Programming - - By Kevin Yank

Is Your Site This Dynamic?

From the immensely entertaining The Daily WTF, a daily digest of horribly bad code spotted in the wild, comes this cautionary tale of dynamic web development gone awry.

Developer Stephan Jennewein was hired to update a web site for Firefox compatibility. What at first glance appeared to be a modest web site made up of 15-20 static pages turned out to be an intricate mixture of JavaScript and PHP code. Every one of the apparently static pages contained code resembling this:

<html>
  <head>
    <link href="dynsitebase/styles.php" rel="stylesheet" type="text/css" />
    <script src="dynsitebase/base.php" language="JavaScript"></script>
    <script src="dynsitebase/themes.php" language="JavaScript"></script>
    <script src="dynsitebase/sitedata.php" language="JavaScript"></script>
    <script src="dynsitebase/pagelayout.php" language="JavaScript"></script>
    <script language="JavaScript">
      document.write("<title>" + CurrentPage.Title + "</title>");
    </script>
   </head>
   <body>
    <script language="JavaScript">
      DataInterface.initialize();
      DataInterface.bindToPage(CurrentPage);
      ImageLoader.preload(CurrentPage);
      LinkLoader.bindToContext(CurrentPage);

      PagePrinter.printHeader(CurrentPage);
      PagePrinter.printNavigation(CurrentPage);
      PagePrinter.printTitle(CurrentPage);
      PagePrinter.printSubTitle(CurrentPage);
      PagePrinter.printMainContent(CurrentPage);
      PagePrinter.printFooter(CurrentPage);

      DataInterface.close();
      ImageLoader.close();
      LinkLoader.close();
      PagePrinter.close();
    </script>
   </body>
</html>

The entire content of the page was being generated and displayed by a series of JavaScript objects, which in turn were being generated by a series of PHP scripts on the server! Upon loading any page of this site, a browser with JavaScript disabled would display an empty window.

If that weren’t ridiculous enough, the PHP scripts responsible for generating the JavaScript code determined what needed to be displayed on the page based on the address of the HTML page, as reported by the unreliable HTTP Referer header:

function dynsitebase_PagePrinter_render()
{
  echo "var PagePrinter = new Object()";

  echo "PagePrinter.printHeader = function(pageObj)";
  echo "{";
  echo "  document.write("<div class='$css_headerdivclass'>");";
  echo "  document.write("<h1 class='$css_h1headerdivclass'>");";
  echo "  if (pageObj.header) ";
  echo "  {";
  echo "    document.write(pageObj.header);";
  echo "  }";
  echo "  else";
  echo "  {";
  echo "    document.write("$headerToRender");";
  echo "  }";

  ...

}

Worse than code written by someone who isn’t quite fluent in JavaScript or PHP, the author of this monstrosity obviously knew the languages in question rather well. What he or she lacked was an understanding of what makes code robust, efficient and maintainable.

Read The Daily WTF (RSS feed); it’ll make you feel better about yourself. If it doesn’t, you might need to take a remedial course in computer science.

Sponsors