The problem with avoiding "divisive" figures is that anyone becomes "divisive" when the other side (i.e. the anti-scientific side) attacks them. Then any effort anyone makes to correct the record becomes part of the "controversy."
If you jettison anyone fighting for your side (i.e. science) as soon as they are attacked, you will very soon run out of smart people like Gore and Dawkins. We get a Sagan once a generation, and to remain above the fray he had to go so far as refusing to denounce astrology. That was his choice, but I think more smart people should denounce astrology, and other dumb things, and I will support them when they do, even if they get attacked.
Drudge didn't say that "Clinton staffers" had sent the photo in question to him; he simply said that unnamed Clinton staffers had "circulated" the photo (where, he didn't say), and he quoted an accompanying e-mail message--without saying who the e-mail had gone to. Do you mind if we draw two simple conclusions--conclusions so simple a child could reach them? First: In all likelihood, no Clinton staffer sent the photo to Drudge, or the brilliant fellow would have said that they had. Second: For all anyone knows, some Clinton staffer sent the photo to a friend in Obama's campaign, and the photo and e-mail proceeded from there. Is that what happened? We have no idea. But then, no one but Drudge has the slightest idea what facts (if any) lay behind his report...
I think Somerby is too trusting when he makes the "if any" a parenthetical. I think it's just as likely that Drudge is mistaken or lying and that the Clinton campaign never "circulated" the photo at all. Why do I think that's just as likely? Because I don't trust a word that Drudge passes along from anonymous sources.
Some news outlets have built a solid reputation of accuracy and you can lend them some level of trust when they assert a fact without citing a named source to back it up. Drudge is not one of them.
The source was anonymous, but NOT with the Clinton campaign? I take it you are the source, or know the source personally, since you know this. Otherwise, I can't imagine how you could know it.
You really can't imagine?
Drudge said the photo was circulating somewhere, but didn't say where, i.e., whoever sent it to him remained anonymous.
And Drudge did not say that he got the photo from someone in the Clinton campaign. If someone in the Clinton campaign had sent it to him, of course he would have said so (the story would have been a hundred times better). He did not say so, ergo whoever sent it to him was not in the Clinton campaign.
he'd say as much just to keep his source in the Clinton campaign active - you don't burn your sources in public.
What "source in the Clinton campaign"? Why are you jumping to conclusions and assuming he has one?
How would his saying he got the photo from an anonymous source in the Clinton campaign burn that source?
I really don't think the slagging match that the Democrats are having is doing them any favours. Showing Obama wearing a turban... and making racial slurs is not a good way to win votes
I guess you pay too much attention to the mainstream news... you must think it was the Clinton campaign that "showed" Obama in the native garb. It was Matt Drudge who asserted it was the Clinton campaign circulating it. His source was anonymous, and he didn't get it from the Clinton campaign. Oh, and the Clinton campaign denied it immediately and the Obama campaign said they accepted the Clinton campaign's denial. But still the mainstream media went ahead and put it out there as "Clinton smears Obama with photo" because Matt Drudge rules their world. And you believed it.
As for the Clinton campaign "making racial slurs"... really? Really?! They have never done any such thing. You can't cite even one.
I don't favor Clinton over Obama. But it sickens me, the degree to which the media ignore basic journalistic principles and outright lie to attack her. Anything goes as long as it hurts a Clinton. (I'm sure they'll be doing Obama the same favor if he wins the nomination!)
FOX: I didn't take it deliberately as some kind of theatrical thing... You know..how about using the entire quote:
FOX: I didn't take it deliberately as some kind of theatrical thing but it seemed right for me to be -- to be uncomfortable in that situation.
Please give Rush Limbaugh the benefit of actually reading what Michael J. Fox said--he's admitting to 'tinkering' with his meds--but he did it not to be 'theatrical', but rather to be 'uncomfortable' during his presentation. [...] I'm left with the impression that Fox *did* (at one time) deliberately 'tinker' with his medications...
