• Richard (unregistered)

    theForm.user.value=="frist"

  • Jakob H. Poulsen (unregistered)

    This has the added benefit of telling every potential user who their fellow users would be after registering!

  • (cs)

    Oh holy hell...

    Where is the coder who developed that? I won't even begin to describe the potential for spear-phishing attacks, but to grab every single user out of the database is grossly inefficient.

    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.

  • The developer (unregistered) in reply to Hasteur

    Everyone knows HTTP requests are more expensive than a single database query...

  • Anon (unregistered) in reply to Hasteur
    Hasteur:
    Oh holy hell...

    Where is the coder who developed that? I won't even begin to describe the potential for spear-phishing attacks, but to grab every single user out of the database is grossly inefficient.

    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.

    I'd poke out their eyes too. Only way to be sure.

  • Enrico Miranda (unregistered)

    Not only that - the user will also instantly be given access to the whole user list database...

  • (cs) in reply to The developer
    The developer:
    Everyone knows HTTP requests are more expensive than a single database query...

    By a jury of your peers you have been convicted for crimes against Big-O.

    Your sentence is to serve out the rest of your days with the social stigmata of being featured on The Daily WTF.

  • Mark (unregistered)

    You guys misspelled "thorough".

  • (cs) in reply to Anon
    Anon:
    Hasteur:
    Oh holy hell...

    Where is the coder who developed that? I won't even begin to describe the potential for spear-phishing attacks, but to grab every single user out of the database is grossly inefficient.

    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.

    I'd nuke the site from orbit. Only way to be sure.

    FTFY.

  • (cs) in reply to Mark
    Mark:
    You guys misspelled "thorough".
    Thou art rough.
  • Joshmotron (unregistered) in reply to Mark
    Mark:
    You guys misspelled "thorough".

    It actually stands for the last name of Niles Stanley Thourough, inventor of the algorithm, and lesser known brother of Henry David Thoreau. Since the man was alive in the 1800s, his algorithm is preposterously out of touch with today's high quality standards.

  • Anon (unregistered) in reply to Hasteur
    Hasteur:
    The developer:
    Everyone knows HTTP requests are more expensive than a single database query...

    By a jury of your peers you have been convicted for crimes against Big-O.

    Your sentence is to serve out the rest of your days with the social stigmata of being featured on The Daily WTF.

    You need your sarcasm detector looked at, or maybe your troll-o-meter.

    The trailing ellipsis is a clue...

  • slurm (unregistered)

    omg, a gigantic 2000+ line if-statement, he should have used a switch-statement instead ;)

  • Ben (unregistered) in reply to Anon
    Anon:
    Hasteur:
    Oh holy hell...

    Where is the coder who developed that? I won't even begin to describe the potential for spear-phishing attacks, but to grab every single user out of the database is grossly inefficient.

    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.

    I'd poke out their eyes too. Only way to be sure.

    Pretty sure that whatever created that was already a blind automaton that just pounded a keyboard with its gooey stumps until something compiled.

    Kill it with fire. It's the only way.

  • TGVish (unregistered) in reply to Anon
    The trailing ellipsis is a clue...
    +1: you've anonymously negated your own sarcasm...
  • Me (unregistered) in reply to Anon

    The only way to be sure is to nuke the planet from orbit.

  • (cs)

    Hell low PERIOD I am than programmer who write that soda. Dew too the fact that you friends in the forums decided to cut off my lands and poke out my ice COMMA I am forced to use Microsoft® Talk-To-Text to code. Eye hope ewe R very flabby with yourselves. COPY PASTE

  • (cs) in reply to jonsjava

    Just FYI. I wasn't really the coder.

  • Matt (unregistered) in reply to Ben
    Ben:
    Pretty sure that whatever created that was already a blind automaton that just pounded a keyboard with its gooey stumps until something compiled.

    Kill it with fire. It's the only way.

    So he was a Stalker from the Half-Life series?

  • Anonymous (unregistered)

    This is like a who's-who of common WTFs. If I were a little less experienced I would think this was a fake, somebody's idea of the "perfect storm" of WTFs (SQL injection vulnerabilities - check; SQL in page source - check; unhomogenous mix of technologies - check; PHP - check and f-ing check!). But I see this shit waaay too often so I don't doubt the veracity of the OP for a second.

  • dshpak (unregistered)

    I've seen things...similar to this before. I think it's typically caused by a poor (or absent) understanding of the difference between client-side and server-side code.

    I've definitely seen people writing code like this and questions asked in online forums that make it clear they simply don't understand that PHP and JavaScript are not only different languages, but fundamentally different technologies.

  • Mike (unregistered)

    I think I used to work with this guy.

  • fdafdafs (unregistered)

    var foo = theForm.user.value; if (foo=="admin" ||foo=="sjenkins" ||foo=="mdavis" ||foo=="gbivins" ... MASSIVE SNIP ... )

    That should run faster!

  • Neil (unregistered) in reply to Mark
    Mark:
    You guys misspelled "thorough".
    They were just spelling it thoroughly.
  • (cs)

    You think that was good? Just wait until you see how he made sure that nobody uses a duplicate password.

  • by (unregistered) in reply to dshpak
    dshpak:
    I've seen things...similar to this before. I think it's typically caused by a poor (or absent) understanding of the difference between client-side and server-side code.

    I've definitely seen people writing code like this and questions asked in online forums that make it clear they simply don't understand that PHP and JavaScript are not only different languages, but fundamentally different technologies.

    And of course that is the only thing that is wrong with it...

    Throw in some VB, and the sheer size of this WTF would cause a rift in the space-time continuum, creating a WTF black hole sucking in all PHP and VB developers (and the slop they call "code" too)...

    captcha: abbas => like abba, but many (oh dear god, the humanity!)

  • remi bourgarel (unregistered)

    I simply love it. The awesome part is that this kind of thing still exists; thanks to PHP our job is just a big joke. (I like PHP, but why do so many cowboy-style developers choose this language?)

  • (cs)

    This is, sadly, a lot more common than we would hope. I've seen a LOT of codebases that, while not this bad, exhibited the same "I have no idea WTF I'm doing so I'll do the first thing that pops into my head" type developer mentality. In all cases it was because management was breathing down the developer's neck and they didn't have the time to do things properly, so they HAD to throw together some nonsense and never got around to fixing it.

    That doesn't excuse the WTFs in this particular article because there's NO excuse for this kind of idiocy, but I guarantee it wasn't just a stupid developer; probably a newbie who had to do the first thing that they thought of due to stupid deadlines from their boss.

  • by (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    This is, sadly, a lot more common than we would hope. I've seen a LOT of codebases that, while not this bad, exhibited the same "I have no idea WTF I'm doing so I'll do the first thing that pops into my head" type developer mentality. In all cases it was because management was breathing down the developer's neck and they didn't have the time to do things properly, so they HAD to throw together some nonsense and never got around to fixing it.

    That doesn't excuse the WTFs in this particular article because there's NO excuse for this kind of idiocy, but I guarantee it wasn't just a stupid developer; probably a newbie who had to do the first thing that they thought of due to stupid deadlines from their boss.

    You know what, I'm not a master craftsman, however I tend to get the feeling that "there has GOT to be a better way" when I'm trying to use a piece of jello to hammer in a nail...

    We've all been junior devs at one point or another, however this just reeks of lack of common sense. Somewhere deep down, alarm bells should've gone off when they were writing this. Personally, I think that this guy was/is likely to be a Darwin Award winner...

  • (cs)

    They handled security breaches in the terms and conditions:

    [...] any person accesssing the site, hereinafter known as "sucker" [...]

    [...]Should sucker create any dupulicate user, use any user that does not beling to sucker, or authorizze themselves as "admin" then sucker does hereafter agrea to give all their money to site owner and there first borne child as well. [...]

    Now that keeps the riff-raff out! Who needs carefully designed authentication algorithms?

  • SR (unregistered) in reply to jonsjava
    jonsjava:
    Hell low PERIOD I am than programmer who write that soda. Dew too the fact that you friends in the forums decided to cut off my lands and poke out my ice COMMA I am forced to use Microsoft® Talk-To-Text to code. Eye hope ewe R very flabby with yourselves. COPY PASTE

    Bad programmer. No WTF for you!

  • SR (unregistered) in reply to jonsjava
    jonsjava:
    Just FYI. I wasn't really the coder.

    What? You mean we cut your hands off for nothing? At least we got a laugh out of it.

  • two (unregistered) in reply to by
    by:
    And of course that is the only thing that is wrong with it...

    Throw in some VB, and the sheer size of this WTF would cause a rift in the space-time continuum, creating a WTF black hole sucking in all PHP and VB developers (and the slop they call "code" too)...

    sounds like a good start to me ...

  • MASSIVE SNIP (unregistered)

    So that's why I couldn't register!

  • European (unregistered)

    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny, let me post http://xkcd.com/327/ so that no one else posts http://xkcd.com/327/.

    Can we move on now?

  • Anonymous (unregistered) in reply to European
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny, let me post http://xkcd.com/327/ so that no one else posts http://xkcd.com/327/.

    Can we move on now?

    YOU HAVE BECOME THAT WHICH YOU DESPISE!

  • European (unregistered)

    Can we please stop discussing http://xkcd.com/327/.

  • AJAX via precognition (unregistered)

    I think our hapless/handless programmer got a requirement to check the availability of usernames - like all those fancy sites do, right? - without requiring a submit/reload cycle. XMLHttpRequest was beyond the pale of knowledge, alas.

  • wtf (unregistered) in reply to European
    European:
    Just so that nobody posts http://xkcd.com/327/ and thinks it's still funny, let me post http://xkcd.com/327/ so that no one else posts http://xkcd.com/327/.

    I still think it's funny. Totally irrelevant, but funny as hell. I've used it as a citation in documentation, and my boss thought it was funny, too.

    Can we move on now?

    Sure. You're the one who brought it up.

    captcha: genitus as in 'European' is no genitus, it seems

  • ML (unregistered) in reply to European
    European:
    Can we please stop discussing http://xkcd.com/327/.
    Why did you have to bring up http://xkcd.com/327/?
  • European (unregistered)

    Did you have to start it so much on http://xkcd.com/327/.

    captcha: similis, similar to syphilis

  • qbolec (unregistered)

    Oh, I see, he should just move it to the server side!

    <?php
      // Same idea as the original, just moved server-side: still fetches every
      // row and compares in PHP instead of asking the database for one match.
      $SQL=mysql_query("SELECT * FROM users");
      $total=mysql_num_rows($SQL);
      $used=array();   // initialise so count() below is safe when there are no rows
      $i=0;
      while($validate=mysql_fetch_array($SQL)) {
      	$used[$i]=$validate['user_name'];   // quoted key; bare user_name is an undefined constant
      	$i++;
      }
      for($x=0;$x<count($used);$x++){
        if($_POST['user']===$used[$x]){
          die("Username has been already registered, please enter a different username.");
        }
      }
    ?>
    
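    The availability check the "AJAX via precognition" comment describes, done without either of the thread's two problems (fetching every row, and shipping the user list to the browser), as an added example that is not from the original article or any commenter. It uses Python's standard sqlite3 in place of the page's PHP/MySQL; the table layout and sample usernames are constructed.

```python
import sqlite3

# Constructed sample data standing in for the site's `users` table (assumption).
SAMPLE_USERS = ["admin", "sjenkins", "mdavis", "gbivins"]


def open_sample_db() -> sqlite3.Connection:
    """In-memory table shaped like the page's `users` table; contents are constructed."""
    conn = sqlite3.connect(":memory:")
    # NOCASE so "Admin" and "admin" count as the same account; UNIQUE is the real guard.
    conn.execute("CREATE TABLE users (user_name TEXT NOT NULL COLLATE NOCASE UNIQUE)")
    conn.executemany("INSERT INTO users (user_name) VALUES (?)",
                     [(u,) for u in SAMPLE_USERS])
    conn.commit()
    return conn


def username_taken(conn: sqlite3.Connection, name: str) -> bool:
    """Server-side availability check for the registration form.

    Asks the database the one question the form needs and returns a single
    boolean, so the full user list never leaves the server. The submitted
    name is bound as a parameter, never spliced into the SQL text.
    """
    row = conn.execute(
        "SELECT 1 FROM users WHERE user_name = ? LIMIT 1", (name,)
    ).fetchone()
    return row is not None


def register(conn: sqlite3.Connection, name: str) -> str:
    """Registration relies on the UNIQUE constraint, not on the pre-check,
    because two requests can both pass username_taken() at the same moment."""
    try:
        conn.execute("INSERT INTO users (user_name) VALUES (?)", (name,))
        conn.commit()
        return "registered"
    except sqlite3.IntegrityError:
        return "Username has been already registered, please enter a different username."
```

    The XMLHttpRequest handler would call username_taken() and reply with just the boolean; the insert path is what actually prevents duplicates.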
  • qbolec (unregistered) in reply to Anonymous
    Anonymous:
    SQL injection vulnerabilities - check;
    where?
    Anonymous:
    SQL in page source - check;
    where?
    Anonymous:
    unhomogenous mix of technologies - check;
    obviously it should all be done in SQL, which already has functionality to insert rows, check for duplicates and privileges!
    Anonymous:
    PHP - check and f-ing check!
    JS - check!
  • Jan82 (unregistered) in reply to ML
    ML:
    European:
    Can we please stop discussing http://xkcd.com/327/.
    Why did you have to bring up http://xkcd.com/327/?
    What is this http://xkcd.com/327/ you keep talking about? Is it similar to http://bit.ly/3MRuHo?
  • J (unregistered)

    Fools, how can you deny the genius of query-once-and-done?!

  • Marvin the Martian (unregistered) in reply to Hasteur
    Hasteur:
    Bring me the developer. I must cut off his hands so that they never develop anything like that ever again.
    If he can't code, he'll become manager or database architect... not sure that will cause less damage to the universe.
  • Marvin the Martian (unregistered) in reply to wtf
    wtf:
    I've used it as a QUOtation in documentation, and my boss ONCE thought it was funny, too.
    FTFY
  • nasch (unregistered) in reply to Anonymous
    Anonymous:
    unhomogenous mix of technologies

    That's "heterogenous".

  • BentFranklin (unregistered) in reply to nasch
    nasch:
    Anonymous:
    unhomogenous mix of technologies

    That's "heterogenous".

    That's heterogeneous.

    (Heterogenous sounds kind of sexy though.)

  • hunter2 (unregistered)

    article:
    entering a password of ********* would log you in

    Does that show as asterisks for you guys? Because I don't think it should be revealing my password like that.

Leave a comment on “Thourough Username Validation”
