When the CEO becomes a developer II
-
To activate his account the user has to enter a key which is stored in the database in his account-record. How do we find this record? Well, we search the table:

$loginname = $_POST['loginname'];
$keyEntered = $_POST['key'];
$query = "SELECT * FROM user";
$result = mysql_query($query) or die(mysql_error());
while($row = mysql_fetch_array($result)){
    if ($keyEntered == $row["activator"]){
        $sql="UPDATE user SET activator = '', status='activated' WHERE username = '$loginname'";
        mysql_query($sql);
        $time=time()+ 365*24*60*60;
        setcookie("check", "1",$time);
    }
}
if ($keyEntered != $row["activator"])
{
    $msg2="Invalid key";
}

So:
- No escaping of the entered POST-parameters.
- First query fetches ALL datasets!
- WHERE-clause in second query takes the loginname given by the user, not the id of the dataset found.

Can this be worse?
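The activation logic from the post above, ported to Python with an in-memory SQLite table so that the two flaws it lists (no escaping of the POST parameters, and an UPDATE keyed on the user-supplied loginname rather than on the record that matched) can be exercised against sample data and then compared with a hardened version. This is an added example, not code from the original post or its author: the `user` table layout (id, username, activator, status), the three sample accounts and their keys are constructed here, and the hardened function uses bound parameters, a lookup of the single pending record by username, a constant-time key comparison and an update by the record's id.

```python
"""Added example (not from the original post): the PHP activation logic above,
ported to Python + sqlite3 so its two flaws can be run against sample data,
next to a hardened version. Table layout and sample users are constructed here."""
import hmac
import sqlite3


def make_db():
    # Constructed sample data: three pending accounts, each with its own key.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "activator TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, activator, status) VALUES (?, ?, 'pending')",
        [("alice", "k-alice"), ("bob", "k-bob"), ("carol", "k-carol")],
    )
    conn.commit()
    return conn


def activate_vulnerable(conn, loginname, key_entered):
    """Port of the posted code: fetch every row, and on any key match run an
    UPDATE whose WHERE clause is pasted together from the raw loginname."""
    activated = False
    # mysql_query buffers the whole result set; fetchall() mirrors that.
    for (activator,) in conn.execute("SELECT activator FROM user").fetchall():
        if key_entered == activator:
            sql = ("UPDATE user SET activator = '', status = 'activated' "
                   f"WHERE username = '{loginname}'")  # injectable
            conn.execute(sql)
            activated = True
    conn.commit()
    return activated


def activate_hardened(conn, loginname, key_entered):
    """Bind the username, fetch the single pending record, compare the key in
    constant time, and update by primary key rather than by user input."""
    row = conn.execute(
        "SELECT id, activator FROM user WHERE username = ? AND status = 'pending'",
        (loginname,),
    ).fetchone()
    if row is None:
        return False
    user_id, activator = row
    if not activator or not hmac.compare_digest(activator.encode(), key_entered.encode()):
        return False
    conn.execute(
        "UPDATE user SET activator = '', status = 'activated' WHERE id = ?",
        (user_id,),
    )
    conn.commit()
    return True


def status_of_all(conn):
    return dict(conn.execute("SELECT username, status FROM user ORDER BY username"))


def demo():
    """Run both attacks against each version; returns the resulting states."""
    results = {}
    # Injection: no escaping, so the WHERE clause matches every row.
    conn = make_db()
    activate_vulnerable(conn, "nobody' OR '1'='1", "k-alice")
    results["injection"] = status_of_all(conn)
    # Cross-account: alice's key is matched against all rows, but the UPDATE
    # targets whatever username the attacker typed.
    conn = make_db()
    activate_vulnerable(conn, "bob", "k-alice")
    results["cross_account"] = status_of_all(conn)
    # Hardened: both attacks fail, the matching pair still works.
    conn = make_db()
    results["hardened"] = (
        activate_hardened(conn, "nobody' OR '1'='1", "k-alice"),
        activate_hardened(conn, "bob", "k-alice"),
        activate_hardened(conn, "alice", "k-alice"),
        status_of_all(conn),
    )
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```

Running `demo()` shows the vulnerable port activating every account with the loginname `nobody' OR '1'='1`, and activating bob's account with alice's key; the hardened function rejects both and only activates alice with her own key. The `status = 'pending'` filter also stops a cleared (empty) activator from ever matching again.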
-
imagiro wrote:
Can this be worse?
Yes, it can. Garnish the whole thing with some empty catch blocks. Obfuscate these horrors with a generous helping of spaghetti (code). Use only obscure abbreviations as names for variables. Avoid comments at all cost. Throw in some lengthy and totally needless string manipulation to avoid having to use any other data type. Let those string manipulations fail (sometimes) because the string was null to begin with, which omits about 10000 code lines by going directly to the empty catch block. Or how about this: Send some query to get a filled dataset with several tables and many rows. Then clear out all the rows (but prevent them from being deleted in the database). This way you conveniently get a dataset to fill with your own new rows. No hassle with setting up the dataset first. And I have this and many more great ideas in one big ball of rubbish. And the spaghetti parts are so good that any attempt to replace the most horrible parts one by one is doomed to fail.
A while ago he asked me what he should have printed on my business cards. I said 'Wizard'. I read books which nobody else understands. Then I do something which nobody understands. After that the computer does something which nobody understands. When asked, I say things about the results which nobody understands. But everybody expects miracles from me on a regular basis. Looks to me like the classical definition of a wizard.
-
imagiro wrote:
Can this be worse?
Clippy: I see that you entered the wrong password. The correct password is "apple"; shall I enter it for you?
-
imagiro wrote:
$time=time()+ 365*24*60*60;
Does nobody know that there are 86,400 seconds in a day? [I can't prove this but I have this ingrained in my long-term memory.]
Panic, Chaos, Destruction. My work here is done. or "Drink. Get drunk. Fall over." - P O'H
-
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds in a day?
Distant memories of childhood wonderment:
Eight six four two zero(es).
And yes, it has been useful these last 60-odd years. Cheers, Peter
ps No idea why you got downvoted. Have my 5 in at least partial compensation.
Software rusts. Simon Stephenson, ca 1994.
-
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds in a day? [I can't prove this but I have this ingrained in my long-term memory.]
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
-
Charvak Karpe wrote:
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
Indeed. Your compiler should do that multiplication as part of the optimization stage anyway, so feel free to leave arithmetic on constants like that in your code as long as it improves the situation. Even if it didn't optimize that out, if you're waiting on the SQL server to retrieve your results like that, the last thing you'll notice is 2 extra integer multiplication operations.
-
Nagy Vilmos wrote:
Does nobody know that there are 86,400 seconds in a day?
I didn't, but for some reason I know there are 525,600 minutes in a year. :rolleyes:
-
I didn't, but for some reason I know there are 525,600 minutes in a year. :rolleyes:
A workable "slide rule" approximation: 1 year = 10^7.5 seconds. [A leap year is even closer! ;P ]
Software rusts. Simon Stephenson, ca 1994.
-
A workable "slide rule" approximation: 1 year = 10^7.5 seconds. [A leap year is even closer! ;P ]
I guess now we know how you measure a year. :)
-
I guess now we know how you measure a year. :)
All is revealed! From the "Eight Days a Week" school of mathematical chronology. :laugh: :laugh:
Software rusts. Simon Stephenson, ca 1994.
-
Charvak Karpe wrote:
Just last week I wrote a formula that included "numdays * 86400" and then I replaced it with "numdays * 24 * 60 * 60" because that adds clarity for the people who don't know how many seconds are in a day. If other people are going to read your code, it's easier to do 24*60*60 than to add a comment explaining why you're multiplying by 86400.
Wow. So you replaced a "magic number" with a set of "magic numbers" for clarity? Replace the thing with a constant and you'd be doing far, far better.
A guide to posting questions on CodeProject
Dave Kreskowiak
-
Dave Kreskowiak wrote:
Wow. So you replaced a "magic number" with a set of "magic numbers" for clarity? Replace the thing with a constant and you'd be doing far, far better.
#define SECONDS_IN_A_DAY 86400 is clearer and slightly educational to the reader, so definitely a better solution. You trivialize my approach as using "magic numbers", but in the real world probably 90% of the population can tell what you're doing if you do 24 * 60 * 60 whilst maybe 15% of people know what 86400 is. So, I'd still say 24 * 60 * 60 is clearer than 86400 despite it being 3 "magic numbers" instead of 1. Astonishingly, if you add a fourth magic number, nearly every literate human on the Western calendar understands it with no explanation: "365 * 24 * 60 * 60".
-
Charvak Karpe wrote:
but in the real world probably 90% of the population can tell what you're doing if you do 24 * 60 * 60
You haven't worked with some of the developers I work with now. No, they couldn't tell you what that code was doing... seriously.
A guide to posting questions on CodeProject
Dave Kreskowiak