• noname (unregistered) in reply to Russ
    Anonymous:
    merreborn:
    Anonymous:

    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.


    Ew.  PHP optionally does that, it's called "magic_quotes_gpc", and any application that relies on it is considered crap.  Run escaping functions in appropriate places, or use parameterized queries.  Don't rely on the language to escape every piece of input for you, and then run a stripslashes()-esque function on the data that shouldn't be escaped.  That's just disgusting.  Although I guess we should expect terrible advice like this from a coldfusion "developer".


    Magic quotes is totally different.  ColdFusion only does automatic escaping inside queries, not on all your data.  Therefore there are no problems with having to un-escape things.  So you've proved my point, CF is better than PHP.

    Isn't that kind of like winning the special olympics?

  • deltreme (unregistered) in reply to Russ

    Anonymous:

    Magic quotes is totally different.  ColdFusion only does automatic escaping inside queries, not on all your data.  Therefore there are no problems with having to un-escape things.  So you've proved my point, CF is better than PHP.

    Magic quotes were added to PHP because ColdFusion "wannabe-programmers" like yourself kept screwing up the firm.

    You also said PHP didn't fit CF's category, but you do say CF is better than PHP. You are trying to imply that CF can do ALL that PHP can, and more!

    I'm quite OK with scriptkids like yourself staying at CF, just don't lower yourself more by trying to say any RAD is better than a real platform.

  • mrsticks1982 (unregistered) in reply to richleick
    richleick:
    Anonymous:
    Bus Raker:
    richleick:
    Alex Papadimoulis:

    When developing an application that uses in-line SQL queries, it's essential to protect against "SQL Injection", i.e. the insertion of SQL code as a result of a string concatenation. For example, if productNum comes directly from user input, it might contain a malicious string, such as "'; DROP DATABASE --"

    myQuery = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + productNum + "';";

    The best way to do this is through "parameterized queries," which lets the database libraries take care of it. The next best way is to write your own escaping functions. And the next best way is to replace all instances of "O'Reily" with "O''Reily".

    Close.  Add the use of stored procedures and I'm all for it.  Oh wait, that would mean if you are using an earlier version of MySQL you probably never heard of these.

    Uh ... I think parameterized queries = stored procedures.  Is there another kind I don't know about?

    uh?...

    parameterized queries != stored procedures

    At least someone (i.e. BlackTiger) knows what the $%$# they are talking about.  I think we have stumbled upon one of the main reasons this site exists.  Instead of teaching basic principles (e.g. data structures, object oriented principles, database fundamentals, etc.) programmers (if they can call themselves that) today are taught a language like VB, Cold Fusion, or whatever.  Languages have become so advanced that one thinks they are meant to do everything when in fact they should simply make our job a bit easier.  Objects within the language are created so that we can access the database faster and easier (e.g. connection or recordset objects).  Isn't the language really supposed to act as an interface between the data and the UI or end user?  Maybe this is oversimplifying things a bit, but the fact that there are people out there who believe using parameterized queries is the same as using a stored procedure just infuriates me.  GET A CLUE!  It doesn't matter if it's Cold Fusion, VB, .NET, Java, whatever.  Learn the basic principles and fundamentals and then choose a language that works for you.

    SERENITY NOW!


    ditto ... You will be amazed at the huge differences in performance you can accomplish by using the standard techniques such as quicksorts or binary searches. Whether you do web or desktop the principles move across language and platform boundaries. I try to stress that people know the core fundamentals because once you know those the only other thing you have to worry about is learning the libraries and the syntax of the language you like.

    Oh, and RUBY ON RAILS daddy would kick ColdFusion's Daddy's A$$!!
  • (cs) in reply to Russ
    Anonymous:
    GrandmasterB:

    Anonymous:
    Name one other programming language that even comes close to CF in terms of RAD. 

    ASP & PHP

    I can develop apps 20 times faster in either than in Cold Fusion

    'Course, I've never used Cold Fusion.  Nor do I give a rats ass if something is buzzword-compliant ('RAD') or not.

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    Now that's a real-life problem :)

    Come on, most of the time spent on development of web applications is debugging html and css. I've been developing webapps for 5 years using various java frameworks and the quickest part was always the glue code between sql and java.. (Except for some really craptastic frameworks.) Figuring out why that damned page is totally mangled under IE or Firefox took more than ten times longer.
  • (cs) in reply to Russ
    Anonymous:

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    <asp:GridView ID="GridView1" DataSourceID="SqlDataSource1" runat="server" />
    <asp:SqlDataSource ID="SqlDataSource1" runat="server"
    SelectCommand="SELECT [au_id], [au_lname], [au_fname], [phone], [address], [city], [state], [zip], [contract] FROM [authors]"
    ConnectionString="<%$ ConnectionStrings:Pubs %>" />


    How about you shut the hell up now?
  • Anon (unregistered) in reply to noname

    I think the Anonymous user who started this debate went to WTF University.


  • (cs) in reply to GrandmasterB
    GrandmasterB:

    Sean:
    Anonymous:
    Simple, ban the Irish and the Scots.


    And the Vulcans.

    And the Jaffa.  In fact, most extra-terrestrials won't be able to use that system.

    Well, they wouldn't be able to use it anyway, because their SSN's start with "800-".

  • (cs) in reply to Russ
    Anonymous:
    GrandmasterB:

    Anonymous:
    Name one other programming language that even comes close to CF in terms of RAD. 

    ASP & PHP

    I can develop apps 20 times faster in either than in Cold Fusion

    'Course, I've never used Cold Fusion.  Nor do I give a rats ass if something is buzzword-compliant ('RAD') or not.

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    $res = mysql_query("SELECT firstname, lastname, username FROM users");
    while($row=mysql_fetch_assoc($res))
        echo "$row[firstname] $row[lastname] $row[username] <br />";

    good work finding a CF example that's shorter and more readable in PHP.
  • Anon (unregistered) in reply to mhughes
    mhughes:
    Anonymous:


    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    I haven't used CF in a long time... is the following still true?

    Cold Fusion is to (Ruby On Rails | PHP | JSP) what Visual Basic is to (C++ | C# | Java)


    YES!  That's the best explanation of it I have ever seen.  Cold Fusion is basically just about making it easy to shunt data between web pages and a database.  If you ever have to do anything more intensive than that it fails horribly.
  • Russ (unregistered) in reply to Kazan
    Anonymous:
    hehe anonymous doesn't realize ColdFusion the web application shit is just as functional as the other ColdFusion

    ColdFusion is a clusterfuck of shit with no redeeming value what-so-ever

    if you want to use java server pages, use java server pages, not java-server-pages-lite (aka Coldfusion)

    either way - JSP and CFM are 100% lossage  


    I would say the same thing about ASP, ASP.NET and PHP. 

    There are a plethora of languages and development platforms out there.  CF is the only one that's mature, has good community support (apart from actual provider support), lets you develop applications faster than most of the languages out there, and although it is not free or open-source, there are free alternatives (BlueDragon, Railo), has a ton of OO frameworks (Mach II, Model-Glue, to some level FuseBox 5), has free CMS systems (FarCry). 

    It's true that it's so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design than on actually sitting there and escaping single quotes. 

    Any language allows people to write bad code, and we've yet to see a single CF wtf here, and all we see is ASP, ASP.NET and other .NET code here.  Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET
  • Me (unregistered) in reply to John Bigboote

    Just because you can develop something quickly doesn't mean you should. What happens when you change a table name and you've embedded something like that within 500 pages?

    Some languages promote badly designed apps and call it a feature.

  • Maliburro Man (unregistered) in reply to JR
    "O'Please you can't expect this poor developer to imagine all the possible places that don't work b'cause of single quotes."

    *duck*

    Captcha = Woah Nelly!
  • (cs) in reply to Russ
    Anonymous:
    Anonymous:
    hehe anonymous doesn't realize ColdFusion the web application shit is just as functional as the other ColdFusion

    ColdFusion is a clusterfuck of shit with no redeeming value what-so-ever

    if you want to use java server pages, use java server pages, not java-server-pages-lite (aka Coldfusion)

    either way - JSP and CFM are 100% lossage  


    I would say the same thing about ASP, ASP.NET and PHP. 

    There are a plethora of languages and development platforms out there.  CF is the only one that's mature, has good community support (apart from actual provider support), lets you develop applications faster than most of the languages out there, and although it is not free or open-source, there are free alternatives (BlueDragon, Railo), has a ton of OO frameworks (Mach II, Model-Glue, to some level FuseBox 5), has free CMS systems (FarCry). 

    It's true that it's so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design than on actually sitting there and escaping single quotes. 

    Any language allows people to write bad code, and we've yet to see a single CF wtf here, and all we see is ASP, ASP.NET and other .NET code here.  Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET


    Yeah, escaping single quotes is a very tedious work indeed. If my project manager asks next time why did the coding take so long, I'll answer 'You see, we had to escape single quotes.'
  • Shepherd (unregistered) in reply to Russ
    Anonymous:
    Anonymous:

    I have sort of a problem with stored procedures.  You can't keep them in subversion.  At least it's not easy.  With coldfusion, you can create parameterized queries, which come very close to stored procedures, and can be stored in an svn repository. 

    This has to be the most specious reason I've ever heard for not using stored procedures.  Granted, it's clunky to properly version them in any source code repository, but the benefits of using them (beyond just avoiding injection attacks) far outweigh this minor inconvenience.



    Such as?  I can write any stored procedure inside a CF query, and it will probably run in about the same time if I use parameters to call it.  Other than speed, what other benefits are there?


    Three things.
    I agree, coding a certain way just to satisfy your versioning system is sort of a weak justification.  You have to store your sql create statements someplace too, don't you?  Or should I look in your code for those too?

    Second, if you're a programmer then you can make your script do anything you like, hell you don't even need a database! You can use flat files. Other than speed and stability and maintainability and not re-inventing the wheel, what is the added benefit?

    Third, isn't ColdFusion just some sort of glorified XML based markup?  CFML isn't a real language... or were you referring to the ColdFusion App server as a whole? Which then lets us consider things like ... like ... serverside action script?

    you're wrong.
  • (cs) in reply to Russ
    Anonymous:

    Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET


    Maybe the bad code written in coldfusion is harder to find because it's indistinguishable from the "good code".
  • (cs)
    Anonymous:
    Anonymous:
    Anonymous:
    hehe anonymous doesn't realize ColdFusion the web application shit is just as functional as the other ColdFusion

    ColdFusion is a clusterfuck of shit with no redeeming value what-so-ever

    if you want to use java server pages, use java server pages, not java-server-pages-lite (aka Coldfusion)

    either way - JSP and CFM are 100% lossage  


    I would say the same thing about ASP, ASP.NET and PHP. 

    There are a plethora of languages and development platforms out there.  CF is the only one that's mature, has good community support (apart from actual provider support), lets you develop applications faster than most of the languages out there, and although it is not free or open-source, there are free alternatives (BlueDragon, Railo), has a ton of OO frameworks (Mach II, Model-Glue, to some level FuseBox 5), has free CMS systems (FarCry). 

    It's true that it's so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design than on actually sitting there and escaping single quotes. 

    Any language allows people to write bad code, and we've yet to see a single CF wtf here, and all we see is ASP, ASP.NET and other .NET code here.  Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET


    Now you are talking about ruby on rails, but ROR has newer features added to it. I can have a website up in 20 minutes; can CF do that? ... But more mature is a load of @#$%. The whole language was rewritten after Macromedia purchased the company. So it is about as mature as ASP.NET and yet I see M$ following in the footsteps of newer languages .. one is they have to rework the language to be more like others. I see more similarities between ASP.NET 2.0 and Ruby on Rails than against any other dynamic web languages. Now who is more mature?


    Do the 20 minutes include thinking before coding and testing afterwards? (Not to mention writing HTML and CSS that works under both IE and Firefox.)
  • Russ (unregistered) in reply to Me
    Anonymous:
    Just because you can develop something quickly doesn't mean you should. What happens when you change a table name and you've embedded something like that within 500 pages?

    Some languages promote badly designed apps and call it a feature.


    Which is why you abstract your datalayer, and if you need to change a table name, it will usually be in 1 or 2 CFCs, and you can do a simple search and replace. 
  • (cs)
    Anonymous:
    Anonymous:
    Anonymous:
    Anonymous:
    hehe anonymous doesn't realize ColdFusion the web application shit is just as functional as the other ColdFusion

    ColdFusion is a clusterfuck of shit with no redeeming value what-so-ever

    if you want to use java server pages, use java server pages, not java-server-pages-lite (aka Coldfusion)

    either way - JSP and CFM are 100% lossage  


    I would say the same thing about ASP, ASP.NET and PHP. 

    There are a plethora of languages and development platforms out there.  CF is the only one that's mature, has good community support (apart from actual provider support), lets you develop applications faster than most of the languages out there, and although it is not free or open-source, there are free alternatives (BlueDragon, Railo), has a ton of OO frameworks (Mach II, Model-Glue, to some level FuseBox 5), has free CMS systems (FarCry). 

    It's true that it's so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design than on actually sitting there and escaping single quotes. 

    Any language allows people to write bad code, and we've yet to see a single CF wtf here, and all we see is ASP, ASP.NET and other .NET code here.  Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET


    Now you are talking about ruby on rails, but ROR has newer features added to it. I can have a website up in 20 minutes; can CF do that? ... But more mature is a load of @#$%. The whole language was rewritten after Macromedia purchased the company. So it is about as mature as ASP.NET and yet I see M$ following in the footsteps of newer languages .. one is they have to rework the language to be more like others. I see more similarities between ASP.NET 2.0 and Ruby on Rails than against any other dynamic web languages. Now who is more mature?


    I can install FarCry in about 10 minutes, and have a fully functional website with a content management backend and proper CSS/JS use in about another 10 minutes including content. 

    It all depends on what you mean by a website. 

    Captcha: paula  


    How many websites do you build a day?
  • Russ (unregistered) in reply to John Bigboote
    John Bigboote:
    Anonymous:

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    <asp:GridView ID="GridView1" DataSourceID="SqlDataSource1" runat="server" />
    <asp:SqlDataSource ID="SqlDataSource1" runat="server"
    SelectCommand="SELECT [au_id], [au_lname], [au_fname], [phone], [address], [city], [state], [zip], [contract] FROM [authors]"
    ConnectionString="<%$ ConnectionStrings:Pubs %>" />


    How about you shut the hell up now?


    I don't remember asking for a gridview.  I asked for a simple output with <br> to separate the lines. 

    and I wouldn't say this is even close to as easy to read as ColdFusion.  And I'm having doubts as to the execution speed too.   
  • (cs)
    if (sLogin == "O'Reily") sLogin = "O''Reily";

    And the new user? His name was Robert O'Hare.

    if (sLogin == "O'Hare") sLogin = "O''Hare";

    There, problem solved.

  • Russ (unregistered) in reply to rev
    rev:
    Anonymous:
    GrandmasterB:

    Anonymous:
    Name one other programming language that even comes close to CF in terms of RAD. 

    ASP & PHP

    I can develop apps 20 times faster in either than in Cold Fusion

    'Course, I've never used Cold Fusion.  Nor do I give a rats ass if something is buzzword-compliant ('RAD') or not.

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    $res = mysql_query("SELECT firstname, lastname, username FROM users");
    while($row=mysql_fetch_assoc($res))
        echo "$row[firstname] $row[lastname] $row[username] <br />";

    good work finding a CF example that's shorter and more readable in PHP.


    I wouldn't say it's necessarily easier to read in PHP.  And didn't you leave something out?  How does mysql_query know what database you're accessing?
  • (cs)

    First, a very important message (some have made similar statements, but IMO not clear enough):

    Forget escaping. Use parametrized queries. Always.

    Some database systems (e.g. Oracle) will hate you, really really hate you, and let you feel that, if you execute thousands of queries that only differ in the literal values. This hurts in terms of performance, especially for very simple queries (like querying a single row by the primary key). Reason: The overhead for doing a hard parse is more relevant if the actual execution is fast.

    About Coldfusion: Using a proprietary language or tool (like ColdFusion, VB6, Delphi or Oracle Forms) inevitably leads you to a point where you have no other option than rewriting the whole project from scratch. Unless the project has a limited lifespan because of external circumstances, always use tools/languages that do not depend on the survival or goodwill of a single company. COBOL is really awful, but you still get compilers for it.

  • Russ (unregistered) in reply to biziclop
    biziclop:

    How many websites do you build a day?


    I don't build websites... I maintain and develop one large enterprise app that hosts many client's websites. 
  • (cs) in reply to mrsticks1982
    Anonymous:
    richleick:
    Anonymous:
    Bus Raker:
    richleick:
    Alex Papadimoulis:

    When developing an application that uses in-line SQL queries, it's essential to protect against "SQL Injection", i.e. the insertion of SQL code as a result of a string concatenation. For example, if productNum comes directly from user input, it might contain a malicious string, such as "'; DROP DATABASE --"

    myQuery = "SELECT Prod_Name FROM Products WHERE Prod_Num='" + productNum "';";

    The best way to do this is through "parameterized queries," which lets the database libraries take care of it. The next best way is to write your own escaping functions. And the next best way is to replace all instances of "O'Reily" with "O''Reily".

    Close.  Add the use of stored procedures and I'm all for it.  Oh wait, that would mean if you are using an earlier version of MySQL you probably never heard of these.

    Uh ... I think parameterized queries = stored procedures.  Is there another kind I don't know about?

    uh?...

    parameterized queries != stored procedures

    At least someone (i.e. BlackTiger) knows what the $%$# they are talking about.  I think we have stumbled upon one of the main reason's this site exists.  Instead of teaching basic principals (e.g. data structures, object oriented principals, database fundamentals, etc.) programmers (if they can call themselves that) today are taught a language like VB, Cold Fusion, or whatever.  Languages have become so advanced that one thinks they are meant to do everything when in fact they should simply make our job a bit easier.  Objects within the lanugage are created so that we can access the database faster and easier (e.g. connection or recordset objects).  Isn't the language really supposed to act as an interface between the data and the UI or end user?  Maybe this is oversimplifying things a bit, but the fact that there are people out there who believe using paramaterized queries is the same as using a stored procedure just infuriates me.  GET A CLUE!  It doesn't matter if it's Cold Fusion, VB, .NET, Java, whatever.  Learn the basic principals and fundamentals and then choose a language that works for you.

    SERENITY NOW!


    ditto ... You will be amazed at the huge differences in performance you can accomplish by using the standard techniques such as quicksorts or binary searches. Whether you do web or desktop the principles move across language and platform boundaries. I try to stress that people know the core fundamentals because once you know those the only other thing you have to worry about is learning the libraries and the syntax of the language you like.

    Oh, and RUBY ON RAILS daddy would kick ColdFusion's Daddy's A$$!!

    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.



    Of course this problem was solved when the UI was updated with the following (I hope this works)

    Please select your last name. <select name="Irish"> <option selected="selected" value="H">O'Hare</option> <option value="R">O'Reilly</option> </select>
    If you do not see your name please contact the help desk.



    Arrg. It was supposed to render a drop down. Would have worked with the old CS.

  • Russ (unregistered) in reply to ammoQ
    ammoQ:
    First, a very important message (some have made similar statements, but IMO not clear enough):

    Forget escaping. Use parametrized queries. Always.

    Some database systems (e.g. Oracle) will hate you, really really hate you, and let you feel that, if you execute thousands of queries that only differ in the literal values. This hurts in terms of performance, especially for very simple queries (like querying a single row by the primary key). Reason: The overhead for doing a hard parse is more relevant if the actual execution is fast.

    About Coldfusion: Using a proprietary language or tool (like ColdFusion, VB6, Delphi or Oracle Forms) inevitably leads you to a point where you have no other option than rewriting the whole project from scratch. Unless the project has a limited lifespan because of external circumstances, always use tools/languages that do not depend on the survival or goodwill of a single company. COBOL is really awful, but you still get compilers for it.


    yes, you should always use parameterized queries.  Now, it might be true that eventually you'll have to rewrite the project from scratch, but I don't see how ColdFusion is the cause for it any more than having to write the language in ASP.NET or anything else.

    Also don't forget, one of the largest sites in the world, myspace, is built on ColdFusion.  
  • (cs) in reply to Russ
    Anonymous:
    biziclop:

    How many websites do you build a day?


    I don't build websites... I maintain and develop one large enterprise app that hosts many client's websites. 


    So how much does it count that you can build a page doing a simple query and displaying it in unacceptable format in 5 minutes, whereas doing the same in a normal language, with the environment already set up (we talk about maintenance, right?) can take as much as...20 minutes?
  • Russ (unregistered) in reply to smbell
    smbell:

    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.



    Of course this problem was solved when the UI was updated with the following (I hope this works)

    Please select your last name. <select name="Irish"> <option selected="selected" value="H">O'Hare</option> <option value="R">O'Reilly</option> </select>
    If you do not see your name please contact the help desk.



    I'm not sure why you need to know assembly to understand that code... it's standard c++/java code, and has nothing to do with assembly.  It's the type of thing you learn in the first programming course.
  • Russ (unregistered) in reply to biziclop
    biziclop:
    Anonymous:
    biziclop:

    How many websites do you build a day?


    I don't build websites... I maintain and develop one large enterprise app that hosts many client's websites. 


    So how much does it count that you can build a page doing a simple query and displaying it in unacceptable format in 5 minutes, whereas doing the same in a normal language, with the environment already set up (we talk about maintenance, right?) can take as much as...20 minutes?


    So in general, it takes you 4 times longer to code the same thing in a different language than it does in ColdFusion, therefore, I'm 4 times more productive.    
  • (cs) in reply to Russ
    Anonymous:
    ammoQ:
    First, a very important message (some have made similar statements, but IMO not clear enough):

    <font size="+3">Forget escaping. Use parametrized queries. Always.</font>

    Some database systems (e.g. Oracle) will hate you, really really hate you, and let you feel that, if you execute thousands of queries that only differ in the literal values. This hurts in term of performance, especially for very simple queries (like querying a single row by the primary key). Reason: The overhead for doing a hard parse is more relevant if the actual execution is fast.

    About Coldfusion: Using a proprietary language or tool (like ColdFusion, VB6, Delphi or Oracle Forms) inevitably leads you to a point where you have no other option than rewriting the whole project from scratch. Unless the project has a limited lifespan because of external circumstances, always use tools/languages that do not depend on the survival or goodwill of a single company. COBOL is really awful, but you still get compilers for it.


    yes, you should always use parameterized queries.  Now, it might be true that eventually you'll have to rewrite the project from scratch, but I don't see how ColdFusion is the cause for it any more than having to write the language in ASP.NET or anything else.

    Also don't forget, one of the largest sites in the world, myspace, is built on ColdFusion.  

    Do you really want to point to MySpace as an example of a good web site?

  • (cs) in reply to Russ
    Anonymous:
    smbell:

    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.



    Of course this problem was solved when the UI was updated with the following (I hope this works)

    Please select your last name. <select name="Irish"> <option selected="selected" value="H">O'Hare</option> <option value="R">O'Reilly</option> </select>
    If you do not see your name please contact the help desk.



    I'm not sure why you need to know assembly to understand that code... it's standard c++/java code, and has nothing to do with assembly.  It's the type of thing you learn in the first programming course.

    I don't think that particular example requires assembly, but (at least from my experience) 9 out of 10 Java developers will guess the wrong output, and not be able to understand why.

  • Jud (unregistered) in reply to smbell

    smbell:

    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.

    Agreed (except for the declaring x twice part).

  • (cs) in reply to Russ
    Anonymous:


    I don't remember asking for a gridview.  I asked for a simple output with <br> to separate the lines. 

    <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:SqlExpressConnString %>" ProviderName="<%$ ConnectionStrings:SqlExpressConnString.ProviderName %>" SelectCommand="SELECT [RoleId], [RoleName] FROM [vw_aspnet_Roles]"></asp:SqlDataSource>
        <asp:DataList ID="DataList1" runat="server" DataSourceID="SqlDataSource1">
            <ItemTemplate><%# Eval("RoleId") %> -- <%# Eval("RoleName") %><br />
            </ItemTemplate>
        </asp:DataList>

    And I'm having doubts as to the execution speed too.   


    You should really stop doubting things that you clearly don't understand.
  • me (unregistered) in reply to smbell

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.
    surely this is just understanding the difference between ++x and x++?  I don't know assembler, so have I missed something?
  • JR (unregistered) in reply to biziclop

    biziclop:
    It's about time to create a new mascot for kids: SQL Injection Panda.

    SQL Injection makes me sad... <leans>

  • (cs) in reply to Russ
    Anonymous:

    Now, it might be true that eventually you'll have to rewrite the project from scratch, but I don't see how ColdFusion is the cause for it any more then having to write the language in ASP.NET or anything else.

    Well, let's say MS drops support for ASP.NET in 2009 in favor of ASP.LIFE. If there was no other implementation of ASP.NET than MS', this would cause problems for existing ASP.NET applications. But since there is at least Mono's implementation of ASP.NET (I think DotGNU also made one but I'm currently too lazy to check that), ASP.NET users will have an option even if a security relevant bug found in 2011 makes it actually impossible to run ASP.NET on IIS anymore.


    Also don't forget, one of the largest sites in the world, myspace, is built on ColdFusion.  

    MySpace is large, but not necessarily very complex. Because it's the users who create the content.

  • (cs) in reply to merreborn
    merreborn:
    Saarus:

    The use of 800-series SSNs is not restricted to illegal immigrants.

    When I was in the USAF I worked medical records, which are filed by SSN. On base would be foreign military members and family members, on exchange for training or layover, who had no SSNs. SSN is required for medical treatment in a military medical facility. For all such foreign nationals, they are assigned a SSN which starts with 800. The rest is determined by DOB. If two or more such people have the same DOB, the first three digits are incremented.



    Were people actually issued those SSNs?  Or is this just an internal policy for dealing with record keeping?

    Just 'cause you referred to these people by numbers that were in an SSN format at work, doesn't mean that those people were actually issued those SSNs.  So said 800 SSNs still wouldn't qualify as valid.

    mattwho:
    Those numbers aren't SSNs but are Temporary ID numbers assigned by DoD and not by SSA.


    Looks like mattwho just confirmed my suspicions

    Good point. Didn't think of that... I suppose the DoD could use any unassigned range of SSNs in that case.

    A better term would have been "Identification Number."

  • Russ (unregistered) in reply to smbell
    smbell:
    Anonymous:
    ammoQ:
    First, a very important message (some have made similar statements, but IMO not clear enough):

    Forget escaping. Use parametrized queries. Always.

    Some database systems (e.g. Oracle) will hate you, really really hate you, and let you feel that, if you execute thousands of queries that only differ in the literal values. This hurts in terms of performance, especially for very simple queries (like querying a single row by the primary key). Reason: The overhead for doing a hard parse is more relevant if the actual execution is fast.

    About Coldfusion: Using a proprietary language or tool (like ColdFusion, VB6, Delphi or Oracle Forms) inevitably leads you to a point where you have no other option than rewriting the whole project from scratch. Unless the project has a limited lifespan because of external circumstances, always use tools/languages that do not depend on the survival or goodwill of a single company. COBOL is really awful, but you still get compilers for it.


    yes, you should always use parameterized queries.  Now, it might be true that eventually you'll have to rewrite the project from scratch, but I don't see how ColdFusion is the cause for it any more than having to write the language in ASP.NET or anything else.

    Also don't forget, one of the largest sites in the world, myspace, is built on ColdFusion.  

    Do you really want to point to MySpace as an example of a good web site?



    No, MySpace is a horrible site, written by a bunch of cowboys that know nothing of good development.  However, they were able to build the site fast, and sell it for a lot of money, in good part thanks to ColdFusion.
  • (cs) in reply to Russ
    Anonymous:
    smbell:

    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.



    Of course this problem was solved when the UI was updated with the following (I hope this works)

    Please select your last name. <select name="Irish"> <option selected="selected" value="H">O'Hare</option> <option value="R">O'Reilly</option> </select>
    If you do not see your name please contact the help desk.



    I'm not sure why you need to know assembly to understand that code... it's standard c++/java code, and has nothing to do with assembly.  It's the type of thing you learn in the first programming course.


    Learning assembly helps in many ways:
    -you learn to think the way a computer works (handy while debugging)
    -you learn to get a quick global overview of many lines of code at a glance (the same as above)
    -you learn to organise and comment your code (otherwise you're dead)

    On the other hand, being the assembly freak I am, even I don't recommend anyone to start with assembly. It gives you very little feeling of success in the beginning. It's good to write a few things in assembly if you already know a bit of C or Pascal
  • Russ (unregistered) in reply to John Bigboote
    John Bigboote:
    Anonymous:


    I don't remember asking for a gridview.  I asked for a simple output with <br> to separate the lines. 

    <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:SqlExpressConnString %>" ProviderName="<%$ ConnectionStrings:SqlExpressConnString.ProviderName %>" SelectCommand="SELECT [RoleId], [RoleName] FROM [vw_aspnet_Roles]"></asp:SqlDataSource>
        <asp:DataList ID="DataList1" runat="server" DataSourceID="SqlDataSource1">
            <ItemTemplate><%# Eval("RoleId") %> -- <%# Eval("RoleName") %><br />
            </ItemTemplate>
        </asp:DataList>

    And I'm having doubts as to the execution speed too.   


    You should really stop doubting things that you clearly don't understand.


    The googles... they do nothing!!!

    Seriously, that's a lot of special characters just to print out a couple of lines from the db. 
  • UTU (unregistered) in reply to Russ
    Anonymous:
    rev:
    Anonymous:
    Lets see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now lets see how long and convoluted a similar example in php/asp is going to be. 


    $res = mysql_query("SELECT firstname, lastname, username FROM users");
    while($row=mysql_fetch_assoc($res))
        echo "$row[firstname] $row[lastname] $row[username] <br />";

    good work finding a CF example that's shorter and more readable in PHP.


    I wouldn't say it's necessarily easier to read in PHP.  And didn't you leave something out?  how does mysql_query know what database you're accessing?


    It uses the default connection (that can be defined in php.ini), of course. You didn't provide information on how the dataset on CF is defined either :)
  • (cs) in reply to dasgsdgsd
    Anonymous:
    Irrelevant:
    Anonymous:
    Anonymous:
    Name one... Seriously.  I dare you.
    Ruby.
    Excuse me sir, the maitre d' sent me over... he asked me to pass on this message... *ahem*

    YOU GOT SERVED!

    ...to be serious for a moment, I think the mistake was in saying "real web programming language" at all. IMO, ColdFusion looks more like a "templating language". It's advanced as those go, yes, but you can't expect calling an XML-based language a "programming language" to be taken seriously.
    It's not an XML-based language.  I don't think you know what you're talking about either, so don't even bother.
     
    ColdFusion is an impertive programming language that just has a weird syntax.  It also has some declarative elements to it, but for the most part you code impertively.
     
    The main problem I find with it is that it's bloody expensive, it's buggy as hell, it's a massive resource hog, and it ain't "robust" in any sense of the word.
     
    Its main failing is that it's one of those 80/20 solutions.  It does 80% of what you need, and the other 20% is going to kill you.
     
    Take threading.  There's no way for you to manage threads.  Sure, most of the time you don't need threads.  But when you do, there's absolutely no way for you to extend the language for you to use threads without jumping to Java.  Which totally defeats using the RAD language in the first place.

    WTF is an impertive language? Is this some language used to direct perverted imps in some infernal machine?

  • BrokenArrow (unregistered) in reply to Russ
    Anonymous:
    DZ-Jay:
    Anonymous:

    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.  The best, best way is to do it in coldfusion with parameterized queries, but even if the coder is not smart enough to use them, this kind of issue just wouldn't even come up.    


    ColdFusion, a Real web programming language? Hahahahahahahaahahahahahahahahahahahahaha!!!!

    Thanks for that! :)
        dZ.


    About 10 times better than ASP or PHP.  Maybe ASP.NET or JSP can compete with it, but nothing can beat the RAD functionality of ColdFusion.


    You know. That is even funnier the second time you said it.
  • Kazan (unregistered) in reply to Russ
    Anonymous:

    I would say the same thing about ASP, ASP.NET and PHP. 


    hahahah you really are braindead. you must work for ColdFusion's marketing division.

    Anonymous:


    There are a plethora of languages and development platforms out there.  CF is the only one that's mature, has good community support (apart from actual provider support), lets you develop applications faster than most of the languages out there, and although it is not free or open-source, there are free alternatives (BlueDragon, Railo), has a ton of OO frameworks (Mach II, Model-Glue, to some level FuseBox 5), has free CMS systems (FarCry). 


    CF is mature, as in geriatric.  PHP is mature - we have processed over a billion dollars in tax payments via PHP in the last two/three years.  Apparently your definition of "app" is "a web form that submits into a database, and occasionally gets out of it" - no extensive business logic, no reliability, no error checking, no quality.

    PHP has a ton of OO frameworks, we happen to have our own custom one, PHP is open source, PHP is actively supported, PHP doesn't cost an arm, leg and testicle to install, php has many free CMS systems

    Anonymous:

    It's true that it's so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design, than on actually sitting there and escaping single quotes.

    "BASIC is so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design, than on actually sitting there and escaping single quotes."

    and yet you STILL have to call a function to escape quotes, just like EVERY. OTHER. LANGUAGE.  PS: you can write query factories too that do all that for you in PHP, we have one in some of our apps

    Anonymous:

    Any language allows people to write bad code, and we've yet to see a single CF wtf here, and all we see is ASP, ASP.NET and other .NET code here.  Either ColdFusion is not prevalent enough, or maybe bad code written in CF is just not as monstrous as bad code written in ASP/PHP/.NET


    i'm sure we've seen CF wtf's - remember alex anonymizes them - or are you such a ColdFusion zealot that you ignore that fact.


  • pwm (unregistered) in reply to smbell
    smbell:

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.


    This doesn't have anything to do with knowledge about assembler programming or how machines work. It's just a question of how the semantics of the language is defined, and what priorities different operators are given. Knowledge about machines just gives a hint how the statements would be translated into machine instructions.
  • Kazan (unregistered) in reply to Saarus
    Saarus:
    WTF is an impertive language? Is this some language used to direct perverted imps in some infernal machine?


    Russ is some 13-year-old scriptkiddie who just read a coldfusion book and warez a copy of coldfusion server and is using/making-up suit buzzwords to sound intelligent

    kinda like my captcha: shizzle
  • (cs) in reply to Russ
    Russ:

    No, MySpace is a horrible site, written by a bunch of cowboys that know nothing of good development.  However, they were able to build the site fast, and sell it for a lot of money, in good part thanks to ColdFusion.


    MySpace isn't very innovative (IMO) and was launched in 2003, 7 years or so after the beginning of the .com bubble. I see no reason why they had to build it fast.
  • (cs) in reply to themagni
    themagni:
    Saarus:
    themagni:
    merreborn:
    Satanicpuppy:
    Stupid. Where there is one special case there are a million, so, unless you want to fix them all by hand, it's time to re-imagine your logic.

    I had the reverse problem once...I was working on a system where the system automatically threw out all SSNs that started with "800". I got egg on my face because I told the user that that was impossible (I hadn't written the application, and I "knew" the guy who had hadn't been a MORON), and when she showed me that it was possible, I set forth on a quest to find the one line of code that declared all 800 ssns invalid.

    Sigh.


    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    http://en.wikipedia.org/wiki/Social_Security_number_%28United_States%29#Valid_SSNs

    Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs


    They're using the 800 series for Illegal Immigrants.

    The use of 800-series SSNs is not restricted to illegal immigrants.

    When I was in the USAF I worked medical records, which are filed by SSN. On base would be foreign military members and family members, on exchange for training or layover, who had no SSNs. SSN is required for medical treatment in a military medical facility. For all such foreign nationals, they are assigned a SSN which starts with 800. The rest is determined by DOB. If two or more such people have the same DOB, the first three digits are incremented.



    Huh. I thought I was making a joke. I'm not from the US, so I don't see a lot of SSNs. Come to think of it, I think that the Woolworth's example is the only one I've seen.

    You forgot the sarcasm tags, dude.

  • Kazan (unregistered) in reply to ammoQ
    ammoQ:
    Russ:

    No, MySpace is a horrible site, written by a bunch of cowboys that know nothing of good development.  However, they were able to build the site fast, and sell it for a lot of money, in good part thanks to ColdFusion.


    MySpace isn't very innovative (IMO) and was launched in 2003, 7 years or so after the beginning of the .com bubble. I see no reason why they had to build it fast.


    he used myspace as an example? oh that makes this even MORE hilarious!

    captcha: craptastic
  • Russ (unregistered) in reply to Kazan
    Anonymous:

    CF is mature, as in geriatric.  PHP is mature - we have processed over a billion dollars in tax payments via PHP in the last two/three years.  Apparently your definition of "app" is "a web form that submits into a database, and occasionally gets out of it" - no extensive business logic, no reliability, no error checking, no quality.

    PHP has a ton of OO frameworks, we happen to have our own custom one, PHP is open source, PHP is actively supported, PHP doesn't cost an arm, leg and testicle to install, php has many free CMS systems


    This explains why the IRS is so slow and inefficient.

    Anonymous:

    "BASIC is so simple that it allows people with very little programming knowledge to write bad code.  But it also allows people with more programming knowledge to focus more on application design, than on actually sitting there and escaping single quotes."

    and yet you STILL have to call a function to escape quotes, just like EVERY. OTHER. LANGUAGE.  PS: you can write query factories too that do all that for you in PHP, we have one in some of our apps


    What does basic have to do with anything?  We're talking about ColdFusion.  Or is your ADD kicking in again?  One more time, CF automatically escapes single quotes in queries.  There are no functions that you need to call. 


    Anonymous:

    i'm sure we've seen CF wtf's - remember alex anonymizes them - or are you such a ColdFusion zealot that you ignore that fact.


    I know alex anonymizes them, but he wouldn't convert it from CF into another language.  It just doesn't translate easily.  To my knowledge, there HAVE BEEN NO CF WTF's on this site. 
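    The escaping-versus-parameterized-queries argument running through this thread (ammoQ's "forget escaping" point and the claim that CF escapes single quotes inside queries automatically), as an added Python/SQLite example that is not code from any poster. The `customers` table, the surnames in it and the `lookup_*` functions are constructed here for illustration; the probe value is the same kind of quote-bearing input the original article's Mr. O'Hare supplies.

```python
import sqlite3

# Constructed sample data, not from the thread: the Irish surnames that
# broke the original application plus one control row.
SAMPLE_CUSTOMERS = [("O'Hare", "H"), ("O'Reilly", "R"), ("Smith", "S")]


def make_db():
    """Return an in-memory SQLite database loaded with SAMPLE_CUSTOMERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (lastname TEXT, code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concat(conn, lastname):
    """The vulnerable pattern: user input glued straight into the SQL text."""
    sql = "SELECT code FROM customers WHERE lastname = '" + lastname + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, lastname):
    """Hand escaping, roughly what automatic quoting inside a query does:
    double every single quote so the literal ends where the code intended.
    Correct only if it is applied on every path and the quoting rules of
    this particular database are exactly what the escaper assumes."""
    sql = ("SELECT code FROM customers WHERE lastname = '"
           + lastname.replace("'", "''") + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, lastname):
    """Parameterized query: the value is bound separately from the statement
    text, so an apostrophe (or anything else) in it is only ever data.
    The statement text is identical for every name, which is also why the
    database can reuse one parsed plan instead of hard-parsing each call."""
    sql = "SELECT code FROM customers WHERE lastname = ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def concat_breaks_on(lastname):
    """True if lookup_concat fails with a SQL syntax error for this name."""
    try:
        lookup_concat(make_db(), lastname)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    print("O'Hare via concat breaks:", concat_breaks_on("O'Hare"))
    print("O'Hare via escaping:", lookup_escaped(conn, "O'Hare"))
    print("O'Hare via parameter:", lookup_param(conn, "O'Hare"))
    # A value shaped like a SQL fragment: only the concatenated version
    # lets it change the meaning of the query; the other two treat it as
    # a (non-matching) surname.
    probe = "x' OR '1'='1"
    print("probe via concat:", lookup_concat(conn, probe))
    print("probe via escaping:", lookup_escaped(conn, probe))
    print("probe via parameter:", lookup_param(conn, probe))
```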
  • (cs) in reply to Russ
    Anonymous:


    JSP I believe is more efficient than coldfusion, but a lot harder to code in.  Basically you are trading execution speed for development time.  And with the speed of the servers on the market today, do you really want to do that?


    I might.

Leave a comment on “Poor Mr. O'Hare ”
