Oh my dog, why?

Is true true?
Plaintext?
Looping over accounts?

Yay

Who wrote this, what son of a bitch wrote this

Wow, so many wrong things on one picture its slightly disturbing.

That's actually part of a wallpaper. My gf found it somewhere and sent it to me saying "hey I saw this and thought you might like it, would you put it on you phone? It looks cool"

At least she knows nothing about programming so I'm not that disappointed with her. But if someone finds the author let me know, I've got a headbutt preloaded for him

*weird head shaking and facial expression*

I guess I would do an exorcism on the author.... That hurts.

I can't decide which feature i like better. The loop over the users or the if "true" === "true" statement. Genious.

The weird thing is that with JavaScript I'm not even sure that "true" === "true".

ew

Either that was a total noob and the last part is remnant of a test it this has to be on purpose to demonstrate how you can do wrong with syntactically and "working" code.

I think this originates from https://reddit.com/r/...

@PublicByte why link that video, though?

1. fetching all users and implementing the WHERE clause in the app?
2. plain-text passwords?
3. if (""true" === "true") ?
4. SELECT * ?
5. plain DB queries in the interactor layer?
6. Judging by the name of "apiService"... Is this the client-side code? Meaning any client can run any SQL they want by just calling apiService.sql("") ?

7. Do you have any bullets left for the glorious dev who wrote this?

@sbiewald yes, exactly that!! Someone published it into AmoledPix as a wallpaper LOL

Son of a bitch...

Hey, it's all fine, they used strict comparisons.

/s

Commodity coders be like.

@netikras
Could be hashes, I'll be kind and assume the arg was hashed.

TW : bad indentation

This could win some sort of award for the most number of wrong things in so few lines of code.

@netikras Yes one more thing, it won't work because it doesn't wait for the accounts to be fetched.

@PublicByte
Da fuck?!
Using the output of some ls,git commit,make would take only a few minutes, but they decided to go with this.

@Benutzername You never know when "true" will stop being true! Better test for it

I mean at least there's no SQL injection

This has to be a joke. This must be a joke!

@netikras Checking the reddit post, the lower part was left out.

Yeah, seeing that only makes things worse... It is absolutely client side. You can most likely drop all DB tables from your browser, or pretend to be any user.

Whether it's "real" or not, it's a great collection of reasons why you implement authentication either by following your backend framework documentation to the letter, or by hiring devs with plenty of experience with auth & security.

@SortOfTested if this is client side code it doesn't matter whether the argument is hashed. It might as well be plaintext.

Protip: use a loop to be protected against SQL-injections 🤣🤣🤣

@korrat Indeed, the credentials are fetched straight from the inputs, but there might be an event that hashes the password "on the fly", but that algo would still need to be client-side.

@theuser you're right, the argument to the function might indeed be hashed. But if authentication happens on the client-side, these hashes don't get you any security over plaintext passwords.

@PublicByte probably not, i watched the first 3 minutes of it and when i realized it's a straight-faced video and not his usual mocking of the stuff, i very sparsely skimmed through the rest so i had no chance to notice any other WTFs besides Objective C.

Oh man, sending database queries from the client is my FAVORITE. (I got onboarded onto a project once that was sending Mongo queries from the client. Fun times, fun times.)

This is awful.

Removing the last conditional must have broken the code, hence it's still there from some previous iteration. 🤣

@korrat
Given its calling SQL, it's unlikely to be client code.

@SortOfTested It is. The parameters comes from inputs that are fetched with JQuery.

Ehhh, this doesn’t really look safe.

@PublicByte well, i didn't see anything related to existence of braindead people on the thumbnail, so i checked out the video

@SortOfTested But then still, that would mean you aren't using something like BCrypt for hashting and that would already be an issue imo...

@linuxxx

I mean, its garbage code. First off it's JavaScript, so yeah. I just think we're assuming a lot here, like that the salt isn't stored in another location and the hash isn't computed before being passed to the function.

@SortOfTested Why'd you store the salt in a different location? Even if someone would get an entire db dump, using a salt and storing it next to the hashed password would make rainbow tables (which a salt protects against) mostly useless regardless as far as I'm aware

@linuxxx
I smell the privilege or someone who has never had to work under complete idiots in charge of security policy. I am the envy.

@PublicByte what if store it locally only( meant - users pc, no shared DB) , any better 🧐?

As It survived a code review tells me a lot of things.

Don't know this language but somehow I know it's very wrong

just... so much to unpack here.
Imma just save this, for uh, educational purposes.

Il don't see WHERE is the problem 😁

People can view all of their users database information in the browser 🙂

This is disturbing for some reason!

There is no sign of SQL injection here... Yay! 😂

Lol... When you learn a programming stack in 7days and feel lyk you can now create the universe!

Imagine joining in new, seeing this on your first day and knowing you have to maintain this.