Article 58P9D CodeSOD: Imploded Code

CodeSOD: Imploded Code

by
Remy Porter
from The Daily WTF on (#58P9D)

Cassi's co-worker (previously) was writing some more PHP. This code needed to take a handful of arguments, like id and label and value, and generate HTML text inputs.

Well, that seems like a perfect use case for PHP. I can't possibly see how this could go wrong.

echo $sep."<SCRIPT>CreateField(" . implode(', ', array_map('json_encode', $args)) . ");</SCRIPT>\n";

Now, PHP's array_map is a beast of a function, and its documentation has some pretty atrocious examples. It's not just a map, but also potentially a n-ary zip, but if you use it that way, then the function you're passing needs to be able to handle the right number of arguments, and- sorry. Lost my train of thought there when checking the PHP docs. Back to the code.

In this case, we use array_map to make all our fields JavaScript safe by json_encodeing them. Then we use implode to mash them together into a comma separated string. Then we concatenate all that together into a CreateField call.

CreateField is a JavaScript function. Cassi didn't supply the implementation, but lets us know that it uses document.write to output the input tag into the document body.

So, this is server side code which generates calls to client side code, where the client side code runs at page load to document.write HTML elements into the document... elements which the server side code could have easily supplied.

I'll let Cassi summarize:

I spent 5 minutes staring at this trying to figure out what to say about it. I just... don't know. What's the worst part? json_encoding individual arguments and then imploding them? Capital HTML tags? A $sep variable that doesn't need to exist? (Trust me on this one.) Maybe it's that it's a line of PHP outputting a Javascript function call that in turn uses document.write to output a text HTML input field? Yeah, it's probably that one.

buildmaster-icon.png [Advertisement] Utilize BuildMaster to release your software with confidence, at the pace your business demands. Download today! TheDailyWtf?d=yIl2AUoC8zAKO8u4XS5hKk
External Content
Source RSS or Atom Feed
Feed Location http://syndication.thedailywtf.com/TheDailyWtf
Feed Title The Daily WTF
Feed Link http://thedailywtf.com/
Reply 0 comments