  • Rob (unregistered)

    Even the documentation for strpos says how to handle the difference between 0 (found at the start) and false (not found at all), yet somehow the developer missed that...

  • Industrial Automation Engineer (unregistered)

    What strikes me as funny is that the hardcoded string "Cabbage" is converted to lowercase. Why not, at least, use "cabbage"?

  • (nodebb)

    Where's the "rerun of an old WTF" tag? I know I've seen this one before, and so does Google.

    https://thedailywtf.com/articles/Cabbage_Based_Authentication

  • (nodebb)

    Old... And "Cabbage" is not necessary... "Lettuce" (pray) or any other prefix would have worked as well... So the comment is also WRONG.

  • Allie C (unregistered) in reply to Steve_The_Cynic

    I like to think that this code has been around for so long that at least two devs have submitted it

  • (nodebb)

    So our developer took the easy solution- instead of trying to understand what they were doing or why they were doing it

    I think they knew exactly why they were doing it. It's a simple method to avoid having to think about the fact that "not found" looks exactly the same as "found at position 0" when you are using the return value of strpos in a boolean context. The WTF here is PHP, but we already knew that.

    Yes, the error handling is a WTF.

  • WTFGuy (unregistered)

    For better clarity maybe the prepended string should be more like:

    if ( strpos( strtolower("Prepended extra Content to ensure /admin doesn't Appear in the zeroth Position" . $_SERVER["PHP_SELF"]) , "/admin" ) )

    Yeah, that's self-documenting enough. ;)

  • Sauron (unregistered)

    This is actually a coded message.

    It explains that the admin ate some cabbage that expired in January 1990, and died.

    But it says that in very, very bad PHP.

  • Greg (unregistered) in reply to Jeremy Pereira

    Even though PHP is a WTF, you can differentiate between not found and found at position 0: strpos( $haystack, $needle) === FALSE

    will be false for found at position 0 and true if not found. It's not elegant, it makes developers think harder than they should have to but nevertheless that cabbage code shouldn't have existed.

  • (nodebb)

    My first thought would be to use the word "Poop" instead of "Cabbage", but a moment later, I realized that "Poop" may be confused with other words in existing URL paths that this application serves up.

  • netmunky (unregistered)

    The correct use would be if (strpos($_SERVER["PHP_SELF"], "/admin") !== false). If the dev had RTFM, he would know that strpos returns boolean false on not found, which can be checked with an identical operator (=== or !==).
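The point made in the comments above (Jeremy Pereira's "not found looks exactly the same as found at position 0", Greg's === FALSE and netmunky's !== false) can be seen directly by running both forms of the check side by side. The following is an added example, not code from the article or from any commenter; the sample paths are constructed, and the two function names are this example's own.

```php
<?php
// Added example (not from the article or the comments): why a bare strpos()
// result misbehaves in boolean context for a path that begins with "/admin",
// and the strict === false / !== false comparison that fixes it.
// The $samples paths are constructed inputs, not values from the page.

declare(strict_types=1);

// The article's pattern minus the cabbage: truthiness of strpos() conflates
// "found at offset 0" (int 0, falsy) with "not found" (bool false).
function isAdminPathNaive(string $path): bool
{
    return (bool) strpos(strtolower($path), "/admin");
}

// Correct: compare strictly against false, so offset 0 counts as a match.
// Note this is still a substring test, not a prefix test (see note below).
function isAdminPathStrict(string $path): bool
{
    return strpos(strtolower($path), "/admin") !== false;
}

$samples = [
    "/admin/index.php",       // starts with /admin: strpos returns int 0
    "/site/admin/index.php",  // contains /admin later: strpos returns 5
    "/Admin/users.php",       // mixed case, matches after strtolower()
    "/index.php",             // not present: strpos returns bool false
];

foreach ($samples as $path) {
    $raw = strpos(strtolower($path), "/admin");
    printf(
        "%-24s strpos=%-6s naive=%-6s strict=%s\n",
        $path,
        var_export($raw, true),
        var_export(isAdminPathNaive($path), true),
        var_export(isAdminPathStrict($path), true)
    );
}
```

For "/admin/index.php" the naive form reports false while the strict form reports true; for "/index.php" both report false. On PHP 8 the same strict check can be written as str_contains(strtolower($path), "/admin"), which returns a proper bool and cannot be mis-tested this way. Both forms still only ask whether "/admin" occurs anywhere in the path, so "/site/admin/..." matches too; if the intent is "the request is under /admin", str_starts_with() (PHP 8) or strpos(...) === 0 expresses that, and either way the path test is only a routing hint, not a substitute for the session-based admin flag the same code goes on to check.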

  • SITE ADMIM (unregistered)

    I would like to know more about this "ADMIM" user type they're looking for in the $_SESSION["IS_ADMIM"] check.

  • (nodebb)

    Also, pedantically, the comment is wrong: the user is already authenticated, we are checking their authorization: is the authenticated user an admin?

    I doubt it: An IS_ADMIN variable screams "this looks like the kind of website where only admins have to authenticate, and all authenticated users are admins (and therefore authorized)".

    Alternately, the test actually checks both, because the variable is only "set" when the user authenticates.

  • Neil P (unregistered)

    The code is also checking for a session variable "IS_ADMIM", which looks like a typo, until you see that it's in there twice ...

  • (nodebb)

    Cabbages are an interesting vegetable, especially as they're one of those subtypes of brassica, that endlessly polymorphic family of plants which includes everything from cauliflower to Brussels sprouts and likely Audrey II.

    Must be where Seymour went wrong - he thought it was some kind of flytrap ;)

  • Officer Johnny Holzkopf (unregistered)

    Cabbages, knickers, uh, it's not got a ... a beak!

  • The Beast in Black (unregistered)

    Wait, so PHP's strpos() returns an int if found (including 0 if at start) or FALSE if not found? Does PHP's boolean "type" also include a FileNotFound?

  • Rob (unregistered) in reply to WTFGuy

    Except that your prefix contains the string to search for, so strpos will never return a non-falsy result. It will in fact always return the exact same result - the index of /admin in your prefix.

  • (nodebb) in reply to The Beast in Black

    Have you so far resisted the urge to read eevee's rant about PHP? https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

  • RLB (unregistered)

    A secondary point: that test for admin rights is almost as daft as what one of my former colleagues used to write. Almost, because in his case it would be if( !isset( $whatever ) || isset( $whatever ) && $whatever != "0" ). Somehow, the existence of a function called empty() has escaped more than one person.

  • The Beast in Black (unregistered) in reply to Steve_The_Cynic

    So far, I have been fortunate enough in my chequered career to not have to deal with anything PHP-related. But now that you've posted that link, I will - against my better judgment - go read it, hoping for the lulz if nothing else :)

  • Steve W (unregistered)

    The real WTF here is slipping cole slaw into the title.

  • WTFGuy (unregistered)

    @rob ref

    Except that your prefix contains the string to search for, so strpos will never return a non-falsy result. It will in fact always return the exact same result - the index of /admin in your prefix.

    Congratulations. You got the joke. Hence the ;) at the end.

  • RLB (unregistered) in reply to The Beast in Black

    So far, I have been fortunate enough in my chequered career to not have to deal with anything PHP-related. But now that you've posted that link, I will - against my better judgment - go read it, hoping for the lulz if nothing else :)

    By all means do, it has some pretty good and sometimes deserved sarcastic remarks to make; but do keep in mind that quite a bit of it is badly outdated and some of it is plain wrong.
