|
You might have been thinking of perl 6 
|
#
?
Jul 27, 2012 19:46
|
|
|
|
| # ? Apr 29, 2024 03:54 |
|
|
PHP6 got dropped, and they decided instead of making a full version update, to roll the "featured" changes PHP6 was going to have into smaller portions. PHP6 basically became PHP 5.3 and 5.4. There are still a few features that have been discussed and planned for 6 that we haven't seen yet though.
|
|
#
?
Jul 27, 2012 20:30
|
|
|
But it's not like the PHP devs are exactly jonesing for a total overhaul of their language, is it? Isn't the guiding development philosophy "'Real' programmers are idiots?"
|
|
#
?
Jul 27, 2012 20:56
|
|
|
GrumpyDoctor posted:But it's not like the PHP devs are exactly jonesing for a total overhaul of their language, is it? Isn't the guiding development philosophy "'Real' programmers are idiots?" I think that was only the original designer of the language, not the current team. I could be wrong, though.
|
|
#
?
Jul 27, 2012 21:08
|
|
|
Frozen-Solid posted:PHP6 got dropped, and they decided instead of making a full version update, to roll the "featured" changes PHP6 was going to have into smaller portions. PHP6 basically became PHP 5.3 and 5.4. There are still a few features that have been discussed and planned for 6 that we haven't seen yet though. PHP6 tried to add unicode, and strayed from the true path of UTF-8, and suffered as a result. Unicode support is still missing from PHP.
|
|
#
?
Jul 27, 2012 21:10
|
|
|
Haha wait, what? Where can I read more about PHP not handling unicode? This is awesome.
|
|
#
?
Jul 27, 2012 21:12
|
|
|
pokeyman posted:Haha wait, what? Where can I read more about PHP not handling unicode? This is awesome. It's more awesome than you think: http://pooteeweet.org/blog/1689
|
|
#
?
Jul 27, 2012 22:06
|
|
|
Golbez posted:I am probably missing something here, but why the hell would this return "unexpected results" because of a large file? It can't see if that file exists if it's more than 2gb? What unexpected results would we have? Returning false if the file is actually there? Is this actually a thing that happens? I like to think that PHP tries to open and read the whole file just to determine if it exists and is readable, but fails if it can't load all the contents into memory.
|
|
#
?
Jul 27, 2012 23:36
|
|
|
Zamujasa posted:I think that was only the original designer of the language, not the current team. I could be wrong, though.
|
|
#
?
Jul 27, 2012 23:39
|
|
|
Frozen-Solid posted:PHP6 got dropped, and they decided instead of making a full version update, to roll the "featured" changes PHP6 was going to have into smaller portions. PHP6 basically became PHP 5.3 and 5.4. There are still a few features that have been discussed and planned for 6 that we haven't seen yet though. This is basically not true. You'll want to view Andrei Zmievski's slides, wherein he explains both the PHP6 unicode conundrum and why full unicode support will basically never happen. Hint: it destroys backwards compatibly in both obvious and subtle ways. PHP 6 was never slated to have any of the features we've gotten in 5.3 and 5.4, and will get in the next release. People basically got pissed off at the autocracy that was php-internals and managed to push through an RFC process. It's only through the RFC process and a modern managed release cycle that there's been any progress on making PHP a better language. Even then...
|
|
#
?
Jul 28, 2012 00:12
|
|
|
McGlockenshire posted:PHP 6 was never slated to have any of the features we've gotten in 5.3 and 5.4, and will get in the next release. People basically got pissed off at the autocracy that was php-internals and managed to push through an RFC process. That isn't entirely true either. The last time I heard about PHP6 was in early '09, before the death of PHP6. At that point in time namespaces, closures, and goto were all intended to be included in PHP6. The first patches for namespaces were all done as a part of PHP6. There were also a lot of things that were being talked about that were going to be looked into after PHP6 was finished. For example: http://www.nullislove.com/2007/07/06/php-6-namespaces/ All of this was long before the death of PHP6, and before work had begun on PHP 5.3. Even in May 2008, (The PHP|Tek 2008 Conference, which I attended) those features were still planned for PHP6. By Summer of 2008, those features were back ported into PHP 5 and turned into PHP 5.3 alpha 1, which was released in August 2008. You are correct in that by the time Andrei Zmievski's slideshow that you linked was made, the only part of PHP6 that was different was unicode support. It was officially killed in 2010, when work on PHP5.4 began, as mentioned in his slideshow.
|
|
#
?
