So? You're still being myopic. We are all people, and we all live in a society. We all want that entire society to be better and more equitable, not merely a small part of that society. We're people first and programmers second.
This idea is an instance of the broken window fallacy. If the money had to have been spent on proprietary software, it wouldn't have been used for other things. In the end, FOSS software is a win for us all.
I've always found the word "consumer" to have a sinister connotation. It implies hierarchy and control, and implies that there are people in society who do, and then there are those who just receive. It's offensive.
Dammit, we're "citizens", "people", "internet users", and a million other terms. I never want to be called a "consumer".
And should we not make any progress because we might step on a few toes while doing it? If Google can get into your uber-secret-private-database, so can a random user, or a random Russian cracker. Fix your damn site if you're worried about this particular attack.
It's probably too late in this article's lifecycle for my comment to be read, but I have to spread this information as far as possible.
DO consider NYU's CS program. Professor Dewar there is the best hacker I've ever met, and the rest of the faculty is just as good. New York City is a great environment, and, hell, the school is 70% female. The sci-fi club there is pretty strong, and overall, there's a strong intellectual culture at NYU. If you like to think, go there.
DO NOT attend the University at Buffalo. The computer science program there is much more prominent, but it's a load of java-infused bunk. I had a professor once who recommended that two threads busy-wait, without synchronization (cache coherency? wuzzat?), on each other. The operating systems class doesn't involve any actual operating systems programming.
Microsoft sends boxes of free software to UB, and consequently, all the classes are Microsoft-centric. I was the lone voice in the dark recommending free software, and everyone, even my fellow students, thought I was a bit eccentric for doing so.
That's not to say that the entire department at UB is incompetent; there are a few good people who got suckered into staying - Smith, Schindler, and the guy who teaches Computer Vision. But the core curriculum is the stuff of horror, and I sure as hell don't want to use anything written by a graduate of that program.
Alas, I transferred from the former to the latter for some whore. It was the biggest mistake of my life.
I suppose reasonable people can differ on this point. At least we both agree that the user should never see unescaped data, which is something too few people even think about.
No, leaving unencoded data in the database does not leave one open to XSS attacks, tools or not. If a tool dumps unescaped HTML to a browser, it's broken, and needs to be fixed. And when it's fixed, you'll just see double-escaping with your scheme. Putting encoded data in the database ensures that every tool that uses the database remains broken in exactly the same way. The cure is worse than the disease.
I disagree. Nothing in the database should be HTML-encoded, or otherwise encoded. The entity encoding should take place on the display side, no matter where the data actually come from. Leaving encoded data in the database makes querying it by hand that much more difficult and subverts part of the purpose of having a database in the first place.
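The disagreement above (escape on display versus store entity-encoded text) can be made concrete. The following Python is an added illustration, not code from any of the commenters: html.escape stands in for the display-side encoder, the two "tools" are a correct renderer and a broken one that emits stored text as-is, and the shop name is a constructed input.

```python
import html

# Constructed sample input: a shop name typed into a form, containing the
# characters an HTML encoder cares about (&, <, >, ').
RAW_INPUT = "Jill & Jane's <Craft> Shop"


def store_raw(value):
    """Write exactly what the user typed; encoding is a display concern."""
    return value


def store_encoded(value):
    """The scheme argued against above: entity-encode before the row is written."""
    return html.escape(value, quote=True)


def render_correct(stored):
    """A display tool that is not broken: it escapes everything it emits."""
    return "<td>" + html.escape(stored, quote=True) + "</td>"


def render_broken(stored):
    """A display tool that is broken: it dumps the stored text into the page as-is."""
    return "<td>" + stored + "</td>"


def by_hand_query(stored, needle):
    """Stand-in for querying the table by hand, e.g. WHERE name LIKE '%Jane''s%'."""
    return needle in stored


def compare(value=RAW_INPUT):
    """Render one input through both storage schemes and both display tools."""
    raw, enc = store_raw(value), store_encoded(value)
    return {
        "raw+correct": render_correct(raw),       # escaped exactly once
        "raw+broken": render_broken(raw),         # markup reaches the page: the bug is visible
        "encoded+correct": render_correct(enc),   # escaped twice: '&amp;amp;', '&amp;lt;'
        "encoded+broken": render_broken(enc),     # looks right, so the broken tool is never fixed
        "raw+by_hand": by_hand_query(raw, "Jane's"),
        "encoded+by_hand": by_hand_query(enc, "Jane's"),
    }


if __name__ == "__main__":
    for case, out in compare().items():
        print(f"{case:16} {out}")
```

The "encoded+broken" row is the trap the thread describes: the broken tool produces the same page as the correct one, so nobody notices it is broken, while every correct tool double-escapes and a by-hand search for the apostrophe no longer matches.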
I've seen programmers (in Java) use the PreparedStatement class but still build their entire SQL statement via string concatenation and just slam it through the PreparedStatement.
That just supports the old adage that as soon as you make something foolproof, the universe will go create a bigger fool. You'd think using the parameterized query facility would be easier than building one yourself, so this novice programmer wouldn't go through all that trouble. I guess not.
As far as blacklists go, though, I find it distasteful to limit user input except in ways that are absolutely necessary. I've seen too many "Jill & Jane's Craft Shop" managers get fed up and go elsewhere. I think quoting, whether automatic (preferably) or manual, is sufficient.
Also, public urination counts as a sex offense in some areas. This is a modern-day witch hunt. That said, you sound like intelligent, reasonable people; why not move to a more liberal (small 'l') state and let your selection encourage the creation of reasonable laws?
Hear, hear! When we hire, I'm involved in the interviewing. One of the first questions I ask every candidate is, "can you please describe a SQL injection vulnerability for me?" It's depressing that most candidates have no idea what I'm talking about and stammer out a half-baked answer. The one who had a clue as to what I was talking about excited me, until he told me the solution was to look for "SELECT", "UPDATE", and "DROP" in user strings and signal an error if they're found.
No!
Just escape the damn things and you never have to worry about the actual contents.
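Both the PreparedStatement-with-concatenation story and the keyword-blacklist "solution" above can be shown side by side. This Python is an added example, not any commenter's code: it uses the standard sqlite3 module in place of the Java or PHP drivers discussed, a constructed two-row table, and only legitimate shop names as input (one with the apostrophe from the craft-shop comment, one that happens to contain an English word that is also a SQL keyword).

```python
import sqlite3

# Constructed table: two legitimate shop names, one with the apostrophe and
# ampersand from the "Jill & Jane's Craft Shop" comment, one containing a
# SQL keyword as an ordinary English word.
SHOPS = ["Jill & Jane's Craft Shop", "Select Fabrics"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shop (name TEXT)")
    conn.executemany("INSERT INTO shop VALUES (?)", [(s,) for s in SHOPS])
    return conn


def lookup_concatenated(conn, name):
    """The anti-pattern described above: the statement object may be a
    'prepared statement', but the user's value was glued into the SQL text
    first, so the driver has nothing left to bind and quotes nothing."""
    sql = "SELECT name FROM shop WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The fix: the SQL text is fixed, the value travels as a bound parameter."""
    return [row[0] for row in conn.execute("SELECT name FROM shop WHERE name = ?", (name,))]


BLACKLIST = ("SELECT", "UPDATE", "DROP")


def keyword_blacklist_accepts(name):
    """The interview candidate's 'solution': reject strings that contain SQL keywords."""
    return not any(word in name.upper() for word in BLACKLIST)


def classify(conn, name):
    """Run one input through all three approaches and return what each did."""
    try:
        concat = lookup_concatenated(conn, name)
    except sqlite3.Error as exc:
        # The concatenated query fails to parse: this is the "white page when he
        # submits a form with a '" from the thread.
        concat = "error: " + str(exc)
    return {
        "concat": concat,
        "param": lookup_parameterized(conn, name),
        "blacklist_ok": keyword_blacklist_accepts(name),
    }


def results():
    conn = make_db()
    return {name: classify(conn, name) for name in SHOPS}


if __name__ == "__main__":
    for name, outcome in results().items():
        print(name, outcome)
```

The apostrophe alone breaks the concatenated query while the bound parameter returns the row, and the blacklist turns away "Select Fabrics" for no reason: quoting the value correctly makes its contents irrelevant, which is the point of the comment above.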
At least for our (ugh) PHP applications, using prepared statements required twice the number of round-trips to the server. We just wrote our own library that does the same kind of escaping on the client side. For example,
$res = db_query("SELECT name FROM person WHERE age >= ?", 65);
or for a slightly more complex example,
$people = db_query_dl("SELECT name, age FROM person WHERE zip IN ([zips])",
    array('zips' => array('90210', '10005', '12345')));
(db_query_dl queries the current global database and returns a list* of dictionaries* containing the results of the query.)
The library parses the SQL and ignores substitution parameters inside literal strings, and automatically converts x=? to x IS NULL if the substitution parameter is NULL. (The correctness of that conversion is debatable, but it is undoubtedly useful.)
Come to think of it, there's no reason we couldn't open-source this library if there's any interest in it.
* though it's a purely conceptual difference in PHP, where lists and dictionaries are the same type
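The library described above was never posted, so the following Python is an added sketch of the behaviour the comment lists, not the commenter's code: positional ? parameters, [name] list expansion, ? left alone inside '...' literals, and x = ? rewritten to x IS NULL when the value is None. The quoting rules are sqlite-style and assumed; the rewrite is applied only to a plain =, not to >= or <>, which is an assumption the comment does not settle. The data is constructed and lives in an in-memory sqlite3 database.

```python
import re
import sqlite3


def quote_literal(value):
    """Quote one Python value as a SQL literal (sqlite-style; assumed, not the library's rules)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def expand_query(sql, params=(), named=None):
    """Substitute parameters client-side.

    ?       takes the next positional value from params
    [name]  takes a list from named and expands to a comma-separated list
    A ? inside a '...' literal is copied untouched, and 'x = ?' with a None
    value becomes 'x IS NULL' (plain '=' only; '>=' and '<>' get a raw NULL).
    """
    named = named or {}
    text, i, pos = "", 0, 0
    while i < len(sql):
        c = sql[i]
        if c == "'":
            # copy a string literal verbatim, honouring '' as an escaped quote
            j = i + 1
            while j < len(sql):
                if sql[j] == "'":
                    if sql[j + 1:j + 2] == "'":
                        j += 2
                        continue
                    break
                j += 1
            text += sql[i:j + 1]
            i = j + 1
        elif c == "?":
            value = params[pos]
            pos += 1
            m = re.search(r"(?<![<>!])\s*=\s*$", text)
            if value is None and m:
                text = text[:m.start()] + " IS NULL"
            else:
                text += quote_literal(value)
            i += 1
        elif c == "[":
            # assumed placeholder syntax from the comment: [name] -> 'a', 'b', 'c'
            j = sql.index("]", i)
            text += ", ".join(quote_literal(v) for v in named[sql[i + 1:j]])
            i = j + 1
        else:
            text += c
            i += 1
    if pos != len(params):
        raise ValueError("positional parameter count does not match the query")
    return text


def db_query_dl(conn, sql, params=(), named=None):
    """Run an expanded query and return a list of dicts, one per row (db_query_dl style)."""
    cur = conn.execute(expand_query(sql, params, named))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def demo():
    """Constructed rows in an in-memory database; returns the three query results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT, age INTEGER, zip TEXT, nickname TEXT)")
    for row in [("Ada", 70, "90210", None), ("Bob O'Brien", 40, "10005", "Bobby"), ("Cy", 66, "55555", None)]:
        conn.execute(expand_query("INSERT INTO person VALUES (?, ?, ?, ?)", row))
    seniors = db_query_dl(conn, "SELECT name FROM person WHERE age >= ? ORDER BY name", [65])
    by_zip = db_query_dl(conn, "SELECT name, age FROM person WHERE zip IN ([zips]) ORDER BY name",
                         named={"zips": ["90210", "10005", "12345"]})
    no_nick = db_query_dl(conn, "SELECT name FROM person WHERE nickname = ? ORDER BY name", [None])
    return seniors, by_zip, no_nick


if __name__ == "__main__":
    print(expand_query("SELECT name FROM person WHERE nickname = ? AND note = 'what?'", [None]))
    for result in demo():
        print(result)
```

The literal-skipping branch is what keeps a ? inside a quoted string from being treated as a placeholder, and the count check at the end catches a query whose placeholders and arguments have drifted apart, which is the kind of silent mismatch client-side substitution otherwise hides.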
If I hire a carpenter to build my house and it collapses, the carpenter is liable. Engineers won't cooperate if management wants to cut corners on a bridge: they have a code of ethics and a body that enforces it.
Software, on the other hand, is a free-for-all today. We need an accreditation program and a code of ethics, just like more traditional disciplines of engineering. That's not to say that we'll restrict compilers to professionals; we don't reserve wrenches for professional mechanics.
But for a project that has the potential to cause so much harm to so many, a requirement to use trained and certified software engineers (with all the implications of the second word) would be invaluable.
How it works? Light polarization. Each lens has a different polarization, so it only lets through the right light.
Neat trick: take modern 3D glasses, hold them flat in front of an LCD monitor, and rotate them on the axis perpendicular to the monitor. You'll see the display behind dim and brighten as the lenses see it at varying angles.
Anonymous, your comment reveals more about you than you intended.
The operation of the free market? Bad? Just take all my money and give it to the poor already I guess.
...
...New Deal plans were spending large amounts of government money... and given to the poor and jobless. GG.
...
Everybody loves socialism but the rich.
If nearly everyone loves socialism, then as a democracy, that is what we should embrace. Do you reject democratic self-determination? If so, China is a much better fit for your ideal world vision than it is for mine; why don't you move there?
I welcome socialism. The Scandinavian countries are among the most socialist places on earth, and their people are among the happiest. Why shouldn't I want that?
Do you have a grudge against the poor? If this were 1901, would you wear a monocle? Society should be structured for the benefit of the many, not the few. RFK said it best:
Too much and too long, we seem to have surrendered community excellence and community values in the mere accumulation of material things. Our gross national product... if we should judge America by that - counts air pollution and cigarette advertising, and ambulances to clear our highways of carnage. It counts special locks for our doors and the jails for those who break them. It counts the destruction of our redwoods and the loss of our natural wonder in chaotic sprawl. It counts napalm and the cost of a nuclear warhead, and armored cars for police who fight riots in our streets. It counts Whitman's rifle and Speck's knife, and the television programs which glorify violence in order to sell toys to our children.
Yet the gross national product does not allow for the health of our children, the quality of their education, or the joy of their play. It does not include the beauty of our poetry or the strength of our marriages; the intelligence of our public debate or the integrity of our public officials. It measures neither our wit nor our courage; neither our wisdom nor our learning; neither our compassion nor our devotion to our country; it measures everything, in short, except that which makes life worthwhile. And it tells us everything about America except why we are proud that we are Americans.
Do you want to live in a society in which we focus on enriching a tiny already-wealthy minority, or in one that focuses on a dignified life for everyone? If we have to sacrifice a little overall productivity, a little overall efficiency, in order to provide happiness for the greatest number of people, so be it. That is the quality we need to look at when optimizing society.
Remember a basic economic principle: government spending is wealth redistribution. I want to live in a society where one human isn't worth a hundred million more than another. This is a democracy.
You're an idiot. The great depression was caused by extreme wealth inequality and consumer debt spending. (The installment plan first became popular in the 20s.) Hoover tried to wait it out. FDR's programs actually made a difference, and the regulations his administration enacted stopped the boom-bust cycle that had plagued the economy for hundreds of years.
Now that we've repealed a huge portion of the new deal legislation, we're seeing a return to the same extreme wealth concentration, and a return to the same old boom-bust cycle. We need to re-instate the new deal regulation, and even go beyond it, in order to ensure a stable economy.
Unless you want to return to the gilded age, of course.
Re:Shouldn't it be just "Wicked PHP?" (on Wicked Cool PHP, Score: 1)
I'd rather solve ten problems in a usable fashion than solve one problem the "right" way.
That's a dangerous outlook. The "right" way is the right way for a reason, and PHP makes it very easy to get it terribly wrong. SQL injection attacks, cross-site scripting vulnerabilities, intimate tying of HTML to code, and non-existent internationalization are all the default for PHP. You may not think these things matter for your quick and dirty application, but programs are often used for far more than they were originally intended. And by the time that happens, the program is so tightly bound to PHP that we're stuck with it, all because the original designer thought PHP would be "easy."
You should run away when the chief advantage of a language is that it's "easy". "Powerful", "clean", "robust", and even "flexible" are all good words, but "easy" means "I don't have to think." Thinking is not optional. You will pay for not thinking one way or another. Consider that BASIC and PHP are both "easy", and you'll better understand my point.
You know what's really easy? Not re-inventing the wheel, or at least re-inventing it using robust, common libraries.
who cares if it's noun_verb, nounverb, or verb_noun? str_split, stripslashes, strip_tags... BFD!
It's a "BFD" when it leads to wrong-argument-order bugs, silent data corruption, or the user seeing a white page when he submits a form with a "'".
When we evaluate a new programmer for our legacy PHP projects, I always like to pick a site from his resume and type SQL metadata characters into one of the forms, hoping to cause an error. More than half the time, the applicant fails even this first test. PHP makes it too easy to take the ostrich approach of problem-solving, which is a bad thing for everyone in the long run.
Also, PHP's inconsistencies run deeper than you may think. Consider this:
function blah() {
    return array("world", "other");
}
$noun = blah()[0];
print "hello, $noun\n";
blah()[0] is a syntax error because of a silly omission in PHP's grammar. Some other things that make writing good programs in PHP difficult and annoying:
-no namespaces, making it tedious to cleanly isolate modules
-half-hearted exception support still eschewed by the developers and PEAR
-lax error handling abused by many legacy programs, which break with E_STRICT | E_ALL
-the attitude adopted by even the maintainers that could be roughly summed up as "the right way doesn't matter, lulz." That attitude led to the absolute insanity that was PHP4 object support.
These aren't arcane "computer-science" concepts. They're real world limitations that make it hard to write good software in PHP. Other languages, like Perl, Python, and Ruby, force you to think about the inherent problems in web development, and with them, you can write software just as quickly as you can in PHP: instead of embedding variables in SQL statements, use a query builder. Instead of mixing HTML and code, use a template library. Instead of using $_GET indiscriminately, structure your code so data only flow where they're needed.
You can do all these things in PHP, true, but by the time you'll have done that, you'll have put as much work into the project as you would have in a cleaner language. So why not use that cleaner language in the first place?
I see your car analogy and raise you one: using PHP when you could be using, say, Python, is like driving a Ford Pinto instead of a Honda Civic because you're used to the Pinto, only drive to the local store, and don't think you need airbags. Who knows when these assumptions might change?
Re:Shouldn't it be just "Wicked PHP?" (on Wicked Cool PHP, Score: 4, Insightful)
Any language can be used well, but it's much easier to use some languages well than others. PHP is inconsistent and limiting; why would anyone who knows how to write good code use it instead of a different language?
You only win slightly with server-side prepared queries, and that's only if the prepared queries are cached, not prepared once and thrown away.
The language makes it easy, or even tantalizing, to do it the wrong way, and very difficult to do it the right way.
openvpn uses plain old UDP, so it works just fine over a firewall. It even supports ethernet bridging. Who exactly is modern here?
Why TCP over TCP is a bad idea
A bias to the "left", relative to standard fare in American politics, is a bias toward reality and rationality.
Was archiving whitehouse.gov? AFAICS, archive.org still is.
These drugs help people whether they have the indicated "disease" or not.