
Well... In over 15 years of programming I have had a lot of PHP / HTML projects where I asked myself: what psychopath could have written this?

(PHP haters: Just go trolling somewhere else...)

In my current project I've "inherited" a project which had been running for around 15 years. The code base looked solid to me... (Article system for ERP, huge company / branches system, lots of other modules for internal use... All in all: not small.)

The original goal was to port to PHP 7 and to give it a fresh layout. Seemed doable...

The first days passed by - porting to an asset system, cleaning up the base system (login / logout / session & cookies... you know the drill).

And that was where it all went haywire.

I really have no clue how someone could have been so ignorant as to not even think twice before setting cookies or doing other "header related" stuff without at least checking the result codes...

Basically the authentication / permission system was fully fucked up. It relied on redirecting the user via header modification to the login page with an error set in a GET variable...
Uh boy. That ain't funny.
Ported it to session flash messages, checked whether headers were already sent, hard exit otherwise, then redirect.

But then I got to the first layers of the whole "OOP class" related shit...

It's basically "whack a mole".

Whoever wrote this was dumb and ignorant enough to build up a daisy chain of commands for fixing corner cases of corner cases of the regular command... If you don't understand what I mean, take the following example:

Permissions are based on group (accumulation of single permissions) and single permissions - to get all permissions from a user, you need to fetch both and build a unique array.

Well... The "names" for permissions are not unique. I'd never have expected someone to be so stupid. Yes. You could have two permissions named "article_search" - while relying on uniqueness.

All in all, all permissions are fetched once for the lifetime of the script and stored in a cache...

To fix this corner case... there is another function that fetches the results from the cache and simply returns "one" of the rights (getting the permission array).

In case you need to get the ID of the other (yes... two identifiers used in the project for permissions - name and ID (auto increment key))...

Let's write another function on top of the function on top of the function.

My brain is seriously in deep fried mode.

Untangling this mess is basically like getting pumped up with pain killers and trying to solve logic riddles - it just doesn't work....

So... From redesigning and porting to PHP 7, I'm basically rewriting the whole base system to MVC, porting and touching every script, untangling this dumb shit of "functions" / "OOP" [or whatever you call this garbage] and then hoping everything works...

A huge thanks to AURA. http://auraphp.com/

It's incredibly useful in this case, as it has no dependencies and makes it very easy to get a solid ground without writing a whole framework by myself.

Amen.
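The redirect fix the post describes (GET error parameter and unchecked headers replaced by a session flash message, a headers_sent() check and a hard exit), as an added PHP example that is not the author's or the inherited project's code; the function names and the `_flash` session key are assumptions.

```php
<?php
// Added example, not code from the post or the inherited project.
// Assumptions: session_start() has already run, nothing has been echoed yet,
// and the helper/session key names are made up for illustration.

// BEFORE: the pattern the post describes. The error text travels in a GET
// parameter and nothing stops execution, so a caller that keeps rendering
// still sends the protected page body along with the Location header.
function requireLoginLegacy(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php?error=' . urlencode('Please log in'));
        // missing exit: the rest of the protected script still runs
    }
}

// AFTER: one-shot flash message kept server-side, headers_sent() checked,
// and a hard exit so no protected output can follow the redirect.
function flash(string $key, string $message): void
{
    $_SESSION['_flash'][$key] = $message;
}

function takeFlash(string $key): ?string
{
    $message = $_SESSION['_flash'][$key] ?? null;
    unset($_SESSION['_flash'][$key]);   // read once, then gone
    return $message;
}

function redirectTo(string $path): void
{
    // Accept only a site-local path; a user-supplied URL here would be an open redirect.
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        $path = '/';
    }
    if (headers_sent($file, $line)) {
        // Output already started: a Location header would be ignored and the page rendered.
        error_log("cannot redirect to $path, output started at $file:$line");
        exit(1);
    }
    header('Location: ' . $path);
    exit;
}

function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        flash('error', 'Please log in');
        redirectTo('/login');
    }
}
```

The login page calls `takeFlash('error')` once to display the message and clear it, so nothing user-visible ever travels through the query string.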

Comments
  • 1
    I know EXACTLY what you are going through since it is EXACTLY what I have to deal with in terms of one of our applications at work.

    It is a quite large application, used as a tool for generating budget reports 0.o The header fuckery that was done in this application before I got my hands on it is beyond fucky. Apparently, the previous developer had a knack for doing everything as fast as possible, disregarding basic security practices. This application is only accessible from our network, but still, it is pretty bad.

    Errors were passed through the headers, there were "admin" accounts stored in plain text, not ONE single SQL query was escaped or checked for injections. It was bad man, really bad.
  • 1
    PHP sucks tho.

    Sry, couldn't resist 🤣