james mckay dot net

because there are few things that are less logical than business logic

2007

26 Sep

Is your code held together with bits of string?

Meh.

I hate naive code that sends data to a database by concatenating it into a SQL string.

Unfortunately, there is far too much of it knocking around — no doubt because of the proliferation of rubbishy tutorials that teach beginners that that is the way to do database access.

Take this C# example:

public int InsertEvent(DateTime date, string description)
{
    using (SqlConnection cn = new SqlConnection(connectionString)) {
        cn.Open();
        // The data is concatenated straight into the SQL text. This is both the
        // injection hole and the locale-dependent date formatting discussed below.
        SqlCommand cmd = new SqlCommand(
            "insert into Events (Date, Description) values ('" +
            date.ToString() + "', '" +
            description + "');select @@IDENTITY", cn);
        // @@IDENTITY comes back as a boxed decimal, so convert rather than unbox as int
        return Convert.ToInt32(cmd.ExecuteScalar());
    }
}

It’s not just the SQL injection vulnerability that makes this code stink like a sewer: it has localisation problems as well.

Here in the UK we write dates as day/month/year, so today would be 26/09/2007. However, on the other side of the pond, they write dates as month/day/year, so today would be 09/26/2007. So if the locale of your ASP.NET application is different from the locale of your database login, you will get either the wrong date or a data conversion error.

On your development computer and your production server you will probably have your locales set up so that it all works correctly. However, it causes problems when you have to set up the application on a new box — for instance, when another developer starts to work on the project. Especially if the other developer is in another country.

Please stop doing this!!!!

Any decent, modern programming language will let you use parametrised queries to keep your SQL and data separate. These also allow you to send dates and times to the database in native, unambiguous datetime format, avoiding any thorny localisation issues, and they all but eliminate SQL injection vulnerabilities.

The only excuse for using string concatenation in this way is that you still have to support PHP 4 which does not give you the option of parametrised SQL queries for MySQL. Even then, if at all possible, you should be upgrading to PHP 5, which does.
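For comparison, here is the same insert written the way the post recommends, with the SQL text and the data kept apart. This is an added example rather than code from the original post; it assumes a connectionString field, an Events table with a datetime Date column and an nvarchar(255) Description column, and it uses SCOPE_IDENTITY() in place of the original's @@IDENTITY so that an identity generated by a trigger on another table cannot be returned by mistake.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class EventRepository
{
    private readonly string connectionString;   // assumed to be supplied by the caller

    public EventRepository(string connectionString)
    {
        this.connectionString = connectionString;
    }

    public int InsertEvent(DateTime date, string description)
    {
        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = cn.CreateCommand())
        {
            // The command text contains only placeholders; no caller-supplied
            // value is ever spliced into it, so there is nothing to inject into.
            cmd.CommandText =
                "insert into Events (Date, Description) values (@Date, @Description);" +
                "select cast(scope_identity() as int)";

            // A typed parameter sends the date as a native datetime value, so the
            // locale of the application and of the database login no longer matter.
            cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = date;

            // The description is sent as a string value, never parsed as SQL, so
            // quotes and semicolons in it are stored literally. The length (255)
            // is an assumed column size; match it to the real schema.
            cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 255).Value = description;

            cn.Open();
            // scope_identity() is cast to int in the query, so the unboxing cast is safe
            return (int)cmd.ExecuteScalar();
        }
    }
}
```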

20 Sep

Where has all the disk space gone?

My computer had slowed down to a crawl. Since it was a while since I last defragmented the hard disk, I decided to give that a try — only to find that my primary partition (of 48 gigabytes) was almost completely full.

When you are confronted with something like this, you need some kind of utility that will give you a graphical report of all the directories on your hard drive, so you can quickly drill down and see where it has all gone.

A quick Google search led me to JDiskReport. It is a Java application that scans your entire hard disk and produces a report that you can easily drill down to find the culprit. There are some commercial (shareware) programs knocking around that do much the same thing, but this one is free, which is pretty nice.


You can easily drill down through your directories — it lists the biggest ones first — and zoom in on anything particularly horrendous. In my case, the worst offenders appeared to be Google Desktop Search, two gigabytes of photos that I no longer need, and stacks of backup files and things. In the end I managed to clear out about seven gigabytes of disk space. Perhaps I should clear out more — my user profile would be better off on the much larger D: drive for instance with the rest of the data files. I like to keep as much free space on my primary partition as possible to avoid hurting performance.

Unfortunately it seems a bit sluggish on Windows — it took nearly twelve minutes to scan all 48 gigabytes of my primary partition. I suspect this is probably more to do with Windows than the application itself though. There is a similar feature built in to Ubuntu and it is pretty responsive by comparison. Then again, I have always found Windows a bit slow with some file operations (especially moving and deleting) compared to their Linux equivalents.

13 Sep

Beginners’ languages can have advanced features too

C# introduced some very useful concepts in version 2: generics, the yield statement, and anonymous methods (which are similar to closures). However, VB.NET was largely left behind: it has generics, but it still misses out on both the yield statement and anonymous methods, and it had to wait until version 2 to get the simple but convenient and frequently used syntactic sugar of C#’s using statement.

C’mon, Microsoft, these are pretty useful language constructs. Sure, a lot of developers don’t know what they are or how to use them, but once you’ve seen how powerful they can be, you wonder how you managed to get by without them. It seems that in .NET land, VB is definitely a second class citizen, perhaps more comfortable for novices to use, but with some gaps in the feature set that will irritate more advanced developers.

PHP suffers the same dumbing-down problem. It has seen massive improvements in version 5 since version 4, but there are still some fairly major gaps that are not likely to be filled in the foreseeable future. For example, apparently Rasmus Lerdorf is of the opinion that PHP is not likely ever to get closures because most PHP developers would not have a clue what to do with them.

This kind of thinking seems flawed to me. There are some language features such as these, which more advanced developers can use to write code that is much more concise, clearer and easier to understand, while the less experienced can use the language without being aware of them, albeit perhaps not as idiomatically and concisely. JavaScript is a good example of this: despite the insanities of cross-browser quirks, it is easy enough for most novice developers to achieve some results, yet it has some powerful functional features that make it potentially very expressive and idiomatic — just look at what you can achieve with jQuery for instance.

Just because a language’s core constituency is dominated by beginners doesn’t mean you should leave out useful features that advanced developers can use. Don’t forget that experienced coders often have to use VB and PHP too.

11 Sep

On leaving Wikipedia

Regular readers of my blog will no doubt be aware that over the past eighteen months or so I have been fairly active on Wikipedia, notching up just under a thousand edits or so. This may sound like a lot but it is not uncommon to find Wikipedians with edit counts reaching well into the tens of thousands, so I am not the most active by a long shot.

However, I have decided that it is time to call it a day.

The main reason is to help me stay focused. Editing Wikipedia and participating in all the discussions etc. can be fun, but it can also be pretty distracting if you are not careful. It is also all too easy to get lost in all the masses and masses of trivia that are to be found there: if you have ever gone on to it looking for information about cryptographic hash algorithms and ended up with a dozen articles open at pages such as Jennifer Aniston, Self Diagnosis and Eta Carinae after five hours of fascinated clicking, having totally forgotten what you went on to Wikipedia for in the first place, you will know exactly what I mean.

“Computer Joe” Anderson wrote a blog entry recently in which he attempted to debunk some “myths” about Wikipedia (or “the Wikipedia” as he calls it). It gives an interesting insight into Wikipedian culture that most casual readers have no idea about, such as the recent changes patrol and the Arbitration Committee. However, while his arguments are all factually accurate, I must disagree with his conclusions. Despite all its processes, policies, procedures and patrollers, Wikipedia still has very much the feel of being the Wild West of encyclopedia territory: chaotic, anarchic and at times pretty bewildering.

I must admit to finding it curious that Wikipedia policy states in no uncertain terms that “Wikipedia is not an indiscriminate collection of information.” After all, as far as indiscriminate collections of information go, Wikipedia has few rivals. When you encounter articles like Globus Cassus — an obscure book that you’ve almost certainly never heard of, which outlines a completely whacked out and bizarre proposal to dismantle the earth and use it to build a flying saucer the size of Saturn — and then discover that it survived not just one but two deletion debates, you just have to shake your head and say to yourself, “Only on Wikipedia”. But it turns out that it featured at one of those highfalutin modern art exhibitions where you expect to see cows in formaldehyde, piles of bricks, and avant garde paintings by elephants and chimpanzees. Apparently that makes it Notable. Go figure.

27 Aug

You take the high road and I’ll take the slow road

Can somebody please explain to me why the pointy-haired bosses in the Scottish transport office have a fetish for ridiculously low speed limits at roadworks? It’s down to thirty miles an hour on the motorway leading up to the Forth Road Bridge and ten miles an hour on a stretch of the A90 a few miles south of Aberdeen.

I’ve never encountered speed limits that low in comparable situations south of the border, but then again there are other factors at play back home. The sheer volume of traffic on the M25 reduces things to a complete crawl at times, for instance.

23 Aug

Six weeks of Dvorak

I’ve now been typing in Dvorak for about six weeks, and it finally seems to have clicked. This is my fourth attempt, and this time it all slotted into place after about two weeks. Unlike my previous attempt, this time I have had no discomfort, probably because I am using my Kinesis keyboard almost exclusively now both at work and at home, and avoiding flat keyboards like the plague.

I wouldn’t claim to be the world’s fastest typist yet, but it has certainly improved my keyboard discipline. I am now at last able to touch type properly in a way that I was never able to do on qwerty, for starters, and this in turn means that I am finally getting the most out of my Kinesis contoured keyboard. It’s also fun to see people’s reactions when they try to use my keyboard and find that not only are they confused by the shape of the thing, it doesn’t give them the letters that they expect. Hehe…

One thing I have found however is that while Dvorak is a definite improvement for text, the difference is smaller when you are programming, particularly in a curly-brackety language like C# or JavaScript, since you are making much more use of numbers and symbols. Having said that, a lot of what you have to do as a programmer involves writing text — comments, specs and the like — so it is still an improvement anyway.

I decided in the end not to bother with any of the other alternative layouts. I briefly tried Colemak, and while my initial impressions were favourable, I came to the conclusion in the end that its advantages over Dvorak are too small to be worth bothering with. It seemed to work relatively well on a flat laptop keyboard but for some reason I found it no easier to get to grips with on my Kinesis than Dvorak.

There are actually several qwerty derivatives knocking about, and the main thing that makes Colemak different from, say, Asset or Arensito is its small but noisy fanboy community. Its Wikipedia article was deleted back in November on the grounds of non-notability and has since been protected to prevent re-creation, much to the disgust of the fanboys. Yeah, there was the CapsOff million dollar competition, but it seems that was an obscure affair where it turns out that the prize money was entirely funded by donations. Given that the CapsOff website says that they would list all donations on the website, and I couldn’t find any listed anywhere, it seems that Colemak won its designer a lot less than the touted million dollars by a very large margin. Sure, it may become more popular, but I’ve already put in enough effort switching to Dvorak, so I think I’ll give it a miss for now.

11 Aug

Comment Timeout 2.0 upgrade

The latest version of Comment Timeout 2.0 is now available. It fixes a bug that was letting comments from spam bots through on older posts. If you are using version 2.0 alpha 1 you should upgrade.

08 Aug

Yes, but what is the point of it?

It seems that scarcely a week goes by these days without someone launching Yet Another Social Networking Site. There are more of them knocking around these days than you can shake a stick at: MySpace, Facebook, LinkedIn, Friendster, Bebo, Jaiku, Wayn, Twitter, Second Life, LiveJournal, meetup.com … the list goes on.

Pownce is one of the latest newcomers, and I got an invite for it just before Faith Camp. It was founded by various Web 2.0 entrepreneurs including Kevin Rose of Digg fame and launched about a month or so ago with great fanfare. Its purpose, as it says on the home page, is to “send stuff to your friends”:

Pownce is a way to send messages, files, links, and events to your friends. You’ll create a network of the people you know and then you can share stuff with all of them, just a few of them, or even just one other person really fast.

Right. So what exactly does it do that you can’t already do with a combination of MSN Messenger and either Facebook or MySpace?

It seems that your home page on Pownce shows the latest things that you and all your friends have posted on the site, so to make the most of it you need to have a network of friends who are using it. Visually, it looks pretty slick, and the concept seems similar in some ways to Twitter, but it still seems a bit pointless to me.

Social networking sites can absorb a lot of your time if you let them. You can spend hours on Facebook alone, and with a plethora of new ones on the scene it can be hard to keep track of all of them. However, most of my friends only make regular use of the biggest, best known and most useful ones: MySpace, Facebook, LinkedIn and YouTube, and maybe one or two others.

I wonder a bit if Web 2.0 is reaching saturation point somewhat. Or is it just another sign of the times we live in, where just as society re-invents itself every fortnight, the latest and greatest Internet phenomenon is a constantly and rapidly moving target?

30 Jul

Blogging from the sheep shed — or maybe not

Since I am at our annual Faith Camp this week and spending copious amounts of time in a sheep shed with only a slow Internet connection over my mobile phone, I am spending very little time online this week. Hey, what do you expect? This isn’t RailsConf — there isn’t a MacBook or an Ubuntu T-shirt in sight…

I have found in recent months that spam comments are sneaking past my arsenal of defences at a rate of about three or four a week, so I have set my blog to moderate comments until I get back. So if you leave a comment and it does not appear immediately, please bear with me. Anything legitimate should be dealt with by the start of next week.

27 Jul

I could have told you this would happen…

Automattic releases the WordPress Stats 1.1 plugin, and the next day, it is found to have a SQL injection vulnerability.

Fortunately, the vulnerability has been fixed, but it is this kind of bug that I was talking about earlier today. With a solid, well thought out database access architecture using parametrised queries, SQL injection vulnerabilities like this could be all but eliminated.

If the WordPress guys don’t change their tune about GoPHP5 sometime soon and come up with a firm action plan to rework their application architecture to use PDO and nail these things on the head, I’m looking for another blog engine.

(Updated: added link to the fix)