Jul 28, 2012 01:11
|
|
|
//Get the number of items in the array list item_count = myArrayList.ToArray().length; Jesus gently caress. Why is this happening to me? Why is this in production code?
|
|
#
?
Jul 28, 2012 08:17
|
|
|
DrankSinatra posted://Get the number of items in the array list
|
|
#
?
Jul 28, 2012 10:30
|
|
|
PrBacterio posted:Eh. You know in comparison to some of the horrors in this thread this one is so utterly trivial that I can't really get worked up over it. And it's so easily fixed too. A real horror is when its some dumb poo poo repeated over dozens or hundreds of functions, with subtle changes in each instance and so intrinsically entwined with the inner workings of the program that it can't be easily ripped out and fixed without breaking the whole thing. That's true. I'm basically in the middle of rewriting everything he's done. There's nothing subtly wrong. It's just thousands of lines of poo poo that nobody out of CS100 would have thought was a reasonable idea. "Oh you want me to convert this base64 string back to a byte array? Ok. I'll cast it to byte[]." It's just hundreds of trivial things that might possibly look okay at the surface level, but make no sense at all when you give them more than thirty seconds of thought.
|
|
#
?
Jul 28, 2012 14:49
|
|
|
DrankSinatra posted:"Oh you want me to convert this base64 string back to a byte array? Ok. I'll cast it to byte[]."  baby's first serialization
|
|
#
?
Jul 28, 2012 18:22
|
|
|
PrBacterio posted:A real horror is when its some dumb poo poo repeated over dozens or hundreds of functions, with subtle changes in each instance and so intrinsically entwined with the inner workings of the program that it can't be easily ripped out and fixed without breaking the whole thing. Haha, at least your poo poo is in functions! 
|
|
#
?
Jul 28, 2012 23:32
|
|
|
Zamujasa posted:Haha, at least your poo poo is in functions! Every time I've worked with off-shored, lowest-bidder code I've run into the 4000+ line monolithic function that invariably 'dispatches' by switch statement.
|
|
#
?
Jul 30, 2012 01:55
|
|
|
We have that too, but instead of a function it's buried in an Ajax request that fires off a file_get_contents("http://magic_url_to_our_api"), which collapses through about 10 nested if ($validated = 1) {, which eventually falls into a two-case switch statement. Inside that statement is code that is really great, like this: code:Oh. Another fun thing from Friday. My boss learned about this: code:For the record, the previous way he was doing it was something like this: code:
|
|
#
?
Jul 30, 2012 03:40
|
|
|
does this qualify as far as I can tell, the Flash installer creates a local webserver in order to serve javascript to itself, which is displaying its UI using IE's rendering/JS engine. Their JS has an error, causing the installer to fail (but first it overwrites enough so that the outdated version is now broken)
|
|
#
?
Jul 30, 2012 08:20
|
|
|
Aleksei Vasiliev posted:does this qualify Yes, anything made by Adobe always qualifies.
|
|
#
?
Jul 30, 2012 10:26
|
|
|
Here's a "fun" coding horror: Most recent Ubisoft games install a remote execution exploit as a browser plugin. Here's a POC that runs calc.exe:JavaScript code:e: http://pastehtml.com/view/c6gxl1a79.html hosted version if you want to try it out Threep fucked around with this message at 11:15 on Jul 30, 2012 |
|
#
?
Jul 30, 2012 11:09
|
|
|
The exploit is literally just handing the plugin a base64 encoded path to whatever file you want to execute. This is a bigger  than Super Meat Boy.
|
|
#
?
Jul 30, 2012 11:13
|
|
|
Can that actually be used to do anything malicious like 'download and run this trojan'? Real question. Also, just tested using UPlay installed from their site. Doesn't work on Win 7 x64 in any browser (IE/Chrome/FF). But they may distribute a different version with their games; it didn't install a browser plugin. edit, unrelated: How not to reassure people over a security issue Malloc Voidstar fucked around with this message at 11:33 on Jul 30, 2012 |
|
#
?
Jul 30, 2012 11:23
|
|
|
Aleksei Vasiliev posted:Can that actually be used to do anything malicious like 'download and run this trojan'? Real question. Threep fucked around with this message at 11:27 on Jul 30, 2012 |
|
#
?
Jul 30, 2012 11:25
|
|
|
It could also execute echo "malicious code">somefile.exe&&somefile.exe
|
|
#
?
