Not especially. WTFers can create WTFs in any programming language, after all, and WTFers seem to be at a higher concentration in PHP shops than in other places. (PHP, almost by direct intention of its creators, is much easier than other languages to start with if you lack the discipline in software engineering and general computer science that's implied by almost any CS degree.)
That might be somewhat less WTF than one might think, if this code is handling a request from front-end JS, where the order of the individual token-value pairs (separated by "&") is controlled by the same body of code that handles the URL, simply on the grounds that "legitimate" (questionable terminology in this case, I know, but please bear with me) requests will always have the comma-separated part last.
Well, until someone decides the system needs another "key", one that isn't comma-separated, and, forgetting about this abomination, puts it at the end. Couple that with a poor testing régime, and the whole thing rapidly goes to shit.
In the end, all that this part does is make the overall system more fragile and less easy-to-maintain than sane people would want.
Keep in mind that this is PHP, where every variable exists for the duration of the current request only. So yes, a global variable is set, but that's comparable to a request-scoped variable in other languages.
It's interesting that all you think about is legitimate uses of the website. I spend a fair amount of my job --- maintaining two completely different applications --- handling bot attacks in such a way as to not fill up my logfiles, so that it's easy to find actual errors.
Sure, but you've still got a mutation happening without meaningful scope; if your requests are non-trivial, you're in rough shape.
If your comment about legitimate use was in response to me, well, yes, attackers might well send tout et n'importe quoi (approx: "everything and anything") to my server, but I "know" that because it's my JS(1) sending the requests, I won't receive duff messages from it. But it remains fragile and hard to maintain.
(1) No, it isn't actually mine, but I'm speaking metaphorically.
"It worked once in development with a specific test case with everything in a specific order so 'return($p)' would give us the exact result we were looking for. Yep -- it's good to go for Production!!"
A project manager I once worked with got so fed up with her team's poor testing that she had pin-on badges custom-made: the letters JSI in a red-circle-with-a-slash. "Just Ship It".
I'm fully expecting that the URLs only ever include the one parameter, either "h" or some comma-delimited string, and the foreach is not really required at all, which is why it works.
The real question is whether that project manager actually allocated time for writing tests.
It's a misconception that CGI parameters must be key=value pairs. It's perfectly fine for a parameter to only have a name and no value associated. Whether that's good practice is a different issue.
The nice part about CGI parameters that are keys with no values is it lets you unambiguously represent a Boolean without that pesky FILE_NOT_FOUND value having anywhere to sneak in.
I never got a badge, but I'm pretty sure I worked with her at some point, lol. That's awesome and scary at the same time. I've pulled the plug on the same project here at least four times because no matter how many edge cases we tested there was always another. So far, this project has become a heptatriacontagon - polygon with 37 sides :(