344 Comments
  • 39
    I understand some people write:
    If Boolean == true

    It is more readable for them.

    But if true

    Else if false

    That I cannot understand why... Seriously wtf!
  • 129
    So the accounts database gets copied to the frontend to evaluate and passwords are plain text?

    Nice.
  • 78
    I'm calling the police...
  • 23
    @Meta just noticed that lol.

    I hope OP did the TODO note. I mean, better put it in a different file and make it harder for the hacker to find it 🤷🏼‍♂️
  • 7
    @Brosyl this is the result of failing the Data Structures & Algorithms course
  • 19
    Why bother with loading the users table at all. Just go fuck all and set the cookie value to logged in regardless of what bullshit is entered as username and password
  • 25
    It's not any fucking code, it's a piece of art... I'm going to get it framed right now.
  • 6
    I cry every time I see this
  • 18
    Using client-side scripting to handle auth. I mean, why even evaluate the password? The dev world needs to fall the fuck out of love with JavaScript.
  • 10
    Please, for the love of god tell me this is fake.
  • 5
    Out the developer who wrote this
  • 9
    @bahua Why blame the language instead of the obviously incompetent developer?
  • 5
    @MonkeyParade

    Because the dev's biggest mistake is the use of JavaScript for this. Handling auth on the client side is inherently insecure. Since all the code is visible to the client, they can just set the auth variable themselves to ignore the evaluation segment entirely.
  • 15
    @bahua but that isn't the language's fault, it's the retard who wrote the code.
  • 2
    @delegate212

    Yes, but there's literally no way to do this securely with JavaScript.
  • 18
    @bahua It's not a language issue, it's a placement issue. The auth implementation should be placed server-side, not client-side. You could implement it in Node using JS server-side if you wanted.
  • 6
    This is wrong on so many levels...
  • 12
    Bloody fucking hell, this is a masterpiece.

    Take the keyboard away from this "dev" and shove it up his ass.

    Edit: had to put dev in quotes.
  • 13
    What I especially love is how it loads every user’s username and password into client-side memory.

    Anyone with a console could learn every other user’s password.
  • 3
    No one mentioned the todo...
  • 17
    OH. MY. GOD.
    Beautiful.
    EXXXXXXQUISITE!
    AJAXing your SQL query from the frontend as plaintext into the backend, which I bet just dumbly pipes it right into the database...
    YUM.
    Bobby Tables approves.
  • 5
    @bahua yes there is, it's called Node.js and it can be run on the server.
  • 7
    Haha, at least he used triple equals 😂
  • 4
    This is exactly why you should pay your dev a good paycheck.
  • 3
    This is... Scary. Very.
  • 4
    I really wanted this to be node.js when I previewed the image.
  • 4
    This is a joke, right? This just cannot be true.
  • 5
    "true" === "true"
    My god just kill me
  • 1
    @CodeMasterAlex the joke is that this is true
  • 13
    http://programmingpolice.com

    I own that domain.

    reply if anyone wants to develop that idea with me.

    code like this needs police

    and it needs to be jailed
  • 6
    @rant1ng I say you turn it into a programmer's hall of shame and showcase (anonymously) terrible code that people have encountered in the wild.

    Would be great both as a learning tool and just for a laugh!
  • 3
    @devios1 that is a good idea, I want to allow people to submit them, they get voted on, there can be replies and discussion, suggestions on how to fix them, even some roasting

    that's just too much and I've got loads on my plate, maybe I'll submit a collab, see if someone picks it up

    there would be money of course
  • 3
    @rant1ng I think it's a great idea, but I'm the same, quite busy with other stuff atm and not really looking to get heavily involved in a web project, but I'd be interested in actually using such a site and maybe brainstorming some ideas.
  • 6
    Kill it with fire.
  • 3
    @bahua I agree re: JavaScript. IMO it was designed for enhancing web frontends and should not have been ported to backend. It just seems to encourage laziness and/or confusion problems like in the OP’s screenshot.