Here's what Fox actually said:
It isn't as if I didn't take it deliberately, as some kind of theatrical thing, but it seemed right for me to be -- to be uncomfortable in that situation.
Fox is explicitly denying the "impression" that you claim you have. You are using a quote from Rush Limbaugh, who chopped off the preface "It isn't as if," which gives the quote the exact opposite meaning.
And then you chastised me for not using the "entire quote." Wow.
I mean maybe you want to say Fox is a big liar or whatever, but to selectively edit his quote to pretend he's saying the exact opposite of what you say he's saying...? C'mon.
What Fox was saying was that he didn't do anything special with his meds that way, but (as he's explained elsewhere) he has good days and bad days, and it did seem somehow appropriate for him to be having a kind of bad day on that particular day. These two things can both be true.
I know you already said you like Glenn Beck, but... try to think for yourself please. Sheesh.
you are criticizing Rush Limbaugh because you think he insults people, and you chose to do that by... insulting him?
Hey jackhole, get a clue. When a bloated gasbag spews lies about an advocate for people with a debilitating disease, you're goddamned right he gets insulted. And when Rush mocks the disease's effects, shaking his body spastically around on camera to mimic Fox's illness, oh holy crap does he deserve to be insulted. Shakespeare didn't write enough insults for sick bastard whores like Rush Limbaugh.
But guess what? Rush was right. Fox later admitted that he purposely skips his medication before public events like this so people will see his worst case symptoms. Here is a video clip of him admitting this.
Guess what, you brain-dead moron? In that video clip Fox denies what he supposedly admitted, saying explicitly -- listen to your own video clip --
"It isn't as if I didn't take it deliberately, as some kind of theatrical thing."
Which of course pustulent corpse-raper Rush Limbaugh quotes as:
FOX: I didn't take it deliberately as some kind of theatrical thing...
Here, as usual, Rush listeners learn their facts about the world exactly backwards. It's the price you pay for giving a fat, impotent, parasitic slug-worm an invitation into your living room. Lend credence to the sneering ringmaster of a national freakshow and what happens is that you become stupid. Let me give you another example. If you'd bothered to learnsomething instead of lazily gulping down Limbaugh's diarrhea, you might have known that the visible tremors Rush was mocking come from the medication:
In fact, at the time he was over-medicated for his Parkinson's disease, Fox said Thursday in an exclusive interview with CBS Evening News anchor Katie Couric.
"The irony is that I was too medicated. I was dyskinesic," Fox told Couric. "Because the thing about... being symptomatic is that it's not comfortable. No one wants to be symptomatic; it's like being hit with a hammer."
His body visibly wracked by tremors, Fox appears in a political ad touting Missouri Democratic Senate candidate Claire McCaskill's stance in favor of embryonic stem cell research. That prompted Limbaugh to speculate that Fox was "either off his medication or acting."
Fox told Couric, "At this point now, if I didn't take medication I wouldn't be able to speak."
I'm not the president of the Michael J. Fox fan club or anything. But the guy has to take his meds in order to be able to talk and move and interact with the world with some kind of normalcy. Without the medication, Parkinson's patients' muscles become rigid, their movements slow, and they even become unable to move at all. At the start of the filming day, Fox doesn't know if he's going to nail the ad in one take or is going to be there all day, so you can only imagine how carefully he plans out how much medication he's going to take and when, to ride the tightrope between his disease's wracking paralysis and the cure's tremors. Did he guess exactly right? I don't know, maybe not. Is Rush Limbaugh the biggest hate-smeared asshole the world has ever seen for second-guessing a prescription for someone he's never met, someone who is just trying to help a cause he believe
I admit I haven't spent a lot of time dissecting Clinton and Obama's respective differences. This is partly because I live in Michigan and didn't get a vote that counted this year anyway. And my vote would have gone to Edwards, but he wasn't on my ballot and then he dropped out.
That said, I think the big stuff is what matters. The two big issues are the war and health care.
I'd favor Obama because I think he is the most likely of the two to start pulling troops out of Iraq immediately upon taking office. I know Clinton has said she will end the war but -- I admit this is merely a gut feeling -- I could see her compromising on this.
