Admin
How about `*name &= ~32` or something? (haven't tested it)
Admin
I bet he wrote a smart script to create all those files instead of writing 'em all!
Something like:

```perl
# Read the list of lower-case names and emit one PHP case per name.
open(MYFILE, '<', 'c:\myNames.txt') or die "Cannot open names file: $!";
@lines = <MYFILE>;
close(MYFILE);
foreach $line (@lines) {
    chomp $line;
    print "\t case '$line':\n";
    substr($line, 0, 1) =~ tr/a-z/A-Z/;   # upper-case the first letter only
    print "\t\t echo '$line';\n";
    print "\t\t break;\n";                  # Can't forget this!
}
```
Admin
Perhaps it's just a simplified version of what the code actually does.
Admin
"I didn't have time to write a short letter, so I wrote a long one instead."
Admin
I could forgive missing the existence of ucfirst(); it's not like PHP has any kind of identifiable pattern for naming functions. It would be pretty easy for a newbie to miss stuff like that.
Doesn't excuse the ginormous switch statement though, in the worst case there are plenty of other functions with much more standard names that could be used in performing the same job.
But I could certainly see missing ucfirst(). Many times I've been idly perusing their online docs for whatever reason and found some obscure routine that makes me go "darn, I wish I knew about that when I was working on X". Sometimes I'll even go back and rewrite stuff!
Admin
Who said there was one to begin with? Maybe the application does what it should be doing and escapes the data at output?
Admin
A big ugly case statement with 10s or 100s of individual usernames, and nobody had a BiCaps style name?
Admin
TRWTF is the title... Reverse Dictionary Attack seems more suitable... or Dictionary Defense
Admin
The real WTF is that he didn't make it a function.
Addendum (2007-12-19 12:19): EDIT: Also, could you call this a worst-case scenario?
Admin
Maybe that's the problem. Maybe the initial author DID look for example code, and took the first solution he found, which happened to resemble this one.
Admin
I find it easier to remember that you just have to clear the 2^5 bit (off for uppercase, on for lowercase).
Admin
What if they hate those people with known names and try to take revenge by ... upper-casing the first letter :P
Admin
Have they never seen names like DeShawn, KeMika, etc.?
Admin
C'mon people, at least he knows how to use switch-case instead of if-else.
Admin
I realize that "paid by the line of code" is a standard joke, but has anyone REALLY been paid by the line of code?
Admin
Except it was Blaise Pascal, not Mark Twain.
Admin
This isn't good coding? I write all my code this way. :)
Admin
I wonder if this code was produced by a script that took a list of names and output the entire switch statement? That would mean the programmer did know how to uppercase a letter, but seeing this kind of code, I think anything is possible.
Admin
wait'll they find diMarco (that's how it's capitalized). Anyway, it's perfectly reasonable to screw up names with handwritten input data and so forth. Getting more names spelled right does help with things like collections.
Admin
Had this been implemented properly, "special cases" still could have been handled. This code treats every name as a special case, which makes it even harder to find and validate the ones that truly are.
Admin
That's a Mark Twain misquote: "I apologize for the length of this letter. I don't have time to write a short one." - more or less
Admin
What I wonder is why they force names to all lowercase in the database in the first place? My bank does this with vendors I have set up to pay (only to all uppercase instead), and it's really annoying. It makes it much harder to read through the list of them to find the right one. And they have something like a 10 character limit, which is fine if the vendor is "AT&T" but a pain if there are 2 vendors, like "Acme Electrical Contractors," and "Acme Electricity Company." Both show up as "ACME ELECT." Lovely. Why not make the limit reasonable and use the casing the user entered? That way, names like "Mary Ann," which have 2 upper case letters don't become "Mary ann." What is the point of forcing the names to lowercase? It doesn't save you any space in the database. Why would you ever change the data the user entered?
Admin
IMO, writing a routine to "fix" the data in the UI is the real mistake. Why not tell the users to fix the data? If this routine was used on entry, then tell the users to enter the data the way they want it displayed. I.e., the cheapest solution that involves the least amount of code is to make the users accountable.