    Although, full disclosure: I have done some react native development
  • 4
    What a gem you have got.
    You can now start a course on hacking.
    Start with this as the introductory video and then make a course on Udemy and earn for life 🤑🤑🤑🤑🤑🤑🤑
    The following course will be the same as the others
    - don't store passwords in plain text
    - using metasploit
    - hacking XP
    - tor
    - dark web ...

    Oh I missed block-chain and AI.
  • 2
    If this is not a fake then it was written by an amateur.
    Not only is he/she using 'var', but he actually uses a for loop.
    For years now JavaScript has been declarative.
    People iterate using methods (especially when using jQuery), or at least a 'for in' or 'for of' loop.
    Then there's the different brackets styles, poor logic and the redundant, counter intuitive condition for the False return.
    Not even talking about the login algorithm itself.
  • 0
    @Noob this code will go around the internet for tens of years. So no blaming for var/for loops.
  • 0
    @Codex404 true, but the quality of the image and the Monokai color theme make me think that it's relatively new.
  • 0
    @Noob it's because I took the image from my IDE of a clone of his git repo
  • 0
    @bigworld12 how old is the code?
  • 0
    @Codex404 the latest update to that file was ~2 months ago
  • 0
    Ooh well fuck! And my day is ruined just like that!
  • 1
    @CodesNotHot see it like this: all the code you will write today will be better than this.
  • 1
    At least SQL code injection during login is not possible. Well, everything else....
  • 0
    Pretty optimistic security level
  • 0
    The real concern... Did he ever fulfill that todo? 😂
  • 3
    What in the name of Jesus’ Mexican dicknuggets is this shit?

    1. Why is the database copied to the frontend in its entirety on each login
    2. Why is the input not validated in any way
    3. What the fucking fuck is ‘if (“true” === “true”)’
    4. What the fuck is the brace style there
    5. Plaintext passwords?!

    I have so many questions
  • 1
    @linuswillner to answer point 3: that's an if statement with a condition that returns true
  • 1
    @Codex404 Yes thank you Cpt. Obvious but why the hell is it there? What function does it have?
  • 2
    @linuswillner maybe it's checking whether the ===-operator is still working...

    I mean, you can do weird stuff in JS...
  • 1
    @dder Tbh not far-fetched at all
  • 0
    @linuswillner yup, referring to this crazy "canthiseverevaluatetotrue" riddle of the recruiters, it is not at all!
  • 0
    @rstular I've been telling myself to post a collab for a week now

    I should just do that today ... I'll do it tonight, no matter what
  • 1
    At least they avoid SQL injections...
  • 2
    @Meta it looks like you can just run queries straight from your browsers console. Lemme just change everyone's login details real quick
  • 5
    why even bother with sql injection when you can execute
    apiService.sql("drop table users");
  • 4
    @bigworld12 How about apiService.sql(“UPDATE users SET password = ‘12345’”)? 🙂
  • 3
    if true === true return false 🤣
  • 3
    if ("true" === "true") {return false;}

    Reminds me of my ex.
  • 2
    That's what I call serverless
  • 1
    Sometimes I use `x === false` because x could be 0 and that would return true in `!x` which I don't want
  • 0
    @rant1ng sounds like something possible within a week if you use laravel 😉
  • 0
    The monsters live among us XD
  • 2
    O goshh .... Kick that guy out of your team :O
  • 1
    Please God kill me. I can't see these things anymore.
  • 1
    Tell me this isn’t real
  • 1
    You just know that whomever wrote this has one or more extra chromosomes.
  • 1
    ...is that sql in front end JavaScript...?!
    ****infosec intensifies ****
  • 1
    The guy who wrote it was pretty gutsy, or it was never meant to be in production 😆
  • 1
    @Brosyl this is neither an async nor a callback promise. There's no way to get it to work regardless of the conditions
  • 1
    Support for parallel universes ;)
  • 1
    Have you tried replacing it with "DROP TABLE users"?
  • 0
    This code sucks like a pornstar