Slashdot's Setup, Part 2- Software

Today we have Part 2 in our exciting 2 part series about the infrastructure that powers Slashdot. Last week Uriah told us all about the hardware powering the system. This week, Jamie McCarthy picks up the story and tells us about the software... from pound to memcached to mysql and more. Hit that link and read on.

The software side of Slashdot takes over at the point where our load balancers -- described in Friday's hardware story -- hand off your incoming HTTP request to our pound servers.

Pound is a reverse proxy, which means it doesn't service the request itself, it just chooses which web server to hand it off to. We run 6 pounds, one for HTTPS traffic and the other 5 for regular HTTP. (Didn't know we support HTTPS, did ya? It's one of the perks for subscribers: you get to read Slashdot on the same webhead that admins use, which is always going to be responsive even during a crush of traffic -- because if it isn't, Rob's going to breathe down our necks!)

The pounds send traffic to one of the 16 apaches on our 16 webheads -- 15 regular, and the 1 HTTPS. Now, pound itself is so undemanding that we run it side-by-side with the apaches. The HTTPS pound handles SSL itself, handing off a plaintext HTTP request to its machine's apache, so the apache it redirects traffic to doesn't need mod_ssl compiled in. One less headache! Of our other 15 webheads, 5 also run a pound, not to distribute load but just for redundancy.

(Trivia: pound normally adds an X-Forwarded-For header, which Slash::Apache substitutes for the (internal) IP of pound itself. But sometimes if you use a proxy on the internet to do something bad, it will send us an X-Forwarded-For header too, which we use to try to track abuse. So we patched pound to insert a special X-Forward-Pound header, so it doesn't overwrite what may come from an abuser's proxy.)

The other 15 webheads are segregated by type. This segregation is mostly what pound is for. We have 2 webheads for static (.shtml) requests, 4 for the dynamic homepage, 6 for dynamic comment-delivery pages (comments, article, pollBooth.pl), and 3 for all other dynamic scripts (ajax, tags, bookmarks, firehose). We segregate partly so that if there's a performance problem or a DDoS on a specific page, the rest of the site will remain functional. We're constantly changing the code and this sets up "performance firewalls" for when us silly coders decide to write infinite loops.

But we also segregate for efficiency reasons like httpd-level caching, and MaxClients tuning. Our webhead bottleneck is CPU, not RAM. We run MaxClients that might seem absurdly low (5-15 for dynamic webheads, 25 for static) but our philosophy is if we're not turning over requests quickly anyway, something's wrong, and stacking up more requests won't help the CPU chew through them any faster.

All the webheads run the same software, which they mount from a /usr/local exported by a read-only NFS machine. Everyone I've ever met outside of this company gives an involuntary shudder when NFS is mentioned, and yet we haven't had any problems since shortly after it was set up (2002-ish). I attribute this to a combination of our brilliant sysadmins and the fact that we only export read-only. The backend task that writes to /usr/local (to update index.shtml every minute, for example) runs on the NFS server itself.

The apaches are versions 1.3, because there's never been a reason for us to switch to 2.0. We compile in mod_perl, and lingerd to free up RAM during delivery, but the only other nonstandard module we use is mod_auth_useragent to keep unfriendly bots away. Slash does make extensive use of each phase of the request loop (largely so we can send our 403's to out-of-control bots using a minimum of resources, and so your page is fully on its way while we write to the logging DB).

Slash, of course, is the open-source perl code that runs Slashdot. If you're thinking of playing around with it, grab a recent copy from CVS: it's been years since we got around to a tarball release. The various scripts that handle web requests access the database through Slash's SQL API, implemented on top of DBD::mysql (now maintained, incidentally, by one of the original Slash 1.0 coders) and of course DBI.pm. The most interesting parts of this layer might be:

(a) We don't use Apache::DBI. We use connect_cached, but actually our main connection cache is the global objects that hold the connections. Some small chunks of data are so frequently used that we keep them around in those objects.

(b) We almost never use statement handles. We have eleven ways of doing a SELECT and the differences are mostly how we massage the results into the perl data structure they return.

(c) We don't use placeholders. Originally because DBD::mysql didn't take advantage of them, and now because we think any speed increase in a reasonably-optimized web app should be a trivial payoff for non-self-documenting argument order. Discuss!

(d) We built in replication support. A database object requested as a reader picks a random slave to read from for the duration of your HTTP request (or the backend task). We can weight them manually, and we have a task that reweights them automatically. (If we do something stupid and wedge a slave's replication thread, every Slash process, across 17 machines, starts throttling back its connections to that machine within 10 seconds. This was originally written to handle slave DBs getting bogged down by load, but with our new faster DBs, that just never happens, so if a slave falls behind, one of us probably typed something dumb at the mysql> prompt.)

(e) We bolted on memcached support. Why bolted-on? Because back when we first tried memcached, we got a huge performance boost by caching our three big data types (users, stories, comment text) and we're pretty sure additional caching would provide minimal benefit at this point. Memcached's main use is to get and set data objects, and Slash doesn't really bottleneck that way.

Slash 1.0 was written way back in early 2000 with decent support for get and set methods to abstract objects out of a database (getDescriptions, subclassed _wheresql) -- but over the years we've only used them a few times. Most data types that are candidates to be objectified either are processed in large numbers (like tags and comments), in ways that would be difficult to do efficiently by subclassing, or have complicated table structures and pre- and post-processing (like users) that would make any generic objectification code pretty complicated. So most data access is done through get and set methods written custom for each data type, or, just as often, through methods that perform one specific update or select.

Overall, we're pretty happy with the database side of things. Most tables are fairly well normalized, not fully but mostly, and we've found this improves performance in most cases. Even on a fairly large site like Slashdot, with modern hardware and a little thinking ahead, we're able to push code and schema changes live quickly. Thanks to running multiple-master replication, we can keep the site fully live even during blocking queries like ALTER TABLE. After changes go live, we can find performance problem spots and optimize (which usually means caching, caching, caching, and occasionally multi-pass log processing for things like detecting abuse and picking users out of a hat who get mod points).

In fact, I'll go further than "pretty happy." Writing a database-backed web site has changed dramatically over the past seven years. The database used to be the bottleneck: centralized, hard to expand, slow. Now even a cheap DB server can run a pretty big site if you code defensively, and thanks to Moore's Law, memcached, and improvements in open-source database software, that part of the scaling issue isn't really a problem until you're practically the size of eBay. It's an exciting time to be coding web applications.

Lacks certain details

Could we have a better run-down of what unpatched software is running on the server? It would really help. Thanks.

Re:Lacks certain details

Could we have a better run-down of what passwords or certificates are on the server? It would really help. Thanks.

Re:Lacks certain details

Could we have a better run-down of how to make a joke funny? It would really help. Thanks.

Re:Lacks certain details

How do you select using DBI without using statement handles? Do you mean you use a convenience method like selectall_arrayref on the database handle instead?

Re:Lacks certain details

[jamie]

Right, of course we use statement handles but our DB software layer doesn't return them for the rest of the application to iterate through. We encapsulate some of DBI.pm's various convenience methods and in a few cases roll our own.

Re:Lacks certain details

[kaivix]

Could we have a better run-down of how to have a better run-down of how to have a better-run down of how to have a better run-down

Segmentation fault

Nothing for you to see here. Please move along.

[corsec67]

Yay for segregated caching, where one machine gets data before the others do...

Re:Nothing for you to see here. Please move along.

[jamie]

Heh. Actually that's a longstanding bug because of the way we write out .shtml files. We don't pick a timestamp and use it consistently on both index.shtml and the articles' .shtml files. Our backend task grabs a list of which stories are "live" and then chugs through all of them writing that list, then when it's done, writes the index.shtml file. But when it's done, a minute boundary may have been crossed, and index.shtml may be pointing to an article .shtml that wasn't written.

For example, when this story went live, the task wrote, in order:

Fri Oct 26 16:52:12 2007 [freshenup.pl] index.pl virtual_user=slashdot ssi=yes section='idle' bytes=19132
Fri Oct 26 16:53:04 2007 [freshenup.pl] updated xxxxx meta:07/10/22/145209 (Slashdot's Setup, Part 2- Software)

so for those 52 seconds index.shtml pointed to a 145209.shtml that hadn't been written.

I should probably get around to fixing this. But at this point it's kinda become one of those Slashdot things. It's barely a bug, it's almost like an easter egg to find a "nothing to see here." OK, I'm rationalizing. I should get around to fixing this. The index.pl and article.pl scripts need to accept a timestamp on the command line that mean "pretend it's this time."

