CodeSOD: Repetition is an Echo

by
Remy Porter
from The Daily WTF on (#61VNS)

Annie works in a bioinformatics department. There's a lot of internally developed code, and the quality is... special. But it's also got features that are on their critical path of doing their jobs.

One example is that, based on one input form, the next input form needs to display a drop down. The drop down elements don't change, but the individual item that's selected does. So, if the rank HTTP POST variable is set, we want to make sure the matching entry is selected.

 if(isset($_POST['rank'])){ if($_POST['rank']=='superkingdom'){ echo "<option selected='selected'>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; }elseif($_POST['rank']=='phylum'){ echo "<option>superkingdom</option>"; echo "<option selected='selected'>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='class'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option selected='selected'>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='order'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option selected='selected'>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='family'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option selected='selected'>family</option>"; echo "<option>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='genus'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option selected='selected'>genus</option>"; echo "<option>species</option>"; } elseif($_POST['rank']=='species'){ echo "<option>superkingdom</option>"; echo "<option>phylum</option>"; echo "<option>class</option>"; echo "<option>order</option>"; echo "<option>family</option>"; echo "<option>genus</option>"; echo "<option selected='selected'>species</option>"; } }

Talk about duplicated code. And, of course, there's no else clause.

And, of course, there's a bonus SQL injection attack that Annie found:

$sql = "SELECT locus,accession,length,date,definition,organisim,host". " FROM `gb` WHERE organisim LIKE '%".$_POST['orgname']."%'";
buildmaster-icon.png [Advertisement] BuildMaster allows you to create a self-service release management platform that allows different teams to manage their applications. Explore how!
External Content
Source RSS or Atom Feed
Feed Location http://syndication.thedailywtf.com/TheDailyWtf
Feed Title The Daily WTF
Feed Link http://thedailywtf.com/
Reply 0 comments