Over the years I have noticed that there are a lot of PHP programmers who don't understand the importance of making sure you always include parentheses, even when it is "not needed." (hint: it is always needed)
Example Scenario:
You are tasked with updating the login page to allow the usage of either their existing password or a login token with a username.
The existing code looks something like this:
if ($password_is_valid && $username_is_valid) {
// Success
} else {
// Failure
}
You update the code to look like this:
if ($password_is_valid || $token_is_valid && $username_is_valid) {
// Success
} else {
// Failure
}
After a few tests to make sure that users can still login, you confirm all is well and call it a day. Fast-forward a few weeks or months and your manager is yelling at you to find out how one of the sales staff was able to login as an admin and give himself a raise without knowing that admin's password.
After reading through all the login code 3 times over you are completely in the dark of how this could happen. Finally you resort to some manual testing, and eventually you find out that anyone's correct password will work with anyone else's username, as long as that username actually exists in the database.
How is this possible?
Please Note: This post is purely to help newer/less-seasoned developers with a common problem based on a misunderstanding of how && and || work together. I did try to find a similar post on S.O. however I wasn't able to find one, or at least not for PHP.
Aucun commentaire:
Enregistrer un commentaire