And I'd favor Clinton because her health care plan is more progressive. I support single-payer health care and her plan comes closest. Obama is attacking her from the right on this, which (as Paul Krugman points out) is something progressive Obama supporters don't seem to understand.
So my two big issues are split 50/50. Which would I vote for if I actually got to choose? I don't actually know. Tough call.
Republican Senators are right now stonewalling and trying to prevent a one-month extension of the same legislation they insisted last year was vital, urgent, and necessary to prevent terrorist attacks in "days, not weeks." The President has said he would veto a one-month extension of this legislation that, last year, we supposedly needed to stop the terrorists from attacking America.
They are protesting a one-month extension so that people who aren't paying attention will pressure Democrats to cave in and give Republicans what they want. The Republicans are literally -- if you believe their own words -- exposing America to danger of terrorist attack as a political tactic to pass the legislation they want.
And what they want is retroactive immunity for corporations so that we, the people, have no legal recourse to discover whether those corporations cooperated with the Bush administration in breaking the law.
The tools are already available. They allow the NSA to spy, and they allow American corporations to assist that spying. It's just that the laws must be followed. They are not difficult to follow. And corporations already are immune from both civil and criminal consequences if they can just demonstrate that, even though they broke the law, they acted on a good-faith belief at the time that what they did was legal.
If you think this about whether we can monitor what the terrorists are talking about, you're wrong.
I liked the comment by Sen. Bond (R-Mo.) that failure to give telecom providers retroactive immunity for any crimes they may have committed would be
leaving them open to disclosure and exceedingly serious competitive and reputational harm, perhaps even physical retaliation by radicals who oppose our intelligence gathering.
He is saying -- he is actually saying -- that Congress has to prevent its own laws from being applied to a corporation, because if the courts are allowed to proceed with civil lawsuits, angry mobs of disaffected citizens will storm the corporate headquarters of AT&T and Verizon and burn them to the ground because they oppose intelligence gathering. We must circumvent the legal process to soothe the hordes of Americans who are furious at the NSA. This is surely the most bizarre panem-et-circenses ever.
Or maybe he's saying Al Qaeda sleeper cells will launch attacks on key NOCs for our internet backbone... the only thing holding them back is they're waiting for word to come that a civil lawsuit has been filed against the owning corporation and depositions have been submitted and discovery is proceeding, Allahu Akbar!
(2) Either way, that's an extremely stupid comeback to a simple fact about polling. Unofficial polls prior to the official date are sometimes off by large margins, especially in primaries. It happens. That's not by itself a reliable indicator of fraud.
Does that mean that HTML5 should specify PNG exclusively for image content?
Last I knew, both JPEG and GIF were unencumbered by patents. An alleged JPEG patent claim would have expired last year even if valid, and Unisys's last GIF patents expired in 2003-6. If I missed something, let me know.
Please tag a story 'typo' when you see this. It'll alert us admins to a problem and it'll get fixed in probably less time than it takes to write a comment about it...
Pound, our reverse proxy, lets you redirect traffic based on header text. If it sees one of our user cookies, it directs you to a dynamic webhead even if the URL you're hitting is static by default. One of the relevant parts of our config file reads:
Back in 1993 or so, I was not only the chief Macintosh programmer for an educational-games company, I was its only in-house programmer and also the main Mac tech support guy. That meant my working on our next game would be interrupted by answering the phone to deal with customer complaints about the last game I'd written. It sounds cruel but it may have helped inspire me to write better software:)
Anyway, I got a really puzzling complaint from one woman who was irate, and had a right to be. Our software had infected her PC with the Michaelangelo virus. She was mad enough that I had to take the call despite it not being our Mac version. It took a lot of calming-down but I was able to make her understand that it was impossible for the floppy disks to leave our warehouse with the virus because we'd shipped the exact same disks to thousands of other people and hers was our first Michaelangelo complaint. But she had taken the disks to her local PC-repair shop and they'd tested positive for Michaelangelo.
