Friday, September 18, 2009

Facepalm supreme - Deceived by a button

Okay, so I've produced a piece of code looking like this. It's the peak, the epitome of simplicity, no doubt about it.

// We only want to be able to delete the item if we either:
// [1] have accesslevel 0 (admin privs), or
// [2] are the author of the item (identified by session and database id)

if(isset($_GET['delete_id'])){
   $delete_id = // Sanitation removed for simplicity

   $author_id = // DB operations removed for simplicity

   if($_SESSION['accesslevel'] == 0 || $author_id == $_SESSION['user_id']){

      if(mysql_query("DELETE FROM table WHERE id=$delete_id") or $output = 'Error removing item '. $delete_id)
         $output = 'Item ' . $delete_id . ' deleted!';
   } else {
      $output = 'You do not have the privileges required to remove this item!';
   }
}


Then we have a couple of unrelated clauses, and the output of the list of items, which of course displays a possibility to delete the item if the privileges are upheld. It looks as follows:

$result = // Query for all relevant items

while($row = mysql_fetch_array($result)){
   $button_delete = ''; // Empty if unprivileged
   if( /* $_SESSION['user_id'] is privileged enough */){
      $button_delete = "<a href='?page=$_GET[page]&delete_id=$row[id]'><input type='button' value='Delete'></a>";
   }
   echo "<tr><td>$row[item_name]</td> [...] <td>$button_delete</td></tr>";
}

// And finally the code to output the deletion-status, down here
echo $output;

Assuming all the code I decided to leave out is without any errors and definitely doesn't interfere with the code above, can you find any errors?
My original source-file contained roughly 150 lines of code, and I was baffled when I found a very, very strange bug.

  • If I'm not privileged enough, I get the correct message that I lack privileges and the query is, of course, not executed.
  • If I'm privileged, the query is indeed executed, meaning we've entered the first IF-clause. ALAS, I get the same message as above (!!)


We simultaneously execute the content of both the IF and the ELSE clauses. Whoa.


Isolating only the logical comparison part and running it, I was unable to reproduce the error. So some other part of the code had to be interfering. But there were no conflicts, there *could not be* any conflicts. Commenting my way through the code, I was assured of that. After spamming my code with outputs in the different clauses (which only led me closer to the brink of insanity, since even though the code seemed to evaluate true (the query was executed), I did not get any output), the error was at long last stumbled upon.


<a href='?page=$_GET[page]&delete_id=$row[id]'><input type='button' value='Delete'></a>

This here, ladies and gentlemen, was the perpetrator. This caused me such grief. Even though it was not supposed to have any effect on the code's workings (it was not in a form, its value was never registered), it somehow managed to set some property amiss. Now, I'm not very well versed in the Document Object Model, but that my querystring was somehow "invisibly altered", and on top of that, that my evaluations were compared and their respective clauses were executed before some variables were set (or set over again, as it appeared...), sounds very unreasonable, or at the very least, odd.



Just a short note regarding the debugging. For validating a user as author, I performed a simple query selecting the author's ID, storing it in a variable. When outputting this variable, before any DELETE-queries or basically anything at all was executed, with unfulfilled privileges, I got the output correctly. But, when outputting it when it was true, it somehow was empty. Like the post had been deleted before the query was executed.
I'll write that again.


  1. Get author ID
  2. Echo this ID for debugging
  3. Compare to current user
  4. If true, perform DELETE
  5. If false, set error message


If #3 was false, we got the error message, and the author ID was echoed.
If #3 was true, we STILL got the error message, but the author ID was empty. The post was deleted before we performed the evaluation allowing the program to delete it, but ONLY when we actually DID have the permissions to do so.
My head still hurts...


Got any explanations for this? I'd love to hear about it!
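One request sequence that produces the observations in the post (row deleted, author ID empty, privilege error shown) is the same `?delete_id=` URL being handled twice by a non-admin author: the first pass deletes the row, the second finds no author and falls into the ELSE branch. The sketch below is an added example, not the author's code. It replays the post's check-then-delete flow twice, then puts it behind a POST-only, token-checked entry point so a repeated or stray GET changes nothing. The `items` table, `handle_delete()`, `handle_request()`, the session array and the use of PDO with in-memory SQLite (PHP 7+ with `pdo_sqlite`) are all assumptions made for illustration.

```php
<?php
// Added example; table name, function names and session values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, author_id INTEGER)');
$db->exec('INSERT INTO items (id, author_id) VALUES (7, 42), (8, 42)');

// Constructed session: a non-admin user who authored both items.
$session = ['accesslevel' => 1, 'user_id' => 42, 'csrf' => bin2hex(random_bytes(16))];

// Same check-then-delete flow as the post, using prepared statements.
function handle_delete(PDO $db, array $session, int $delete_id): string {
    $stmt = $db->prepare('SELECT author_id FROM items WHERE id = ?');
    $stmt->execute([$delete_id]);
    $author_id = $stmt->fetchColumn();   // false when the row no longer exists

    if ($session['accesslevel'] == 0 || $author_id == $session['user_id']) {
        $db->prepare('DELETE FROM items WHERE id = ?')->execute([$delete_id]);
        return "Item $delete_id deleted!";
    }
    return 'You do not have the privileges required to remove this item!';
}

// Hardened entry point: deletion only via POST carrying the session's token.
function handle_request(PDO $db, array $session, string $method, array $params): string {
    if ($method !== 'POST') {
        return 'Method not allowed';
    }
    if (!hash_equals($session['csrf'], (string)($params['csrf'] ?? ''))) {
        return 'Invalid token';
    }
    return handle_delete($db, $session, (int)($params['delete_id'] ?? 0));
}

// The post's design: every GET of ?delete_id=7 runs the handler directly.
echo handle_delete($db, $session, 7), "\n";   // first request
echo handle_delete($db, $session, 7), "\n";   // replay of the same URL

// Hardened design: a GET of the delete URL is refused, the tokened POST deletes.
echo handle_request($db, $session, 'GET', ['delete_id' => 8]), "\n";
echo handle_request($db, $session, 'POST',
    ['delete_id' => 8, 'csrf' => $session['csrf']]), "\n";
```

In the page itself this means rendering the Delete control as a small `<form method="post">` with a hidden token field instead of a link wrapped around an `<input type='button'>`.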
