• Franky (unregistered)

    So what happens when a user goes to "http://idioticapplication.com/securityhole.php?doaction=system&forclient=rm%20-rf%20/"?

  • (cs)

    A two dimensional $_SESSION array? That's weird as hell right there. I mean, all he really needs is a regular array, or a hash, or a database. Why bother to effectively globalize all your variables? Php is hell with 2d arrays as well; it's not really supported.

    Though I have to admit I once saw a 14 dimensional array in Java...Worked perfectly, but it hurt my mind to look at it.

  • Bozo (unregistered)

    The actual WTF happens rather at the beginning:

     /* ED: Dump the request (form or querystring) hash into the session */
    if ($_POST) { $_SESSION['VAR']=$_POST; } elseif ($_GET) { $_SESSION['VAR']=$_GET; }

    Otherwise _SESSION variables are just persisted variables that are only controlled serverside.

  • (cs) in reply to Franky
    Anonymous:
    So what happens when a user goes to "http://idioticapplication.com/securityhole.php?doaction=system&forclient=rm%20-rf%20/"?


    A security hole gets closed.
  • Steve (unregistered)

    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.

  • (cs) in reply to Steve
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.


    My biggest problem with it, as with Perl, is the tenuous use of the alphabet.
  • cd (unregistered) in reply to Steve
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.


    Absolutely correct.  Yahoo, IBM, Oracle and MySQL (to name a few) are embracing PHP as a serious language.
  • (cs) in reply to Bozo

    I think:

    $_SESSION['VAR']['doaction']($_SESSION['VAR']['forclient']);

    has serious WTF potential. He's calling a function stored in an array on a value in a later part of the same line of the 2 dimensional array. This would be okay, though seriously obfuscated in a normal application with a normal array, but the $_SESSION array is not a normal array, and doesn't always behave like a normal array. You could really shaft yourself with some cryptic, unfindable errors that way.

    It's a terrible way to work with get/post data as well.
  • (cs) in reply to cd

    I write in php as well, and while it does have its good points, it is seriously weak in other areas. If I need something that's purely a web database frontend, I'll use php, but if I need anything more complex, I'll use perl or java.

  • Arachnid (unregistered) in reply to Satanicpuppy
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.


    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.



    Absolutely. Unfortunately, the amount of bad code is proportional to how easy it is to use the language, not to how secure the language can be. Any language that's fairly easy to learn will have many WTFs.

    Satanicpuppy:
    I think:
    $_SESSION['VAR']['doaction']($_SESSION['VAR']['forclient']);

    has serious WTF potential. He's calling a function stored in an array on a value in a later part of the same line of the 2 dimensional array. This would be okay, though seriously obfuscated in a normal application with a normal array, but the $_SESSION array is not a normal array, and doesn't always behave like a normal array. You could really shaft yourself with some cryptic, unfindable errors that way.

    It's a terrible way to work with get/post data as well.


    More importantly, it'll execute any function the user submits, with a parameter specified by them. As someone pointed out, system('rm -rf /') is the obvious one...
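    The point Arachnid and Bozo make above is that the page's dispatcher lets the request name the function that gets called. Below is an added example (not code from the article or from any poster) of the hardened shape: the client may only name a key from an explicit allowlist, each handler validates its own argument, and unknown names are logged and dropped rather than looked up as PHP functions. The action names, handlers and sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: allowlisted dispatch instead of
// $_SESSION['VAR']['doaction']($_SESSION['VAR']['forclient']).
// Action names and handlers below are constructed, not from the original post.
const ACTIONS = [
    'greet'  => 'action_greet',
    'square' => 'action_square',
];

function action_greet(string $name): string
{
    // Constrain the argument to what this handler actually expects.
    if (!preg_match('/^[A-Za-z][A-Za-z \'-]{0,39}$/', $name)) {
        throw new InvalidArgumentException('invalid name');
    }
    return 'Hello, ' . $name;
}

function action_square(string $n): int
{
    // Digits only and bounded length, so the cast cannot overflow or coerce junk.
    if (!ctype_digit($n) || strlen($n) > 6) {
        throw new InvalidArgumentException('invalid number');
    }
    return ((int)$n) ** 2;
}

/**
 * Dispatch a request hash (what $_GET or $_POST would hold). The raw request
 * is never copied into $_SESSION; only the validated handler result is used.
 * Returns the handler's result, or null when the action is not allowlisted.
 */
function dispatch(array $request): mixed
{
    $action = $request['doaction'] ?? '';
    $arg    = $request['forclient'] ?? '';
    // ?doaction[]=x arrives as an array; reject anything that is not a plain string.
    if (!is_string($action) || !is_string($arg)) {
        return null;
    }
    if (!array_key_exists($action, ACTIONS)) {
        // Detection hook: an unknown action name is worth a log line. The name
        // is reduced to [A-Za-z0-9_] and truncated so it cannot inject into the log.
        $safe = substr((string)preg_replace('/[^\w]/', '_', $action), 0, 32);
        error_log('rejected unknown action: ' . $safe);
        return null;   // 'system', 'exec', 'eval' ... never get this far
    }
    return ACTIONS[$action]($arg);
}

// Constructed sample requests; the last one mirrors the URL from the thread.
$samples = [
    ['doaction' => 'greet',  'forclient' => 'Charlie Brown'],
    ['doaction' => 'square', 'forclient' => '12'],
    ['doaction' => 'system', 'forclient' => 'rm -rf /'],
];
foreach ($samples as $req) {
    var_dump(dispatch($req));
}
```

    The `is_string` check matters as much as the allowlist: PHP turns `?doaction[]=system` into an array, and an `array_key_exists` call with an array key raises a TypeError rather than a clean rejection, so the type check comes first.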
  • (cs)

    Someone must have told him once that PHP variables weren't (type) safe. He didn't like the thought of producing un-safe code... so, away with the variables.

  • cmr (unregistered) in reply to Steve
    Anonymous:
    What's up with the PHP bashing?


    just a territorial skirmish:

    http://thedailywtf.com/forums/AddPost.aspx?PostID=43896&Quote=True
  • Richard (unregistered)

    > PHP is used primarily by hobbyists

    Perhaps 5 years ago. Wake up and smell the PHP takeover.

  • (cs) in reply to Richard
    Anonymous:

    > PHP is used primarily by hobbyists

    Perhaps 5 years ago. Wake up and smell the PHP takeover.



    Oh, I smell it alright. 
  • (cs) in reply to Steve
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.


    I agree that good and/or bad code can be written in any language. It's just that PHP as a language and the standard library is rather repulsive. It seems to combine the worst bits of Perl and C.

    But I guess that's just me..


  • Aaron (unregistered) in reply to Franky

    It wouldn't be *too* bad. Basically everything owned by the httpd user would be deleted. That probably wouldn't include the script, system files, or other users' files. A while back php-nuke had a similar problem with include($_GET['file']) and php allowing for http requests in the include function. Basically you got a remote non-interactive user which gets you a step closer to running local exploits.

  • (cs) in reply to Steve
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.


    Learn Python or Ruby and then tell me php is nice. 

    php is good for quick and dirty web applications where you don't need to worry about security, and don't need anything complex.

    As soon as you want something secure, or complex php starts to get in the way.   It may take longer to use Python or Ruby (though I've heard good things about frameworks for those that make it quick and easy), but because they are cleaner languages, in the long run your code will be cleaner and easier to maintain.

    Php puts everything into one namespace, and the internal functions have no consistency.   lsplit is useful, but it should be part of a string namespace (if not the object), not a top level. 

    Sure back in the early 70s you could claim nobody knew better (though I suspect someone who remembers the good languages of the time will disagree), but repeating the sins of C today isn't a good idea.

    Sure you can do anything in php you can in any other web language.   However if you pick a good one you can do it in a much more readable and therefore maintainable fashion.  If what you are doing is complex there is a reasonable chance that the better language can do it in less code as well, meaning less cost.

    Of course there is also a lot of bad PHP libraries out there, but that isn't the fault of php.   Any language can have them.   Python (at least, I don't know ruby well) tries to discourage things from getting as bad as php is, but I suspect if python was as popular as php there would be plenty of bad python libraries to choose from.

    That said, I can do a better job with php, than the programmer of this WTF could do with python, even if he was given twice as long to do it.
  • Anonymous (unregistered)

    Sorry ... I just thought that the statement "gives you just enough rope to shoot yourself with" was a good WTF ... it reminds me of some other good quotes.

    http://www.dilbert.com/comics/dilbert/dnrc/html/newsletter59.html

  • (cs) in reply to Satanicpuppy
    Satanicpuppy:
    Why bother to effectively globalize all your variables?

    Ahem! Superglobalize.

    Satanicpuppy:
    Php is hell with 2d arrays as well; it's not really supported.

    This is not true. PHP supports multi-dimensional arrays just fine.
  • Anonymous coward (unregistered)

    Too obscure to comment about.  No more php/perl!

  • (cs) in reply to Reun
    Reun:
    Satanicpuppy:
    Why bother to effectively globalize all your variables?

    Ahem! Superglobalize.

    Satanicpuppy:
    Php is hell with 2d arrays as well; it's not really supported.

    This is not true. PHP supports multi-dimensional arrays just fine.


    It's Ad Hoc. Work with a language like java, and you can just declare an array with more than one dimension. In php you have to declare a bunch of one dimensional arrays that happen to be inside other one dimensional arrays. So yea, you can do it, but it's awkward, and it can get you in trouble if you don't go through the trouble of writing your own methods to deal with multi-dimensional issues.

    I prefer to just skip the whole mess wherever possible and dump it into a database.
  • LuserAnt (unregistered) in reply to Franky

    So what happens when a user goes to "http://idioticapplication.com/securityhole.php?doaction=system&forclient=rm%20-rf%20/"?
    Nothing on a wind'ohs box.
  • (cs) in reply to liff

    You're definitely right about the standard library. Nothing against function-based interfaces, and after all, the library is simply large - but it's also chaotic. The various search functions for example - you never know whether the needle or the haystack comes first.

  • (cs) in reply to Reun
    Reun:

    This is not true. PHP supports multi-dimensional arrays just fine.

    Arrays of arrays should not be confused with multidimensional arrays.
  • asdf (unregistered) in reply to Satanicpuppy
    Satanicpuppy:
    Php is hell with 2d arrays as well; it's not really supported.

    Could you give us an example?  I use PHP exclusively at work and use 2D arrays constantly, so I would like to know why you think this way.

    I hope the explanation involves a little more than "They don't work like they do in {language}."
  • asdf (unregistered) in reply to John Smallberries
    John Smallberries:
    Reun:

    This is not true. PHP supports multi-dimensional arrays just fine.

    Arrays of arrays should not be confused with multidimensional arrays.


    Oh man, there's a WTF!!! LOL

    I hope you were being facetious.
  • Comedian (unregistered)

    throws a brick into the author
    Ahhh... Feels good :)

  • cw (unregistered) in reply to asdf

    php doesn't have multidimensional arrays, in fact it doesn't even have real arrays.  they are more like hash tables. 

    multidimensional basically implies a grid, you can think of it as rows and columns and you put data in the cells.  With php it isn't this way, you have an array where an element can be a value OR another array.  something like array(0, array(0,1,2), "foo") is not uncommon.  While index 1 there behaves like a multidim array, it's not one, it's an array within an array.  confusing, but very handy.

  • DS (unregistered) in reply to hank miller
    hank miller:
    Anonymous:
    Okay, I feel the need to post for the first time.

    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least.  Sure there's a lot of bad code out there, but it can also run on a lot of platforms, which might account for there being more of it.

    It is possible to write very good, clean and secure code in PHP, just as it's possible in any language.  In most cases, insecure code comes down to someone not understanding the concept of "user input validation," which can shoot you in the foot no matter what you're programming in.


    Learn Python or Ruby and then tell me php is nice.

    php is good for quick and dirty web applications where you don't need to worry about security, and don't need anything complex.

    As soon as you want something secure, or complex php starts to get in the way.   It may take longer to use Python or Ruby (though I've heard good things about frameworks for those that make it quick and easy), but because they are cleaner languages, in the long run your code will be cleaner and easier to maintain.



    I'm sorry but you're wrong.  You're simply stating a preference, and that's fine, but it doesn't make PHP bad or unsafe.  I like Python but I could list several things I hate about it.  I use Perl daily and could go on for an hour about my particular dislikes. 

    One of the greatest advantages of using php for web apps is the ability to embed code into html, even if it's just basic looping or printing variable values (yeah, 3-tier, separation of logic and layout, blah blah).  Trying to do this with Perl, even using one of the template modules, is awkward and clunky and a pain in the ass.  I remember once playing with Embedded Perl but that never really caught on, unfortunately.

    "However if you pick a good one you can do it in a much more readable and therefore maintainable fashion"

    Again, this is an opinion.  I've developed many large-scale, secure web apps that are very easily maintainable.  Experience is more important than the tool.  Also, I know you didn't mention Perl but I'd hardly consider perl code readable.

    Regarding variable variables, if people abuse them then that's their problem, not PHP's.  Perl has variable variables also but I don't hear Perl getting ripped for them.  Sure, they can be effectively turned off with use strict, but someone like the person who wrote this WTF wouldn't use strict anyway.

    Variable vars can be useful, for instance when dealing with extracting and typechecking a large number of form fields:
        foreach(array('int1', 'int2', 'int3', '...') as $f) $$f = (int)$_POST[$f];
        foreach(array('fname', 'lname', 'address', '...') as $f) $$f = trim($_POST[$f]);
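    The two `$$f` loops above do bulk extraction and typechecking of form fields. As an added example (not DS's code), the same job done with a field schema and a plain array: every accepted field is named explicitly, a key the form never declared can't become a variable, and `filter_var` rejects values such as `12abc` that a bare `(int)` cast would silently turn into `12`. The field names, limits and sample input are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: schema-driven form validation in place of variable variables.
// Field names and limits are constructed, not from the original post.
const FORM_SCHEMA = [
    'int1'    => ['type' => 'int'],
    'int2'    => ['type' => 'int'],
    'fname'   => ['type' => 'text', 'max' => 50],
    'lname'   => ['type' => 'text', 'max' => 50],
    'address' => ['type' => 'text', 'max' => 200],
];

/**
 * Validate $input (what $_POST would hold) against FORM_SCHEMA.
 * Returns [values, errors]. Fields absent from the schema are dropped.
 */
function read_form(array $input): array
{
    $values = [];
    $errors = [];
    foreach (FORM_SCHEMA as $field => $rule) {
        $raw = $input[$field] ?? null;
        // Missing fields and ?field[]=x (which arrives as an array) are both rejected.
        if (!is_string($raw)) {
            $errors[$field] = 'missing';
            continue;
        }
        if ($rule['type'] === 'int') {
            // FILTER_VALIDATE_INT returns false for "12abc", "", "1e3" and similar.
            $v = filter_var($raw, FILTER_VALIDATE_INT);
            if ($v === false) {
                $errors[$field] = 'not an integer';
                continue;
            }
            $values[$field] = $v;
        } else {
            $v = trim($raw);
            // strlen counts bytes; the limit is a storage bound, not a character count.
            if ($v === '' || strlen($v) > $rule['max']) {
                $errors[$field] = 'empty or too long';
                continue;
            }
            $values[$field] = $v;
        }
    }
    return [$values, $errors];
}

// Constructed sample input: one malformed integer and one undeclared field.
[$values, $errors] = read_form([
    'int1'       => '42',
    'int2'       => '12abc',
    'fname'      => '  Charlie ',
    'lname'      => 'Brown',
    'address'    => '1 Main St',
    'unexpected' => 'ignored',
]);
print_r($values);
print_r($errors);
```

    Returning an errors map rather than stopping at the first bad field lets the form be re-rendered with all its problems marked at once, which is the "go back to the form" case discussed later in the thread.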


  • (cs) in reply to Steve

    Anonymous:
    What's up with the PHP bashing?  I've been coding in it professionally for years, and I certainly don't see it as a "hobbyist" language in the least. 

    There is a difference between a hobbyist language and a language used primarily by hobbyists. Most things built in PHP are by hobbyists. Hobbyists generally do things much more poorly than professionals. Hence, there is a much higher percentage of bad PHP code than in other languages, like, say, PL/SQL, which I don't think anyone hobbies around in ...

  • (cs)

    Actually, saving $_POST into $_SESSION can be useful sometimes, like when you have to go back to a form and fill it in. But this guy is just a WTF:er...

    For the PHP vs other languages debate:
    When I see .Net code, I just shake my head. The "paths" to the wanted functions are so f~cking long:
    System.Web.HttpContext.Current.Session["admin"].ToString();

    Also, I surely would prefer the well-tested phpBB forum than this crap.

  • (cs) in reply to asdf
    Anonymous:
    John Smallberries:
    Reun:

    This is not true. PHP supports multi-dimensional arrays just fine.

    Arrays of arrays should not be confused with multidimensional arrays.


    Oh man, there's a WTF!!! LOL

    I hope you were being facetious.

    The WTF is that PHP does not have true multidimensional (rectangular) arrays. It implements them as arrays of arrays (otherwise known as jagged arrays). They're not even real arrays, but ordered maps similar to a hashtable.

    In languages that support both multidimensional arrays and jagged arrays (C#), not only is the syntax different, but the functionality differs.
  • (cs) in reply to John Smallberries

    ugh, the link didn't work.
    check out
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/csref/html/vcwlkarraystutorial.asp
    if you're interested.

  • Jonathan (unregistered) in reply to cd

    hear, hear!

    I am also a coder that does PHP on a professional basis.  Yes I used to code in VB with ASP and HATED it.  I never tried ASP.net but I think it's probably garbage as well.  I love PHP running on Apache servers.  I like reading wtf, as a lurker, only because I enjoy learning more coding and things not to um do.....but I find the php bashing a disappointment.  this site is truly a disappointment to me now, I can tolerate the vb code, as I just see it as vb bashing since vb is garbage anyways.  C++ is the only language to develop worthy code for applications.  C# doesn't even come close, sorry.

  • (cs) in reply to John Smallberries

    The arrays in PHP function as arrays, lists and structs at the same time:
    $persons = array (

        array (
           'name' => 'Charlie Brown',
           'age' => 43
        ),

        array (
           'name' => 'John Parker',
           'age' => 72
        )

    );

  • (cs) in reply to md2perpe

    md2perpe:
    Actually, saving $_POST into $_SESSION can be useful sometimes, like when you have to go back to a form and fill it in.

    I wouldn't do that. Imho, if you require an in-between page (like this: form => error message => back to form), to store the input temporarily in a form consisting only of hidden fields.

    Sessions don't scale well: the data for each session is stored on the server's disk, and kept there for a while before it's being deleted, since HTTP applications are essentially connectionless. I believe they're stored for half an hour, or that's the time a session cookie remains valid, at least. Multiply with the number of visitors and you'll see that the data stored in sessions should be kept to a minimum.

  • nasch (unregistered) in reply to Jonathan
    Anonymous:
    hear, hear!

    I am also a coder that does PHP on a professional basis.  Yes I used to code in VB with ASP and HATED it.  I never tried ASP.net but I think it's probably garbage as well.  I love PHP running on Apache servers.  I like reading wtf, as a lurker, only because I enjoy learning more coding and things not to um do.....but I find the php bashing a disappointment.  this site is truly a disappointment to me now, I can tolerate the vb code, as I just see it as vb bashing since vb is garbage anyways.  C++ is the only language to develop worthy code for applications.  C# doesn't even come close, sorry.


    So it's OK to bash languages, as long as they're the ones you think suck.
  • (cs)

    PHPbasher++;

    This language is ugly, very ugly, even compared to C; the fact that it took a decade to develop a built-in database abstraction layer so you can easily switch e.g. from MySQL to PostgreSQL is a WTF for a "language" mainly used for web apps requiring database connectivity.


  • Mike (unregistered)

    Hopefully we can all at least agree that ColdFusion really sucks.

  • Arachnid (unregistered) in reply to ammoQ
    ammoQ:
    PHPbasher++;

    This language is ugly, very ugly, even compared to C; the fact that it took a decade to develop a built-in database abstraction layer so you can easily switch e.g. from MySQL to PostgreSQL is a WTF for a "language" mainly used for web apps requiring database connectivity.




    I don't see what's so ugly about C.
  • AndrewVos (unregistered) in reply to Jonathan

    tool!

  • AndrewVos (unregistered) in reply to AndrewVos

    Argh, wasn't logged in, my quote didn't work, etc etc....

    Jonathan ur a tool

    just shuddup and laff :)

  • (cs) in reply to Jonathan

    Anonymous:
    hear, hear!

    I am also a coder that does PHP on a professional basis.  Yes I used to code in VB with ASP and HATED it.  I never tried ASP.net but I think it's probably garbage as well.  I love PHP running on Apache servers.  I like reading wtf, as a lurker, only because I enjoy learning more coding and things not to um do.....but I find the php bashing a disappointment.  this site is truly a disappointment to me now, I can tolerate the vb code, as I just see it as vb bashing since vb is garbage anyways.  C++ is the only language to develop worthy code for applications.  C# doesn't even come close, sorry.

    Dude, I agree that VB with ASP is horrible, I've used it and don't think much of it. However, ASP.NET is actually very good. You're showing your age/inexperience by saying "i think its probably garbage as well" and "C# doesnt even come close". To everyone who might be about to flame this guy - leave him alone :)

  • (cs) in reply to Alex Papadimoulis
    Alex Papadimoulis:

    There is a difference between a hobbyist language and a language used primarily by hobbyists. Most things built in PHP are by hobbyists. Hobbyists generally do things much more poorly than professionals. Hence, there is a much higher percentage of bad PHP code than in other languages, like, say, PL/SQL, which I don't think anyone hobbies around in ...

    Good to see Alex backing up his words - and I agree that PHP is a bit of a hack language. However it has gained a certain amount of respect over the past few years, hasn't Yahoo ported everything to PHP?

    Having said all of that, I've worked on quite a few different large scale IT projects and none of them have even mentioned PHP. It's been java or .net. And I can't remember the last time a client has asked for PHP.

  • algorythm (unregistered) in reply to Alex Papadimoulis
    Alex Papadimoulis:

    Most things built in PHP are by hobbyists. Hobbyists generally do things much more poorly than professionals. Hence, there is a much higher percentage of bad PHP code than in other languages, like, say, PL/SQL, which I don't think anyone hobbies around in

    I'd argue that a large portion of the 'hobbyists' coding in PHP these days are also professionals, and that when that is the case, the PHP produced as a 'hobby' is just as clean and secure as anything produced in a 'professional' capacity.

    Also, fwiw, according to the Tiobe Programming Community Index PHP is ranked 5th in popularity, beating out both VB and C#.

    PL/SQL is a lowly 12th, so it looks like not many folks "professional" around in it much anymore either =)

  • Chad (unregistered) in reply to DS
    hank miller:
    Experience is more important than the tool.


    Absolutely! Sorry to snip all of your post, but, that sentence in particular is dead on. If you know what you are doing, and the language has the basic tools you need (which PHP most certainly does), you can create a SECURE web application to do whatever you desire.

    I can't stand when people bash a language and ignore the solid fact that experience, intelligence, and to a lesser extent talent can surpass any nit-picky issues. A great coder can solve a problem regardless of the language.

  • (cs) in reply to Arachnid
    Anonymous:

    I don't see what's so ugly about C.


    Quite a lot. It starts with the preprocessor: You can hardly write a useful C program without preprocessor directives, but they break the style of the rest of the C program.
    Some other issues:
    strings: they chose to implement them in the most ineffective way.
    gets() - a WTF by itself.
    if (a=1) ooops
    a=1,2||3; compiles

  • asdf (unregistered) in reply to John Smallberries

    Okay, show me an example in which it fucking matters.  Just because Bill makes "rectangular arrays" an "industry standard" doesn't mean that they are actual programming concepts.  PHP automatically assigns intermediary indices when you access another part of a "jagged" array, so it makes no difference, other than the fact that C# just wastes memory, and maybe gains a little performance.  If someone is that worried about the performance of PHP when it is doing the runtime memory allocation, then perhaps they should move to a compiled language, as that would afford the most performance increase.

  • dan (unregistered) in reply to Arachnid
    Anonymous:


    I don't see what's so ugly about C.

    Two words: buffer overflow. C itself is a security hole.

  • drinkingbird (unregistered) in reply to algorythm
    Anonymous:
    Alex Papadimoulis:

    Most things built in PHP are by hobbyists. Hobbyists generally do things much more poorly than professionals. Hence, there is a much higher percentage of bad PHP code than in other languages, like, say, PL/SQL, which I don't think anyone hobbies around in

    I'd argue that a large portion of the 'hobbyists' coding in PHP these days are also professionals, and that when that is the case, the PHP produced as a 'hobby' is just as clean and secure as anything produced in a 'professional' capacity.

    Also, fwiw, according to the Tiobe Programming Community Index PHP is ranked 5th in popularity, beating out both VB and C#.

    PL/SQL is a lowly 12th, so it looks like not many folks "professional" around in it much anymore either =)


    Yeah, great logic there; "It's popular so it must be good."
    Oh no, I use Ruby, and IT'S NOT EVEN SHOWN THERE.
    Goddamn, PHP is popular because it's TOO easy to start using (i.e. any idiot now has a new tool to fuck things up with), and a lot of free web hosting has support for it, not due to it actually being a well designed language.
    Making something very simple and web-based, ok PHP's fine, anything more complex and I'd rather chew broken glass than build it in PHP.
