September 2007

26 Sep 2007

Is your code held together with bits of string?

Meh.

I hate naive code that sends data to a database by concatenating it into a SQL string.

Unfortunately, there is far too much of it knocking around — no doubt because of the proliferation of rubbishy tutorials that teach beginners that that is the way to do database access.

Take this C# example:

public int InsertEvent(DateTime date, string description)
{
    using (SqlConnection cn = new SqlConnection(connectionString)) {
        cn.Open();
        // Both values are spliced straight into the SQL text: description is
        // user-controlled (SQL injection), and date.ToString() formats the date
        // with the current thread's culture, so the server has to guess what
        // "26/09/2007" or "09/26/2007" means.
        SqlCommand cmd = new SqlCommand(
            "insert into Events (Date, Description) values ('" +
            date.ToString() + "', '" +
            description + "');select @@IDENTITY", cn);
        // @@IDENTITY comes back as a boxed decimal, so unbox it with Convert;
        // a direct (int) cast on the object would throw InvalidCastException.
        return Convert.ToInt32(cmd.ExecuteScalar());
    }
}

It’s not just the SQL injection vulnerability that makes this code stink like a sewer: it has localisation problems as well.

Here in the UK we write dates as day/month/year, so today would be 26/09/2007. However, on the other side of the pond, they write dates as month/day/year, so today would be 09/26/2007. date.ToString() formats the date using the culture of the thread running your ASP.NET code, and SQL Server then parses that text according to the language (and hence the DATEFORMAT) of your database login. So if the two do not agree, you will get either the wrong date silently stored (9 June, written as 09/06/2007, is read back as 6 September) or a data conversion error (there is no 26th month).

On your development computer and your production server you will probably have your locales set up so that it all works correctly. However, it causes problems when you have to set up the application on a new box — for instance, when another developer starts to work on the project. Especially if the other developer is in another country.

Please stop doing this!!!!

Any decent, modern programming language will let you use parametrised queries to keep your SQL and your data separate. The data travels as typed values rather than as text spliced into the command, so a DateTime goes to the server as a native datetime parameter and never passes through a culture-dependent string, which sidesteps the localisation problem entirely. Parameters also all but eliminate SQL injection, provided everything user-supplied actually goes through one: a table or column name, an ORDER BY clause or dynamic SQL built up inside a stored procedure cannot be passed as a parameter, and those are the places where injection survives in otherwise parametrised code.
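Both failures described above, the stacked-query injection and the day/month mix-up, reproduced and then fixed with a parametrised query. This is an added example and not code from the original post; it is written in Python against an in-memory SQLite database rather than the post's C# and SQL Server so that it runs offline. `make_db`, `insert_event_concat`, `insert_event_param`, `read_back` and the `PAYLOAD` string are my own constructions. The `date_format` argument stands in for the thread culture that `DateTime.ToString()` picks up implicitly in .NET, and since SQLite has no datetime column type the parametrised version passes ISO 8601 text where SqlClient would pass a typed `SqlDbType.DateTime` parameter.

```python
"""Added example (not from the post): the concatenating InsertEvent beside a
parametrised version, run against an in-memory SQLite database so that both
the injection and the date-format problem can be reproduced offline."""
import sqlite3
from datetime import datetime


def make_db():
    """Fresh in-memory Events table, standing in for the SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Events "
        "(Id integer primary key autoincrement, Date text, Description text)"
    )
    return conn


def insert_event_concat(conn, date, description, date_format="%d/%m/%Y"):
    """The post's approach: data glued into the SQL text.

    date_format plays the role of the thread culture that .NET's
    date.ToString() uses implicitly (UK day/month/year by default).
    """
    sql = (
        "insert into Events (Date, Description) values ('"
        + date.strftime(date_format) + "', '" + description + "')"
    )
    # executescript runs every statement in the string, just as the ADO.NET
    # command text in the post would: that is what makes stacked injection work.
    conn.executescript(sql)
    return conn.execute("select max(Id) from Events").fetchone()[0]


def insert_event_param(conn, date, description):
    """Parametrised version: the SQL text is fixed, values travel separately.

    SQLite stores dates as ISO 8601 text, the form its date functions read;
    with SqlClient you would add a SqlParameter of SqlDbType.DateTime instead.
    """
    cur = conn.execute(
        "insert into Events (Date, Description) values (?, ?)",
        (date.isoformat(sep=" "), description),
    )
    return cur.lastrowid


def event_count(conn):
    return conn.execute("select count(*) from Events").fetchone()[0]


def read_back(conn, event_id, date_format):
    """Parse a stored date the way a login with the given date format would."""
    row = conn.execute("select Date from Events where Id = ?", (event_id,)).fetchone()
    return datetime.strptime(row[0], date_format)


# Constructed injection payload: closes the string and the VALUES list,
# appends a second statement, and comments out the original tail.
PAYLOAD = "x'); delete from Events; --"


def demo():
    results = {}

    # 1. Stacked-query injection through the concatenated version.
    conn = make_db()
    insert_event_concat(conn, datetime(2007, 9, 26), "harmless")
    insert_event_concat(conn, datetime(2007, 9, 26), PAYLOAD)
    results["rows_after_injection"] = event_count(conn)   # 0: table emptied

    # 2. The same payload through the parametrised version is just a string.
    conn = make_db()
    insert_event_param(conn, datetime(2007, 9, 26), PAYLOAD)
    results["rows_after_param"] = event_count(conn)       # 1
    results["stored_description"] = conn.execute(
        "select Description from Events").fetchone()[0]

    # 3. Culture mismatch: written by a UK thread, read by a US login.
    conn = make_db()
    eid = insert_event_concat(conn, datetime(2007, 6, 9), "9 June", "%d/%m/%Y")
    results["wrong_date"] = read_back(conn, eid, "%m/%d/%Y").date().isoformat()  # 2007-09-06
    eid = insert_event_concat(conn, datetime(2007, 9, 26), "26 Sept", "%d/%m/%Y")
    try:
        read_back(conn, eid, "%m/%d/%Y")
        results["conversion_error"] = False
    except ValueError:                                    # no 26th month
        results["conversion_error"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and the first section empties the table through the concatenated insert, while the parametrised insert stores the payload verbatim as a description. The third section shows both outcomes from the post: the date silently shifted from 9 June to 6 September, and the conversion error for a day number that cannot be a month.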

The only excuse for building SQL by string concatenation in this way is that you still have to support PHP 4, whose mysql extension gives you no way to send parameters separately from the query text. Even then, if at all possible, you should be upgrading to PHP 5, which does (through mysqli or PDO).

20 Sep 2007

Where has all the disk space gone?

My computer had slowed down to a crawl. Since it was a while since I last defragmented the hard disk, I decided to give that a try — only to find that my primary partition (of 48 gigabytes) was almost completely full.

When you are confronted with something like this, you need some kind of utility that will give you a graphical report of all the directories on your hard drive, so you can quickly drill down and see where it has all gone.

A quick Google search led me to JDiskReport. It is a Java application that scans your entire hard disk and produces a report that you can easily drill down to find the culprit. There are some commercial (shareware) programs knocking around that do much the same thing, but this one is free, which is pretty nice.

You can easily drill down through your directories — it lists the biggest ones first — and zoom in on anything particularly horrendous. In my case, the worst offenders appeared to be Google Desktop Search, two gigabytes of photos that I no longer need, and stacks of backup files and things. In the end I managed to clear out about seven gigabytes of disk space. Perhaps I should clear out more — my user profile would be better off on the much larger D:\ drive for instance with the rest of the data files. I like to keep as much free space on my primary partition as possible to avoid hurting performance.

Unfortunately it seems a bit sluggish on Windows — it took nearly twelve minutes to scan all 48 gigabytes of my primary partition. I suspect this is probably more to do with Windows than the application itself though. There is a similar feature built in to Ubuntu and it is pretty responsive by comparison. Then again, I have always found Windows a bit slow with some file operations (especially moving and deleting) compared to their Linux equivalents.

13 Sep 2007

Beginners’ languages can have advanced features too

C# introduced some very useful concepts in version 2: generics, the yield statement, and anonymous methods (which are similar to closures). However, VB.NET was largely left behind: it has generics, but it still misses out on both the yield statement and anonymous methods, and it had to wait until version 2 to get the simple but convenient and frequently used syntactic sugar of C#’s using statement.

C’mon, Microsoft, these are pretty useful language constructs. Sure, a lot of developers don’t know what they are or how to use them, but once you’ve seen how powerful they can be, you wonder how you managed to get by without them. It seems that in .NET land, VB is definitely a second class citizen, perhaps more comfortable for novices to use, but with some gaps in the feature set that will irritate more advanced developers.

PHP suffers the same dumbing-down problem. It has seen massive improvements in version 5 since version 4, but there are still some fairly major gaps that are not likely to be filled in the foreseeable future. For example, apparently Rasmus Lerdorf is of the opinion that PHP is not likely ever to get closures because most PHP developers would not have a clue what to do with them.

This kind of thinking seems flawed to me. There are some language features such as these, which more advanced developers can use to write code that is much more concise, clearer and easier to understand, while the less experienced can use the language without being aware of them, albeit perhaps not as idiomatically and concisely. JavaScript is a good example of this: despite the insanities of cross-browser quirks, it is easy enough for most novice developers to achieve some results, yet it has some powerful functional features that make it potentially very expressive and idiomatic — just look at what you can achieve with jQuery for instance.

Just because a language’s core constituency is dominated by beginners doesn’t mean you should leave out useful features that advanced developers can use. Don’t forget that experienced coders often have to use VB and PHP too.

11 Sep 2007

On leaving Wikipedia

Regular readers of my blog will no doubt be aware that over the past eighteen months or so I have been fairly active on Wikipedia, notching up just under a thousand edits or so. This may sound like a lot but it is not uncommon to find Wikipedians with edit counts reaching well into the tens of thousands, so I am not the most active by a long shot.

However, I have decided that it is time to call it a day.

The main reason is to help me stay focused. Editing Wikipedia and participating in all the discussions etc can be fun, but it can also be pretty distracting if you are not careful. It is also all too easy to get lost in all the masses and masses of trivia that are to be found there: if you have ever gone on to it looking for information about cryptographic hash algorithms and ended up with a dozen articles open at pages such as Jennifer Aniston, Self Diagnosis and Eta Carinae after five hours of fascinated clicking, having totally forgotten what you went on to Wikipedia for in the first place, you will know exactly what I mean.

“Computer Joe” Anderson wrote a blog entry recently in which he attempted to debunk some “myths” about Wikipedia (or “the Wikipedia” as he calls it). It gives an interesting insight into Wikipedian culture that most casual readers have no idea about, such as the recent changes patrol and the Arbitration Committee. However, while his arguments are all factually accurate, I must disagree with his conclusions. Despite all its processes, policies, procedures and patrollers, Wikipedia still has very much the feel of being the Wild West of encyclopedia territory: chaotic, anarchic and at times pretty bewildering.

I must admit to finding it curious that Wikipedia policy states in no uncertain terms that “Wikipedia is not an indiscriminate collection of information.” After all, as far as indiscriminate collections of information go, Wikipedia has few rivals. After all, when you encounter articles like Globus Cassus — an obscure book that you’ve almost certainly never heard of, which outlines a completely whacked out and bizarre proposal to dismantle the earth and use it to build a flying saucer the size of Saturn — and then discover that it survived not just one but two deletion debates, you just have to shake your head and say to yourself, “Only on Wikipedia”. But it turns out that it featured at one of those highfalutin modern art exhibitions where you expect to see cows in formaldehyde, piles of bricks, and avant garde paintings by elephants and chimpanzees. Apparently that makes it Notable. Go figure.