I refactored code in a web application today and came across something like this in the base class for all web pages:
```csharp
// A client-supplied query-string value switches server-side validation off for the whole session
if (Request.QueryString["IgnoreValidation"] != null)
{
    if (Request.QueryString["IgnoreValidation"].ToUpper() == "TRUE")
    {
        SessionData.IgnoreValidation = true;
    }
}
```
It seems to me that this is a Very Bad Thing™, so I immediately deleted all traces of this flag from the code. Firstly, there were several if statements that checked the value of the flag, which led to cluttered and fuzzy logic. Secondly, I came across another, more dangerous flag named "IgnoreCreditCardValidation". You can guess what it did ...
Then I thought about it and recalled a similar example from a previous job. The application code, sold as a "secure authentication module", used a QueryString parameter to override the default behavior, which allowed anyone who knew about it to bypass authentication.
Now my question is more one of confirmation: is this practice as bad as it seems in my head, or am I just overreacting, and is this a common occurrence? Are there any cases where there is a good reason for it? To me it just looks like a terrible mixture of laziness and negligence.
If this is a duplicate, feel free to point me in the right direction.
Thanks!
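A defender-side check for the pattern the question describes, added here as an example and not part of the original post: scan web-server access logs for requests that set the override flags named above (IgnoreValidation, IgnoreCreditCardValidation) in the query string. The log lines are constructed, and the matching generalises slightly beyond the question by being case-insensitive on the name and decoding percent-encoding, so variants the ToUpper() comparison would also accept are caught.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Override flags named in the question; a real deployment would extend this
# set from a review of its own code base.
OVERRIDE_FLAGS = {"ignorevalidation", "ignorecreditcardvalidation"}

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /checkout.aspx?item=42 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /checkout.aspx?item=42&IgnoreValidation=true HTTP/1.1" 200 498
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "POST /pay.aspx?ignorecreditcardvalidation=TRUE HTTP/1.1" 302 0
10.0.0.3 - - [12/Mar/2024:10:01:11 +0000] "GET /search.aspx?q=IgnoreValidation HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2024:10:01:15 +0000] "GET /checkout.aspx?IgnoreValidation=false HTTP/1.1" 200 498
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_override_attempts(log_text):
    """Return (ip, timestamp, path, flag, value) for every request whose query
    string sets one of the override flags.  The name match is case-insensitive
    because the code in the question compares with ToUpper(); the value is
    reported as sent so an analyst can distinguish "true" from "false"."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # parse_qsl decodes percent-encoding, so an encoded flag name is caught too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in OVERRIDE_FLAGS:
                findings.append((m.group("ip"), m.group("ts"), url.path, name, value))
    return findings

def active_bypasses(findings):
    """Subset of findings whose value would actually have flipped the flag on,
    mirroring the ToUpper() == "TRUE" comparison in the question."""
    return [f for f in findings if f[4].upper() == "TRUE"]
```

A value that merely contains the flag name (the search query on the fourth line) is not reported, while the "false" attempt is kept in the findings but excluded from the active bypasses.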