The workaround is to create an account and log in so you get dynamic article.pl pages :)

Re:Nothing for you to see here. Please move along.

[analog_line]

I often get "Nothing to see here, move along" for quite awhile, and I always am logged in. Is this a different issue?

Re:Nothing for you to see here. Please move along.

[jamie]

Often like apart from this morning? Because (ironically) we had database replication problems this morning. First time in months though.

If so please shoot me a private email and we can try to figure out what's going on.

Re:Nothing for you to see here. Please move along.

[Cutriss]

The workaround is to create an account and log in so you get dynamic article.pl pages :)

Considering that it sometimes happens to me while I'm logged in, perhaps there's a bit more to this bug than you suspect? :P

Re:Nothing for you to see here. Please move along.

[AsnFkr]

I also get the "nothing for you to see here" error when logged in, normally around once or twice week. It's *always* on brand new stories (less than 10 comments).

Re:Nothing for you to see here. Please move along.

[Cyberax]

Yes, I'm always logged on, but I frequently see "Nothing to see here..." (it usually goes away in a minute, so not a big problem).

Re:Nothing for you to see here. Please move along.

[Cutriss]

Ditto. It's always on new stories.

Re:Nothing for you to see here. Please move along.

[creativeHavoc]

I was very excited the first time i got mine. I was logged in, it was on a brand new story. After getting my camera and taking a picture of myself beside it (i'm joking, I swear that never happened...) I clicked refresh and it was the story it should be, and had comments already posted (i believe... lets say 70% sure, as my comment that I posted was a couple down from the top)

Re:Nothing for you to see here. Please move along.

[grub]

I'll second (or third or fourth) that.

I see it very often immediately after a story goes leaves the ~mysterious future~ and hits the present.

Re:Nothing for you to see here. Please move along.

[iMaple]

ditto -- I get that very often on new stories

Re:Nothing for you to see here. Please move along.

[goofyheadedpunk]

Yep, I get it quite often even when logged in, as well.

Re:Nothing for you to see here. Please move along.

[kevin_conaway]

I too, have seen those errors while logged in.

Re:Nothing for you to see here. Please move along.

[LiquidCoooled]

I don't ever seem to get it (and I'm around quite a bit)
i wonder if it depends on which machine you get load balanced into - the might be a none randomness in the order which may explain why some people get them a lot and others don't.

Re:Nothing for you to see here. Please move along.

[jdoss]

Did you guys take bets as to whether or not this article's comments would become a series of bug reports? If not, you should have. The guy betting "yes" would have had a lot of free beer tonight. :)

Re:Nothing for you to see here. Please move along.

[analog_line]

Yes, apart from this morning. It will happen on new stories quite often for a few seconds if I'm being very slashdot-happy refreshing a lot because I'm bored waiting for something to finish up, but sometimes for around a minute. The next time I catch it, I'll note the time, story, etc, and send an e-mail with that information.

No placeholders?

Seems like only a matter of time before someone could nail you with an sql injection attack. Maybe I will download your code...

Re:No placeholders?

[jamie]

Please do download our code (and email us at security@slashcode.com if you find any bugs). We quote arguments in the approved fashion before using them in a query string, and additionally we do regex whitelist-style filtering on many commonly-used params (e.g. $form->{cid} is guaranteed to be numeric). Generally we're pretty good at this stuff. Which is not to say we never make mistakes...

Re:No placeholders?

[Spy+Hunter]

I think your justification for not using placeholders is rather, uh, wrong. I agree that the argument order thing can be an issue, but that's what *named* placeholders are for. The major benefit of placeholders is not speed, it's absolute resistance to SQL injection. You may be diligent in quoting, but standard software development wisdom is that it's always better to eliminate the possibility of a bug than rely on programmer checking all the time, due to Murphy's Law of course. Also, the admittedly small speed benefit of placeholders when used with precompiled statements is going to be on the DB side, not the web side, which can make a bigger difference (as the DB is harder to scale).

Re:No placeholders?

[bob.appleyard]

Does MySQL have named placeholders? I've only ever used it through PHP, and you need to use question marks if you wanna do that. I've never really bothered (not actually written anything I'd think to release yet in this arena) myself. A few days ago I and a friend had a go at writing a wrapper to handle named placeholders, but it was a pretty dirty hack (using preg_replace_callback and global variables ... uurrrgghh).

Re:No placeholders?

[pudge]

I think your justification for not using placeholders is rather, uh, wrong. ... The major benefit of placeholders is ... absolute resistance to SQL injection. Yes, but there is more than one way to do it.

You may be diligent in quoting, but standard software development wisdom is that it's always better to eliminate the possibility of a bug than rely on programmer checking all the time Sure. We do not rely on programmers to check all the time. Indeed, what jamie didn't mention (I think) is that most of the time, we sanitize user input before it ever gets to the programmer. A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized.

Not that we are perfect, but we have a pretty good track record that, I think, speaks for itself. So I'll say that saying it is "wrong" is rather, uh, wrong. ;-)

Re:No placeholders?

[Fweeky]

You can avoid using globals by making an object to handle the replacements, like this example I hacked together a while back.

Re:No placeholders?

[kcbrown]

Sure. We do not rely on programmers to check all the time. Indeed, what jamie didn't mention (I think) is that most of the time, we sanitize user input before it ever gets to the programmer. A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized.

Most of the time?

So sanitization isn't a guaranteed thing?

There's your SQL injection security hole right there. All it takes is one field that isn't properly sanitized to ruin your entire day.

You should never rely on diligence over mechanism for security.

For shame. You people should know better than this by now.

Re:No placeholders?

[pudge]

There's your SQL injection security hole right there. False. It's only a hole if it is a hole.

Re:No placeholders?

[hostyle]

Suppose its a well paid perl function masquerading as a hole? Slash::HiddenFeatures->NotAHole($rly) comes to mind ...

Re:No placeholders?

[gnuman99]

Security is about how things are done not how they turn out to be. This means you use placeholders such that then the database layer doesn't have to parse the data. If the database driver is stupid such that placeholders are just cosmetic, then well, no security gained.

If you don't use placeholders on ASCII text files, easy to sanitize anyway. But if you don't use placeholders on multi-byte encoded characters, then it is SQL injection and a security hole.

http://www.postgresql.org/docs/techdocs.50

PostgreSQL was hit by the problem. The problem was later identified in MySQL and other databases as well. Escaping only works properly in regular ASCII, but still a pain for the parser. Data may be passed to the server faster and securely with prepared statements.

Re:No placeholders?

[Anonymous+Crowhead]

Please do download our code (and email us at security@slashcode.com if you find any bugs)

Nah. I've submitted bugs to slashcode at sourceforge in the past. Actual bugs. They are always closed with snarky remarks about how it's not a bug. You should add a status "Will Not Fix" or "Cannot Fix". At least admit where your site is broken and maybe give a little explanation as to why.

The most obvious of these is how nested mode is horribly broken in stories with a lot of comments or a comment that receives a large number of replies such that it is beyond the comments per page threshold. If you try to go to the next page, you get the same page of comments. Same with the next page and the next. A side effect is that many comments are completely lost in this mode. This has been a bug for many years.

Re:No placeholders?

A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized.

And what if the programmer wants to use $form->{uid}* in some other place than an SQL query? Does he have to unescape it himself, or will he catch the PHP disease of spewing backslashes all over the page?

* Or some other form value that can legitimately contain arbitrary text, if uid isn't one of those.

Re:No placeholders?

So fucking true. I swear, what fucking planet are most of these guys employed on? The endless idealism here about what coders should spend their time doing is just so detached from real life it's just bizarre.

Re:No placeholders?

[kcbrown]

False. It's only a hole if it is a hole.

The problem is that you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero.

In this case, you have a defense against it but it's not a bulletproof defense. You're relying on some combination of the form parameter being sanitized (which requires diligence on the part of the programmer who writes the form handler) and the value being quoted (which requires diligence on the part of the programmer writing the code which is sending the value to the database).

In other words, you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes.

You can eliminate SQL injection attacks entirely by using placeholders.

You can furthermore avoid the need to quote anything by using placeholders.

Oh, and placeholders give you one more advantage: they're database independent. If a database supports placeholders at all, you're done. If you instead do quoting, you have to tailor your quoting function to the database engine you're using, because they're not all alike in that regard.

So from where I sit, placeholders have significant advantages and have no disadvantages. Why in the world aren't you using them?

Re:No placeholders?

[pudge]

Security is about how things are done not how they turn out to be. Sure. And they way we do it works.

This means you use placeholders ... Well, no. That is ONE way to do it.

