Representative Line: Get Explosive

Sean sends us a one-line function that is a delight, if by delight you mean “horror”. You’ll be shocked to know it’s PHP.

function proget(){foreach($_GET as $k=>$v){if($k=="h"){$GLOBALS["h"]=1;}$p=explode(",",$k);}return($p);} //function to process GET headers

Based on the comment, proget is a shorthand for process_get_parameters. Which is sort of what it does. Sort of.

Let’s go through this. We iterate across our $_GET parameters using $k for the key, $v for the value, but we never reference the value so forget it exists. We’re iterating across every key. The first thing we check is if a key "h" exists. We don’t look at its value, we just check if it exists, and if it does, we set a global variable. And this, right here, is enough for this to be a WTF. The logic of “set a global variable based on the existence of a query parameter regardless of the value of the query parameter” is… a lot. But then, somehow, this actually gets more out there.

We explode the key on commas (explode being PHP’s much cooler name for split), which implies… our keys may be lists of values? Which I feel like is an example of someone not understanding what a “key” is. But worse than that, we just do this for every key, and return the results of performing that operation on the last key. Which means that if this function is doing anything at all, it’s entirely dependent on the order of the keys. Which, PHP does order the keys by the order they’re added, which I take to mean that if the URL has query params like ?foo=1&h=0&a,b,c,d=wtf. Or, if we’re being picky about encoding, ?foo=1&h=0&a%2Cb%2Cc%2Cd=wtf. The only good news here is that PHP handles the encoding/decoding for you, so the explode will work as expected.

This is the kind of bad code that leaves me with lots of questions, and I’m not sure I want any of the answers. How did this happen, and why are questions best left unanswered, because I think the answers might cause more harm.

Source: Read More