- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Why is a triangular wheel bad? It has one less bump per revolution compared to a square wheel!
Admin
Triangular wheels are good! See 'The 3 cornered wheel' by Poul Anderson
Admin
It doesn't even protect against mix cases like DrOp...
Admin
Given how utterly dysfunctional this code is, I think it was written out of malicious or perhaps lazy compliance. The manager said, write code to protect against SQL injection; the developer did write. The manager didn't say, test it, debug it, or anything like that.
Admin
What are these 503 and 500 errors? A big WTF to the readers? ;-)
Admin
I can already imagine the "architect" behind this code explain why passwords, user names, etc. cannot contain anything except ASCII letters and digits.
Changing that would make our site
At that point in the PowerPoint presentation, there would be an explanation of 1335 and how hackers use it to scramble their communications, and management would nod wisely and praise themselves happy with so much security.
Admin
also, if something bad doesn't get detected, it happily slips through. I think this should be patented...
Admin
And then have a column named "selection" and break the code [just happened in the real world in the past 6 months]
Admin
This kind of bullshit is why WTFs happen. A few months ago I tried to upload a text file of commented assembly language source code to a web board as a file attachment, but fucking cloudflare flagged it as a security violation because it had a "bad word" in it. I think it took me three times before I figured out that I had to put it in a zip file.
Not everything gets interpreted as SQL, you assholes. The problem is that there are morons out there who will go out of their way to throw anything and everything into a SQL command anyhow. It's a corollary of "the universe can always create a bigger idiot".
Admin
If I got a house for anytime I have seen code like that against SQL injections at a customer... Just use query parameters, even PHP has them since v3 for all providers and PDO even unified everything years ago.
Admin
This happened in my very first non-intern job. I found the injection vulnerability, explained to the seniors how it could be easily exploited (through the password field) and they "fixed" it just like this article, banning SQL keywords. Bonus points for the solution as one of the business analysts had the word "from" in their password and got locked out of the system.
Admin
Yeah, my first thought was a mandate from above to ban the keywords--the incorrect solution was dictated, not designed by a programmer. An awful lot of managers aren't good at realizing they're going at it the wrong way and not open to underlings telling them they're going at it the wrong way.
Admin
Code like this might be ok if it sat there, never being called. Invite the clueless managers to a technical review so they could nod wisely and report upwards that Something Has Been Done. Ideally by "sit there" it should be sitting in a suitably separate directory "for security", not anywhere where it might end up in a code repo.
Admin
Some of the code in there looks like it hasn't been touched in twenty years, but all of it looks bad. (Like: firing off an arbitrary
die()
in the middle of your page says you've never had to write something that doesn't break.) I don't understand the penchant for putting a return value into a variable solely for the sake of returning the variable's value (still less calling said variable$newvar
).Then there is the matter of using
preg_split
to split the string into individual characters to see if any of them are strings like "DELETE" (no, none of them will be). But that part of the code isn't going to match anything anyway because of thePREG_SPLIT_OFFSET_CAPTURE
flag. With that flag set, what is returned is not an array of characters, but an an array of [character, string position] pairs (used to identify where in the string each match occurred).Not that you'd notice of course, since the only characters that might have matched anything have already been stripped out.
Admin
This is definitely one of those times the developer is making PHP look bad and not PHP being bad itself.
Admin
Putting a return value into a variable just to return it in the next statement? Sometimes it's nice while debugging. You step through the code, you see what value got computed and you can tweak it if you need to test the rest of the code with a different return value.
Admin
This person never did any debugging.
Admin
My new favourite conspiracy theory: client-side password hashing is done to make sure the stored password only consists of hexits, but you tell mgmt something about offloading computing costs to the client and how it helps with DDOS.
Admin
Sure this is a WTF but not the one the comments imply. Did anyone notice the array is iterated by value? So the code doesn't actually modify
$_POST
. It only checks the values against a blacklist (only part of which works actually as it checks sanitized values). Thus the code is virtually harmless... until someone would try to fix it. Oops.