Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
That's actually part of a wallpaper. My gf found it somewhere and sent it to me saying "hey I saw this and thought you might like it, would you put it on you phone? It looks cool"
At least she knows nothing about programming so I'm not that disappointed with her. But if someone finds the author let me know, I've got a headbutt preloaded for him -
*weird head shaking and facial expression*
I guess I would do an exorcism on the author.... That hurts. -
I can't decide which feature i like better. The loop over the users or the if "true" === "true" statement. Genious.
-
hjk10157504yEither that was a total noob and the last part is remnant of a test it this has to be on purpose to demonstrate how you can do wrong with syntactically and "working" code.
-
1. fetching all users and implementing the WHERE clause in the app?
2. plain-text passwords?
3. if (""true" === "true") ?
4. SELECT * ?
5. plain DB queries in the interactor layer?
6. Judging by the name of "apiService"... Is this the client-side code? Meaning any client can run any SQL they want by just calling apiService.sql("") ?
7. Do you have any bullets left for the glorious dev who wrote this? -
@sbiewald yes, exactly that!! Someone published it into AmoledPix as a wallpaper LOL
-
This could win some sort of award for the most number of wrong things in so few lines of code.
-
theuser48024y@netikras Yes one more thing, it won't work because it doesn't wait for the accounts to be fetched.
-
@PublicByte
Da fuck?!
Using the output of some ls,git commit,make would take only a few minutes, but they decided to go with this. -
@netikras Checking the reddit post, the lower part was left out.
Yeah, seeing that only makes things worse... It is absolutely client side. You can most likely drop all DB tables from your browser, or pretend to be any user.
Whether it's "real" or not, it's a great collection of reasons why you implement authentication either by following your backend framework documentation to the letter, or by hiring devs with plenty of experience with auth & security. -
korrat6344y@SortOfTested if this is client side code it doesn't matter whether the argument is hashed. It might as well be plaintext.
-
theuser48024y@korrat Indeed, the credentials are fetched straight from the inputs, but there might be an event that hashes the password "on the fly", but that algo would still need to be client-side.
-
korrat6344y@theuser you're right, the argument to the function might indeed be hashed. But if authentication happens on the client-side, these hashes don't get you any security over plaintext passwords.
-
@PublicByte probably not, i watched the first 3 minutes of it and when i realized it's a straight-faced video and not his usual mocking of the stuff, i very sparsely skimmed through the rest so i had no chance to notice any other WTFs besides Objective C.
-
Oh man, sending database queries from the client is my FAVORITE. (I got onboarded onto a project once that was sending Mongo queries from the client. Fun times, fun times.)
This is awful. -
Removing the last conditional must have broken the code, hence it's still there from some previous iteration. 🤣
-
@PublicByte well, i didn't see anything related to existence of braindead people on the thumbnail, so i checked out the video
-
@SortOfTested But then still, that would mean you aren't using something like BCrypt for hashting and that would already be an issue imo...
-
@linuxxx
I mean, its garbage code. First off it's JavaScript, so yeah. I just think we're assuming a lot here, like that the salt isn't stored in another location and the hash isn't computed before being passed to the function. -
@SortOfTested Why'd you store the salt in a different location? Even if someone would get an entire db dump, using a salt and storing it next to the hashed password would make rainbow tables (which a salt protects against) mostly useless regardless as far as I'm aware
-
@linuxxx
I smell the privilege or someone who has never had to work under complete idiots in charge of security policy. I am the envy. -
kLue2144y@PublicByte what if store it locally only( meant - users pc, no shared DB) , any better 🧐?
-
Lol... When you learn a programming stack in 7days and feel lyk you can now create the universe!
-
kubre17434yImagine joining in new, seeing this on your first day and knowing you have to maintain this.
Related Rants
Oh my dog, why?
rant
wtf
stupid
js