies me - does it never occur to them, when they're coding this stuff, that there might, y'know, be a better way? That maybe, y'know, people have dealt with this kind of issue before?

    I mean, even if they don't know (or don't suspect) that there might be a built in function, don't they even look around for something else? Some example code? Anything?

    Or at the very least, found a way to generalize the approach? Like maybe setting the string to lowercase and then replacing the first character with its uppercase equivalent? Rewriting a framework function because you don't know it's there is forgiveable. Completely ignoring the possibility that there is a "better way" is just stupid.

    Back in the good old days (circa 1984), when I was writing 6809 assembler for the Tandy Color Computer, I would have ANDed the ASCII value of the first letter with hex DF. Whip out your little scientific calculator and try it.
    Wow, interesting...

    <?php
    $name = $_GET['name'];
    echo chr(ord($name{0}) & hexdec('DF')) . strtolower(substr($name, 1));
    ?>
    

    Haha :P

  • knock it off... (unregistered) in reply to Cloaked User
    Cloaked User:
    Odoboy:
    So if the name was "Aaron" then the function will return that it's not in the database. Funny and sad at the same time.

    No, it'll return "Aaron" - the bit about the name not being in the "database" is a comment.

    Wait... maybe that script was the database... in that case David screwed up royally ;o)

  • (cs) in reply to German B.
    German B.:
    Greg:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

    Can you guys please explain this problem you're talking about? Thanks...

    The name could be Daniel<script>alert(document.cookie)</script> for example.

  • Zygo (unregistered) in reply to German B.
    German B.:
    Greg:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

    Can you guys please explain this problem you're talking about? Thanks...

    The text of the name isn't quoted and it is output directly to the browser. This (in the absence of any other code to sanitize the data) allows people to use "names" that include HTML markup and Javascript. Some innocent victim clicks on the "name" and the victim's browser follows a link or executes some Javascript that the victim would not have chosen to follow or execute.

    Or just read http://en.wikipedia.org/wiki/Xss

  • German B. (unregistered)

    Thanks guys.

  • Tj (unregistered) in reply to crxs

    being paid per line thats just scary.

  • (cs) in reply to foo
    foo:
    It is utter fallacy to think that you GET to tell people how their names are spelled.

    Deep breaths....

    Actually, though, I POST when I tell people how to spell their own names.

  • (cs) in reply to Jason
    Jason:
    I just threw up in my mouth a little.

    I bet you read this site just so that happens. You must really like your breakfast to do this so much. So do you hold it there, or just swallow it again?

  • (cs) in reply to Tj
    Tj:
    being paid per line thats just scary.
    It'd certainly put me off programming in Whitespace...
  • (cs) in reply to Daniel15
    Daniel15:
    German B.:
    Greg:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

    Can you guys please explain this problem you're talking about? Thanks...

    The name could be Daniel<script>alert(document.cookie)</script> for example.

    Little Danny Scripts, we call him...

  • knock it off... (unregistered) in reply to WhiskeyJack
    WhiskeyJack:
    Daniel15:
    German B.:
    Greg:
    Ben:

    The real WTF is how this guy just added an XSS vulnerability.

    Nope, the original has the same problem. So no new bugs added.

    Can you guys please explain this problem you're talking about? Thanks...

    The name could be Daniel<script>alert(document.cookie)</script> for example.

    Little Danny Scripts, we call him...

    ah, an xkcd reader, as it appears :o)

  • (cs) in reply to RazZziel
    RazZziel:
    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

    Except that that assumes the first letter is lower-case. If it was already upper-case then it would be unsuitable.

    Also, technically, that wouldn't be guaranteed to be portable. Granted, 99.99% of the time it'll work, but... what if you really, really wanted it to run on an EBCDIC machine? For some odd, obscure reason. (:PP)

  • Dignis (unregistered) in reply to RazZziel
    RazZziel:
    You don't even need a builtin function, just *name -= 'a'-'A';

    Sigh the old times when men were men...

    Yes, the old tiems when men knew that 'a' = 97 and 'A' = 65, which obviously mean that lowercase letters have set bit 6. So you just do if (isalpha(name[0]) name[0] &=~32; (not checking it's a letter, could give funny things)

  • widget (unregistered)

    A co-worker had a quote from the legal profession, but it applies to software as well:

    I could have made it shorter, but I didn't have any more time.

    KISS. Live by it.

Leave a comment on “Reverse Brute Force”

Log In or post as a guest

Replying to comment #:

« Return to Article