Headaches!

I had a request from a customer to review an existing legacy web app to see if my company would take over its maintenance. The app uses some "max framework" or something, which had some... uhm... shall we say "pretty interesting" bits of code. I'm sharing some of those nuggets here. Sometimes I'm very happy to be able to turn down customers!

So - it seems that the authors of this framework really are lazy. So lazy indeed, that they felt the need to rewrite basic PHP functionality and wrap it with their own names. No additional useful functionality, mind you! Worse, the wrappers aren't even transparent: include() runs in the scope of the function that calls it, so every variable an included file defines becomes local to _inc() and is gone by the time _inc() returns. A config file that sets $db_host works with include() and silently does nothing through the wrapper.

// for including php file
// note: variables set by the included file end up in this function's scope,
// not the caller's, so these are not drop-in replacements for the keywords
function _inc($f){
    include($f);
}
function _req($f){
    require($f);
}
function _req1($f){
    require_once($f);
}
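To make the scope problem concrete, here is an added example (not code from the reviewed framework) that includes the same file directly and through _inc() and checks which variables survive. It writes the included file to a temporary path so it runs stand-alone. The hypothetical _inc_named() at the end shows the shape a wrapper would need to have to actually add something: a fixed allowlist mapping short names to files under the application directory, so the include target can never be built from request data. The post shows no caller passing user input to these wrappers; that is the general caveat, not a finding about this app.

```php
<?php
// Added example, not part of the reviewed framework.

// The framework's wrapper, reproduced for comparison.
function _inc($f) {
    include($f);
}

// Constructed "config file": defines a variable and returns a value.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($tmp, '<?php $db_host = "db.internal"; return "loaded";');

// Direct include: $db_host lands in the current (global) scope.
$ret = include($tmp);
printf("direct include: return=%s, db_host set=%s\n", $ret, var_export(isset($db_host), true));
unset($db_host);

// Through the wrapper: $db_host is local to _inc() and is gone when it returns,
// and the included file's return value is discarded as well.
_inc($tmp);
printf("via _inc():     db_host set=%s\n", var_export(isset($db_host), true));

unlink($tmp);

// Hypothetical wrapper that does earn its name: callers pass a short name,
// never a path, and the mapping to a file is fixed at development time.
// (Assumed names and paths for illustration only.)
function _inc_named(string $name): mixed {
    static $allowed = [
        'db'   => __DIR__ . '/config/db.php',
        'mail' => __DIR__ . '/config/mail.php',
    ];
    if (!isset($allowed[$name])) {
        throw new InvalidArgumentException("unknown include: $name");
    }
    // Variables defined by the file are still local here; return them instead.
    return include $allowed[$name];
}
```

The direct include reports the variable as set; the wrapped one reports it unset. Whatever the framework's _inc() was meant to save its authors, it cost them the one thing include() is normally used for.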

... But wait, there's more! They also figured that they could reinvent other built-in functionality as well, to "protect" against SQL injections for example. Doubling single quotes is valid SQL escaping, as far as it goes, but this byte-level replacement knows nothing about the connection's character set, only helps inside a single-quoted string literal, and helps not at all when the value is spliced into a numeric context. The database driver already offers mysql_real_escape_string() for the former case, and prepared statements make the whole question go away:

// escapes a value for use inside a single-quoted SQL string literal:
// ' -> ''  and  \ -> \\  (nothing else, and no charset awareness)
function sql_insert_text($v){
    $v = str_replace("'","''",$v);
    $v = str_replace("\\","\\\\",$v);
    return $v;
}
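The following is an added example, not code from the reviewed framework, showing the numeric-context gap and the prepared-statement alternative side by side. It reproduces sql_insert_text() for comparison and uses an in-memory SQLite database through PDO (assumed to be available) so it runs offline; the table contents and the attacker input are constructed for the example.

```php
<?php
// Added example, not part of the reviewed framework.

// The framework's escaper, reproduced for comparison.
function sql_insert_text($v) {
    $v = str_replace("'", "''", $v);
    $v = str_replace("\\", "\\\\", $v);
    return $v;
}

// Constructed in-memory database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed attacker input for a numeric context: it contains neither a
// quote nor a backslash, so the escaper returns it byte-for-byte unchanged.
$id = '1 OR 1=1';

// Escaped-and-concatenated: the WHERE clause becomes "id = 1 OR 1=1".
$rows = $db->query('SELECT name FROM users WHERE id = ' . sql_insert_text($id))
           ->fetchAll(PDO::FETCH_COLUMN);
echo "escaper, numeric context: [" . implode(', ', $rows) . "]\n";

// Bound parameter: the value travels separately from the statement text and
// cannot alter its structure, whatever it contains.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement:       [" . implode(', ', $rows) . "]\n";

// The same holds for writes: no escaping step to forget, and the role column
// cannot be smuggled in through the name.
$ins = $db->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
$ins->execute([':name' => "o'connor', 'admin'); --", ':role' => 'user']);
$count = $db->query("SELECT COUNT(*) FROM users WHERE role = 'admin'")->fetchColumn();
echo "admins after insert:      $count\n";
```

The escaped query returns both users because the escaper had nothing to escape; the prepared query returns none, because '1 OR 1=1' is simply not an id. The insert at the end leaves one admin, with the hostile name stored literally.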

Of course, if you're at this level of competence, there's hardly anything stopping you from mixing languages at will. And redirecting via HTTP headers like a decent developer is something of the past, since... we have JAVASCRIPT today! So let's use it! Never mind that a client-side redirect only happens if the client chooses to run the script: curl, a browser with JavaScript off, or anyone reading the raw response gets a 200 with whatever the page had already printed before the "redirect".

// "redirect" by emitting a script block; _e() is the framework's output
// helper and is not shown in the snippets here
function _gourl($url){
?>
<script language="JavaScript">
 window.location="<?php _e($url); ?>";
</script>
<?php
    exit;
}
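For contrast, here is an added example (not code from the reviewed framework) of the boring server-side version: a 302 with a Location header, sent before any output, followed by exit so that a page guarded by it never emits its body. The same-site restriction on the target is an assumed policy for this example, not something the post says the framework needed; the session-based guard at the bottom is a constructed usage.

```php
<?php
// Added example, not part of the reviewed framework.

function redirect_to(string $url, int $status = 302): void {
    // A Location header can only go out before any body bytes. If output has
    // already started, fail loudly rather than degrade into a rendered page.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("cannot redirect: output already started at $file:$line");
    }
    // Assumed policy: only app-relative paths, never another host.
    // Rejects empty, scheme-relative ("//evil.example") and CRLF-bearing targets.
    if ($url === '' || $url[0] !== '/' || substr($url, 0, 2) === '//'
        || strpbrk($url, "\r\n") !== false) {
        throw new InvalidArgumentException("refusing to redirect to: $url");
    }
    http_response_code($status);
    header('Location: ' . $url);
    // Nothing after a guard may reach the client, JavaScript or not.
    exit;
}

// Constructed usage: an access-control guard evaluated before any output.
session_start();
if (empty($_SESSION['user'])) {
    redirect_to('/login.php');
}
echo 'secret content for ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The headers_sent() check is the part people forget: with output buffering off, a single stray byte before the call (a BOM, a blank line after a closing ?> tag) turns the redirect into a warning and the protected page is served anyway.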

The last piece I want to show "helps" storing strings in a very, very secure way. Behold, the DOUBLE BASE64! Base64 is an encoding, not encryption: there is no key, and anyone who can read the stored value gets the plaintext back with two decode calls. Doing it twice merely makes the string a third longer again.

// "encrypts" a string: base64 applied twice, no key involved
function encode($v){
    return base64_encode(base64_encode($v));
}
// reverses it; anyone holding the stored value can call this
function decode($v){
    return base64_decode(base64_decode($v));
}
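As an added example (not code from the reviewed framework), the block below reproduces encode()/decode() to show the keyless round trip, then stores the same value with authenticated encryption from libsodium, which is bundled with PHP since 7.2 (assumed available). The secret value and the tampering step are constructed for the example; store_secret() and load_secret() are hypothetical names. Base64 still appears, but only to make the random bytes storable.

```php
<?php
// Added example, not part of the reviewed framework.

// The framework's pair, reproduced for comparison.
function encode($v) { return base64_encode(base64_encode($v)); }
function decode($v) { return base64_decode(base64_decode($v)); }

// Constructed example value.
$secret = 'db-password-hunter2';

// Anyone holding the stored string recovers the plaintext: no key needed.
$stored = encode($secret);
printf("double base64 round trip without a key: %s\n", var_export(decode($stored) === $secret, true));

// Authenticated encryption: a random key kept outside the data store, a fresh
// nonce per message, and a MAC so any modification is detected on decrypt.
function store_secret(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $box);   // base64 only to make bytes storable
}

function load_secret(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);    // strict: reject malformed input
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;  // false on wrong key or tampering
}

$key  = sodium_crypto_secretbox_keygen();      // 32 random bytes; keep it out of the DB
$blob = store_secret($secret, $key);
printf("secretbox round trip with the key:      %s\n", var_export(load_secret($blob, $key) === $secret, true));

// Flip one bit of the stored blob: decryption refuses instead of returning garbage.
$raw = base64_decode($blob, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
printf("tampered blob decrypts to:              %s\n", var_export(load_secret(base64_encode($raw), $key), true));

// A different key is just as useless as no key was for decode().
printf("wrong key decrypts to:                  %s\n", var_export(load_secret($blob, sodium_crypto_secretbox_keygen()), true));
```

The interesting part is where the key lives: if it sits next to the ciphertext in the same database, you are back to the double base64, just with more steps. Put it in the environment or a secrets manager, and rotate it by re-encrypting with the new key.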