So I asked her where she'd bought them. J&B Computer World. Fine. I called up her local J&B and eventually got put through to a manager... after some prodding, it turned out they'd had a Michaelangelo outbreak at their store a month prior. Oh, and yes they did sometimes "test out" the software they resold by playing it themselves. Oh, and yes, they had a shrink-wrapping machine.
I called back our customer with the news and she said she was going to take it up with J&B. I always wished I could have listened in on that call:)
the CPU improvement you'd get from caching compiled statements isn't worth it?
Well, I haven't rewritten the whole application to benchmark it:) but I can say pretty definitively, not even close.
but I've seen one or two badly-written apps peg their DB servers' CPUs just compiling bazillions of queries, where placeholders would solve the problem
I think the badly-written part is the bazillions of queries, not the lack of placeholders. Except when you need to insert a bazillion rows, I can't think of any other case where code should have to issue the same query a large number of times in a row.
Slash doesn't really have anyplace where we do that kind of insert, that I can think of offhand. Actually there's a bazillion-row REPLACE sequence in some code I'm working on now. I haven't checked the DB's CPU while that runs, but it's at the end of hours of other DB-intensive processing. My guess is that disk I/O is the bottleneck there anyway, not CPU. I have to imagine that the time to parse INSERT INTO foo VALUES ('x', 2, 3) is measured in microseconds, and the time to commit it, milliseconds.
Anyplace where code is doing SELECT x FROM foo WHERE y=$z more than a few times in a row is simply not using the database correctly. (If I'm wrong about that, counterexamples are welcome!) The fix is to rewrite to use IN clauses and multiple tables to combine queries, which can gain you orders magnitude of speed. Making a badly-written algorithm 2% faster doesn't help.
Oh, and placeholders give you one more advantage: they're database independent. If a database supports placeholders at all, you're done. If you instead do quoting, you have to tailor your quoting function to the database engine you're using, because they're not all alike in that regard.
Actually, no, DBI.pm (and Slash's DB layer) handle that for you.
Of course there would be a zillion other things to do if we wanted Slash to be portable to other RDBMS software at this point...
you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero... you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes.
There's some places where you can't use placeholders or it's just silly or inefficient to. An IN clause, for example (we have some with a thousand or more IDs in an IN). Or if you want to compare a column's equality against a variable if the variable has a value but compare IS NULL if it's undef.
Whitelisting input to a regex solves other bugs as well (notably XSS), so we would do it anyway. It just happens to solve this problem pretty well too.
There's always the chance someone will write a clause with variables manually in the text and no one will catch it. You can make a rule "no bare variables in clause strings" but we chose instead to make a rule "no unquoted variables in clause strings (except numerics listed in filter_params)." Maybe there'll be a time our rule isn't followed, but if so there could be a time your rule isn't followed either - I don't think you can throw an assertion to stop it, really.
In a lot of places we construct long clauses algorithmically, often pushing clauses into an array and then doing a join(" AND ", @array) to get the master clause. To make placeholders work properly for that we'd have to write what sounds like a pretty ugly class to handle it. push @array, "x=$foo_q" and join(" AND ") are simpler and more flexible than $clauses->add("x=?", $foo) and $clauses->combine("AND"). It'd simply be better code in these places to drop the quoted values into the string and if we're going to do it there we might as well do it everywhere.
Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. I suspect eventually someone would make an edit that causes an off-by-one correspondence between the ?'s and the variables, bringing chaos and pain throughout the land.
I tend to agree with your theory, but in practice I think our system works as well or better.
I should point out that SQL injection is easier to defend against than XSS. We honestly have very few incoming data types, a few dozen covers like 95% or more, and since it's an SQL syntax error to send our database "sid=$sid", we end up having to write my $sid_q = $slashdb->sqlQuote($sid);... "sid=$sid_q" anyway. That's injection-proof. The only variables we don't quote are numeric and filter_params checks all incoming numerics.
