• caesay (unregistered)

    HTTP GET /frist.php

  • What? I'm not giving you my name. (unregistered)

    Making jokes about PHP will result in: "Comment held for moderation."

  • RLB (unregistered)

    Frist Ilium

  • RLB (unregistered)

    Also... why? Testing code? Why leave that in there? Doesn't look like a script kiddie, unless the only thing he wanted was to flood the system. A single DOS, how 1980s.

  • Your Name (unregistered)

    Wow, test code found in production. Hardcoded admin permission is silly, but I'm failing to see the WTF other than someone didn't set a .htaccess or pushed a stupid update to production at the client's end, or is the WTF they did the ops job of the client for them when they should be doing a migration, or did the sales asshats throw support of existing system into the migration contract?

    Could really do with a tl;dr version of this article: client breaks site by deploying debug code to production, hamfisted attempt at drama over non-issue, check tomorrow for a real WTF.

  • 🤷 (unregistered)

    I call shenanigans. Who still plays solitaire in 2017/2018?!

  • PHPCoder (unregistered)

    PHP code, of course

    Because it's only possible to write crap code when using PHP, right?

  • 🤷 (unregistered)

    The moderation should be held for holding the comments for moderation. This isn't "moderate" at all!

  • ArSee (unregistered)

    Bad enough the conversion scripts weren't done because Troy would rather play Solitaire, but what an odd thing to prioritize writing new features ahead of those scripts. Troy needs better supervision.

  • Sole Purpose of Visit (unregistered)

    Cassie's buttocks heaved magnificently in the dim light cast by the imitation Star Trek console that filled the front wall of the data center. Nobody could remember why the console was there -- it had been installed by a gnome with very pointy ears back in 1993, but the mystic lore had been lost, along with the gnome. Somebody up on high had sent a thousand milk cartons out with a fairground caricature of the gnome on the side, but alas! The gnome was still missing. Nobody knew what purpose the console served, except ....

    "I've got it!" Troy yelled. "It's not buttocks, it's bosoms!"

    "You mean your buttocks aren't heaving?" murmured Cassie, implausibly.

    "I don't have bosoms, Cassie. The only parts of me that can heave are buttocks. And, believe me, they are heaving!" Troy turned to the console. "Activate the Screaming Monkey Protocol!"

    The monkey screamed and screamed and screamed. Bosoms and buttocks heaved inconsequentially. Troy hit the monkey over the head with a sledge-hammer.

    "It's worse than I thought!" he whimpered in the key of G#. "We go to DefCon 0 immediately!" He sank back in his chair with a gratifying sigh and not a little heaving.

    "But what does DefCon 0 mean, in the context of a bog-standard DevOps cock-up?" asked Cassie, fluttering various lids, at least two of which were in proximity to her eyes.

    "It means," said Troy, with a gleam in his nostril that was probably just a strobing effect from the Star Trek console on the front wall, "it means that ... well, it's hard to explain. Let's go to DefCon -1 and damn the chances of an integer underflow!"

    Hanzo alert! Hanzo alert! Lock all keyboards down and don't let Eric Gern into the building!

    But no, seriously. This is the first WTF I've read where the background story was considerably more annoying than the following PHP code.

  • jeepwran (unregistered)

    Hah! Had similar happen with a home-grown CMS. Someone published 1) direct to production 2) in debug 3) and no security applied to the admin functionality. Google found and happily followed all the DELETE links. Had good database backups, thankfully.

  • my name is missing (unregistered)

    I worked at a University briefly where all the delete links were GETs with a single increasing INT key to identify the data to delete. A simple script would delete the entire database. The bad news was that this was the system the state used to validate budgets for every department. So delete the database and no more budget.

  • (nodebb)

    and happily followed all the DELETE links.

    This happened to an early CMS I had written: it was someone's browsing accelerator that followed the GET links. This prompted me to change them all to POST. Actually, I think I cheated and used JavaScript to create and submit the form onclick the link but at least server-side did ensure it was a POST.

  • Reformed PHP coder (unregistered)

    My first dev job used a PHP script to trigger the revenue-generating daily newsletter. When it needed to be run manually for whatever reason the "senior dev" would just open the URL to it in his browser.

    This sort of worked for them, but then one day it started triggering randomly. It got blamed on me as the dev had asked me to run it once. He used Firefox and I used Chrome ... and Chrome continued to aggressively pre-fetch the page from my history.

  • Newbie to php (unregistered)

    I don’t understand what this code does. Can someone explain?

  • ax6 (unregistered) in reply to Newbie to php

    It adds a (clearly dummy) row with random data every time the script is executed.

    And PHP scripts are executed whenever they are requested. If you go to example.com/foo.php, it will execute that script. Google finding it would attempt to load the website (and thus execute the script) very, very often. More so considering it was probably included in a lot of other scripts.

  • 🤷 (unregistered) in reply to Newbie to php

    It inserts random values at random into the database a random number of times, with hardcoded admin rights.

  • bobcat (unregistered)

    What they also should have done (besides the whole 'not leaving it in/on admin level') would be have it so the first names are all just 'TEST'. Maybe 'TEST##' if you have to have them all different. That way any entries that happened by accident would be clearly visible and easily pruned from the database, but you can still check sorting and the like on the other fields.

    If you're generating test entries, always make sure you can tell at a glance, just in case it leaks. Never know when someone inadvertently re-uses an old testing database or something. "Oh yeah, that's a test entry. 'Name' is exactly eight characters, with no vowels."

  • nb (unregistered) in reply to 🤷

    Who plays solitaire? One of my team's sr devs still does while he's thinking something over...

  • Chris (unregistered)

    Since when do programmers sit at their desk playing Tetris, except for lunch or for a break? What company has programmers with nothing to do? Also, how would an autoloader have made it easier to find the problem here?

  • Joseph Osako (google)

    "We're at DEFCON 1 in ops. We need to be running yesterday!"

    "Move the alert status to Pistoled Cock!" "Yes, Sir!" shoots rooster

  • doubting_poster (unregistered) in reply to Sole Purpose of Visit

    Loved it. What happens next? Will the DefCon -1 start a world-wide apocalypse? Will the buttocks ever stop heaving?

  • Conrad Buck (unregistered)

    It seems to me that other commenters are not seeing TRWTF. This wasn't about "hardcoding admin". The code doesn't declare that the user IS an administrator, it declares that the user MUST BE an administrator, which is correct and would have prevented the issue described. The WTF is that the check to ensure that the user actually has the requisite permissions fails, but only in the footer after the SQL query has already run!
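The two defects this thread keeps circling (jeepwran, "my name is missing" and nodebb on delete links that crawlers, prefetchers and browsing accelerators happily follow with GET; Conrad Buck on the permission check that only runs in the footer after the query) are easy to see side by side in a few lines. The following is an added example, not code from the article or from any commenter, written in Python rather than PHP because the point is language-independent; the `people` table, the `Request` shape, the `/delete.php` path and the `is_admin` flag are all constructed for the demo.

```python
"""Added example: a destructive handler written the way the commenters
describe (acts on GET, checks permission after the query) next to the
hardened form (POST only, authorisation before the query).  Everything
here (table, request shape, admin flag) is constructed for the demo."""
import sqlite3
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)
    is_admin: bool = False          # hypothetical session flag


def make_db():
    """Fresh in-memory table with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, first_name TEXT)")
    db.executemany("INSERT INTO people (first_name) VALUES (?)",
                   [("Alice",), ("Bob",), ("Carol",)])
    db.commit()
    return db


def delete_unsafe(db, req):
    """The pattern from the thread: runs on any method, and the admin check
    happens only after the DELETE has already been committed."""
    db.execute("DELETE FROM people WHERE id = ?", (int(req.params["id"]),))
    db.commit()
    if not req.is_admin:            # too late: the row is already gone
        return 403, "admin required"
    return 200, "deleted"


def delete_safe(db, req):
    """Hardened: method check, then authorisation, then input validation,
    and only then the query."""
    if req.method != "POST":        # GET must stay side-effect free
        return 405, "use POST"
    if not req.is_admin:            # decide before touching the table
        return 403, "admin required"
    try:
        row_id = int(req.params["id"])
    except (KeyError, ValueError):
        return 400, "bad id"
    cur = db.execute("DELETE FROM people WHERE id = ?", (row_id,))
    db.commit()
    return (200, "deleted") if cur.rowcount else (404, "no such row")


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM people").fetchone()[0]


def simulate_crawler(db, handler):
    """A crawler, prefetcher or link accelerator: follows every link it
    sees with an anonymous GET.  Returns the rows left afterwards."""
    for row_id in (1, 2, 3):
        handler(db, Request("GET", "/delete.php", {"id": str(row_id)}))
    return count_rows(db)


if __name__ == "__main__":
    print("unsafe handler, rows left after crawl:",
          simulate_crawler(make_db(), delete_unsafe))   # 0
    print("safe handler, rows left after crawl:  ",
          simulate_crawler(make_db(), delete_safe))     # 3
```

Note that the unsafe handler does return 403 to the anonymous client, so an access log full of 403s can coexist with an empty table; the ordering of the check relative to the query is what matters, not whether a check exists somewhere in the script.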

Leave a comment on “Insert Away”
