If your output is properly escaped and you're correctly using parameterized queries and not doing stupid dynamic SQL tricks that are generally necessitated by having a terrible DB layout, it doesn't matter. Go ahead. Put a billion apostrophes, and Unicode apostrophes (that MS SQL [and maybe others] will horrifically collapse down to regular if your connection is ASCII), semicolons, whatever you want. It'll sit there in the field looking pretty.
Uh, just don't make it 2.2 billion apostrophes. Bad things.
Compared to the overhead of reading from the database, building the rest of the page's HTML, and then sending over the network, practically nothing. This is not hyperbole.
Even if it wasn't nothing, it would have to be very significant, and performance would have to be a primary factor in the software's spec before I'd consider scrapping an extremely easy to use security practice in order for a faster runtime.
I'll do that as soon as you demonstrate how to bite your own ear off.
What's that? You never claimed it was possible? Huh.
An implicit assumption when talking about checking an HTTP header is that it's done somewhere that actually needs to check it. A browser is the source of the header. Looking at it is silly and irrelev[b]a[/b]nt. It's you that doesn't understand the problem.
Yeah, if everybody just starts doing what we haven't been able to get them to start doing for the last 40 years, things will be great! Come on guys, roll your sleeves up, let's get to it!
Ugh.
That link is suggesting that a regex is the proper way to validate an e-mail address.
NO NO NO NO NO NO NO NO NO NO NO NO NO
Parse it. On the server that will be committing the data, using the very same code. It is possible to do it right. Layered defense isn't a bad thing, but a crappy half measure is often worse than nothing at all.
It suggests that crappy heuristics is the proper way to ensure a user doesn't get access to a file they shouldn't have access to.
NO NO NO NO NO NO NO NO NO NO NO NO NO
You first decide exactly which file you will be accessing, and then check if it's within your sandbox. Optimally, you have a single class or set of functions that gates all access to files, and/or you don't put user input in the filesystem metadata at all to begin with.
Hilariously, it even suggests restricting user input to not allow it to contain SQL control characters. Man. The number of security bugs I've found and fixed when that fails... I've found, through experience, that explicitly allowing them actually results in more secure code, as it forces programmers to think for two seconds before committing and moving on building a new gaping hole, and ensures that they'll be in the test cases. People seriously don't even think about the possibility if it's not held right under their nose.
Your solution appears to be, "Do exactly what we've been doing, just more." My rebuttal to that is the entire history of computer security. While it's true that proper understanding of underlying standards and protocols would go a long way toward mitigating the problems, a more complete solution is to make such detail-oriented understanding unnecessary. Compartmentalization of knowledge is, in my opinion anyway, the primary benefit of computers, and the rejection of providing that benefit to other programmers or utilizing it yourself while writing software smacks of programmers who don't want others invading their turf.
I'll grant you, new does not necessarily mean better. Some new approaches work better, some work worse, but we already know exactly what the old approach accomplishes.
You pick up the speech patterns of people you hang out with. I can't say I've picked up much, if any, but I hang out with and talk to a lot of British folks every day, and if something came out, I wouldn't try to suppress it. That's being who you are. Hanging on to the same way you talked yesterday and ridiculing anyone who doesn't do the same is just part of being a bitter old... douche.
By the way, where do you suppose "for fuck's sake" started?
I'm actually not a big fan of validating inputs. I find proper escaping is a much more effective tool, and validation typically leads to both arbitrary restrictions of what your fields can hold and a false sense of security. It's why you can't put a + sign in e-mail fields, or have an apostrophe in your description field.
In short, if a data type can hold something, it should be able to read every possible value of that data type, and output every possible value of that data type. That means that if you have a Unicode string field, you should accept all valid Unicode characters, and be able to output the same. If you want to restrict it, don't use a string. Create a new data type. This makes escaping easy as well. You don't have a method that can output strings, at all. You have a method that can output HTMLString, and it escapes everything it outputs. If you want to output raw HTML, you have RawHTMLString. Makes it much harder to make a mistake when you're doing Response.Write(new RawHTMLString(userField)).
