- Feature Articles
- CodeSOD
- Error'd
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
No, ugly and kludgy.
Admin
If it were a shopping cart I would avoid the javascript portion of this by creating a confirmation page. Instead of auto-submitting the form, present it to the user as a data confirmation page.
Example
Please confirm your order details. Once complete click "submit order".
Order Details
Name: Bob
Total: $52
Shipping: $8
Submit Order
Admin
Don't you expect MS will sooner or later built something comparable to Java applets (or java web start) into .NET?
Admin
Couldn't agree more. He just said that anything running on the client was script. Not so.
Admin
Wasn't the applet a response to ActiveX?
Admin
Please redirect your web browser to www.zend.com then start to talking about
Admin
Actually, .Net "applets" have been possible since version 1.0 :)
Admin
If anything, it was the other way round. Applets were the form in which Java was originally promoted as THE hot next thing on the internet, gaining wide deployment by being integrated in Netscape 2.0 in December 1995. Microsoft responded by creating something similar with ActiveX, integrated in MSIE 3.0, which came out mid-1996. Though AFAIK it was really just a new name for something they already had (OCX, derived from OLE). Technologically, ActiveX is totally different from Java, the only similarity is that both can be integrated into webpages, in that, MS pretty clearly followed Sun's lead because they also believed at least partially in the applet hype and wanted to offer something similar.
Of course, today we know that Java applets turned out to be mostly a pointelss and annoying toy, that they probably more hurt than helped Java's ultimate success in a totally different area, and that ActiveX became mostly a source of security holes.
Which is why I don't really think anything similar will be built into .NET, though something like JavaWebStart may well be. It's a pretty good idea, only not executed very well, and badly underpromoted.
Admin
I don't think the condescending tone of your post was necessary
The choice of payment gateway is not currently nor was it ever up to me. I can only work with the choice my "client" has made, no matter how much I like or dislike it.
That said, the payment gateway I'm using does offer an API to their services. Every bit of payment processing could be done behind the scenes of any type of application I can think of.
The reason we're not using that is because the people I'm working with were very irresponsible with credit card data in the past, and so their higher ups have told them that they can't even touch sensitive credit card data. Sending the credit card number, no matter how encrypted, via SOAP or whatever, would get them a big slap on the wrist due to their previous incompetence. What they can do is have a reputable third party collect the necessary sensitive info, process that info, and then send us back the results which contain only the information we need to reconcile payments made through the third party with our data. Hence my need to redirect the users to the third party's site from our own.
That's essentially what I have been doing and what the " "experts" " here have suggested, as far as I can tell.
Admin
Be careful about making statements like that... Atlas is a huge part of ASP.NET 2.0.
Admin
That's rediculous. It's JavaScript on the client interacting with ASP.NET components on the server. Fundamentally, it's like every other HTTP request. There may be client libraries that interact with ASP.NET components, but that doesn't make those client libraries ASP.NET. You may as well say Google.com is ASP.NET because it has links to ASP.NET pages on it. I reiterate, anything executed client-side has very little to do with .NET.
Admin
The underlying language is irrelevant... it is a .NET specific technology. You should call Bill Gates and tell him his PDC keynote speach was incorrect. While I'm googling ASP.NET why don't you google this...
PDC Session PRS 312 "ASP.NET: Future Directions Developing Rich Applications with "Atlas" "
The .NET framework isn't written in C#, does that mean the .NET Framework isn't part of .NET? ... Atlas is a .NET specific technology written in JavaScipt...
Admin
While true that it may be a .NET technology, it doesn't run on the .NET platform. It runs on the client.
Admin
Everything in .NET, at some level, runs in a non-managed environment. We can't run Winforms without the comctl32.dll , we wouldn't have .NET Printing without the microsoft postscript printer, and remoting would be useless without non-managed transportation protocols. So getting back to your original statement that started this conversation:
Anything executed client-side has very little to do with .NET.
Isn't correct. MS long term strategy is to blur the lines between browsers and windows. MS can't rewrite the internet. Therefore many of the new .NET technolgies will be based on non-managed WC3 technologies and run in non-managed environments.
Admin
Oh, come on. Atlas is conceptually identical to Sarissa -- it is not .NET specific. It may blend well with the .NET concept of XML request/response and HTTP transport, but in essence it's nothing more than a wrapper for cross-browser XMLHttpRequest (and a workaround for a lack of support for getElementsByTagNameNS()). Can you do neat things with it? Sure -- but you can do exactly the same neat things without it. Atlas is a developer's productivity tool that does not change the game in any way, except to isolate the developer from some of the nastier bits of cross-browser coding (there are still some issues, even with the W3C DOM in place).
Admin
C'mon now, the difference between a scripting language is generally considered to be the presence or lack of compilation. Scripts are compiled at execution and sometimes even during execution, then thrown away. Usually the scripts themselves are just simple or complex one-offs. Programs are compiled once (well, whenever they change) and that code reused.
Some languages blur this: PHP can generally be compiled, optimized, and cached now; ASP was moving in this direction before ASP.Net made it moot. .Net includes far more dynamic execution possibilities than C++/Java, and vb.net and js.net still often default to variant types to support loose typing. But most people still build crappy underengineered stuff with PHP and vbscript/js/asp.net, major applications in C#/Delphi.Net, and application-lites with vb, so their monikers aren't entirely useless.
Eventually some firmer definition will have to come out, but it's pointless arguing about it when no one bothers to define what makes something a scripting language.
Admin
Well, put the blame on MS: When they say .NET, they mean different things. One is the java-like thingy, including C#, IL and the CLR; the other means a general, rather blurry "big picture" which at some time included Hailstorm, Passport and-what-not. You see the same distinction in the dotGNU-Project: There is portable.net, which is implementing the C#, IL, CLR thingy; and there is the more general (rather blurry;-) dotGNU project which portable.net is part of.
Admin
Here is what worries me in this WTF. Maybe someone else mentioned it but my medication (home sick) is blurring my vision. The purpose of this request, seems clearly to take into account the data got to the server via HTTP and not HTTPS, and then take the exact data, and push it into a HTTPS request.
That is like saying "We got this data sent from the client to the server, but its double secret data so we have to send this data back to the client, then get the client to send it to us in double secret code."
If you already get the data at the client, and the data is supposed to be encrypted in the first place, that is an error condition period - sending that exact data back to the client so it can then be sent back once again encrypted - I would not only fire any programmer that did this but tatoo "dangerous idiot" to his forehead first.
Secondly, I can't think of any reason why you would send secure data over a GET request. Its already been mentioned GET data stays in the browser's history. It also (I am pretty sure even for HTTPS, but not 100% sure) that it gets logged in all the log files. This could then end up with sensitive information sent off to India or what ever nation the contracted fly by night SEO company resides. I am not sure if the logs are kept seperately for HTTP and HTTPS requests, but you ever have to treat your access logs as sensitive credit card data records the process is broken badly already.
The biggest problem that I have with this, is its not just a typical "burn CPU" wtf or doing things the really really hard (dumb) way, or introducing bugs. Its taking a broken system that is leaking sensitive data, and "fixing" it in a way that doesn't remove the leak, just makes it harder to see.
Admin
Second note (after writing above post): I realized that even if the HTTPS requests didn't go in the main log files, the HTTP request that that builds the forwarding form will. So, no matter what, using this script will result in whatever data should be HTTPS encrypted appearing plainly in the logs for anyone in a contracted SEO company to see, or anyone else with access to the logs, and yet use HTTPS to actually process that data, as if it was magically secure on a "best two out of three" approach to security. Its really quite awful.
Admin
Irrespective of the browser history, the point of SSL is to stymie packet sniffing, yes? Hence the need for secure GET requests also. The only way somebody could get to my browser history would be to break into my house and steal the computer.
Admin
Interfece: The process of throwing shit at each other [;)]
Admin
I am pretty sure even the SSL requests get logged in a log file. The IP, basic browser info, and the URL, including the GET variables, would reside in the server long after the session was concluded.
I will say that there is a good reason to use GET requests via SSL, because you often want the data being sent back to the browser to be secure, such as for banking records, and sending data such as the page number in the GET data is no biggy. Thats assuming you already logged in via a secure POST request, and your session is being maintained.
By "secure data" I meant "sensitive data", I should have been more clear. In the WTF cited, whats really noteworthy is that it does it gets all the data via an insecure route, then sends it back insecurely to get it resent securely, even though it already got it all and the damage was already done.
Admin
My hope was that this page wasn't sending over any useful information, that it was just switching over to https and sending "action=cartupdate&sort=price" or something like that.
If it's collecting and sending over passwords, card info, or anything like that... be very scared.
Admin
Or better yet, on the top of the processing page, print "Please wait..." and dump the existing buffer to the client before starting the real processing.
Admin
No touch deployment is more or less the .NET equivalent of Java Web Start. And let me tell you, I would take JWS any day of the week. You cannot use no-touch in many normal, acceptable situations for various reasons, including, but not limited to the fact that the app runs as ieexec and not your user. This includes using OLE, which in Windows is something you really shouldn't take away if you plan on doing anything useful.
Admin
Well, if you say bad things about a programming language per se, you well earn the heat!
After reading too many WTFs, you really should know that it is the programmer who writes bad code, not the language.
Admin
[:D] Beautiful, man... Just beautiful.
Come to think of it, quite a lot of API's I've used over the years have have multiple interfeces in them...
Admin
Allow me to suggest the alternate construction, "WTFs are platform agnostic."
Admin
Firstly, I'm a Struts Programmer by choice. I can use PHP and will continue to do small projects which don't need scalability, etc, through PHP.
Anyone who uses a massive J2EE app to have a blog, personal website or in fact, for that matter, anyone who regurgitates this kind of bile on top of anyone who uses PHP for those tasks, is overly compensating for something. It seems to me that anyone who puts a programing language down without giving a scope for it (like the original poster did) seems to have missed that PHP was designed for such "hobbyists"
Heavens forbid that people wanting to program "real web applications" (such as PHPBB) can't afford their own server.
You covered yourself nicely with the "heck, I'll even get some flak" nonsense. You deserve flak. For being so pompous as to announce the "literal objective" truth that only amateurs use PHP.
PHP is not as elegant, as powerful or as properly OO as Struts, but fuck it. I don't want all that power at times. I just want a quick and dirty approach. And PHP is perfect for that.
ASP is fairly crap, platform dependant and server-dependant. So, please, if you're going to compare like with like, do so properly
Admin
The presence of a native compiler is a characteristic of an implementation, not a language. C is not a compiled _language_- there are C interpreters. There are quite a few languages that have both interpreted and compiled implementations. Some implementations contain both interpreters and compilers. I can think of more than one language implementation with an interpreter, byte-code compilation, and native compilation. Then there are just in time compilers.
No firmer definition is possible, at least on implementation-specific grounds. So-called scripting languages are so called because of the uses that they are put to, because of the environment that they are used in, and because of the people that usually put them to those uses. These distinctions are largely social, and thus ambiguous and subject to rapid change. One man's scripting language is another's non-scripting language.
Admin
you took money from my account i would like it put back in my bank,i tlod you i dindt have the money to pay for your line of crdit you offerd,so put my money back to my account and cancel this membership
thank you
gary burden
Admin
You gave me a giggle when you said ASP.NET and J2EE were "Compiled" they're run in an interpreter, y'know. Just because they include a fake compiler to keep you guessing and validate the syntax doesn't make them better.
Admin
โปรโมชั่น เกมสล็อตxo ต่างๆมากมาย ให้กับสมาชิกทุกท่าน มาพร้อมโหมด SLOT XO DEMO ที่เปิดให้บริการตลอด 24 ชม.
xoslot
Admin
pg slot เว็บตรง พวกเรา คือ เว็บหลักสล็อต ที่เปิดให้บริการ SLOT PG เป็น เว็บตรงสล็อต PG แหล่งรวมเกม SLOTPG มากกว่า 200 เกม เว็บพนันสล็อต ยอดนิยมอันดับ 1 ฝากเงิน ผ่าน ระบบ ออโต้ ช่วยให้ การฝากเงิน - ถอนเงิน ของท่าน ปลอดภัย รวดเร็วทันใจ ภายใน 1 นาที ร่วมสนุกกับ PGSLOT ได้อย่างไร้ขีดจำกัด สมัคร สล็อตพีจีเว็บตรง ตอนนี้ รับโปรโมชั่น SlotPg ต่างๆมากมาย มีโหมดทดลองเล่น PGSLOT ให้ทุกท่าน ได้ทดลองเล่น PG SLOT ก่อนวางเดิมพันด้วยเงินจริง เครดิตฟรี 10,000 บาท เปิดให้บริการ SlotPg บน สล็อตเว็บตรงPG ตลอด 24 ชม. ร่วมสัมผัสประสบการณ์ใหม่กับ PGSLOT ที่ เว็บสล็อตออนไลน์ กับทางทีมงาน เว็บตรงพีจีสล็อต ได้อย่างไร้ขีดจำกัด
Admin
ไม่ผ่านเอเย่นต์ เราคือ เว็บสล็อตออนไลน์ JOKER ที่เปิดให้บริการ เกมสล็อตโจ๊กเกอร์ มากกว่า 500 เกม 500 รูปแบบ เว็บเกมสล็อต JOKER ของเรา มีสมาชิก มากกว่า 5 หมื่นคน สามารถร่วมสนุกและทำกำไรจาก โจ๊กเกอร์เกม ได้อย่างไร้กังวล JOKER123 มาพร้อมโหมด ทดลองเล่นสล็อต JOKER สล็อตเครดิตฟรี 10,000 บาท มีสูตรเล่นสล็อต JOKER ฟรี และโปรโมชั่นอีกเพียบ เปิดให้บริการ ทางเข้า JOKER SLOT ตลอด 24 ชม. สามารถร่วมสนุกกับ jokerslot ได้อย่างไร้ขีดจำกัด สมัครสมาชิกใหม่ โจ๊กเกอร์เกม ตอนนี้ ฝาก10รับ100ล่าสุด และโปรโมชั่นอีกมากมาย ได้ที่ สล็อตเว็บใหญ่ JOKER ตลอด 24 ชม.