I nominate the University of Sydney for "Downtime Notice Of The Year 2012"



  • @Lorne Kates said:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    If it does (I honestly have no idea) it's almost certainly off by default and poorly documented.

    With PHP, the question is not Does feature X exist in PHP? but rather Does any PHP developer know that feature X exists in PHP? PHP's documentation is so awful, and there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.



  • Did you perhaps mean the backtick syntax that runs a string using the shell after doing normal variable replacements?

    That's a language feature and is not gonna get deprecated or removed, since it does exactly what it was designed and the design has no flaws.



  • @Lorne Kates said:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to [b]172.20[/b].9.1...



  • @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?



  • @Mason Wheeler said:

    @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

    From RFC 1918

    3. Private Address Space

    The Internet Assigned Numbers Authority (IANA) has reserved the
    following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
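    Added example, not from the thread: a small PHP (7+) audit helper that classifies IPv4 addresses against the three RFC 1918 blocks quoted above, so that a public record like erp-db-pro-1 resolving to 172.20.9.1 can be flagged automatically when you review your own zone data. The hostnames and the 203.0.113.10 address in the sample are constructed for the example.

```php
<?php
// Added example: classify IPv4 addresses against the RFC 1918 private blocks
// and report DNS records that publish a private address.

/** RFC 1918 private address space, as CIDR prefixes. */
const RFC1918_BLOCKS = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];

/**
 * True when $ip (dotted quad) lies inside $cidr ("a.b.c.d/n").
 * The mask is built as -1 << (32 - n); both operands are masked the same
 * way, so the comparison is correct on 32- and 64-bit builds alike.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false) {
        return false;                       // not a valid IPv4 address
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** True when $ip falls in any RFC 1918 block. */
function isRfc1918(string $ip): bool
{
    foreach (RFC1918_BLOCKS as $block) {
        if (ipInCidr($ip, $block)) {
            return true;
        }
    }
    return false;
}

/**
 * Given hostname => address pairs (for instance read from your own zone
 * file), return the ones that publish a private address.
 */
function findPrivateRecords(array $records): array
{
    $leaks = [];
    foreach ($records as $host => $ip) {
        if (isRfc1918($ip)) {
            $leaks[$host] = $ip;
        }
    }
    return $leaks;
}

// Constructed sample: the thread's example, a documentation-range public
// address (RFC 5737) for contrast, and a typical home gateway.
$sample = [
    'erp-db-pro-1.ucc.usyd.edu.au' => '172.20.9.1',
    'www.example.com'              => '203.0.113.10',
    'gateway.lan'                  => '192.168.1.1',
];
print_r(findPrivateRecords($sample));
// Reports erp-db-pro-1 (172.16/12) and gateway.lan (192.168/16); the
// 203.0.113.10 record is not reported.
```

    Whether such a record is a problem is a judgement call, as the later replies note; the point of the check is that you find out from your own audit rather than from a forum thread.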


  • @Mason Wheeler said:

    @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...
     

    Why did you bold the first half of that IP address? Is there something significant about that subnet that we ought to recognize when we see it?

    RFC1918?



  • @Mason Wheeler said:

    Why did you
     

    .. nope. Too obvious.

    Move along. Nothing to see.



  •  Oh, so that's why my work's servers all begin with those numbers. I see.



  • Morons! Everyone knows you wrap your debugging output in HTML comments!

    (the source is nicely formatted, anyway)



  • @Someone You Know said:

    there's such a wealth of incredibly bad example code easily found on Google, that it doesn't really matter if a good way of doing something exists — the bad ways are almost always more discoverable and easier to implement.

    It's this. Here's the proof. The first Google search result for "php mysql tutorial" is your classic terrible "webmaster tutorials" website and inadvertently teaches visitors how to build SQL injection vulnerabilities:

    
    <?php
    // every field is taken straight from the request, unvalidated
    $first=$_POST['first'];
    $last=$_POST['last'];
    $phone=$_POST['phone'];
    $mobile=$_POST['mobile'];
    $fax=$_POST['fax'];
    $email=$_POST['email'];
    $web=$_POST['web'];
    
    // localhost is unquoted: PHP treats it as an undefined constant and falls back
    // to the bare string (with a notice)
    mysql_connect(localhost,$username,$password);
    // the @ silences the error; the script then dies with a bare message
    @mysql_select_db($database) or die( "Unable to select database");
    
    // user input is interpolated directly into the SQL: a single quote in any field
    // ends the string literal and whatever follows is parsed as SQL
    $query = "INSERT INTO contacts VALUES ('','$first','$last','$phone','$mobile','$fax','$email','$web')";
    mysql_query($query);

    You can always tell you're dealing with highly-experienced professional PHP software engineers when the webserver bears the number one tell-tale mark of the cowboy.
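    Added example, not the tutorial's code or the poster's: the same insert written so that request data can never be parsed as SQL, using PDO prepared statements (available since PHP 5.1; the syntax below assumes PHP 7+). The DSN, credentials and the contacts table columns are placeholders.

```php
<?php
// Added example: a parameterised replacement for the tutorial's INSERT.

/**
 * Open the connection. ERRMODE_EXCEPTION replaces the tutorial's
 * "or die(...)": failures surface as exceptions you can log, rather than
 * as text on the page. DSN and credentials are placeholders.
 */
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=contactsdb;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]
    );
}

/**
 * Insert one contact. The SQL text contains only placeholders; the values
 * travel separately, so a quote or a semicolon in a field is just data.
 * Returns true on success, throws PDOException on a database error.
 */
function insertContact(PDO $db, array $post): bool
{
    $fields = ['first', 'last', 'phone', 'mobile', 'fax', 'email', 'web'];
    $values = [];
    foreach ($fields as $f) {
        // A missing or non-scalar field is a malformed request, not a NULL.
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
        $values[":$f"] = $post[$f];
    }

    // Columns are named rather than relying on the table's positional order,
    // so the statement does not silently break when a column is added.
    $sql = 'INSERT INTO contacts (first, last, phone, mobile, fax, email, web)
            VALUES (:first, :last, :phone, :mobile, :fax, :email, :web)';
    $stmt = $db->prepare($sql);
    return $stmt->execute($values);
}

// Usage (placeholder): insertContact(connect(), $_POST);
// A value like  O'Brien  inserts correctly; with the tutorial's code it
// produced a syntax error at best.
```

    Escaping functions would also have closed the hole, but prepared statements remove the class of bug instead of patching each query, which is what a tutorial aimed at beginners should teach.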



  • Did you take a screenshot? It's gone now but I'm curious as to what was in the stack trace :P

    Reminds me of when I saw some print_r debugging on one of the biggest news sites in Australia (news.com.au). The University of Sydney one is a lot worse though.



  • @bezking said:

    @Lorne Kates said:
    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    No, it doesn't - there is no way to restrict the output of print_r() or even the PHP notice/warnings/errors etc without some if() statements...

    Uh.. Yes there is (for warnings at least). print_r is the developer wanting to output data. Maybe he shouldn't have wanted to output it in this case.. but it was the developer's intention.

    As for hiding/showing errors... the common use is to NEVER show errors/warnings/notices on production, potentially to show them on development... and in the case of production to Log them to a file instead. Plus, if you really wanted to get creative, you could actually check for the current status of error reporting. If you are sending stuff to a log, you could trigger_error the print_r and send it to your error log as well.

    Or if you were particularly apt.. not to rely on built-in logging functions (for print_r on DB fail) and build your own logging utility

    Just because PHP is easy to make fun of, doesn't mean that you're correct in your statements.
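    Added example, not from the thread: the configuration the post above describes, in PHP 7+ code. Everything is reported, nothing is displayed in production, warnings go to a log file, and ad-hoc print_r() debugging is routed through trigger_error() so it lands in the same log instead of the response. APP_ENV and the log path are assumptions.

```php
<?php
// Added example: production error handling plus a print_r() that cannot
// reach the browser.

/** APP_ENV is an assumption; anything unset defaults to the safe setting. */
function isProduction(): bool
{
    return (getenv('APP_ENV') ?: 'production') === 'production';
}

// Report everything; what changes between environments is where it goes.
error_reporting(E_ALL);
ini_set('display_errors', isProduction() ? '0' : '1');
ini_set('log_errors', '1');
// Must be writable by the PHP user and must sit outside the webroot.
ini_set('error_log', '/var/log/php/app.log');

/**
 * Debug dump. In production the value goes to the error log via
 * trigger_error(): log_errors is on, so it is written; display_errors is
 * off, so it is never shown. In development it is printed as usual.
 */
function debugDump($value, string $label = 'debug'): void
{
    $text = print_r($value, true);        // second argument: return, don't print
    if (isProduction()) {
        trigger_error("$label: $text", E_USER_NOTICE);
        return;
    }
    echo '<pre>', htmlspecialchars("$label: $text", ENT_QUOTES, 'UTF-8'), '</pre>';
}

/**
 * Run a query. On failure the driver message (which may contain table names
 * or connection details) goes to the log; the visitor gets a generic page.
 */
function runQuery(PDO $db, string $sql, array $params = []): ?array
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        debugDump(['sql' => $sql, 'error' => $e->getMessage()], 'query failed');
        http_response_code(500);
        echo 'Sorry, something went wrong.';
        return null;
    }
}
```

    One caveat: ini_set() only takes effect once the script is running, so a parse error or a startup failure is still governed by display_errors in php.ini. Set it to Off there as well, and treat the runtime call as belt and braces.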


  • Discourse touched me in a no-no place

    @bezking said:

    Personally, I like the fact that their database server, erp-db-pro-1.ucc.usyd.edu.au, resolves on their public DNS server to 172.20.9.1...

    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.



  • @PJH said:

    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.
     

    It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

    ObDerail: many years back we had a circular from Sage (financials) bleating all about their new products. At the bottom was a link we were invited to click on, which read something like: http://192.168.0.1/websites/default/pages/index.htm (no, that's not linkified). When I informed them of the link, their response was along the lines of "we tested it here and it works fine. If you're still experiencing problems, have your Network Administrator raise a ticket with your Internet Solutions Provider".



  • @Daniel15 said:

    Did you take a screenshot? It's gone now but I'm curious as to what was in the stack trace :P

    It's been quoted verbatim a few times in the comments on the Reddit article. Also from there:

    @CaptnKhaos said:

    Yeah, just gave them a call. The entire /news/ folder is throwing the error. As soon as the guy saw it, I could hear his jaw hit the floor. 9AM here, so a decent way for the helpdesk to start the day!


  • Discourse touched me in a no-no place

    @Cassidy said:

    @PJH said:

    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.
     

    It is? I thought the whole point of the private address space was that those IPs would never appear (or resolve) outside of a LAN, keeping traffic internal.

    The two aren't contradictory. It just saves having to host DNS on your private LAN to resolve addresses on your private LAN. Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.



  • @blakeyrat said:

    Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

    Yeah, still enabled. In fact, I had to use it in a production system the other day... BRB I need a drink.



  • @PJH said:

    Or in the cases where I've actually seen it, to provide a 'back-up' if the locally hosted DNS which does know about the hostnames fails for whatever reason.
     

    Ooohhh... yeah, that makes sense. Didn't think of that situation.

    "whats the IP address of our internal staging webserver?"

    "dunno. Ask the internet. They'll know..."

    I'm using the trick of hosting an unresolvable TLD (.LAN) internally so that any FQDNs unrecognised by my DNS get chucked externally. Unfortunately that means using the public A-REC for my server causes my laptop to hop out through the gateway only to stroll back in again. Makes my firewall frown at times.



  • @toon said:

    Yeah, still enabled.
     

    Say WHAT? I thought it could be disabled with some NOEXEC directive in php.ini.

    Aha - yup. Still enabled by default, can be cluebatted off a server with the disable_functions parameter.

    @toon said:

    In fact, I had to use it in a production system the other day...

    Obligatory "if u need it ur doin it rong" observ --

    @toon said:

    BRB I need a drink.

    -- oh.. you already know.



  • @blakeyrat said:

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)
     

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.  I was more curious about if MySQL had something similar-- since they've exposed their db credentials. And people can log into the DB. And then run whatever_linux_cmdshell through a query.



  •  @PJH said:

    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.

    What about reverse DNS?

    $ dig -x 192.168.1.2

    ; <<>> DiG 9.6-ESV-R4-P3 <<>> -x 192.168.1.2
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1441
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa.    IN    PTR

    ;; ANSWER SECTION:
    2.1.168.192.in-addr.arpa. 99258    IN    PTR    192-168-1-2.tpgi.com.au.

    ;; AUTHORITY SECTION:
    1.168.192.in-addr.arpa.    107829    IN    NS    ns1.tpgi.com.au.
    1.168.192.in-addr.arpa.    107829    IN    NS    ns2.tpgi.com.au.

    ;; Query time: 73 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Nov 27 23:39:16 2012
    ;; MSG SIZE  rcvd: 115

    Of course they haven't set the forward zones:

    $ dig 192-168-1-2.tpgi.com.au

    ; <<>> DiG 9.6-ESV-R4-P3 <<>> 192-168-1-2.tpgi.com.au
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58479
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;192-168-1-2.tpgi.com.au.    IN    A

    ;; AUTHORITY SECTION:
    tpgi.com.au.        2808    IN    SOA    ns1.tpgi.com.au. dna.tpg.com.au. 2012112000 10800 3600 2419200 3600

    ;; Query time: 50 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Nov 27 23:39:24 2012
    ;; MSG SIZE  rcvd: 89




  • @Lorne Kates said:

    and that they've elevated Apache to run as root
     

    My uni circa 2001 ran student webpages on an apache running as root (AFAWCT) and had all staff and student usernames and passwords in an unencrypted file (somewhere under /etc from memory). And had a CGI script with a directory traversal bug. Oops!

     



  • @Lorne Kates said:

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.


  • Discourse touched me in a no-no place

    @Zemm said:

     @PJH said:

    It's quite legitimate (if highly unusual) to have hostnames publicly resolve to RFC1918 addresses.

    What about reverse DNS?

    I would expect most public DNS (and most private) servers to effectively blackhole any reverse queries.





    Google blackhole by not replying:

    # dig -x 192.168.1.2 @8.8.8.8

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @8.8.8.8
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11837
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; Query time: 21 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Nov 27 13:58:24 2012
    ;; MSG SIZE rcvd: 42



    Verizon returns localhost:

    # dig -x 192.168.1.2 @4.2.2.2

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @4.2.2.2
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31188
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    168.192.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800

    ;; Query time: 10 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Tue Nov 27 14:00:38 2012
    ;; MSG SIZE rcvd: 101



    Whoever we get it from gives a non-routable result:

    # dig -x 192.168.1.2 @172.16.4.1

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> -x 192.168.1.2 @172.16.4.1
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44484
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;2.1.168.192.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    168.192.in-addr.arpa. 161 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 2008072202 21600 3600 1209600 86400

    ;; Query time: 0 msec
    ;; SERVER: 172.16.4.1#53(172.16.4.1)
    ;; WHEN: Tue Nov 27 14:05:31 2012
    ;; MSG SIZE rcvd: 119


  • @toon said:

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

    If you're running Apache on Windows (which is goofy, but eh), then it's all in how you configure the service. IIS has its own account, of course, and gives anonymous Internet visitors to your site their own account (IUSR) for permissions purposes. And runs applications as "Network Service" by default. It's a little bit of a pain to configure it all, but it's a lot more secure by default.

    The idiots I've been having to work with for the last few months have Nginx running as root on their Ubuntu servers. I'll have to talk to them about that.



  • @toon said:

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

     

    Under Linux, Apache starts as root but then switches user to "apache" or "httpd" to run lower-priv'd. It's possible to run as non-root but it involves some sudo trickery to allow a non-root account to switch to another user without authentication credentials, so most people start/stop the service as root knowing it runs in an unpriv'd context.

    Modules like suPHP allow PHP code to run in the context of another user (separate from Apache) so any trojaned site affects just that account and not other accounts.

    Under Windows, Apache is installed as a service but can be given separate logon credentials, in much the same way that IIS no longer runs as Administrator.

    @Lorne Kates said:

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    Of course, it doesn't stop someone from doing precisely that. I've encountered many websites containing root-owned files with change permissions set completely open (777) because permissions weren't set properly on the webroot area - so someone rootwalked into it, then set the permissions to 777 because Apache couldn't read root-owned content.

    Arseholes.....

     



  • @toon said:

    @Lorne Kates said:

    I would have no doubt shell_exec() is still active, and that they've elevated Apache to run as root.

    I believe that these days, Apache runs as the apache user, and under Ubuntu (I think, but am not sure, that they as a distro are unique in that respect) anything PHP does is run as the php user. All of the preceding is under Linux; I'm not sure how that works under Windows.

    It depends purely on setup. Apache wants to start as root wherever possible (for some reason Linux complains when normal permission applications try to grab a port), but you can tell it to run as its own user. PHP will want to run as the Apache user, unless you use SuPHP to have each Apache/php process run as the website's user (which is good for security, but a pain in other ways).

    You could always chroot Apache or Lighttpd as well to be super super secure.

    So many choices!
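    Added example, not from the thread: a self-check script that answers the two questions raised in this and the earlier disable_functions post for the box it runs on, namely which OS user the PHP code actually executes as, and which shell-spawning functions are still callable. It assumes PHP 7+ with the posix extension; the list of function names is the stock set.

```php
<?php
// Added example: report the effective user and the shell-spawning functions
// still available to PHP code on this server.

/** Functions that hand a string to /bin/sh or spawn a process. */
const SHELL_FUNCTIONS = ['shell_exec', 'exec', 'system', 'passthru', 'proc_open', 'popen'];

/** Effective user the PHP process runs as, e.g. ['uid' => 33, 'name' => 'www-data']. */
function effectiveUser(): array
{
    $uid  = posix_geteuid();
    $info = posix_getpwuid($uid) ?: [];
    return ['uid' => $uid, 'name' => $info['name'] ?? '?'];
}

/** Names listed in php.ini's disable_functions, trimmed and de-blanked. */
function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

/**
 * Which of SHELL_FUNCTIONS remain callable. function_exists() is false for
 * a disabled function on current PHP; the explicit list check covers older
 * builds. The backtick operator compiles to shell_exec(), so disabling that
 * covers both spellings.
 */
function enabledShellFunctions(): array
{
    $disabled = disabledFunctions();
    return array_values(array_filter(SHELL_FUNCTIONS, function (string $fn) use ($disabled): bool {
        return function_exists($fn) && !in_array($fn, $disabled, true);
    }));
}

/** Collect the findings; a production box wants root=false and an empty list. */
function report(): array
{
    $user = effectiveUser();
    return [
        'runs_as'         => $user,
        'runs_as_root'    => $user['uid'] === 0,
        'display_errors'  => (string) ini_get('display_errors'),  // "" or "0" is what you want
        'shell_functions' => enabledShellFunctions(),
    ];
}

print_r(report());
// To empty shell_functions, set in php.ini:
//   disable_functions = shell_exec,exec,system,passthru,proc_open,popen
```

    Run it through the web server, not the CLI: the CLI has its own php.ini and runs as whoever typed the command, so it tells you nothing about what the Apache-launched interpreter is allowed to do.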



    The problem with PHP has always been that 95% of what you find online is n00b garbage that teaches either only the basics or teaches the wrong things.  PHP isn't a bad language (although ugly as sin) when it's used by a software developer who understands things like design patterns, OOP, MVC and unit tests.  The problem is most of your PHP "developers" either found one of the aforementioned bad tutorials or picked up an equally bad book, learned the basics, and started marketing themselves as a professional developer.

    There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform:  [Rails] makes it easy to write good code and hard to write bad code.  PHP makes it easy to write bad code and hard to write good code.



  • @ObiWayneKenobi said:

    There was a quote that I read once comparing Ruby on Rails to PHP and it seems fairly apt here; replace Rails with pretty much any other language/platform:  [Rails] makes it easy to write good code and hard to write bad code.  PHP makes it easy to write bad code and hard to write good code.
     

    I highly doubt that.  I've seen languages that make writing good code easier--that's one of the main reasons I prefer Delphi--but I've never seen any language or framework that makes it any harder for a bad programmer to write bad code.  I honestly doubt such a thing exists.  Stupidity will always find a way.

     



  • PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.



  • @Lorne Kates said:

    Doesn't PHP at least have the concept of "only output debug commands to certain IP/subnets that are local to the server?" or something like that?

    If you're using one of the proper debug tools then yeah, you can limit where it's shown, but no programming language can protect against an idiot printing stuff to the screen if they want to :-/

     



  • @blakeyrat said:

    Well we know for sure at least one PHP file remains, haha.

    IIRC back in the day PHP did have some sort of shell_exec() function, but whether it's still enabled I have no clue. (Considering this WTF, these clowns might have gone out of their way to turn it back on.)

    Oh it's still there, but I don't know many sane reasons why it would be used.

     



  • @GNU Pepper said:

    You can always tell you're dealing with highly-experienced professional PHP software engineers when the webserver bears the number one tell-tale mark of the cowboy.
     

    Christ on a bicycle. Hey Mr Webserver tell me all about yourself, your most intimate details.


     



  • @gu3st said:

    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.

    The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser



  • @ASheridan said:

    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser

    I blame StackOverflow for that. Problem? jQuery is the answer! No matter what the problem is! Desktop app? Well embed a Webkit so you can run jQuery! Database? Well write a quick function that can call out to jQuery! If you can't do it in jQuery it can't be done!

    At least they tried to make a better programming Q&A site. "Game-ify-ing" it just made it awful again though.



  • @ASheridan said:

    I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser
     

    And I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of Javascript, which could be replaced by one line of jQuery.

     (Which could sometimes be replaced with zero lines of neither, if they had bothered to learn CSS)



  • @blakeyrat said:

    I blame StackOverflow for that. Problem? jQuery is the answer! No matter what the problem is! Desktop app? Well embed a Webkit so you can run jQuery! Database? Well write a quick function that can call out to jQuery! If you can't do it in jQuery it can't be done!

    At least they tried to make a better programming Q&A site. "Game-ify-ing" it just made it awful again though.

    This perfectly illustrates your point:

    http://stackoverflow.com/questions/3964072/overusing-jquery

    And one of the comments below is this:

    "I figure if I'm going to load a library on a page, I may as well use it as much as I can. I try to get the bang for my buck (so to speak)."

    With attitudes like that, no wonder it gets overused.

     



  • What people like that don't get is the bloat jQuery adds. A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size. And if you're not careful, you can wrap jQuery objects in jQuery objects in jQuery objects and make bloat-zilla.



  • @blakeyrat said:

    And if you're not careful, you can ... make bloat-zilla.
     

    (first result for bloatzilla :p)


  • Impossible Mission - B

    @blakeyrat said:

    A normal event object is maybe, say, 2k of various data and pointers. A jQuery event object is like 5 times the size.

    [citation needed]

    I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

    Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32-bits each, we only account for 768 bits (92 bytes).

    A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.



  • @joe.edwards said:

    I do find this hard to believe, considering the total number of events a page fires off in normal use. You could see dozens of events a second just from waving your mouse around; eg mouseover, mousemove, mouseout. If it had this much overhead, I would expect these sites to perform like mud, and I really haven't seen many terribly-performing sites even when the site's author drank the whole pitcher of jQuery kool-aid.

    Window.event, even considering all the proprietary extra junk that might be on it, I'd say at most has a couple dozen properties; if we guess two dozen properties at an average of 32-bits each, we only account for 768 bits (92 bytes).

    A jQuery object might be as bloated as you say, I'm not sure how to actually measure it, but it sounds like a number pulled out of thin air.

    jQuery creates new objects for each event that was triggered with it. It's not just a wrapper for addEventListener. That's not the only thing it does though. It creates a copy of the DOM as an object to allow it to search and manipulate the DOM more easily. Every match you make on the DOM using a jQuery selector is another object. This is what leads to the bloat.

     


  • Impossible Mission - B

    My first two paragraphs were in re of a "normal event object", as in, not-jQuery.



  • @ASheridan said:

    @gu3st said:

    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.
    The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser

    As someone who has recently started to become knowledgeable at Javascript (after being a jQuery numpty for a long time), I can't agree with you more. There does seem to be something about the web that people manage to be absolutely retarded. I don't know if it's the seemingly low barrier to entry (everyone and their cat can build a website).. or what it is.. but the web.. people who have no business programming anything.. manage to build websites at an alarming rate.



  • @gu3st said:

    @ASheridan said:

    @gu3st said:

    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.
    The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser

    As someone who has recently started to become knowledgeable at Javascript (after being a jQuery numpty for a long time), I can't agree with you more. There does seem to be something about the web that people manage to be absolutely retarded. I don't know if it's the seemingly low barrier to entry (everyone and their cat can build a website).. or what it is.. but the web.. people who have no business programming anything.. manage to build websites at an alarming rate.

    I wonder why anyone thinks this is any different from shitty ios apps that suck up battery life while doing nothing, or desktop programs that freeze the UI at the slightest provocation. The only difference is that we look at a much broader range of websites than other types of applications, so we get a much larger sample size.


  • Impossible Mission - B

    @pkmnfrk said:

    @gu3st said:
    @ASheridan said:

    @gu3st said:

    PHP doesn't really make it hard to write good code. It makes the bad code just tempting to people who aren't smart enough to make the distinction between good and bad.
    The real problem though is the sheer number of bad tutorials out there still not advising about things like SQL injection, still advising the new dev to do some unbelievably stupid things.

    It's not just PHP, any language can suffer from it. Consider Javascript. jQuery is one of the best and at the same time worst things to happen to it. I've seen people do stuff in 20 lines of jQuery that could be replaced with a few lines of straight Javascript, and it still works perfectly well cross-browser

    As someone who has recently started to become knowledgeable at Javascript (after being a jQuery numpty for a long time), I can't agree with you more. There does seem to be something about the web that people manage to be absolutely retarded. I don't know if it's the seemingly low barrier to entry (everyone and their cat can build a website).. or what it is.. but the web.. people who have no business programming anything.. manage to build websites at an alarming rate.

    I wonder why anyone thinks this is any different from shitty ios apps that suck up battery life while doing nothing, or desktop programs that freeze the UI at the slightest provocation. The only difference is that we look at a much broader range of websites than other types of applications, so we get a much larger sample size.

    I think the difference is that the source code is easier to view so everyone can see and point and laugh. I conjecture a proportionate number of closed-source applications are just as bad under the covers.



  • @pkmnfrk said:

    I wonder why anyone thinks this is any different from shitty ios apps that suck up battery life while doing nothing, or desktop programs that freeze the UI at the slightest provocation. The only difference is that we look at a much broader range of websites than other types of applications, so we get a much larger sample size.

    Yeah. Sometimes I catch myself thinking "I just need to get away from web development and I won't have to deal with this kind of wilful incompetence any more." Fortunately TDWTF provides me with a daily reality check for this notion.

    However, I do still cling to the hope that things will improve somewhat when I eventually manage to get out of *PHP* web development. PHP development is like DeviantART: almost everybody is producing terrible, ugly things, and their eye for quality is so underdeveloped that they don't even see how bad their work is.

    There are so many "PHP-only" developers with whom I've worked who actively resist the use of tools and practices that improve code quality. Things like testability, reusability, maintainability: I've seen these things dismissed as "over-engineering" by senior "PHP-only" colleagues in a couple of different workplaces at this point. There seems to be widespread belief in a sort of carte blanche artistic license when it comes to whether something is "good code" or not.

    What never ceases to amaze me is the lengths these people are willing to go to in order to work around the resulting garbage. They'll happily spend an entire week testing a simple design change to an email simply because it was too much work to write code that could be tested or even executed outside of the live production environment. Why not learn from one of these experiences and next time try to avoid writing indecipherable stream-of-consciousness code?



  • @pkmnfrk said:

    I wonder why anyone thinks this is any different from shitty ios apps that suck up battery life while doing nothing

    It's not just iOS. The DrawSomething app on Android eats through my battery faster than a starving rat. It doesn't really need to run the full app in the background, but it seems to :-/


  • Discourse touched me in a no-no place

    @gu3st said:

    I don't know if it's the seemingly low barrier to entry (everyone and their cat can build a website)..

    You make it sound like a special case. It's not. Even dead cats can get diplomas for example.