But if you don't use placeholders on multi-byte encoded characters, then it is SQL injection and a security hole. No. If you do not use placeholders on data that is potentially dangerous, THAT is a security hole.

Re:No placeholders?

[pudge]

A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized. And what if the programmer wants to use $form->{uid}* in some other place than an SQL query? Does he have to unescape it himself, or will he catch the PHP disease of spewing backslashes all over the page? It is not escaped. So, no. :-)

Or some other form value that can legitimately contain arbitrary text, if uid isn't one of those. Yeah, we don't escape it, we sanitize it. Most of such data is integer data, or simple character data. Arbitrary text is handled by an API that escapes it on insertion/updating, and in the case of selects, we handle it case-by-case. It works for us.

Re:No placeholders?

[jamie]

$form->{sid} is sanitized, not escaped. It's guaranteed to match \d{2}/\d{2}/\d{2}/\d{3,8}|\d{1,8} but its value in perl is its actual value. When you pass it to the DB you have to escape it.

Re:No placeholders?

[pudge]

False. It's only a hole if it is a hole. The problem is that you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero. That's not true, unfortunately.

This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work.

Mechanisms only work if you use them.

In this case, you have a defense against it but it's not a bulletproof defense. In fact, when we use the defenses, yes, they are as bulletproof as placeholders. And when your bulletproof defense is to use placeholders, but then you don't use them, well, you are wide open.

You're relying on some combination of the form parameter being sanitized (which requires diligence on the part of the programmer who writes the form handler) It's handled centrally. So if there is a new form value to be accepted, yes, someone has to add it to the handler, Otherwise, no.

And this is really less about DB than it is about the displayed data to the end user (so we have to do less filtering on the web page), so I probably shouldn't have mentioned it in this context. Every once in awhile I might use $form->{uid} without escaping it, but really, we almost never do that, and when we do we are 100% sure it is perfectly safe, with no exceptions.

and the value being quoted (which requires diligence on the part of the programmer writing the code which is sending the value to the database). Yep. Just like it requires diligence by a programmer on your project to make sure he is using placeholders at all.

In other words, you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes. No moreso than anyone else.

You can eliminate SQL injection attacks entirely by using placeholders. Sure. If you use them. And if you use our methods, you also eliminate them entirely.

You can furthermore avoid the need to quote anything by using placeholders. And you can eliminate the need to use placeholders by quoting whatever needs to be quoted. Not that you'd want to, but, whatever floats your boat.

Oh, and placeholders give you one more advantage: they're database independent. So is our quoting method, actually.

So from where I sit, placeholders have significant advantages and have no disadvantages. Why in the world aren't you using them? I never find such questions to be very interesting, although the real answer is primarily historical. But in the end, I don't care why people do what they do, as long as it doesn't cause problems for me or anyone else.

Re:No placeholders?

[jamie]

Oh, and placeholders give you one more advantage: they're database independent. If a database supports placeholders at all, you're done. If you instead do quoting, you have to tailor your quoting function to the database engine you're using, because they're not all alike in that regard.

Actually, no, DBI.pm (and Slash's DB layer) handle that for you.

Of course there would be a zillion other things to do if we wanted Slash to be portable to other RDBMS software at this point...

you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero... you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes.

There's some places where you can't use placeholders or it's just silly or inefficient to. An IN clause, for example (we have some with a thousand or more IDs in an IN). Or if you want to compare a column's equality against a variable if the variable has a value but compare IS NULL if it's undef.

Whitelisting input to a regex solves other bugs as well (notably XSS), so we would do it anyway. It just happens to solve this problem pretty well too.

There's always the chance someone will write a clause with variables manually in the text and no one will catch it. You can make a rule "no bare variables in clause strings" but we chose instead to make a rule "no unquoted variables in clause strings (except numerics listed in filter_params)." Maybe there'll be a time our rule isn't followed, but if so there could be a time your rule isn't followed either - I don't think you can throw an assertion to stop it, really.

In a lot of places we construct long clauses algorithmically, often pushing clauses into an array and then doing a join(" AND ", @array) to get the master clause. To make placeholders work properly for that we'd have to write what sounds like a pretty ugly class to handle it. push @array, "x=$foo_q" and join(" AND ") are simpler and more flexible than $clauses->add("x=?", $foo) and $clauses->combine("AND"). It'd simply be better code in these places to drop the quoted values into the string and if we're going to do it there we might as well do it everywhere.

Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. I suspect eventually someone would make an edit that causes an off-by-one correspondence between the ?'s and the variables, bringing chaos and pain throughout the land.

I tend to agree with your theory, but in practice I think our system works as well or better.

I should point out that SQL injection is easier to defend against than XSS. We honestly have very few incoming data types, a few dozen covers like 95% or more, and since it's an SQL syntax error to send our database "sid=$sid", we end up having to write my $sid_q = $slashdb->sqlQuote($sid); ... "sid=$sid_q" anyway. That's injection-proof. The only variables we don't quote are numeric and filter_params checks all incoming numerics.

XSS is the hard one (and it's vaguely related). There's literally a dozen ways to strip/escape text you pull from the DB before emitting it to a webpage, picking the right one often requires a lot of thought, and picking the wrong one has a high probability of being exploitable. The impact is probably less than an SQL injection vuln, but still, we spend a lot more time thinking about XSS.

Re:No placeholders?

[davegaramond]

Instead of debating which one should be used, why don't just use both? More security, all the better.

Using placeholders is a form of dilligence too. What if some programmers (like the new guys) forget, some of the time, to use them for newly-written SQL statements? On the other hand, sanitizing request parameters e.g. uid, sid, *id will work on all new SQL statements that involve these parameters.

Re:No placeholders?

[kcbrown]

Actually, no, DBI.pm (and Slash's DB layer) handle that for you.

Sorry about that. It's been long enough since I've used quoting at all, much less in Perl, that I'd forgotten that DBI actually supplies the quoting method.

There's some places where you can't use placeholders or it's just silly or inefficient to. An IN clause, for example (we have some with a thousand or more IDs in an IN). Or if you want to compare a column's equality against a variable if the variable has a value but compare IS NULL if it's undef.

For the former, I usually define a function to get me a list of placeholders equal to the size of the list I want to put in my IN clause, so the end result is just about as easy to implement as it is with quoting, with the advantage that I don't have to quote my entire list before I pass it:

$sth = $dbh->prepare("SELECT a FROM b WHERE c IN (" . placeholderlist(@list) . ")");
$sth->execute(@list);

For the latter, quoting gives you no advantage at all over a placeholder, since you have to change the form of the query regardless.

There's always the chance someone will write a clause with variables manually in the text and no one will catch it. You can make a rule "no bare variables in clause strings" but we chose instead to make a rule "no unquoted variables in clause strings (except numerics listed in filter_params)." Maybe there'll be a time our rule isn't followed, but if so there could be a time your rule isn't followed either - I don't think you can throw an assertion to stop it, really.

I haven't given this enough thought to know whether it would be easier to automatically enforce the use of placeholders or the use of quoted variables, but I suspect it would be easier to enforce the use of placeholders (more precisely, to prevent the accidental use of inlined variables). Just off the top of my head (meaning, this isn't a complete solution by any means): have the SQL interface function throw an exception for any query that doesn't have a placeholder in it, unless some magic variable is set. :-) The theory there is that queries without at least one placeholder are very rare. It's not a complete solution, since it doesn't protect you against a mix, but I haven't given the problem a lot of thought.

Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. I suspect eventually someone would make an edit that causes an off-by-one correspondence between the ?'s and the variables, bringing chaos and pain throughout the land.

This depends greatly on the query, of course, but I've found that placeholders allow me to easily see what the query itself looks like in the abstract, which I've found useful. But yes, it does make it more difficult to match variables and such. Python's DB API makes it possible to use named placeholders, which is immensely easier to deal with in that regard.

I tend to agree with your theory, but in practice I think our system works as well or better.

Fair enough. Here's hoping that continues to be the case...

Re:No placeholders?

[kcbrown]

This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work.

Mechanisms only work if you use them.

The use of placeholders can be enforced in code, if incompletely. As far as I know, the use of quoting can't be enforced at all.

You can't prevent the programmer from bypassing the mechanisms you put in place, but that's not why they're there -- they're there to prevent mistakes.

In a way, this "quoting versus placeholders" debate is similar to the debate on weak typing versus strong typing. The former is quicker and easier to use, but the latter reduces the chances of a mistake. And years of experience with many languages have shown me that the latter is more desirable and less costly in the long run. Mechanism beats diligence for correctness every time.

Re:No placeholders?

[tknd]

The major benefit of placeholders is not speed

Oh, there are speed benefits, but you have to use a statement handle (which they also do not use):

my $sth = $dbh->prepare("insert into SOME_TABLE values (?, ?)");

foreach $something (@bunch_of_somethings) {
$sth->execute($something->{'key'}, $something->{'value'});
}

$dbh->commit;

Note: you should always check for DBI errors but I did not for the sake of simplicity.

What that code essentially does is reuse the same statement handle to perform multiple insert statements. This prevents the database's SQL parser from being called on the same statement more than once. Advanced databases can actually avoid this to some degree by statement caching. But if you change the SQL literals, the caching doesn't work.

Another advantage is if you split the binds into seperate calls, you can actually detect errors on binding to a particular field when it occurs using the database's type checking rather than your own. For example if you declare a table that has a field to store number types and somehow a string gets bound to the variable, you *should* get a DBI error on binding the variable rather than on execution of the SQL statement.

Re:No placeholders?

[kcbrown]

Sanitization works as long as the sanitized result can't itself be valid form of SQL. So it helps to reduce the chance of a SQL injection attack, of course, and it should be used regardless (input checking is a form of correctness checking and thus should be done as a matter of course). So it's really orthogonal to the use of quoting or placeholders.

But quoting no substitute for a backend mechanism designed explicitly to allow passing data to the database, which is what placeholders are. Quoting is nice and has its place like any tool, but it can't, and doesn't, compare with placeholders for the purpose of passing data to the database. With placeholders, I can pass arbitrary data to the database, including binary data. I know this, because I just tested it. Works great with placeholders, doesn't work with quoting.

I'll be happy to post the test code I'm using that proves this if you want.

Re:No placeholders?

[pudge]

This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work. Mechanisms only work if you use them. The use of placeholders can be enforced in code, if incompletely. Well that's the thing, it is easy to bypass them.

You can't prevent the programmer from bypassing the mechanisms you put in place Exactly.

but that's not why they're there -- they're there to prevent mistakes. They are there to prevent security holes. Which is no different from our mechanisms.

In a way, this "quoting versus placeholders" debate is similar to the debate on weak typing versus strong typing. The former is quicker and easier to use, but the latter reduces the chances of a mistake. And years of experience with many languages have shown me that the latter is more desirable and less costly in the long run. And yet, we use Perl, which has no typing at all.

The bottom line here is that you are correct, except in that you think I am incorrect. We're both correct. There is no Right Way, except as defined by the people running the project. If we have an actual hole, obviously, that's Wrong. But that's not the case here: you just think we're preventing holes "wrongly," and that does not compute.

Re:No placeholders?

[kcbrown]

but that's not why they're there -- they're there to prevent mistakes.

They are there to prevent security holes. Which is no different from our mechanisms.

No, I meant mechanisms which would enforce the use of placeholders to keep developers from inadvertently using unsafe queries. Those mechanisms could be bypassed intentionally by the programmer, and if they are then there's an increased risk of security holes because the security mechanism you want the programmer to use (placeholders) isn't being used.

Sorry if I didn't make that clear.

And yet, we use Perl, which has no typing at all.

Yes. And how many bugs have you encountered at runtime that occurred because of this, when a strongly-typed language would have caught them at compile time? My bet is that it's significantly more than zero.

Some languages are better about this than others. Python is especially bad about this because everything, up to and including the methods attached to a class, is ultimately dynamic.

The bottom line here is that you are correct, except in that you think I am incorrect. We're both correct. There is no Right Way, except as defined by the people running the project.

The Right Way is defined by the set of goals and their relative priority. More precisely, the goals determine the ordering of solutions in terms of their desirability and suitability. Saying that there's no Right Way can be interpreted to mean that all solutions are equivalent, which is clearly not the case.

If we have an actual hole, obviously, that's Wrong. But that's not the case here: you just think we're preventing holes "wrongly," and that does not compute.

No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks (along with having other problems). It works towards that end, yes, but it's not the best approach for accomplishing that task. My point here is that the use of placeholders is a more complete solution which can more easily be enforced upon the programmer and which is a superior method of getting data into the database safely because it was designed explicitly for that task. Quoting is just a kludge. It happens to work most of the time, but it's still a kludge.

Re:No placeholders?

[drachenstern]

Okay you two, just walk away for like, five days, then ... quit.

We all see the merits of each side, and each of you is defending a position that is entirely seperate from the other person's position.

Yeah, it's great to use the libs to do stuff, because the libs have been committee-vetted
Yeah, it's great to roll your own, because you don't have to worry about removing features

So give it up, the blood pressure increases are not worth the hassle of proving "I'm right"

Re:No placeholders?

[pudge]

but that's not why they're there -- they're there to prevent mistakes. They are there to prevent security holes. Which is no different from our mechanisms. No, I meant mechanisms which would enforce the use of placeholders to keep developers from inadvertently using unsafe queries. Those mechanisms could be bypassed intentionally by the programmer, and if they are then there's an increased risk of security holes because the security mechanism you want the programmer to use (placeholders) isn't being used. Exactly. That's what I meant. If the mechanisms are not used, they don't work. Same as our mechanisms.

And yet, we use Perl, which has no typing at all. Yes. And how many bugs have you encountered at runtime that occurred because of this, when a strongly-typed language would have caught them at compile time? My bet is that it's significantly more than zero. Who cares? Our development time is much quicker, our lines of code much smaller, than a strongly typed language. I'll take a very rare problem that would have been caught by strong typing, as I am way ahead even still.

The Right Way is defined by the set of goals and their relative priority. The Right Way is determined by whoever is doing the project. There is no obejctive "right way." That's something CS people often don't get.

Saying that there's no Right Way can be interpreted to mean that all solutions are equivalent Yes, I cannot prevent incorrect interpretations.

No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks And I am saying you're clearly wrong. There's no rational basis for this claim, other than "I don't prefer your method."

It happens to work most of the time False. It works every single time, unless the programmer doesn't do it. Just like placeholders.

Re:No placeholders?

[pudge]

So give it up, the blood pressure increases are not worth the hassle ... I am not in the least bit excited, angry, upset, etc. Your mood meter needs calibration!

Re:No placeholders?

[kcbrown]

Exactly. That's what I meant. If the mechanisms are not used, they don't work. Same as our mechanisms.

You can't prevent the programmer from intentionally bypassing your mechanisms. But that's not the point. The point is to prevent him from accidentally bypassing your mechanisms -- to prevent him from making mistakes. This is what strongly typed languages attempt to do (with some success, I might add), and what a checking mechanism would also attempt to do.

A checking mechanism can be put in place to attempt to ensure that the programmer always uses placeholders. It can be bypassed, but the programmer would have to do so intentionally, which is not what you're trying to protect against. The purpose is to prevent mistakes, not willful misuse. Security holes almost always come about as a result of coding mistakes.

Who cares? Our development time is much quicker, our lines of code much smaller, than a strongly typed language. I'll take a very rare problem that would have been caught by strong typing, as I am way ahead even still.

And you know your development time is much quicker how, exactly?

Even if your development time is faster than with a strongly typed language, you generally lose all of that advantage and then some as a result of having to chase down and fix the additional bugs that arise from the nature of the language you're using. Because now you have to contend with those bugs and the types of bugs that you always get regardless of language.

Also, I think you're confusing strictness with richness and/or expressiveness. Yes, strongly typed languages have traditionally been relatively sparse but a language's strictness does not forbid it from being rich, or easy to develop in.

And who cares about how big or small your lines of code are? What matters is how easy the code is to write and to understand (you want both). Perl is generally horrible in the latter regard (it's possible to write easily-read Perl but that requires inhuman amounts of discipline to do consistently). How short your lines of code are is not a function of the strictness of the language, either.

You can't eliminate bugs entirely, short of doing a full mathematical correctness proof of the code. But the earlier in the development cycle you prevent them, the less expensive the project will end up being in the end. Decades of experience in the computing field and in other engineering fields, for that matter, have shown this to be the case. It astonishes me that it's still common to find people who still arrogantly believe otherwise.

No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks

And I am saying you're clearly wrong. There's no rational basis for this claim, other than "I don't prefer your method."

Really? Then tell me: how would you go about automatically checking whether or not someone has quoted all the variables they are using to build a query with?

I can come up with more than one way to do the same with placeholders. They may not be perfect, but perfection isn't necessary -- it only needs to be more reliable and thorough than the same mechanism (if one exists) for quoting would be.

And can you safely insert arbitrary data, including binary data, into the database using quoting? No. I tried, and it threw errors. But I can do that using placeholders (as proven by a test using Perl DBI with PostgreSQL).

False. It works every single time, unless the programmer doesn't do it. Just like placeholders.

It works every single time for preventing injection attacks, yes. It doesn't work every single time for getting data into the database. But placeholders do (at the very least when the underlying database supports them. DBD implements placeholders in

Re:No placeholders?

[pudge]

I had responded to most of your post, and then I got here:

And who cares about how big or small your lines of code are? What matters is how easy the code is to write and to understand (you want both). Perl is generally horrible in the latter regard (it's possible to write easily-read Perl but that requires inhuman amounts of discipline to do consistently) Ah, here we go. A language bigot. Someone who lacks proficiency in a language sufficient to judge it with any rationality, and yet condemns it despite his ignorance.

What is true, likely, is that YOU do not understand written Perl. Written Perl is very easy for me to understand. I write, and read, Perl every day. It doesn't take anything "inhuman." It only takes competent programmers who know Perl. You are not one of those, more likely because of the lack of knowledge of Perl than because of the lack of competence in general, I assume, but your disregard of reason makes me disregard the rest of your post.

Re:No placeholders?

Generally, if a story that that many comments, none of them are really worth bothering to read.

Re:No placeholders?

[kcbrown]

Ah, here we go. A language bigot. Someone who lacks proficiency in a language sufficient to judge it with any rationality, and yet condemns it despite his ignorance.

What is true, likely, is that YOU do not understand written Perl. Written Perl is very easy for me to understand. I write, and read, Perl every day. It doesn't take anything "inhuman." It only takes competent programmers who know Perl. You are not one of those, more likely because of the lack of knowledge of Perl than because of the lack of competence in general, I assume, but your disregard of reason makes me disregard the rest of your post.

This is pretty laughable considering that I've used Perl for various things for some 17 years, with about 10 of them involving intense development at times. I suppose, then, that you might regard me as incompetent, but I assure you it won't be for lack of familiarity with the language (that said, I've not done any serious Perl for about the last 5 years).

I didn't mean to say that Perl is entirely unreadable. I meant that Perl is on average harder to read than a number of other languages (particularly those designed with readability in mind). Someone intimately familiar with it will obviously have an easier time of it but even with that kind of intimate familiarity with it, Perl allows you to write constructs in so many different ways that it's often not as easy to discern the intent of the author of the code as it is with other languages that place emphasis on readability and maintainability. You can write code that's hard to discern in any language, of course, but in my experience, it's easier to do that in Perl than in a number of others, because Perl makes brevity at the expense of readability easy.

This (brevity) is something that is often valued by people who really like Perl. People such as, apparently, yourself, since you obviously place value on how small your lines of code are. There's nothing wrong with that in and of itself, but it comes at a price. That price is something you don't seem to have experienced yet. Perhaps you never will -- Perl seems to be the language you have by far the most invested in. Aside from C, I can't tell from examining your web site what other languages you have familiarity with.

To put the above another way, Perl requires greater knowledge on the part of the programmer to achieve the same ability to read and understand code written in it than some other languages do. You won't realize this until you walk away from Perl for a little while (long enough to forget a lot of the little things) and then go back to it, and find you have to look up a lot of things that you wouldn't have to with more readable languages.

I used to believe as you apparently do. Perl was by far my favorite language. It wasn't until I stopped using it for a bit and then went back to it that I realized that there was a kernel of truth in what people said about its readability.

I will say this about Perl: it's a lot better about readability now than it used to be. Even so, there's a reason Perl is at the receiving end of jokes about readability.

As for my "disregard for reason", I have a set of opinions, based on experience and understanding. If those opinions are demonstrably incorrect then I will change them, because I'm a realist, and being right is more important to me than just about anything else (being right is a very useful, while being wrong is pretty much useless).

So: if you have some factual or logical basis for claiming that my opinions are incorrect, put it on the table. I haven't seen it yet.

Re:No placeholders?

[pudge]

This is pretty laughable considering that I've used Perl for various things for some 17 years, with about 10 of them involving intense development at times. I suppose, then, that you might regard me as incompetent, but I assure you it won't be for lack of familiarity with the language (that said, I've not done any serious Perl for about the last 5 years). I do not believe you for a second. No one truly competent in Perl believes it is hard to write readable Perl.

I am not bothering to read the rest of your post.

Re:No placeholders?

[kcbrown]

I do not believe you for a second. No one truly competent in Perl believes it is hard to write readable Perl.

I didn't say it was hard to do, I said it requires a great deal of discipline to do consistently. Perl has a wealth of abbreviated constructs that are very powerful. That makes it very tempting to use them, and their use generally reduces the readability of the code. That is why writing readable Perl consistently requires a great deal of discipline.

This is twice that you've refused to read the rest of what I've said, apparently because I don't happen to hold your favorite language with the same high regard that you do. From where I sit, that means it is you who is showing disregard for reason, because by doing so you implicitly assume that, because I fundamentally disagree with you about this one particular thing, the other things I have to say must have no merit. That is clearly a questionable position on your part.

It's your right to do that, of course, but it comes across as a bit immature.

Re:No placeholders?

[pudge]

I said it requires a great deal of discipline to do consistently. And that is a clearly false statement. I, and many other people, do it all the time, without any significant exertion.

This is twice that you've refused to read the rest of what I've said, apparently because I don't happen to hold your favorite language with the same high regard that you do. False. It is because you were presenting your (uneducated) opinion about Perl as fact. Saying you don't prefer Perl is fine. Making categorical statements about Perl that simply aren't true in the real world -- for people who are software engineers rather than computer scientists -- is boring.

From where I sit, that means it is you who is showing disregard for reason, because by doing so you implicitly assume that, because I fundamentally disagree with you about this one particular thing, the other things I have to say must have no merit. False. I implicitly assume no such thing. I merely consider someone who presents their (uneducated) opinion as fact is not interested in reason, and therefore I won't bother spending more time on the discussion.

The other things you say may have merit. But I just don't care.

Re:No placeholders?

[kcbrown]

I said it requires a great deal of discipline to do consistently.

And that is a clearly false statement. I, and many other people, do it all the time, without any significant exertion.

Really? And how exactly are you measuring this? By asking your equally fluent peers if they can easily read it? That's hardly a good measure of how readable a language is! Any language is easy to read to those who are experts at the language.

The readability of a language (as opposed to the readability of a section of code, which is determined by more than just the language -- you can make pretty much any section of code unreadable) has to be measured by how easily someone who has no more than a basic understanding of that specific language can read it. And for that, Perl is in my experience significantly worse than a number of others. This is because Perl requires greater knowledge on the part of the programmer to achieve the same ability to read and understand code written in it than some/many other languages do. You won't realize this until you walk away from Perl for a while (long enough to forget a lot of the little things) and then go back to it, and find you have to look up a lot of things that you wouldn't have to with more readable languages.

It is because you were presenting your (uneducated) opinion about Perl as fact. Saying you don't prefer Perl is fine. Making categorical statements about Perl that simply aren't true in the real world -- for people who are software engineers rather than computer scientists -- is boring.

My opinion is based on many years of first hand experience and observation. I don't care if you believe I have that experience or not because your belief doesn't alter the truth of it. That experience includes using Perl extensively as well as not using it much for a relatively large period of time afterwards. I dare say your experience doesn't include the latter, so I find it difficult to see how my opinion could therefore be called any more "uneducated" than yours.

As for the distinction between software engineers and computer scientists, software engineers engineer code first and foremost. That means they put effort into designing software up front before the write a single line of code, and the good ones choose tools, including languages and methodologies, which will yield the lowest long-term cost, which includes factors such as maintainability, scalability, suitability for the problem domain, etc.

The choice of language to use for Slashdot is largely historical -- you (meaning, those who developed Slash) were constrained by what was available at the time and by what capabilities the various available languages brought to the table. Once such a decision is made, it is nearly impossible to reverse. So I certainly cannot fault you for that decision. I could easily make the same decision given the constraints of the time. And even today, Perl might be the best language for the job, though in my experience there are other languages that are probably equally well-suited for the task and which are also by their nature more readable than Perl -- meaning I (as a software engineer) would choose them over Perl if that were the case.

The other things you say may have merit. But I just don't care.

That is nobody's loss but your own.

Re:No placeholders?

[drachenstern]

'Twas more his I was concerned with. PR facing people don't normally need to be told to chill, they just go have a smoke* and grab another cup o' joe. Plus you got the office to rant to if a*holes get out of line.

I was really talking to the other poster, who is trying to slam ya'll repeatedly, for no apparent purpose, as he doesn't want to see a different viewpoint.

Cheerio

*or not, as appropriate to smoking preferences

Re:No placeholders?

[pudge]

Only one response suits your comment: Perl, in a Nutshell. It even includes a concession about Perl being hard to read ... although it does so sarcastically.

Re:No placeholders?

[kcbrown]

Only one response suits your comment: Perl, in a Nutshell. It even includes a concession about Perl being hard to read ... although it does so sarcastically.

LOL! That song is awesome! :-)

Very well done! You've got talent with the guitar, dude...

Re:No placeholders?

[nacturation]

I'm jumping late into the conversation here, but this caught my eye:

In fact, when we use the defenses, yes, they are as bulletproof as placeholders. And when your bulletproof defense is to use placeholders, but then you don't use them, well, you are wide open. Would not the use of stored procedures make it bulletproof? Assuming your programmers don't have admin access to the database, you could provide them with a database user who has no access other than to make calls to certain stored procedures. This would enforce the security model as they otherwise couldn't do anything with the DB.

Re:No placeholders?

[pudge]

Perhaps, but stored procedures have their own set of problems.

The best security model would be requiring writing everything in assembly, and then not having any developers to risk our security. :D

Code defensively? What's that?

[ackthpt]

Sadly, where I work, they just hope for the best and throw more hardware at the problem. We're running a new site, hosted off-site, which is killing our network bandwidth. Not my choice. I just shake my head.

Re:Code defensively? What's that?

[cerberusss]

If it's hosted off-site, why is it killing your company's network bandwidth? The point of hosting off-site is that:

• It's cheaper because your datacenter buys energy and connectivity wholesale
• The connectivity gives you lots more headroom when the going gets tough

So... what traffic is passing between the datacenter and your company?

Re:Code defensively? What's that?

[ackthpt]

So... what traffic is passing between the datacenter and your company?

The problem is this is mostly web traffic. The application has gone from a thin client, which cached details on the workstation to web pages, which are rather large and a lot more page loads than with the old system. The network concern is that internally we have plenty of bandwidth - but this is hosted outside which at times is saturating our connection to the outside world. Eventually it will be hosted internally, but not for months. We don't have a lot of money to throw around right now, so upgrading our pipe isn't likely.

Re:Code defensively? What's that?

[cerberusss]

OK the app is used in-house... Interesting situation. Well, there doesn't seem a lot you can do. Maybe Apache's mod_deflate, or else you could put some work in streamlining the output of the web app. I.e. add paginating instead of laaarge pages. Remove images. Put stylesheets and javascript outside of the pages so the browser caches them.

Error descriptions

[192939495969798999]

I've always wondered, what's happening system-wise when we see "nothing for you to see here" vs. "page not found"?

Re:Error descriptions

[eln]

The "Nothing to see here" page exists so people can make vaguely on-topic jokes about it in the first few posts, especially in articles about censorship or vaporware.

Re:Error descriptions

[jamie]

I mentioned this phenomenon here -- but ironically, this morning the databases have been hallucinating (sigh)

Placeholders

[archen]

c) We don't use placeholders. Originally because DBD::mysql didn't take advantage of them, and now because we think any speed increase in a reasonably-optimized web app should be a trivial payoff for non-self-documenting argument order. Discuss!

I guess speed might be one consideration. Generally I like to use place holders because it adds simplicity when passing some types of queries. If there's one thing I've seen a problem with, it's failing to properly sanitize incoming information that is passed to the database. A LOT of php code out there is rather easy to blow a hole through due to this. It also simplifies a lot of junk I'd rather not deal with like quoting and such. In either case you're an idiot if you don't sanitize everything first anyway, but my mantra is safety first. I actually loath doing many applications where I can't use them (like the ruby database libraries).

Well that's my take anyway. There's some rather nice code in slash that taut me some better methods in perl, and I'd say you guys are way above my level.

Re:Placeholders

[grassy_knoll]

That caught my eye as well.

Personally, I much prefer placeholders / bind variables. They do help with sanitizing the data, but also ( for databases which have the feature ) can really reduce CPU utilization ( since the "same" statement isn't reparsed over and over again just because the variables changed ).

What about IPv6?

It would be nice if a tech site like slashdot supported IPv6

Re:What about IPv6?

[hostyle]

And I, for my part, would like a pony.

Thanks guys!

Re:What about IPv6?

Are you sure that's really what you want? Please check the screenshots and decide carefully.

Speaking for myself, I've really learned to like teal and the general lack of ponies here.

Comment removed

[account_deleted]

Comment removed based on user account deletion

OS?

[mmullings]

But what version of Windows Server are you running all this on? *duck*

Re:OS?

[suggsjc]

They just got upgraded to Server 2003 - Web SP2 about 2 years ago. But from what I heard, they are evaluating Windows Server Vista Edition.

Personally, I can't wait for that. It will really improve the looks of the site (+1 for the eye-candy). I mean it is Areo for websites (took them long enough). I just can't wait till M$ releases SQL-FS so they can ditch MySQL. Probably shouldn't be saying this, but its been rumored that they are going to do a total re-write in F# so that everyone (even Joe Sixpack himself) can understand how a big website is coded.

Re:OS?

[mmullings]

I really just want to know, all that fancy hardware running all that open source software, can or will it run linux?
I mean sheesh, that whole list of software with, with custom compiled kernels (Incidently, I didn't even know you could do that in Windows...)
But no mention of which version of Windows....odd.

https and login

[Spy+der+Mann]

One question. When someone logs in, is there a way to login through https? Because it doesn't matter if you get to https AFTER login - the login procedure can be sniffed anyway :-/

Re:https and login

[jamie]

You have to be a subscriber, and go directly to https://slashdot.org/login.pl.

Re:https and login

[Spy+der+Mann]

Thanks for the info, Jamie. Anyway I noticed something - there is unencrypted content in the page, so the address bar doesn't turn yellow. I had to look at the source code to find out which content wasn't encrypted. IMHO it'd be better to just encrypt all content so the user knows his password won't be sniffed.

Again, thanks!

Re:https and login

[jamie]

Ads, I'm guessing. That's not really something we have control over, I don't think.

Re:https and login

[brunascle]

when you have outsourced ads on an HTTPS page, you'll often find that. (it's on my company's too, and i hate it.) even if you change your side of the code so that it accesses the first javascript file over HTTPS, that javascript file might write a script tag (or img, etc) for another that doesnt use HTTPS.

i've experimented with a way to fix this by overloading document.write, regexing for script tags and replacing the source HTTP with HTTPS, but i'm hesitant to make it live.

Re:https and login

[Shakrai]

Because it doesn't matter if you get to https AFTER login - the login procedure can be sniffed anyway :-/

I'm all about security and paranoia, but do you really think there is somebody sitting on a router or network between you and /. with nothing better to do then steal your /. pw?

Granted, I'll be using https the next time I get some spare cash to subscribe, now that I know it exists.... but not because I'm worried about somebody sniffing my pw.

Re:https and login

when you have outsourced ads on an HTTPS page, you'll often find that. (it's on my company's too, and i hate it.) even if you change your side of the code so that it accesses the first javascript file over HTTPS, that javascript file might write a script tag (or img, etc) for another that doesnt use HTTPS.

i've experimented with a way to fix this by overloading document.write, regexing for script tags and replacing the source HTTP with HTTPS, but i'm hesitant to make it live.

Question of curiousity from the ignorant AC here, could this problem be related to the possible fact(?) that the page being no longer secure if it allows outside sources for content, in this case advertisements? If so then wouldn't security be better served by having the login page nothing more then needed for a secure login and fast entry to the site?

*Please, no RTFM comments, I don't do HTML or plan on it anytime soon, just curious if the question that came to my mind is valid or not.

Re:https and login

[tkdtaylor]

How about not putting ads on a login page?

Re:https and login

Yes. Beware bored ISP employees. And of course if you're browsing over public wifi and you don't encrypt your passwords then you're just asking for it.

Re:https and login

[Shakrai]

Beware bored ISP employees

Uhh, I worked at an ISP and I assure you that I had better things to do then start snooping into packets to steal website passwords.

nd of course if you're browsing over public wifi and you don't encrypt your passwords then you're just asking for it.

Good point there.

Re:https and login

Uhh, I worked at an ISP and I assure you that I had better things to do then start snooping into packets to steal website passwords.

That just means you're not bored, which is why I used that word. I bet that you've shared many horror stories about your colleagues, whether at your ISP or at other ISPs. Do you honestly think that there is nobody in all of that who is both competent enough to sniff passwords and bored and dickheaded enough to actually try it?

