I've been hired by an edutainment software company. It is college-funded so Pedagogy students can execute their projects, and the code is released as open source when finished. In only 6 months I've seen enough WTFs to affect my sanity.
First of all, the boss leaves at 5:30PM, so pretty much every day we don't have to get home early, we stay there for a few more hours playing L4D2 on the design workstations. That, along with the free coffee, makes me love that job. People don't take anything seriously, I have no idea how we get anything done, no one can be fired and there are no deadlines.
I'm working on a Club Penguin clone where teachers can post homework and students can have blogs. The original project specifications called for a system of permissions that can be infinitely expanded (I have no idea what this means), but there is a simple Administrator -> Teacher -> Student hierarchy written.
The main page is comprised of a .swf file that barely stands and used to have porn in a hidden layer. Whenever the user enters a house to access the blogs or homework systems, or changes the area he is currently in, the page reloads with a few GET arguments.
As for some PHP code snippets, translated wherever needed:
I saw (and left in its original state) a switch statement where every case followed this pattern:
case 2:
    return "February";
    break; // These breaks are there just to be sure.
The comment was in every single case.
case 2:
    $pesquisa1->request("select * from $tabela_forum where $consulta and forum_id = '$forum_id'"); // This request is done to get only the count of how many results are there. There is no protection against SQL injection, and $forum_id comes straight from a GET request.
    $this->counter = count($pesquisa1->result);
    $pesquisa1->request("select * from $tabela_forum where $consulta and forum_id = '$forum_id' ORDER BY msg_id ASC LIMIT $pagina,10");
BTW, this other one was in a completely commentless switch statement with 20+ cases.
$max_year = 9999999; // I do believe this code will last more than humanity in a working status.
This is later used to check that some operations don't exceed a max year. It's a shame that even the useless sanity-check functions don't get called.
if ($internal_list[$i-1] == "\nend_year"){ // DON'T ASK. IT WORKS. GIVE IT A PRINT_R TO SEE.
I did check and it is pretty ingenious. WTF points for using \n in PHP.
if (basic SQL injection check that does not work){
    // code
} else die("an horrible death");
Imagine opening the profile page of a teacher and the only thing that displays in the upper-left corner of your browser is "an horrible death" (sic).
There's an SQL table with an ID field to store uploaded pictures as BLOBs. Instead of relying on the id column, they try to get it via the filename, blog id and whether it was uploaded as homework or as a blog picture. Yes, you can upload two files with the same name to the same blog.
$consulta->request("SELECT * FROM $tabela_arquivos WHERE name = '$name' AND funcionalidade_tipo = '$funcionalidade_tipo' AND funcionalidade_id = '$funcionalidade_id';");
This one is self explanatory:
for ($camila_looks_pretty_hot_today=0,$size=count($nomes); $camila_looks_pretty_hot_today<$size; $camila_looks_pretty_hot_today++){
They're echoing through PHP the (constant) URL of the input. Also, who the hell uses <input type="image">?
<img src=<?="../../images/botoes/bt_postagem.png"?> border="0" align="right"/>
This one is cute, they're allowing the user to send an SQL query via JavaScript.
<?$stringConsulta = "UPDATE $tabela_portfolioProjetos SET emAndamento = 0 WHERE id=$projeto_id";?>
<a class="finish" onClick="changeDB('<?=$stringConsulta?>');" href="#">[Finish Project]</a>
This one hurt my mind when I tried to comprehend it. It took me a moment to understand the code flow.
$screen_res = resolution($screen_res); // Yes, calling a function that's defined one line under.
function resolution($screen_res) {
    if($screen_res != "") {
        $_SESSION['resolution'] = $screen_res;
    }
    if(isset($_SESSION["resolution"])){
        $screen_res = intval($_SESSION["resolution"]);
    }else{
?>
<script language="javascript">
<!--
resolution_send();
function resolution_send(){
    location.href = 'index.php?screen_res='+ screen.width;
}
//-->
</script>
<?php
    }
    return $screen_res;
}
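The two SQL problems in the post, the forum search that pastes the GET parameter $forum_id into a quoted string and the [Finish Project] link that hands a whole UPDATE statement to changeDB() for the browser to send back, share one root cause: query text is assembled from, or supplied by, the client. Below is an added example, not code from the original post or from the project it describes, that reproduces both patterns in Python against an in-memory SQLite database and places the fix beside each. The table names forum and projects, the column names, the owner check, the ACTIONS map and the sample rows are constructed for this example and are not the project's real schema (the original is PHP talking to a MySQL table).

```python
"""Added example (not from the original post): the two injection patterns
described above, reproduced against in-memory SQLite so they run offline.

1. The forum search interpolates $forum_id (a GET parameter) into a
   quoted literal; a crafted value escapes the quotes and returns every
   forum's messages.
2. [Finish Project] sends a complete UPDATE statement through changeDB(),
   so whatever the browser posts back is executed verbatim.

Table/column names and sample rows are constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed data standing in for $tabela_forum and $tabela_portfolioProjetos."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE forum (msg_id INTEGER PRIMARY KEY, forum_id TEXT, body TEXT);
        INSERT INTO forum VALUES (1, '1', 'public thread');
        INSERT INTO forum VALUES (2, '2', 'teachers-only thread');
        INSERT INTO forum VALUES (3, '2', 'grades discussion');
        CREATE TABLE projects (id INTEGER PRIMARY KEY, owner TEXT, emAndamento INTEGER);
        INSERT INTO projects VALUES (1, 'alice', 1);
        INSERT INTO projects VALUES (2, 'bob', 1);
        """
    )
    return con


# --- pattern 1: string-built query, as in the forum search ------------------

def search_vulnerable(con, forum_id: str, consulta: str = "1=1"):
    """Mirrors the original: $forum_id is pasted into a quoted literal.
    `consulta` stands in for the $consulta search condition."""
    sql = (f"SELECT * FROM forum WHERE {consulta} AND forum_id = '{forum_id}' "
           f"ORDER BY msg_id ASC")
    return con.execute(sql).fetchall()


def search_fixed(con, forum_id: str):
    """Bound parameter: the value can never change the shape of the query."""
    sql = "SELECT * FROM forum WHERE forum_id = ? ORDER BY msg_id ASC"
    return con.execute(sql, (forum_id,)).fetchall()


# --- pattern 2: query chosen by the client, as in changeDB() ----------------

def change_db_vulnerable(con, string_consulta: str) -> None:
    """Executes whatever the page (i.e. the user) posted back, verbatim.
    executescript is used so a ';'-chained second statement runs too."""
    con.executescript(string_consulta)


ACTIONS = {
    # The only statement the client may trigger; ownership is enforced here,
    # server-side, instead of trusting the id embedded in the page.
    "finish": "UPDATE projects SET emAndamento = 0 WHERE id = ? AND owner = ?",
}


def change_db_fixed(con, action: str, projeto_id: int, user: str) -> int:
    """The client sends an action name and an id; the server chooses the SQL
    and binds the values, so no SQL text crosses the trust boundary.
    Returns the number of rows updated (0 if the project is not the user's)."""
    if action not in ACTIONS:
        raise ValueError("unknown action")
    return con.execute(ACTIONS[action], (projeto_id, user)).rowcount


if __name__ == "__main__":
    con = make_db()
    payload = "1' OR '1'='1"
    print("vulnerable search:", len(search_vulnerable(con, payload)), "rows")  # 3
    print("fixed search:     ", len(search_fixed(con, payload)), "rows")       # 0
    change_db_vulnerable(con, "UPDATE projects SET emAndamento = 0 WHERE id=1; DELETE FROM projects")
    print("projects left after hostile changeDB():",
          con.execute("SELECT count(*) FROM projects").fetchone()[0])          # 0
```

The fixed search still accepts the hostile string; it just treats it as a forum_id that does not exist. The fixed changeDB() replacement is the more important change for the [Finish Project] case: once the server owns the statement, the client cannot substitute a DELETE, and the owner column check stops a student from finishing someone else's project by editing the id in the page.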