XSS is the hard one (and it's vaguely related). There's literally a dozen ways to strip/escape text you pull from the DB before emitting it to a webpage, picking the right one often requires a lot of thought, and picking the wrong one has a high probability of being exploitable. The impact is probably less than an SQL injection vuln, but still, we spend a lot more time thinking about XSS.
$form->{sid} is sanitized, not escaped. It's guaranteed to match \d{2}/\d{2}/\d{2}/\d{3,8}|\d{1,8} but its value in perl is its actual value. When you pass it to the DB you have to escape it.
Right, of course we use statement handles but our DB software layer doesn't return them for the rest of the application to iterate through. We encapsulate some of DBI.pm's various convenience methods and in a few cases roll our own.
Slashdot Mirror
The problem with avoiding "divisive" figures is that anyone becomes "divisive" when the other side (i.e. the anti-scientific side) attacks them. Then any effort anyone makes to correct the record becomes part of the "controversy."
If you jettison anyone fighting for your side (i.e. science) as soon as they are attacked, you will very soon run out of smart people like Gore and Dawkins. We get a Sagan once a generation, and to remain above the fray he had to go so far as refusing to denounce astrology. That was his choice, but I think more smart people should denounce astrology, and other dumb things, and I will support them when they do, even if they get attacked.
Good memory! I've added as Related Stories the stories that Slashdot ran at the time. Thanks.
That's pretty much correct. To quote the incomparable Bob Somerby:
I think Somerby is too trusting when he makes the "if any" a parenthetical. I think it's just as likely that Drudge is mistaken or lying and that the Clinton campaign never "circulated" the photo at all. Why do I think that's just as likely? Because I don't trust a word that Drudge passes along from anonymous sources.
Some news outlets have built a solid reputation of accuracy and you can lend them some level of trust when they assert a fact without citing a named source to back it up. Drudge is not one of them.
You really can't imagine?
Drudge said the photo was circulating somewhere, but didn't say where, i.e., whoever sent it to him remained anonymous.
And Drudge did not say that he got the photo from someone in the Clinton campaign. If someone in the Clinton campaign had sent it to him, of course he would have said so (the story would have been a hundred times better). He did not say so, ergo whoever sent it to him was not in the Clinton campaign.
he'd say as much just to keep his source in the Clinton campaign active - you don't burn your sources in public.What "source in the Clinton campaign"? Why are you jumping to conclusions and assuming he has one?
How would his saying he got the photo from an anonymous source in the Clinton campaign burn that source?
I don't think you've thought this through.
I guess you pay too much attention to the mainstream news... you must think it was the Clinton campaign that "showed" Obama in the native garb. It was Matt Drudge who asserted it was the Clinton campaign circulating it. His source was anonymous, and he didn't get it from the Clinton campaign. Oh, and the Clinton campaign denied it immediately and the Obama campaign said they accepted the Clinton campaign's denial. But still the mainstream media went ahead and put it out there as "Clinton smears Obama with photo" because Matt Drudge rules their world. And you believed it.
As for the Clinton campaign "making racial slurs"... really? Really?! They have never done any such thing. You can't cite even one.
I don't favor Clinton over Obama. But it sickens me, the degree to which the media ignore basic journalistic principles and outright lie to attack her. Anything goes as long as it hurts a Clinton. (I'm sure they'll be doing Obama the same favor if he wins the nomination!)
Happy to oblige :)
Please give Rush Limbaugh the benefit of actually reading what Michael J. Fox said--he's admitting to 'tinkering' with his meds--but he did it not to be 'theatrical', but rather to be 'uncomfortable' during his presentation. [...] I'm left with the impression that Fox *did* (at one time) deliberately 'tinker' with his medications...
Here's what Fox actually said:
Fox is explicitly denying the "impression" that you claim you have. You are using a quote from Rush Limbaugh, who chopped off the preface "It isn't as if," which gives the quote the exact opposite meaning.
And then you chastised me for not using the "entire quote." Wow.
I mean maybe you want to say Fox is a big liar or whatever, but to selectively edit his quote to pretend he's saying the exact opposite of what you say he's saying...? C'mon.
