Konrad was trying to understand how an input form worked, and found this validation function.

function IsReallyEmpty($subject)
{
        $trimmed = trim(preg_replace("/&.*;/", "", $subject));
        return strlen($trimmed) != 0;
}

Now, I can understand why one might want to have a different definition of "empty" when it comes to strings. An all-whitespace string, like " ", may rightfully be considered an empty input for many applications.

So calling trim makes a lot of sense. It's the preg_replace that starts to worry me, because that regex is clearly trying to match an HTML entity, aka &nbsp;. But it matches all HTML entities: not just ones like &nbsp;, which are whitespace characters, but also ampersands and greater/less-than signs.

But there's another problem with the regex. The * operator is greedy. So &nbsp;Hello World&nbsp; would see the opening &, the closing ; and decide the entire string could be rejected.

But that's not the real WTF. The real WTF is the very last line. In a function called IsReallyEmpty, it returns true if the input string is not empty, thus stretching the definition of "really" to new levels.

"Is this string really empty?" "No, it is."
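
The three problems described above, shown next to one possible fix. This is an added example, not code from the original submission; `isBlank()` and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; isBlank() and the sample inputs are constructed for this example.

// The function as posted: greedy /&.*;/ and a return value that means "not empty".
function IsReallyEmpty($subject)
{
    $trimmed = trim(preg_replace("/&.*;/", "", $subject));
    return strlen($trimmed) != 0;
}

// Hypothetical replacement: returns true only when the input holds nothing but whitespace.
function isBlank(string $subject): bool
{
    // Decode entities instead of deleting them, so &nbsp; becomes U+00A0
    // while &amp; and &lt; become visible characters that count as content.
    $decoded = html_entity_decode($subject, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // \s covers ASCII whitespace, \p{Z} covers Unicode separators such as U+00A0.
    // preg_match() returns false on invalid UTF-8, which is treated as "not blank".
    return preg_match('/\A[\s\p{Z}]*\z/u', $decoded) === 1;
}

$samples = [
    '   ',                       // plain whitespace
    '&nbsp;',                    // whitespace entity only
    '&nbsp;Hello World&nbsp;',   // greedy match swallows "Hello World"
    '&lt;b&gt;',                 // non-whitespace entities are deleted too
    'Tom &amp; Jerry',           // entity removed, text survives
    'Hello',
];

foreach ($samples as $s) {
    printf(
        "%-26s IsReallyEmpty=%-5s isBlank=%s\n",
        var_export($s, true),
        var_export(IsReallyEmpty($s), true),
        var_export(isBlank($s), true)
    );
}
```

For `&nbsp;Hello World&nbsp;` and `&lt;b&gt;` the original returns false, the same value it returns for an all-whitespace string, so a caller cannot tell real content from a blank field.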
