I found a gem
if($user == false || $user['admin'] == false)
{
    Header("Location: ".$login_url);
}
the correction was
$login_url = 'https://oursite.login.com/';
if( ($user == null) || ($user === false || $user['admin'] == false))
{
    Header("Location: ".$login_url);
}
yshiphuf123
Latest posts made by yshiphuf123
-
Yet another
-
RE: Emailed SQL Statements
Ha, that would be true.
about student*15 + graduates*0 + adults*30
The prices were hard coded. The values were only echoed and never stored:
Price: <?= student*15 + graduates*0 + adults*30 ?>
The variable graduates exists and is used only once on the page (on that same line). Perhaps in version 0.9 they used to prompt the user for that info (perhaps using a custom-built tri-state checkbox).
-
Emailed SQL Statements
I think the title says it all but I will elaborate.
I was given the task to add a PayFriend "Pay Now" button to a "very simple" php page. I made an over-estimate of 6 hours to complete the task. All I knew was that the purpose of the page was to sign up for an event, that if you are a student you could receive a discount, and that a MySQL database was involved -- how bad could it be?
Turns out pretty darn bad.
Well, the database was total feces. There were many tables, and the tables were interlinked with each other. But only two tables were actually ever used (throughout the entire webpage; most features were turned off - perhaps because they didn't work) - the in-use tables consisted of a user table and an order table. Unfortunately it didn't occur to me to check which tables were actually used by the system until late in the day. And even then a quick grep told me that every table was referenced on almost every page. It wasn't until I got down into the nitty-gritty of the log-in feature that I realized that these extra tables were not actually in use.
The user table held an email address, a boolean spam flag, a company name text field, and a paid boolean flag. The order table held a primary key, a user_id column, and a boolean paid flag.
To place an order you first specify the event to attend, then specify the number of people you are signing up, Next the names, companies and is_student values for each user. Lastly you confirm the order.
The way it actually worked was like hell on earth.
After selecting an event you are redirected to /page.php?event_id=123&admin=0
Next the page checks if you are logged in (there is no log-in page; setting admin=1 specifies the same php code in a separate block).
Please note that I cleaned up this code just to illustrate the major WTFs, avoiding many of the landmines.
if($admin) {
    //code ABC
} else {
    //code ABC
}
I suppose that code was removed and the thought of if( false ) never occurred to the original programmer.
Next if the first of the user names not yet submitted does not exist then the number of students to add is asked:
if( $names[0] == '' ){
    ?> <select><option>1</option><.... yes these were written out... ></select> <?
}
Next the page checks to see if each company name has already been inserted into the user table. If this is true then an error message is displayed and the page will not continue. Perhaps the logic of this feature was designed to allow only a single person from any company to attend any event. Or perhaps they wanted unique company names so they could be used as a primary key later (seriously). Or perhaps the programmers came straight from hell and were just into sick jokes like that. I'm still not sure.
The rest of the flow of logic worked mostly in this way: if something has a null value (or a pre-determined value) then present the user with the html prompting for that thing, otherwise put that value in a hidden field. The html would just be inserted wherever the php code happened to lie; perhaps the php code was echoed, or perhaps stored in a variable and echoed later. Ironically, the hidden fields' end positions were very predictable.
At some point the user is given the price(s) s/he is expected to pay. That logic worked similar to the following mess:
students*15 + graduates*0 + adults*30
The database did not store the price quoted to the user. And it was impossible to determine what the quoted price was later because of the wtf that follows.
Next the user is asked to confirm everything. At this point the system shoots off an email. The email is similar to:
INSERT INTO users (...) values (...);INSERT INTO users (...) values (...);INSERT INTO users (...) values (...);
INSERT INTO orders (user_id, paid) VALUES ($user_id, true);INSERT INTO orders (user_id, paid) VALUES ($user_id, true);INSERT INTO orders (user_id, paid) VALUES ($user_id, true);
This was emailed directly to the last developer (hard-coded email address in the page) and stored in a log.
After this point the developer could create a custom static html page. A select * was run on the users table and dumped to a text file, and then with a little copy-and-paste magic an html page was created. This would have a list of every user in the system, each represented with a button with their name on it. If the button was clicked (and if the sql command was present) the user's purchase would be recorded. This button was clicked at the entrance of the event after the user paid.
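Two of the posts above share one security flaw: the first post's log-in check decides "not admin" with PHP's loose `==`, then sends a Location header and keeps executing, and the page in the second post takes its `$admin` flag straight from `?admin=0` in the query string. Below is an added example, not code from either post or from the site being described, that rewrites the check so it fails closed. Assumed for illustration: the logged-in user record lives in `$_SESSION['user']` as an array whose `admin` field is a boolean or 0/1 integer, and `$login_url` is the configured login page as in the quoted "correction". `loose_false_table()` is only there to show which values `== false` in PHP; the real fix is `is_admin()` plus the `exit` after `header()`.

```php
<?php
// Added example, not code from the original posts. Assumptions: the user
// record comes from $_SESSION['user'] (array with a boolean/0-1 'admin'
// field) and $login_url is the configured login page.
declare(strict_types=1);

$login_url = 'https://oursite.login.com/';

/**
 * Why `$user['admin'] == false` is fragile: == coerces both operands, so
 * "0", "", 0, [] and null all compare equal to false, while the string
 * "false" does not (a non-empty string is truthy).
 * Returns a map of JSON-encoded value => result of ($value == false).
 */
function loose_false_table(): array
{
    $out = [];
    foreach (['0', '', 'false', 0, [], null] as $v) {
        $out[json_encode($v)] = ($v == false);
    }
    return $out;
}

/** Strict admin test: only an explicit boolean true or integer 1 counts. */
function is_admin(mixed $user): bool
{
    if (!is_array($user) || !array_key_exists('admin', $user)) {
        return false;
    }
    return $user['admin'] === true || $user['admin'] === 1;
}

/**
 * header() does not stop the script. Without exit, everything after the
 * redirect is still generated and sent; a client that ignores the Location
 * header (curl -i, a proxy, a script) reads the admin page anyway.
 */
function require_admin(mixed $user, string $login_url): void
{
    if (!is_admin($user)) {
        header('Location: ' . $login_url, true, 302);
        exit;
    }
}

// Usage at the top of an admin page: the flag is read from the server-side
// session, never from $_GET['admin'], which would let the client decide its
// own privileges (the ?admin=0 / admin=1 switch from the second post).
session_start();
require_admin($_SESSION['user'] ?? null, $login_url);
// ... admin-only content follows here
```

To see the difference the `exit` makes, request a page that only does `Header("Location: ...")` with `curl -i` and no `-L`: the 302 arrives, and so does the full body that was supposed to be protected.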
-
U-Haul WTF
I had the privilege of trying to rent a U-Haul truck today. The phone book gave me a local number and the hours 8-6 M-F. Called it, but they were closed, so I dialed their 800 number, where I confirmed that they are open, placed a reservation, and received a pick-up time and confirmation number. They also informed me that I was very close to the pick-up location. I told them that although they advertised as being open they in fact were not. I was reassured that they were indeed open. The phone call was about to end...
Just one thing, where is the truck? They don't have that information, but it's no problem, I can wait to receive a call sometime the next day (the day of the rental). Or, if I wanted, I could find out right now. I just needed to dial a second 800 number so that the information could be given to me...
So I called the second 800 number (it was different) and gave them the confirmation code. Automatically they knew my name and order, and they gave me the address to pick up the truck at, which was only 20 miles further away (they charge per mile). Great; next I ask about parking and pick-up time. They don't have that information, but no problem, I just need to call the local office.
Called the local branch office. They don't need my confirmation code, just my last name... no, no Mr. Smith here. Ok, so they need my confirmation code. Yes, they have the truck in stock; I am lucky. Until now I could have received any truck of equal or greater value for the same price, but it turns out the one I ordered is available. Great, I receive the address. Just in case, I confirm the pick-up time. Nope, not doable, but an hour later should be fine.
I mention this as WTF for two reasons:
1) 3 phone calls are needed to complete the transaction passing each one a unique id (Querystrings anyone?) although the data is shared among all three offices instantly.
and
2) The information flows only in one direction. This data flow is all too familiar. The management makes the big decisions operating with absolutely no knowledge of what is actually going on, while the actual decisions and data (availability of trucks, open/closing days/times, parking availability) are all at the end nodes (along with the competent workers).