PDR Blog Registration Bug and more!
Tue Aug 22, 2023 3:27pm

I was bored and ran a few tests against the registration page on the blog.

It doesn't look like it checks if the username or password fields are just blank spaces with no characters.

I just registered an account where the username and password are both a single space.

2nd bug I found: when I went to 'View Comments' on my regular account and then clicked on the 'Edit comment' link, I get a 404. This is the URL it attempted: It looks like the link is missing the '.php' extension and should be: but that gives me the following: "Error Comments can only be edited by the user who posted them."

I'll stop poking around now.

    • I modified my name in the edit comment field by removing the 'readonly' attribute of the input tag, then tried to submit. I got this page: But it's missing the CSS styling.
      • You weren't supposed to get there - Puckdropper, Thu Aug 31 2023 4:08pm
        But you did! Good thing I didn't trust the client. I've fixed it. I had to not output anything until after I sent a redirect header, so not every message got CSS'd.
        • Two things actually. Not sure if you wanted directory listing on /blog/includes/ but it's available. The other one is that includes/footer.php gets stuck in an infinite loop and taxes the server hardcore if you open it directly in the browser or via curl (you can bypass the '406' response with curl...
          • The footer is loading the footer for the whole website - Puckdropper, Tue Sep 05 2023 4:41pm
            It's not supposed to be opened alone. Here's the offending line: include "../includes/footer.php"; So when the footer is loaded in the correct place, it drops past /blog/ into / and gets the footer for the website. When loaded in includes/ it bounces down to /blog/ and back up to /blog/includes....
            • Well that's done... - Puckdropper, Sun Sep 10 2023 1:20am
              I had to: define("SETTINGS_STATUS", "Good.", true) instead of define("SETTINGS_STATUS", true, true); because PHP interpreted SETTINGS_STATUS to be true even if it was never set. Something about it not being null or something, I guess.
              • Oh wow, that's an odd quirk to have. - Erik_, Mon Sep 11 2023 2:36pm
                I would have also assumed that not set = false. Is the 'define' sub yours or a PHP thing?
                • It's a PHP thing. If you define the symbol, you can use it - Puckdropper, Tue Sep 12 2023 3:08am
                  elsewhere in your code. Kinda like a global, but not really a global. (And globals aren't. You have to explicitly tell your subroutine to use the global variable.) You'd think, and even a function checking for existence would tell you it didn't exist, but nothing really seemed to work. Perhaps...
                  • because == wasn't equal enough. I think I found why it was evaluating to true if it wasn't defined in one of the comments in the PHP Manual: Be aware that if "Notice"-level error reporting is turned off, then trying to use a constant as a variable...
                    • I think PHP has === too......... - Puckdropper, Fri Sep 15 2023 5:51am
                      What really got me about the comment was everything before the comma: Be aware that if "Notice"-level error reporting is turned off, WHAT! The program behaves differently if a certain type of error reporting is enabled? I'd have never even thought about that as a possibility. The car pulls to... more
                      • I didn't even catch that! - Erik_, Sat Sep 16 2023 10:17am
                        That's crazy. It's like they took Perl's "use strict" and "use warnings" and combined them under just warnings for some reason.
            • They sound like a good idea - Erik_, Tue Sep 05 2023 5:54pm
              My worry would be either some crawling bot or random person queuing up a bunch of parallel requests to the footer.php file directly and tanking the whole site. I wonder if it would tank NE and UCL as well? Probably, right? Are they all just sub dirs?
              • There are script limits to help prevent mistakes - Puckdropper, Sun Sep 10 2023 2:04am
                from doing that. Imagine, you're on a shared server and you can take down other sites by a simple infinite loop. You can't access the includes directories now. I wonder if I should just upload a blank index page, too. That seems a little less server dependent. I'm running the same code on the...
                • Ah, makes sense. My host has them too. - Erik_, Mon Sep 11 2023 2:14pm
                  Koyeb is way more strict than Heroku (probably free vs paid thing though). On the NE DiscApp Stats page, before I made a fix, I could cause the server to reboot on any export due to the memory spike it would cause. So, while it would protect everyone else on that shared server, if someone was to constantly...
    • So the comment error was an off-by-one error - Puckdropper, Wed Aug 30 2023 5:41pm
      Or really it was a "I shoulda used a named attribute, not a stupid number." My documentation showed you reported the bug several years ago. Guess I never got around to fixing it. Time to wake the girls up.
      • Was it the same bug reported? - Erik_, Wed Aug 30 2023 8:27pm
        I sort of remember some post a long time ago saying I was "bug reporter of the year" or something for finding one. By named vs number are you referring to the result set returned from the DB? Ex: my $comment_id = $results->[2]; vs. my $comment_id = $results->{'comment_id'}; (I know it's actually...
        • Yep. I might have added or removed an attribute or just - Puckdropper, Thu Aug 31 2023 3:44pm
          started counting at 1. If I had just done $results["name"] the bug would have been prevented and the code would have been clearer.
          • I've had that happen before too - Erik_, Sat Sep 02 2023 12:58pm
            I wrote an internal support ticket submitting website for work in C# about 10 or so years ago and did the same thing. The DB results were referenced by index instead of column name so if the select statement changed, things had to be reworked that used the result set directly. Not too much of an issue...
    • Not a bug, a feature. Ok, it's a bug. - Puckdropper, Fri Aug 25 2023 5:47am
      I'll have to pull that old code out and fix those things. It's not really a problem that your username is " ", I think. But it might get whitespace removed to "", which could be unfortunate. (UPDATE name SET name="Erik_" WHERE name=" " becomes UPDATE name SET name="Erik_" WHERE name="" and now Erik_...
"Forces act when not restrained" - Puckdropper
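The whitespace-only registration from the first post, and the trim-to-"" worry in the "Not a bug, a feature" reply, come down to the same check: reject a username or password that is blank once whitespace is removed, and store the normalised name so later WHERE clauses compare against what was actually saved. The following is an added example, not the blog's registration code; the users table, its columns and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the blog's registration code. Rejects usernames and
// passwords that are blank once whitespace is removed, so " " never reaches the
// database, and stores the normalised username so later WHERE clauses compare
// against exactly what was saved. Table and column names are assumptions.

function normalizeUsername(string $raw): string
{
    // trim() strips space, tab, newline and NUL; the non-breaking space is folded
    // in as well, because a "blank" made of U+00A0 would otherwise slip past.
    return trim(str_replace("\u{00A0}", ' ', $raw));
}

function validateRegistration(string $username, string $password): array
{
    $errors = [];
    $name = normalizeUsername($username);

    if ($name === '') {
        $errors[] = 'Username must contain at least one visible character.';
    } elseif (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $name)) {
        $errors[] = 'Username may use letters, digits, "_", "." and "-" (3 to 32 characters).';
    }

    // Passwords are not trimmed (leading or trailing spaces may be deliberate),
    // but a password that is nothing but whitespace is rejected.
    if (trim($password) === '') {
        $errors[] = 'Password cannot be blank.';
    } elseif (strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters.';
    }

    return ['ok' => $errors === [], 'username' => $name, 'errors' => $errors];
}

function registerUser(PDO $db, string $username, string $password): array
{
    $result = validateRegistration($username, $password);
    if (!$result['ok']) {
        return $result;
    }
    // Prepared statement with the normalised name; the hash, not the password, is stored.
    $stmt = $db->prepare('INSERT INTO users (name, password_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $result['username'],
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return $result;
}

// Constructed demo against an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, password_hash TEXT NOT NULL)');

$attempts = [
    [' ', ' '],                                   // the registration from the thread
    ["\u{00A0}", 'correct horse battery staple'], // non-breaking space, not caught by trim() alone
    ['Erik_', 'correct horse battery staple'],    // a valid registration
];
foreach ($attempts as [$u, $p]) {
    $r = registerUser($db, $u, $p);
    printf("%-10s -> %s\n", json_encode($u), $r['ok'] ? 'registered' : implode(' | ', $r['errors']));
}
```

Because the name is normalised once, before the uniqueness check and the INSERT, there is no stored " " for a later trim to turn into "" and match a different row.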
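Two of the threads above share one handler: the "removed the readonly attribute and resubmitted" attempt, which the server rejected because ownership was checked server-side, and the off-by-one that came from reading the result set by position instead of by column name. The following is an added example, not the blog's edit-comment code; the comments table, its columns and the function names are assumptions, and the error string is the one the first post quotes.

```php
<?php
declare(strict_types=1);

// Added example, not the blog's code. The edit handler takes the comment's
// owner from the database and the current user from the session; the 'name'
// field the browser posts (readonly or not) is never consulted. Columns are read
// by name so a changed SELECT list cannot shift the check onto another column.
// Table, column and function names are assumptions.

function findComment(PDO $db, int $commentId): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $commentId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // $row['user_id'] survives a reordered or extended SELECT; $row[1] from
    // PDO::FETCH_NUM is the off-by-one waiting to happen.
    return $row === false ? null : $row;
}

function canEditComment(PDO $db, int $commentId, ?int $sessionUserId): bool
{
    if ($sessionUserId === null) {
        return false;                 // not logged in
    }
    $comment = findComment($db, $commentId);
    return $comment !== null && (int) $comment['user_id'] === $sessionUserId;
}

function handleEdit(PDO $db, int $commentId, ?int $sessionUserId, array $post): string
{
    if (!canEditComment($db, $commentId, $sessionUserId)) {
        // Same message the thread reports; nothing else is revealed.
        return 'Error Comments can only be edited by the user who posted them.';
    }
    // The UPDATE repeats the ownership condition so the check and the write
    // cannot disagree if the row changes between them.
    $stmt = $db->prepare('UPDATE comments SET body = :body WHERE id = :id AND user_id = :uid');
    $stmt->execute([
        ':body' => (string) ($post['body'] ?? ''),
        ':id'   => $commentId,
        ':uid'  => $sessionUserId,
    ]);
    return $stmt->rowCount() === 1 ? 'Comment updated.' : 'Error Comment not updated.';
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, body TEXT NOT NULL)');
$db->exec("INSERT INTO comments (id, user_id, body) VALUES (1, 100, 'first post'), (2, 200, 'a reply')");

// User 200 tampers with the form: posts the owner's name and tries to edit comment 1.
$forged = ['name' => 'user100', 'body' => 'edited by someone else'];
echo handleEdit($db, 1, 200, $forged), "\n";                            // Error Comments can only be edited ...
// The real owner edits their own comment.
echo handleEdit($db, 1, 100, ['body' => 'edited by the owner']), "\n"; // Comment updated.
// Logged-out request.
echo handleEdit($db, 1, null, ['body' => 'x']), "\n";                   // Error Comments can only be edited ...
```

The posted name is never read at all, which is the only reliable way to "not trust the client": anything a readonly attribute protects can be edited in the browser's developer tools before submission.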
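The footer loop in the "Two things actually" thread follows from how PHP resolves an include path that starts with "../": against the current working directory, which under a web server is the directory of the script that was requested, not the directory of the file containing the include. The example below is added here and is not the site's code; it resolves the offending line by hand for both request contexts, then shows a footer that refuses direct requests with defined() (the existence test the later SETTINGS_STATUS thread needed) and includes the site footer by an absolute path. The directory layout and the BLOG_ENTRY constant are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the site's code. Walks through why
//   include "../includes/footer.php";
// resolves to a different file depending on which script the web server
// started, and shows a footer that refuses direct requests and includes by an
// absolute path. The directory layout is an assumption.

// PHP resolves include paths that start with "./" or "../" against the current
// working directory, which under a web server is the directory of the entry
// script, not of the file that contains the include statement.
function resolveRelativeInclude(string $cwd, string $relative): string
{
    $parts = explode('/', rtrim($cwd, '/'));
    foreach (explode('/', $relative) as $segment) {
        if ($segment === '..') {
            array_pop($parts);
        } elseif ($segment !== '.' && $segment !== '') {
            $parts[] = $segment;
        }
    }
    return implode('/', $parts);
}

$line = '../includes/footer.php';
// Entry script /blog/index.php: cwd is /blog -> the site-wide footer (intended).
echo resolveRelativeInclude('/blog', $line), "\n";           // /includes/footer.php
// Direct request for /blog/includes/footer.php: cwd is /blog/includes -> itself,
// so the footer includes itself until the script limits kill it.
echo resolveRelativeInclude('/blog/includes', $line), "\n";  // /blog/includes/footer.php

// Hardened /blog/includes/footer.php, kept as text so this script stays runnable.
$hardenedFooter = <<<'PHP'
<?php
// 1. Refuse direct requests. The entry script runs define('BLOG_ENTRY', true)
//    before including anything; a bare GET of this file never sees it.
//    defined() is the right test: comparing an undefined constant with == is
//    not (PHP 7 evaluates the bare name as the string "BLOG_ENTRY", which is
//    truthy, with only a notice or warning; PHP 8 throws an Error instead).
if (!defined('BLOG_ENTRY')) {
    http_response_code(403);
    exit;
}
// 2. Include relative to this file, not to the working directory, and only once.
require_once __DIR__ . '/../../includes/footer.php';
PHP;

// Build a tiny copy of the layout in a temp directory and run the entry script to
// show the guard letting the legitimate include through.
$root = sys_get_temp_dir() . '/includedemo_' . getmypid();
mkdir("$root/includes", 0700, true);
mkdir("$root/blog/includes", 0700, true);
file_put_contents("$root/includes/footer.php", "<?php echo \"site footer\\n\";\n");
file_put_contents("$root/blog/includes/footer.php", $hardenedFooter);
file_put_contents("$root/blog/index.php",
    "<?php define('BLOG_ENTRY', true); echo \"blog page\\n\"; require __DIR__ . '/includes/footer.php';\n");

$orig = getcwd();
chdir("$root/blog");
require "$root/blog/index.php";          // prints "blog page" then "site footer"
chdir($orig);

// Clean up the temp layout.
foreach (["$root/blog/index.php", "$root/blog/includes/footer.php", "$root/includes/footer.php"] as $f) {
    unlink($f);
}
foreach (["$root/blog/includes", "$root/blog", "$root/includes", $root] as $d) {
    rmdir($d);
}
```

Requesting the hardened footer directly is not exercised in the script because the guard calls exit; under a web server that request gets a 403 and nothing else runs. The __DIR__ form alone already stops the self-include, and the guard stops the include files from being served as pages at all, which also covers the directory-listing point without depending on the host's configuration.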