An anti-spam integration



  • So I got asked about integrating an anti-spam API into something, and before I accepted the gig, I looked at the WordPress and Drupal plugins.

    I've seen bad PHP before but damn. And if this is the sort of thing I'm seeing in their API, I refuse to believe their service is any better.

    First of all, I don't want to see a large number of commented out lines of code in a public plugin. I don't mean comments, I mean commented out code, almost as if it's experimental.

    Then I see shit like this in their build-a-POST routine:

        // as found in the plugin: seeds the legacy PRNG, then derives the multipart boundary from rand()
        srand((double)microtime()*1000000);
        $boundary = "---------------------".substr(md5(rand(0,32000)),0,10);

    Firstly... rand() is the shitty PRNG in PHP. Its random characteristics are known to be terrible, and it's been deprecated in favour of the Mersenne Twister since 4.2 or thereabouts. Considering that 5.0 was 2004... yeah.

    The class says it requires PHP 5.3+ but I see absolutely no reason why.

    And then there's the way they contact their server. There's multiple ways to do it in PHP. There's the cURL bindings. There's the streams setup (which is more modern and still a bit voodoo) or there's the time honoured method of opening the socket manually and building the POST request completely by hand... and this assumes the host has fsockopen even enabled.

    The code smell absolutely reeks. And that's even before the primary deal whereby you put their ad system/token/tracking code on login forms, comment forms, registration forms, with almost no way for the server to determine which it's actually getting.

    Terrible.
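The two lines quoted above, as an added example that is not the plugin's code or part of the original post: the weak boundary beside one drawn from a CSPRNG, and the same multipart POST sent through PHP's stream wrapper instead of a hand-built fsockopen request. The endpoint is a placeholder.

```php
<?php
// Added example (not the plugin's code): the boundary line from the post
// beside a CSPRNG version, and the multipart POST sent through PHP's
// stream wrapper instead of a hand-built socket.
// As posted: seeds the legacy PRNG, then draws one of only 32001 values.
function weakBoundary(): string
{
    srand((double)microtime() * 1000000);
    return "---------------------" . substr(md5(rand(0, 32000)), 0, 10);
}

// Hardened: random_bytes() is a CSPRNG (PHP 7+), needs no seeding, and
// 16 bytes is 128 bits of entropy against the ~15 bits drawn above.
function strongBoundary(): string
{
    return "---------------------" . bin2hex(random_bytes(16));
}

// Build a multipart/form-data body from string fields.
function multipartBody(array $fields, string $boundary): string
{
    $body = '';
    foreach ($fields as $name => $value) {
        // A boundary occurring inside a value would truncate that part.
        if (strpos($value, $boundary) !== false) {
            throw new InvalidArgumentException("boundary collides with '$name'");
        }
        $safeName = addcslashes($name, "\"\\");
        $body .= "--$boundary\r\n"
               . "Content-Disposition: form-data; name=\"$safeName\"\r\n\r\n"
               . "$value\r\n";
    }
    return $body . "--$boundary--\r\n";
}

// POST via the streams API: no fsockopen, no hand-written request line;
// the http wrapper adds Host and Content-Length itself.
function postForm(string $url, array $fields)
{
    $boundary = strongBoundary();
    $body = multipartBody($fields, $boundary);
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: multipart/form-data; boundary=$boundary\r\n",
        'content' => $body,
        'timeout' => 10,
    ]]);
    return file_get_contents($url, false, $ctx); // response body, or false
}
```

Call it as `postForm('https://api.example.invalid/check', ['comment' => 'hi'])`; the host is a placeholder, not the real service.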


  • Grade A Premium Asshole

    In the city I live in, there used to be a web development company that did everything via WP. Everything. They are a perfect example of how "if your only tool is a hammer, you treat all problems like nails".

    Seeing them on a resume is a pretty good indicator that the programmer is likely to do goofy stuff. I think at least part of that is WP's fault.



  • @Arantor said:

    First of all, I don't want to see a large number of commented out lines of code in a public plugin. I don't mean comments, I mean commented out code, almost as if it's experimental.

    I see a lot of that in compiled code, since the comments get removed. I'd worry about it either way, though, since it means that it's probably not being versioned correctly.

    @Arantor said:

    The class says it requires PHP 5.3+ but I see absolutely no reason why.

    That's probably the only version that they tested with.



  • Yup, the comment smell is definitely off-putting.

    As for testing, it's definitely looking like 5.2+ but there's nothing that relies on 5.3, not something like late static binding. Namespace support is too much to hope for.



  • @Intercourse said:

    In the city I live in, there used to be a web development company that did everything via WP. Everything. They are a perfect example of how "if your only tool is a hammer, you treat all problems like nails".

    Seeing them on a resume is a pretty good indicator that the programmer is likely to do goofy stuff. I think at least part of that is WP's fault.

    WP is great for API gluers. For actual programmers it inspires utter terror, or it should.

    Its entire design is predicated around how things were done years ago and they couldn't modernise if they wanted to.



  • To be fair, I work at a .NET shop that also provides packaged API wrappers in a slew of languages.
    We touch those things once every couple of years when a customer finds a bug. With only 4 developers on the team, we really don't have the time to go and research the right way to generate a random number in a language we don't use.

    Bad API wrappers alone do not necessarily indicate a bad service on the other end.


  • BINNED

    @Arantor said:

    there's the time honoured method of opening the socket manually and building the POST request completely by hand

    Is this the place where I can try and popularize the "Reverse Plumber" term?

    Nah, fsockopen is low level, this is just ignoring the higher level APIs completely. It's more like "Reverse Spanish Inquisition".



  • On the one hand I can see where you're coming from. The problem is I'm really not sure I agree in this case.

    That's one specific issue - aside from the small detail that even the shitty PRNG doesn't need manual seeding, their choice of bounds suggests they've read the manual and misinterpreted it (since there's a comment about how if you don't pass bounds to rand(), it'll be between 0 and getrandmax() which on some systems is 32767)

    But more than that, it's an overall code smell looking at the actual API - the non language specific stuff. There is, for example, the very implicit assumption that the IP address being supplied is the real one - there's not even a hint of a check for proxied IP addresses (not even checking things like the X-Forwarded-For header or X-Client-IP or even things like the CloudFlare IP transport)

    Thing is I couldn't really nail a specific thing wrong with it other than mentioned, it's just very whiffy.
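The proxied-IP assumption raised above, as an added example that is not the plugin's or the thread's code: resolve the client address an anti-spam check should see by trusting X-Forwarded-For only when the socket peer is one of our own proxies. The proxy ranges and the sample request are constructed.

```php
<?php
// Added example, not from the thread or the plugin: the client IP an
// anti-spam check should be given, trusting X-Forwarded-For only when the
// socket peer is a proxy we configured. Proxy ranges are constructed samples.
const TRUSTED_PROXIES = ['10.0.0.0/8', '203.0.113.10'];

// Is $ip in $range (a CIDR block or a single address)? IPv4 only, for brevity.
function ipInRange(string $ip, string $range): bool
{
    if (strpos($range, '/') === false) {
        return $ip === $range;
    }
    [$net, $bits] = explode('/', $range, 2);
    $mask = -1 << (32 - (int)$bits);
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $range) {
        if (ipInRange($ip, $range)) {
            return true;
        }
    }
    return false;
}

// $server mirrors $_SERVER. Walk X-Forwarded-For from the right, discarding
// trusted proxies; the first untrusted hop is the client. Anything left of
// it was supplied by the client and is ignored.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!isTrustedProxy($peer) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;   // direct connection, or no header worth trusting
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $peer;   // malformed header: fall back to the socket peer
        }
        if (!isTrustedProxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $peer;           // every hop was one of our proxies
}

// Constructed request: client 198.51.100.7 behind our proxy 10.0.0.5; the
// leading entry is client-supplied and must not win.
$sample = ['REMOTE_ADDR' => '10.0.0.5',
           'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.7, 10.0.0.9'];
```

`clientIp($sample)` walks past 10.0.0.9 and stops at 198.51.100.7; a request whose REMOTE_ADDR is not a listed proxy gets its socket address regardless of any header it sends.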



  • @Onyx said:

    Is this the place where I can try and popularize the "Reverse Plumber" term?

    Nah, fsockopen is low level, this is just ignoring the higher level APIs completely. It's more like "Reverse Spanish Inquisition".

    Sure, that's exactly it... but in this day and age with modern-written software there is no reason to ignore the higher level APIs when it will make the code cleaner to read/maintain and in all likelihood avoid issues with hosting platforms.


  • BINNED

    The only time I used fsockopen was followed 2 minutes later by the realization that I shouldn't be doing what I was trying to do in PHP anyway.

    fsockopen was not the actual reason though, it was the fact that it should sit on the system as a service continually listening for events. Meaning, PHP is not really the best idea ever.

    And then, a week later, I find a plugin that does exactly that...


    Filed under: Hammer, nails, you know the drill



  • Been there, done that, written my own daemons in PHP etc. etc. fully understand. I remember once thinking about this application I wanted to build and was trying to decide whether to abuse PHP or use Node.js. Lesser of two evils kind of thing.

    fsockopen is fine if you're doing something really strange like connecting to obscure services, or you're having to do it because the better methods aren't available, e.g. stuck with a shitty host that doesn't have the FTP extensions but you need to process stuff via FTP (long story) but for a simple POST, you shouldn't be getting down and dirty.

    Then again I could just be in the realm of arrogant/competent PHP dev.


  • BINNED

    As an aside, this was a case of connecting to a telnet port and processing output in realtime.

    Even if I kept doing it in PHP I'd give up at some point since the thing ended up being more complicated than the documentation would lead you to believe. Luckily, I have full control of machines this runs on, so there's now a C++ service happily chugging along, doing its thing, saving stuff to a DB and providing an interface to pull data from it at any time it's needed.



  • Yeah, that's the hammer/nails gig. In my case I was looking at doing a thing with socket.io and modestly decent scale pubsub stuff that Node.js is suited to but I hate JavaScript with a passion and I really think I don't get Node.js because I don't understand how it's ever going to be anything other than fucking long chains of nested callbacks.


  • BINNED

    Considered socket.io myself. Dropped support for the older browsers instead and went with a pure websocket implementation. Fuck it, old browser, no instant notifications. Upgrade or use the application without realtime shit. I'm not adding node.js to the stack just for you.



  • Yes, but you still have to have something to handle the relatively many idle connections which PHP really doesn't do so well.


  • BINNED

    That's why the websocket server is on the C++ side ;-)

    The only data that needs to be pushed through it is from the monitoring service anyway, so no point in doing it in PHP. Also, allows me to easily hook in mobile apps later on since both the service and the mobile apps are / will be written in Qt, so same libraries and everything.



  • That sounds rather intelligent.


  • BINNED

    Occasionally it happens even to me.



  • So too does modesty.



  • @Onyx said:

    Occasionally it happens even to me.

    @Arantor said:

    So too does modesty.

    You guys, [s]get a room[/s] [u]start a poetry topic[/u].



  • No, no, that was last night where I was writing poetry (on par with Vogon poetry, really) just to try and make some sense of the crap in my head and then it went all iambic pentameter.


  • BINNED

    @Arantor said:

    and then it went all iambic pentameter

    For us unwashed masses, is that a fancy term for "tits up"?



  • Shakespeare? 10 syllables to a line in an alternating di-dah/di-dah/di-dah/di-dah/di-dah rhythm?



  • (Note, I'm not suggesting I was any good at it.)


  • BINNED

    I know. I was being facetious.



  • Needs more di-dahs.


  • BINNED

    You realize we're now spamming the thread about anti-spam measures?



  • @Onyx said:

    For us unwashed masses, is that a fancy term for "tits up"?

    If you'd phrased this in iambic pentameter, it would have been the perfect trolling.



  • I delight in the irony of things.



  • @Keith said:

    If you'd phrased this in iambic pentameter, it would have been the perfect trolling.

    You know I checked before replying, right?


  • BINNED

    I was not sure of the exact definition. And too lazy to go research it.



    Agreed. We have only two developers. If we can get things to work and not break then it usually satisfies requirements. We try to do better and better, but yes, when you are only two people with give or take 150 websites in production, things can get overwhelming with only a small uptick in tasks. Sometimes we code so fast and furious that when I open that code I am amazed at what we produce under pressure (both good and bad).



  • I don't think I can speak in pentameter <<< but this was my best attempt.



  • Are you talking about this, perhaps?

    The fsockopen implementation is only used if you have an ancient version of WordPress.

    That is, any version since 6 years ago doesn't use the fsockopen code.

    The code requires PHP 5.3 because the rest of WordPress requires 5.3 and you can't run part of a PHP script with one interpreter and another part with a different interpreter.

    Do you have an ancient version of the plugin?



  • I just secured a server by disabling PHP.

    not really



  • Nope, I was not talking about Akismet - though Akismet is a clusterfuck in many ways.

    No, the anti spam integration I was talking about is not nearly as nice to work with as Akismet. And only has fsockopen.

    I know I'm usually the WTF but even I would be able to see if there were another code branch using any other option for file sending. As much as it might surprise some people, I'm not a total retard, just mostly ;)



  • If you are doing things "in-house" then that may be an unavoidable situation. If you are selling the product, then there should be a certain quality bar. If a company can not meet that quality bar they should not ship. Obviously, if they don't ship at some point, then they need to find another business to be in.



    It's not like that (of course I get your meaning). Here are the conditions that usually affect my world.

    Very manageable:
    Our vanilla install has the top billing components that clients like, and those components are groomed and re-groomed constantly by me and my coding partner. All clients start here.

    Where the rubber meets the road:
    But as we know one size doesn't fit all. Customizing to taste or creating new modules for our toolset is a frequent occurrence. Encouraged and enjoyed.

    Totally WTF:
    The one-off-flip-the-script-development-masturbation-sessions, e.g. not my native language and out of my element conceptual things like dealing with proprietary feeds that often change when hardware gets auto-patched, sending me into the trenches to patch bunk-o shit (e.g. keeping the patient on life support).

    Bonus points and sheer bloody mindedness:
    Non-essential functionality changes that don't affect the customer nor us. Just want something to change for fuck sake. Subjective? Possibly what I think is important may be different than others. But still it is a barrier to enjoying my work.

    The first part I can handle; the second part I can handle too. It's the third part that destroys me because it compounds expectation with what the client will pay for with a deadline. The fourth part attached to anything will send me over a balcony faster than anything else. Oh! One more.

    Cached mindfuck:
    The bane of all-on-the-fly changes we need to make in house. I have personally been victimized by this more times than I care to admit. Most of our tools are caching things on certain pages or entire modules or the tables and table data is cached or particular feeds are cached or text or XML files (not really cached but same effect) that can change don't change for whatever reason.