A multi-pronged approach is best, and input validation certainly has its place (ensuring that the user-supplied data conforms to the data type's domain, not trying to protect your output), but the first and primary line of defense should be making it harder to do it wrong than it is to do it right.
By that metric weather affects everything, and you'd be asking a completely useless question.
Ladies and gentlemen, we have a winner!
Most people realize the actual question being asked is whether cloud computing is affected by weather more than other generic things, to which the answer is no, in fact it's less affected by weather than other generic things. What do you prove by deliberately misinterpreting the survey question?
Rank the following in terms of likelihood:
1.) A person thinks cloud computing involves actual clouds.
2.) The people running the survey deliberately asked ridiculous or trick questions in order to get a sensational response that would drive readership and therefore profits.
3.) A person genuinely gave an over-literal response due to the weather's actual ability to take out a data center despite the question being intended to gauge whether a person thinks cloud computing involves actual clouds.
It's fairly smooth to me, although I can tell that it's not as smooth as it should be. I ran Firebug's profiler on this, Win 7 x64, 32-bit FF 15, this is an approx 2 second scroll using a mouse drag on the scroll thumb:
If you copy/paste that code block, it'll be formatted into readable columns. Compare it with your own run, see what the difference is.
From a quick look, the majority of the time seems to be spent in some janky event system that involves string concatenation and lowercasing for every event fire. Bleugh. I like the end result, it's an impressive grid, and I'm sure they had their reasons, but man working in JS can be awful.
I'd really like to know this as well. I hear anecdotes like this that sound incredibly strange all the time, and I can't help but wonder what the difference is.
Of course, to be honest, after 10 years of living in a city I had to think for a quarter second before I remembered what he meant by stars sparkling (or twinkling). On the rare occasions that you even bother to look up, because the sky is so uninteresting, the only stars visible are bright enough that they don't really twinkle.
Spending an evening in the country is always a very, "my God, it's full of stars!" moment.
Who's out of touch? I bought a brand-new laptop two years ago with 4GB of RAM for just over $600, and it was only that much because I wanted a decent video card in it.
That's why the "leave whenever you feel like it" clause is key. You just need to be dealing with someone who respects you enough to not worry about hurting your feelings by leaving, or they'll stay long past when they're bored (or worse, play even though they don't like it), and resent you for it.
Opera? No thanks. But I can get into any concert I actually want to be at dressed exactly how I like to dress. Decent restaurant? I've never noticed much of a correlation between a stringent dress code and how well the food is cooked. I think you're talking about a decent social preening ground that happens to serve food.
The thing is, I don't respect your "right" to have me dress up to sit in an uncomfortable chair next to strangers for hours on end. If I look like I just came out of the shower, chances are good that it's because I just came out of the shower. I do respect your right to not smell my BO (or gallons of awful cologne). If you're so disgusted by it, maybe you should charter your own flights so you don't have to deal with the rabble like me.
Yep, just download and run the 3rd-party app developed by "Mike" to get the secret URL to your files so you can put it in Microsoft's non-working WebDAV implementation. Easy as pie!
Slashdot Mirror
If your output is properly escaped and you're correctly using parameterized queries and not doing stupid dynamic SQL tricks that are generally necessitated by having a terrible DB layout, it doesn't matter. Go ahead. Put a billion apostrophes, and Unicode apostrophes (that MS SQL [and maybe others] will horrifically collapse down to regular if your connection is ASCII), semicolons, whatever you want. It'll sit there in the field looking pretty.
Uh, just don't make it 2.2 billion apostrophes. Bad things.
Seriously?
Compared to the overhead of reading from the database, building the rest of the page's HTML, and then sending over the network, practically nothing. This is not hyperbole.
Even if it wasn't nothing, it would have to be very significant, and performance would have to be a primary factor in the software's spec before I'd consider scrapping an extremely easy to use security practice in order for a faster runtime.
I'll do that as soon as you demonstrate how to bite your own ear off.
What's that? You never claimed it was possible? Huh.
An implicit assumption when talking about checking an HTTP header is that it's done somewhere that actually needs to check it. A browser is the source of the header. Looking at it is silly and irrelev[b]a[/b]nt. It's you that doesn't understand the problem.
Yeah, if everybody just starts doing what we haven't been able to get them to start doing for the last 40 years, things will be great! Come on guys, roll your sleeves up, let's get to it!
Ugh.
That link is suggesting that a regex is the proper way to validate an e-mail address.
NO NO NO NO NO NO NO NO NO NO NO NO NO
Parse it. On the server that will be committing the data, using the very same code. It is possible to do it right. Layered defense isn't a bad thing, but a crappy half measure is often worse than nothing at all.
It suggests that crappy heuristics is the proper way to ensure a user doesn't get access to a file they shouldn't have access to.
NO NO NO NO NO NO NO NO NO NO NO NO NO
You first decide exactly which file you will be accessing, and then check if it's within your sandbox. Optimally, you have a single class or set of functions that gates all access to files, and/or you don't put user input in the filesystem metadata at all to begin with.
Hilariously, it even suggests restricting user input to not allow it to contain SQL control characters. Man. The number of security bugs I've found and fixed when that fails... I've found, through experience, that explicitly allowing them actually results in more secure code, as it forces programmers to think for two seconds before committing and moving on building a new gaping hole, and ensures that they'll be in the test cases. People seriously don't even think about the possibility if it's not held right under their nose.
Your solution appears to be, "Do exactly what we've been doing, just more." My rebuttal to that is the entire history of computer security. While it's true that proper understanding of underlying standards and protocols would go a long way toward mitigating the problems, a more complete solution is to make such detail-oriented understanding unnecessary. Compartmentalization of knowledge is, in my opinion anyway, the primary benefit of computers, and the rejection of providing that benefit to other programmers or utilizing it yourself while writing software smacks of programmers who don't want others invading their turf.
I'll grant you, new does not necessarily mean better. Some new approaches work better, some work worse, but we already know exactly what the old approach accomplishes.
You pick up the speech patterns of people you hang out with. I can't say I've picked up much, if any, but I hang out with and talk to a lot of British folks every day, and if something came out, I wouldn't try to suppress it. That's being who you are. Hanging on to the same way you talked yesterday and ridiculing anyone who doesn't do the same is just part of being a bitter old ... douche.
By the way, where do you suppose "for fuck's sake" started?
Because writing a script to forge the Referer (sic) header is trivial.
Without an example it's tough to say for sure, but I suspect that it only works when the output isn't properly escaped.
I'm actually not a big fan of validating inputs. I find proper escaping is a much more effective tool, and validation typically leads to both arbitrary restrictions of what your fields can hold and a false sense of security. It's why you can't put a + sign in e-mail fields, or have an apostrophe in your description field.
In short, if a data type can hold something, it should be able to read every possible value of that data type, and output every possible value of that data type. That means that if you have a Unicode string field, you should accept all valid Unicode characters, and be able to output the same. If you want to restrict it, don't use a string. Create a new data type. This makes escaping easy as well. You don't have a method that can output strings, at all. You have a method that can output HTMLString, and it escapes everything it outputs. If you want to output raw HTML, you have RawHTMLString. Makes it much harder to make a mistake when you're doing Response.Write(new RawHTMLString(userField)).
A multi-pronged approach is best, and input validation certainly has its place (ensuring that the user-supplied data conforms to the data type's domain, not trying to protect your output), but the first and primary line of defense should be making it harder to do it wrong than it is to do it right.
By that metric weather affects everything, and you'd be asking a completely useless question.
Ladies and gentlemen, we have a winner!
Most people realize the actual question being asked is whether cloud computing is affected by weather more than other generic things, to which the answer is no, in fact it's less affected by weather than other generic things. What do you prove by deliberately misinterpreting the survey question?
Rank the following in terms of likelihood:
1.) A person thinks cloud computing involves actual clouds.
2.) The people running the survey deliberately asked ridiculous or trick questions in order to get a sensational response that would drive readership and therefore profits.
3.) A person genuinely gave an over-literal response due to the weather's actual ability to take out a data center despite the question being intended to gauge whether a person thinks cloud computing involves actual clouds.
Aww, copy and paste doesn't preserve formatting when not in preview. Man. Preview should follow the same code path as a post!
It's fairly smooth to me, although I can tell that it's not as smooth as it should be. I ran Firebug's profiler on this, Win 7 x64, 32-bit FF 15, this is an approx 2 second scroll using a mouse drag on the scroll thumb:
Function Calls Percent Own Time Time Avg Min Max File anonymous 50 38.89% 2.017ms 2.773ms 0.055ms 0.026ms 0.536ms dhtmlxgrid.js (line 60) anonymous 31 24.16% 1.253ms 2.039ms 0.066ms 0.031ms 0.264ms dhtmlxgrid.js (line 443) anonymous 81 14.04% 0.728ms 1.018ms 0.013ms 0.003ms 0.041ms dhtmlxcommon.js (line 891) anonymous 50 8.1% 0.42ms 0.42ms 0.008ms 0.006ms 0.015ms dhtmlxgrid.js (line 63) anonymous 50 5.65% 0.293ms 3.066ms 0.061ms 0.028ms 0.604ms dhtmlxgrid.js (line 287) anonymous 31 4.88% 0.253ms 0.29ms 0.009ms 0.005ms 0.027ms dhtmlxcommon.js (line 902) anonymous 32 2.85% 0.148ms 0.148ms 0.005ms 0.001ms 0.044ms dhtmlxgrid.js (line 287) anonymous 31 0.71% 0.037ms 0.037ms 0.001ms 0ms 0.002ms style.html (line 46) anonymous 1 0.39% 0.02ms 0.082ms 0.082ms 0.082ms 0.082ms dhtmlxgrid.js (line 287) anonymous 1 0.35% 0.018ms 0.062ms 0.062ms 0.062ms 0.062ms dhtmlxgrid.js (line 104)
If you copy/paste that code block, it'll be formatted into readable columns. Compare it with your own run, see what the difference is.
From a quick look, the majority of the time seems to be spent in some janky event system that involves string concatenation and lowercasing for every event fire. Bleugh. I like the end result, it's an impressive grid, and I'm sure they had their reasons, but man working in JS can be awful.
I gotta ask, if you can time-travel from the '80s when that was still a joke, why did you choose to come to the year 2012?
I'd really like to know this as well. I hear anecdotes like this that sound incredibly strange all the time, and I can't help but wonder what the difference is.
Of course, to be honest, after 10 years of living in a city I had to think for a quarter second before I remembered what he meant by stars sparkling (or twinkling). On the rare occasions that you even bother to look up, because the sky is so uninteresting, the only stars visible are bright enough that they don't really twinkle.
Spending an evening in the country is always a very, "my God, it's full of stars!" moment.
Use Firebug.
Who's out of touch? I bought a brand-new laptop two years ago with 4GB of RAM for just over $600, and it was only that much because I wanted a decent video card in it.
Yeah, if it weren't for all those pesky things you want your computer to do, it would be more than enough.
No, that's called competition.
Yeah, allies a great and all, but it's a real drag when you have to support them.
That's why the "leave whenever you feel like it" clause is key. You just need to be dealing with someone who respects you enough to not worry about hurting your feelings by leaving, or they'll stay long past when they're bored (or worse, play even though they don't like it), and resent you for it.
Hear, hear! I say, the judges should quit fucking around. Just cut his hands off and be done with it.
It's comforting to know you can kill a person without being able to be traced, huh?
Opera? No thanks. But I can get into any concert I actually want to be at dressed exactly how I like to dress. Decent restaurant? I've never noticed much of a correlation between a stringent dress code and how well the food is cooked. I think you're talking about a decent social preening ground that happens to serve food.
The thing is, I don't respect your "right" to have me dress up to sit in an uncomfortable chair next to strangers for hours on end. If I look like I just came out of the shower, chances are good that it's because I just came out of the shower. I do respect your right to not smell my BO (or gallons of awful cologne). If you're so disgusted by it, maybe you should charter your own flights so you don't have to deal with the rabble like me.
Yep, just download and run the 3rd-party app developed by "Mike" to get the secret URL to your files so you can put it in Microsoft's non-working WebDAV implementation. Easy as pie!
Er, except it doesn't work anymore. But other than that..
Way ahead of ya.