What Fox was saying was that he didn't do anything special with his meds that way, but (as he's explained elsewhere) he has good days and bad days, and it did seem somehow appropriate for him to be having a kind of bad day on that particular day. These two things can both be true.
I know you already said you like Glenn Beck, but... try to think for yourself please. Sheesh.
you are criticizing Rush Limbaugh because you think he insults people, and you chose to do that by... insulting him?
Hey jackhole, get a clue. When a bloated gasbag spews lies about an advocate for people with a debilitating disease, you're goddamned right he gets insulted. And when Rush mocks the disease's effects , shaking his body spastically around on camera to mimic Fox's illness, oh holy crap does he deserve to be insulted. Shakespeare didn't write enough insults for sick bastard whores like Rush Limbaugh.
But guess what? Rush was right. Fox later admitted that he purposely skips his medication before public events like this so people will see his worst case symptoms. Here is a video clip of him admitting this.
Guess what, you brain-dead moron? In that video clip Fox denies what he supposedly admitted, saying explicitly -- listen to your own video clip --
Which of course pustulent corpse-raper Rush Limbaugh quotes as:
Here, as usual, Rush listeners learn their facts about the world exactly backwards. It's the price you pay for giving a fat, impotent, parasitic slug-worm an invitation into your living room. Lend credence to the sneering ringmaster of a national freakshow and what happens is that you become stupid. Let me give you another example. If you'd bothered to learn something instead of lazily gulping down Limbaugh's diarrhea, you might have known that the visible tremors Rush was mocking come from the medication:
I'm not the president of the Michael J. Fox fan club or anything. But the guy has to take his meds in order to be able to talk and move and interact with the world with some kind of normalcy. Without the medication, Parkinson's patients' muscles become rigid, their movements slow, and they even become unable to move at all. At the start of the filming day, Fox doesn't know if he's going to nail the ad in one take or is going to be there all day, so you can only imagine how carefully he plans out how much medication he's going to take and when, to ride the tightrope between his disease's wracking paralysis and the cure's tremors. Did he guess exactly right? I don't know, maybe not. Is Rush Limbaugh the biggest hate-smeared asshole the world has ever seen for second-guessing a prescription for someone he's never met, someone who is just trying to help a cause he believe
I admit I haven't spent a lot of time dissecting Clinton and Obama's respective differences. This is partly because I live in Michigan and didn't get a vote that counted this year anyway. And my vote would have gone to Edwards, but he wasn't on my ballot and then he dropped out.
That said, I think the big stuff is what matters. The two big issues are the war and health care.
I'd favor Obama because I think he is the most likely of the two to start pulling troops out of Iraq immediately upon taking office. I know Clinton has said she will end the war but -- I admit this is merely a gut feeling -- I could see her compromising on this.
And I'd favor Clinton because her health care plan is more progressive. I support single-payer health care and her plan comes closest. Obama is attacking her from the right on this, which (as Paul Krugman points out) is something progressive Obama supporters don't seem to understand.
So my two big issues are split 50/50. Which would I vote for if I actually got to choose? I don't actually know. Tough call.
Republican Senators are right now stonewalling and trying to prevent a one-month extension of the same legislation they insisted last year was vital, urgent, and necessary to prevent terrorist attacks in "days, not weeks." The President has said he would veto a one-month extension of this legislation that, last year, we supposedly needed to stop the terrorists from attacking America.
They are protesting a one-month extension so that people who aren't paying attention will pressure Democrats to cave in and give Republicans what they want. The Republicans are literally -- if you believe their own words -- exposing America to danger of terrorist attack as a political tactic to pass the legislation they want.
And what they want is retroactive immunity for corporations so that we, the people, have no legal recourse to discover whether those corporations cooperated with the Bush administration in breaking the law.
The tools are already available. They allow the NSA to spy, and they allow American corporations to assist that spying. It's just that the laws must be followed. They are not difficult to follow. And corporations already are immune from both civil and criminal consequences if they can just demonstrate that, even though they broke the law, they acted on a good-faith belief at the time that what they did was legal.
If you think this about whether we can monitor what the terrorists are talking about, you're wrong.
I liked the comment by Sen. Bond (R-Mo.) that failure to give telecom providers retroactive immunity for any crimes they may have committed would be
He is saying -- he is actually saying -- that Congress has to prevent its own laws from being applied to a corporation, because if the courts are allowed to proceed with civil lawsuits, angry mobs of disaffected citizens will storm the corporate headquarters of AT&T and Verizon and burn them to the ground because they oppose intelligence gathering. We must circumvent the legal process to soothe the hordes of Americans who are furious at the NSA. This is surely the most bizarre panem-et-circenses ever.
Or maybe he's saying Al Qaeda sleeper cells will launch attacks on key NOCs for our internet backbone... the only thing holding them back is they're waiting for word to come that a civil lawsuit has been filed against the owning corporation and depositions have been submitted and discovery is proceeding, Allahu Akbar!
(1) You meant that the other way around.
(2) Either way, that's an extremely stupid comeback to a simple fact about polling. Unofficial polls prior to the official date are sometimes off by large margins, especially in primaries. It happens. That's not by itself a reliable indicator of fraud.
These things happen in primaries. Often a lot of independents swing the same way, or last-minute campaigning changes people's minds.
As Bob Somerby points out, the polling for the New Hampshire primary was wrong, by a larger margin, the last time we had a two-party primary:
You misspelled "Slashdot."
He sounds like a real people person. I can't imagine why companies aren't jumping at the chance to hire this guy.
Last I knew, both JPEG and GIF were unencumbered by patents. An alleged JPEG patent claim would have expired last year even if valid, and Unisys's last GIF patents expired in 2003-6. If I missed something, let me know.
(Just picking nits.)
It's in the FAQ. It's actually been included in the tagging FAQ since its first version, January 2006.
Please tag a story 'typo' when you see this. It'll alert us admins to a problem and it'll get fixed in probably less time than it takes to write a comment about it...
We're unlikely to try including very many comments in a book. That didn't work out so well last time...
Pound, our reverse proxy, lets you redirect traffic based on header text. If it sees one of our user cookies, it directs you to a dynamic webhead even if the URL you're hitting is static by default. One of the relevant parts of our config file reads:
More on software
I had a bad shrink-wrapping experience once.
Back in 1993 or so, I was not only the chief Macintosh programmer for an educational-games company, I was its only in-house programmer and also the main Mac tech support guy. That meant my working on our next game would be interrupted by answering the phone to deal with customer complaints about the last game I'd written. It sounds cruel but it may have helped inspire me to write better software :)
Anyway, I got a really puzzling complaint from one woman who was irate, and had a right to be. Our software had infected her PC with the Michaelangelo virus. She was mad enough that I had to take the call despite it not being our Mac version. It took a lot of calming-down but I was able to make her understand that it was impossible for the floppy disks to leave our warehouse with the virus because we'd shipped the exact same disks to thousands of other people and hers was our first Michaelangelo complaint. But she had taken the disks to her local PC-repair shop and they'd tested positive for Michaelangelo.
So I asked her where she'd bought them. J&B Computer World. Fine. I called up her local J&B and eventually got put through to a manager... after some prodding, it turned out they'd had a Michaelangelo outbreak at their store a month prior. Oh, and yes they did sometimes "test out" the software they resold by playing it themselves. Oh, and yes, they had a shrink-wrapping machine.
I called back our customer with the news and she said she was going to take it up with J&B. I always wished I could have listened in on that call :)
Well, I haven't rewritten the whole application to benchmark it :) but I can say pretty definitively, not even close.
but I've seen one or two badly-written apps peg their DB servers' CPUs just compiling bazillions of queries, where placeholders would solve the problemI think the badly-written part is the bazillions of queries, not the lack of placeholders. Except when you need to insert a bazillion rows, I can't think of any other case where code should have to issue the same query a large number of times in a row.
