So, in your opinion then, it's ok for corporations to arbitrarily hire and fire on any basis, discriminatory or otherwise because, after all - here's the magic of the marketplace! - the person will just get hired by a different corporation! No. In my opinion, it is OK for a company to fire anyone at any time for any reason because that's what liberty necessarily means. I wasn't saying that we should remove restrictions on liberty because people will be hired anyway. I was just pointing out the fact that removing restrictions on liberty won't result in people being out of work, as was falsely claimed.
In your fairytale world, the market always smoothes things out. No. But it's still better than any alternative.
In real life, however, market forces are quite chaotic. Our example employee just might be one of the randoms who don't find another job, who lose their house and savings, who sink into depression and who die an untimely death. Which is no different than how it is now, in any other large-scale system man has ever devised, of course. Because speaking of real life, France has MUCH higher unemployment than the U.S. does (as do the other more restrictive economies of Europe). Let's not pretend restricting liberty in hiring and firing helps people.
Yes, and libertarians would also prevent other companies from coming along and hiring all of those fired workers! And would require people to do business with those evil companies who fired all those workers! No, the government would do that, rewarding companies that play along. See, this is where you are being illogical. You are making straw man attacks against libertarians, who would OPPOSE such government intervention. You can't cherry-pick libertarian philosophy and call them the enemy because a half-assed implementation of their philosophy would have ill effects.
I know in magical libertarian land this isn't possible because government spending would be vastly reduced It's not just spending. I guess I was right when I said you didn't understand libertarianism. In a libertarian society, the government would not have the right to reward companies who "play along," and indeed, the government would not have any interests to ask anyone to play along with in the first place.
but, as I pointed out, that part of the libertarian thing will not actually happen, or will happen and be reversed next election as everyone will hate it But that is not libertarianism.
But the loosening of business regulation will stay around for quite some time. But that is not libertarianism.
Just because libertarianism might be a reasonable plan if fully implemented doesn't mean it can't be very harmful if we only do the 'deregulate businesses' half and not the 'reduce government spending' half. But that is not libertarianism.
And as we cannot, politically, do the latter, it seems rather inane to even be talking about. What's truly inane is claiming that we can become significantly more free by giving up our freedoms, as you are claiming.
Except that everyone already knows that you're a fatass who's on the take anyway. In a fascist society you're one of the fascist sympathizers who's benefitting from the system. Tell me more about that movie script you're writing!
Freedom and liberty, the supposed foundation of the USA, would probably usher in a society where you wouldn't have it so easy. I love the doublespeak. It's so cute. "You will have freedom and liberty when the government takes it by force."
It's utter nonsense to say we should hold anyone responsible for doing what the government told them they could do, when there's someone much more obvious and culpable to go after: the people who told them they could do it. So if I tell you to kill someone and you do it, you think that I will be the (only) one held responsible? Um, are you the government, the embodiment of law and order and authority? (Pssst: no! You're not!)
Most of what you wrote is incorrect, all that anti-corporation bullshit, that broadly translates as "avoiding fascism means having more government control over our lives." I won't bother addressing that, but there's something else you addressed that you got wrong, that many might not have understood.
... have you not looked at the telecom immunity stuff? That's classic fascism. The government breaks the law, the government gets private companies to break the law, the government gives said companies huge amounts of cash, the government attempts to make such behavior legal retroactively. First of all, it is extremely questionable whether any law was broken. But let's assume it was. It is utter nonsense to hold the corporations responsible: they did what the government told them to do. If Bush broke the law (including asking the telecoms to break the law), then impeach him. I'll enjoy watching you twist logic to show how he broke any law, but regardless, that is the proper way to deal with it.
It's not 'totalitarian' yet, as evidenced by the fact Democrats managed to stop the immunity, but it is fascism, at least the start of it. Shrug. Democratic Senator Jay Rockefeller -- who, for the record, was the ONLY Congressman to raise objections to the warrantless wiretapping before it was made public -- sponsored the immunity, for the reasons I gave above. So you're telling me Rockefeller sponsors fascism here, while he was the only one to object to it before? I disagree a lot with Rockefeller, but I have always believed him to be intelligent and principled.
(And the same thing's happened with Blackwater.) Exactly, and the point's the same: where Blackwater has followed the law and its imposed regulations and rules, it should not be held liable while it is doing work for the government. If they go beyond their legal restrictions, then they should be. Same thing with the telecoms.
It's utter nonsense to say we should hold anyone responsible for doing what the government told them they could do, when there's someone much more obvious and culpable to go after: the people who told them they could do it.
I sit and talk reasonable about fascism, and you think Ron Paul is a reasonable alternative.
Newsflash: Libertarians are part of the problem, not part of the solution.
You do not actually understand the problem, or libertarianism.
They like to assert how they'd reduce government, but as social programs are immensely popular, they'd have absolutely no luck in reducing those any reasonable amount, and attempts to do so would quickly get them removed from office. Logically, of course, that doesn't make them part of the problem, but, rather, simply ineffective.
Meanwhile, they would happily remove government controls of corporation, leading us to fascism faster, and gut bankruptcy law even more, so now when your company fires you because you went to a political protest and you lose your house, now it's entirely legal! Or when your landlord does a check on what political party you belong to. Yes, and libertarians would also prevent other companies from coming along and hiring all of those fired workers! And would require people to do business with those evil companies who fired all those workers!
Oh wait. No they wouldn't. Darn, now I's is CORNFUZED!
Only one response suits your comment: Perl, in a Nutshell. It even includes a concession about Perl being hard to read... although it does so sarcastically.
I said it requires a great deal of discipline to do consistently. And that is a clearly false statement. I, and many other people, do it all the time, without any significant exertion.
This is twice that you've refused to read the rest of what I've said, apparently because I don't happen to hold your favorite language with the same high regard that you do. False. It is because you were presenting your (uneducated) opinion about Perl as fact. Saying you don't prefer Perl is fine. Making categorical statements about Perl that simply aren't true in the real world -- for people who are software engineers rather than computer scientists -- is boring.
From where I sit, that means it is you who is showing disregard for reason, because by doing so you implicitly assume that, because I fundamentally disagree with you about this one particular thing, the other things I have to say must have no merit. False. I implicitly assume no such thing. I merely consider someone who presents their (uneducated) opinion as fact is not interested in reason, and therefore I won't bother spending more time on the discussion.
The other things you say may have merit. But I just don't care.
This is pretty laughable considering that I've used Perl for various things for some 17 years, with about 10 of them involving intense development at times. I suppose, then, that you might regard me as incompetent, but I assure you it won't be for lack of familiarity with the language (that said, I've not done any serious Perl for about the last 5 years). I do not believe you for a second. No one truly competent in Perl believes it is hard to write readable Perl.
Just remember, if windows got taken down by a third party app, not only would you be screaming and shouting about bill gates and phalluses, but also you would be baying for the blood of anyone who dare use windows. Even if that were true -- it's not -- it doesn't apply here because there's no serious evidence presented that a third-party app is causing the problems. The citation of APE is rumor and speculation, nothing more.
I had responded to most of your post, and then I got here:
And who cares about how big or small your lines of code are? What matters is how easy the code is to write and to understand (you want both). Perl is generally horrible in the latter regard (it's possible to write easily-read Perl but that requires inhuman amounts of discipline to do consistently) Ah, here we go. A language bigot. Someone who lacks proficiency in a language sufficient to judge it with any rationality, and yet condemns it despite his ignorance.
What is true, likely, is that YOU do not understand written Perl. Written Perl is very easy for me to understand. I write, and read, Perl every day. It doesn't take anything "inhuman." It only takes competent programmers who know Perl. You are not one of those, more likely because of the lack of knowledge of Perl than because of the lack of competence in general, I assume, but your disregard of reason makes me disregard the rest of your post.
So give it up, the blood pressure increases are not worth the hassle... I am not in the least bit excited, angry, upset, etc. Your mood meter needs calibration!
but that's not why they're there -- they're there to prevent mistakes. They are there to prevent security holes. Which is no different from our mechanisms. No, I meant mechanisms which would enforce the use of placeholders to keep developers from inadvertently using unsafe queries. Those mechanisms could be bypassed intentionally by the programmer, and if they are then there's an increased risk of security holes because the security mechanism you want the programmer to use (placeholders) isn't being used. Exactly. That's what I meant. If the mechanisms are not used, they don't work. Same as our mechanisms.
And yet, we use Perl, which has no typing at all. Yes. And how many bugs have you encountered at runtime that occurred because of this, when a strongly-typed language would have caught them at compile time? My bet is that it's significantly more than zero. Who cares? Our development time is much quicker, our lines of code much smaller, than a strongly typed language. I'll take a very rare problem that would have been caught by strong typing, as I am way ahead even still.
The Right Way is defined by the set of goals and their relative priority. The Right Way is determined by whoever is doing the project. There is no objective "right way." That's something CS people often don't get.
Saying that there's no Right Way can be interpreted to mean that all solutions are equivalent Yes, I cannot prevent incorrect interpretations.
No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks And I am saying you're clearly wrong. There's no rational basis for this claim, other than "I don't prefer your method."
It happens to work most of the time False. It works every single time, unless the programmer doesn't do it. Just like placeholders.
This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work. Mechanisms only work if you use them. The use of placeholders can be enforced in code, if incompletely. Well that's the thing, it is easy to bypass them.
You can't prevent the programmer from bypassing the mechanisms you put in place Exactly.
but that's not why they're there -- they're there to prevent mistakes. They are there to prevent security holes. Which is no different from our mechanisms.
In a way, this "quoting versus placeholders" debate is similar to the debate on weak typing versus strong typing. The former is quicker and easier to use, but the latter reduces the chances of a mistake. And years of experience with many languages have shown me that the latter is more desirable and less costly in the long run. And yet, we use Perl, which has no typing at all.
The bottom line here is that you are correct, except in that you think I am incorrect. We're both correct. There is no Right Way, except as defined by the people running the project. If we have an actual hole, obviously, that's Wrong. But that's not the case here: you just think we're preventing holes "wrongly," and that does not compute.
False. It's only a hole if it is a hole. The problem is that you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero. That's not true, unfortunately.
This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work.
Mechanisms only work if you use them.
In this case, you have a defense against it but it's not a bulletproof defense. In fact, when we use the defenses, yes, they are as bulletproof as placeholders. And when your bulletproof defense is to use placeholders, but then you don't use them, well, you are wide open.
You're relying on some combination of the form parameter being sanitized (which requires diligence on the part of the programmer who writes the form handler) It's handled centrally. So if there is a new form value to be accepted, yes, someone has to add it to the handler. Otherwise, no.
And this is really less about DB than it is about the displayed data to the end user (so we have to do less filtering on the web page), so I probably shouldn't have mentioned it in this context. Every once in a while I might use $form->{uid} without escaping it, but really, we almost never do that, and when we do we are 100% sure it is perfectly safe, with no exceptions.
and the value being quoted (which requires diligence on the part of the programmer writing the code which is sending the value to the database). Yep. Just like it requires diligence by a programmer on your project to make sure he is using placeholders at all.
In other words, you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes. No more so than anyone else.
You can eliminate SQL injection attacks entirely by using placeholders. Sure. If you use them. And if you use our methods, you also eliminate them entirely.
You can furthermore avoid the need to quote anything by using placeholders. And you can eliminate the need to use placeholders by quoting whatever needs to be quoted. Not that you'd want to, but, whatever floats your boat.
Oh, and placeholders give you one more advantage: they're database independent. So is our quoting method, actually.
So from where I sit, placeholders have significant advantages and have no disadvantages. Why in the world aren't you using them? I never find such questions to be very interesting, although the real answer is primarily historical. But in the end, I don't care why people do what they do, as long as it doesn't cause problems for me or anyone else.
A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized. And what if the programmer wants to use $form->{uid}* in some other place than an SQL query? Does he have to unescape it himself, or will he catch the PHP disease of spewing backslashes all over the page? It is not escaped. So, no. :-)
Or some other form value that can legitimately contain arbitrary text, if uid isn't one of those. Yeah, we don't escape it, we sanitize it. Most of such data is integer data, or simple character data. Arbitrary text is handled by an API that escapes it on insertion/updating, and in the case of selects, we handle it case-by-case. It works for us.
Security is about how things are done not how they turn out to be. Sure. And the way we do it works.
This means you use placeholders... Well, no. That is ONE way to do it.
But if you don't use placeholders on multi-byte encoded characters, then it is SQL injection and a security hole. No. If you do not use placeholders on data that is potentially dangerous, THAT is a security hole.
Last time I checked (which was like 10 years ago), .shtml stood for Server Side Includes (SSI) HTML, which are definitely not static.
Wouldn't it have been better to choose an extension/term not already used, such as .htmls? They are static files on the filesystem. "Static" doesn't preclude being parsed on the way out by the server (mostly just to slap in the header and footer). This is as opposed to dynamic pages which are generated entirely on-the-fly.
I think your justification for not using placeholders is rather, uh, wrong.... The major benefit of placeholders is... absolute resistance to SQL injection. Yes, but there is more than one way to do it.
You may be diligent in quoting, but standard software development wisdom is that it's always better to eliminate the possibility of a bug than rely on programmer checking all the time Sure. We do not rely on programmers to check all the time. Indeed, what jamie didn't mention (I think) is that most of the time, we sanitize user input before it ever gets to the programmer. A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized.
Not that we are perfect, but we have a pretty good track record that, I think, speaks for itself. So I'll say that saying it is "wrong" is rather, uh, wrong. ;-)
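As an added illustration of the three approaches argued over in this thread (DBI placeholders, driver quoting, and sanitizing $form->{uid} centrally before any page code sees it), here is a self-contained Perl script. It is not Slash code: it assumes DBI with DBD::SQLite and an in-memory table constructed inline, and sanitize_form is a hypothetical stand-in for Slash's real form handler, not the project's own routine.

```perl
#!/usr/bin/perl
# Added example, not Slash code. Assumes DBI and DBD::SQLite are installed;
# the table, rows and inputs below are constructed for the demonstration.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (uid INTEGER PRIMARY KEY, nickname TEXT)");
$dbh->do("INSERT INTO users (uid, nickname) VALUES (?, ?)", undef, 1, "alice");
$dbh->do("INSERT INTO users (uid, nickname) VALUES (?, ?)", undef, 2, "bob");

# Central sanitizer (hypothetical): page code only ever receives the hashref this
# returns, so $form->{uid} is guaranteed to be a non-negative integer.  Anything
# that is not a plain run of digits is reduced to 0 rather than passed through.
sub sanitize_form {
    my ($raw) = @_;
    my %form;
    $form{uid} = (defined $raw->{uid} && $raw->{uid} =~ /\A(\d{1,9})\z/) ? $1 + 0 : 0;
    return \%form;
}

# (1) Placeholder: the value is bound separately and never becomes SQL text.
sub nick_by_placeholder {
    my ($uid) = @_;
    my ($nick) = $dbh->selectrow_array(
        "SELECT nickname FROM users WHERE uid = ?", undef, $uid);
    return $nick;
}

# (2) Driver quoting: DBI's quote() escapes and wraps the value for this driver.
sub nick_by_quote {
    my ($uid) = @_;
    my $sql = "SELECT nickname FROM users WHERE uid = " . $dbh->quote($uid);
    my ($nick) = $dbh->selectrow_array($sql);
    return $nick;
}

# (3) Bare interpolation: safe ONLY because the caller passes an already
# sanitized integer.  Fed an unsanitized string it is the classic injection hole.
sub nick_by_interpolation {
    my ($uid) = @_;
    my ($nick) = $dbh->selectrow_array("SELECT nickname FROM users WHERE uid = $uid");
    return $nick;
}

# Constructed inputs: one legitimate uid and one malformed one that is not an integer.
my %inputs = (
    legitimate => "2",
    hostile    => "0 OR 1=1",
);

for my $label (sort keys %inputs) {
    my $form = sanitize_form({ uid => $inputs{$label} });
    printf "%-10s raw=%-12s sanitized uid=%d\n", $label, "'$inputs{$label}'", $form->{uid};
    for my $path (['placeholder',   \&nick_by_placeholder],
                  ['quote',         \&nick_by_quote],
                  ['interpolation', \&nick_by_interpolation]) {
        my ($name, $fn) = @$path;
        my $nick = $fn->($form->{uid});
        printf "  %-14s -> %s\n", $name, defined $nick ? $nick : "(no row)";
    }
}

# The contrast the thread is about: skip the sanitizer and hand the raw string
# to each path.  The placeholder still treats it as an opaque value (no row);
# the interpolation lets it rewrite the WHERE clause and returns the first user.
my $raw = $inputs{hostile};
printf "\nunsanitized placeholder   -> %s\n", nick_by_placeholder($raw)   // "(no row)";
printf "unsanitized interpolation -> %s\n",   nick_by_interpolation($raw) // "(no row)";
```

With the sanitizer in front, all three paths agree: "bob" for the legitimate uid and no row for the malformed one, which is the "our method works if it is used" position. The last two lines show what the other side of the argument is pointing at: the interpolation path has no safety of its own, so its correctness depends entirely on the guarantee that the value was already reduced to an integer somewhere upstream, whereas the bound parameter never passes through the SQL text at all and so does not depend on that guarantee.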
No, I doubt we will ever do another release of the code. We make it available on CVS for anyone to grab it, and use CVS tags to mark "releases." And we don't have an up-to-date list of Slash sites, but there are bunches.
The point is, however, that with all the additional features of D2 that sorting by score isn't necessary. Define necessary. It would serve little, if any, purpose in this system.
But a bunch of people noticed the feature was gone and miss it. Yes. However, while I can understand missing flat mode, it is not clear what benefit could even be derived from sorting by score in D2 when you can show only Score:5 comments, and dynamically load in Score:4 when you wish to.
Again, to each his own. I kept using Mac OS 9 until Mac OS X 10.2 came out, and for good reason. But a lot of people looked at me funny. So I won't judge people for disliking the new system, but I still don't see why sorting by score in D2 would be in any way useful.
OK, then, perhaps we should say this: D2 appears to ignore the sort preference from the user preference sheet. Correct.
If this is not what the programmers intend, it is a bug. If it is what the programmers intend, it is a misfeature.
Once D2 allows for threaded sort by score, I (and others) will switch over. (I really like it, otherwise.) I'm glad you like it apart from that. The point is, however, that with all the additional features of D2 that sorting by score isn't necessary. Those sort orders and thread modes were all ways to get around difficulties that are being solved through the dynamic features of D2.
Of course, to each his own: some people just like things a certain way. I speak from experience myself...
I am not bothering to read the rest of your post.
Yeah well, if I weren't using Perl I could have done a more complex and flexible system ... ;-)
Maybe he can. That'd be super-sweet.