Admin
Even the documentation for strpos says how to handle the difference between 0 (found at the start) and false (not found at all), yet somehow the developer missed that...
Admin
What strikes me as funny is that the hardcoded string "Cabbage" is converted to lowercase. Why not, at least, use "cabbage"?
Admin
Where's the "rerun of an old WTF" tag? I know I've seen this one before, and so does Google.
https://thedailywtf.com/articles/Cabbage_Based_Authentication
Admin
Old... And "Cabbage" is not necessary... "Lettuce" (pray) or any other prefix would have worked as well... So the comment is also WRONG.
Admin
I like to think that this code has been around for so long that at least two devs have submitted it
Admin
I think they knew exactly why they were doing it. It's a simple method to avoid having to think about the fact that "not found" looks exactly the same as "found at position 0" when you are using the return value of strpos in a boolean context. The WTF here is PHP, but we already knew that. Yes, the error handling is a WTF.
Admin
For better clarity maybe the prepended string should be more like:
Yeah, that's self-documenting enough. ;)
Admin
This is actually a coded message.
It explains that the admin ate some cabbage that expired in January 1990, and died.
But it says that in very, very bad PHP.
Admin
Even though PHP is a WTF, you can differentiate between not found and found at position 0: strpos($haystack, $needle) === FALSE will be false for found at position 0 and true if not found. It's not elegant, it makes developers think harder than they should have to, but nevertheless that cabbage code shouldn't have existed.
Admin
My first thought would be to use the word "Poop" instead of "Cabbage", but a moment later, I realized that "Poop" may be confused with other words in existing URL paths that this application serves up.
Admin
The correct use would be if (strpos($_SERVER["PHP_SELF"], "/admin") !== false). If the dev had RTFM, he would know that strpos returns boolean false on not found, which can be checked with an identical operator (=== or !==).
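The three ways of using strpos() discussed in the comments above, side by side, as an added example that is not part of the original article or this thread. The function names and the sample paths are constructed for the demo; the "Cabbage" prefix is the one from the article, and the second prefix (one that itself contains the needle) is an assumed value chosen to show that failure mode:

```php
<?php
// Added example (not from the original article or thread). Compares how
// strpos() behaves when its result is used as a boolean, with the
// "Cabbage" prefix workaround, and with the strict comparison the PHP
// manual recommends. Paths below are constructed samples.

declare(strict_types=1);

/** Loose check: the integer offset is used as a boolean, so a match at
 *  offset 0 (path starts with /admin) is reported as "not found". */
function looseContainsAdmin(string $path): bool
{
    return (bool) strpos($path, '/admin');
}

/** The article's workaround: prepend junk so a real match can never land
 *  at offset 0. Any non-empty prefix that does not contain the needle
 *  would do the same job. */
function cabbageContainsAdmin(string $path): bool
{
    return (bool) strpos('Cabbage' . $path, '/admin');
}

/** The documented way: strpos() returns false on no match, so compare
 *  strictly against false and 0 is handled correctly. */
function strictContainsAdmin(string $path): bool
{
    return strpos($path, '/admin') !== false;
}

/** Failure mode: a prefix that itself contains the needle. strpos() now
 *  always finds the needle inside the prefix at the same offset, so the
 *  check is true for every path. (Assumed prefix, chosen to show this.) */
function badPrefixContainsAdmin(string $path): bool
{
    return (bool) strpos('Cabbage/admin' . $path, '/admin');
}

$samples = [
    '/admin/index.php',      // match at offset 0: the problem case
    '/site/admin/panel.php', // match at a non-zero offset
    '/public/index.php',     // no match at all
];

printf("%-24s %-6s %-8s %-7s %s\n", 'path', 'loose', 'cabbage', 'strict', 'bad-prefix');
foreach ($samples as $path) {
    printf(
        "%-24s %-6s %-8s %-7s %s\n",
        $path,
        var_export(looseContainsAdmin($path), true),
        var_export(cabbageContainsAdmin($path), true),
        var_export(strictContainsAdmin($path), true),
        var_export(badPrefixContainsAdmin($path), true)
    );
}
```

Run with php on the command line. The first row is the one that matters: the loose check reports "/admin/index.php" as not containing "/admin", the Cabbage prefix and the strict comparison both get it right, and the bad-prefix variant reports every path, including "/public/index.php", as a match.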
Admin
I would like to know more about this "ADMIM" user type they're looking for in the $_SESSION["IS_ADMIM"] check.
Admin
I doubt it: An IS_ADMIN variable screams "this looks like the kind of website where only admins have to authenticate, and all authenticated users are admins (and therefore authorized)".
Alternately, the test actually checks both, because the variable is only "set" when the user authenticates.
Admin
The code is also checking for a session variable "IS_ADMIM", which looks like a typo, until you see that it's in there twice ...
Admin
Must be where Seymour went wrong - he thought it was some kind of flytrap ;)
Admin
Cabbages, knickers, uh, it's not got a ... a beak!
Admin
Wait, so PHP's strpos() returns an int if found (including 0 if at start) or FALSE if not found? Does PHP's boolean "type" also include a FileNotFound?
Admin
Except that your prefix contains the string to search for, so strpos will never return a non-falsy result. It will in fact always return the exact same result - the index of /admin in your prefix.
Admin
Have you so far resisted the urge to read eevee's rant about PHP? https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
Admin
A secondary point: that test for admin rights is almost as daft as what one of my former colleagues used to write. Almost, because in his case it would be if( !isset( $whatever ) || isset( $whatever ) && $whatever != "0" ). Somehow, the existence of a function called empty() has escaped more than one person.
Admin
So far, I have been fortunate enough in my chequered career to not have to deal with anything PHP-related. But now that you've posted that link, I will - against my better judgment - go read it, hoping for the lulz if nothing else :)
Admin
The real WTF here is slipping cole slaw into the title.
Admin
@rob ref
Congratulations. You got the joke. Hence the ;) at the end.
Admin
By all means do, it has some pretty good and sometimes deserved sarcastic remarks to make; but do keep in mind that quite a bit of it is badly outdated and some of it is plain wrong.