Slash doesn't really have anyplace where we do that kind of insert, that I can think of offhand. Actually there's a bazillion-row REPLACE sequence in some code I'm working on now. I haven't checked the DB's CPU while that runs, but it's at the end of hours of other DB-intensive processing. My guess is that disk I/O is the bottleneck there anyway, not CPU. I have to imagine that the time to parse INSERT INTO foo VALUES ('x', 2, 3) is measured in microseconds, and the time to commit it, milliseconds.
Anyplace where code is doing SELECT x FROM foo WHERE y=$z more than a few times in a row is simply not using the database correctly. (If I'm wrong about that, counterexamples are welcome!) The fix is to rewrite to use IN clauses and multiple tables to combine queries, which can gain you orders magnitude of speed. Making a badly-written algorithm 2% faster doesn't help.
Oh, and placeholders give you one more advantage: they're database independent. If a database supports placeholders at all, you're done. If you instead do quoting, you have to tailor your quoting function to the database engine you're using, because they're not all alike in that regard.
Actually, no, DBI.pm (and Slash's DB layer) handle that for you.
Of course there would be a zillion other things to do if we wanted Slash to be portable to other RDBMS software at this point...
you've increased the probability of a SQL injection attack from zero (which is what you'd get if you were using placeholders) to nonzero... you're relying on programmer diligence to avoid security holes when a mechanism exists to avoid those very same holes.
There's some places where you can't use placeholders or it's just silly or inefficient to. An IN clause, for example (we have some with a thousand or more IDs in an IN). Or if you want to compare a column's equality against a variable if the variable has a value but compare IS NULL if it's undef.
Whitelisting input to a regex solves other bugs as well (notably XSS), so we would do it anyway. It just happens to solve this problem pretty well too.
There's always the chance someone will write a clause with variables manually in the text and no one will catch it. You can make a rule "no bare variables in clause strings" but we chose instead to make a rule "no unquoted variables in clause strings (except numerics listed in filter_params)." Maybe there'll be a time our rule isn't followed, but if so there could be a time your rule isn't followed either - I don't think you can throw an assertion to stop it, really.
In a lot of places we construct long clauses algorithmically, often pushing clauses into an array and then doing a join(" AND ", @array) to get the master clause. To make placeholders work properly for that we'd have to write what sounds like a pretty ugly class to handle it. push @array, "x=$foo_q" and join(" AND ") are simpler and more flexible than $clauses->add("x=?", $foo) and $clauses->combine("AND"). It'd simply be better code in these places to drop the quoted values into the string and if we're going to do it there we might as well do it everywhere.
Also, I find placeholder code to be difficult to read, and difficult to comment to make it easier to read. I suspect eventually someone would make an edit that causes an off-by-one correspondence between the ?'s and the variables, bringing chaos and pain throughout the land.
I tend to agree with your theory, but in practice I think our system works as well or better.
I should point out that SQL injection is easier to defend against than XSS. We honestly have very few incoming data types, a few dozen covers like 95% or more, and since it's an SQL syntax error to send our database "sid=$sid", we end up having to write my $sid_q = $slashdb->sqlQuote($sid); ... "sid=$sid_q" anyway. That's injection-proof. The only variables we don't quote are numeric and filter_params checks all incoming numerics.
XSS is the hard one (and it's vaguely related). There's literally a dozen ways to strip/escape text you pull from the DB before emitting it to a webpage, picking the right one often requires a lot of thought, and picking the wrong one has a high probability of being exploitable. The impact is probably less than an SQL injection vuln, but still, we spend a lot more time thinking about XSS.
$form->{sid} is sanitized, not escaped. It's guaranteed to match \d{2}/\d{2}/\d{2}/\d{3,8}|\d{1,8} but its value in perl is its actual value. When you pass it to the DB you have to escape it.
Right, of course we use statement handles but our DB software layer doesn't return them for the rest of the application to iterate through. We encapsulate some of DBI.pm's various convenience methods and in a few cases roll our own.