Admin
is itself a :wtf:, but at least its :wtf:-factor is measurable, unlike the code in the article…
Admin
But how does the provided code's :wtf: factor compare to the :wtf: factor of leaking the front page article three days early?
Admin
You say this as if it were an unusual occurrence.
Admin
I intended it as if this should be an unusual occurrence. The fact that it happens regularly around here doesn't change the fact that it is a :wtf:
Admin
The bigger :wtf: (for which I'd like to page @Remy for real this time): this topic appears not to be linked with the article, it's still saying "0 replies" and has no discuss link.
Admin
Maybe we keep breaking it by replying before it's published and the topic is listed? Who knows what Paula thinks is happening when that happens.
Admin
I don't know what Paula thinks, but she has again created a second comment topic. Clearly, Paula is TRWTF.
Admin
Maybe we should rename her to PaulaJumpingBean.
Filed under: About as unpredictable
Admin
The random bolding in the syntax highlighting of the comments in this snippet is really confusing me.
Filed under: markdown sucks and confuses me with flavors
Admin
According to the markup, it looks like whatever highlighter the front page uses thinks that code is Applescript.
Admin
Wait...
[image: java]
Well colour me surprised.
Admin
I flinched so hard I pooped a nugget
Admin
It won't give you a random number
Admin
It's not meant to be random :stuck_out_tongue:
Admin
Then your code sucks because it does not comply with the specs :trolleybus:
Admin
How a 4-digit number can in any way fill an array of 1000000 elements with unique numbers is beyond me...
Admin
It doesn't, `range()` does this on this line -> `$numbers = range(0,999999);`. Of course, this won't zerofill, so his code won't work (or shouldn't work, by god, with that `substr` in there) anyway. That returns an array starting at 0 and ending at 999999; the `$numbers` variable is used to strip out values from the array until he finds one that isn't used in the database. And it's making me cry. This is the kind of WTF that shows exactly why actual PHP developers get the reputation they have.

Other problems - it's `$rs->next_result()`, not `$rs->move_next()`, and he could/should skip the `IF` by using `while (($row = mysqli_fetch_array($rs)) == true)`, which means he wouldn't even need the `next_result()`. And it's not PDO. Where does this guy live? I'm going to burn him.

This is shocking, I am a PHP developer and I literally had trouble following what the hell he was trying to achieve with this. Unset with Substr against a number? People who write code like this should be taken out and handed to Blakeyrat.

In other news, as @RaceProUK says, `SELECT MAX(used_num) + 1 FROM used_num`. Or store confirmation numbers in a second table and use job number as a foreign key to reference the primary key (confirmation number), which is a zerofilled auto-increment. Problem solved with your `join` of choice.
Admin
I knew it was downhill from there.
Admin
Guess we could have just stopped there right :-)
Admin
Yep.
And as they already use a database, why not add a boolean 'confirm' field to the job table with a false default? Then you would already have unique confirm numbers (meaning the job id) and if that should not be exposed, do an MD5 or similar on it and send that (Yes, I know there is a risk of collisions when using hashing, but in this case I think the risk is less than the risk of the max+1 race condition...)
Admin
Seriously?
Seriously? Come on, the point isn't to make things worse
Because we have no context. At least this is plausible though.
Admin
No, everyone seems to be jumping past the "LIKE" clause in his select. What he's doing is picking out the confirmation numbers that start with that (stupidly constructed) job number prefix, and removing all of them from his candidate list. Then he shuffles the list so he can pick a random confirmation number. Finally he returns the final confirmation number, being the compacted job number prepended to the randomly chosen six-digit value.
It's a ridiculous way to make a random confirmation number, but the article makes it seem like the inefficiency is in searching through all available confirmation numbers and matching them to a million element array. Instead the most inefficient part is shuffling the remaining values in the million element array, rather than simply using a random number in the span 0 to arraylength to pick a remaining element.
@RaceProUK mentioned that his solution wasn't meant to be random. The case for random confirmation numbers is that you don't want people to be able to associate job number to confirmation number. If the values are always increasing incrementally, then a malicious user could craft an electronic or social engineering attack whereby they place an order, record the confirmation number, then try to get the orders for all following orders based on them knowing what the confirmation numbers would be. "Hi, I just placed an order a few minutes ago, confirmation number [known value + 1], could you please send me a link to view it? Oh, the delivery address is wrong, could you please update it to this PO Box?"
Admin
Admin
Well obviously you should not use MD5 for cryptography, but for less sensitive things where you only need a pseudo-random string for comparison and where it should be possible to regenerate it from known data, MD5 will still do. (And if you are paranoid, you could use SHA-256/512 or similar, I was only using MD5 as an example)
Regarding your second comment, I was NOT advocating the max+1 thing, that one is just horrible and waiting to blow up in your face. If you need sequences for anything, use a proper one supplied by your database engine ('serial' type in postgres for instance).
I was merely saying that compared to that, even relying on MD5 with its relatively high risk of collisions would be a better solution.
Admin
Sooooo.... Pick a card, any card, folks?
Pulling everything is still somewhat dumb, even if it's not insane. Attempting to insert (given a unique constraint) and retrying if necessary would be much faster, at least until the random space is nearly full, which is your early warning that everything's about to fall over on you anyway.
Admin
You know what happens when you try to stretch a keyspace of 100 digits by MD5'ing them? You end up with... 100 possible MD5 values. It's not a randomizer, it's a hasher.
Admin
100 digits or 100 values? That's an important difference. A key space consisting of strings of 100 digits has plenty of room for entropy, and MD5 will do a reasonable job on it. A key space consisting of 100 values (of any length) will just have the MD5 be a fancy expensive tagging (or you might get unlucky and get a collision) like a sort of mathematical designer label.
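To make the "100 digits or 100 values" distinction concrete, here is an added example (not code from the thread or the article): hashing a keyspace never yields more distinct digests than the keyspace had members, and a keyspace small enough to enumerate, such as the article's four-digit job numbers, is recovered from its MD5 by a lookup table. The job-number range 0..9999 is assumed from the thread's reading of the code.

```python
import hashlib
import math

def md5_hex(value):
    """MD5 of the decimal string form of a value, as a PHP md5() call on an id would produce."""
    return hashlib.md5(str(value).encode()).hexdigest()

def hashed_keyspace_size(values):
    """Distinct digests over a whole keyspace: a hasher, not a randomizer, so at most len(values)."""
    return len({md5_hex(v) for v in values})

def keyspace_bits(member_count):
    """Entropy an attacker must guess, in bits; 100 values is under 7 bits, 100 digits is over 330."""
    return math.log2(member_count)

def build_lookup(values):
    """Precompute digest -> value for every member; feasible whenever the keyspace is small."""
    return {md5_hex(v): v for v in values}

def recover_job_number(digest, job_numbers=range(10_000)):
    """Undo md5(job_number) for the assumed four-digit job-number space by table lookup."""
    return build_lookup(job_numbers).get(digest)

if __name__ == "__main__":
    print(hashed_keyspace_size(range(100)))            # 100 values in, 100 digests out
    print(round(keyspace_bits(100), 1), round(keyspace_bits(10 ** 100), 1))
    print(recover_job_number(md5_hex(1234)))           # the "hidden" id falls straight out
```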
Admin
The adding of digits 1&2 to 3&4 reminds me of an assembler that decoded its control card. It needed to be "ASMB", but it was checked by subtracting "AS" from "MB", on a 16 bit machine. If the sum matched, it would be allowed. Knowing this, a user did a search and figured out that "FURD" would work just as well. Well, it did look funny on the listings, and I guess you had to be there.
Admin
What happens once the table has been filled with one million confirmations?
Hope that confirmation is not used to check for a popular social network, I heard there are more than one million people with Internet access, but I might have been misinformed.
Admin
Maybe I just did not see it, but the compacted job number ($c_jobno) is never used again in the script. Or am I wrong here? And it will be between 2 and 4 digits long.
You do not need md5 or shuffle or something like that. Just fetch all confirmation numbers from the database starting with the job number. Generate a random new confirmation number until you find one that is not in the list you fetched from the database. And you are done. If you want increased security, add a salt.
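The three approaches argued over in this thread side by side, as an added example (not the article's PHP and not any poster's code): the full-list shuffle the original code is read to do, picking one random index from the same candidate list as suggested earlier, and drawing a random suffix with retry on collision, which is what an INSERT under a UNIQUE constraint amounts to. The prefix exclusion mirrors the LIKE 'prefix%' step; the `USED` set is constructed sample data, and `space` is a parameter so the million-element case can be shrunk for a quick run.

```python
import random
import secrets

# Constructed sample of confirmation numbers already issued (not from the article's database).
USED = {"1234000017", "1234500000", "1234999999", "5678000001"}
SPACE = 1_000_000  # six-digit suffixes 000000..999999

def free_suffixes(prefix, used, space=SPACE):
    """The LIKE 'prefix%' step: every six-digit suffix not yet issued under this prefix."""
    taken = {u[len(prefix):] for u in used if u.startswith(prefix)}
    return [s for s in (f"{n:06d}" for n in range(space)) if s not in taken]

def pick_by_shuffle(prefix, used, space=SPACE, rng=random):
    """The thread's reading of the original code: build the whole list, shuffle it, take the first."""
    free = free_suffixes(prefix, used, space)
    if not free:
        raise RuntimeError("no confirmation numbers left for this prefix")
    rng.shuffle(free)  # O(space) work on every call, just to pick one element
    return prefix + free[0]

def pick_by_index(prefix, used, space=SPACE, rng=random):
    """Same distribution of results, but one random index instead of a full shuffle."""
    free = free_suffixes(prefix, used, space)
    if not free:
        raise RuntimeError("no confirmation numbers left for this prefix")
    return prefix + free[rng.randrange(len(free))]

def pick_by_retry(prefix, used, space=SPACE, max_attempts=50):
    """Draw a suffix and retry on collision; returns (number, attempts needed).
    Cheap while the space is mostly empty; a climbing attempt count is the early warning."""
    for attempt in range(1, max_attempts + 1):
        candidate = prefix + f"{secrets.randbelow(space):06d}"
        if candidate not in used:
            return candidate, attempt
    raise RuntimeError("prefix space nearly exhausted")

def expected_attempts(used_count, space=SPACE):
    """Mean draws pick_by_retry needs when used_count of the space suffixes are taken."""
    return space / (space - used_count)

if __name__ == "__main__":
    print(pick_by_shuffle("1234", USED, space=1000, rng=random.Random(1)))
    print(pick_by_index("1234", USED, space=1000, rng=random.Random(1)))
    print(pick_by_retry("1234", USED))
    print(expected_attempts(0), expected_attempts(500_000), expected_attempts(999_999))
```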
Admin
What I'm not sure about is this; do PHP developers have shares in server companies, and write code guaranteed to keep companies buying ever bigger servers? Or are they just useful idiots for the server vendors?
Admin
Good idea. I'll ask our hosting company about this ;)
Admin
In fact (according to Terry Pratchett) there are only about 130 real people in the world, which is why we keep bumping into one another. The rest are illusions. 10^3 possible primary keys should be enough for anybody.
Admin
How many of them are @boomzilla?
Admin
.... All of them.
:-P
Admin
This was my first thought when I read this article. Did nobody notice that the confirmation numbers were between 8 and 10 digits long?
Probably a copy-paste mistake. According to the last comment it should be used in the return statement.
Admin
The confirmation number is at least 7 digits, and up to 10 digits, depending on the original value of the order number**. That gives up to 9,999,999,999 values for the confirmation number. Remember that it appends the 6 digit number selected from the array to the original order number (not the compacted one, regardless of what the comment for that line says.)
** The article is also wrong regarding what is happening to the order number. It looks like the order number is 4 digits. The first two digits are added, the 3rd and 4th digits are added, then the two sums are concatenated. Since adding two digits can still yield a two-digit number (e.g. 9+9 = 18), the order number isn't shortened to two digits in all cases. Instead it can still be 2, 3 or 4 digits. For example 1234 becomes 37, 3456 becomes 711, and 6789 becomes 1317.
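The digit compaction as this post reads it, written out as an added example (not the article's code) so the 1234 -> 37, 3456 -> 711 and 6789 -> 1317 cases can be checked, and extended to every four-digit job number to show the output-length range and how many distinct values the 10,000 job numbers collapse to. A four-digit job number is assumed throughout, as the post does.

```python
def compact_job_number(jobno):
    """Sum digits 1+2 and digits 3+4 of a four-digit job number, then concatenate the two sums."""
    d = [int(ch) for ch in f"{int(jobno):04d}"]
    return f"{d[0] + d[1]}{d[2] + d[3]}"

def compacted_lengths():
    """Every output length the compaction produces over 0000..9999 (each sum is 1 or 2 digits)."""
    return sorted({len(compact_job_number(n)) for n in range(10_000)})

def distinct_compactions():
    """How many distinct strings 10,000 job numbers map to; far from injective, and the
    two-sum layout even lets e.g. 1+10 and 11+0 both read as '110'."""
    return len({compact_job_number(n) for n in range(10_000)})

def confirmation_number(jobno, suffix):
    """What the snippet is read to return: the original job number with a six-digit suffix appended."""
    return f"{int(jobno)}{int(suffix):06d}"

if __name__ == "__main__":
    for n in (1234, 3456, 6789):
        print(n, "->", compact_job_number(n))
    print(compacted_lengths(), distinct_compactions())
    print(confirmation_number(1234, 17), confirmation_number(5, 17))
```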
Admin
There is only one real person; the rest of you are figments of my imagination. My imagination is ... demented.
Admin
https://www.reddit.com/r/AskReddit/comments/348vlx/what_bot_accounts_on_reddit_should_people_know/
Admin
Obfuscation fail, the true nerds still see what you did there.
Admin
So, um, could you tell me what I did there? Because I wasn't trying to obfuscate anything, just engaging in a bit of solipsism.
Admin
Wording was close enough, my nerd circuits got triggered.
Deranged, demented, close enough.
Admin
Ah. I have, of course, read that, and perhaps it was lurking somewhere in my subconscious, influencing what I wrote. My conscious thinking, however, was that my imagination must be demented to come up with you lot. :P
Admin
SEE? PHP developers CAN learn something from Java developers!
Admin
If you think that the multiverse is just as much a "saving the appearance" as were epicycles, in this case to hide the fact that String Theory has nothing under its trousers, space is not infinite; there is a finite number of worlds, a finite fraction is inhabited and the average population of all the planets in the universe is non-zero.
Alternatively we can just point to the error in saying that a fraction of an infinite number is finite. Even aleph-null divided by aleph-null is still aleph-null. So the whole argument falls down at that point.
Douglas Adams was doubtless confused because his old 68040-based Macs thought anything over 2 billion was NaN. Nowadays even a crappy mobile phone knows that integer infinity starts a little way beyond 8 * 10^18.
Admin
The other logic error is of course going from an average of 0 to a total of 0, particularly when he's just derived the average from a nonzero total. But I don't think the point of the passage was to construct an impeccable logical argument.
Admin
You know, I enjoy a good pedantic post as much as the next guy. But damn it, you guys pretty much managed to kill the original joke completely by this point.
Admin
It's not dead! It's just pining for the nulls…
Admin
Admin
Considering who wrote the book I think we can safely assume that it was the exact opposite of trying to make a solid logical argument!
Sure it sounds like a logical argument, but as with every other logical argument in 'The bible' / Guide, the individual bits seem ok, but the result is completely bonkers :smile: