How to hold a grudge



  • I came across this quite a while ago, so it may not be verbatim.

    I was browsing through an ecommerce application written in PHP that I'd been hired to modify and came across an "interesting" piece of code in one of the files that processed orders...

    Names removed to protect the [presumably] innocent!

    if (
        $_POST['firstname'] == "John"
        && $_POST['lastname'] == "Smith"
        && $_POST['addressline1'] == "123 Fake Street"
        && $_POST['addressline2'] == "Exampletown"
        // ... (snip - you can gather how it went on)
    )
    {
        echo "You are not welcome at this store.";
    }
    else
    {
        // process order
    }

    I checked with my boss (the owner of the store) as to whether this was meant to be there - and it was the first time he'd ever heard of it. I guess my predecessor really didn't know when to let a grudge go?



  • Similarly in a project that I don't normally work on, I was having a hard time logging in. I knew that I hadn't mistyped my password, so I went looking for recent changes to the code base. Not finding any that looked suspicious, I looked at the login code in general and found a surprising and nasty shock -- there was a super password that would let anyone into any account!

     The password? Something very much akin to

    "my co developer who got fired at the same time that I did is a shit head"


    And to admit to my own WTF, I couldn't log in because the database behind the site was down. The site probably should have given me a more useful error message, but I also should have thought of the simple solution before expecting someone to have checked in login-breaking code without testing it. Or at least poked the developer for the site.
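Both stories so far share one pattern: a decision that should live in data (who is blocked, who may log in) was buried in the code as a comparison against a string literal. The audit helper below is an added example, not code from this thread or from either poster's application. It scans PHP source for `$_POST[...]`/`$variable` compared with `==`/`===`/`!=`/`!==` against a string literal and classifies each hit: identity fields (name, address, email) point to a customer being singled out in code, credential-like names (`password`, `secret`, `token`) point to a hardcoded login. The `SAMPLE_PHP` text, the field lists and the regex are constructed for this example; the names and the master password in the sample are invented.

```python
"""Audit helper: find hardcoded identity checks and credentials in PHP source.

Added example for this thread; heuristics and sample input are constructed.
"""
import re

# Request fields whose literal comparison suggests a specific customer/user was
# singled out in code (the "You are not welcome at this store" pattern).
IDENTITY_KEYS = {"firstname", "lastname", "name", "email", "address",
                 "addressline1", "addressline2", "location", "username"}
# Name fragments whose literal comparison suggests a hardcoded credential
# (the "super password" pattern).
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token", "apikey", "api_key")

# Matches `<operand> ==|===|!=|!== <string literal>` where the operand is either a
# superglobal index such as $_POST['email'] or a plain variable such as $password.
# Only this operand order is handled (variable on the left, literal on the right).
LITERAL_CMP = re.compile(
    r"""\$(?:(?:_POST|_GET|_REQUEST|_COOKIE)\s*\[\s*['"](?P<key>[^'"]+)['"]\s*\]|(?P<var>\w+))"""
    r"""\s*(?:===?|!==?)\s*(?P<lit>"[^"\n]*"|'[^'\n]*')"""
)


def classify(name: str) -> str:
    """Rank a finding by what the compared field or variable is called."""
    lowered = name.lower()
    if any(hint in lowered for hint in CREDENTIAL_HINTS):
        return "hardcoded-credential"
    if lowered in IDENTITY_KEYS:
        return "hardcoded-identity-check"
    return "literal-comparison"


def scan_php(source: str) -> list:
    """Return one finding per literal comparison: (line number, kind, name, literal)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.lstrip()
        if stripped.startswith(("//", "#", "*")):  # skip obvious comment-only lines
            continue
        for match in LITERAL_CMP.finditer(line):
            name = match.group("key") or match.group("var")
            findings.append((lineno, classify(name), name, match.group("lit")))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, so a reviewer can see the worst class first."""
    counts = {}
    for _, kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample modelled on the two stories in the thread; the names, the
# address and the master password are invented for this example.
SAMPLE_PHP = r"""<?php
// checkout.php (constructed sample)
if (
    $_POST['firstname'] == "Jane"
    && $_POST['lastname'] == "Doe"
    && $_POST['addressline1'] == "1 Example Road"
) {
    echo "You are not welcome at this store.";
}
// login.php (constructed sample)
if ($_POST['password'] === 'constructed-master-password') {
    $authenticated = true;          // lets anyone into any account
}
if ($status == 'shipped') {         // ordinary comparison, low priority
    notify_customer($order);
}
"""

if __name__ == "__main__":
    for lineno, kind, name, lit in scan_php(SAMPLE_PHP):
        print(f"line {lineno:3d}  {kind:25s} {name} vs {lit}")
    print(summarize(scan_php(SAMPLE_PHP)))
```

Run it over a checkout or login directory and triage the `hardcoded-credential` and `hardcoded-identity-check` lines first; the plain `literal-comparison` class is mostly legitimate state checks and is listed only so the reviewer can confirm nothing else slipped through. A regex pass like this is a first sweep, not a parser: comparisons written with the literal on the left, built from concatenation, or hidden behind base64 (as in the Konqueror story later in the thread) will not be caught.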



  • Ugh, I found something like this in one of our customer's systems. (Sit down. Ready? Every one of our customer's systems is customized. Yeah, I know. Fun always.) I was appalled because I still try to adhere to proper programming practices. But having code that says (pseudocode):

    if incident.location == "123 MAIN ST"   (actually the customer's office address)
        do this stuff
    else
        do this other stuff
    endif

    is not even in the realm of custom code. It's just bad and the guy who did it (yes, I know who you are) shouldn't have told the customer it was do-able.



  • Having said that, I've been tempted to do exactly what the OP found for a few irritating users who cause too much trouble. But note I said "tempted". I know better than to actually do it.



  • We have done it here in the past. We had cases where we would persistently get lots of failed orders, then some fraudulent orders from a few specific email addresses (probably them trying out stolen/guessed credit card numbers), so we 'blacklisted' them by adding tests for them until we got around to putting a proper checker in place to check for repeated failed orders from the same address and putting those through for manual verification. (Yes, you'd think they'd just change their email address, but apparently they weren't that clever as our simple blacklist tests worked fine...)
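The "proper checker" pscs describes, repeated failed orders from the same address routed to manual verification rather than an email blacklist compiled into the code, is straightforward to express as data plus a threshold. The checker below is an added example in Python, not pscs's code or any store's code: it keeps a per-email list of failed-order timestamps, forgets failures older than a window, and returns `"manual"` once the count in the window reaches a threshold. The window, threshold, timestamps and email addresses are constructed for the example.

```python
"""Repeated-failed-order check, as a data-driven replacement for a hardcoded blacklist.

Added example for this thread; window, threshold and sample attempts are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class OrderAttempt:
    email: str
    when: datetime
    succeeded: bool


@dataclass
class FailedOrderChecker:
    """Track failed orders per (normalised) email address inside a sliding window."""
    window: timedelta = timedelta(hours=24)
    max_failures: int = 3
    _failures: dict = field(default_factory=lambda: defaultdict(list))

    @staticmethod
    def normalise(email: str) -> str:
        # Case and surrounding whitespace are not distinguishing; treat them as one address.
        return email.strip().lower()

    def record(self, attempt: OrderAttempt) -> None:
        """Remember only failures; successful orders do not count against the address."""
        if not attempt.succeeded:
            self._failures[self.normalise(attempt.email)].append(attempt.when)

    def recent_failures(self, email: str, now: datetime) -> int:
        """Number of failures inside the window, pruning anything older as a side effect."""
        key = self.normalise(email)
        cutoff = now - self.window
        kept = [t for t in self._failures[key] if t >= cutoff]
        self._failures[key] = kept
        return len(kept)

    def route(self, email: str, now: datetime) -> str:
        """'auto' to process the order normally, 'manual' to hold it for verification."""
        if self.recent_failures(email, now) >= self.max_failures:
            return "manual"
        return "auto"


def run_demo() -> dict:
    """Constructed scenario: one address fails three times, one fails once then succeeds."""
    base = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    checker = FailedOrderChecker(window=timedelta(hours=24), max_failures=3)
    attempts = [
        OrderAttempt("Fraud@example.test", base, False),
        OrderAttempt("fraud@example.test", base + timedelta(minutes=5), False),
        OrderAttempt("fraud@example.test", base + timedelta(minutes=9), False),
        OrderAttempt("honest@example.test", base + timedelta(minutes=10), False),
        OrderAttempt("honest@example.test", base + timedelta(minutes=12), True),
    ]
    for attempt in attempts:
        checker.record(attempt)
    now = base + timedelta(minutes=15)
    return {
        "fraud": checker.route("fraud@example.test", now),
        "honest": checker.route("honest@example.test", now),
        # A week later the old failures have aged out of the window.
        "fraud_next_week": checker.route("fraud@example.test", now + timedelta(days=7)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The threshold and window are the only two things a store owner needs to tune, and neither requires a code change or a redeploy, which is the point: the addresses that caused the failed orders never appear in the source at all, and an address that stops misbehaving is released automatically once its failures age out.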



  • @pscs said:

    We have done it here in the past. We had cases where we would persistently get lots of failed orders, then some fraudulent orders from a few specific email addresses (probably them trying out stolen/guessed credit card numbers), so we 'blacklisted' them by adding tests for them until we got around to putting a proper checker in place to check for repeated failed orders from the same address and putting those through for manual verification. (Yes, you'd think they'd just change their email address, but apparently they weren't that clever as our simple blacklist tests worked fine...)

    ... or maybe they got smarter and are ripping you off daily? ;-)



  •  Reminds me of a simple internal PHP web app we have here that we all use on a regular basis. Back when I was first building it I added a browser check so that when Konqueror was detected the page would include a line saying "Konqueror sucks" in bold red letters. This was to poke fun at a tech coworker of mine who used it. He tracked down the code (not really hard to do a text search in a PHP file) and changed it to "Konqueror rules". I responded by encoding the string in base64 and turning it back to "Konqueror sucks". He promptly tracked it down and changed it again.

    This obfuscation race went on until we reached a point where the script was communicating with a service via telnet and getting the string from there, before we got tired of it. It's a good thing that code's gone now because if anyone else had to poke around in that app, it would undoubtedly have ended up here.



  • @negativeview said:

    Similarly in a project that I don't normally work on, I was having a hard time logging in. I knew that I hadn't mistyped my password, so I went looking for recent changes to the code base. Not finding any that looked suspicious, I looked at the login code in general and found a surprising and nasty shock -- there was a super password that would let anyone into any account!

     The password? Something very much akin to

    "my co developer who got fired at the same time that I did is a shit head"

    Hard coding login/pass combos into an application's code is in general bad practice. However, if I ever found someone had coded a super password, I would be utterly astounded and pissed. Something like that could cause my company to be fined and could set the grounds for a lawsuit under HIPAA.



  • @galgorah said:

    Hard coding login/pass combos into an application's code is in general bad practice. However, if I ever found someone had coded a super password, I would be utterly astounded and pissed. Something like that could cause my company to be fined and could set the grounds for a lawsuit under HIPAA.

    We're not in any regulated industry, thankfully, or there'd be a few things that we'd get in trouble for, probably. I showed the password to my boss (actually, I used it to log in as him, then sent him a ticket from himself where the bug was that if they know how, anyone can log in as anyone (no, I did not put the password into the very-widely-viewable ticket)), who knew that such a thing had existed, but had forgotten the actual password. He made note of it, thanked me for finding it and that was that. I have long since lost my desire to have huge arguments over such bad practices. I just make sure that the person that should care knows about it, then go on with my business. I suppose there's a few more WTFs embedded in this statement, too.



  • I think WebExpert CMS does this.