Re:https and login

[Fulcrum+of+Evil]

Damn straight - if I hack somebody's slashpass, what are the chances I also have their email password or bank site password?

Re:https and login

[MBHkewl]

You are mistaken.

I saw this the first time on Yahoo! mail. Their login pge was a normal HTTP page, and submitted the code off to an HTTPS script. I sniffed my own traffic and everything was encrypted.
What happens at the lower layers is that an encrypted connection is initiated, THEN your form is submitted over SSL.

Don't make claims of which you are not sure of.

Re:https and login

[jesboat]

The problem with that is that unless the form is also encrypted, you need to read the source to be sure the that when you click Submit, the form actually will go to the right place. If the form isn't under https, an attacker could modify it in transit to submit to somewhere else.

Re:Strange

i also got this bug once this morning. first time i open an article there were no comments (even though the index page said there were about 100), then i refreshed and there about 100. i presume this was introduced with the changes made today (the "Loading" ajax message, the lightgrey already-read-this-comment color)

My number one complaint

[OverlordQ]

(Didn't know we support HTTPS, did ya? It's one of the perks for subscribers: you get to read Slashdot on the same webhead that admins use, which is always going to be responsive even during a crush of traffic -- because if it isn't, Rob's going to breathe down our necks!)

Yes, it's a nice perk, but a even nicer perk would be to let everybody at least login through HTTPS. Weren't we bashing companies earlier for not using SSL by default for logins?

Re:My number one complaint

[gatekeep]

Yes, it's a nice perk, but a even nicer perk would be to let everybody at least login through HTTPS. Weren't we bashing companies earlier for not using SSL by default for logins?

Logging in via HTTPS, and using cookies for authentication persistence won't keep anyone with a sniffer from getting access to your account. From getting your password, yes, but not your account.

They don't use Windows Server, duh

[empaler]

OS/2. To The Maxxxxx.

Is this the place for complaints/suggestions?

[KWTm]

If this is the place for suggestions and complaints for Slashdot, may I put in my two cents? Sounds like people have been suggesting a number of new mods and changes to the old ones. Could this be revised? For example:

- separating +1 Funny into "+1 Funny-Raise Karma" and "+1 Funny-Karma Unaffected"
- combining -1 Flamebait with -1 Troll
- adding -1 Wrong (or -1 Misinformed), the opposite of "+1 Informative"
- combining +1 Interesting with +1 Insightful

(In fact, we can have diametrically opposed mods, like Informative/Misinformed, Underrated/Overrated, Insightful/Flamebait, Funny/Rude, etc. ... but maybe we'll take it one step at a time.)

And, yes, put in my vote for logging in via HTTPS.

Re:Is this the place for complaints/suggestions?

[mce]

- combining +1 Interesting with +1 Insightful

Asking for that change means that you don't understand what the word insightful means. Don't worry, you're not alone: quite a few moderators don't. But please allow those who do understand to use the words properly. There are enough of us around to still make the distinction work.

Re:Is this the place for complaints/suggestions?

[finnw]

combining -1 Flamebait with -1 Troll Please don't do that. It will spoil my +2 troll modifier.
I find the posts marked "Troll" are the most interesting/entertaining ones. Anyone else do that?

Re:Is this the place for complaints/suggestions?

[uglyduckling]

The idea behind moderation is that it's meant to be positive, so that the truly informative, insightful, interesting or funny posts rise out of the general hubub. The negative moderation, as far as I can see, is intended to increase the signal to noise ratio without unduly affecting genuine posters.

I've found a few times that I've been moderated overrated for posting a contentious comment: in other words, some moderators misuse their points to give their opinion on the conclusion that is being stated. Really moderation should be about the quality of the post: if something is well-argued and presents and interesting perspecive then it deserves to rise above the crowd, even if the conclusion doesn't fit with some people's views. The danger with diametrically opposed mods is that it will turn into a fight between mods to promote posts that fit with their pre-conceived opinions and demote posts that don't.

Your idea of '-1, Misinformed' seems like a good idea at first blush, but the problem is that it's giving moderators license to comment on the conclusion of the post, rather than the quality of the post. It's much better to let the posts with decent references/links, well-reasoned arguments etc. to rise to the fore than have moderators blasting down posts because they think the author got it wrong. That's what replies are for.

Re:Is this the place for complaints/suggestions?

[bennomatic]

But why can't we combine "+1 Crow" with "+1 Black Bird"? Every time I see a crow, it's a black bird. I don't see any problem with combining the two!

Re:Is this the place for complaints/suggestions?

[Baddas]

Ding ding ding, I do it as well, though mine's a +5. It's lolz all the way down when you read slash for the trolls.

Though I think lately they've been dying off. Rather sad, really, that's most of the reason I come here.

Re:Is this the place for complaints/suggestions?

[jobsagoodun]

And while you're at it, how about making it possible to undo mods done via the ajaxy-dropdown thing. I've accidentally modded a few things the wrong way (doh) and the only way to reverse it is to post a pointless comment to the article...

Re:Is this the place for complaints/suggestions?

[mce]

Because as a reader I tend to value "+X insightful" over "+X interesting". Yes, the really insightful ones will likely also be interesting, but not the other way around. Look at it this way: if I'm a crow looking for a mate, I'm not interested in just any black bird, but I sure am interested in other crows (even those of the wrong sex, as they are unwanted competition :-) ).

Re:Is this the place for complaints/suggestions?

[bennomatic]

:) That is exactly the point I was making. I understand the (not-so) subtle difference and was giving an illustration of where the confusion may lay.

Maybe "+1 Interesting" should be renamed "+1 Interesting, but not insightful". But if it's interesting and not insightful, then it's really merely entertaining. However, if we add a "+1 Entertaining", people would confuse it with "+1 Funny". To resolve that, we'd have to add "+1 Entertaining, but not funny".

Otherwise, people might just have to think about how they use words. That may, unfortunately, not be a reasonable burden for many to bear.

Re:Is this the place for complaints/suggestions?

[Leebert]

- adding -1 Wrong (or -1 Misinformed), the opposite of "+1 Informative"

It's much better for the discussion if you post a reply explaining WHY they are wrong or misinformed. This *is* a discussion site, after all, and how else do you expect the person to understand why you think they are wrong?

Re:Is this the place for complaints/suggestions?

[smash]

Yeah, i have troll/flamebait set to +2. it makes the site much more amusing :)

Re:Is this the place for complaints/suggestions?

is it -1 Funny / +1 Rude

or +1 Funny / -1 Rude?

Re:Is this the place for complaints/suggestions?

[kaivix]

I find your insight into the interesting difference between 'insightful' and 'interesting' to be interestingly insightful. Though more seriously, I'm not sure how one could confuse the two at all. Insight has absolutely nothing to do with interest. Either can exist without the other, both can exist together, and often, neither exists. If anything, the top 2 or 3 reasons for scores should be output, with the most prevalent tag first. So if a comment has been marked as insightful by many, and interesting by fewer, then the output should be "(Score:5; Insightful, Interesting)".

Re:Is this the place for complaints/suggestions?

[mce]

So if a comment has been marked as insightful by many, and interesting by fewer, then the output should be "(Score:5; Insightful, Interesting)".

Yes, indeed. Or if only a single world can be displayed, the one that was used most should be chosen. Right now, a true +5 insightful can be sort of "destroyed" by a single subsequent malicious "-1 troll". OK, the resulting "+4 troll" still is a sign that the post might be worth something, but the annotation looses the reason why. Malda, are you reading this?

Re:Is this the place for complaints/suggestions?

[Cyberscythe]

That's very insightful.

Re:Is this the place for complaints/suggestions?

[beuges]

Because there are loads of +5 Insightful posts here which are quite simply misinformed. After the first 5 people post replies pointing out why the item is misinformed, what is left to do? The only other option really is to mod the offending post Redundant, which isn't entirely true. The other problem is that unless a post is explicitly marked as Misinformed, the uneducated masses who believe every positively rated comment is accurate will go on repeating that misinformed content as if it were the gospel truth.

Re:Is this the place for complaints/suggestions?

[Leebert]

After the first 5 people post replies pointing out why the item is misinformed, what is left to do?

Moderate those replies up?

Moderation should ideally be minimally subjective.

Slash update?

[GBC]

Just curious if there is another release of Slash coming anytime soon?

Also is there an up-to-date list of other sites running the code? The Slashcode sites list is sadly empty these days (which I hope doesn't mean there aren't any other sites that run Slash)

Re:Slash update?

[pudge]

No, I doubt we will ever do another release of the code. We make it available on CVS for anyone to grab it, and use CVS tags to mark "releases." And we don't have an up-to-date list of Slash sites, but there are bunches.

