Close Menu

    CodeSOD: An Echo In Here in here

    Tobbi sends us a true confession: they wrote this code.

    The code we’re about to look at is the kind of code that mixes JavaScript and PHP together, using PHP to generate JavaScript code. That’s already a terrible anti-pattern, but Tobbi adds another layer to the whole thing.

    
<span class="hljs-keyword">if</span> (AJAX)
{
    <span class="hljs-meta"><?php</span>
        <span class="hljs-keyword">echo</span> <span class="hljs-string">"AJAX.open("POST", '/timesheets/v2/rapports/FactBCDetail/getDateDebutPeriode.php', true);"</span>;
            
    <span class="hljs-meta">?></span>
    
    AJAX.<span class="hljs-title function_ invoke__">setRequestHeader</span>(<span class="hljs-string">"Content-type"</span>, <span class="hljs-string">"application/x-www-form-urlencoded"</span>);
    AJAX.onreadystatechange = callback_getDateDebutPeriode;
    AJAX.<span class="hljs-title function_ invoke__">send</span>(strPostRequest);
}

<span class="hljs-keyword">if</span> (AJAX2)
{
    <span class="hljs-meta"><?php</span>
        <span class="hljs-keyword">echo</span> <span class="hljs-string">"AJAX2.open("POST", '/timesheets/v2/rapports/FactBCDetail/getDateFinPeriode.php', true);"</span>;
    <span class="hljs-meta">?></span>
    AJAX2.<span class="hljs-title function_ invoke__">setRequestHeader</span>(<span class="hljs-string">"Content-type"</span>, <span class="hljs-string">"application/x-www-form-urlencoded"</span>);
    AJAX2.onreadystatechange = callback_getDateFinPeriode;
    AJAX2.<span class="hljs-title function_ invoke__">send</span>(strPostRequest);
}

    So, this uses server side code to… output string literals which could have just been written directly into the JavaScript without the PHP step.

    “What was I thinking when I wrote that?” Tobbi wonders. Likely, you weren’t thinking, Tobbi. Have another cup of coffee, I think you need it.

    All in all, this code is pretty harmless, but is a malodorous brain-fart. As for absolution: this is why we have code reviews. Either your org doesn’t do them, or it doesn’t do them well. Anyone can make this kind of mistake, but only organizational failures get this code merged.

    <!– Easy Reader Version: –>

    [Advertisement]
    Keep the plebs out of prod. Restrict NuGet feed privileges with ProGet. Learn more.

    Source: Read More 

    Related Posts

    Leave A Reply

    For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.