Admin
What was the site URL again?
Admin
Sweet, now I have Alex's credit card number! Crap, it got rejected...
Admin
Too broken to hack.
Admin
inb4TRWTFisPHP (even though the choice of language has nothing to do with anything)
At first, I assumed that this was happening AFTER the log-in procedure, but I can see now that this is not the case.
Even scarier, if this is actually the case, it would appear that it grants admin access BEFORE validating the credentials... Yeah, what site is this again?
Admin
It's not working right...
Admin
When does the hurting stop?
Admin
In fact, TheDailyWTF runs on similar software. I expect a deposit of $200,000, or the lights go out...
You can find my bank account details under payment/data.php
Admin
I once worked on a contract at a University and found the login page put the username and password into a URL and did a GET to login. Plus for fun, I found one could delete all the records in the database by editing the URL. This database was used to justify all the payments from the state for their entire budget. Oopsy.
Admin
Security through obscurity. Nothing wrong with that, right?
Admin
Buh....
/me eyes KB /me targets KB /me aligns head with KB /me starts to slameknmn234398ym a 4xjkrdfxc ujkigvcf jmkrdfex8ioghv**
Whoa! Admin access! Coo!! Maybe I should have used a simpler method of getting a random username than having to use jmkrdfex8ioghv
Admin
HA HA, now I'm an admin here!
Admin
..like Bobby Tables.. http://bobby-tables.com/ (bobby-tables dot com)
captcha: augue - how they do it in Bruk-lin, New Yawk.
Admin
These two issues can be explained easily when you know the previous admin wanted to make his app as transparent as possible without revealing the source code. The double stars mean that user is double special and can act as an admin. The access to admin payments is another attempt at transparency. You have to learn a little more about his intentions before you call it a WTF.
Admin
Pathetic. Of course, that's what you get for writing an enterprise application in Personal Home Page. What sort of idiot looks at the requirements for an enterprise web-app and thinks to himself "this is perfect for Personal Home Page (it will be just like my Geocities site!)"??
Admin
You do realize PHP hasn't stood for "Personal Home Pages" since 1997, right?
And PHP is plenty fine for large scale applications, just as C is. It just depends on having a coder that isn't completely retarded. But then so does JSP, Java Servlets, or asp.NET.
Admin
Is it any of these?
http://www.google.co.uk/search?hl=en&q=allinurl%3A++%22admin%2Fpayments%22&btnG=Search&meta=&aq=f&oq=
Admin
Nonsense. Choosing a moron to develop this is the issue - it has nothing to do with the platform.
And Alex - this is straight to Classic TDWTF. If this reappears on, say, Wednesday I'll be more than happy.
Admin
I thought PHP stood for programmers hacking porn.
Admin
I believe Facebook is written in PHP.
Though PHP does have a reputation for attracting a lot of hacks and amateurs, it does ultimately come down to the competence of the developer, NOT the technology.
Admin
Sorry but... we are talking about credit card numbers and payments etc... the last thing that this should be is transparent. In my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.
Admin
Don't blame the gun, blame the shooter.
Admin
Wow.
Wow.
My brain has locked up. That was too retarded for 8:30 on a Monday.
Admin
Sorry to be a pedant, but I thought the phrase was...
"The road to hell is paved with good intentions"
Admin
You guys are all wrong. This is totally secure. Now, if it were ONE star, then THAT would be insecure. But TWO stars? Now, who would ever guess that??!!
Admin
OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?
Admin
Good thing then that it's 3:30PM here...
Admin
Yes, writing an application in Personal Home Page is stupid, especially considering it doesn't even support database connectivity. Now, Imma let you finish, but this PHP is Hypertext Pre-Processor, which is the best web language of all time!
(I'm sorry, I couldn't help it...)
Admin
Imagine a single Twinkie represents all the WTFs ever created in LAMP. Active Directory itself would be a Twinkie 35-feet long, weighing approximately 600 pounds.
Admin
That's a big Twinkie!
Admin
Some bloated crap Micro$oft made to give admins job security. Basically, every function of an application is a "task", Users can be assigned multiple "roles" and if that role can perform a specific task, then permission is granted. Some tasks can be performed by more than one role, and if lots of users are given the same roles, the roles can instead be assigned to a "group" that the users then become "members" of. Administrators have access to all roles, so only one administrator account is needed - in case you lose the user with the role of assigning roles.
Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.
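Two things in this thread lend themselves to a worked example: the "two stars in the username makes you an admin" rule and the admin/payments path that is served before any credential check (both as described in the comments above), and the task/role/group model sketched in the comment just above, together with its failure mode of a handler that silently skips the role check. The block below is added example code written for this thread; it is not code from the application in the article, from The Daily WTF, or from Active Directory. The "**" marker and the admin/payments/data.php path come from the comments; every task name, role, group and user below is made up for the demo.

```python
"""Added example: privilege carried in user input vs. an explicit
task/role/group model with default deny. Illustrative code for this thread,
not code from the application the article describes or from Active Directory.
The '**' username marker and the admin/payments/data.php path are taken from
the comments above; tasks, roles, groups and users are invented for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# ---- 1. The scheme the thread describes --------------------------------------

def flawed_is_admin(username: str) -> bool:
    """Privilege is encoded in user-controlled input: a caller becomes admin
    by typing two stars after any name, with no credential check involved."""
    return username.endswith("**")


def flawed_dispatch(path: str, username: str) -> str:
    """The payment export is served before (and regardless of) any check; the
    '**' test only gates the admin landing page."""
    if path == "admin/payments/data.php":
        return "card-data"
    if path == "admin/":
        return "admin-panel" if flawed_is_admin(username) else "denied"
    return "public"


# ---- 2. Explicit task / role / group model with default deny -----------------

PUBLIC = "public"  # sentinel task: route is intentionally unauthenticated


@dataclass
class Directory:
    """Roles grant tasks; groups carry roles; users hold roles directly or via
    group membership. Nothing here is derived from the username string."""
    role_tasks: Dict[str, Set[str]] = field(default_factory=dict)
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)

    def tasks_for(self, user: str) -> Set[str]:
        roles = set(self.user_roles.get(user, set()))
        for group in self.user_groups.get(user, set()):
            roles |= self.group_roles.get(group, set())
        tasks: Set[str] = set()
        for role in roles:
            tasks |= self.role_tasks.get(role, set())
        return tasks


class App:
    def __init__(self, directory: Directory) -> None:
        self.directory = directory
        self.routes: Dict[str, Tuple[str, Callable[[str], str]]] = {}

    def route(self, path: str, task: str) -> Callable:
        """Registration requires a task, so a handler cannot be wired up with
        the check silently skipped (the failure mode the comment above notes)."""
        def register(handler: Callable[[str], str]) -> Callable[[str], str]:
            self.routes[path] = (task, handler)
            return handler
        return register

    def dispatch(self, path: str, user: Optional[str]) -> str:
        entry = self.routes.get(path)
        if entry is None:
            return "404"
        task, handler = entry
        if task != PUBLIC:
            if user is None or task not in self.directory.tasks_for(user):
                return "403"
        return handler(user or "anonymous")


def build_demo() -> App:
    """Constructed directory: 'alice' reaches payments through the Finance
    group; 'bob' and 'mallory**' hold nothing, stars or no stars."""
    d = Directory(
        role_tasks={"payments-admin": {"payments.read", "payments.export"}},
        group_roles={"Finance": {"payments-admin"}},
        user_groups={"alice": {"Finance"}},
    )
    app = App(d)

    @app.route("/", PUBLIC)
    def index(user: str) -> str:
        return "public"

    @app.route("admin/payments/data.php", "payments.export")
    def export_payments(user: str) -> str:
        return "card-data"

    return app


if __name__ == "__main__":
    demo = build_demo()
    for who in ("alice", "bob", "mallory**", None):
        print(who, flawed_dispatch("admin/payments/data.php", who or ""),
              demo.dispatch("admin/payments/data.php", who))
```

The point of the second half is structural rather than clever: because `route()` takes the required task as a mandatory argument, there is no way to register a handler without stating what it needs, and an unknown path or an unauthenticated caller falls through to a denial rather than to the data. Compare `flawed_dispatch`, where the check lives in one branch and the sensitive branch has none.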
Admin
Just because PHP doesn't stand for personal home page doesn't mean it is suitable for anything other than personal home pages, any more than Microsoft "enterprise" software is suitable for enterprises - in fact, PHP's complete unsuitability for personal home pages is testament to that fact. Hint: PHP is not suitable for anything, full stop. And yes, I have built PHP web sites.
Admin
Well, Facebook's one example. They seem to be doing alright.
Admin
A poor craftsman blames his tools.
Admin
You're an idiot. PHP is plenty fine. It comes down to whether you are competent enough to harness the capabilities of the language.
Admin
Hey, it's still better than one student's site, where the admin interface was phpMyAdmin. The user (an old lady in reception) had to edit tables and write HTML code... just brilliant.
Admin
You were doing well there, right up to the platitude. There are things that PHP is good for (not necessarily best for, but good for); the OP is clearly not one of them. Now for the platitude.
When people say "A poor craftsman blames his tools," they are generally ignoring the following:
(1) The original meaning of this phrase is that a good craftsman would have sharpened the tools, greased the wang-nuts, and generally taken more care. It isn't immediately obvious how this applies to the choice of PHP.
(2) Should your choice of tools ("Look! I have a hammer! It must be a nail!") be inappropriate, a good craftsman will upgrade their tool-set.
(3) On the unlikely assumption that the good craftsman was, in this case, forced to use a totally inadequate tool, much against their will, then a good craftsman will do the best f**king job they can -- and then leave, for a job where they can use proper tools.
The guy in the OP is, however, simply a Tool.
Best find a more credible defense for the 99.999% of PHP programmers out there who should be doing something more useful, like crocheting.
Admin
An extremely skilled craftsman can build a house with enough cardboard and duct tape... but should he?
I'm not against PHP as a language for enterprise scale websites, just the argument of 'it takes a competent developer' is weak. Very weak.
Admin
Have a look at http://en.wikipedia.org/wiki/Php under the section "Usage": it lists Facebook, Wikipedia, Yahoo, Digg, Joomla, WordPress, YouTube and Drupal as example web sites built using PHP. Those are pretty big/major web applications built in a technology that you say isn't suitable for large enterprise applications (then what the hell is Yahoo!?).
My original statement still stands that the technology is largely irrelevant (as long as it isn't MUMPS); it's the competency of the developer that counts.
Admin
TRWTF here is that instead of using, oh I don't know, a boolean in the database (see below...) they've decided that it's ok to just drop things in. *cough* Guess it went to the lowest bidder.
My note on databases: I've done database work for authentication. It can be quite useful. However, if you're going to use a database to authenticate your users, make sure it's behind some form of NAT. Beside your webserver, behind a NAT. I saw once a table that almost generally met the requirements for a moderately secure system:
The password was (gasp) plaintext. isAdmin and isSuperAdmin showed if the user had admin privileges and could use sudo (under SSH, which every night a cron job kicked in to update sudoers). However, pass_hash had a particular quirk: it was the SHA-512 of the password, concat'd to the hash of THAT hash. So 512 bytes of SHA1, then 512 bytes of more SHA1.
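The pass_hash layout described in the comment above (a hash of the password followed by a hash of that hash, no salt) is worth seeing next to what it should have been. The block below is added example code written for this thread, not the commenter's schema or code from the application in the article. It uses SHA-512 for both halves as the comment states; the column format, the PBKDF2 parameters and the wordlist are assumptions made for the demo.

```python
"""Added example for the pass_hash scheme described above: H(p) || H(H(p))
with no salt, beside a salted, iterated replacement. Illustrative code for
this thread, not the commenter's schema. SHA-512 is used for both halves as
the comment states; the PBKDF2 parameters and record format are assumptions.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional

HEX_LEN = 128  # hex length of one SHA-512 digest


def unsalted_double_hash(password: str) -> str:
    """H(p) || H(H(p)). Same password, same column value, for every user."""
    first = hashlib.sha512(password.encode("utf-8")).hexdigest()
    second = hashlib.sha512(first.encode("ascii")).hexdigest()
    return first + second


def second_half_is_derivable(stored: str) -> bool:
    """The trailing half adds no secret: it is a pure function of the leading
    half, so an attacker who cracks the first 128 hex chars has everything."""
    first, second = stored[:HEX_LEN], stored[HEX_LEN:]
    return hashlib.sha512(first.encode("ascii")).hexdigest() == second


def crack_unsalted(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one SHA-512 per candidate, and the work is
    reusable across every row because nothing per-user enters the hash."""
    target = stored[:HEX_LEN]
    for candidate in wordlist:
        if hashlib.sha512(candidate.encode("utf-8")).hexdigest() == target:
            return candidate
    return None


# What to store instead: salted, iterated, parameters carried in the record.
ITERATIONS = 600_000  # assumption: tune so one verification costs ~100 ms


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the parameters in the record; constant-time compare.
    Malformed records verify as False rather than raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    row = unsalted_double_hash("hunter2")  # constructed sample row
    print("second half derivable:", second_half_is_derivable(row))
    print("cracked:", crack_unsalted(row, ["password", "letmein", "hunter2"]))
    rec = hash_password("hunter2")
    print("salted record verifies:", verify_password("hunter2", rec))
```

Two properties distinguish the replacement: identical passwords produce different records, so a cracked row tells the attacker nothing about any other row, and the iteration count makes each guess cost roughly a hundred milliseconds instead of a microsecond. Hashing a hash, by contrast, is a single fixed extra step that a dictionary attack simply includes once.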
Admin
Of course, upon reflection, he wouldn't have done that. But it was my initial and charitable view.
Admin
So speaking as a desktop-app programmer who's only just starting to do more web development: if PHP is so evil, all you naysayers, what should I be using? (If anybody comes back with "JSP" I'll laugh them off the site).
Admin
I'd argue that "it takes a competent developer to write non-WTF-worthy code" is a universal truth, rather than a language-specific observation.
I would also argue that there's no such thing as a WTF-proof language.
Sure, some languages make it easy to write WTFy code. Visual Basic is one example. PHP is another. But used properly, both languages can be useful tools.
I'm not saying "everyone should use PHP"; I don't think that's the case. I'm just saying if you want to avoid WTF-worthy code, language choice should be the last thing you're concerned about, not the first.
Admin
I think you mean "firewall", not "NAT". While NAT can often act like a firewall, it isn't a firewall, and is not a replacement for a firewall.
There's no need for NAT if your firewall is set up properly (and NAT is often undesirable). Want to avoid people connecting to your database server? Set your database server's firewall to only accept incoming connections from your webserver's IP address.
Admin
What issues do you have with active directory?
Admin
The choice of "technology" is never irrelevant. (I'm kindly granting you the unexamined assertion that PHP is a "technology" rather than a "lash-up.")
Can we have a detailed argument as to why MUMPS (Oh, Poo!) is somehow inferior to PHP? I wouldn't choose either, myself (and I've worked with both). Intrinsically, either would work. Extrinsically, neither is a good choice.
I notice you didn't choose to defend your dimwit platitude on tools and workmen, btw. I put a bit of effort into explaining why that was a cretinous interpretation. Care to defend your views on that?
Oh yeah, I know. You've got those quotes from Wikipedia. Killer. And you've got attention deficit disorder (blog-related), which means that apparently PHP is "a technology that you say isn't suitable for large enterprise applications."
I said no such thing. People can do what they want. I'm simply maintaining that 99.999% of PHP programmers should concentrate on crochet.
Got that?
Admin
I think it would be easy to argue that for web development PHP is a better choice than MUMPS, given that PHP was (ostensibly) designed for web development, whereas MUMPS was not.
That said, I'd agree that most people who write PHP nowadays should take up some other non-computer-related hobby instead.
Admin
Wow.
Who gives a shit if he misspelled a word? You obviously understood what he meant, which means he communicated with you in an unambiguous manner, and thus the point of language was served. What grammar/spelling Nazis tend not to understand is that there is nothing intrinsically pure about language. As long as it serves its purpose, who cares?
I maintain that 99.999% of ALL programmers should concentrate on crochet. It would drastically raise the number of crochet related deaths, but I'm OK with that.
The choice of technology is almost always less relevant than speed to market. If PHP allows for rapid prototyping then it wins.