Who needs SQL when we have JavaScript?



  • Check out this website: http://www.girosardegna.it/, but in particular this page: http://www.girosardegna.it/CLTA.html
    It's an Italian event, from that page you can check if you are registered (in Italy you often register by fax/mail and it's rather common that things go wrong).

    In the form you have the fields "Nome" (First Name) and "Cognome" (Last Name), you then click on "C O N T R O L L A" (Check) and the various forms get filled with your registration info. No page reload, no postback.

    Smelling a WTF, I looked at the source. Judging from the page graphics I didn't expect much better, but it's pretty interesting anyway :)
    This is the javascript included in the page: http://www.girosardegna.it/CTA.js

    I'll paste it below as it would be a shame to lose this precious piece of code with some irresponsible site update. Enjoy


    /* CLTA.js */
    var nome = "ACHIM,ADA,ADAM,... (goes on for thousands chars)
    var sur = "ABBATINO,ABBONDANTE,... (same here)
    var piv = ",29813825203435,42939644205436,15628523227437,... (same here)
    var h2 = "No,Park,Park&Sport,Beach Std,Beach Luxe,Beach Suite,x6,x7,Pevero,Pevero Luxe,Pev. Suite";
    var a2 = "Accompagnatore,GranGiro,MedioGiro,Tour,1000 km,Eroico,< 2 anni,< 12 anni,Organiz.";
    var c2 = "No,Sing.,Matr.,Tripla,Quad.,5 letti,Dop.,"; var sh = ""
    var q2 = "versamento non rilevato,versato acconto,versato acconto in Gruppo,versato a saldo,"
    var nn = new Array(); var cn = new Array(); var tu = new Array(); var ho = new Array(); var at = new Array(); var gp=new Array()
    var va = new Array(); var vt = new Array(); var ca = new Array(); var pe = new Array(); var q = new Array; var pv = new Array();
    nn = nome.split(","); cn = sur.split(","); q = q2.split(","); ho = h2.split(","); at = a2.split(",");
    ca = c2.split(","); pv = piv.split(",");
    gp[0]="0"; gp[1]="-1 + 0"; gp[2]="0 + 1"; gp[3]="-3 +0"; gp[4]="-1 +1" ; gp[5]="3 giorni"; gp[6]="2 giorni - 2 camere "; gp[7]="-2 +1";

    function mess(c0,n0){var ii,tt,lt,i1,i2,i3,i4,i5,cc,c1,n1
    with (Z){ K0.value=""; K1.value=""; J0.value = ""; J1.value = ""; I0.value = ""; I1.value = ""; H0.value = ""; ms.value=""
    H1.value = ""; G0.value = ""; G1.value = ""; L0.value = ""; L1.value = ""; L2.value = ""; F4.value = ""; Z0.value="-";
    c1 = c0.toUpperCase(); n1 = n0.toUpperCase(); if ((c1 == "") || (n1 == "")) {ms.value="Indicate COGNOME + NOME"; return;};
    for (var k=0; k <= 747; k++) {if (c1 == cn[k]) break;}; i1 = k + 100; //747=max cn
    for (var k=0; k <= 432; k++) {if (n1 == nn[k]) break;}; i2 = k + 100; //429=max nn
    stn = i1 + "" + i2; if ((i1 > 847) || (i2 > 532)){ ms.value= " Non trovato"; return;}
    for (var k=0; k <= 884; k++ ) {cc = pv[k]; if (stn == cc.slice(0,6)) break;}; i3 = k; ii = k ;
    if (i3 > 884){ms.value= " Non trovato"; return;}

    if (i3 > 434){cc = pv[i3]; ii = cc.slice(7);}
    ms.value = " Vedi sotto"; //432 =max piv
    tt = pv[ii]; i5 = tt.charAt(7)-0; i2 = tt.charAt(8)-0; i3 = tt.charAt(9)-0; i4 = tt.charAt(10)-0; sh = ""
    if(i4 >= 4){i4 = i4-4; sh = " + Vista Mare";}; if((i3==1)||(i3==3)||(i3==4)||(i3==6)){Z0.value=" Poichè gli Hotel aprono il 17/4, nei giorni precedenti sarete ospitati nel Colonna Park Hotel"};
    F4.value = q[i4]; L2.value = gp[i3]; L0.value=ho[i5]; if(i5>=1){L1.value = ca[i2] + sh;};
    i1 = tt.substr(0,3)-100; i2 = tt.substr(3,3)-100; K0.value = cn[i1] + " " + nn[i2]; i3 = tt.substr(6,1)-0; //i3??
    i1 = tt.charAt(6)-0; K1.value = at[i1] //1°//
    t = tt.slice(11); lt= t.length; if (lt < 3){return}
    ia = t.substr(0,3); tt = pv[ia]; //2°//
    i1 = tt.substr(0,3)-100; i2 = tt.substr(3,3)-100; i3 = tt.substr(6,1)-0; J0.value = cn[i1] + " " + nn[i2]; J1.value = at[i3]
    t = t.slice(3); lt= t.length; if (lt < 3){return}
    ia = t.substr(0,3); tt = pv[ia] ;//3°//
    i1 = tt.substr(0,3)-100; i2 = tt.substr(3,3)-100; i3 = tt.substr(6,1)-0; I0.value = cn[i1] + " " + nn[i2]; I1.value = at[i3]
    t = t.slice(3); lt= t.length; if (lt < 3){return}
    ia = t.substr(0,3); tt = pv[ia] //4°//
    i1 = tt.substr(0,3)-100; i2 = tt.substr(3,3)-100; i3 = tt.substr(6,1)-0; H0.value = cn[i1] + " " + nn[i2]; H1.value = at[i3]
    t = t.slice(3); lt= t.length; if (lt < 3){return}
    ia = t.substr(0,3); tt = pv[ia] //5°//
    i1 = tt.substr(0,3)-100; i2 = tt.substr(3,3)-100; i3 = tt.substr(6,1)-0; G0.value = cn[i1] + " " + nn[i2]; G1.value = at[i3]
    };}


  • >function mess(c0,n0)

    They got the function name right, in any case.



  • var nome = "ACHIM,ADA,ADAM,... (goes on for thousands chars)
    var nn = new Array();
    nn = nome.split(",");
    

    I can't think of anything to say.



  • @SlyEcho said:

    var nome = "ACHIM,ADA,ADAM,... (goes on for thousands chars)
    var nn = new Array();
    nn = nome.split(",");

    I can't think of anything to say.

    I can - does that mean if there's one person with the same first name as you, and one person with the same last name as you registered, that it "finds" your info? Because it certainly seems like the first name and last name arrays are both sorted alphabetically in the above snippet. Unless that's just a coincidence?



  • It's very Web 2.0. But it needs more AJAX.



  • @dcardani said:

    @SlyEcho said:

    I can't think of anything to say.

    I can - does that mean if there's one person with the same first name as you, and one person with the same last name as you registered, that it "finds" your info? Because it certainly seems like the first name and last name arrays are both sorted alphabetically in the above snippet. Unless that's just a coincidence?

    How does it find which first name goes with which last name? Well, there's also a third array that encodes all of the indexes to the other arrays. At least that's what it looks like to me.

    My original comment was for the cargo-cult new Array() variable initializers, but there's still plenty of "gems" to mine in this WTF I guess.



  • Yes, in fact it looks like the third array is the actual data "table": each entry starts with  "index of first name + 100", then "index of last name + 100" and so on for all the other data like in which hotel you are, etc.

    This may actually be html 5's Web SQL?

    :-))))))))))
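
The record layout discussed above, decoded in an added example that is not part of the original thread or the site's code. It shows why a name form in front of client-side data is not access control: every record decodes without any input, whereas a server-side lookup releases only the match. All data is constructed; the field positions follow the posted mess() function, and decodePerson, decodeBooking, disclosedBookings, lookup and FIRST_COMPANION are hypothetical names.

```javascript
// Constructed sample data in the layout the posted mess() function reads;
// none of these values come from the site.
const surnames = ["ROSSI", "BIANCHI", "VERDI"];
const firstNames = ["ANNA", "LUCA", "MARIA"];
const activity = ["Accompagnatore", "GranGiro", "MedioGiro", "Tour"];
const hotel = ["No", "Park", "Park&Sport", "Beach Std"];
const room = ["No", "Sing.", "Matr.", "Tripla"];
const payment = ["versamento non rilevato", "versato acconto",
                 "versato acconto in Gruppo", "versato a saldo"];
// Index 0 is empty because the original string starts with a comma.
const records = ["", "10110121207003", "10010210001", "10210001"];
const FIRST_COMPANION = 3; // assumption: companion-only entries start here

// Chars 0-2: surname index + 100, 3-5: first-name index + 100, 6: activity.
function decodePerson(rec) {
  return {
    surname: surnames[Number(rec.slice(0, 3)) - 100],
    firstName: firstNames[Number(rec.slice(3, 6)) - 100],
    activity: activity[Number(rec[6])],
  };
}

// Chars 7, 8, 10: hotel, room, payment; from 11 on: 3-digit companion indexes.
function decodeBooking(rec) {
  let pay = Number(rec[10]);
  const seaView = pay >= 4; // mess() subtracts 4 and appends "+ Vista Mare"
  if (seaView) pay -= 4;
  const companions = (rec.slice(11).match(/\d{3}/g) || [])
    .map((i) => decodePerson(records[Number(i)]));
  return { ...decodePerson(rec), hotel: hotel[Number(rec[7])],
    room: room[Number(rec[8])], payment: payment[pay], seaView, companions };
}

// What the shipped file discloses: every booking, with no name entered.
function disclosedBookings() {
  return records.slice(1, FIRST_COMPANION).map(decodeBooking);
}

// The same check done server-side: only the matching record leaves the store.
function lookup(surname, firstName) {
  const s = surnames.indexOf(surname.toUpperCase());
  const f = firstNames.indexOf(firstName.toUpperCase());
  if (s < 0 || f < 0) return null;
  const key = `${s + 100}${f + 100}`;
  const rec = records.slice(1, FIRST_COMPANION).find((r) => r.startsWith(key));
  return rec ? decodeBooking(rec) : null;
}
```
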



  • Even I, with a skill level somewhat equivalent to an infinite # of monkeys on an infinite number of typewriters, would not have implemented this.

    Well, not recently, anyway.

    Back in my TRS-80 days, maybe (using peek/poke to modify the source code the Data Statements at the end of the BASIC programming code.)

    But not now.

    Now I would use a delimited text file stored on a 3 1/2" floppy disk in the A: drive of the server.  Pipe delimited |, with strings identified with ~. And load the whole thing into a custom collection in memory.



  • Notice a gem like:

    with (Z){

    Taking the form, handily named Z so no one will figure what it is all about, and using it as a scope, so that the form elements can easily be referenced by their name. Bad practice has come home!

    Apart from being virtually unreadable, and the whole privacy issue, I'd say this is actually pretty slick code, it's certainly not written by some pussy who avoids complexity.

