CodeSOD: When You Can’t Use WordPress

Initech had a lovely little Content Management System built by a third party that was good at "building" CMSes. That is to say, this company knew its way around a WordPress template.

When Initech needed a new public-facing website, they went straight back to that vendor. Now, this new website was a complicated statistical tool, with all sorts of complicated business rules and requiring a large amount of custom programming. So the vendor that just cranked out WordPress templates may not have been a good fit for the project, but that didn't stop anybody.

That's how Magnus M found code which looks like this:

    $dataTotalArray[$md['adt_group_id']][$md['atss_id']]['adt_text'] = $md['adt_text'];
    if($md['type'] == "totalthisyear") {
        $dataTotalArray[$md['adt_group_id']][$md['atss_id']]['amount'] = $md['amount'];
        $dataTotalArray[$md['adt_group_id']][$md['atss_id']]['count'] = $md['count'];
    }

There are so many nested braces here I'd almost suspect this was a LISP dialect instead of PHP.

That's just ugly and incomprehensible, and it isn't the WTF. The real WTF is that someone had it in their head that "web code" meant anyone doing "view source" could see the code. This complete misunderstanding about what constitutes server-side code led them to ensure that all their constants were obfuscated via an MD5 hash.

    if($_GET['size_cat'] == '59e9effecfe048c8-b13a76da69cc12df') {
        $adt_old_type = 0;
    } else {
        $adt_old_type = 1;
    }

    // later in document - in the "presentation" part
    if ($_GET['size_cat'] == '59e9effecfe048c8-b13a76da69cc12df') {
        echo "ADT";
    } else {
        echo "ADT";
    }

Magnus writes:

In some cases even the arguments to their stored procedures require the arguments MD5'ed. Makes for wonderful debugging.
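
An added example, not code from the original post or from Initech's vendor: a small audit helper a maintainer could run over PHP source like the above to find MD5-shaped string literals and map them back to readable names from a list of the application's own known values. The category names, the `call_proc` call, and the sample source are constructed assumptions.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# A quoted run of exactly 32 hex characters: the shape of an MD5 digest literal.
MD5_LITERAL = re.compile(r"""(['"])([0-9a-fA-F]{32})\1""")


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def annotate(php_source: str,
             known_values: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line number, digest, readable value or None) per MD5-shaped literal."""
    # Hash every value the application is known to use, once, for reverse lookup.
    lookup = {md5_hex(v): v for v in known_values}
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in MD5_LITERAL.finditer(line):
            digest = match.group(2).lower()
            findings.append((lineno, digest, lookup.get(digest)))
    return findings


# Constructed inputs: hypothetical category names and a sample PHP file whose
# digests are computed here rather than copied from the post.
KNOWN_VALUES = ["small", "medium", "large"]
SAMPLE_PHP = "\n".join([
    "<?php",
    "if ($_GET['size_cat'] == '%s') {" % md5_hex("large"),
    "    $adt_old_type = 0;",
    "}",
    "$stmt = call_proc('%s');" % md5_hex("not-in-the-list"),
])

if __name__ == "__main__":
    for lineno, digest, value in annotate(SAMPLE_PHP, KNOWN_VALUES):
        print(f"line {lineno}: {digest} -> {value or 'UNKNOWN, needs a name'}")
```

Literals that come back unresolved are the ones to chase down and replace with named constants first.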


This post originally appeared on The Daily WTF.
