Konrad was trying to understand how an input form worked, and found this validation function.
function IsReallyEmpty($subject)
{
    $trimmed = trim(preg_replace("/&.*;/", "", $subject));
    return strlen($trimmed) != 0;
}
Now, I can understand why one might want to have a different definition of "empty" when it comes to strings. An all whitespace string, like " " may rightfully be considered an empty input for many applications. So calling trim makes a lot of sense. It's the preg_replace that starts to worry me, because that regex is clearly trying to match an HTML entity, aka &nbsp;. But it matches all HTML entities, not just ones like &nbsp; which are whitespace characters, but ampersands and greater/less-than signs.
But there's another problem with the regex. The * operator is greedy. So &nbsp;Hello World&nbsp; would see the opening &, the closing ; and decide the entire string could be rejected.
But that's not the real WTF. The real WTF is the very last line. In a function called IsReallyEmpty, it returns true if the input string is not empty, thus stretching the definition of "really" to new levels.
"Is this string really empty?" "No, it is."

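As an added example (not code from the original post), the PHP below runs the function exactly as posted against constructed inputs, next to a hypothetical isBlank() replacement that decodes entities instead of deleting them. The name isBlank and the sample strings are assumptions made for illustration.

```php
<?php
// Function from the post, unchanged: returns true when the input is NOT empty.
function IsReallyEmpty($subject)
{
    $trimmed = trim(preg_replace("/&.*;/", "", $subject));
    return strlen($trimmed) != 0;
}

// Hypothetical replacement (name is an assumption): true only for blank input.
function isBlank(string $subject): bool
{
    // Decode entities instead of deleting them, so &nbsp; becomes U+00A0
    // and &amp; becomes a visible "&".
    $decoded = html_entity_decode($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // \s covers ASCII whitespace; \p{Z} covers Unicode separators such as U+00A0.
    // preg_match returns false on invalid UTF-8, which is treated as not blank.
    return preg_match('/^[\s\p{Z}]*$/u', $decoded) === 1;
}

// Constructed sample inputs.
$samples = [
    "   ",                      // plain whitespace
    "&nbsp; &nbsp;",            // whitespace entities only
    "&nbsp;Hello World&nbsp;",  // greedy match swallows the visible text
    "&amp;",                    // a visible character expressed as an entity
    "Tom &amp; Jerry",          // entity in the middle of real content
];

foreach ($samples as $s) {
    printf(
        "%-28s IsReallyEmpty=%-5s isBlank=%s\n",
        json_encode($s),
        var_export(IsReallyEmpty($s), true),
        var_export(isBlank($s), true)
    );
}
```

For a validator like this, the rows to compare are the ones where the posted function reports no content for input that visibly has some, since that is real user data being thrown away at the form boundary.
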
This post originally appeared on The Daily WTF.