Re:Slash update?

[Single+GNU+Theory]

And we don't have an up-to-date list of Slash sites, but there are bunches.

Yeah, just Google for Slash...

Er, maybe don't. Tyrol/Boomer, fine. Helo/Boomer, that's fine too. It's the Tyrol/Helo stuff I needed the mental floss for.

CPU bottleneck: Sun servers?

If CPU is a bottleneck, have you thought about using Sun's Niagra-based servers at all? They have CPU (and RAM) to spare.

Re:CPU bottleneck: Sun servers?

[jon3k]

Because sun loses the dollar/MFLOP contest?

Re:CPU bottleneck: Sun servers?

[harmless_mammal]

Gee, I didn't know Slash depended heavily on floating-poing math performance... I thought it was all about moving bytes around.

Re:CPU bottleneck: Sun servers?

[jon3k]

The point stands. You'll get more for your money from x86. Thanks for adding nothing to the discussion.

Re:CPU bottleneck: Sun servers?

I wouldn't be so harsh. a while back our company did a comparison between x4100 (running windows) and T1000 boxes running solaris 10. the coolthreads won hands down, both performance wise and price wise (even before factoring in the windows price).

consider that, for the purposes of veritas fs licensing, a 6 core t1000 is in same band as a single core opteron box IIRC.

When did you drop the FrontPage Extensions?

[Thrustworthy]

It seemed an oddity to me that the old /. code base used FrontPage Extensions. Why did you use it and what did you replace it with when you dropped it?

your post deserves a

[circletimessquare]

+0.5 Somewhat Useful Kvetching

Bookmarked

[UltraAyla]

Honestly, I never bookmark anything on slashdot because it's news (and so is in passing) - but I bookmarked this. This is a resource. I do perl application coding for the web, and while I don't pretend to be an expert in any form, this could be really useful if I ever need to scale up performance - thanks for posting this!

Re:Bookmarked

[hostyle]

I totally concur. This is the best slashdot article in at least 2 years.

More Jamie please ...

using a proxy..

So where is the process that slashdot attempts to my port 80 periodically.
Is that your abuse system?

Is This Some Kind of Joke?

[Black-Man]

'cause I see no reference to IIS, SQL Server, .NET and I just read a Microsoft press release that says high-volume web portals can't provide high-availability service w/o them??

Redefining .shtml?

[VGPowerlord]

Last time I checked (which was like 10 years ago), .shtml stood for Server Side Includes (SSI) HTML, which are definitely not static.

Wouldn't it have been better to choose an extension/term not already used, such as .htmls?

Re:Redefining .shtml?

[pudge]

Last time I checked (which was like 10 years ago), .shtml stood for Server Side Includes (SSI) HTML, which are definitely not static.

Wouldn't it have been better to choose an extension/term not already used, such as .htmls? They are static files on the filesystem. "Static" doesn't preclude being parsed on the way out by the server (mostly just to slap in the header and footer). This is as opposed to dynamic pages which are generated entirely on-the-fly.

X-FORWARDED-FOR headers

[analogueblue]

Isn't the standard thing to do to append the source IP you (pound or whatever) see to the existing contents of the header (if the header exists) separated by commas? There should be no need for a separate header. This works fine using F5 Load Balancers certainly, although I haven't used Pound myself.

From wikipedia:

X-Forwarded-For: client1, proxy1, proxy2

Re:X-FORWARDED-FOR headers

[wtarreau]

Isn't the standard thing to do to append the source IP you (pound or whatever) see to the existing contents of the header (if the header exists) separated by commas? There should be no need for a separate header. Technically speaking, the proxy should add another X-Forwarded-For header after existing ones, and it is recommended that it merges them all by separating them with commas, though it's not strictly required. It's up to the server to read all values in all X-Forwarded-For headers and use the last one for instance.

The comma is just used in HTTP to compact multiple headers into one, and has no special meaning for this particular header. There are headers which are not allowed to be repeated multiple times (eg: Content-Length, Transfer-Encoding, ...). Apache 1.3 still happily merges multiple Host headers into one, BTW ;-)

Willy

So what?

Cfr. Subject.

Re:No mention of Boa for image serving?

[hostyle]

Because Boa is just about the best thing ever at serving static content.

Mine eyes

[/dev/trash]

for when us silly coders deci
When WE silly coders. It sounds goofy if you say when us decide, doesn't it?

Re:https and login - Try using relative URLs

[QuestionsNotAnswers]

http://www.nedbatchelder.com/blog/200710.html#e20071017T215538
From the article:

If this reference appears in an HTTPS page, the mixed content warning will appear. How to craft a reference that works for both? The answer is again relative URLs, but using a more obscure syntax:

<img src='//fast.cdn.net/pix/smiley.jpg' />

One NFS Server?-No Redundancy

[Gehenna]

So you run 1 box to share all of the data to the webservers? Is this kinda dangerous in the fact that losing that box knocks out all your webservers? I would expect /. to run some sort of clustered NFS service or have some redundancy build in. I know RHEL runs a cluster GFS config that allows for multiple boxes to run NFS servers.

ALTER TABLE blocking

[Matt+Perry]

even during blocking queries like ALTER TABLE

You must have something seriously borked up if ALTER TABLE is blocking your reads/writes.

Re:ALTER TABLE blocking

[Ant+P.]

The SQL server's probably not optimised for that since people don't usually do weird things like 300 ALTERs per minute.

Re:ALTER TABLE blocking

[Matt+Perry]

It's not a matter of optimization; That's how RDBMS are designed. Readers don't block writers and writers don't block readers. Even MySQL has finally fixed this, at least I though so.

NFS isn't scary.

[allenw]

Like you, I've seen a lot of people freak out when one mentions using NFS. I've come to the conclusion that either a) these people didn't know what they were doing or b) were using an incredibly broken/fragile NFS implementation.

What annoys me in particular about the latter is that sometimes these implementations evolve from fragile to usable or good enough or whatever. But some admins seem to be unable to comprehend that things improve and stick to some home grown process without looking to see what has changed outside their world. They could spend less time re-applying bandages and more time doing fun things. [Like log processing with Hadoop. :) ]

Of course, there are the usual complaints about NFS security from folks who didn't know that NFS had a spec for Kerberos support or their OS-of-choice didn't support it. All hail NFSv4 for making Kerberos support a requirement...

DBMS Query compilation?

[grantek]

Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. Fair enough, so obviously the CPU improvement you'd get from caching compiled statements isn't worth it? I don't know much about the internals of mysql, but I've seen one or two badly-written apps peg their DB servers' CPUs just compiling bazillions of queries, where placeholders would solve the problem.

Re:DBMS Query compilation?

[jamie]

the CPU improvement you'd get from caching compiled statements isn't worth it?

Well, I haven't rewritten the whole application to benchmark it :) but I can say pretty definitively, not even close.

but I've seen one or two badly-written apps peg their DB servers' CPUs just compiling bazillions of queries, where placeholders would solve the problem

I think the badly-written part is the bazillions of queries, not the lack of placeholders. Except when you need to insert a bazillion rows, I can't think of any other case where code should have to issue the same query a large number of times in a row.

Slash doesn't really have anyplace where we do that kind of insert, that I can think of offhand. Actually there's a bazillion-row REPLACE sequence in some code I'm working on now. I haven't checked the DB's CPU while that runs, but it's at the end of hours of other DB-intensive processing. My guess is that disk I/O is the bottleneck there anyway, not CPU. I have to imagine that the time to parse INSERT INTO foo VALUES ('x', 2, 3) is measured in microseconds, and the time to commit it, milliseconds.

Anyplace where code is doing SELECT x FROM foo WHERE y=$z more than a few times in a row is simply not using the database correctly. (If I'm wrong about that, counterexamples are welcome!) The fix is to rewrite to use IN clauses and multiple tables to combine queries, which can gain you orders magnitude of speed. Making a badly-written algorithm 2% faster doesn't help.

Already an old thread, but here I go

As I read, non-character or non-integer data is escaped. Is that the reason why we cannot use Unicode characters? (Sorry, not a computer major). At least the characters you can type on a keyboard with non-US layout (for eg. I can press Alt Gr+E and it will print a euro sign), should be supported.

I know, I know, Slashdot is US centric... but...

MySQL supports placeholders

[psyclone]

MySQL supports [named] placeholders just fine. It is PHP that does not. PHP is the suck for databases unless you use PDO. See examples 1737 for named placeholders and 1738 and 1739 for prepared statements.

I recommend prepared statements with positional placeholders (the '?' style) as the exact same sytax is used with Java, PHP, and Perl.