Slashdot Mirror


User: mhelander

mhelander's activity in the archive.

Stories: 0
Comments: 283

Comments · 283

  1. Re:Religious Neanderthals on The Role of Human Culture In Natural Selection · · Score: 1

    "regardless of the fact that average + below average is always > above average. That's the way a curve works."

    Say what?

  2. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    I agree with all your points, and I also think your code snippets do look nice (I am particularly fond of placeholders = ['?' for item in list] ), but on the other hand it presupposes a language where such "fancy" syntax is available. Given a VB-style pseudocode, it doesn't get much better than CastrTroy's code above, which is currently for unfathomable reasons modded "3 Funny".

  3. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    Good morning.

    I somehow (generously) assumed you had a list with parameter names in it, but of course you are concatenating the actual values, directly opening for just the kind of SQL injection attack that this thread is all about.

    You do NOT want to put the user input values (the keywords in this case) into the SQL query text directly, since this is what opens for a SQL injection attack: If one of the keywords is "Hello' drop tblUsers;" (note the ' escape character) then pasting that directly into the SQL query would result in tblUsers being dropped.

    So what you do instead is to add a parameter (named or indexed, depending on the db) to the SQL query.

    That is, instead of making your select statement look like this:

    SELECT item FROM table WHERE keyword IN ('Hello', 'World')

    You should ALWAYS make it look something like this:

    SELECT item FROM table WHERE keyword IN (@Param1, @Param2)

    And then you add the parameter values (the strings "Hello" and "World" in this case) separately (as parameter objects with matching names / indexes) using whatever API you have for this in your data access methodology of preference.

    So, the code you cringe at does things exactly right, whereas your "refactored" version commits the very error that TFA tries to build awareness around.

  4. Re:Use a persistence library on Anatomy of a SQL Injection Attack · · Score: 1

    You will have to loop through MyValueList anyway to put the values into SQL parameters.
    Your code looks cleaner but leads to two iterations over the same set.
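
Added example, not part of the comments above and not code from the thread: the variable-length IN list that comments 2 to 4 discuss, written in Python with sqlite3, with the concatenated form beside the parameterized form. The table name `items`, its rows and the hostile keyword are constructed for the demonstration.

```python
import sqlite3

# Constructed hostile keyword: the quote closes the string literal early.
HOSTILE = ["Hello') OR ('1'='1"]


def make_db():
    """In-memory table with constructed rows (names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (item TEXT, keyword TEXT)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("greeting", "Hello"), ("planet", "World"), ("secret", "Internal")],
    )
    return db


def find_concatenated(db, keywords):
    """Vulnerable: the keyword values become part of the SQL text."""
    in_list = ", ".join("'" + k + "'" for k in keywords)
    sql = "SELECT item FROM items WHERE keyword IN (" + in_list + ")"
    return sorted(row[0] for row in db.execute(sql))


def find_parameterized(db, keywords):
    """Safe: the SQL text holds only '?' markers, values are bound apart."""
    keywords = list(keywords)
    if not keywords:  # an empty IN list is rejected by most SQL engines
        return []
    placeholders = ", ".join("?" for _ in keywords)
    sql = "SELECT item FROM items WHERE keyword IN (" + placeholders + ")"
    return sorted(row[0] for row in db.execute(sql, keywords))


if __name__ == "__main__":
    db = make_db()
    for kws in (["Hello", "World"], HOSTILE):
        print(kws, find_concatenated(db, kws), find_parameterized(db, kws))
```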

  5. Re:Cue the teabaggers. on Debunking a Climate-Change Skeptic · · Score: 1

    English is not my first language either, thank you for taking the time to figure out what I meant, because you indeed answer exactly what I was wondering about. (I meant "demonstrate" as "proof"). Big thanks!

  6. Re:troll... on Gates and MS Don't See Eye-To-Eye On CO2 · · Score: 1

    "Yes, you were right. But that doesn't make you any less of a troll."

    I suppose that explains a lot of the weird Troll moderations on /. lately...

  7. Re:Cue the teabaggers. on Debunking a Climate-Change Skeptic · · Score: 1

    Thank you for your interesting post. I have often wondered what the explanation for CO2 lagging temperatures was.

    However, am I mistaken in thinking that in this case, we couldn't say that the CO2 / temp graphs actually _demonstrate_ the hypothesis that CO2 significantly enhances warming, only that such a hypothesis is consistent with the graph? In other words, _could_ the graph also be consistent with the hypothesis that CO2 did _not_ significantly enhance warming (for example in the case that no discernible signal telling us one way or the other could be found in the data)? Please note that I am asking this, not asserting anything.

  8. Re:Premature on Gov't Proposes "National Climate Service" For the US · · Score: 1

    "There is no temperature in which it's "impossible" to snow."

    The positive degrees (for us Celsius types) will usually present a difficulty for snow to happen.

  9. Re:Just what modern news needs on And Now, the Animated News · · Score: 1

    Indeed. "I heard it on the Internet" is the only source I'll accept!

  10. Re:Tiger woods played by Kermit the frog on And Now, the Animated News · · Score: 2

    And Miss Piggy isn't!? Haaaaayyyyaaaahhhh!

  11. Re:Politician's "thinking" on Seinfeld's Good Samaritan Law Now Reality? · · Score: 1

    Why? Couldn't 'scared off' be just as natural or normal a response as being 'stunned'?

    I'm sure we can both imagine an ass who'd walk away. I can also easily imagine an ass who'd hang around to watch.

    But as you point out, all people who hang around don't have to be asses - some of them are probably just 'stunned'.

    On the other hand you claim that all people who walk away must be asses, which I find a bit curious - couldn't there be non-asses there too, like people being 'scared off', probably rationalizing to themselves just as the 'stunned' people that someone else must surely be better equipped to help, etc?

    'Scared off' could of course take many forms. For example, some people get seriously weak in the knees at the sight of blood. They might react instinctively by turning around sharply and walking away hurriedly in very much the mostly involuntary fashion of someone who freezes up and stares because they are stunned.

  12. Re:Politician's "thinking" on Seinfeld's Good Samaritan Law Now Reality? · · Score: 1

    "If you turn around and walk away I guess that doesn't make you the first responder, it just makes you an ass."

    Or, according to your previous passionate pleading on the subject, it apparently only makes them ordinary people, because, you claimed, they probably think someone else is making the call.

  13. Re:No on Seinfeld's Good Samaritan Law Now Reality? · · Score: 1

    What is the time limit within which I have to report? If I see a violent crime, then some time passes before I report it, could I suddenly be turning myself in by giving the call?

  14. Re:I realize scientists need a breakthrough on Darwinian Evolution Considered As a Phase · · Score: 1

    I wonder why this would not be called Darwinian evolution by natural selection? The modern synthesis considers self-replicating entities, they don't have to replicate "vertically" - "horizontally" works just as well. This seems like yet another misinformed attack on Darwinism, such that someone investigates a particular feature of Darwinian evolution, and because it doesn't look exactly like what they were taught Darwinism to be, they think it is something else. But it isn't.

  15. Re:Shhhh! on Claims of Himalayan Glacier Disaster Melt Away · · Score: 1

    Oh dear, yes I guess it could be read like that...

    By "it" in "why I trust it" I meant of course the scientific method, not the IPCC.

    Indeed, it is my central point in another comment in this thread:

    "But trust in science != trust in IPCC or AGW."

    http://slashdot.org/comments.pl?sid=1522166&cid=30876934&art_pos=1

    I'm sure you're not alone in interpreting my post the way you did, so thanks for pointing it out and making me clarify.

  16. Re:Dislexyia? on Claims of Himalayan Glacier Disaster Melt Away · · Score: 1

    Wshooooo....

  17. Re:Shhhh! on Claims of Himalayan Glacier Disaster Melt Away · · Score: 1

    "But this is exactly why science should be trusted."

    Couldn't agree more!

    But trust in science != trust in IPCC or AGW.

    I'm glad to hear your "faith" in science is "restored". Personally I have never seen a moment's reason to doubt the validity of the scientific method.

    But why are we so happy to have that scientific method? Because it catches out just the kind of political spin-doctoring it would seem we have seen here.

    So it would seem a curious reaction, then, to go on and hold those caught out in higher regard and as more trustworthy, because they have so eminently helped emphasize the case for the scientific method. That would be almost like praising criminals for their fine contributions to the commendable police work of a society.

  18. Re:Shhhh! on Claims of Himalayan Glacier Disaster Melt Away · · Score: 1

    "Why should you trust the IPCC?"

    Your wonderful description of the scientific method describes elegantly why I trust it so much.

    But if a source is found to put out false data, not by honest mistake but well aware the data is bad, can that source be trusted again?

    I'm not saying I necessarily trust the Daily Mail on that, but the link from earlier in this thread at least seems to suggest this would be the case:

    http://www.dailymail.co.uk/news/article-1245636/Glacier-scientists-says-knew-data-verified.html#ixzz0dUoPiTkG

  19. Re:Shhhh! on Claims of Himalayan Glacier Disaster Melt Away · · Score: 1

    "The IPCC claims were not based solely around this one point, it was simply one of many."

    The question is if they knew or at least had reason to believe this point to be false, because then including it in a grant application would be, ahem, extremely inappropriate (!) completely regardless of how many true statements it was padded by.

  20. Re:Pruning on CMU Web-Scraping Learns English, One Word At a Time · · Score: 1

    But it is potentially much easier for a computer to identify and address conflicting data points than for a human who, for some reason, seems susceptible to blinding themselves to such issues (cognitive dissonance).

    When you have three data points, one claiming George Washington was a human, another claiming George Washington had 50 arms and a third claiming it is highly unusual for humans to have more than two arms (and more than ten arms would be unheard of), the computer could easily detect the logical conflict, flag data points as inconsistent and have a good idea for a topic about which to research more facts, potentially to establish sophisticated probabilities as to which claim is more likely to be bogus than the other.

    This example might not provoke cognitive dissonance for many humans, rather it was intended as an easy-to-follow example of how a computer can improve its understanding of the world even in the face of disinformation, using logic and probability as guiding tools. Once that is easy to see, it follows how this also applies in situations where humans might be more susceptible to cognitive dissonance.

  21. Re:And on Robotics Prof Fears Rise of Military Robots · · Score: 1

    "They may not have as good weapons, but they have much better brains."

    Are you saying we should not use a robot army, but a zombie army instead?

  22. Re:I already bought my copy on Robotics Prof Fears Rise of Military Robots · · Score: 1

    "who needs man?"

    Perhaps...man?

  23. Re:"The case will continue...." on Tower Switch-Off Embarrasses Electrosensitives · · Score: 1

    Could it also be hysteria?

  24. Re:Looks like email and the desktop were not enoug on China Emphasizes Laws As Google Defies Censorship · · Score: 1

    "It is not "that they are killing people", it is "who they are killing" that gets human rights violations involved"

    The existence of bad does not preclude the existence of worse.

    For example, for someone from the absolute majority of countries that do not practice capital punishment, killing convicted criminals the way USA does may well seem like a clear case of human rights violation.

    However, a country killing political dissidents would seem even worse.

    Thus you should probably read the argument as "not only are they X, they are also Y".

  25. Re:Trolls? on Tynt Insight Is Watching You Cut and Paste · · Score: 3, Insightful

    Yes, but how about moderating?