Admin
"thank you"
Admin
attempting the dreaded comment, i got:
Not sure what it was, but it was logged. A human will eventually look at it. If the problem persists, please Contact Us. If the problem is on the contact form, then ... well ... that pretty much sucks. You can email instead: alexp-at-WorseThanFailure.com.
Admin
Maintainability be damned! D:<
Admin
Admin
Thank you for properly supporting me. ಠ_ಠ
Admin
Welcome to TDWTF. It does that. Just keep hitting Back then Submit until it goes through.
My personal best is 4 attempts but I'm sure other users can beat me in that particular pissing contest.
CAPTCHA: erat (Borat's brother?)
Admin
TRWTF is that anybody assumes client-side Javascript to have done any validation for them. No, really. Page one, people, page one.
Admin
Sorry, but this is probably the biggest non-WTF I've ever seen on this site.
I think someone is clearly confusing "Not everyone runs JavaScript" with "No-one runs JavaScript".
Where in this article is there any suggestion that there is not additional validation of data conducted on the server? Clearly the intention of this function (which admittedly has changed since it was named - possibly the only vague WTF in the article) is to tell when a user is attempting to enter an invalid character and provide immediate feedback to the user without requiring a round trip to the server. Last time I checked this is a good thing.
There's plenty of WTFs out there to do with JavaScript, but simply using JS to provide additional functionality to a user is most definitely not one of them.
Admin
This almost beats the Regex pattern (as seen on our intranet website):
Regex reg = new Regex(@"^\K*$"); if(reg.IsMatch(txtPStrField13.Text)) pfuncInformUser(txtPStreField13);
I am not sure what is the most abrasive to my eyes and mind, be it the hilarious regex, or the mindraping abuse of several notations blended into one.
The worst of it is, txtPStrField13 is hidden by hardcode.
CAPTCHA: conventio! Is is at convent or IO or both?
Admin
What did you expect, C#Scrpit? Pah!
Admin
The function is horribly mis-named, but the author doesn't seem to think that's a very big deal. So the WTF is using Javascript to perform input validation? Lame.
Admin
Is the real WTF the fact that this got posted in the first place?
Admin
Repeat: everything you ever thought you knew about progressive enhancement is wrong.
Admin
Maybe I'm a moran, but I don't see the WTF here. Maybe that means I'm TRWTF.
Admin
Dylan Moran? Kevin Moran?
CAPTCHA: damnum (if they can't take a joke)
Admin
This is a WTF if this is THE only user input validation.
This is NOT a WTF if this function is part of enhancing user experience.
Both factors unknown, so useless article.
Admin
I say - this is truly a WTF. Everyone knows that all input-validation should be done serverside, and only serverside. In case a user enters invalid characters in a textfield, the server should simply return a: "error 503 - invalid character(s)" message, and allow the user to guess which character(s) was invalid and why!
Admin
Then make sure they have javascript.
Admin
Hmm... well, what if the round trip is an expensive process that takes some time? You could spare the end user from the wait by using client side validation.
(2nd attempt)
Admin
Admin
This is not a WTF unless you add this sentence to the article: "Oh, and they don't perform validation on the server."
By the way, would that JS stop someone from pasting in invalid text? Or does it only work if the user manually types in invalid text?
Admin
To take that to its logical conclusion, writing software at all is wrong, because someone might not use it.
Admin
That's no "by the way", it's a concrete example of your first point. There's nothing to stop malicious users hand-whittling the HTTP POST, shitty data and all.
Admin
What if I call process.php with my own POST variables? :)
Admin
TWTF is that there is a function named "numbersonly" that takes three parameters: a field, an event, and a number. Why it takes these three parameters is not obvious. It acts like a real-time input handler, which isn't necessary.
It purports to return True or False depending on if the characters (or single input character, in this case) is a number. Instead, it changes the form and input behavior. The function is tied to the form, tied exclusively to that field, and afaik is called infinitely, because of that last 'else true' that lets you have no myfield or event but still return true as if the input is considered a 'number'.
tl;dr It's a boolean utility function that changes the state. Changes the state in ways it never suggests it would. Like allowing alphas and question marks.
Admin
ha! At least this code CAN make sense. i found this script on the wild wild web:
<script> if (typeof(window.parent.refreshSessionNoFlash)=="function") { window.parent.refreshSessionNoFlash(); } <script> </i> </script>
Admin
I:APOSTROPHE:ve had the misfortune to have to fill in a problem:HYPHEN:description form for a :OPENBRACKET:major:CLOSEBRACKET: consumer hardware manufacturer that, while asking for a complete report on why I wanted them to repair my laptop, forbade :OPENBRACKET:server:HYPHEN:side:CLOSEBRACKET: almost all non:HYPHEN:alphanumerics :DASH: the procedure was apparently just to keep removing characters until it stopped giving :QUOTE:Illegal character:QUOTE: errors. Is this typical:QUESTIONMARK:
Admin
Admin
My favourite that I've seen so far is that bit with checking if it's processing decimal and, if so, comparing to see if the key was a period. When that character is a member of set of chars checked for previously. Thankfully, the test wouldn't lead to an observable outcome anyway, since it's just choosing whether to return false, or to instead return false. Vital decision, that…
(Yes, there's a focus change in there. Anyone want to bet which element would be focused on at that point?)
Admin
Am I being stupid, or it will never get to this:
else if (dec && (keychar == ".")) { myfield.form.elements[dec].focus(); return false; }
as the "." char would've been captured by the indexof just above.
And in that case (if it's not one of the "invalid for which it return true" chars), it'd always return false.
Admin
Generally, if I have to go through the code line-by-line looking for unused elseif statements to try and find a WTF then there isn't one there at all.
On the other hand, can anyone tell me what's so bad about allowing ☺?
Admin
You would be fine or you would get a syntax error. If you're fine, my job is done. If you get a syntax error, then you don't know what you're doing.
Admin
I had a similar problem a couple weeks back. They kept giving me an illegal character error. I finally figured out something else was going on when I'd removed everything from my comments except plain letters and spaces and still got the error. After slogging through their massive amount of obscure javascripts I finally found the function causing the problem. It turned out that my comments were longer than their limit. What's worse: enforcing a limit that you don't tell anyone about, doing it in a function that checks for bad characters, or reporting it as an illegal character error?
Admin
Admin
People are defending this as reasonable client-side validation. But as far as I'm concerned, any validation that occurs on every keypress is fundamentally wrong. Why process every single key when you could just process the whole thing on submit? Unless it specifically needs to process every key press I would say that this is definitely a WTF. Not a major one, but a WTF nonetheless.
Admin
This code looks like complete shiite and is trying to do too much in a poorly written method. TRWTF is seeing actual value in deploying it, and that value as being worth more than the headache of maintaining this type of junk.
Admin
As long as the server side does real validation, then using client side code to provide a better user experience (e.g. instant validation of form fields without a round trip to the server) is a great and useful thing that should be encouraged.
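The server-side half of the point above, and of the earlier comment about a length limit being reported as an "illegal character", as an added example (not code from the article or from any commenter): a check that runs on whatever arrives in the POST, whether or not a keypress handler ever saw it, and reports each failure separately. The function name, limit, error codes and character policy are assumptions made for illustration.

```javascript
// Added example: server-side validation of a free-text "thank you note" field.
// MAX_NOTE_LENGTH, the error codes and the character policy are assumed values.
const MAX_NOTE_LENGTH = 500; // counted in code points, not UTF-16 units

// Allowed: letters, combining marks, digits, punctuation, symbols (so a
// smiley passes), spaces, newlines and tabs. Everything else (control and
// format characters, private use, lone surrogates) is rejected. This policy
// also rejects zero-width joiners, which some emoji sequences rely on.
const DISALLOWED = /[^\p{L}\p{M}\p{N}\p{P}\p{S}\p{Zs}\n\r\t]/gu;

function toCodePointLabel(ch) {
  return "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
}

// Returns { ok: true, value } or { ok: false, errors: [...] }.
// Each problem gets its own code so the caller can tell the user what to fix.
function validateNote(raw) {
  if (typeof raw !== "string") {
    // e.g. a hand-built request sent note[]=... and the parser made an array
    return { ok: false, errors: [{ code: "not_a_string" }] };
  }
  const value = raw.normalize("NFC");
  const length = Array.from(value).length;
  const errors = [];

  if (value.trim().length === 0) {
    errors.push({ code: "empty" });
  }
  if (length > MAX_NOTE_LENGTH) {
    errors.push({ code: "too_long", limit: MAX_NOTE_LENGTH, actual: length });
  }
  const bad = [...new Set(value.match(DISALLOWED) || [])];
  if (bad.length > 0) {
    errors.push({ code: "illegal_characters", characters: bad.map(toCodePointLabel) });
  }
  return errors.length === 0 ? { ok: true, value } : { ok: false, errors };
}
```

This only decides whether the text is acceptable; storing it still calls for parameterized queries, and displaying it still calls for output escaping.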
Admin
So yes, the code is ugly, it's obviously mutated from something else and is full of bits that aren't needed. And yes, it won't run at all if you have JavaScript turned off. But I agree with a lot of other posters that, assuming there is some validation done server side, it's not much of a WTF. If there is any WTF, it's why do you need to validate the text in the "thank you note" text area which is presumably only going to be read by a human (other than escaping special characters)? Who cares if somebody wants to put a ☺ in the thank you note?
Admin
I see what you did there. Well played Anonymously Yours.
Admin
On most browsers, pressing Enter on a form that has no explicit submit buttons will submit it either way.
Admin
Admin
Errm. Excuse my ignorance, I do plenty of form validation using javascript/ajax. Specifically ajax, it sends request to the server and validates data. I actually have a "validate" button - to check all data is hunky dory.
Then the whole form gets processed after validation. This enables informative feedback to be given to user (eg:you need to change field 1 before submitting)
Discuss ...
Admin
Ever heard of SQL injection?
Admin
No, it's not, it's an event handler, and as such it returns true or false depending on whether or not the event should be handled further. It has a badly chosen name, sure (both because the name doesn't make clear that it is an event handler, and because it suggests it limits input to numbers, rather than a broader range of characters). But reading the function, its intent is perfectly clear. The fact that it doesn't do what you incorrectly think it should do, is your problem, not a problem in the code.
Admin
Data scrubbing to avoid SQL injection = WTF
Admin
Well... yes, but I doubt this shop is using parameterized queries.
Admin
Is it wrong that the number one thing I got out of this article is that I just felt bad that the little guy didn't have a nose:
ಠೃಠ
Admin
In this fine example of the programmer's art, you can feel the coder's desperate fear of unnecessary curly brackets, while the use of whitespace to separate 'if' from 'elseif' (but not other unrelated lines of code) imparts a whimsical air to the function as a whole, as if the author only used the 'else' blocks as an afterthought.
Admin
ಠ͜ಠ
Admin
Dear me! You forgot the colons!
Of course, I left out marking up the colons that mark up the colons, but I don't have infinity time to make up for your sloppy work.