- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Admin
Maybe $moduleID is sanitized earlier ;)
Admin
Nice Lovecraft-style there!
Admin
well, at least he now knows what to do for the next 20 years ... clean up the insanity piece by piece.
Admin
Yazeran.
Plan: To go to Mars one day with a hammer.
Admin
Hmm, TRWTF is the actual story itself :O
Well done guys - this is what thedailywtf should be like every day :-)
Admin
That... that is even worse than our PHP...
Admin
Hey that sounds like I know the code, from my first job. The guys there had a tendency to write similar stuff.
Admin
"Shed a year"? I could usefully shed several. Will re-reading the article achieve that?
Admin
"shed a year" - I just sucked one year of your life away. Be honest. How do you feel?
Admin
I think that's quite neat code. It's clearly been thought through well and responsibly, and the fact that error handling is minimal and cursory suggests that the function works really, really well.
Move along there, nothing to see.
Admin
And nobody even picked up on the sql injection issue.....
Admin
THIS is the only thing wrong with the query. Who cares about a redundant ORDER BY?
Admin
Admin
Admin
Sure, I'll shear a yed.
Admin
'; ...New SQL Statement for New Feature Here... ;'
to one of the results of one of those calls. Preferably to one that ends the query.
Admin
Admin
Because there isn't one. None of the underlying PHP mysql(i)_query functions will allow that second query to be executed.
Admin
It is because yed shearing follows the Julian Calendar.
Admin
Kind of FTFY, but it probably only executes one query so your plan is busted.
Really FTFY:
Admin
I've said it before: PHP is just a DSL for writing SQL injection entry points.
Admin
Not only do I think Simon wrote this, but I also think I know which particular Simon it was.
We've got tons of this in legacy PHP/SQL projects that a former employee, Simon, wrote while he was here.
Coincidence?
Admin
I've always felt eval() was a solution in search of a problem.
Admin
SELECT * in a production environment.
There's your sign.
Admin
I realise that this has many other problems, but I can't see why you think the ORDER BY is redundant. Databases are under no obligation to produce results in any particular order unless ORDER BY is specified. The order that results come out can and will change depending on the available indexes, and the exact query plan that the server chooses based on the statistics available. Adding or deleting data can cause the order to change. Adding or deleting indexes could cause the order to change even if you weren't intentionally using those indexes.
The application might not actually care in which order they come out, but that isn't explained in the article. That the column is called 'displayOrder' is a big clue that it actually does matter.
Admin
The point is, since moduleID is the primary key (and probably the unique key), there will only ever be one record returned from that query, thus an ORDER BY clause is redundant because you can't really order a single record.
TRWTF is indeed that no fucks were given to the blatant SQL injection hole.
Admin
I think the reason why the ORDER BY was considered redundant is because it's looking it up by
moduleIdwhich is (hopefully, if it's called an ID) unique. So it should only return one result. So an ORDER BY would be meaningless.Admin
Because the article stated that you're selecting by primary key, hence you will never get more than one item back. Sorting lists with less than two items is a bit silly.
Admin
Admin
i have seen worse code than this so i am questioning if this merits to be a wtf.
Admin
So why all the concern about SQL injection? If it's a system where everyone is trusted, is a responsible adult, knows what they're doing, and (possibly in some people's eyes the most important thing) has easier ways to destroy the system - then why be concerned?
Or does everyone have a belt and a pair of braces on their onesie just in case?
CAPTCHA: suscipit - not moving because of the suspicion that there may be a pit somewhere
Admin
Ia! Ia! SQLthulhu Fhtagn!
Admin
Dear co-worker of Nagesh: please submit his code to this site.
Admin
That's all fine and good until a responsible, trusted, but non-technical adult works on a record for Bobby Tables.
Admin
That site wouldn't exist if everyone would use PROPER programming language. All I see are PHP, C++, C# WTFs here, there are none Pascal or Delphi ones. Why? Obviously, because Pascal is a superior language.
And before you'll try to say it's because it's not popular, well many businesses both big and small uses Delphi or even legacy Turbo Pascal apps (for accounting, HR and similar tasks).
Hell, if you are game developer, you may be using program written in Delphi and not even realize it. GraphicsGale, popular pixelart editor is written in Delphi.
So if Pascal wouldn't be superior language, some Pascal/Delphi WTF would crop up on this site sooner or later, yet it didn't.
Admin
It's better if you read it backwards (bottom-to-top). That way:
You'll go mad from the unparenthesized nested ternaries first.
Then, the PHP-code-embedded-in-query-construction will hurt less.
By the time you've parsed enough to see what the query actually is, you'll be prepared to simply laugh maniacally at the SELECT * FROM That Which Is Not A Table.
After all that, when you reach the beginning, the mundane WTFery of a maybe-SQL-injection will be a breath of fresh air -- the beginning of the road back to sanity.
Admin
Your assumption is incorrect. Exhibit 1: The code in the article.
Admin
Note: my first programming language was Pascal, but I haven't touched it in like 10 years. It was cool.
Admin
Holy shit, it's a Cthulu-summoning Rube Goldberg machine of PHP and SQL.
I'm gonna go cry in a corner now.
Admin
Admin
Admin
At the very least, someday someone is going to enter John "The Man" O'Mally and get some weird SQL error instead of it working. In this case, it looks like the error would disappear, leading to silently disappearing entries and a likely accounting with some very unhappy people who lost a bunch of data attached to some valuable accounts.
Admin
This is one of the times where anything except complete rewrite won't cut it.
Admin
Did anyone else nearly pass out from sheer boredom from reading this?
Admin
Are you serious? You must be at the wrong site. This was one of the most well written stories I've seen here. Excellent!
Admin
Better than Hanzo? You've got to be kidding me!
Admin
Sorry, but no. Article stated that they originally assumed that what the SQL does is selecting by primary key. But that was obviously wrong assumption to start with. Unless you know the table and keys definitions, you are not allowed to assume anything like that just by looking at the select statement.
Admin
Admin
It is interesting that everyone considers returning anything other than raw data stored in database using SQL as a WTF yet all web programming languages - PHP, ASP(.NET), Javascript, and JSP just the name a few - are all about embedding and mixing just about every possible technology one can lay their hands on and this is considered normal, acceptable, and even cool. NoSQL databases are all about running any programming language you can think of against unstructured data sometimes containing XML, HTML, or JSON documents and returning back the something that could be even a reformatted web page and this is a great new idea that increases performance. Do the same in SQL and you have a WTF. I am not saying that returning PHP form database is a great idea but what is the difference between that and PHP (or JSP or ASP.NET) using embedded SQL (directly or via some fancy ORM) and generating HTML with embedded Javascript? Isn't the way modern web development works all a WTF on top of WTF?