Admin
Well if he did, then he's even MORE stupid!
Admin
Hey, take a bottle or two of Valium. It's not my code, I'm not telling people how to spell their names, I'm just saying that from the code presented, there is the possibility of many special cases that have now been rolled up and lost.
Yes, in an ideal world there should be no need to muck at all with the user input, just validate it as being reasonable and make sure it's not some XSS and just go with that.
However, it appears from the code that for who knows what reason it has already been played with and lowercased somewhere else.
Admin
Indeed... I mean what happens when it comes to this...?
Admin
Not necessarily, it might make sense to fix that somewhere other than the uppercase function.
Admin
And ASCII was the only encoding table you needed to worry about ...
Admin
A naming convention for functions? No. Good documentation, where most things are relatively easy to find? Yes. Many times I've thought "Oh, I wonder if there's a built-in function that does ...", and a quick look through the string functions, array functions, whatever functions reveals - yes, there is one. No naming convention is not an excuse - failing all else, there's your good friend google (search for "uppercase php", 2nd result is PHP manual entry for ucfirst). Or even - god forbid - asking a real, live, breathing human being...
Missing ucfirst, or any other particular function is not the WTF, the WTF is missing the concept one might exist and actually pulling your head out to look for it...
Admin
Back at IBM, we got some junk mail one time addressed to "Mr. International B. MacHines", because some clever program attempted to abbreviate the middle name and handle the "special cases" (no pun intended) in last names.
Admin
There's also the fact that almost all those cute little functions with unique names take their arguments in different orders and there's absolutely no need for that, either. Or, go the .Net or Java route which makes it something like String.UppercaseFirst, which is even more useful and great if you have Intellisense (which is even faster than Google - smaller dataset to search through and no reams of idiots posting HOW DO I DO THIS PLZ MAIL CODEZ.).
Admin
The person you quoted was referring to the post with the link to an xkcd comic in it, but forgot to quote it. The comic referenced an SQL injection vulnerability, not an XSS vulnerability, betraying the fact that the person who posted it didn't understand either concept.
Admin
I bet he wrote a smart script to create all those files instead of writing 'em all!
Something like:
    use strict;
    use warnings;

    # Emit one PHP "case" per name listed in the file
    open(my $fh, '<', 'c:\myNames.txt') or die "Can't open myNames.txt: $!";
    my @lines = <$fh>;
    close($fh);

    foreach my $line (@lines) {
        chomp $line;
        print "\tcase \"$line\":\n";
        substr($line, 0, 1) =~ tr/a-z/A-Z/;   # uppercase the first letter only
        print "\t\techo \"$line\";\n";
        print "\t\tbreak;\n";                  # Can't forget this!
    }
Admin
Ah, that's not impressive! If he really wanted to be clever, he'd write a Perl program that generates PHP that generates JavaScript, that goes on to generate XML+XSL, which is then transformed into HTML plus more JavaScript.
Yeah, that's what I'm talkin' about!
Admin
It seems there are names from several languages in that list, so perhaps it would capitalize with the correct locale in mind (which it guessed from the name). E.g:
ijsbrant -> IJsbrant (Dutch)
Admin
ucfirst() doesn't make sense for all first names. Ask my nephew D'Quione.
Admin
In my case, the spelling of my name is user- and context-specific. Like so:
Note to self: insert giant frowny face here...
Admin
That's what Goethe wrote in a letter to his sister. As has been pointed out (indirectly), he wasn't the first one to say, or rather write, that, but interestingly, it is said that Goethe had this quip from the works of Cicero. God knows whether Cicero was the first one to ever think of it.
Admin
Wow... The real WTF is the stupid quote mechanism in the board software... The last sentence in the quote block in my post above is SUPPOSED to be outside the quote block, but what I wrote and what got rendered were two different things and of course the edit period expired...
Admin
No, the next installment is where we learn the process by which last names are cleaned up.
Admin
Ironically, refactoring the switch statement to ucfirst may produce incorrect results! Why not assume the user knows how to type their own name? Then allow them to modify or verify it.
Admin
Maybe they prevent the XSS hack because the output is caught and filtered first...
/just upset I didn't catch that first. //other commenter is right though, it's not a "new" bug
Admin
great code. sometimes I think Windows was written this way (if it's too slow add better hardware)
Admin
There is no vulnerability there. You should not escape input, only output.
(because you may have to output in different contexts which require different escaping and/or processing could remove escaping)
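The advice in the comment above (escape at output, not at input, because each output context has its own rules), as an added Python example that is not code from the original post. The hostile name is constructed for illustration; the three encoders are standard-library calls, and the `for_script_json` extra escaping is the one place where plain JSON serialisation is not enough.

```python
# Added example, not code from the original post: store the name raw and
# encode it at each output point, since HTML text, a URL query string and a
# JSON literal inside <script> each need a different encoding. The hostile
# name is constructed for illustration.
import html
import json
from urllib.parse import quote

RAW_NAME = "D'Quione <script>alert(1)</script>"   # constructed, stored as typed


def for_html_text(name: str) -> str:
    """HTML text node or attribute value: & < > " ' become entities."""
    return html.escape(name, quote=True)


def for_url_query(name: str) -> str:
    """Query-string value: percent-encode everything but unreserved characters."""
    return quote(name, safe="")


def for_script_json(name: str) -> str:
    """JSON string literal inside a <script> block.

    json.dumps() alone is not enough here: it leaves "</script>" intact, which
    would end the script element early, so < > & are written as backslash-u
    escapes (still valid JSON, harmless to the HTML parser).
    """
    return (json.dumps(name)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_page(name: str) -> str:
    """The same raw value emitted into three contexts with three encoders."""
    return (
        f"<p>Hello {for_html_text(name)}</p>\n"
        f'<a href="/profile?name={for_url_query(name)}">profile</a>\n'
        f"<script>var user = {for_script_json(name)};</script>"
    )


if __name__ == "__main__":
    print(render_page(RAW_NAME))
```

Note that the stored value still contains the literal `<script>` text; nothing was stripped on input, and the page is still safe because every sink applied its own encoding. Stripping on input would have broken the apostrophe in D'Quione and still left the URL and script contexts unprotected.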
Admin
Yeah, tell me about it. And then š and ž have a difference of 16 between upper and lower case, as does œ.
Of course TRWTF is that Zuzanny is just the plural of Zuzanna. What happened, did two of them turn up at once?
Admin
Hasn't the guy broken the code?
Unknown names previously were left unchanged, but now they'll be capitalised. Who are we to say that this wasn't an important feature!
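The cases raised earlier in the thread (IJsbrant, D'Quione, and the comment just above about unknown names that used to be left alone), as an added Python example that is not code from the original post or the CodeSOD it discusses. The `SPECIAL_CASES` table is an assumed, illustrative list, not a complete rule set for any language.

```python
# Added example, not code from the original post or the CodeSOD it discusses.
# It contrasts a PHP-style ucfirst() with a name normaliser that trusts the
# user's own capitalisation and leaves unknown names unchanged.
# SPECIAL_CASES is an assumed, illustrative table, not a complete rule set.

SPECIAL_CASES = {
    "ijsbrant": "IJsbrant",   # Dutch "ij" digraph is capitalised as a unit
    "d'quione": "D'Quione",   # the letter after the apostrophe is uppercase too
}


def ucfirst(name: str) -> str:
    """Mimic of PHP's ucfirst(): uppercase only the first character."""
    return name[:1].upper() + name[1:]


def capitalize_name(name: str) -> str:
    """Capitalise a first name without throwing away information.

    1. If the user already typed an uppercase letter anywhere, trust them.
    2. If the name is a known special case, use the table.
    3. Otherwise return it unchanged: the original switch also left names it
       did not know alone, so an unknown name is never silently rewritten.
    """
    if any(ch.isupper() for ch in name):
        return name
    return SPECIAL_CASES.get(name, name)


if __name__ == "__main__":
    for typed in ("ijsbrant", "d'quione", "McDonald", "xyzzy"):
        print(f"{typed!r}: ucfirst -> {ucfirst(typed)!r}, "
              f"capitalize_name -> {capitalize_name(typed)!r}")
```

Whatever `capitalize_name` returns is only a suggestion; the value to store is whatever the user confirms, since they are the authority on their own name.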
Admin
Ha, ya right-- a PHP generating Perl script. Ack, I think that my eyes just started to bleed!
Admin
I think it says a lot about the state of PHP and the myriad of functions out there that are a PITA to find and use.
ugh, how I hate PHP
Admin
Dropping the 5th bit would make lower case 61h - 7Ah into upper case 41h - 5Ah but it would make any digits 30h - 39h into unprintable (machine dependent) 10h - 19h codes.
What is sad is that all the hexadecimal codes are from memory and I haven't needed to look up anything :-(
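The bit trick described in the comment above, as an added Python example that is not code from the original post: clearing 0x20 next to a range-checked uppercase, run over a constructed input that mixes letters, a space and digits.

```python
# Added example, not code from the original post. It shows the "clear bit 5"
# (0x20) trick next to a range-checked version, run over a constructed input
# that mixes letters, a space and digits.


def drop_bit5(byte: int) -> int:
    """The classic trick: clear 0x20. Right for a-z, wrong for everything else."""
    return byte & ~0x20


def upper_ascii(byte: int) -> int:
    """Uppercase one byte only if it is an ASCII lowercase letter (61h-7Ah)."""
    if 0x61 <= byte <= 0x7A:
        return byte - 0x20
    return byte  # digits, punctuation, control and non-ASCII bytes untouched


def compare(text: bytes) -> tuple[bytes, bytes]:
    """Apply both transforms byte by byte; returns (naive, checked)."""
    naive = bytes(drop_bit5(b) for b in text)
    checked = bytes(upper_ascii(b) for b in text)
    return naive, checked


if __name__ == "__main__":
    naive, checked = compare(b"zuzanna 2010")   # constructed input
    print(naive)    # the space becomes NUL and 30h-39h collapse into 10h-19h
    print(checked)
```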
Admin
I wonder what user TJ will say.
Admin
You hope. Given the story here it seems rather unlikely ;)
Admin
So THAT is the most STUPID thing that I've EVER seen :D
Admin
Well, it is not the case with PHP. But some crappy "programming languages" don't support strings properly, and you end up doing things like that to implement a printf for non-const strings.
Yes, I'm talking about Texas Instruments GEL, which is incorrectly specified in everything and doesn't allow you to do anything right.
I ended up having to do
    if (data == 0x0041) print ("a") else ...
Because, of course, they never thought making a switch statement was worth it. Lazy language designers...