I didn't strip tags, add slashes or anything that you should really do as standard procedure on ALL user input (assume it's all hostile) in that example, for the sake of getting the idea across clearly.
Never rely on stripping tags for the input. If you care about protecting your site from malicious user-generated HTML content, do it on output, where it belongs. Especially because this is a password, who are you to say that <script can't be my password?
For that matter, don't use addslashes either. If magic quotes is on, use stripslashes on all of your input and use PDO to protect your database and escapeshellcmd/escapeshellarg to protect your shell and... you get it. addslashes isn't the solution because not everything ends up in an ASCII-encoded MySQL database.
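The argument above, as an added example rather than the commenter's own code: keep the raw input, undo magic quotes only where the runtime actually added them, and escape at each output sink with that sink's escaper (prepared statement for SQL, htmlspecialchars for HTML, escapeshellarg for the shell). A password of "<script..." then survives untouched. It assumes PHP 7 or later with the pdo_sqlite extension; the users table, the sample username/password and the log path are constructed for the demo.

```php
<?php
// Added example, not code from the original comment. It demonstrates storing
// user input as-is and escaping at each output sink. Assumes PHP 7+ with the
// pdo_sqlite extension; table name, sample input and log path are made up.
declare(strict_types=1);

// Constructed hostile input. The "password" contains markup and a quote;
// strip_tags() or addslashes() on input would silently change it.
$username = "bob<script>alert(1)</script>";
$password = "<script' OR '1'='1";

// Undo magic_quotes_gpc only where the runtime really added the slashes
// (PHP < 5.4). On current PHP this is a no-op: stripslashes() belongs at the
// input boundary, addslashes() nowhere.
function undo_magic_quotes(array $input): array
{
    $legacy = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    if (!$legacy) {
        return $input;
    }
    array_walk_recursive($input, function (&$v) { $v = stripslashes($v); });
    return $input;
}
$_POST = undo_magic_quotes($_POST);

// SQL sink: a prepared statement. The driver handles quoting, and the stored
// value is byte-for-byte what the user typed (here, a hash of it).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
$insert->execute([':name' => $username, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);

// Logging in with the same odd-looking password succeeds because nothing mangled it.
$select = $db->prepare('SELECT pw_hash FROM users WHERE name = :name');
$select->execute([':name' => $username]);
$row = $select->fetch(PDO::FETCH_ASSOC);
$loginOk = $row !== false && password_verify($password, $row['pw_hash']);

// HTML sink: escape at render time, with the page's charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<p>Welcome, ' . h($username) . ($loginOk ? ' (login ok)' : ' (login failed)') . "</p>\n";

// Shell sink: quote for /bin/sh instead of escaping "for MySQL".
// escapeshellarg() single-quotes the value and escapes embedded single quotes.
$cmd = 'grep -F -- ' . escapeshellarg($username) . ' /var/log/app.log';
echo h($cmd), "\n";

// For contrast, addslashes() produces a string tuned to one quoting convention:
// wrong for HTML and the shell, and unreliable even for SQL once the connection
// charset is multibyte (e.g. GBK). Shown commented out on purpose.
// $unsafe = "SELECT * FROM users WHERE name = '" . addslashes($username) . "'";
```

Run it from the CLI; the welcome line shows the username rendered inert as text, and the grep command shows the same value wrapped in shell-safe single quotes, while the stored hash still verifies against the unmodified password.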
There is no point bolting another layer of that on top of them. Which is why I strongly dislike Smarty and its ilk.
Preach it, brotha! I am a fan of PHP, but Smarty has been a huge waste everywhere I've seen it used. I do use "template pages" in PHP, but they're just PHP pages outside of Apache's doc root, separated for reusability.
You can get more sophisticated with your pages...
<?php
require('core.php');

class MyPage extends BasicPage
{
    public function title() {
        return 'This is my title';
    }

    public function links() {
        return array(
            'Home'         => local_link('/'),
            'PHP Advocacy' => local_link('/php/why'),
            'PHP Home'     => 'http://www.php.net/'
        );
    }

    public function content() {
        $blog = new SillyBlogPage($this->db, $this->get('page', 0));
        $this->display('blog_template', array('blog' => $blog));
    }
}

$page = new MyPage($_SESSION, $_GET);
$page->enable_compression();
$page->set_cache_seconds(600);
//... gobs of other stuff defined in BasePage
//... or you could just use global functions,
//... if you're concerned about mental object bloat
print $page->display();
?>
Just have as many functions as you want overrideable parts. Template engine, database connection, etc. can all be set up within the context of the parent class.
Because it's better (in general) to do something like this:
mycontent.php:
=============
<?php require('header.php'); ?>
...
rest of the page in here
...
<?php require('footer.php'); ?>
Benefits?
* no risk of parameter injection
* better URLs, especially combined with Apache MultiViews (which lets you omit file extensions, so no .html or .php required in URLs)
* cache-friendly, since many HTTP proxies such as squid will never cache URLs with querystring parameters
There are other ways to do it, but in general, it's safest to view individual pages as "subclasses" of a common page layout, where querystring parameters are only necessary for *actually optional items*, the way the HTTP RFCs specify them. Don't try to make a huge framework inside PHP... the more you offload onto Apache/Squid/what-have-you, the more lightweight/simple your result will be... and that's one of the few strengths PHP has left (^:
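The "parameter injection" the comment above is avoiding is, in the usual case, a single dispatcher that lets ?page= choose which file gets included. This added example (not the commenter's code) shows that dispatcher, an allow-listed replacement for the cases where you do need one, and how the one-file-per-page pattern sidesteps the question entirely. It assumes PHP 7.1 or later; the pages directory, page names and template paths are made up for the demo.

```php
<?php
// Added example, not from the original comment. Contrasts a ?page= dispatcher
// that passes raw input to include() with an allow-listed one, and notes that
// one file per page needs neither. Directory and page names are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Vulnerable: raw input becomes a path. Directory traversal (../) or, on old
// PHP, a null byte turns "template selection" into arbitrary file inclusion.
function resolve_page_unsafe(string $page): string
{
    return PAGES_DIR . '/' . $page . '.php';
}

// Hardened: the parameter is a key, never a path fragment. Unknown keys get a
// fixed fallback, and the resolved path must still live under PAGES_DIR.
function resolve_page(?string $page): string
{
    static $allow = [
        'home'  => 'home.php',
        'about' => 'about.php',
        'blog'  => 'blog.php',
    ];
    $file = $allow[$page ?? 'home'] ?? '404.php';
    $path = PAGES_DIR . '/' . $file;

    // Belt and braces: refuse anything that escapes the pages directory, even
    // if someone later edits the allow-list carelessly.
    $root = realpath(PAGES_DIR);
    $real = realpath($path);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return PAGES_DIR . '/404.php';
    }
    return $real;
}

// The pattern the comment recommends needs neither function: each public page
// is its own file and pulls shared chrome in from outside the document root,
// so nothing user-controlled ever reaches require().
//
//   mycontent.php does:   require __DIR__ . '/../templates/header.php';
//                         ... page body ...
//                         require __DIR__ . '/../templates/footer.php';

// Demo on constructed inputs.
printf("%s\n", resolve_page_unsafe('../../etc/passwd'));  // the problem
printf("%s\n", resolve_page('blog'));                     // allow-listed key
printf("%s\n", resolve_page('../../etc/passwd'));         // falls back to 404.php
```

The allow-list version also keeps the URL space fixed, which is what makes the cache-friendliness point hold: the set of reachable pages is known in advance, not whatever the client types.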
Our legal code needs to be smaller and simpler; making it so would make it more effective and efficient, not less.
Too bad our legal system is roughly equivalent to the "defensive" programmer that introduces complexity that no one else understands for the sake of job security. After all, if 95% (number pulled out of my ass) of the population doesn't understand the legal system, that means the 5% in charge can take advantage of them!
If legal documents were treated like source code (text-based version control plus continual refactoring for clarity), it would only be extra work for the 5% in charge—and at a loss, because the resultant legal simplicity would reduce their stranglehold over the other 95%.
The network operators have to want this detection software enough to deploy and maintain it. It has to help their bottom line. Then it can be developed beyond a university research prototype.
It does help the bottom line of last-hop ISPs. If 50% of your network traffic is from virus-infected computers, you can double your effective capacity with perfect virus detection and quarantine. It also provides a pretty strong encouragement for users to get their computers fixed, since a virus means "no internet" rather than "slow internet".
Obviously, detection isn't perfect, and there's some point where the cumulative cost of maintenance, false positives (support calls and subscription cancellation from angry customers), and false negatives (bandwidth cost for the viral traffic) goes too high. If the quality is below some point, it will just be a net financial burden. But I know at least one ISP that has used virus quarantining to good effect.
The Spanish have a good term for this, it's estadounidense, something like unitedstatian.
I remember learning that in high school Spanish class, and thinking it was a pretty good idea. You can call us whatever you want when you talk amongst yourselves, but you shouldn't have a problem with us calling ourselves whatever we want when we talk amongst ourselves. It's not an attempt at superiority, it's just a learned habit to refer to myself as an American.
Just about any activity involving humans, even if it seems utterly random at first glance, will have underlying patterns which emerge once one analyzes the data.
Yeah, that's why trading and investing are solved problems, and no one goes bankrupt by following the advice of market experts. Just because something may be shown to have patterns doesn't mean that we actually have any meaningful knowledge about it. Check out Fooled By Randomness for a better explanation than I can provide.
I think it's useful and interesting to research social statistics like this, but they should all be taken with a very large grain of salt.
All my technical classes had to fall within a fairly narrow set of choices and roughly zero of the ones I took were applicable to what my career has ultimately been.
That's unfortunate... does that mean you don't write any software now? Almost all of my classes have ended up being useful for something or another (particularly anything involving Ralph Johnson, which AFAIK is something experienced by every UIUC CS major through senior design or software engineering). I also remember having a decent amount of flexibility in the technical elective coursework, but maybe my memory is playing tricks on me.
So if your last job was a .Net programming job, your next one probably will be too, because it'll be extremely difficult to convince anyone that you'll make a great Linux kernel programmer, for instance.
Conveniently, recent college graduates tend to have oodles of extra time with which to learn other skills at a hobby level, such as kernel hacking or x86 asm or python web apps. No spouse, no kids, less likely to take work home. IANAOldMan, but I'd expect that only when life gets in the way of technical learning will you really be pigeonholed—and by that time, you probably have more enjoyable things to look forward to than the latest 9-5 task.
That's like saying "I got tired of being a gourmet chef so now I am making vats of spaghetti-o's". It's more fun because they're shaped like dinosaurs.
That comment reveals your prejudices. Don't get me wrong, I'm no Ruby fan myself, but web apps are very different from embedded systems. You're still a programmer, but you're solving problems on a different scale. The tradeoff of performance for succinctness/clarity is a natural progression when hardware costs less than developer man-hours. A slightly better analogy would be, "I got tired of being a gourmet chef so now I plan excellent menus for a large restaurant chain."
On the flip side, unless you fully understand the hardware how can you write good optimised C code? In C you might use a long (assume long is 32 bits for now!) to hold a counter. But the assembler programmer will know to stay clear of longs because he's programming a 16-bit CPU, or maybe longs take a performance hit.
Isn't that the point of the C99 header stdint.h? For your example, I could use a uint_fast16_t and let the local platform configuration handle what that actually means.
Type sizes aside, I agree with you, though. If you don't understand low-level compiler/machine details, you can't possibly expect to bend the language to your performance-obsessed will. This holds for all languages; it's just that in some cases (Java/Lua/Python/Perl6/...) the "machine" you need to learn is a virtual machine, and you end up inspecting bytecodes instead of asm.
Some schools might offer good CS courses but the majority of grads I deal with know nothing more than buzzword garbage, and I am not alone in my views; I regularly hear associates complain that they can't get a CS person who knows their ass from an infinite loop.
I hear you, man. I am a recent graduate myself (UIUC), so I see this from the other side. Our program is pretty good compared to most things that I've heard on the net (and various people I've met from CMU/MIT/Stanford/...), but a couple of things to point out:
There were a good deal of idiotic undergrad slackers. I wouldn't trust these people to do anything except ride the wave of someone else's success. These were the ones who didn't understand why we used OCaml for one class here, or were expected to use Java at the drop of a hat (gasp, no hand-holding?).
There were a few people that were adept at being thrown into a computery environment and just learning. This definitely isn't CS, but these people could set up subversion/trac/apache/whatnot on their home servers, or build a decent Makefile—in short, effective tools users.
There were a few people (most of whom ended up in grad school) who could really nail algorithms and "true" CS topics. Even though this is the heart of the program, I've met so many people who only came out with a weak grasp of the theory.
There were a good number of people who were capable of programming. Most of the good "true CS" people also fell into this category, since programming is the natural way to express an algorithm. These people showed up a lot in the higher level subject-matter courses, such as networking (yes, TCP/UDP/IP among other things), graphics (OpenGL, raytracing, general linear algebra), etc. Due to the nature of the program, there's not much opportunity for a lot of these types of classes unless you come in with a lot of AP credit or you stay an extra year. This set of people is probably the class of people that you've seen at interviews that seem like they have an OK head on their shoulders, but still don't seem to have a clue about developing software (which is OK, because it's a CS degree, not a 2-year trade school).
No one touched assembly outside of the required MIPS coursework. My friends in Computer Engineering did a lot of low-level programming (mostly on x86), but the CS program only covered the bare minimum to understand the physics/logic of a computer, let alone be proficient in handling it.
The only professor who cared about anything remotely buzzwordish was Ralph Johnson; that was essentially part of his role, since UIUC doesn't have a separate software engineering discipline. Even still, most of his focus was around architecture and decent real-world software design, rather than AJAX/Ruby/whatnot. Most of the people in his courses were the ones that had relevant software-development experience and would be excellent hires out of school... but they're still a different beast from the research-oriented curriculum that the rest of the school pushes.
There is no way to separate the two [Amazon vs. third party merchant] in searching. That is my complaint. Therefore, it makes it more difficult to shop at Amazon if one wants to purchase only from Amazon (and not their merchants).
While I agree it may be an inconvenience to not have that option, it is likely an intentional omission. I expect many merchants would be far less likely to use Amazon's functionality if they knew that they could be made effectively invisible to their potential customer base with a single checkbox.
It doesn't sound like a great deal to complain about... it's like complaining "Why doesn't Google let me omit websites designed for IE only when I search?" Technical issues aside, the user's situation is the same. When you're presented with a list of search results, you always need to comb through the results and manually evaluate which results are best, because a search algorithm will never take all of your personal criteria (i.e. "no Amazon marketplace merchants") into account.
One big difference between Islamic terrorism and the rest of the terrorism community is that I think they are the only group not only willing to commit suicide for their beliefs, but to kill as many infidels as possible. This is like the zerg strategy in Starcraft - what can you do about it?
Spider mines, siege tanks, m&m, and lots of micro.
Funny that you mention Starcraft, though. In that game, there is a counter available for everything, because all you have to do is kill everything that you see. It's much harder to deal with a large group of innocent-enough people, of whom 0.1% are secretly bent on exploding in your face.
But, you've helped me see some of their potential. Maybe I'll give them another shot the next time I'm a player. (Or maybe a druid NPC is going to menace the party next week.) Good points, all.
I'd like to add some of the non-combat benefits of being a druid...
High survivability in the wilderness for weeks at a time without 100lbs of rations (clerical spells plus druid special abilities, IIRC)
Lost in a forest/ravine? Fly up a few hundred feet and look around. Oh, there's the town you came from, and a mysterious looking structure in another direction!
Need to scout without being detected? Send your rogue and hope he rolls high on move silent and hide, or send an inconspicuous sparrow/squirrel/rabbit to hang out in plain view for hours.
Obvious hooks for wilderness-based campaigns. That's the same as any other class, but in most D&D worlds cities are separated by large spans of wilderness.
Basically, unless you spend all of your time in a city, you get some benefit from having a magical tree-hugging hippie.
No no no! The benefit of electrical tape is that it won't leave the same horrendous marks as duct tape. Though I hear for a case like this, gaffer's tape would be best (think about what gets used to tape cables to the ground on stages). It's "unsticky" like electrical tape, but wide like duct tape and fairly thick.
Are you actually arguing that there is NO creative content in a sports broadcast?
I would prefer a little less creative content in the little sports broadcasting that I've seen. I remember watching ESPN at my parents' house around Thanksgiving. It was an HD widescreen broadcast, but they managed to do a vertical "letterbox", and I remember a dancing robot turkey that kept showing up on the left, and random player stats cycling on the right. WTF? Just show more of the field!
ESPN reminds me of D&D (3e) character sheets. Fit as many facts as possible onto a double-sided piece of paper.
Nothing specifically wrong with that picture (or with transvestites, drunk or sober) except that the kid is family to the President of the friggin' United States!
So? No one voted for that kid; they voted for Bushie himself. Personally, I would think it very unfair if someone judged me based on my relatives. You can control who becomes your friends, but you can't control who is your family.
If your uncle is President you should be bright enough to understand that your behaviour can do him damage, or someone older and wiser should have drummed that understanding into your head.
All that may mean to an angsty teen is an easy way to take revenge for (perceived or real) wrongdoings. The scrutiny of a public eye is simply a weakness to be taken advantage of.
You mean "Use PDO and prepared statements", don't you? If you are using a shared host that doesn't provide PHP5 or PDO, get a different shared host.
I imagine they're just as disgusted by them as I am. I don't understand how those movies succeed.
Isac Neutron? Is that like Isaac Newton's evil twin or something?
Can you prove that?
Unfortunately, that means He's in everyone's toilet bowl, as well. Tomorrow's going to be tough for Him after the wing sauce starts hitting!
You can pick your friends' noses if you're fast enough. You may lose some friends...