You clearly haven't used either Postgres or any other serious database. SQL Server is only marginally better than the Sybase offering that it was based on - it has poor standards conformance and doesn't scale. In fact, that second point makes it worse than Sybase, which like Postgres I can put on a decent sized machine running an OS that scales well. In terms of features, Postgres wins on most counts compared to SQL Server. The Postgres dialect of SQL conforms closely to standards (although there are some deviations as with all implementations, they are far less than Microsoft's). Replication with SQL Server is an area that I'm not familiar enough to comment on, but otherwise I find Postgres is a far better fit for medium to large databases than SQL Server.
The only thing I'll trust SQL Server with is reporting systems that are fed data from the "real" database. This tends to be Oracle or Sybase, but that's because I work in the banking sector where these are the entrenched favourites with Informix a distant third. For backend systems, SQL Server doesn't even register on our radar, despite the historical ties with Sybase.
Hmm. Someone tells lies about you that might damage your reputation or livelihood. You want them to stop. Do you
a.) send someone to break their kneecaps
b.) smear shit all over their car
c.) call them lies back and sleep with their sister
d.) follow the legal remedy that has been established for centuries and appeal for relief against the harmful action?
Oh that's right. Except in America, the right thing to do is (b).
Depends on how hot their sister is, otherwise it's poo time.
Because he's a fucking idiot who needs the support? The stupid asshole forced the deletion of a package, despite the packaging system telling him something depended on it, and then whines that his system is shafted. It's time ESR was ignored - he has a history of bandwagon jumping and lying. Good riddance.
Nothing surprising about this move. The petitions were only allowed for the same reason that public enquiries are allowed. They create an illusion of consultation, but because they usually come to the attention of only a few particularly interested people any opposition to the government view can be safely ignored. What the government failed to consider with online petitions is that they can be easily filled in by people once they have been informed of their existence by the same medium - the internet. This is why government sources described the person who came up with the idea as an idiot last week (I'm not joking).
In this particular case the companies that stand to make a fortune from government contracts to bring in the ID card are the same companies providing directorships to former ministers, MPs and civil servants. The so called "revolving door". As the right dishonourable Tony Blair MP is soon to be out of a job he's more than likely to go the extra mile to keep these companies happy. He needs a job after leaving office, as his mortgage commitments are astronomical (again, I'm not joking).
Imagine a persistence layer with no SQL, no extra user management, no extra connection layer, no filesystem under it and native object support for any PL you wish to compile in.
I worked on just such a system, and ended up replacing it with a straightforward RDBMS. The object persistence layer serialised to disk, which offered no benefits over using an RDBMS as the backend data store (which had been in the original design oddly enough). It had to keep everything in memory - which proved impossible when the dataset grew to 80Gb. It was unreliable, couldn't perform adequately and could not be distributed across multiple machines without a ground up rewrite.
The replacement RDBMS directly queried from the business logic layer proved to be faster on the development machine (which had half the processors of the persistence store's production boxes). It was also easier to work with and far more reliable.
"Sun has now asked for our thoughts on moving the Solaris operating system to GPLv3 and what they would need to do to engage the free software developer community. Specifically, they see the advantages of creating a GNU system, utilising the kernel of Solaris."
Putting the GNU userland on top of the Solaris kernel would be like putting the body of a '72 Dodge Charger on the chassis of a BMW 530. The Sun command line tools may not have as many extra command line options as some of their GNU counterparts, but the libraries are far better coded than glibc.
Err, Giersch's company has been around a while, probably a lot longer than Google - so it wasn't some attempt to cash in on the fact that Google is now a very wealthy company.
First, the Russian Social Democrats split over some incredibly petty detail over how to phrase who should be allowed to join the party. Also, the proletarian class was not "insignificant", just very small. I'm not sure why you felt the need to include the first paragraph at all, but if it was to make yourself sound like an expert, you failed. Your jump from the temporary rise of the more moderate Mensheviks and Socialist (not "Social") Revolutionaries following the upheaval of February to War Communism is no less unimpressive.
That "petty detail" was incredibly fundamental in that it broke with a key assumption of Marxism - that proletarian revolution would naturally follow a period of capitalism, when the proletariat would learn why they needed to overthrow that system. This idea that an intellectual elite could impose a revolution drove the Bolsheviks' willingness to enforce their ideas through repression. They were convinced they were right, and that justified everything.
But here's the thing that gets me: you say "What followed was the period of War Communism, the brutal policies that helped the Bolsheviks to win the Russian Civil War. Much of the framework that was later used during the purges of the 1930's was created at this time, such as the secret police" as though this somehow proves it was only a matter of time till Communist Totalitarianism. Again, I'm not really interested in speculation about what could have been, but pointing out that a state created a repressive apparatus during a time of civil war isn't exactly a scathing indictment.
My points were that Bolshevism was not popular amongst a majority of Russians, that Bolshevik leaders did not care (they knew they were "right") and that out of that arrogance comes an inevitable system of coercion. The War Communism period simply sped up the descent into state repression, and the increased entrenchment of state institutions rather than one that would wither away into some kind of utopia. Trotsky only remains an admired figure for a small but vocal group of people because he was expelled in the leadership battle with Stalin (and subsequently murdered). I'm convinced that the same botched industrialisation programs and a large degree of repression would have occurred had he succeeded Lenin - or any of the leading Bolsheviks had succeeded him for that matter.
Oh, and forced collectivization was very much a hallmark of Stalinism in particular, so I don't understand that assumption. And this talk of "failed industrialisation" is obviously an example of letting ideology blind you from reality. Suffice it for me to remind you that no other nation has ever industrialized as rapidly as the Soviet Union, and that Russia went from being a backwards, mostly feudal nation (as you yourself admitted) to becoming a world superpower AFTER suffering the majority of the Nazi war machine's wrath.
For other examples of collectivisation, see any regime that's tried to apply Marxist economics to a largely agrarian economy (China for example). As for industry in Russia, Stolypin's reforms had already laid the groundwork for a reasonable industrialisation - what stymied that was the first world war. If you want to argue that Stalin's regime was successful at industrialisation in the 1930's, perhaps you want to look at the results of the five year plans. The increase in output in almost all areas was dismal. The need to increase output in the second world war was the big driver in this area, assisted afterwards by the plant and knowledge gained from occupied parts of Europe. As for ideology blinding me, I have none that I subscribe to (I'm probably best described as a lefty-liberal). I am actually very wary of anyone who subscribes to an ideology, as I went to university when it was still credible to call yourself a Marxist historian. Trying to rationally argue with them is a little like discussing homosexuality or abortion with a religious fundamentalist. They are so convinced of their own infallibility that they
Bolshevism gets its name from a play on the Russian for "majority", because at a meeting of exiled Russian socialists, the majority voted to pursue a Marxist revolution contrary to doctrine. Marxist doctrine has it that a state must pass through a highly industrialised capitalist phase before the dictatorship of the proletariat can begin. Russia at the time was a highly agrarian state that still had many feudal aspects (the emancipation of the serfs had only been carried out, semi-successfully, a few decades before). Industry was only really starting to grow in a few larger cities such as St Petersburg, and the proletariat formed an insignificant part of the population.
Following the second revolution, which ousted the Mensheviks (the "minority" group from the meeting of exiles), an election was held in Russia. This resulted in a clear win for moderate socialists and the agrarian based "Social Revolutionaries". The result was annulled by the Bolsheviks. What followed was the period of War Communism, the brutal policies that helped the Bolsheviks to win the Russian Civil War. Much of the framework that was later used during the purges of the 1930's was created at this time, such as the secret police. Trotsky was also the main driving force behind these policies, something he never expressed any guilt or regret over. Lenin also expressed no remorse, however he did sanction a limited and temporary market economy to prevent a total collapse of the Bolshevik state.
It's highly unlikely that the Bolshevik state would have been any better for the ordinary Soviet citizen had Lenin lived, or had one of Stalin's rivals such as Trotsky or Zinoviev succeeded him. We would have most likely seen a similar series of events, with failed industrialisation programs and forced collectivisation of agriculture. Much like Cambodia under the Khmer Rouge - dogmatic leaders killing their populace for some unobtainable utopia.
Yup, someone holding my eyelids open so that I had to look at another picture of Britney's cellulite? Or that "upskirt" shot of her rather ravaged beaver? It would have me confessing to anything.
"Being pretty much accurate for most of the data most of the time is what you get when the untrained person attempts it."
They're usually better domain experts than the turf-protecting programmers.
You don't actually work in a large company do you? They may be experts at their 'domain', but they are almost always incapable of translating that knowledge into database tables, data structures or algorithms that make for good software. The art of enterprise programming is to accurately gauge what functionality the user wants, how much of that functionality can be produced based on the data that is available and to then produce an application that's stable, maintainable and performs well. You need domain experts not only in the data (the ones you allude to), but also in database design, application design and management. The jack of all trades here is normally the senior developer, who must handle a lot of the requirements gathering and design tasks. One of the best features of Extreme Programming is the insistence on keeping the customer in the loop throughout the project, not just at the beginning and end. However, this needs careful managing to prevent changes to the spec that are large increases in functionality (and as a result, an increase in timescales), as well as stressing that programmers are the domain experts at what they do.
This feature (it's not a bug) can bite you when using STL containers. Check out Cargill's "C++ Programming Style" or Meyers' "Effective..." books for examples. The implicit calls to single argument constructors to convert types can also result in unexpected copying. As I pointed out, if you're concentrating all the time then this sort of thing can be avoided. However when writing a big system, the inevitable little lapses can really take their toll - that's another reason for unit testable code, as profiling the whole system isn't always practical.
That's effectively what Berkeley did when AT&T sued them over the release of the BSD Unix source code - they countered by pointing out that AT&T had stripped BSD copyright headers from a number of files included in System V. Berkeley pointed out that AT&T were welcome to redistribute their code as a binary only, commercial product, but that the copyright stripping in the separately licensed source release contravened the BSD license.
If anybody wants an official statement, they should contact Berkeley's legal department.
But if the author of the Groklaw article had done that then his whole argument would have evaporated, and no lawyer likes to be proved wrong. More seriously though if a case is ever proposed with this argument, any competent lawyer is going to contact Berkeley for clarification as to what the intent of the license is - at which point it will be clear there is no case.
This seems like FUD to me, not something I would expect from Groklaw.
Oh come on, this is Groklaw - where any company other than IBM and any license other than the GPL are evil. PJ has done some useful work uncovering the dishonesty of SCO in their dispute with IBM, but whenever she or her contributors comment on other issues they totally balls it up. Rather than asking for an explanation of the BSD license from a FreeBSD, NetBSD or OpenBSD developer, perhaps even from the license authors at the University of California, Groklaw come up with this crap. Quite frankly, I'll be glad when the SCO-IBM case is over and Groklaw becomes an irrelevance.
Especially if you use something like C++ you know perfectly well how the resulting code will behave.
My usual assumption is that it will misbehave. As someone else pointed out with a slightly tongue in cheek quote, if you aren't totally on the ball you end up creating unexpected copies of your objects. I try to unit test my code with instrumentation on the constructors to see when they're called implicitly (default, single argument and copy constructors), then I can make sure my use of STL containers, initialiser lists and so on are optimal.
You really don't get this do you? You don't parse the strings trying to determine what needs escaping, you use the escaping built into the database specific driver that your vendor, who knows what to escape, has provided. Examine the JDBC API, where you construct a PreparedStatement such as:
PreparedStatement ps = conn.prepareStatement("INSERT INTO foo (fooId, name, age) VALUES (DEFAULT, ?, ?)"); // conn is an open java.sql.Connection; PreparedStatement is an interface, so it comes from the connection rather than from new
Then you use the JDBC API to safely insert data at the positional ? parameters. Supposing name to be a CHAR(), and age to be an INTEGER, you would write:
The age has already been validated to be an integer by your JSP tags, while any dodgy characters in the name will be escaped by the JDBC driver's implementation of setString, and wrapped in quotes.
Trying to do this yourself is prone to error - you don't know your database as well as the vendor does, and any changes in escaping requirements between versions of the database are hidden from you by the corresponding JDBC driver.
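The same pattern in runnable form, as an added example that is not from the original comment: Python's sqlite3 module stands in for JDBC (an assumed swap so it runs offline with no driver to install), using the same positional ? placeholders and the foo (fooId, name, age) table from the comment. The constructed form input, the hand-built-SQL contrast and the helper names are assumptions.

```python
import sqlite3

# Constructed sample submissions, as strings the way a web form delivers them.
SAMPLE_FORM = [
    {"name": "Alice", "age": "34"},
    {"name": "O'Brien", "age": "41"},      # apostrophe breaks hand-built SQL
    {"name": "Ann; Marie", "age": "29"},   # semicolon: nothing to strip
]


def open_db():
    """In-memory database with the table from the comment (fooId, name, age)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (fooId INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    return conn


def validate_age(raw):
    """Stand-in for the JSP tag validation: accept only a plain non-negative integer."""
    if not raw.isdigit():
        raise ValueError("age must be an integer: %r" % raw)
    return int(raw)


def insert_unsafe(conn, name, age):
    """Hand-built SQL: the application does the quoting itself. Shown only as the contrast."""
    sql = "INSERT INTO foo (name, age) VALUES ('%s', %d)" % (name, age)
    conn.execute(sql)


def insert_prepared(conn, name, age):
    """Driver-side parameter binding: positional '?' placeholders, exactly as with JDBC."""
    conn.execute("INSERT INTO foo (name, age) VALUES (?, ?)", (name, age))


def load_form(conn, rows, inserter):
    """Insert each submission with the given function; return the stored names in order."""
    for row in rows:
        inserter(conn, row["name"], validate_age(row["age"]))
    return [r[0] for r in conn.execute("SELECT name FROM foo ORDER BY fooId")]


def compare():
    """Return (names stored via parameter binding, error raised by hand-built SQL)."""
    bound = load_form(open_db(), SAMPLE_FORM, insert_prepared)
    error = None
    try:
        load_form(open_db(), SAMPLE_FORM, insert_unsafe)
    except sqlite3.OperationalError as exc:
        # the apostrophe in O'Brien terminates the string literal early
        error = str(exc)
    return bound, error


if __name__ == "__main__":
    stored, failure = compare()
    print("bound parameters stored:", stored)
    print("hand-built SQL failed with:", failure)
```

The bound version stores every name verbatim, quotes and semicolons included, because the driver rather than the application decides what needs escaping.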
Quit with this "no such thing as a bad programming language, there are bad developers" bullshit. If a language encourages bad practices with an inconsistent, badly designed library and dubious features, then it is the fault of the language. Add in the poor tutorials (including most of those in printed books and on Zend's own website), and you've got a bad language made worse by ignorance. You ask where the articles are about good PHP apps and programmers. They don't exist, as most large scale web apps are written in Java - see this UKUUG paper for some reasons why. PHP lowers the barrier for getting a simple web app up and running, but it simply should not be used for anything large scale. The language is poorly designed, and poorly implemented (check out the number of vulnerabilities on bug tracking sites that are attributable to PHP itself rather than just the apps written with it).
register_globals is off by default, and has been that way for a long time. Anyone who turns it back on deserves what they get. It's a dead issue. magic_quotes is headed for the same fate in PHP 6. They seemed like good ideas at the time when the web was young; they turned out not to be.
They'll be dead issues when they are removed completely from PHP. Too many tutorials and existing PHP applications turn them on if they aren't by default. As for "good ideas", they never were.
Configurable logging and reporting is a feature, not a bug.
So it is, but defaulting to all warnings and errors would be saner.
"fopen_urls: By default you can include scripts hosted on other websites!" I'll agree, that should probably be off by default. But a developer has to be naive or dim to either use an URL include, or include a variable in the include directive (and thus introduce the possibility of a URL inclusion) without being damn sure what they're doing.
Well, there's a lot of naive and dim developers out there. fopen_urls() should be binned.
And in C (bcopy versus memcpy, anyone?), and C++, and Perl, and Javascript, and... In fact, most of these "inconsistencies" stem from trying to stay consistent with functions borrowed from C, Perl, et cetera. That's a good goal.
Why is PHP, a high level web development framework, trying to "stay consistent" with C, C++ or Perl? As for consistency within standard languages and libraries C, C++ and Java are very consistent (bcopy is a bogus example as it's not part of any standard).
"Input checking is difficult...Do you want htmlentities() or htmlspecialchars()?" Depends on what you want to do, now, doesn't it? Developers have to know what conditions they need their data to adhere to, and PHP gives them a variety of tools to make it fit those conditions. Feature, not a bug.
That's strange, as the JSTL for Java Server Pages makes do with one escape routine. Of course, JSP and Java frameworks such as Spring encourage good practices that PHP makes difficult (pre version 5 at least).
It's easier to trip up badly in C (by committing some memory buffer error) or Perl (by writing line noise code that you can't understand a week later) than PHP. But it's no longer fashionable to bash those languages.
I wouldn't write a web app in C, so the point is moot. As for Perl and PHP obfuscation, most of the PHP code I've seen fails to separate business logic from presentation, has masses of duplication and often amounts to line noise. Generally, the rewrites into something better (Java and JSP) that I've undertaken start from the spec rather than the code because of the obfuscation of the PHP.
If your PHP security policy is full of stuff like "remove semi-colons", then it highlights your ineptitude - unless PHP doesn't offer a better way of escaping user input other than getting the user to do it on a case by case basis, in which case that highlights the ineptitude of the PHP developers. In a framework designed with security as a primary concern, features like prepared statements and database specific escaping built into the driver are essential. This is how Perl's DBI works, and also how Java's JDBC works. If PHP does offer similar features, then they need to be introduced at the earliest opportunity and used consistently in all PHP tutorials.
My last employer had a corporate vanity website, that acted as a glossy brochure to advertise their subscription only websites. The brochure site was developed in PHP by an expensive, third-party agency, who included a number of forms for submitting things like sales requests. When myself and the very competent graphic designer in my team expressed concerns about using PHP (the subscription only websites that we developed were JSP and Java) we were told that the agency claimed to know what they were doing, so no audit was necessary. Several months later, the company mail server was brought to its knees, as it turned out you could use the PHP web forms to relay spam.
That isn't quite true, they are holding the funds until mid April
A policy that PayPal are very happy to enforce to the letter, as it means they can put the money on account for a guaranteed 180 days and make a tidy sum in interest.
I've experienced Solaris and its predecessors from the early 80's.
Bullshit. Solaris didn't exist until the early 90's.
And why should he have to, exactly?
I suppose that could be true, but I usually take the words at their face value.
If you're in the US, do you by any chance take the National Enquirer as your daily newspaper?
Monday 29th:
Bob from accounts looked at me funny. I'm sure he knows my secret.
Tuesday 30th:
I hear the directors laughing in the boardroom. They know too.
Wednesday 31st:
Arrived at work to find a crow standing on the window ledge outside my office window. I think this is a sign.
Thursday 1st:
The assault rifle, handgun and stun grenades are safely stored behind that old Vax in the machine room.
Friday 2nd:
Goodbye cruel world.
Britney Spears.
Yup, someone holding my eyelids open so that I had to look at another picture of Britney's cellulite? Or that "upskirt" shot of her rather ravaged beaver? It would have me confessing to anything.
"Being pretty much accurate for most of the data most of the time is what you get when the untrained person attempts it."
They're usually better domain experts than the turf-protecting programmers.
You don't actually work in a large company do you? They may be experts at their 'domain', but they are almost always incapable of translating that knowledge into database tables, data structures or algorithms that make for good software. The art of enterprise programming is to accurately gauge what functionality the user wants, how much of that functionality can be produced based on the data that is available and to then produce an application that's stable, maintainable and performs well. You need domain experts not only in the data (the ones you allude to), but also in database design, application design and management. The jack of all trades here is normally the senior developer, who must handle a lot of the requirements gathering and design tasks. One of the best features of Extreme Programming is the insistence on keeping the customer in the loop throughout the project, not just at the beginning and end. However, this needs careful managing to prevent changes to the spec that are large increases in functionality (and as a result, an increase in timescales), as well as stressing that programmers are the domain experts at what they do.
This feature (it's not a bug) can bite you when using STL containers. Check out Cargill's "C++ Programming Style" or Meyers' "Effective ..." books for examples. The implicit calls to single argument constructors to convert types can also result in unexpected copying. As I pointed out, if you're concentrating all the time then this sort of thing can be avoided. However, when writing a big system, the inevitable little lapses can really take their toll - that's another reason for unit testable code, as profiling the whole system isn't always practical.
That's effectively what Berkeley did when AT&T sued them over the release of the BSD Unix source code - they countered by pointing out that AT&T had stripped BSD copyright headers from a number of files included in System V. Berkeley pointed out that AT&T were welcome to redistribute their code as a binary only, commercial product, but that the copyright stripping in the separately licensed source release contravened the BSD license.
If anybody wants an official statement, they should contact Berkeley's legal department.
But if the author of the Groklaw article had done that then his whole argument would have evaporated, and no lawyer likes to be proved wrong. More seriously though if a case is ever proposed with this argument, any competent lawyer is going to contact Berkeley for clarification as to what the intent of the license is - at which point it will be clear there is no case.
This seems like FUD to me, not something I would expect from Groklaw.
Oh come on, this is Groklaw - where any company other than IBM and any license other than the GPL are evil. PJ has done some useful work uncovering the dishonesty of SCO in their dispute with IBM, but whenever she or her contributors comment on other issues they totally balls it up. Rather than asking for an explanation of the BSD license from a FreeBSD, NetBSD or OpenBSD developer, perhaps even from the license authors at the University of California, Groklaw come up with this crap. Quite frankly, I'll be glad when the SCO-IBM case is over and Groklaw becomes an irrelevance.
Especially if you use something like C++ you know perfectly well how the resulting code will behave.
My usual assumption is that it will misbehave. As someone else pointed out with a slightly tongue-in-cheek quote, if you aren't totally on the ball you end up creating unexpected copies of your objects. I try to unit test my code with instrumentation on the constructors to see when they're called implicitly (default, single argument and copy constructors), then I can make sure my use of STL containers, initialiser lists and so on is optimal.
You really don't get this do you? You don't parse the strings trying to determine what needs escaping, you use the escaping built into the database specific driver that your vendor, who knows what to escape, has provided. Examine the JDBC API, where you construct a PreparedStatement such as:
Then you use the JDBC API to safely insert data at the positional ? parameters. Supposing name to be a CHAR(), and age to be an INTEGER, you would write:
The age has already been validated to be an integer by your JSP tags, while any dodgy characters in the name will be escaped by the JDBC driver's implementation of setString, and wrapped in quotes.
Trying to do this yourself is prone to error - you don't know your database as well as the vendor does, and any changes in escaping requirements between versions of the database are hidden from you by the corresponding JDBC driver.
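The pattern the comment above describes, as an added example rather than code from the original post: a parameterised insert and lookup through JDBC. It assumes a `people` table with `name` and `age` columns and an in-memory H2 database at `jdbc:h2:mem:demo` (H2 jar on the classpath); any JDBC driver and URL would serve.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedInsertDemo {

    // Insert one row using positional ? parameters. The driver, not our code,
    // decides how the name is quoted and escaped for this particular database.
    static int insertPerson(Connection conn, String name, int age) throws SQLException {
        String sql = "INSERT INTO people (name, age) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // string column: escaped and wrapped in quotes by the driver
            ps.setInt(2, age);     // INTEGER column: bound as a number, never as text
            return ps.executeUpdate();
        }
    }

    // Look a row up the same way: the WHERE value is bound, not concatenated.
    static Integer ageOf(Connection conn, String name) throws SQLException {
        String sql = "SELECT age FROM people WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("age") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory H2 database; swap the URL for your own JDBC driver.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement ddl = conn.createStatement()) {
                ddl.execute("CREATE TABLE people (name VARCHAR(40), age INTEGER)");
            }
            // Constructed sample input: a legitimate name that happens to contain a quote.
            String name = "O'Brien";
            insertPerson(conn, name, 42);
            // The apostrophe reached the table as data, not as SQL syntax, so the
            // round trip finds the row again without any escaping code of our own.
            System.out.println(name + " is " + ageOf(conn, name));
        }
    }
}
```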
Quit with this "no such thing as a bad programming language, there are bad developers" bullshit. If a language encourages bad practices with an inconsistent, badly designed library and dubious features, then it is the fault of the language. Add in the poor tutorials (including most of those in printed books and on Zend's own website), and you've got a bad language made worse by ignorance. You ask where the articles are about good PHP apps and programmers. They don't exist, as most large scale web apps are written in Java - see this UKUUG paper for some reasons why. PHP lowers the barrier for getting a simple web app up and running, but it simply should not be used for anything large scale. The language is poorly designed, and poorly implemented (check out the number of vulnerabilities on bug tracking sites that are attributable to PHP itself rather than just the apps written with it).
register_globals is off by default, and has been that way for a long time. Anyone who turns it back on deserves what they get. It's a dead issue. magic_quotes is headed for the same fate in PHP 6. They seemed like good ideas at the time, when the web was young; they turned out not to be.
They'll be dead issues when they are removed completely from PHP. Too many tutorials and existing PHP applications turn them on if they aren't by default. As for "good ideas", they never were.
Configurable logging and reporting is a feature, not a bug.
So it is, but defaulting to all warnings and errors would be saner.
"fopen_urls: By default you can include scripts hosted on other websites!" I'll agree, that should probably be off by default. But a developer has to be naive or dim to either use an URL include, or include a variable in the include directive (and thus introduce the possibility of a URL inclusion) without being damn sure what they're doing.
Well, there's a lot of naive and dim developers out there. fopen_urls() should be binned.
And in C (bcopy versus memcpy, anyone?), and C++, and Perl, and Javascript, and... In fact, most of these "inconsistencies" stem from trying to stay consistent with functions borrowed from C, Perl, et cetera. That's a good goal.
Why is PHP, a high level web development framework, trying to "stay consistent" with C, C++ or Perl? As for consistency within standard languages and libraries, C, C++ and Java are very consistent (bcopy is a bogus example as it's not part of any standard).
"Input checking is difficult...Do you want htmlentities() or htmlspecialchars()?" Depends on what you want to do, now, doesn't it? Developers have to know what conditions they need their data to adhere to, and PHP gives them a variety of tools to make it fit those conditions. Feature, not a bug.
That's strange, as the JSTL for Java Server Pages makes do with one escape routine. Of course, JSP and Java frameworks such as Spring encourage good practices that PHP makes difficult (pre version 5 at least).
It's easier to trip up badly in C (by committing some memory buffer error) or Perl (by writing line noise code that you can't understand a week later) than PHP. But it's no longer fashionable to bash those languages.
I wouldn't write a web app in C, so the point is moot. As for Perl and PHP obfuscation, most of the PHP code I've seen fails to separate business logic from presentation, has masses of duplication and often amounts to line noise. Generally, the rewrites into something better (Java and JSP) that I've undertaken start from the spec rather than the code because of the obfuscation of the PHP.
If your PHP security policy is full of stuff like "remove semi-colons", then it highlights your ineptitude - unless PHP doesn't offer a better way of escaping user input other than getting the user to do it on a case by case basis, in which case that highlights the ineptitude of the PHP developers. In a framework designed with security as a primary concern, features like prepared statements and database specific escaping built into the driver are essential. This is how Perl's DBI works, and also how Java's JDBC works. If PHP does offer similar features, then they need to be introduced at the earliest opportunity and used consistently in all PHP tutorials.
My last employer had a corporate vanity website that acted as a glossy brochure to advertise their subscription only websites. The brochure site was developed in PHP by an expensive, third-party agency, who included a number of forms for submitting things like sales requests. When the very competent graphic designer in my team and I expressed concerns about using PHP (the subscription only websites that we developed were JSP and Java) we were told that the agency claimed to know what they were doing, so no audit was necessary. Several months later, the company mail server was brought to its knees, as it turned out you could use the PHP web forms to relay spam.
That isn't quite true, they are holding the funds until mid April.
A policy that PayPal are very happy to enforce to the letter, as it means they can put the money on account for a guaranteed 180 days and make a tidy sum in interest.
:set showmode
Or better still, add it to your ~/.exrc file.