Yet another ugly web app
-
Posting abominations in PHP here is like shooting fish in a barrel, unfortunately, but every once in a while I come across something that is worse than the average clueless script kiddie product.
High points of this one (a form I had to add a new field to):
- GET is used indiscriminately for all forms in the page, including those that result in database entries.
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
- Input validation (required fields, etc.) is done on the "preview" action, but not the "send" action, so it's possible to send unvalidated data by simple modification of the URL.
- Absolutely no protection against SQL injection.
Oh, and this one just does it: After the form is sent and saved in the database, it may be viewed in printer-friendly format.
Now, professionals implement printer-friendly formats by using the "media" attribute in CSS stylesheet links. Less experienced programmers might use an extra URL parameter as in script.php?id=800&print=on.
What does our script do?
There is a separate file, scriptprint.php. This file does not take the ID of the request that was just saved. Instead, it takes the ENTIRE data entered in the form, also of course inside URL parameters. The page renders a link to scriptprint.php with all this data.
Oh, and the data is of course not passed in separate arguments - far too easy. Instead, the data is imploded with a ";" delimiter and then split back up in printscript.php. This has the added advantage of removing the names from these values and making them accessible only by their numerical position in this long array.
Excuse me while I wash my brain with acid. :(
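For contrast, here is an added example (not the script from the post) of the same preview/send dispatcher with the listed flaws closed: state-changing actions require POST, the same validate() runs for both preview and send, the insert uses a prepared statement, and the printable view is reached by record id instead of the re-encoded form. It assumes a PDO connection in $pdo and a table named requests with columns name, email and message; both are assumptions, as is the scriptprint.php?id= lookup.

```php
<?php
// Added example, not the original script. Assumed: $pdo is an open PDO
// connection and the table "requests" has columns name, email, message.
declare(strict_types=1);

const FIELDS = ['name', 'email', 'message'];

/** Same validation for preview AND send, so skipping preview gains nothing. */
function validate(array $in): array
{
    $errors = [];
    foreach (FIELDS as $f) {
        if (!isset($in[$f]) || trim((string)$in[$f]) === '') {
            $errors[] = "Field '$f' is required";
        }
    }
    if (isset($in['email']) && filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address';
    }
    return $errors;
}

/** Prepared statement: user data is bound as parameters, never spliced into SQL. */
function send(PDO $pdo, array $in): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO requests (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([
        ':name'    => $in['name'],
        ':email'   => $in['email'],
        ':message' => $in['message'],
    ]);
    return (int)$pdo->lastInsertId();
}

/** Hypothetical helper: HTML-escape before echoing anything user-supplied. */
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

$action = $_GET['action'] ?? 'form';

if ($action === 'send' || $action === 'preview') {
    // Only POST may preview or send: a reload or a crawler fetching a GET URL
    // cannot create rows, and the form data is not carried in the URL.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    $errors = validate($_POST);
    if ($errors) {
        foreach ($errors as $e) echo '<p>' . h($e) . '</p>';
        exit;
    }
    if ($action === 'send') {
        $id = send($pdo, $_POST);
        // Post/Redirect/Get: the print view receives only the record id and
        // re-reads the row itself (assumed lookup, not shown here).
        header('Location: scriptprint.php?id=' . $id, true, 303);
        exit;
    }
    // preview: echo the validated fields back; a confirm form would POST action=send
    foreach (FIELDS as $f) echo '<p>' . h($f) . ': ' . h($_POST[$f]) . '</p>';
} else {
    echo '<form method="post" action="script.php?action=preview">...</form>';
}
```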
-
@Arancaytar said:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
Not necessarily bad, could be an implementation of the "front controller" design pattern. Which, of course, would at least mean that the main script delegates the real work to some other scripts...
-
Doesn't, unfortunately. It's a one-script setup (aside from the print view I mentioned); it works a bit like this.
<?php
// Everything is dispatched on the "action" URL parameter, and all input comes from the GET query string.
$action = $HTTP_GET_VARS['action'];
if ($action == 'send') send($HTTP_GET_VARS);      // inserts into the database; no validation on this path
else if ($action == 'preview') {
    validate($HTTP_GET_VARS);                     // validation happens only on preview
    preview($HTTP_GET_VARS);
} else form();
Bonus points for at least using functions, I guess; it could have lumped all the code into one huge if-else block.
-
With proper validation of input there's absolutely nothing wrong with the first 3 points you make. The last 2 are inexcusable however.
The rest is just bad.....
-
Technically, the first point is at least a major WTF, though maybe not inexcusable. GET is meant to be idempotent and cacheable. If I reload the page ten times, it's not supposed to cause any problems on the database end, and if Google decides to crawl it too, that shouldn't cause trouble either.
-
Just reread the first point, you're right.
-
In some situations, yes. Depending on how your page is structured, you might want to have links rather than forms for every action. I have a script like that, but it defaults to only being visible to registered users, it has rel="nofollow" just in case they decide to make it viewable by guests, and even if it gets visited twice by the same person, they'll just see a page telling them they don't have permission to do that.
-
@Arancaytar Oye! Pony spotted!
Also, NodeBB, why search find weird things? Why can't find thing wanted?
-
@Arancaytar said in Yet another ugly web app:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
We call that an SPA these days
-
@homoBalkanus said in Yet another ugly web app:
@Arancaytar said in Yet another ugly web app:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
We call that an SPA these days
Not exactly, an SPA would do as much as possible on the client and fire off AJAX to the backend, meaning that the user wouldn’t see a page load as such.
This is just old school PHP done with a sort of localised front controller - very common design pattern 20 years ago. Thankfully we know better now.
-
@Arantor said in Yet another ugly web app:
@homoBalkanus said in Yet another ugly web app:
We call that an SPA these days
Not exactly, an SPA would do as much as possible on the client and fire off AJAX to the backend, meaning that the user wouldn’t see a page load as such.
This is just old school PHP done with a sort of localised front controller - very common design pattern 20 years ago. Thankfully we know better now.
Background HTTP requests have a lot to answer for.
-
There are too many Arans now. @Arantor, you’re now aran3.
-
@dkf said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@homoBalkanus said in Yet another ugly web app:
We call that an SPA these days
Not exactly, an SPA would do as much as possible on the client and fire off AJAX to the backend, meaning that the user wouldn’t see a page load as such.
This is just old school PHP done with a sort of localised front controller - very common design pattern 20 years ago. Thankfully we know better now.
Background HTTP requests have a lot to answer for.
The worst part is that some of us were doing AJAX before AJAX was invented, by channelling it through a hidden iframe and sending a POST.
Though the SPA model was always going to evolve one way or another on top of the document model as soon as people decided it was possible to build apps on top of a document model.
If anything, blame HTTP 2.0 for adding forms.
-
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
-
@Arantor Since they're not here and we cannot ask, we will assume that they've been using their name since undefined (coerced to 1970-01-01T00:00:00Z on the client side)
-
@Arantor said in Yet another ugly web app:
@dkf said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@homoBalkanus said in Yet another ugly web app:
We call that an SPA these days
Not exactly, an SPA would do as much as possible on the client and fire off AJAX to the backend, meaning that the user wouldn’t see a page load as such.
This is just old school PHP done with a sort of localised front controller - very common design pattern 20 years ago. Thankfully we know better now.
Background HTTP requests have a lot to answer for.
The worst part is that some of us were doing AJAX before AJAX was invented, by channelling it through a hidden iframe and sending a POST.
Though the SPA model was always going to evolve one way or another on top of the document model as soon as people decided it was possible to build apps on top of a document model.
If anything, blame HTTP 2.0 for adding forms.
Arguably SPAs predate Javascript. Initially they were done with applets and Flash and a bunch of other plugins...
-
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
This is a highlander situation. Have at it!
-
@dkf forms were (mostly) standardised by HTML 2, while the applet tag didn’t appear until 3.2 and the other embeds in 4.
Of course browsers may have supported them but I’m pretty sure Netscape supported its pet language ahead of Java applets - at least at first. It was over 25 years ago at this point and the entire thing was and has always been a colossal fucking mess.
-
@Arantor probably going to be shot out of a cannon for this but swing, while ugly, would have been preferable to html/css. So many hours lost to centreing a div.
Java would have been preferable to js.
I wonder what lua is like.
-
@DogsB said in Yet another ugly web app:
So many hours lost to centreing a div.
Not sure if you jest, but I'm completely serious. HTML+CSS as a layout engine is rather powerful, but also arcane, fidgety, as a result of bloating from structuring text to graphical fuckery, entirely improper for the job, and, most importantly, devoid of any sense and commonly accepted meaning of the words and concepts involved. I believe you cannot understand it. You either know it (but you can never, because implementations differ) or you fail.
-
@DogsB Lua is a nice enough little language, easy to embed. Would have been around at the time JS was shat out, too, but there’s no real analogue in it for handling the DOM - Lua is procedural not OO, and the DOM is pretty heavily conceptualised as an OO-ish model.
-
@Applied-Mediocrity said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
So many hours lost to centreing a div.
Not sure if you jest, but I'm completely serious. HTML+CSS as a layout engine is rather powerful, but also arcane, fidgety, as a result of bloating from structuring text to graphical fuckery, entirely improper for the job, and, most importantly, devoid of any sense and commonly accepted meaning of the words and concepts involved. I believe you cannot understand it. You either know it (but you can never, because implementations differ) or you fail.
Half the problem is that many of its current (ab)uses are things a document markup model was never intended to service at any point, and the Living Standard is evidence to me of “we’ve just given up trying to steer this thing”.
There are days I wish we could return to HTML4 because while it was fucky back then too, it wasn’t as fucky as it is now, in a lot of ways.
-
@Arantor said in Yet another ugly web app:
@dkf forms were (mostly) standardised by HTML 2, while the applet tag didn’t appear until 3.2 and the other embeds in 4.
Of course browsers may have supported them but I’m pretty sure Netscape supported its pet language ahead of Java applets - at least at first. It was over 25 years ago at this point and the entire thing was and has always been a colossal fucking mess.
There were things going on before Netscape was even founded. I knew some of the people involved, and there were court cases on the topic.
-
@Arantor said in Yet another ugly web app:
@DogsB Lua is a nice enough little language, easy to embed. Would have been around at the time JS was shat out, too, but there’s no real analogue in it for handling the DOM - Lua is procedural not OO, and the DOM is pretty heavily conceptualised as an OO-ish model.
Lua was never in the frame for that. Tcl was, and handles OO just fine. It also had proofs-of-concept done for the application domain (up to and including an applet-like plugin), and a sane security model to back it up.
-
@dkf said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB Lua is a nice enough little language, easy to embed. Would have been around at the time JS was shat out, too, but there’s no real analogue in it for handling the DOM - Lua is procedural not OO, and the DOM is pretty heavily conceptualised as an OO-ish model.
Lua was never in the frame for that. Tcl was, and handles OO just fine. It also had proofs-of-concept done for the application domain (up to and including an applet-like plugin), and a sane security model to back it up.
Well, there’s the reason it wasn’t adopted for the web
-
@ammoQ said in Yet another ugly web app:
@Arancaytar said:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
Not necessarily bad, could be an implementation of the "front controller" design pattern. Which, of course, would at least mean that the main script delegates the real work to some other scripts...
there is always someone defending the wtf and imagining some case that it would make sense
-
@sockpuppet7 said in Yet another ugly web app:
there is always someone defending the wtf and imagining some case that it would make sense
Just drink this and wait about ten minutes, and then everything will seem perfectly logical. Though you might want to tie your leg to a couch first.
-
@sockpuppet7 said in Yet another ugly web app:
@ammoQ said in Yet another ugly web app:
@Arancaytar said:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
Not necessarily bad, could be an implementation of the "front controller" design pattern. Which, of course, would at least mean that the main script delegates the real work to some other scripts...
there is always someone defending the wtf and imagining some case that it would make sense
Some scripts genuinely did this (e.g. older phpBB, older vBulletin) but chances aren't good that it was done well.
-
@PotatoEngineer said in Yet another ugly web app:
@sockpuppet7 said in Yet another ugly web app:
there is always someone defending the wtf and imagining some case that it would make sense
Just drink this and wait about ten minutes, and then everything will seem perfectly logical. Though you might want to tie your leg to a couch first.
It's okay, you can say you think some of us are drinking toilet duck.
-
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
-
@boomzilla said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
So many hours lost to centreing a div.
I was thinking of him on Monday. I delivered an HTML email template completely in tables and nothing came back to me. It was the outsourced team not being able to expose the images on AWS that bugs were raised against.
-
@DogsB said in Yet another ugly web app:
I delivered an HTML email template completely in tables
Still the cromulent solution for rich emails in 2023.
-
@boomzilla said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
some systems deactivate users for inactivity
-
@Arantor said in Yet another ugly web app:
If anything, blame HTTP 2.0 for adding forms.
Web forms of one sort or another have been around for far longer than HTTP 2.0. (https://datatracker.ietf.org/doc/html/rfc7540 , 2015.) Maybe you meant HTML 2?
-
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
I delivered an HTML email template completely in tables
Still the cromulent solution for rich emails in 2023.
Most of my emails are poor. Some of them are trying to get me to invest in some sketchy get rich scam; most just want me to spend all my money on products I don't need or want.
-
@Steve_The_Cynic said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
If anything, blame HTTP 2.0 for adding forms.
Web forms of one sort or another have been around for far longer than HTTP 2.0. (https://datatracker.ietf.org/doc/html/rfc7540 , 2015.) Maybe you meant HTML 2?
Yes, yes I did. I was multitasking again.
-
@HardwareGeek said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
I delivered an HTML email template completely in tables
Still the cromulent solution for rich emails in 2023.
Most of my emails are poor. Some of them are trying to get me to invest in some sketchy get rich scam; most just want me to spend all my money on products I don't need or want.
Apropos of nothing in particular, but vaguely related:
I just installed Outlook on my home machine, three months after upgrading the computer, and I'm missing the way that Gmail sorts everything for me. Now I have promotions mixed in with my bacn. (And my very, very rare piece of ham.)
-
@PotatoEngineer said in Yet another ugly web app:
my very, very rare piece of ham
We don't really feed pigs garbage any more, so the risk of trichinosis is a lot lower than it used to be, but you should still cook it thoroughly.
-
@Arantor said in Yet another ugly web app:
@sockpuppet7 said in Yet another ugly web app:
@ammoQ said in Yet another ugly web app:
@Arancaytar said:
- The same script acts as the form page, the preview page and also does the database insertion.
- Which of the above actions is being performed is determined by the url argument "action" as in script.php?action=preview, script.php?action=send, etc.
Not necessarily bad, could be an implementation of the "front controller" design pattern. Which, of course, would at least mean that the main script delegates the real work to some other scripts...
there is always someone defending the wtf and imagining some case that it would make sense
Some scripts genuinely did this (e.g. older phpBB, older vBulletin) but chances aren't good that it was done well.
Nowadays it's more or less "hidden" away anyways.
Sometimes.
Filed under: service-now.com/nav_to.do?uri=%2F$pa_dashboard.do
-
@sockpuppet7 said in Yet another ugly web app:
@boomzilla said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
some systems deactivate users for inactivity
I've always wondered at the purpose of that.
-
@Tsaukpaetra to fight username squatting.
-
@Gustav said in Yet another ugly web app:
@Tsaukpaetra to fight username squatting.
How though? User registers a squat name. User gets deactivated. Never anyone else can use that name anyways in the future. Mission accomplished?
-
@Tsaukpaetra said in Yet another ugly web app:
@sockpuppet7 said in Yet another ugly web app:
@boomzilla said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
some systems deactivate users for inactivity
I've always wondered at the purpose of that.
The one I saw, it was for security.
Here, it would be good usability if autocomplete didn't list dead users to me. Removing them from autocomplete would be enough for that.
-
@sockpuppet7 Some of whom have been gone so long they might literally be dead.
-
@HardwareGeek we'll never know if they left or stopped posting cause they literally died
-
@sockpuppet7 said in Yet another ugly web app:
@boomzilla said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
some systems deactivate users for inactivity
We don’t expect our software to work harder than we do.
-
@boomzilla said in Yet another ugly web app:
@Arantor said in Yet another ugly web app:
@DogsB said in Yet another ugly web app:
There are too many Arans now. @Arantor, you’re now aran3.
I’ve been using the name Arantor online since 2001, just not here. I petition for the other Aran to be changed since they’re not here and I am.
@DogsB to STFUJK. But still not going to change anyone's name.
I’m not inclined to believe that’s available. I feel an admin would have abused this already. Like you could uppercase a letter in the middle of someone’s name and slowly drive them to madness.
-
@DogsB TDWTF has standards.
-