Jul 30, 2012 12:02
|
|
|
Tamba posted:It could also execute I strongly doubt their launcher actually runs the thing through cmd.exe instead of just plain CreateProcess() or ShellExecute()ing it.
|
|
#
?
Jul 30, 2012 12:13
|
|
|
Threep posted:And of course if there's a way to add command line arguments then it's open season, and it would make sense to have such for a product launcher. edit: credit to Ubisoft for patching it already. except i think it's outweighed by having it in the first place. Malloc Voidstar fucked around with this message at 23:36 on Jul 30, 2012 |
|
#
?
Jul 30, 2012 12:25
|
|
|
The correct way to route URLs in ASP.NET is: (a) use the framework's inbuilt URL routing system, (b) roll your own routing solution with regexes or whatever, or (c) route your URLs with a 700 line stored procedure in your database. I think we all know which method my work decided to use.
|
|
#
?
Jul 31, 2012 08:51
|
|
|
redleader posted:The correct way to route URLs in ASP.NET is: d) make tons of folders and put a default.aspx in each of them
|
|
#
?
Jul 31, 2012 09:04
|
|
|
Biowarfare posted:d) make tons of folders and put a default.aspx in each of them Oh man, I wish I'd thought of this.
|
|
#
?
Jul 31, 2012 10:34
|
|
|
A new day, a new horror... If I'm becoming grating with Tales from The Boss, then let me know and I'll cut back on sharing them. Buried deep* in the code for Android devices** there was a hardcoded URL to "http://oursite.com/readfile.php?file=super_cool_video.mp4", presumably to test our video player. Well, you can probably figure out what that file does. Here's a hint: It definitely does not do any sort of validation or sanity check. "file=../../secure_file.php? Sure! " Of course, they stressed to the new hire that we're a very serious and secure company!  I think my favorite part was that this could've been solved by a) not using totally separate folders for http and https, b) using a symlink, or c) a rewrite rule in Apache. But instead he takes the most insecure path, completely missing the point. (Then again: This is the same person who thinks naming folders stupid names like "upload834713" is at all "secure".) * My boss is apparently very proud that this entire mobile app is contained in a single .php file, with a lot of (of course completely run-together) HTML segments in if-then-else. The whole mess is over a thousand lines long for what should be almost nothing but a few include()s. ** Yes, we do all of our browser checking based on the user-agent string (and even then, half-assedly). Media queries? Pfft! Capability checking? Ha!
|
|
#
?
Jul 31, 2012 13:06
|
|
|
Holy cow. I'm sitting here having just deployed my Django site worried about pretty much everything cause I'm no that good but god drat that's crazy bad.
|
|
#
?
Jul 31, 2012 17:29
|
|
|
Zamujasa posted:Of course, they stressed to the new hire that we're a very serious and secure company! Do you work for Tesco UK? Apparently saying "We're serious about security and our measures are robust" is the same thing as actually having robust security measures. TMYK
|
|
#
?
Jul 31, 2012 22:23
|
|
|
Zamujasa posted:Of course, they stressed to the new hire that we're a very serious and secure company! I've actually seen the following sentences back to back in a job ad: "We take security VERY seriously. All our code runs in the cloud."
|
|
#
?
Jul 31, 2012 22:32
|
|
|
Novo posted:I've actually seen the following sentences back to back in a job ad: "We take security VERY seriously. All our code runs in the cloud." That sounds like us.  Everyone throws around "cloud" and such like they know what they're talking about.
|
|
#
?
Jul 31, 2012 22:56
|
|
|
BP posted:True. I guess you can use a file existence check as a way to short-circuit unnecessary code--ie skip doing processing that will eventually fail due to a missing file, rather than waiting until you actually need the file before failing. But you should always also check at time of open.
|
|
#
?
Aug 1, 2012 04:59
|
|
|
But what if the file is deleted in between the existence check and the stat()???
|
|
#
?
Aug 1, 2012 14:10
|
|
|
Then stat will fail, which is a case that needs to be handled anyway, so the file existence check before the stat is pointless.
|
|
#
?
Aug 1, 2012 14:15
|
|
|
Suspicious Dish posted:But what if the file is deleted in between the existence check and the stat()???
|
|
#
?
Aug 1, 2012 15:10
|
|
|
|
| # ? Apr 29, 2024 03:54 |
|
|
Zamujasa posted:(Then again: This is the same person who thinks naming folders stupid names like "upload834713" is at all "secure".) "Security through obscurity" is the phrase that springs to mind.
|
|
#
?
Aug 1, 2012 15:27
|
|