Contact yourself!



  • Today I went to a mandatory off-site training about "web servers" and we had to "set up" a web server, you know the kind with IIS4 on WinXP. When we finally had to deal with Apache/PHP we had to install a website stub just for the exercise, something with chocolate, and there was a contact form in PHP which is WTFy, but that's only my point of view:

    <?php
    if (isset($HTTP_POST_VARS['B1']))
    {
        // test the values.
        $nom=trim(addslashes($HTTP_POST_VARS['nom']));
        $mail=trim(addslashes($HTTP_POST_VARS['mail']));
        $tableau=array();
        $tableau=Explode("@",$mail,2);
        echo $tableau[0];
        if ($nom=="" || $nom=="Nom")
        {
            echo "Veuillez rentrer un nom";          // "Please enter a name"
        }
        elseif ($mail=="")
        {
            echo "Rentrez une adresse mail";         // "Enter an e-mail address"
        }
        elseif (!isset($tableau[1]))
        {
            echo"Rentrez une adresse valide";        // "Enter a valid address"
        }
        else
        {
            if(!mysql_connect('localhost','root'))
            {
                Echo'Connection Impossible';         // "Connection impossible"
                exit();
            }
            else
            {
                Echo'Connexion réussie';             // "Connection successful"
            }
            Mysql_select_db('ybet');
            $requete="insert formulaire SET nom='$nom', mail='$mail'" ;
            $resultat=mysql_query($requete);
        }
    }
    $form="<form method=\"POST\">
    <p>Nom: <input type=\"text\" name=\"nom\" size=\"20\" value=\"Nom\"></p>
    <p>Votre adresse mail: <input type=\"text\" name=\"mail\" size=\"30\" value=\"Votre adresse mail\"></p>
    <p><input type=\"submit\" value=\"Envoyer\" name=\"B1\"></p>
    </form>";
    echo $form;
    ?>

    It's in French but I don't have time to translate it right now because I'm in class, but I have time to write a WTF!!

    So here is my list:

    • Using $HTTP_POST_VARS
      Almost as bad as using register_globals on
    • E-mail validation
      Well, this one is easy
    • Nested IFs
      If there are more fields, ouch
    • Using the mysql procedural interface
      Well, this one can be accepted
    • Connecting as 'root'
      Security breach
    • Why put the HTML of the form into a var and then echo it?


    • How about also echoing without using htmlspecialchars?
    • And then there's addslashes without checking if the server has magic quotes enabled (OK, you set it up yourself, so in theory...).
    • And then there's writing out the form even after accepting the message (in case you want to send another one?).
    • Not prefilling the form with the previous values if there's an error.
    • Wasting time by pointlessly declaring $tableau as an array, just before recreating it as an array (explode will return a completely new array).
    • Echo echo? echo Echo! cAsE iNSEnsitivITY iS Ugly.

    I suppose they have to start somewhere, but this is like death from a thousand papercuts, and a security hole.

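A hardened version of the form, added here as an example and not code from the original post. It addresses the points raised in the two posts above: a PDO prepared statement instead of SQL built from strings, a non-root database account, htmlspecialchars on everything echoed, every validation error collected and shown together, and the form refilled after an error. The database name and table come from the posted code; the `contact_form` account, its password, and PHP 7.4+ with PDO/MySQL are assumptions. magic_quotes_gpc was removed in PHP 5.4, so there is no addslashes/stripslashes juggling left to do.

```php
<?php
// Hardened contact form: added example, not the code from the original post.
// Assumed: PHP 7.4+ with PDO/MySQL, database 'ybet' and table
// formulaire(nom, mail) as in the posted code, and a dedicated DB account
// 'contact_form' (assumed name) that holds nothing but INSERT on that table.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=ybet;charset=utf8mb4';
const DB_USER = 'contact_form';   // not root: least privilege
const DB_PASS = 'change-me';      // placeholder; read it from config, not source

// HTML-escape for output. Every user-controlled value passes through this.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one text field from the POST body; arrays (nom[]=x) count as empty.
function field(string $name): string
{
    $v = $_POST[$name] ?? null;
    return is_string($v) ? trim($v) : '';
}

// Run every check and return the full list of errors (empty list = valid),
// so the user sees all problems at once instead of one per round trip.
function validate(string $nom, string $mail): array
{
    $errors = [];
    if ($nom === '' || $nom === 'Nom') {
        $errors[] = 'Please enter a name';
    }
    // Minimal syntax check, as suggested in the thread: an '@' with something
    // on both sides. Whether the mailbox exists is only proven by sending to it.
    $at = strrpos($mail, '@');
    if ($mail === '') {
        $errors[] = 'Please enter an e-mail address';
    } elseif ($at === false || $at === 0 || $at === strlen($mail) - 1) {
        $errors[] = 'Please enter a valid e-mail address';
    }
    return $errors;
}

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side parameters
    ]);
}

// The values travel as parameters and never become part of the SQL text,
// so there is no quoting or escaping of them to get wrong.
function store(PDO $db, string $nom, string $mail): void
{
    $stmt = $db->prepare('INSERT INTO formulaire (nom, mail) VALUES (:nom, :mail)');
    $stmt->execute([':nom' => $nom, ':mail' => $mail]);
}

$errors = [];
$nom    = field('nom');
$mail   = field('mail');

if (isset($_POST['B1'])) {
    $errors = validate($nom, $mail);
    if ($errors === []) {
        try {
            store(connect(), $nom, $mail);
            echo '<p>Thank you, your details have been recorded.</p>';
            $nom = $mail = '';          // clear the form after success
        } catch (PDOException $e) {
            error_log($e->getMessage());                    // details go to the log,
            $errors[] = 'Your request could not be saved';  // not to the client
        }
    }
}

foreach ($errors as $err) {
    echo '<p class="error">', h($err), '</p>';
}
?>
<form method="post">
<p>Name: <input type="text" name="nom" size="20" value="<?= h($nom) ?>"></p>
<p>Your e-mail address: <input type="text" name="mail" size="30" value="<?= h($mail) ?>"></p>
<p><input type="submit" value="Send" name="B1"></p>
</form>
```

Create the account with only what the form needs, e.g. `GRANT INSERT ON ybet.formulaire TO 'contact_form'@'localhost';`, so that an injection or logic bug anywhere on the same connection cannot read or drop other data. `ATTR_EMULATE_PREPARES => false` makes PDO send the statement and the values separately to the server instead of interpolating escaped values client-side; `ERRMODE_EXCEPTION` turns the silent failure of the original `mysql_query` call into an error that is logged rather than swallowed or leaked to the browser.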

  • Discourse touched me in a no-no place

    @ltouroumov said:

    something with chocolate
    Que?

    E-Mail validation
    Well this one is easy
    They're checking that there's at least one @ sign in there and there's stuff before and after it. Ok, they could probably check for a period in the bit on the right of it, but quite how much validation do you think should be done in PHP?

    Hint: regex is not the solution, and beyond checking that the host has MX records, then sending a verification email to the address submitted, not much else from what's above should be done.

    @ltouroumov said:
    Nested IFs
    If there are more fields, ouch
    That indentation doesn't ring true. You have a series of if/else/else/else clauses with each subsequent clause unnecessarily indented even further.


  • The test website was about an online chocolate store, because I work in switzerland.

    Well, regexp is perhaps not the best solution, but at least it's better than this.

    And when a field validation fails it should just add the message to a list and then print all the messages.

    Hopefully it's not production code (I guess)


  • Discourse touched me in a no-no place

    @ltouroumov said:

    Well Regexp is perhaps not the best solution but at leas it's better than this.
    Better in this context would mean that regex would both pass more valid email addresses and stop more invalid emails, and most regex implementations found with a quick google are notorious for stopping perfectly valid email addresses. (Perhaps the most commonly incorrectly refused as invalid in use these days is a + in the local part, which GMail, among others, allows users to use to tag incoming emails.)



  • @ltouroumov said:

    Echo'Connection Impossible';
    Trlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrl... prrrlum!

    Pum, pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum--

    Neeneeneeee.. Neeneeneeeee.. Neeneeneeeee..

    Neah-neah!

    ...



  • Technically it's valid to have an email address that looks like this:

    "Quoted string containing spaces and other normally-invalid characters, like a 2nd @!"@[IP.AD.DR.ESS]

    Good luck finding a website that does validation and doesn't stumble on that one...



  •  Why don't you first find an ISP / mail server which allows you to configure such an email address for yourself...

     



  •  (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])

     

    Supposedly this matches any RFC 2822 e-mail address. I only tested a few - it allows the + in the local part. Personally I would never use a regexp for something like an e-mail; just check a few basics and get on with it.



  • Shouldn't a contact form, um, contact someone?



  • And addslashes IS NOT safe against SQL injection. You need to use mysql_real_escape_string for that.



  • @Daid said:

    You need to use mysql_real_escape_string for that.

    Only if you're using MySQL.



  • @bannedfromcoding said:

    @Daid said:
    You need to use mysql_real_escape_string for that.
    Only if you're using MySQL.

    And only if you're not using parametrised queries. Which you should.

    (of course, you still need to escape html before outputting to the client, but that's completely separate)

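Two inputs that addslashes() does not neutralise, as an added example backing up the three posts above (it is not code from the thread). The inputs are constructed for the demonstration; the charset part needs the mbstring extension.

```php
<?php
// Added example, not from the thread: two inputs that addslashes() leaves
// exploitable. The inputs are constructed; the charset part needs mbstring.
declare(strict_types=1);

// 1. Unquoted context. addslashes() escapes only ' " \ and NUL, so a payload
//    that needs none of them passes through untouched.
function lookup_by_id(string $id): string
{
    return 'SELECT nom, mail FROM formulaire WHERE id = ' . addslashes($id);
}

// 2. Multibyte context. addslashes() is byte-oriented and knows nothing about
//    the connection charset. Under GBK the byte pair 0xBF 0x5C is one valid
//    character, so the backslash it puts before the quote is swallowed as a
//    trail byte and the quote itself stays live. (UTF-8 is not affected:
//    its continuation bytes are 0x80-0xBF, never 0x5C.)
function insert_mail(string $mail): string
{
    return "INSERT formulaire SET mail='" . addslashes($mail) . "'";
}

// What a server with a GBK connection charset sees before parsing the statement.
function as_gbk_server_sees(string $sql): string
{
    return mb_convert_encoding($sql, 'UTF-8', 'GBK');
}

// Number of single quotes not preceded by a backslash. One properly escaped
// string literal contributes exactly two: its opening and closing quote.
function live_quotes(string $sql): int
{
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$id  = '1 OR 1=1';
$raw = insert_mail("\xbf\x27 OR 1=1 -- ");   // byte 0xBF, then a single quote

printf("%s\n", lookup_by_id($id));                                 // WHERE id = 1 OR 1=1
printf("escaped bytes: %s\n", bin2hex(addslashes("\xbf\x27")));    // bf5c27
printf("live quotes: %d as bytes, %d once decoded as GBK\n",
    live_quotes($raw), live_quotes(as_gbk_server_sees($raw)));     // 2 and 3
```

mysql_real_escape_string() closes the second hole only when the client library knows the connection charset, which means setting it through mysql_set_charset() rather than with a `SET NAMES` query the library never sees; it does nothing for the first hole, because no escaping helps where there are no quotes to escape. Bound parameters avoid both, since the values are never part of the statement text at all.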


  • @ltouroumov said:

    if om ($nom=="" || $nom=="Nom")



  • @Thief^ said:

    And only if you're not using parametrised queries. Which you should.

    TRWTF is that PHP's standard MySQL interface doesn't support parameterized queries (at least not last time I worked with PHP). Sure, you could use MySQLi, but I've had some bizarre and frustrating issues with that.


  • Trolleybus Mechanic

    @derula said:

    @ltouroumov said:
    if om ($nom=="" || $nom=="Nom")
     

    Wow, those French people must be missing out on all the Cookie Monster jokes.

    "He eats a biscuit saying 'Name, name, name'!  Why is that funny?"



  • @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.



  •  Meh, it's crappy PHP, but you said it was part of a class on setting up web servers, so who cares?



  • @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    When can we get a new RFC that outlines sane email addresses?  "Emails will be some letters and numbers and maybe some periods (or a plus for all those Gmail people), then an @ symbol, then some more letters and numbers and dots."


  • @bstorer said:

    @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    When can we get a new RFC that outlines sane email addresses?  "Emails will be some letters and numbers and maybe some periods (or a plus for all those Gmail people), then an @ symbol, then some more letters and numbers and dots."

    Also: case-fucking-insensitive, amirite?  Seriously, though, e-mail is such a piece of shit and there is so much wrong with SMTP, POP and IMAP that will never be fixed.



  • @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    [code]^.*$[/code]

    This will match all valid e-mail addresses. If you want to filter out invalid ones, send an e-mail and request a confirmation. I cannot imagine a context where f3+*/}43t#@@d.@#$d. would be a "bad" value to have, while non_existing_address@example.com would be okay. If I need to send someone an e-mail, I do not care what shenanigans they have in their address, as long as they can receive the message.



  • @Abdiel said:

    This will match all valid e-mail adresses.

    You know what I meant, dickhole.

     

    @Abdiel said:

    If you want to filter out invalid ones, send an e-mail and request a confirmation. I can not imagine a context where f3+*/}43t#@@d.@#$d. would be a "bad" value to have, while non_existing_address@example.com would be okay. If I need to send someone an e-mail, I do not care what shenanigans they have in their address, as long as they can receive the message.

    The problem with this is that the invalid ones can quickly jam up a mail queue.  Plus, if your site gets any traffic at all, spammers are going to discover your form and try to spam the shit out of it.  So all this talk about validating email addresses is kind of pointless.  I've never had an app where that was important.  A much higher priority was tracking failed addresses and blacklisting the IPs the web requests were coming from to combat spam.  I figure if it has an @ symbol in it, it's good enough.



  • @morbiuswilters said:

    Also: case-fucking-insensitive, amirite?  Seriously, though, e-mail is such a piece of shit and there is so much wrong with SMTP, POP and IMAP that will never be fixed.
    Local part of the e-mail is left to the interpretation of the receiving server anyway. Practically the only limitation there is that you can't have two consecutive periods (also, it can't begin or end with a period). Why period? Beats me.



  • @ender said:

    Local part of the e-mail is left to the interpretation of the receiving server anyway.

    Yes, I know, but that's fucking annoying because it makes interaction between different clients and servers problematic.  I would prefer that the rules for the LHS just be simplified dramatically (who the shit needs comments?  or case sensitivity?)



  • @TarquinWJ said:

    • Echo echo? echo Echo! cAsE iNSEnsitivITY iS Ugly.

     

    It's better than the alternative.  At least if you don't have case sensitivity you can't abuse it.  Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.



  • @Mason Wheeler said:

    Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.
     

    You should have a pretty long throttle list then.



  • @Mason Wheeler said:

    Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.
     

    Hi, I'm the guy who writes the MSDN sample code. You wanted to see me?



  • @Mason Wheeler said:

    @TarquinWJ said:

    • Echo echo? echo Echo! cAsE iNSEnsitivITY iS Ugly.

     

    It's better than the alternative.  At least if you don't have case sensitivity you can't abuse it.  Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.

     

    In C#, you can do shit like:

    [code]Item.Item Item = new Item.Item(global::Item.Item.Item);[/code]

    For those keeping track at home, the hypothetical class structure would be:

    [code]namespace Item {
    class Item {
    public Item(int i) {}
    public static int Item = 123;
    }
    }[/code]

    By the way, who the hell designed this forum software?



  • Wow...totally right.  Why the fuck wouldn't they have a multi-tier enterprise solution as an example for setting up web servers.  What a bunch of dumbasses.  I mean, wasn't PHP best practices the whole point of the training?  Jesus, MY one-day web-server admin training course includes a Facebook clone before lunch!  Fags.



  • @pkmnfrk said:

    In C#, you can do shit like:

    [code]Item.Item Item = new Item.Item(global::Item.Item.Item);[/code]

    For those keeping track at home, the hypothetical class structure would be:

    [code]namespace Item {
    class Item {
    public Item(int i) {}
    public static int Item = 123;
    }
    }[/code]

     

    Ugh!  Just when you thought it wasn't possible to take an ugly hack from C++ and make it any worse...



  • @Mason Wheeler said:

    Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.
    Perhaps you should consider another profession if you are easily confused by common naming conventions.



  • @toth said:

    @Thief^ said:
    And only if you're not using parametrised queries. Which you should.

    TRWTF is that PHP's standard MySQL interface doesn't support parameterized queries (at least not last time I worked with PHP). Sure, you could use MySQLi, but I've had some bizarre and frustrating issues with that.

    The "standard" MySQL interface is PDO, which does indeed support (and reasonably enforce) parameterized queries.



  • @Zecc said:

    Trlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrlrl... prrrlum!

    Pum, pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum, pum.

    Pum-pum-pum--

    Neeneeneeee.. Neeneeneeeee.. Neeneeneeeee..

    Neah-neah!

    ...

     

    YOU'RE A MODEM



  • @blakeyrat said:

    @toth said:
    @Thief^ said:
    And only if you're not using parametrised queries. Which you should.

    TRWTF is that PHP's standard MySQL interface doesn't support parameterized queries (at least not last time I worked with PHP). Sure, you could use MySQLi, but I've had some bizarre and frustrating issues with that.

    The "standard" MySQL interface is PDO, which does indeed support (and reasonably enforce) parameterized queries.

    mysql_connect() and friends (which I was referring to) is not PDO, is it?



  • @toth said:

    @blakeyrat said:
    @toth said:
    @Thief^ said:
    And only if you're not using parametrised queries. Which you should.

    TRWTF is that PHP's standard MySQL interface doesn't support parameterized queries (at least not last time I worked with PHP). Sure, you could use MySQLi, but I've had some bizarre and frustrating issues with that.

    The "standard" MySQL interface is PDO, which does indeed support (and reasonably enforce) parameterized queries.

    mysql_connect() and friends (which I was referring to) is not PDO, is it?

    No, it's not. But it's also deprecated legacy code; you're supposed to be using PDO. PDO is the standard PHP interface to all database engines, including MySQL.

    Edit: Also I recently read that all non-PDO DB functions will be removed in the next PHP version. Take that with a grain of salt, especially since I can't dig up the article link anymore.



  • @pkmnfrk said:

    @Mason Wheeler said:

    @TarquinWJ said:

    • Echo echo? echo Echo! cAsE iNSEnsitivITY iS Ugly.

     

    It's better than the alternative.  At least if you don't have case sensitivity you can't abuse it.  Every time I have to debug C windowing code and I see someone declaring a variable like "HWND hwnd;" I just wanna hunt them down and throttle them.

     

    In C#, you can do shit like:

    [code]Item.Item Item = new Item.Item(global::Item.Item.Item);[/code]

    For those keeping track at home, the hypothetical class structure would be:

    [code]namespace Item {
    class Item {
    public Item(int i) {}
    public static int Item = 123;
    }
    }[/code]

    By the way, who the hell designed this forum software?

    ...Can't you do that in, say, Java, too?



  • @toth said:

    mysql_connect() and friends (which I was referring to) is not PDO, is it?
    No it isn't. PDO is PDO. Odd that the mysql extension functions aren't marked deprecated, IIRC the default php.ini advises against enabling it.



  • @Lingerance said:

    @toth said:
    mysql_connect() and friends (which I was referring to) is not PDO, is it?
    No it isn't. PDO is PDO. Odd that the mysql extension functions aren't marked deprecated, IIRC the default php.ini advises against enabling it.

    Yah, after saying they were deprecated, I looked it up and they... aren't...?

    Which is really odd because I could swear the last time I worked with PHP (about 3 years ago) they were... maybe I'm just crazy.

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.



  • And here I was expecting a tale where someone actually told you to contact yourself.  For example: A few years back, the service I run went down during the day.  First thing I did was to call the helpdesk, to let them know we were on the job.  I told them, "Please attach all the incoming calls for <service failure> to a single ticket.  Also, add a status message to the helpdesk system greeting."  Instead they put in a ticket for my call, and assigned it to me - the first[1] of several hundred separate tickets for that issue.

    [1] Sometimes, I'm quick like that.  Of course, I have the advantage of having the helpdesk number on speed dial, and the average user apparently needs to look at an average of three different websites (which all display the helpdesk number as a contact point at the bottom of the page) before they can find the helpdesk phone number.  Especially when the servers I run are down, as they're one of the few websites on the intranet that also display the helpdesk number in the middle of the main page.



  • @blakeyrat said:

    @Lingerance said:
    @toth said:
    mysql_connect() and friends (which I was referring to) is not PDO, is it?
    No it isn't. PDO is PDO. Odd that the mysql extension functions aren't marked deprecated, IIRC the default php.ini advises against enabling it.

    Yah, after saying they were deprecated, I looked it up and they... aren't...?

    Which is really odd because I could swear the last time I worked with PHP (about 3 years ago) they were... maybe I'm just crazy.

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.

    I also find this really odd, as when I was doing some PHP code a couple of months ago, not only did I Google how to do mysql queries and find the older stuff deprecated, but I also recall looking into PDO and seeing how to do parameterized queries.

    That having been said, I could've easily been rather confused at the time - I was reeling from the WTF code that I'd been asked to help with.  (Off-topic for this site, however - it was pure amateur code.  The author was self-taught in Java, so when he needed to do a web site, he thought, "I don't know any web programming languages.  I'll just use PHP without training.  What's the worst that could happen?")



  • @dhromed said:

    YOU'RE A MODEM

     

    Quick!  Call me a taxi!


  • Garbage Person

    @blakeyrat said:

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.
    Immortal-by-inertia. Seriously. Take away mysql_connect and NO PHP app I've ever seen will run, nor will any of the community documentation be useful. I've worked extensively in PHP (not by choice) and I've never even stumbled across PDO in my "How the fuck do database shit in this godawful language again?" Googlequests.



  • @blakeyrat said:

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.
    <cheap-shot>Like C++.</cheap-shot>



  • @Weng said:

    I've never even stumbled across PDO in my "How the fuck do database shit in this godawful language again?" Googlequests.

    Maybe you should stop swearing at Google; it might give you better results.  It was my fourth hit this time.  Of course, that having been said, it should be easier to get it to be the top hit.  I've tried five queries tonight, and the only one that had it come in as hit number one included "PDO" in the search.

    I can't remember exactly what I searched for a couple of months ago - it was inspired significantly by the code that I was trying to fix.  For what it's worth, this was code of the "'select * from table' to get a list of IDs to individually 'select * from table where id = $id'" variety, so pretty horrible.  My mind normally just kinda veers away from that, so even if I did recall the inspiration, I'd second-guess myself and refuse to believe I was right.

    I've mostly been avoiding PHP, but I've seen one app that used PDO.  Admittedly, this is the one I fixed a couple of months back, and it only used it after I fixed it.  (I didn't change it to PDO as the fix - I changed it to PDO in the process of the fix, because the first 5-8 search results I turned up were all nearly as bad as the code I was trying to fix; the PDO examples were the first I found that actually looked reasonable.)



  • @Weng said:

    @blakeyrat said:

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.
    Immortal-by-inertia. Seriously. Take away mysql_connect and NO PHP app I've ever seen will run, nor will any of the community documentation be useful. I've worked extensively in PHP (not by choice) and I've never even stumbled across PDO in my "How the fuck do database shit in this godawful language again?" Googlequests.

    That's exactly the thing I hate about PHP: there is no damn way to find any semi-decent help which would feature code samples not belonging to this site. I consider myself a PHP newbie, but even I can say that 95% of the PHP code I find on the 'net is horribly ugly at best, broken (parser errors!) at worst. Including php.net.



  • @tgape said:

    @Weng said:
    I've never even stumbled across PDO in my "How the fuck do database shit in this godawful language again?" Googlequests.

    Maybe you should stop swearing at Google; it might give you better results.  It was my fourth hit this time.  Of course, that having been said, it should be easier to get it to be the top hit.  I've tried five queries tonight, and the only one that had it come in as hit number one included "PDO" in the search.

    I can't remember exactly what I searched for a couple of months ago - it was inspired significantly by the code that I was trying to fix.  For what it's worth, this was code of the "'select * from table' to get a list of IDs to individually 'select * from table where id = $id'" variety, so pretty horrible.  My mind normally just kinda veers away from that, so even if I did recall the inspiration, I'd second-guess myself and refuse to believe I was right.

    I've mostly been avoiding PHP, but I've seen one app that used PDO.  Admittedly, this is the one I fixed a couple of months back, and it only used it after I fixed it.  (I didn't change it to PDO as the fix - I changed it to PDO in the process of the fix, because the first 5-8 search results I turned up were all nearly as bad as the code I was trying to fix; the PDO examples were the first I found that actually looked reasonable.)

    I've used PDO for 3 years now.  I still use the mysql_* functions in quick-and-dirty CLI scripts, because it's fine for that.  Prior to using PDO, I used my own class for years that was basically the same thing as PDO, just wrapping the mysql_* functions.  I like PHP a lot, but I realize that 99% of stuff written in it is shit (compared to 95% for most other languages).  Still, there are competent programmers who can write very good code in PHP.  It's just that so many newbies gravitate towards PHP because it has a large install base and it's one of the most ready out-of-the-box web app platforms out there.



  • @Abdiel said:

    @Weng said:

    @blakeyrat said:

    Well, they're a new category that isn't technically deprecated, but you still shouldn't use it.
    Immortal-by-inertia. Seriously. Take away mysql_connect and NO PHP app I've ever seen will run, nor will any of the community documentation be useful. I've worked extensively in PHP (not by choice) and I've never even stumbled across PDO in my "How the fuck do database shit in this godawful language again?" Googlequests.

    That's exactly the thing I hate about PHP: there is no damn way to find any semi-decent help which would feature code samples not belonging to this site. I consider myself a PHP newbie, but even I can say that 95% of the PHP code I find on the 'net is horribly ugly at best, broken (parser errors!) at worst. Including php.net.

    Outside of the official documentation, php.net is useless.  The code examples in the docs aren't even that good, but at least they work.  The comments are just a pit of despair.



  • @Thief^ said:

    Technically it's valid to have an email address that looks like this:

    "Quoted string containing spaces and other normally-invalid characters, like a 2nd @!"@[IP.AD.DR.ESS]

    Good luck finding a website that does validation and doesn't stumble on that one...

     

     Hell, I have trouble finding sites that will accept the plus (+).



  • @SQLDave said:

    Hell, I have trouble finding sites that will accept the plus (+).
    Luckily, those sites accept a period '.', which Gmail completely ignores, so you can use that for separating your mail too. It's not so easy to think up combinations you've not already used, though.



  • @morbiuswilters said:

    @BC_Programmer said:

    supposedly this matches any  RFC 2822 E-mail address.

    No, it doesn't.  It's impossible for a regex to match all valid RFC 2822 addresses.  Of course, if someone is including nested comments or other rarely-used features in their email address, I say fuck 'em.

    Presence of mind check: why would anyone want RFC 2822 (or, for that matter, RFC 822) email address validation?  It's RFC 2821.4.1.2 (previously RFC 821.4.1.2) that states what email addresses are valid for delivery.  RFC 2821 email addresses can't have comments, period, so they're much easier to validate with a regex.

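A validator for the RFC 5321 Mailbox syntax (the current revision of the RFC 2821 section 4.1.2 grammar the post above points at), added here as an example; it is not code from the thread. Because that grammar has no comments or folding whitespace, a single anchored regex covers the local part and the domain, and the bracketed address literal is checked with filter_var. Length limits are the ones in RFC 5321 section 4.5.3.1; the General-address-literal form (tagged literals other than IPv6) is left out. The sample addresses are constructed, the quoted one being the shape given earlier in the thread with a real IPv4 literal. Passing the check means the string is a syntactically valid mailbox, not that anyone reads it; as several posts say, that still takes a verification mail.

```php
<?php
// RFC 5321 section 4.1.2 Mailbox syntax checker. Added example, not from the
// thread. Lengths per RFC 5321 section 4.5.3.1. General-address-literal
// (tagged literals other than IPv6) is not supported.
declare(strict_types=1);

// atext from RFC 5322 section 3.2.3; '/' is escaped for the PCRE delimiter.
const ATEXT         = '[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~-]';
const DOT_STRING    = ATEXT . '+(?:\.' . ATEXT . '+)*';
const QTEXT_SMTP    = '[\x20\x21\x23-\x5b\x5d-\x7e]';   // printable except " and \
const QPAIR_SMTP    = '\\\\[\x20-\x7e]';                 // backslash + any printable
const QUOTED_STRING = '"(?:' . QTEXT_SMTP . '|' . QPAIR_SMTP . ')*"';
const LOCAL_PART    = '(?:' . DOT_STRING . '|' . QUOTED_STRING . ')';
const SUB_DOMAIN    = '[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?';  // Let-dig [Ldh-str]
const DOMAIN        = SUB_DOMAIN . '(?:\.' . SUB_DOMAIN . ')*';

function is_rfc5321_mailbox(string $addr): bool
{
    if (strlen($addr) > 254) {        // Path is limited to 256 octets incl. "<" and ">"
        return false;
    }
    // Split at the last '@': a quoted local part may itself contain '@'.
    $at = strrpos($addr, '@');
    if ($at === false) {
        return false;
    }
    $local  = substr($addr, 0, $at);
    $domain = substr($addr, $at + 1);
    if ($local === '' || strlen($local) > 64 || $domain === '' || strlen($domain) > 255) {
        return false;
    }
    if (!preg_match('/\A' . LOCAL_PART . '\z/', $local)) {
        return false;
    }
    if ($domain[0] === '[' && substr($domain, -1) === ']') {     // address-literal
        $lit = substr($domain, 1, -1);
        if (stripos($lit, 'IPv6:') === 0) {
            return filter_var(substr($lit, 5), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
        }
        return filter_var($lit, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    }
    return preg_match('/\A' . DOMAIN . '\z/', $domain) === 1;
}

// Constructed sample inputs with the expected verdict.
function samples(): array
{
    return [
        'user+tag@example.com'                                   => true,  // '+' is plain atext
        'first.last@sub.example.co.uk'                           => true,
        '"quoted string, with spaces and a 2nd @!"@[192.0.2.1]'  => true,  // the shape from the thread
        'a@[IPv6:2001:db8::1]'                                   => true,
        'a..b@example.com'                                       => false, // consecutive dots
        '.a@example.com'                                         => false, // leading dot
        'a.@example.com'                                         => false, // trailing dot
        'a@-example.com'                                         => false, // label starts with '-'
        'a@[999.0.2.1]'                                          => false, // not an IPv4 address
        'user(comment)@example.com'                              => false, // comments are RFC 5322 only
        'no-at-sign.example.com'                                 => false,
    ];
}

foreach (samples() as $addr => $expected) {
    $got = is_rfc5321_mailbox($addr);
    printf("%s %-55s %s\n", $got === $expected ? 'ok  ' : 'FAIL', $addr, $got ? 'valid' : 'invalid');
}
```

The split at the last `@` rather than the first is what lets the quoted form from the thread through while still rejecting a second bare `@` in a dot-string local part, and the 64/255/254 octet checks run before the regex so an oversized input never reaches the backtracking engine.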
