• (nodebb)

    You'll be shocked to know it's PHP.

    Not especially. WTFers can create WTFs in any programming language, after all, and WTFers seem to be at a higher concentration in PHP shops than in other places. (PHP, almost by direct intention of its creators, is much easier than other languages to start with if you lack the discipline in software engineering and general computer science that's implied by almost any CS degree.)

    Which means that if this function is doing anything at all, it's entirely dependent on the order of the keys.

    That might be somewhat less WTF than one might think, if this code is handling a request from front-end JS, where the order of the individual token-value pairs (separated by "&") is controlled by the same body of code that handles the URL, simply on the grounds that "legitimate" (questionable terminology in this case, I know, but please bear with me) requests will always have the comma-separated part last.

    Well, until someone decides the system needs another "key", one that isn't comma-separated, and, forgetting about this abomination, puts it at the end. Couple that with a poor testing régime, and the whole thing rapidly goes to shit.

    In the end, all that this part does is make the overall system more fragile and less easy-to-maintain than sane people would want.

  • Rob (unregistered)

    We don't look at its value, we just check if it exists, and if it does, we set a global variable. And this, right here, is enough for this to be a WTF. The logic of "set a global variable based on the existence of a query parameter regardless of the value of the query parameter" is… a lot.

    Keep in mind that this is PHP, where every variable exists for the duration of the current request only. So yes, a global variable is set, but that's comparable to a request-scoped variable in other languages.

  • (nodebb)

    It's interesting that all you think about is legitimate uses of the website. I spend a fair amount of my job --- maintaining two completely different applications --- handling bot attacks in such a way as to not fill up my logfiles, so that it's easy to find actual errors.

  • (author) in reply to Rob

    Sure, but you've still got a mutation happening without meaningful scope; if your requests are non-trivial, you're in rough shape.

  • (nodebb) in reply to dpm

    If your comment about legitimate use was in response to me, well, yes, attackers might well send tout et n'importe quoi (approx: "everything and anything") to my server, but I "know" that because it's my JS(1) sending the requests, I won't receive duff messages from it. But it remains fragile and hard to maintain.

    (1) No, it isn't actually mine, but I'm speaking metaphorically.

  • (nodebb)

    "It worked once in development with a specific test case with everything in a specific order so 'return($p)' would give us the exact result we were looking for. Yep -- it's good to go for Production!!"

  • (nodebb) in reply to Bananafish

    A project manager I once worked with got so fed up with her team's poor testing that she had pin-on badges custom-made: the letters JSI in a red-circle-with-a-slash. "Just Ship It".

  • (nodebb)

    I'm fully expecting that the urls only ever include the one parameter, either "h" or some comma-delimited string, and the foreach is not really required at all, which is why it works.

  • (nodebb) in reply to dpm

    The real question is whether that project manager actually allocated time for writing tests.

  • (nodebb)

    The first thing we check is if a key "h" exists. We don't look at its value

    It's a misconception that CGI parameters must be key=value pairs. It's perfectly fine for a parameter to only have a name and no value associated.

    Whether that's good practice is a different issue.

  • (nodebb)

    The nice part about CGI parameters that are keys without no values is it lets you unambiguously represent a Boolean without that pesky FILE_NOT_FOUND value having anywhere to sneak in.

  • (nodebb) in reply to dpm

    A project manager I once worked with got so fed up with her team's poor testing that she had pin-on badges custom-made: the letters JSI in a red-circle-with-a-slash. "Just Ship It".

    I never got a badge, but I'm pretty sure I worked with her at some point, lol. That's awesome and scary at the same time. I've pulled the plug on the same project here at least four times because no matter how many edge cases we tested there was always another. So far, this project has become a heptatriacontagon - polygon with 37 sides :(

  • SomeWTFname,RefreshedDaily (unregistered) in reply to Bananafish

    A heptatriacontagon, so basically a crude ball-shaped object?

  • löchlein deluxe (unregistered)

    Oh diety, I've seen the then h=1 thing. It's what you do(tm) about flags when a security audit reveals you don't sanitize your input variables.

  • (nodebb) in reply to SomeWTFname,RefreshedDaily

    A heptatriacontagon, so basically a crude ball-shaped object?

    We here in IT prefer to call it a clusterf**k. And no - I'm not playing ball on that project anymore as I was finally able to pull the plug permanently on this ticket, which was opened on 04/11/2022 and still can't be completed because every time we run tests on this integration we discover yet another "edge" on this ball.

    If you add the time/energy/salary of all the people involved with meetings, development, testing, etc. over the last THREE years, I can't imagine how much money has been thrown at this project which, in case you're wondering, would save a collective 90 minutes a week for less than six employees.

    Like I said ... "clusterf**k" ;)

Leave a comment on “Get Explosive”

Log In or post as a guest

Replying to comment #:

Log Out

« Return to Article