<?php mail('Billing failure'); ?>



  • (Backstory: I'm responsible for maintaining the SELECT 0 as Hitler project.)

    The client who uses this project is moving from one hosting service to another. My manager forwards me an email from him, asking, among other things, to make sure a cronjob still works. I check back with the manager, because the one cronjob I know of is still being worked on and hasn't been delivered to the client yet... twenty minutes later, I get a reply that there's a cronjob the previous developer set up to update statistics. Statistics that are needed for the site owner to issue invoices to the site users for his services.
    Red flag 1: there's a script dealing with real money that nobody remembers.

    I take a look at the script. shebang invoking php... looks all right. Wait, wait, which folder was this in? cron/ inside DocumentRoot? With permissions at 777? And Apache is allowed to serve it... Lovely.

    Okay, moving on...
    "Er, Boss, how often did you say this is supposed to run?"
    "Every night, why?"
    "Cause it emails the <original developer> with the report of whether it succeeded or failed every time."
    "Oh... he deserves worse. Remove the mailing bit and make sure the rest works."
    Fun fact 42: you can see why the original developer no longer works here.

    I keep looking. Hmm, hardcoded mysql_connect credentials. Flip to KeePass, sure as hell, they're outdated. So is the database name.
    Red flag 2: "There's no way this could work."

    Now I'm wondering how badly this script is screwed. Hey, the script records statistics for each month, all I have to do is look at the db to see the latest records in the table. Open phpmyadmin, find the database and the table... "Records 0-25 of 26 displayed." Shiiiiiiiiiit. The only month recorded is 2008 February.
    Red flags 3 & 4: nobody has noticed so far.

    "Boss, there's a problem. <problem description>"
    "If I have to worry about this as well my head will burst. Just do what he asked, make sure the script works, and we'll deal with the invoices later."
    Well, I do what I'm told. The script is fixed and will run every night... until the next server move/db change.

    Bonus fun - see how EXPERT PROGRAMMERS escape HTML, and then copy paste the escapism around:

    while($row = mysql_fetch_assoc($res)) {
    	$out []= $row;
    }
    while(list($c,$row) = each($out)) {
    	foreach ($row as $k25 => $v25) {
    		if (!is_numeric($row[$v25])) {
    			$row[$k25] = htmlentities($row[$k25], ENT_QUOTES);
    		}
    	}
    }


  • You have my condolences...



  •  Oh god.  The most horrific part was when I realized what $k25 and $v25 meant.

     There are at least 24 more foreach loops with equally idiotically named $key and $value variables.



  • I don't think so.  It might be more accurate to say that there used to be 24 other loops with idiotic variables.  I doubt that all 24 are still in use and I expect you'll find that some of those loop variables are now being used as globals.



  • @Qwerty said:

    I don't think so.  It might be more accurate to say that there used to be 24 other loops with idiotic variables.  I doubt that all 24 are still in use and I expect you'll find that some of those loop variables are now being used as globals.


    I checked - there are no k1 to k24... there are, however, at least 20 copies of k25 and v25. With that same worthless is_numeric check, too.



  •  PHP is a wonderful language. It is easy for inexperienced programmers to write horrible software. And, the horrible software always gets rewritten by experienced programmers. Everyone wins!



  • @DCoder said:

    while(list($c,$row) = each($out)) {
        foreach ($row as $k25 => $v25) {
            if (!is_numeric($row[$v25])) {
                $row[$k25] = htmlentities($row[$k25], ENT_QUOTES);
            }
        }
    }

    Why does the is_numeric check use the value as the key for the array the value came from? I'm hoping that's a typo.



  • @Lingerance said:

    Why does the is_numeric check use the value as the key for the array the value came from? I'm hoping that's a typo.

    Somehow I fear it isn't...



  • No, it's not a typo. That's how it is (well, was when I found it), in all 20+ instances of this copypasta.
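
An added example, not part of the thread or the project's code: the loop as posted, ported to PHP 8 and run over constructed sample rows, next to escaping at output time. It shows that the is_numeric check never filters anything and that the escaped values never reach $out; the names escape_like_thread, h and render_rows are hypothetical.

```php
<?php
// Constructed sample rows standing in for mysql_fetch_assoc() results.
$out = [
    ['user' => 'alice',    'visits' => '42', 'note' => '<b>hi</b>'],
    ['user' => 'bob & co', 'visits' => '7',  'note' => "it's fine"],
];

// The thread's loop, ported to foreach because each() is gone in PHP 8.
// Behaviour kept: $row is a copy and the check looks up $row[<value>].
function escape_like_thread(array $out): array
{
    foreach ($out as $row) {
        foreach ($row as $k => $v) {
            // $row[$v] is normally a missing key, i.e. null, and
            // is_numeric(null) is false: every column takes the branch.
            if (!is_numeric($row[$v] ?? null)) {
                $row[$k] = htmlentities($row[$k], ENT_QUOTES);
            }
        }
        // The escaped copy in $row is dropped here; $out is never written.
    }
    return $out;
}

// Hypothetical helper: escape at the point of output into HTML.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical renderer: every cell goes through h(), numeric or not.
function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . implode('</td><td>', array_map('h', $row)) . "</td></tr>\n";
    }
    return $html;
}

// Shows whether the thread's loop changed anything, then the escaped table rows.
var_dump(escape_like_thread($out) === $out);
echo render_rows($out);
```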

