Slashdot Mirror


User: kcbrown

kcbrown's activity in the archive.

Stories: 0
Comments: 1,332

Comments · 1,332

  1. Re:This man is a coward. on US Official Urges Americans To Reconsider Privacy · Score: 1

    There's another choice, you can fight for freedom. You may die but you can take some oppressors out with you. As Thomas Jefferson said, "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. It is its natural manure." However as with past civilizations, people have become lazy and fearful.

    Fight how?

    When Thomas Jefferson wrote his passage about refreshing the tree of liberty, the firepower of the average civilian was about the same as the firepower of the average soldier. That meant a large enough number of average people could actually kick out an occupying force if they really wanted to.

    Fast forward to today. Today, the firepower of the average soldier is anywhere between a few thousand to one and a few million to one in favor of the soldier, depending on what weapons you decide the soldier has available to him. Give him nuclear weapons and it's millions to one. Meaning that the military would be able to kill anywhere from thousands to millions of civilians while losing just one soldier.

    You don't think a malevolent totalitarian government would hesitate to nuke one of its own cities to demonstrate its power and resolve? If you don't think that then you don't understand such governments. No, I don't think it would ever even come close to that -- the resistance would remain a nuisance, much like it is in Iraq, but nothing more.

    Yes, you heard that right: the resistance in Iraq is a nuisance. It's not a real threat. How do I know? Simple: we're still there, and we're not budging, and any inclination on our part to leave would come as a result of us wanting to leave, not being forced to leave.

    So what does this mean? Simple: during Thomas Jefferson's time, "give me liberty or give me death" could mean either liberty or death -- you had a reasonable chance of either if you fought for liberty. But today, "give me liberty or give me death" simplifies to merely "give me death".

    So: if someone knew for a fact that if they tried to fight for freedom, they would not only die but they would also fail, do you still believe that person would fight nonetheless, knowing that it would do absolutely no good at all? Some would, I think, but very few. And I'll tell you why:

    Because there's always a chance you might somehow be able to change things as long as you're alive. Once you're dead, there's no chance at all.

    This ain't the 1700s anymore. It's time people stopped thinking as if it were.

  2. Re:AT&T is not the only stooge, we are also on Ex AT&T Tech Says NSA Monitors All Web Traffic · Score: 1

    Liberty and Freedom for all should be more important than any of us, or for enough of us to use our time off to avoid the TV and think about the good we can do. No one of us can do a damned thing. You more than most, I see. Collectively we can.

    I reiterate: exactly what do you think "we" can do? Even collectively?

    We can't vote our way out of it, because we don't control who gets on the ballot. This remains steadfastly true regardless of how much support we collectively give someone. And even if we could control such a thing, we don't have any control over the only means of information distribution that matters: the mass media. The internet is no match. Howard Dean proved that.

    We can't talk our way out of it, because nobody who is in a position of power cares to listen -- because they're paid not to.

    We can't write our way out of it for the same reason.

    We can't buy our way out of it because doing so just transfers the money to those to whom we are opposed (the mass media is owned by the very people who want fascism in America)!

    And even collectively, we can't shoot our way out of it because we don't have the numbers to overcome the thousands to millions to one advantage in firepower per person the government ultimately has.

    You keep saying that "we" can do something. But your wish to do something must adhere to that which is logically and realistically possible. The system as it is right now is set up such that nothing which could possibly work otherwise is possible. The bad guys have all the exits covered with enough firepower to make sure that nothing gets out alive.

    And even worse, you vastly underestimate the ability of the government to disrupt collective action. What, do you think those in power are going to stand by while we little people try to do something contrary to their wishes? How naive are you??

    Has it ever occurred to you to ask why totalitarian governments are historically so numerous and long lived compared with their non-totalitarian counterparts? It has nothing to do with what the little people want and everything to do with how little is possible that is against the wishes of those in power.

    You may as well be trying to break the laws of physics for all the good it'll do you and everyone else. You're welcome to try, of course, and it may be better to try than to not. But regardless, the chance of you succeeding, even if you get a whole pile of collective support, is effectively zero.

    I'm a realist first. And the reality is that there is nothing to do and nowhere to go. As I said, it might be better to act anyway despite the odds. But don't fool yourself into thinking that there is any real chance of success.

  3. Re:AT&T is not the only stooge, we are also on Ex AT&T Tech Says NSA Monitors All Web Traffic · Score: 1

    Do something to stop it, or I'm pointing at you and saying "You are all for it. You are fascism's little cheerleader, by saying nothing. You did this."

    Okay, so we should do something about it.

    What would you suggest?

    Here's a hint: there's nothing that the average person can do about it. Nothing.

    He can't vote his way out of it, because he's not in control of who appears on the ballot.

    He can't buy his way out of it, because he's not among the richest 1% of the country (who have the bulk of the wealth).

    He can't write his way out of it (like you tried, and will fail, to do), because the "representatives" he can write to are paid to not read what he has to say, much less act on it.

    And he can't shoot his way out of it, because the government has all the real guns, along with the intelligence infrastructure to tell them where to point them.

    That leaves him only one option: he can leave. But that won't solve the problem, and based on how things are going elsewhere in the world, it looks like the problem will just follow him wherever he goes.

    Got any other bright ideas? Bet not.

    Get this through your thick head: we are well and truly fucked, and there's not a damned thing any of us average people can do about it. Nothing. I wish to God there was (and I'm not even a religious person myself), but there's not.

    The entire world will descend into darkness, and it will not emerge from it again for hundreds, perhaps even thousands, of years.

  4. Re:just taking care to take care. on Anti-Terrorism and the Death of the Chemistry Set · Score: 1

    This has absolutely nothing to do with the Tenth Amendment, period. The Tenth Amendment is a limitation on the power of the federal government, not on any specific part of the federal government. If the President cannot do something because the Tenth Amendment restricts him, then neither is Congress allowed to permit the President to do it.

    My point in citing the Tenth Amendment was to point out that the nature of the Constitution itself is to deny power by default unless explicitly granted, rather than to grant power by default unless denied. The purpose of the Tenth Amendment, I think, is to make that completely clear.

    The Constitution does not grant to the government as a whole any power at all. Every power it grants is granted to a specific branch within the government.

    So if any power is to be exercised by the executive branch, it must either have been granted explicitly by the Constitution or as a result of the passage of a law by the legislative branch.

    The warrantless wiretapping the executive has engaged in was not a power granted by the Constitution, nor was it granted to the executive by Congress. In fact, Congress passed a law explicitly forbidding warrantless wiretaps. So I fail to see any basis whatsoever, much less a plausible one, for any reasonable belief that the wiretapping in question could be considered to be legal in any way.

    Fine. Tell that to the FISA Court of Review, which noted "the President's inherent constitutional authority to conduct warrantless foreign intelligence surveillance."

    Various courts are well known for "interpreting" the Constitution in anything other than a straightforward manner (and especially without regard to the various treatises written by the various founders of the country which describe the fundamental reasons they had for writing the Constitution the way they did). I see little reason to believe that the FISA Court of Review did anything else here.

    It turns out I was wrong about at least one thing: seems the NSA isn't a civilian agency. It's a military establishment.

    However, note that even the armed forces themselves only exist due to Congressional power (establishment of the Navy and the Army are powers explicitly granted to Congress by the Constitution). So the NSA thus only exists as a result of powers granted by Congress, which means anything the NSA does must conform to the limitations imposed by Congress.

    To conclude anything else, you'd have to make arguments which can only ultimately result in the conclusion that the President effectively has limitless power and authority, a conclusion which is very obviously a contradiction of the many writings of the founders which emphasize their distrust of concentrated power.

  5. Re:just taking care to take care. on Anti-Terrorism and the Death of the Chemistry Set · Score: 1

    If the Constitution doesn't grant a power, then neither the executive branch nor congress have the legal justification to authorize a third party (the telcos, in this specific case) to act based on that power, which means the actions of the third party cannot be excused as a result of acting on behalf of the government (instead of on its own) -- said third party is therefore in that case subject to the standard laws of the land, as if the government was not involved at all.

    I don't buy it. If you have reasonable belief that the President is exercising a lawful authority, it's not reasonable to say that you've done anything wrong by acting on that, where the Constitutional law is so terribly unclear.

    What person in their right mind would believe that the President was exercising lawful authority when a reading of the Constitution makes it abundantly clear that the President has no such authority except as a result of congressional authority? If you don't believe me then read the Constitution for yourself. The section enumerating the independent power of the executive is blissfully short and clear, and makes no mention at all of any law enforcement authority on the part of the executive whatsoever. It does say that the executive may be granted additional powers by congress, but that is by definition congressional authority.

    That section plus the tenth amendment make it abundantly clear that the executive has no power to act in a law enforcement capacity outside the restrictions set forth by congress. The only truly independent power the executive has is as commander in chief of the armed forces and the militia, and that clearly doesn't apply here because the NSA is a civilian agency which was created by congress (so any authority the executive may have over it is granted by congress and not inherent to the executive).

    But we're not talking statutes here, we are talking about a very controversial area of Constitutional law, and since we cannot just ask the Supreme Court to give us their opinion, we have to make our own best guesses.

    It is true that the Supreme Court has given very little guidance as to whether or not warrantless wiretaps are a violation of the 4th amendment, but given the FISA law and the fact that the executive blatantly violated it, I think it's clear that the wiretaps needn't be a 4th amendment violation to nevertheless be unconstitutional, since the wiretaps in question were conducted without congressional authority and, therefore, without Constitutional authority.

  6. Re:Hmm on Congressional Commitee Rips Yahoo Execs · Score: 2, Insightful

    And, why aren't they yelling at AT&T for providing information to the Executive branch on the online activities of US citizens without a warrant? Is this not exactly the same thing as what Yahoo! is being lambasted for, except Yahoo! was *following* the law, and AT&T (and others) were *breaking* it?

    Nobody here seems to really get it yet. Time for me to explain.

    All the vitriol, the accusations, the name-calling, etc. on the part of Congress add up to...nothing. Nada. Zilch. Not a damned thing.

    It's part of the game. Congress pulls the Yahoo execs in and questions them about what they're doing and generally gives them a hard time. Why? Because it's on record. It's a cynical attempt on the part of Congress to appear like they actually give a shit about human rights and such.

    But make no mistake: it's just a game. Know what's going to happen to the Yahoo execs after all this is said and done? Not a goddamned thing, that's what. Hell, after the hearings are over with, I won't be surprised at all to find these same members of Congress and the Yahoo execs getting together for drinks afterwards and laughing it up.

    And those who own and run the big corporations, who really own the government these days as well, like it that way. Which is why this dog and pony show won't have any real effect at all. At least, none that would be of any benefit to anyone other than those in the gilded ruling class.

  7. Re:just taking care to take care. on Anti-Terrorism and the Death of the Chemistry Set · Score: 1

    You didn't state a third option here (though you allude to it later): that it was illegal because it is not Constitutionally authorized. This is the argument that many people who are against the wiretapping make, actually. The limits and requirements within the wiretapping law are there because the law would be unconstitutional otherwise.

    That is not substantially different from the first option.

    Except that I thought we were talking about wiretapping which violated the very provisions of the law I mentioned, namely the provisions requiring that the government get a warrant from the FISA court within 72 hours of the wiretapping action.

    The first option was, if I'm not misreading things, congressional authorization. But congressional authorization has as its basis of legality the very same thing that executive power does: the Constitution.

    In the case of the wiretapping in question, the executive branch very clearly didn't have congressional authorization because it violated provisions of the law that congress had passed.

    But even if Congress had passed a law allowing the executive branch to conduct warrantless wiretapping directly against U.S. citizens on U.S. soil, that congressional authorization would be worthless, because it exceeds (for the very same reasons those who argue the unconstitutionality of the wiretapping in question use) the power granted to both congress and the executive branch by the Constitution.

    If the Constitution doesn't grant a power, then neither the executive branch nor congress have the legal justification to authorize a third party (the telcos, in this specific case) to act based on that power, which means the actions of the third party cannot be excused as a result of acting on behalf of the government (instead of on its own) -- said third party is therefore in that case subject to the standard laws of the land, as if the government was not involved at all.

    We're probably in agreement on all this -- I just didn't see you give much coverage to it as one of the options...

  8. Re:Yeah, well on The Dying PC Market · Score: 1

    The fact that home computers and professional workstations are the same right now is a temporary state of affairs.

    It's not temporary as long as corporations want their employees to work 24x7, which means working from home, working while on "vacation", working while in the hospital, etc.

  9. Re:just taking care to take care. on Anti-Terrorism and the Death of the Chemistry Set · Score: 1

    There's only two options: either it was illegal because it required Congressional authorization, or it falls under Executive authority and was therefore legal.

    You didn't state a third option here (though you allude to it later): that it was illegal because it is not Constitutionally authorized. This is the argument that many people who are against the wiretapping make, actually. The limits and requirements within the wiretapping law are there because the law would be unconstitutional otherwise. It still might be unconstitutional even with the limitations, but as far as I know nobody has taken it to the Supreme Court for a ruling.

    If it's not Constitutionally authorized, then the companies in question may be guilty of an illegal act, depending on whether or not there's some law forbidding individuals or companies from doing what they did.

  10. Re:just taking care to take care. on Anti-Terrorism and the Death of the Chemistry Set · Score: 3, Insightful

    They care that the people that think are being distracted and rendered useless. Because with them out of the way, and with the idiots that are in power today, the current situation will favour them more and more and...

    If by "them" you mean the people who are in power, then this comment is spot on. If by "them" you mean those most people think of as "terrorists" then those "terrorists" are idiots of the worst kind.

    Why?

    Simple: because the government in charge of an oppressive police state is even more interested in power and control, and less interested in what anyone else thinks, than the government in charge of a democratic republic. And the more interested in power and control a given government is, the more such power and control it wants, which means it will attempt to expand and exert control over ever larger regions. Including the regions the "terrorists" inhabit.

    If the "terrorists" think things are "bad" now, just wait until they're dealing with a government that really doesn't give a fuck about what they or anyone else thinks. As in at all. With a democratic republic, the "terrorists" at least have a chance of getting through to that republic's government through the people it governs. With a fascist totalitarian state, they have no such option at all.

    Fascist totalitarian states have no trouble with steamrolling over anyone they want. Including "terrorists". They won't think twice about it, and they won't listen to anyone's argument against it, except those who are at least as well armed as they are. And that ain't the "terrorists". Against a fascist totalitarian U.S. (which isn't there yet but is really close now, I think), that's damned few countries, actually.

    So if the aim of the "terrorists" is their own destruction, then they are well on their way towards accomplishing their goals.

    In other words, the terrorists haven't won. They've lost. And so have we. The only people who have "won" are those who are already rich and powerful.

    "Terrorists". Bah. Fucking morons...

  11. Telcos will win regardless... on Why Everyone Should Hate Cellphone Carriers · Score: 3, Interesting

    "WWAN could well end up supplanting copper sooner than anyone expects: do you want these companies in charge of it?"

    I fully expect that these companies will wind up "in charge" of it by fiat if nothing else. It's only a matter of time. Like the article said, these companies own Congress. Well, Congress makes laws that govern "interstate commerce" (which the courts have interpreted as shorthand for, basically, any damned thing they please), so Congress can, and will, do the equivalent of declaring them as being the sole carriers for this stuff if the competition keeps them from taking that role otherwise.

    Didn't you get the memo about what fascism is really all about?

  12. Re:No placeholders? on Slashdot's Setup, Part 2- Software · Score: 1

    Only one response suits your comment: Perl, in a Nutshell. It even includes a concession about Perl being hard to read ... although it does so sarcastically.

    LOL! That song is awesome! :-)

    Very well done! You've got talent with the guitar, dude...

  13. Re:No placeholders? on Slashdot's Setup, Part 2- Software · Score: 1

    I said it requires a great deal of discipline to do consistently.
    And that is a clearly false statement. I, and many other people, do it all the time, without any significant exertion.

    Really? And how exactly are you measuring this? By asking your equally fluent peers if they can easily read it? That's hardly a good measure of how readable a language is! Any language is easy to read to those who are experts at the language.

    The readability of a language (as opposed to the readability of a section of code, which is determined by more than just the language -- you can make pretty much any section of code unreadable) has to be measured by how easily someone who has no more than a basic understanding of that specific language can read it. And for that, Perl is in my experience significantly worse than a number of others. This is because Perl requires greater knowledge on the part of the programmer to achieve the same ability to read and understand code written in it than some/many other languages do. You won't realize this until you walk away from Perl for a while (long enough to forget a lot of the little things) and then go back to it, and find you have to look up a lot of things that you wouldn't have to with more readable languages.

    It is because you were presenting your (uneducated) opinion about Perl as fact. Saying you don't prefer Perl is fine. Making categorical statements about Perl that simply aren't true in the real world -- for people who are software engineers rather than computer scientists -- is boring.

    My opinion is based on many years of first hand experience and observation. I don't care if you believe I have that experience or not because your belief doesn't alter the truth of it. That experience includes using Perl extensively as well as not using it much for a relatively large period of time afterwards. I dare say your experience doesn't include the latter, so I find it difficult to see how my opinion could therefore be called any more "uneducated" than yours.

    As for the distinction between software engineers and computer scientists, software engineers engineer code first and foremost. That means they put effort into designing software up front before they write a single line of code, and the good ones choose tools, including languages and methodologies, which will yield the lowest long-term cost, which includes factors such as maintainability, scalability, suitability for the problem domain, etc.

    The choice of language to use for Slashdot is largely historical -- you (meaning, those who developed Slash) were constrained by what was available at the time and by what capabilities the various available languages brought to the table. Once such a decision is made, it is nearly impossible to reverse. So I certainly cannot fault you for that decision. I could easily make the same decision given the constraints of the time. And even today, Perl might be the best language for the job, though in my experience there are other languages that are probably equally well-suited for the task and which are also by their nature more readable than Perl -- meaning I (as a software engineer) would choose them over Perl if that were the case.

    The other things you say may have merit. But I just don't care.

    That is nobody's loss but your own.

  14. Re:No placeholders? on Slashdot's Setup, Part 2- Software · Score: 1

    I do not believe you for a second. No one truly competent in Perl believes it is hard to write readable Perl.

    I didn't say it was hard to do, I said it requires a great deal of discipline to do consistently. Perl has a wealth of abbreviated constructs that are very powerful. That makes it very tempting to use them, and their use generally reduces the readability of the code. That is why writing readable Perl consistently requires a great deal of discipline.

    This is twice that you've refused to read the rest of what I've said, apparently because I don't happen to hold your favorite language with the same high regard that you do. From where I sit, that means it is you who is showing disregard for reason, because by doing so you implicitly assume that, because I fundamentally disagree with you about this one particular thing, the other things I have to say must have no merit. That is clearly a questionable position on your part.

    It's your right to do that, of course, but it comes across as a bit immature.

  15. Re:No placeholders? on Slashdot's Setup, Part 2- Software · Score: 1

    Ah, here we go. A language bigot. Someone who lacks proficiency in a language sufficient to judge it with any rationality, and yet condemns it despite his ignorance.

    What is true, likely, is that YOU do not understand written Perl. Written Perl is very easy for me to understand. I write, and read, Perl every day. It doesn't take anything "inhuman." It only takes competent programmers who know Perl. You are not one of those, more likely because of the lack of knowledge of Perl than because of the lack of competence in general, I assume, but your disregard of reason makes me disregard the rest of your post.

    This is pretty laughable considering that I've used Perl for various things for some 17 years, with about 10 of them involving intense development at times. I suppose, then, that you might regard me as incompetent, but I assure you it won't be for lack of familiarity with the language (that said, I've not done any serious Perl for about the last 5 years).

    I didn't mean to say that Perl is entirely unreadable. I meant that Perl is on average harder to read than a number of other languages (particularly those designed with readability in mind). Someone intimately familiar with it will obviously have an easier time of it but even with that kind of intimate familiarity with it, Perl allows you to write constructs in so many different ways that it's often not as easy to discern the intent of the author of the code as it is with other languages that place emphasis on readability and maintainability. You can write code that's hard to discern in any language, of course, but in my experience, it's easier to do that in Perl than in a number of others, because Perl makes brevity at the expense of readability easy.

    This (brevity) is something that is often valued by people who really like Perl. People such as, apparently, yourself, since you obviously place value on how small your lines of code are. There's nothing wrong with that in and of itself, but it comes at a price. That price is something you don't seem to have experienced yet. Perhaps you never will -- Perl seems to be the language you have by far the most invested in. Aside from C, I can't tell from examining your web site what other languages you have familiarity with.

    To put the above another way, Perl requires greater knowledge on the part of the programmer to achieve the same ability to read and understand code written in it than some other languages do. You won't realize this until you walk away from Perl for a little while (long enough to forget a lot of the little things) and then go back to it, and find you have to look up a lot of things that you wouldn't have to with more readable languages.

    I used to believe as you apparently do. Perl was by far my favorite language. It wasn't until I stopped using it for a bit and then went back to it that I realized that there was a kernel of truth in what people said about its readability.

    I will say this about Perl: it's a lot better about readability now than it used to be. Even so, there's a reason Perl is at the receiving end of jokes about readability.

    As for my "disregard for reason", I have a set of opinions, based on experience and understanding. If those opinions are demonstrably incorrect then I will change them, because I'm a realist, and being right is more important to me than just about anything else (being right is very useful, while being wrong is pretty much useless).

    So: if you have some factual or logical basis for claiming that my opinions are incorrect, put it on the table. I haven't seen it yet.

  16. Re:It probably won't make any difference. on Senators Call For Hearing On Carrier Content Blocking · Score: 4, Informative

    Historically, totalitarianism of one form or another has been by far the preferred form of government, as evidenced by the fact that the vast majority of the people who have ever lived have lived under it.
    Do you have evidence of this assertion? Or is it just conjecture?

    You're kidding, right?

    Look at the history of the world. The entirety of China has never lived under anything other than a totalitarian form of government (the specific form of totalitarianism has changed over time but the fact that the form has been totalitarian has not). The entirety of Russia has similarly done so except for the relatively brief period of time after the Berlin Wall fell. Those two countries alone are probably enough to make my case, but there's a lot more. India was totalitarian for its entire history until 1950. The entirety of Europe was totalitarian until the mid to late 1700s. The Roman Republic and the lands it represented were briefly non-totalitarian (for about 450 years) but were totalitarian otherwise -- the Republic lasted until the advent of the Roman Empire, which itself lasted about the same amount of time. After that, it was ruled by one empire or monarchy or another until about 1950. After that, it's been democratic (the specific time that any given territory of the Roman Empire went with democracy depends, but very few appear to have done so earlier than about 1800). And then, of course, you have the Egyptian Empire, which lasted longer than any other government ever.

    See a pattern here? Throughout history and throughout the world, totalitarianism is the norm. Freedom and self-determination are very much the exception. Real democracy as a form of government (where the people have a real say in their government) isn't new at all, but it's rare.

  17. It probably won't make any difference. on Senators Call For Hearing On Carrier Content Blocking · Score: 5, Interesting

    The telco execs can lie to congress all day long and they won't get so much as a slap on the wrist for it.

    For the same reason, congress ultimately won't do anything about the telcos and cable companies blocking content -- they're paid (bribed, in various forms, most of which are almost certainly not on the record) not to.

    Not only are they paid not to by the telcos, they're paid not to by the RIAA, MPAA, and the media corporations. The latter is especially important because without the support of the media, you will not win an election campaign, period.

    Big corporations rule the U.S. these days, and there's no stopping it now. There's no way to, even including violent revolution. We're way past the point of no return. And it's not just the U.S., either, but most of the rest of the world as well.

    Historically, totalitarianism of one form or another has been by far the preferred form of government, as evidenced by the fact that the vast majority of the people who have ever lived have lived under it. The experiment with freedom in the world is tiny in comparison.

    Well, it was nice while it lasted. I'm going to miss it.

  18. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    Exactly. That's what I meant. If the mechanisms are not used, they don't work. Same as our mechanisms.

    You can't prevent the programmer from intentionally bypassing your mechanisms. But that's not the point. The point is to prevent him from accidentally bypassing your mechanisms -- to prevent him from making mistakes. This is what strongly typed languages attempt to do (with some success, I might add), and what a checking mechanism would also attempt to do.

    A checking mechanism can be put in place to attempt to ensure that the programmer always uses placeholders. It can be bypassed, but the programmer would have to do so intentionally, which is not what you're trying to protect against. The purpose is to prevent mistakes, not willful misuse. Security holes almost always come about as a result of coding mistakes.

    Who cares? Our development time is much quicker, our lines of code much smaller, than a strongly typed language. I'll take a very rare problem that would have been caught by strong typing, as I am way ahead even still.

    And you know your development time is much quicker how, exactly?

    Even if your development time is faster than with a strongly typed language, you generally lose all of that advantage and then some as a result of having to chase down and fix the additional bugs that arise from the nature of the language you're using. Because now you have to contend with those bugs and the types of bugs that you always get regardless of language.

    Also, I think you're confusing strictness with richness and/or expressiveness. Yes, strongly typed languages have traditionally been relatively sparse but a language's strictness does not forbid it from being rich, or easy to develop in.

    And who cares about how big or small your lines of code are? What matters is how easy the code is to write and to understand (you want both). Perl is generally horrible in the latter regard (it's possible to write easily-read Perl but that requires inhuman amounts of discipline to do consistently). How short your lines of code are is not a function of the strictness of the language, either.

    You can't eliminate bugs entirely, short of doing a full mathematical correctness proof of the code. But the earlier in the development cycle you prevent them, the less expensive the project will end up being in the end. Decades of experience in the computing field and in other engineering fields, for that matter, have shown this to be the case. It astonishes me that it's still common to find people who still arrogantly believe otherwise.

    No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks

    And I am saying you're clearly wrong. There's no rational basis for this claim, other than "I don't prefer your method."

    Really? Then tell me: how would you go about automatically checking whether or not someone has quoted all the variables they are using to build a query with?

    I can come up with more than one way to do the same with placeholders. They may not be perfect, but perfection isn't necessary -- it only needs to be more reliable and thorough than the same mechanism (if one exists) for quoting would be.

    And can you safely insert arbitrary data, including binary data, into the database using quoting? No. I tried, and it threw errors. But I can do that using placeholders (as proven by a test using Perl DBI with PostgreSQL).

    False. It works every single time, unless the programmer doesn't do it. Just like placeholders.

    It works every single time for preventing injection attacks, yes. It doesn't work every single time for getting data into the database. But placeholders do (at the very least when the underlying database supports them. DBD implements placeholders in

  19. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    but that's not why they're there -- they're there to prevent mistakes.
    They are there to prevent security holes. Which is no different from our mechanisms.

    No, I meant mechanisms which would enforce the use of placeholders to keep developers from inadvertently using unsafe queries. Those mechanisms could be bypassed intentionally by the programmer, and if they are then there's an increased risk of security holes because the security mechanism you want the programmer to use (placeholders) isn't being used.

    Sorry if I didn't make that clear.

    And yet, we use Perl, which has no typing at all.

    Yes. And how many bugs have you encountered at runtime that occurred because of this, when a strongly-typed language would have caught them at compile time? My bet is that it's significantly more than zero.

    Some languages are better about this than others. Python is especially bad about this because everything, up to and including the methods attached to a class, is ultimately dynamic.

    The bottom line here is that you are correct, except in that you think I am incorrect. We're both correct. There is no Right Way, except as defined by the people running the project.

    The Right Way is defined by the set of goals and their relative priority. More precisely, the goals determine the ordering of solutions in terms of their desirability and suitability. Saying that there's no Right Way can be interpreted to mean that all solutions are equivalent, which is clearly not the case.

    If we have an actual hole, obviously, that's Wrong. But that's not the case here: you just think we're preventing holes "wrongly," and that does not compute.

    No, I'm saying that the method that you are using is not the best for minimizing SQL injection attacks (along with having other problems). It works towards that end, yes, but it's not the best approach for accomplishing that task. My point here is that the use of placeholders is a more complete solution which can more easily be enforced upon the programmer and which is a superior method of getting data into the database safely because it was designed explicitly for that task. Quoting is just a kludge. It happens to work most of the time, but it's still a kludge.

  20. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    Sanitization works as long as the sanitized result can't itself be a valid form of SQL. So it helps to reduce the chance of a SQL injection attack, of course, and it should be used regardless (input checking is a form of correctness checking and thus should be done as a matter of course). So it's really orthogonal to the use of quoting or placeholders.

    But quoting is no substitute for a backend mechanism designed explicitly to allow passing data to the database, which is what placeholders are. Quoting is nice and has its place like any tool, but it can't, and doesn't, compare with placeholders for the purpose of passing data to the database. With placeholders, I can pass arbitrary data to the database, including binary data. I know this, because I just tested it. Works great with placeholders, doesn't work with quoting.

    I'll be happy to post the test code I'm using that proves this if you want.
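    The checking mechanism argued for in comment 18 and the binary-data test mentioned in comments 18 and 20, as an added example that is neither kcbrown's test code nor Slash's own. It uses Python's sqlite3 module in place of Perl DBI with PostgreSQL, a table named blobs, and a regular-expression heuristic of my own for spotting inlined values; all of those are assumptions, not anything from the thread.

```python
"""Placeholders versus quoting: an enforcement check and a binary round-trip.

Added example using Python's sqlite3 module (an assumption; the thread used
Perl DBI with PostgreSQL). Table name, regex and function names are mine.
"""
import re
import sqlite3


class UnboundValueError(Exception):
    """Raised when a statement appears to carry an inlined value."""


# Heuristic, not a SQL parser: any single-quoted string literal, or a bare
# number right after a comparison operator or an IN(...)/VALUES(...) opener,
# is almost always data that should have been bound through a placeholder.
_INLINED_VALUE = re.compile(
    r"'(?:[^']|'')*'"
    r"|(?:=|<>|!=|<|>|\bIN\s*\(|\bVALUES\s*\()\s*-?\d+",
    re.IGNORECASE,
)


def guarded_execute(conn, sql, params=(), allow_inlined=False):
    """Execute `sql` only if its data arrives through placeholders.

    `allow_inlined` is the deliberate escape hatch (the "magic variable"):
    a programmer has to set it on purpose, so accidental inlining is caught
    while intentional bypass, which no check can prevent, stays possible.
    """
    if not allow_inlined and _INLINED_VALUE.search(sql):
        raise UnboundValueError(f"inlined value in statement: {sql!r}")
    return conn.execute(sql, params)


def open_db():
    """In-memory database with one BLOB column (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blobs (id INTEGER PRIMARY KEY, data BLOB)")
    return conn


def placeholder_roundtrip(conn, payload: bytes) -> bytes:
    """Store arbitrary bytes through a placeholder and read them back unchanged."""
    cur = guarded_execute(conn, "INSERT INTO blobs (data) VALUES (?)", (payload,))
    row = guarded_execute(conn, "SELECT data FROM blobs WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def quoted_roundtrip(conn, payload: bytes):
    """Try the same bytes via string quoting.

    Returns what came back, or None if the database refused the statement.
    Quoting needs text, so the bytes are decoded (latin-1 never fails); a NUL
    byte then makes sqlite3 reject the statement outright, and even when it is
    accepted the value is stored as TEXT and comes back as str, not bytes.
    """
    quoted = "'" + payload.decode("latin-1").replace("'", "''") + "'"
    try:
        cur = conn.execute("INSERT INTO blobs (data) VALUES (" + quoted + ")")
    except (ValueError, sqlite3.Error):
        return None
    row = conn.execute("SELECT data FROM blobs WHERE id = ?", (cur.lastrowid,)).fetchone()
    return row[0]
```

    The guard is only a net for the accidental case: `SELECT data FROM blobs WHERE id = 1` is refused unless `allow_inlined=True` is passed on purpose, while the placeholder form goes through, and a payload such as `b"\x00\xff'\x01"` survives the placeholder round-trip intact but cannot be quoted into a statement at all.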

  21. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    This talk of diligence is weird to me. This only comes up when you are writing a new call to the DB, or modifying one; so if you don't properly handle data that needs to be handled, how is that significantly different from, say, not using placeholders? Writing a function that bypasses them? That's possible too. It's not a zero probability at all. Both methods work, if the methods are used. If they are not used, they don't work.

    Mechanisms only work if you use them.

    The use of placeholders can be enforced in code, if incompletely. As far as I know, the use of quoting can't be enforced at all.

    You can't prevent the programmer from bypassing the mechanisms you put in place, but that's not why they're there -- they're there to prevent mistakes.

    In a way, this "quoting versus placeholders" debate is similar to the debate on weak typing versus strong typing. The former is quicker and easier to use, but the latter reduces the chances of a mistake. And years of experience with many languages have shown me that the latter is more desirable and less costly in the long run. Mechanism beats diligence for correctness every time.

  22. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    Actually, no, DBI.pm (and Slash's DB layer) handle that for you.

    Sorry about that. It's been long enough since I've used quoting at all, much less in Perl, that I'd forgotten that DBI actually supplies the quoting method.

    There's some places where you can't use placeholders or it's just silly or inefficient to. An IN clause, for example (we have some with a thousand or more IDs in an IN). Or if you want to compare a column's equality against a variable if the variable has a value but compare IS NULL if it's undef.

    For the former, I usually define a function to get me a list of placeholders equal to the size of the list I want to put in my IN clause, so the end result is just about as easy to implement as it is with quoting, with the advantage that I don't have to quote my entire list before I pass it:

    $sth = $dbh->prepare("SELECT a FROM b WHERE c IN (" . placeholderlist(@list) . ")");
    $sth->execute(@list);

    For the latter, quoting gives you no advantage at all over a placeholder, since you have to change the form of the query regardless.

    There's always the chance someone will write a clause with variables manually in the text and no one will catch it. You can make a rule "no bare variables in clause strings" but we chose instead to make a rule "no unquoted variables in clause strings (except numerics listed in filter_params)." Maybe there'll be a time our rule isn't followed, but if so there could be a time your rule isn't followed either - I don't think you can throw an assertion to stop it, really.

    I haven't given this enough thought to know whether it would be easier to automatically enforce the use of placeholders or the use of quoted variables, but I suspect it would be easier to enforce the use of placeholders (more precisely, to prevent the accidental use of inlined variables). Just off the top of my head (meaning, this isn't a complete solution by any means): have the SQL interface function throw an exception for any query that doesn't have a placeholder in it, unless some magic variable is set. :-) The theory there is that queries without at least one placeholder are very rare. It's not a complete solution, since it doesn't protect you against a mix, but I haven't given the problem a lot of thought.

    Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. I suspect eventually someone would make an edit that causes an off-by-one correspondence between the ?'s and the variables, bringing chaos and pain throughout the land.

    This depends greatly on the query, of course, but I've found that placeholders allow me to easily see what the query itself looks like in the abstract, which I've found useful. But yes, it does make it more difficult to match variables and such. Python's DB API makes it possible to use named placeholders, which is immensely easier to deal with in that regard.

    I tend to agree with your theory, but in practice I think our system works as well or better.

    Fair enough. Here's hoping that continues to be the case...
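    The IN-clause placeholder list and the equals-versus-IS NULL case from comment 22, as an added example that is neither kcbrown's placeholderlist nor Slash's code. It uses Python's sqlite3 module, whose DB API supports the named placeholders the comment mentions, with an assumed table b(a, c), constructed sample rows, and a chunk size of 500 for long ID lists; none of those come from the thread.

```python
"""Placeholders for IN (...) lists and for the equals-or-IS NULL case.

Added example using Python's sqlite3 module (an assumption; the thread is
about Perl DBI). Table b(a, c), the chunk size and all names are mine.
"""
import sqlite3


def placeholder_list(values):
    """Return "?, ?, ?" sized to `values`, for splicing into IN (...)."""
    if not values:
        # "IN ()" is a syntax error in most engines; callers handle empty lists.
        raise ValueError("placeholder_list needs at least one value")
    return ", ".join("?" for _ in values)


def select_in(conn, ids, chunk=500):
    """SELECT a FROM b WHERE c IN (...) for any number of ids.

    Engines cap the number of bound variables per statement (older SQLite
    builds at 999), so a thousand-ID list is run in chunks and merged.
    """
    ids = list(ids)
    found = set()
    for start in range(0, len(ids), chunk):
        part = ids[start:start + chunk]
        sql = "SELECT a FROM b WHERE c IN (" + placeholder_list(part) + ")"
        found.update(row[0] for row in conn.execute(sql, part))
    return sorted(found)


def select_by_nullable(conn, value):
    """c = :v when a value is given, c IS NULL when it is None.

    The query text changes shape either way, so quoting gains nothing here;
    the named placeholder keeps the bound value readable by name.
    """
    if value is None:
        return [row[0] for row in conn.execute("SELECT a FROM b WHERE c IS NULL ORDER BY a")]
    return [row[0] for row in conn.execute("SELECT a FROM b WHERE c = :v ORDER BY a", {"v": value})]


def open_db(rows):
    """In-memory table b(a, c) filled with the given rows via named placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE b (a INTEGER PRIMARY KEY, c INTEGER)")
    conn.executemany("INSERT INTO b (a, c) VALUES (:a, :c)", rows)
    return conn


SAMPLE_ROWS = [  # constructed sample data, not from any real system
    {"a": 1, "c": 10},
    {"a": 2, "c": 20},
    {"a": 3, "c": None},
    {"a": 4, "c": 10},
]
```

    The chunking is the part that matters once the ID list grows to the sizes mentioned above: each chunk is still a fully parameterised statement, and the bound list never touches the SQL text, so there is nothing to quote.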

  23. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    False. It's only a hole if it is a hole.

    The problem is that you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero.

    In this case, you have a defense against it but it's not a bulletproof defense. You're relying on some combination of the form parameter being sanitized (which requires diligence on the part of the programmer who writes the form handler) and the value being quoted (which requires diligence on the part of the programmer writing the code which is sending the value to the database).

    In other words, you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes.

    You can eliminate SQL injection attacks entirely by using placeholders.

    You can furthermore avoid the need to quote anything by using placeholders.

    Oh, and placeholders give you one more advantage: they're database independent. If a database supports placeholders at all, you're done. If you instead do quoting, you have to tailor your quoting function to the database engine you're using, because they're not all alike in that regard.

    So from where I sit, placeholders have significant advantages and have no disadvantages. Why in the world aren't you using them?

  24. Re:No placeholders? on Slashdot's Setup, Part 2- Software · · Score: 1

    Sure. We do not rely on programmers to check all the time. Indeed, what jamie didn't mention (I think) is that most of the time, we sanitize user input before it ever gets to the programmer. A programmer using $form->{uid} directly in SQL will never allow SQL injection, because the programmer will never get $form without $form->{uid} having already been sanitized.

    Most of the time?

    So sanitization isn't a guaranteed thing?

    There's your SQL injection security hole right there. All it takes is one field that isn't properly sanitized to ruin your entire day.

    You should never rely on diligence over mechanism for security.

    For shame. You people should know better than this by now.

  25. Re:I agree on Vista Vs. Gutsy Gibbon · · Score: 5, Insightful

    I, too, keep hearing stories about how bad Vista is, and not just from Slashdot. Cranky Geeks (not a pro-Linux show) went on for five minutes last week about how useless it is.

    Still, I walk into any computer store and see only Vista machines for meters and meters. The whole thing confuses me. ;)

    It's not confusing at all. What you're seeing is the direct result of Microsoft really being in a monopoly position. People can deny it all they want ("Microsoft doesn't have 100% of the desktop, so they can't be a monopoly!!"), but Microsoft's ability to bend the market against the wishes of the customer and the retailer is precisely what makes them a monopoly.

    Your observation is just confirmation of that.