• Duke of New York (unregistered)

    1.7 percent, obviously

  • Registered (unregistered)

    No Magic Numbers? Check.
    Easy devaluation of rewards points? Check.
    No magic function symbols? Check.
    Well documented way of devaluating rewards points? Oops, missed that one. But it should be easy, once figured out.
    No runtime eval statements? Oops, missed that one.
    Overall intent comment? Oops, missed another one.

  • (nodebb)

Oh, and depending on how that $points value gets set (or if PHP has a notion like Perl taint mode):

    Remote code execution vulnerability? Check

  • (nodebb)

    Perhaps predecessor recently converted to PHP from COBOL?

  • Duke of New York (unregistered)

    My guess: points is a string, or possibly a string. The coder didn't know about automatic string-to-number conversion or heard that relying on it was bad. They also didn't know how to explicitly convert or believed that it was also bad, so they wrote this code that worked and committed it.

  • (nodebb) in reply to Bim Zively

    I know that COBOL has been described as a "bondage and discipline" language, but doing the calculation that way in COBOL would be equally WTF-level perverse.

  • Michael R (unregistered)

    7/$FIRST

  • Jeremy (unregistered)

    This is in preparation of putting the formula in a database as a string, right?

  • (nodebb)

I feel somehow worried that the ';' at the end of the string passed to eval should be necessary. It just makes it seem more wrong (NB I don't know PHP or how the eval statement works, so it might be - it's just that - it makes it feel wronger).

  • Duston (unregistered)

Obviously the programmer was thinking Enterprise-y-ingly toward the future where all those strings are stored in an XML configuration file.

  • (nodebb) in reply to thosrtanner

    The argument to eval() is PHP statements to execute, not an expression (it's analogous to Python exec()). Notice that it begins with return. So the ; at the end is indeed required.

    The code works, it's just wrong in principle.

  • (nodebb)

    My first impression was that this is a coder who learned / saw somewhere how to use eval, and that's about the sum of their knowledge about PHP. A problem looks like a nail to their eval-hammer.

  • löchlein deluxe (unregistered)

    "I hate the guy who goes around telling other people how to do their jobs with his so-called security advice. I want something where it looks like he's asking me to break five other coding principles so I can complain about him to management."

  • Nick (unregistered)

    I’d bet that this is a poorly disguised backdoor into the system. Mind you, that’s also my assumption whenever I see “eval” being used anywhere in any language…

  • Tinkle (unregistered)

    Hmm, does PHP do floating point division on integers or will this truncate the /100? Or does it evaluate the *1.7 first?

  • (nodebb)

    IANA a PHP coder.

    At least they avoided assembling the string for eval() using PHP's moral equivalent of C's sprintf() or C#'s String.Format(). That would have made this mess oh so much more deliciously crunchy.
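An added example, not from the article or any of the commenters, putting the eval() pattern the thread describes next to the plain arithmetic it stands in for. It assumes the article's string was of the form "return $points * 1.7 / 100;" (the thread only confirms the return, the ; and the operands); the function names are hypothetical.

```php
<?php
// Added example, not the article's code. Assumption: the original built a
// string like "return $points * 1.7 / 100;" and handed it to eval().

// The pattern the thread criticises: eval() takes PHP statements (hence the
// leading "return" and the trailing ";"), and whatever text ends up in
// $points is executed, not evaluated as a number.
function pointsViaEval(string $points): float
{
    $code = "return $points * 1.7 / 100;";   // string interpolation, not arithmetic
    return (float) eval($code);
}

// The same calculation without eval(): validate, cast explicitly, compute.
// "*" and "/" share precedence and associate left to right, and "/" yields
// a float whenever the result is not an exact integer, so 5 gives 0.085
// with no truncation.
function pointsValue(int|float|string $points): float
{
    if (!is_numeric($points)) {
        throw new InvalidArgumentException('points must be numeric');
    }
    return (float) $points * 1.7 / 100;
}

// For a well-formed value both versions agree.
var_dump(pointsValue("5"));     // float(0.085)
var_dump(pointsViaEval("5"));   // float(0.085)

// Input that is not a number is rejected instead of being run as code.
try {
    pointsValue("5; echo 'not arithmetic'");
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```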