Admin
Many reasons... Lots of these systems were not re-written, they were ported to newer systems keeping the old flaws intact. Some weren't even ported but are still running in their original state. Old mainframe systems were very limited as to storage space, so having a ten character limit back then seemed appropriate; remember these systems are either still running or simply ported. These same systems sorted by numerical value, not true alphabetic, so you got a-z then A-Z and things would be sorted as such:
apple
cat
Banana
Making sure everything was the same case fixed this problem.
Admin
The XSS was already there and David had to keep the code functionally equivalent ;-)
Admin
I hope they don't have any customers named JoAnn, RoseMarie, or LaWanda...
Admin
Not exactly "paid by the lines" - http://www.folklore.org/StoryView.py?project=Macintosh&story=Negative_2000_Lines_Of_Code.txt - but interesting.
Admin
That's not a vulnerability, it's just some output.
Admin
and sheep were nervous.
Admin
There's also no way to know from the snippet whether any further SQL escaping is done, anyway.
Admin
Addendum (2007-12-19 16:00): Of course, that's not much different than just tricking them into clicking a link to admin.php?etc but if you shove AJAX code in there, you can have it do absolutely anything on the site that the victim could do.
Admin
Slurp it all in, eh? Something more like this might be better on memory usage, plus a few minor syntax error fixes:

```perl
# Stream the file line by line instead of slurping it into an array.
open(MYFILE, '<', 'mynames.txt') or die "Cannot open names file: $!";
while (<MYFILE>) {
    chomp;
    next if (! /^[a-z]+$/);          # skip anything that isn't a plain lower-case name
    print "\tcase '$_':\n\t\techo '";
    print ucfirst;                    # ucfirst defaults to $_
    print "';\n\t\tbreak;\n";         # Can't forget this!
}
close(MYFILE);
```

Perl to generate PHP FTW!
Admin
I know people who have multiple capital letters in their name.
I know other people who have decided that they will eschew all capital letters in their name.
The real WTF is why there's a need to make this change to such a string. Why not believe the user when they provide you with their name?
You'd think people would know how to capitalize, or not, their own name.
Admin
Something I've always known -- if I find myself coding the same thing (or similar things) more than twice, I know that there's probably an easier way to do it.
Admin
Most people spell their name exactly how their mamma told them to spell it :-)
It seems the name is stored in the database in all lowercase and then the first letter is capitalised just before output.
Admin
Your bank probably has software from nearly 50 years ago working with that same database.
There would have been little library support for searching/sorting. Now saving an entire function call on each comparison is fairly significant.
Admin
That approach is a bad one because it relies on a numerical relationship between upper case letters and lowercase letters that is not always true. For example, it will fail if your name begins with Ā (capital a macron) with code 0x0100 since the lowercase version ā is code 0x0101.
Cheers, Craig
Admin
In the old days, when IBM used EBCDIC, this would be wrong! The upper/lower-case functions are character encoding aware, and users should apply them. Not everyone writes in English either.
Admin
It's PHP... what do you people expect?
A horrible language that should never have been able to win the www (and shame on the other languages for not being there to block PHP's rise to fame...)
Admin
But still, if you know about switch, ya gotta know about strtoupper & substr (if you're going through the function index, you'll see both of those before the word 'switch'). At the very least it would give you an awkward, but functional:
(XSS vulnerability acknowledged; wrap the works in htmlentities or htmlspecialchars if you'd like)
Admin
http://xkcd.com/327/
Admin
Well, we found a LOT more bugs, but for some strange reason, the number of bugs in the final version was even higher than usual.
Admin
How is that an XSS Vulnerability?
Admin
Look on the bright side. It could have been a nested if.
Admin
ITYM SQL injection vulnerability.
Admin
Here is another real story: we were working on an Oracle database and we had to create synonyms for about 600-odd tables. The Oracle-certification-earned hire copied the names into an Excel spreadsheet column, added the syntax "create synonym ..." etc. in the surrounding columns, saved it as a text file, and ran it as a script! And she erred, and missed some, which caused me grief, which is how I found that she had missed some.
I was not on the db team, but wrote a simple PL/SQL script that did the whole thing in a few lines, and was error free. And, no, I don't have any Oracle "certificate".
The funny part was, when I showed it to her, hoping that she would learn, or at least take a hint, her response was, "Oh, that is just another way of doing it."
With people like that at the helm, is it any wonder then that systems break like they do?