• (cs) in reply to merreborn
    merreborn:


    "Currently, a valid SSN cannot have the first three digits (the area number) above 772, the highest area number which the Social Security Administration has allocated."

    http://en.wikipedia.org/wiki/Social_Security_number_%28United_States%29#Valid_SSNs

    Either wikipedia's dead wrong, or someone was feeding your system invalid SSNs




    Well, the wikipedia isn't exactly "dead" wrong, the problem is that the Social Security Administration didn't always issue ALL of the Social Security numbers that are currently out there.  At one time (a very long time ago) the Railroad Administration also issued a good many.  (To railroad workers, many of whom are very much still alive)

    Those numbers are quite different than those you are used to seeing, but they do exist, and they use numbers at and above 800.  Sometimes you have to refer back to the history of this nation and remember that not every agency in power now had absolute power in that arena a long time ago.

    There are even agencies today that have changed their original names, along with agencies that existed many years ago and don't now, and more than likely, nobody under the age of 50 would even know about or remember them.

    Just because you've never heard of it doesn't mean it doesn't (or didn't) exist.  Just because nobody you associate with ever heard of it, still doesn't mean it doesn't (or didn't) exist.

    Yeah, it's off topic. A little.  But not completely without educational merit.


  • Martin (unregistered) in reply to Russ

    You should all use Java + velocity.

    With velocity there is total separation between html and code. So you can write the code, and ask the html/javascript guy to write the html, without being afraid that he might somehow make a small change that deletes your database or compromises your security.

    And I still don't understand the debate about escaping strings. If you use prepared statements (and you should) there is nothing the developer needs to do to avoid SQL injection or handle weird strings.

    And as a Bonus question:
    There is one case where you can't use a prepared statement (without being a WTF candidate), and in that special case you need to build your SQL as a dynamic string. (And remember to escape things.) As long as you escape all arguments, there is no way to get problems with SQL injection, and escaping is just a single call for each input string.

    What is the case where building dynamic SQL with string concatenation is the best solution?

    Martin


  • Anonymous (unregistered) in reply to triso

    triso:
    Anonymous:
    ...
    I dance the captcha (foxtrot).

    I wonder if Whiskey and Tango are in there too?

    Yes, they are.

  • Idiot Magnet (unregistered) in reply to Russ

    This is a problem with a wider scope than your precious (and, as I discovered recently, still stuck back in the last decade) web platform.  It applies to any app using a SQL engine.

    The simple and correct solutions are:
    a) Use a stored procedure (true, not always so friendly for RAD)
    b) Use prepared/parametered queries.

    b) means the SQL part of it is parsed and tokenised already, and so you CAN'T inject, because the SQL server is NO LONGER READING SQL.  Anything you pass it must be data, because the SQL has already been parsed.

    Why people can't grasp such a simple concept is... well.. I guess this is TDWTF... idiots abound, as we all know.

  • McTesty (unregistered)

    As a professional web developer I've found Cold Fusion to have serious limitations.

    Specific example:  I created a site for a client in ASP.NET recently.  The site required a number of charts and graphs.  After showing the customer screenshots from the plethora of .NET charting options, he chose the one he liked the best, we purchased the package, and (almost) literally point and clicked our way to very attractive graphs.

    There was one hangup however.  The graphs (line graphs) needed a datatable with a row for each line on the graph.  Each of a variable number of columns contained the data for the y point of a particular point along the line.  The database, however, simply had one record for each score.

    Example, we needed data to look like (commas separate columns):
        1) 10, 20, 30, 40
        2) 10, 10, 30, 60
    (this would graph two lines, each with 4 points)

    but the data would have been stored in many different rows (with additional data about the datapoint), like
        1) 1, 10, 2004-01-01
        2) 1, 20, 2004-01-02
        3) 1, 30, 2004-01-03
        4) 1, 40, 2004-01-04
        5) 2, 10, 2004-01-01
        6) 2, 10, 2004-01-02
        7) 2, 30, 2004-01-03
        8) 2, 60, 2004-01-04
    where the first column is the line on the graph the data belongs to, the second is the value, and the third is a date that translated into the x axis information (obviously this is grossly simplified.).

    The solution is easy.  In ASP.NET create a class that selects the data into datatables (since you can't write a query to return the data in the format we needed).  Then, run through the datatable and load the values into another table as necessary.  We even stored the final results in the Session to speed up reload times.  Just a few lines of C# were needed in all, and the problem was solved. 

    I am curious Russ, how would you have approached this problem in CF?

    PS.  We had control of the database, we could alter the schema if necessary.  However, the customer would be providing us data bi-monthly in the previous format, so if your solution involves changing the schema, you would also need data transformation logic somewhere to put the data into the new schema.
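    The row-to-line pivot described above, as an added Python example (not McTesty's C# code): it takes the stored (line, value, date) rows, builds the x axis from the distinct dates, and emits one fixed-width row per line, padding missing points so ragged input does not shift values sideways. The sample rows are constructed from the numbers in the post.

```python
from datetime import date

# Constructed sample rows in the stored format from the post: (line_id, value, date).
STORED_ROWS = [
    (1, 10, date(2004, 1, 1)),
    (1, 20, date(2004, 1, 2)),
    (1, 30, date(2004, 1, 3)),
    (1, 40, date(2004, 1, 4)),
    (2, 10, date(2004, 1, 1)),
    (2, 10, date(2004, 1, 2)),
    (2, 30, date(2004, 1, 3)),
    (2, 60, date(2004, 1, 4)),
]


def pivot_lines(rows, fill=None):
    """Turn (line_id, value, x) rows into one row per line with a column per x.

    Returns (x_axis, table): x_axis is the sorted list of distinct x values and
    table maps line_id -> list of values aligned to x_axis. A point a line does
    not have is filled with `fill`, so every row has the same width, which is
    what a charting control expects. Two rows for the same (line, x) is an error
    rather than a silent overwrite."""
    x_axis = sorted({x for _, _, x in rows})
    column_of = {x: i for i, x in enumerate(x_axis)}
    table = {}
    seen = set()
    for line_id, value, x in rows:
        if (line_id, x) in seen:
            raise ValueError(f"duplicate point for line {line_id} at {x}")
        seen.add((line_id, x))
        row = table.setdefault(line_id, [fill] * len(x_axis))
        row[column_of[x]] = value
    return x_axis, table


def as_chart_rows(rows, fill=None):
    """The shape the post asks for: one list of y values per line, in line order."""
    _, table = pivot_lines(rows, fill)
    return [table[line_id] for line_id in sorted(table)]


if __name__ == "__main__":
    for i, values in enumerate(as_chart_rows(STORED_ROWS), start=1):
        print(f"{i}) " + ", ".join(str(v) for v in values))
```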

  • stgma (unregistered) in reply to joe bruin
    Anonymous:
    What if my login name is Mister '; DROP DATABASE;

    (okay, that exact form wouldn't work, but you get the idea)

    LOL!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • PHP coder (unregistered) in reply to Russ
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    C++

    No seriously. I do R(web)AD in C++, and it's great.

    CAPTCHA = shizzle to my nizzle
  • (cs) in reply to Jan
    Jan:
    Wow, they were lucky that it wasn't Mr O'Drop Table who applied there.


    Isn't that Jenidatabasefer's last name?
  • Navin Johnson (unregistered) in reply to Idiot Magnet
    Anonymous:
    This is a problem with a wider scope than your precious (and, as I discovered recently, still stuck back in the last decade) web platform.


    I don't think you understand how utterly RAD it is to encapsulate business logic in your web tier.
  • jdub (unregistered) in reply to richleick

    sprocs are more secure, but they are not guaranteed to be faster. The optimizer can make bad decisions, especially if your sql is not "optimized" for the optimizer (bad structure of if statements). Large parameterized search queries with optional parameters are typically faster when you don't use a sproc. Also in-line SQL with parameters is compiled and optimized in the database just as sprocs are.

  • noname (unregistered) in reply to PHP coder
    PHP Coder:
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 

    And I didn't say it's a real programming language.  I said it's a "Real Web Programming Language".  It has not much use outside the web world, but in the web world it's one of the most robust, RAD platforms out there.  Seriously.  I dare you.  Name one other programming language that even comes close to CF in terms of RAD. 


    C++

    No seriously. I do R(web)AD in C++, and it's great.

    CAPTCHA = shizzle to my nizzle



    I know you guys get some undeserved crap sometimes, but...

    When they told you it was a C-like language, only double plus good, that wasn't what they meant.

  • (cs) in reply to magicalmonkey
    Anonymous:
    John Bigboote:
    Anonymous:

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    <asp:GridView ID="GridView1" DataSourceID="SqlDataSource1" runat="server" />
    <asp:SqlDataSource ID="SqlDataSource1" runat="server"
        SelectCommand="SELECT [au_id], [au_lname], [au_fname], [phone], [address], [city], [state], [zip], [contract] FROM [authors]"
        ConnectionString="<%$ ConnectionStrings:Pubs %>" />

    How about you shut the hell up now?

     

    And of course using the grid view gives you some really nice and quick ways to update/add/delete data with not much more code than is present!



    Gaah! But that would be even more convoluted!

    Also, it bears mentioning that, strictly speaking, there's no real CODE here. There's no C#, no VB, no J#. This is totally language-agnostic .NET markup.
  • (cs) in reply to Martin
    Martin:
    You should all use Java + velocity.
    With velocity there is total separation between html and code. So you can write the code, and ask the html/javascript guy to write the html, without being afraid that he might somehow make a small change that deletes your database or compromises your security.

    I agree to some point (and I've made several web apps in similar ways), but in some cases, this approach simply doesn't get the job done.


    And I still don't understand the debate about escaping strings. If you use prepared statements (and you should) there is nothing the developer needs to do to avoid SQL injection or handle weird strings.

    And as a Bonus question:
    There is one case where you can't use a prepared statement (without being a WTF candidate), and in that special case you need to build your SQL as a dynamic string. (And remember to escape things.) As long as you escape all arguments, there is no way to get problems with SQL injection, and escaping is just a single call for each input string.

    What is the case where building dynamic SQL with string concatenation is the best solution?


    There are several reasons to dynamically build the string, but you should use parameters instead of literal values anyway.

    Those reasons include:
    - interactive query builders (aka QBE), especially if some search options require joins or subqueries
    - table names and/or column names are determined dynamically (in most cases a WTF in itself, but such things happen)
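    The prepared-statement point made by Martin and Idiot Magnet above, and the reply's answer that a dynamically built query should still use parameters, worked through in Python with sqlite3 as an added example (not code from any poster or from the article): the concatenated lookup fails on the O'Reily apostrophe, the bound-parameter lookup handles it, and the QBE-style builder changes the query's shape while still binding every value and taking column names only from a whitelist. The table and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample users for the demonstration (not data from the thread).
USERS = [
    ("alice", "Alice", "Anderson"),
    ("bbrown", "Bob", "Brown"),
    ("toreily", "Tim", "O'Reily"),
]

# Whitelist of columns a search form may filter or sort on. Identifiers cannot
# be bound as parameters, so they come from this fixed set, never from input.
SEARCHABLE = ("username", "firstname", "lastname")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def by_lastname_concat(conn, lastname):
    """The broken pattern from the article: the value is pasted into the SQL
    text, so the engine parses it as SQL and an apostrophe ends the literal."""
    sql = "SELECT username FROM users WHERE lastname = '" + lastname + "'"
    return [row[0] for row in conn.execute(sql)]


def by_lastname_param(conn, lastname):
    """Prepared/parameterized form: the statement is parsed with a placeholder
    and the value is bound afterwards, so whatever it contains is only data."""
    sql = "SELECT username FROM users WHERE lastname = ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def concat_error(conn, lastname):
    """Name of the exception the concatenated query raises, or None if it ran."""
    try:
        by_lastname_concat(conn, lastname)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None


def build_search(filters, order_by=None):
    """QBE-style builder: the *shape* of the SQL (which columns are filtered,
    the sort column) is dynamic, but every user-supplied value is still a
    parameter. Returns (sql, params) ready for execute()."""
    clauses, params = [], []
    for column, pattern in filters.items():
        if column not in SEARCHABLE:
            raise ValueError(f"column not searchable: {column!r}")
        clauses.append(f"{column} LIKE ?")
        params.append(pattern)
    sql = "SELECT username FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    if order_by is not None:
        if order_by not in SEARCHABLE:
            raise ValueError(f"column not sortable: {order_by!r}")
        sql += f" ORDER BY {order_by}"
    return sql, params


def search(conn, filters, order_by=None):
    sql, params = build_search(filters, order_by)
    return [row[0] for row in conn.execute(sql, params)]


def user_count(conn):
    """Row count, used to confirm a hostile-looking value changed nothing."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(concat_error(db, "O'Reily"))       # OperationalError
    print(by_lastname_param(db, "O'Reily"))  # ['toreily']
    print(search(db, {"lastname": "O'%"}, order_by="username"))
```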

  • Webzter (unregistered) in reply to Kazan

    Anonymous:
    biziclop:
    Anonymous:

    Other languages force you to use some weird syntax in order to output html, but coldfusion lives with it very happily.  It's much more readable, and in the end, isn't that what counts?


    It's called MVC, dude, yet another TLA.

    Scrolling through 500 times 20k of html to find 3 lines of buggy code is not what I call readability. This must be my fault, however.


    if we're thinking of the same MVC - I HATE IT one of our new programmers came in and designed a new framework using MVC.. and it's a freaking ton of bricks just to get a little application up and running your "hello world" page it in.. it's massive lossage that I refuse to use (hence my fork of our old framework with my customizations)

    creating 5 different classes just to display one page and having to do all kinds of funky inserts into a "MVC tree" that spans multiple tables is not my idea of usability  

    Well, that really depends now doesn't it. There's the "classic" MVC pattern in the GoF book. The principle is sound, but it's not particularly well-suited to web development. So, MVC II came along, plus several dozen other off-shoots / MVC-like / MVC-in-name patterns. Martin Fowler's latest pattern book (Patterns of Enterprise Application Architecture) has an excellent section on the various MVC patterns one might encounter in today's programming landscape... including an excellent chapter on a front controller in JSP and a discussion of the ASP.NET implementation as a page controller.

    But, regardless, you very likely were dealing with someone who learned a pattern name and decided that it had to be the silver bullet for everything. Unfortunately, they probably didn't understand the pattern, were overapplying / misapplying the lessons of the pattern to the wrong domain, or were simply still learning and hadn't made it past the excitement stage.

    A pattern isn't magically created, it's generally based on lots of research into real-world solutions to the same type of problem. A pattern is, in a sense, a meta-solution. If used correctly, you should see a pattern as a huge time saver and you would be thanking the person for simplifying things so much. If used incorrectly, you would be where you're at now... on a message board complaining about the MVC pattern.

  • Webzter (unregistered) in reply to McTesty

    Anonymous:
    As a professional web developer I've found Cold Fusion to have serious limitations.

    Specific example:  I created a site for a client in ASP.NET recently.  The site required a number of charts and graphs.  After showing the customer screenshots from the plethora of .NET charting options, he chose the one he liked the best, we purchased the package, and (almost) literally point and clicked our way to very attractive graphs.

    There was one hangup however.  The graphs (line graphs) needed a datatable with a row for each line on the graph.  Each of a variable number of columns contained the data for the y point of a particular point along the line.  The database, however, simply had one record for each score.

    Example, we needed data to look like (commas separate columns):
        1) 10, 20, 30, 40
        2) 10, 10, 30, 60
    (this would graph two lines, each with 4 points)

    but the data would have been stored in many different rows (with additional data about the datapoint), like
        1) 1, 10, 2004-01-01
        2) 1, 20, 2004-01-02
        3) 1, 30, 2004-01-03
        4) 1, 40, 2004-01-04
        5) 2, 10, 2004-01-01
        6) 2, 10, 2004-01-02
        7) 2, 30, 2004-01-03
        8) 2, 60, 2004-01-04
    where the first column is the line on the graph the data belongs to, the second is the value, and the third is a date that translated into the x axis information (obviously this is grossly simplified.).

    The solution is easy.  In ASP.NET create a class that selects the data into datatables (since you can't write a query to return the data in the format we needed).  Then, run through the datatable and load the values into another table as necessary.  We even stored the final results in the Session to speed up reload times.  Just a few lines of C# were needed in all, and the problem was solved. 

    I am curious Russ, how would you have approached this problem in CF?

    PS.  We had control of the database, we could alter the schema if necessary.  However, the customer would be providing us data bi-monthly in the previous format, so if your solution involves changing the schema, you would also need data transformation logic somewhere to put the data into the new schema.

    Funny. I recently completed a rewrite from a ColdFusion site to ASP.NET 1.1. The hardest part of the entire contract was the graphing piece... and it wasn't because of the difficulty in drawing graph points (the problem / solution was much like you show above), the biggest issue was in making the new chart on the newest version of ChartFX look exactly like the ancient version of ChartFX; along with debugging the logic in ColdFusion that drew the chart (reams of bizarre logic). I'll withhold judgement on ColdFusion, though, it was written against some wacky database structures (I normalized one table from 126 columns down to 3). The CF code certainly wasn't the easiest to follow... HTML interspersed with code all over the place, reminded me very much of classic ASP development before we figured out how to approach that in a sane way...but, again, I'm guessing the fault was more with the implementer than the language. 

  • (cs) in reply to Webzter
    Webzter:

    There's the "classic" MVC pattern in the GoF book.

    Really? In my copy of the GoF book, the MVC design is mentioned, but not explained in detail like the other design patterns.
  • The Grammar Police (non-native English speaker) (unregistered) in reply to Russ
    Russ:
    Other then speed, what other benefits are there?


    Please..  I see this kind of thing more than enough on the WoW -forums.. 


    "Than" is used when comparing things, and "then" is used when ordering things. They shouldn't even sound similar enough to confuse them, and a native speaker really, really should be able to use the correct one in a sentence.

    And separate is not spelled "seperate".


  • (cs)

    O'God
    O'my God

  • BruteForce (unregistered) in reply to smbell

    smbell:
    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    x = x++ + 3;  // x++ yields 2 (and sets x to 3), but the assignment then overwrites x with 2 + 3
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.

    In C++

    #include <iostream>
    using namespace std;

    int x = 2;
    x = x++ + 3;
    cout << x;

    actually has the output 6 on my system, kind of like I thought it would.
    Although, isn't using post increment with other operators like that undefined behavior in C++? (I'm not quite sure on this point actually) Oh well.. ;) You said Java so I guess this is moot.
  • (cs) in reply to Russ
    Anonymous:
    Anonymous:
    Saarus:
    WTF is an impertive language? Is this some language used to direct perverted imps in some infernal machine?


    Russ is some 13-year-old scriptkiddie who just read a coldfusion book and warez a copy of coldfusion server and is using/making-up suit buzzwords to sound intelligent

    kinda like my captcha: shizzle


    For your information, I have over 10 years of experience, and an MS in Computer Science.  I know asm, C, C++, Java, Perl, and to a lesser extent many other programming languages.  I just prefer working with ColdFusion.  Maybe it's all that time I spent hacking C applications, and debugging bad pointer references, that I just prefer a language that makes my job easier and lets me focus on application architecture instead of the nitty gritty details.


    like spelling.
  • (cs) in reply to biziclop
    biziclop:
    Do the 20 minutes include thinking before coding and testing afterwards? (Not to mention writing HTML and CSS that works under both IE and Firefox.)

    While I don't agree with the 20 minutes thing, Rails is a huge supporter of testing as you go (unit and functional tests are embedded in the framework, the stubs are autogenerated and running your whole test suite takes a single line).

    Anonymous:
    John Bigboote:
    Anonymous:

    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    <asp:GridView ID="GridView1" DataSourceID="SqlDataSource1" runat="server" />
    <asp:SqlDataSource ID="SqlDataSource1" runat="server"
        SelectCommand="SELECT [au_id], [au_lname], [au_fname], [phone], [address], [city], [state], [zip], [contract] FROM [authors]"
        ConnectionString="<%$ ConnectionStrings:Pubs %>" />

    How about you shut the hell up now?


    I don't remember asking for a gridview.  I asked for a simple output with <br> to separate the lines. 

    and I wouldn't say this is even close to as easy to read as ColdFusion.  And I'm having doubts as to the execution speed too.   

    No you didn't, you asked for a list and he gave you a list (and if anything, separating lines with <br> definitely doesn't create lists)

    You're not a client, don't try changing the requirements post-facto

    Anonymous:
    Ruby on Rails has builtin functionality to read the structure of your database and with one command [scaffold] you can have a workable website for inserting, editing, deleting and displaying information.

    Scaffolding doesn't give anything even remotely close to production stuff. In fact, there is usually no scaffolding at all left once a RoR app is done. Scaffolding is only good for getting started and avoiding the "blank page" writer syndrome.

    I don't even understand why it's hyped that much.

    (I find Django's user interfaces much more helpful)

    Anonymous:
    So Ruby on Rails is just a framework for Ruby that has some things built in.  How is that different then installing something like FarCry or CF on Wheels?  Granted, CF on Wheels is still very early beta, but it probably already rivals RoR. 
    1. Just about no one writes CGI pages in raw ruby, Ruby is a full blown general purpose programming language.
    2. Installing Rails and getting a development environment running takes all of a single line: gem install rails -y, and one more line to create the basic framework of any website: rails appname.

    Well they're not really competitors though, RoR more or less forces you to work in a somewhat MVC style, separate your logic from the way things are displayed... From what you posted CF doesn't really work that way...

    rev:
    Anonymous:

    To my knowledge, there HAVE BEEN NO CF WTF's on this site. 


    There haven't been any lisp WTFs either.  Clearly it's a suitable language for web development.

    Lisp's actually not that bad for web development, especially since you can build your site's structure in S-exps, use functions and macros (incl. simple expansion/replacement) to manipulate it and then display it.

    biziclop:
    rev:
    Anonymous:

    To my knowledge, there HAVE BEEN NO CF WTF's on this site. 


    There haven't been any lisp WTFs either.  Clearly it's a suitable language for web development.


    Haha, what great fun we miss. Alex, we demand more Lisp wtf's. ML is also welcome.

    Don't forget Haskell and Erlang you insensitive clod.

    (i'd really like some good Fortran WTF though)

    (Fortran4 punch cards, photographed on a wooden table)

    Anonymous:
    Other languages force you to use some weird syntax in order to output html, but coldfusion lives with it very happily.  It's much more readable, and in the end, isn't that what counts?

    What the frigging hell are you smoking? Ever heard of syntax coloring? Hell, ever heard of XML-based templating languages (hell, here's Kid for Python if you want one)?

    For heck's sake, Ruby's ERb even allows you to write your templates in raw Ruby, meaning you have all the power of the language and don't have to switch syntax between your model, your controller and your templates (everything is ruby period). What the hell's the weird syntax you're talking about?

    Anonymous:

    "It has not much use outside the web world"... Or in it

    Name one... c#, java, ROR.. Read some good things about turbo gears in last months VSJ... need any more?
    I think that these not only come close to, but surpass cold fusion in every possible way.

     

    Captcha: paula


     

    Django too (although its creators consider that it's not "true" MVC (they don't consider that it has controllers), it does heavily use a pattern of separating model, view and template)

    Anonymous:
    You should all use Java + velocity.

    With velocity there is total seperation between html and code. So you can write the code, and ask the html/javascript guy write the html, without beeing afraid that he might somehow make a small change that delete your database or compromise your security.

    That kind of thing is usually a consequence of using an MVC pattern, you know...

    Anonymous:
    Not exactly one line, but clean, readable and readily extendable (e.g., add a user email address to that - just add u.email somewhere)

    Given the fact that you're using the default model and controller, it is one line (let's just say 2 for writing "@user = User.find(:all)" if you wish)

  • (cs) in reply to rev
    rev:
    Anonymous:

    To my knowledge, there HAVE BEEN NO CF WTF's on this site. 


    There haven't been any lisp WTFs either.  Clearly it's a suitable language for web development.


    Well it is. Ask Paul Graham.

    http://www.paulgraham.com/avg.html
  • datawise (unregistered) in reply to Russ
    Anonymous:

    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    Shouldn't that be
    <cfoutput query="#qryUsers#"><p>#firstName# #lastName# #userName#</p></cfoutput>

    or

    <cfoutput query="#qryUsers#"><li>#firstName# #lastName# #userName#</li></cfoutput>

    ;)
  • Dave vZ (unregistered) in reply to mratzloff

    Hang on, isn't the original poster missing the point of this WTF that John F sent in? I don't think it's got anything to do with preventing SQL injection.

    Seems to me that the system was taking parameters and inserting them into a string like "SELECT something FROM something WHERE username='insertsomeusernamehere'" which would of course break once you tried using a name with an apostrophe. It must have been a bug reported by the user O'Reily that was fixed by adding the check if (username == "O'Reily") username= "O''Reily" in 23 different places. Nothing to do with preventing SQL injection imo (though that's obviously the bigger issue here)

    Also to everybody who has been posting, my web development platform of choice is better than your web development platform of choice. So there.

  • Ahnfelt (unregistered)

    If this is Java, Javascript, C# or the like, the REAL WTF is to compare strings by object identities (or references/pointers; "O'Reily" != "O'Reily" since it's two distinct objects).

    CAPTCHA: null

  • (cs) in reply to obediah

    obediah:
    Anonymous:


    Let's see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="#qryUsers#">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in php/asp is going to be. 


    With perl/Mason and abusing our hardware with OO goodness.

    % foreach ( @{Account->query} ) {
    <% $_->getFullName %> <% $_->getUsername %><br />
    % }

    getFullName is just a convenience function to merge first and last names into a string.
    I also fixed your break tag for you.

    Once you get past the ugliness, perl is just too much fun.

    What do you mean, "fixed"?  It wasn't broken to begin with.

  • Ahnfelt (unregistered) in reply to Ahnfelt

    *Uhm, forget about Javascript in the above post.... and C#... duh!

  • Barry O'Connell (unregistered)

    At least they allowed names with an apostrophe, I have lost count of the number of websites that tell me I must enter a valid surname.  There is nothing wrong with my name - these sites just employ invalid programmers !!

  • Jeff (unregistered) in reply to Russ


    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.  The best, best way is to do it in coldfusion with parameterized queries, but even if the coder is not smart enough to use them, this kind of issue just wouldn't even come up.   

    That's odd.... CF will always escape the characters for you?  What would it do if you actually needed those characters unescaped?

    Most web development languages I've dealt with (currently .Net platform) have classes that will handle escape characters and/or HTMLEncoding for you, so I guess I don't get what you mean by CF being a "real" web programming language (given that it's actually scripting like ASP).

  • yv (unregistered) in reply to Russ

    Ruby on Rails?

    PHP with something like the Cake framework? (which is a kind of php flavoured version of rails)

  • Rob (unregistered) in reply to Russ
    Anonymous:
    DZ-Jay:

    There are certainly other frameworks for developing web applications apart from ASP or PHP, and some of them focus on RAD, some of them even better, faster, and more robust and secure than your precious ColdFusion.  But I most definitely wouldn't call ColdFusion a "Real Programming Language".

        -dZ.



    Name one. 

     

    Python/Django, Ruby, arguably ASP.NET
  • (cs) in reply to biziclop
    biziclop:

    Learning assembly helps in many ways:
    -you learn to think the way a computer works (handy while debugging)
    -you learn to get a quick global overview of many lines of code at a glance (the same as above)
    -you learn to organise and comment your code (otherwise you're dead)

    On the other hand, being the assembly freak I am, even I don't recommend anyone to start with assembly. It gives you very little feeling of success in the beginning. It's good to write a few things in assembly if you already know a bit of C or Pascal


    You obviously have no idea.

    I've had to work with code (group project) where the main loop was just a bunch of branches. Each branch target was a 'function' that would do something and branch back to the next instruction in the main loop (look like spaghetti yet?). The labels were all RP1 or so.

    No register renaming was used, and worse, no list of what register meant what was in the code anywhere.

    And the biggest part of the code was error-correction logic (just decoding a hamming code). Instead of using either the table lookup or decode logic (it's theoretically just a few bit operations, which I didn't bother working out because the table was easier), he implemented it as a giant switch statement. in assembly. With 300+ cases.

    We used two 'frames' per output word (adding error correction meant we had to split the data in half), so naturally the error correction code has to be called twice. So... he duplicated the switch statement and changed the registers around a little.

    He apparently spent 40 hours on it. I practically completely rewrote it in 2 hours.

    And I'm at a top UK uni. In his first year he got a 2.1.

    Of course, what you say applies to the good assembly hacker. It's just that I doubt learning assembly helps to instill 'goodness', just as half of the first years implement quicksort by searching Wikipedia, copy-pasting, and changing variable names so it vaguely works.

    And they don't change the indentation (since they've just pasted it), so the bugs that they do have are hard to find.
  • yv (unregistered) in reply to Boaz

    But... but... prefix notation is so much more sensible...

    and as I was reading somewhere - it isn't that lisp has too many ( ), (it is that english doesn't have enough!)

    :-)

  • (cs) in reply to Jud
    Anonymous:
    Drop/Create means you have to reapply permissions.  If your DBA is an arrogant ass (a lot are) you might want to try this as a practical joke.


    create-if-nonexistent and alter!

    Or have a separate create-all-sprocs script, which just makes a bunch of no-ops.
  • yv (unregistered) in reply to Russ

    an enterprise app?

    you have guts mentioning the E word here ;)

  • (cs) in reply to Ahnfelt
    Anonymous:
    If this is Java, Javascript, C# or the like, the REAL WTF is to compare strings by object identities (or references/pointers; "O'Reily" != "O'Reliy" since it's two distinct objects).

    CAPTCHA: null


    In C#/.NET 2.0, the == operator is usually overloaded so a == b is equivalent to a.Equals(b) (if both of them have, say, the static type of string).

    And it makes perfect sense for strings, since they're immutable. If you want to compare references, use ReferenceEquals(), or cast them to object.

    And the only reason you'd ever want to compare references is to normalise your strings, and then it'd be useful to have a ReferenceCompareTo anyway.


  • Fred (unregistered) in reply to Christophe
    Anonymous:

    Am I to understand that each O'+(A-Za-z) surname needs to have its own set of 23 occurrences of that line of code?

    NOOOOoooooooo!!!!!



    Irish and Scots might need a set of 23 occurrences for O'+(A-Za-z), but different nationalities and different languages make for different names: French has many D'+(A-Za-z) and L'+(A-Za-z), and I would guess that with other languages and nationalities it's pretty easy to get (A-Za-z)'+(A-Za-z), or even an apostrophe anywhere, not just in the second character... You should never assume the nationality or culture of the end user.
  • (cs) in reply to iwpg
    iwpg:

    obediah:
    Anonymous:


    Lets see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="qryUsers">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in PHP/ASP is going to be.


    With perl/Mason and abusing our hardware with OO goodness.

    % foreach ( @{Account->query} ) {
    <% $_->getFullName %> <% $_->getUsername %><br />
    % }

    getFullName is just a convenience function to merge first and last names into a string.
    I also fixed your break tag for you.

    Once you get past the ugliness, perl is just too much fun.

    What do you mean, "fixed"?  It wasn't broken to begin with.



    It isn't valid XHTML1.1   I'm not much of a web person, so I don't know exactly what that implies, I was just told to close all my tags, and it seems to make the validator happy.
  • (cs) in reply to BruteForce
    Anonymous:

    smbell:
    This is why, IMO, all programmers should have to start with assembly as their first language. They can then graduate up to higher level languages.

    If you understand the way the machine works, you understand the code you are writing. For example, take the following Java code.

    int x = 2;
    int x = x++ + 3;
    System.out.println(x);

    If you understand what happens under the covers you won't be surprised when it prints out 5 instead of 6.

    In C++

    int x = 2;
    x = x++ + 3;
    cout << x;

    actually has the output 6 on my system, kind of like I thought it would.
    Although, isn't using post increment with other operators like that undefined behavior in C++? (I'm not quite sure on this point actually) Oh well.. ;) You said Java so I guess this is moot.



    Erm.. yea.. it's supposed to print 6. The first code will throw a compiler error.. I'm pretty sure smbell meant to write:

    int x = 2;
    int y = x++ + 3;
    System.out.println(y);

    Which would have returned 5. He probably wanted to demonstrate the difference between that and this:

    int x = 2;
    int y = ++x + 3;
    System.out.println(y);


    That code would've returned 6.

    But this is seriously a basic programming textbook test question and I think most developers would increment before adding.. right..?

    You can try it in C++:

    int x = 2;
    int y = x++ + 3;
    cout << y;


  • Webzter (unregistered) in reply to ammoQ

    ammoQ:
    Webzter:

    There's the "classic" MVC pattern in the GoF book.

    Really? In my copy of the GoF book, the MVC design is mentioned, but not explained in detail like the other design patterns.

    Really? In my copy of the GoF book they wax eloquently about the Observer pattern and then start off the "known uses" section by talking about how "the first and perhaps best-known example of the Observer pattern appears in Smalltalk Model / View / Controller". Granted, it's probably not as clear cut as you're looking for, and others have expounded much further (another great read would be Pattern Hatching by Vlissides), but I'll stand by my original statement in context.

  • Xichekolas (unregistered)
    Russ:

    The point is, CF provides the ease of programming with the power of Java.  I will look at RoR though, but my guess is when CF on Wheels comes out, it will be much better, since they've had time to improve on the RoR design.  


    Uh, unless they knock CF up the power tree by adding macros and multiple inheritance (or mix-ins even), then there is no way CF on Wheels will compete with, much less improve upon, RoR. CF simply lacks the language features needed... I would imagine it would even be tricky if implemented straight in Java. And even if CF on Wheels comes close in functionality, it won't be near as succinct.
  • Xichekolas (unregistered)
    Russ:

    Granted, CF on Wheels is still very early beta, but it probably already rivals RoR. 


    I give up... you are certifiably retarded. One word for you: ActiveRecord
  • TheLegend (unregistered) in reply to BlackTigerX

    Indeed. But a little example might help:
    A parameterized query (called a prepared statement in the 'enterprise-y' world) is a reusable query with replaceable arguments. For example, in Oracle JDBC a typical prepared statement would look like
    "select name from emp where emp_id = ?"
    The database can compile this statement once (and generate an execution plan) and the application can use the statement many times, passing in different values for '?' as required. The upshot of this is twofold:

    1) The database only needs to compile and generate an access path for the statement once (when it is first encountered), and
    2) It prevents SQL injection (the value for ? is always interpreted as a parameter for the statement, even when it contains valid SQL).

    This is a big deal in Oracle at least (my main database), as a system that doesn't use prepared statements will not scale - period. I'm pretty sure it's a big deal in most non-trivial databases.

    A stored procedure is simply a procedure compiled in the database. You can access procedures using bind variables as well of course.

    Good luck to all my friends using Cold Fusion to code web-apps - enjoy the many years of maintenance hell you will incur.
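    Added example (not code from the page or from any of the posters): the three ways of handling Mr. O'Hare's surname that this thread argues about, side by side. `find_by_concat` is the string-pasting pattern the article mocks, `find_by_doubling` is the "double every single quote" escape that the ColdFusion posts describe as auto-escaping, and `find_by_param` is the parameterised query TheLegend explains above. It runs against a constructed in-memory SQLite table; the table name, columns and rows are assumptions for illustration. It also covers Fred's point that the apostrophe can sit anywhere in a name, since D'Arcy gets the same treatment as O'Hare.

```python
# Added example, not from the original page: concatenated vs. quote-doubled
# vs. parameterised lookups of a surname containing an apostrophe.
import sqlite3


def make_db():
    """Constructed sample table; the schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table applicants (id integer primary key, surname text)")
    conn.executemany(
        "insert into applicants (surname) values (?)",
        [("Smith",), ("O'Hare",), ("D'Arcy",)],
    )
    conn.commit()
    return conn


def find_by_concat(conn, surname):
    """The broken pattern: the surname is pasted into the SQL text.
    An apostrophe ends the literal early, so "O'Hare" is a syntax error and
    "x' or '1'='1" rewrites the WHERE clause to match every row."""
    sql = "select surname from applicants where surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_doubling(conn, surname):
    """Escaping by doubling each single quote, the kind of thing the thread
    says ColdFusion does for you. It works for string literals, but it has
    to be remembered on every query and does nothing for numeric or
    identifier positions."""
    escaped = surname.replace("'", "''")
    sql = "select surname from applicants where surname = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_param(conn, surname):
    """Parameterised query: the driver sends the value separately from the
    statement text, so it is never parsed as SQL whatever it contains."""
    rows = conn.execute(
        "select surname from applicants where surname = ?", (surname,)
    )
    return [row[0] for row in rows]


def outcome(fn, conn, surname):
    """Run one lookup and report either the sorted rows or the error class."""
    try:
        return sorted(fn(conn, surname))
    except sqlite3.Error as exc:
        return type(exc).__name__


def demo():
    """Try an honest apostrophe and a classic injection against all three."""
    conn = make_db()
    inputs = {"ohare": "O'Hare", "injected": "x' or '1'='1"}
    results = {}
    for label, value in inputs.items():
        results[label] = {
            "concat": outcome(find_by_concat, conn, value),
            "doubling": outcome(find_by_doubling, conn, value),
            "param": outcome(find_by_param, conn, value),
        }
    return results


if __name__ == "__main__":
    for label, per_method in demo().items():
        for method, result in per_method.items():
            print(f"{label:9} {method:9} {result}")
```

    Running it shows the concatenated query failing with a syntax error on O'Hare and returning every applicant for the injected input, while both the quote-doubled and the parameterised versions return exactly the one matching row (or nothing). The difference between the last two is not visible in this output; it is that the parameterised form cannot be forgotten on one query out of fifty, which is the point TheLegend and Martin are making.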

  • (cs)

    mrsticks1982 wrote the following post at 08-22-2006 11:18 PM:
    But you have to remember each language is created because it needed to meet some purpose.

    I'm not so sure about that.  Somehow there seem to be a couple billion programming languages too many out there for that statement to be true...

    Maybe some folks just had to invent their own programming language for the sheer fun of it, or something like that?

  • (cs) in reply to Ahnfelt
    iwpg:

    obediah:
    Anonymous:


    Lets see... How about a small example.  Get a list of users from the database and output firstname, lastname and username.  Here is the code in CF
    <cfquery name="qryUsers" datasource="#request.mydsn#">
    select firstname, lastname, username from users
    </cfquery>
    <cfoutput query="qryUsers">#firstName# #lastName# #userName#<br></cfoutput>


    Now let's see how long and convoluted a similar example in PHP/ASP is going to be.


    With perl/Mason and abusing our hardware with OO goodness.

    % foreach ( @{Account->query} ) {
    <% $_->getFullName %> <% $_->getUsername %><br />
    % }

    getFullName is just a convenience function to merge first and last names into a string.
    I also fixed your break tag for you.

    Once you get past the ugliness, perl is just too much fun.

    What do you mean, "fixed"?  It wasn't broken to begin with.

    Unless people are used to writing XML/XHTML, that is.

    TeeSee:
    And it makes perfect sense for strings, since they're immutable.

    It makes perfect sense for mutable strings (such as Ruby's) as well; people just understand that "==" between two strings checks if they are "equal", not if they are "identical".

    Python, for example, has a nice distinction between them: "==" checks for equality and "is" checks for identity, (equality defaults to identity in user-created classes, unless you overload it, which is a sensible default) and every native type has equality sensibly overloaded so that you can have things like:

    >>> [1, 2, 3, 4] == [1, 2, 3, 4]
    True
    >>> [1, 2, 3, 4] is [1, 2, 3, 4]
    False
    >>> {1:2, 3:4, 5:6} == {5:6, 3:4, 1:2}
    True
    >>> {1:2, 3:4, 5:6} is {5:6, 3:4, 1:2}
    False
    >>> 
    Anonymous:
    Russ:

    Granted, CF on Wheels is still very early beta, but it probably already rivals RoR. 


    I give up... you are certifiably retarded. One word for you: ActiveRecord
    Hey don't diss CF on Wheels, they perfectly replicated Rails' folders structure! (if that ain't penis envy, I wonder what it is)
  • (cs) in reply to Russ
    Anonymous:
    Actually the best way of doing it is to use a real web programming language like ColdFusion, which will do all the escaping for you.  The best, best way is to do it in ColdFusion with parameterized queries, but even if the coder is not smart enough to use them, this kind of issue just wouldn't even come up.


    AAAAAHHHHH NO. ColdFusion is not a "real web programming language". ColdFusion is taking HTML and throwing in a few more functions.

    ColdFusion is a horrible programming language. I know this because my job requires I program in it.

    Coldfusion is great if you want to set up a quick and dirty GUI for a database over the web. But there are people who try to (or are forced to) make actual large applications with this. And since it's so easy, those unfamiliar with it manage to do a horrible job. In the five months I've been at this job, I've decreased the line count of many programs by at least 1/3, some by as much as 2/3. No, we're not paid by the line.

    Coldfusion is a pain if you want to set up your own functions, and very limiting with what you can do since a lot of things are done for you (again, nice for setting up quick GUIs, but not for complicated stuff). It uses indiscriminate types, which I hate.

    And the "auto escaping" thing? That's more of a pain than it's worth. I have functions written to modify data before inserting it, and I would like to include injection protection in those, but even if I do, CF automatically doubles the number of quotes unless I use "PreserveSingleQuotes()". (Speaking of long function names, they have an Increment() and a Decrement() function instead of a simple operator.)

    In short, Coldfusion sucks.
  • Chisel (unregistered) in reply to Jan
    Anonymous:
    Wow, they were lucky that it wasn't Mr O'Drop Table who applied there.

    Note: I know that this won't work in a query, but imagine it does.

    Wow, they were lucky that it wasn't Mr O'Give Me A Million Pounds who applied there.

    Note: I know that this won't work in a query, but imagine it does.
  • (cs) in reply to ammoQ

    ammoQ:
    Russ:
    No, MySpace is a horrible site, written by a bunch of cowboys that know nothing of good development.  However, they were able to build the site fast, and sell it for a lot of money, in good part thanks to ColdFusion.

    MySpace isn't very innovative (IMO) and was launched in 2003, 7 years or so after the beginning of the .com bubble. I see no reason why they had to build it fast.

    It probably doesn't hurt the bottom line if you can finish it quickly.  However, just imagine they had used some other tool to build the site.  Wouldn't the net result have been that they would have been able to build the site fast, and sell it for a lot of money, in good part thanks to <some other tool>?

  • (cs) in reply to Xichekolas
    Anonymous:
    Russ:

    Granted, CF on Wheels is still very early beta, but it probably already rivals RoR. 


    I give up... you are certifiably retarded. One word for you: ActiveRecord

    (edit timeout on previous post)

    Just watched the CF on Wheels introductory video... sweet mother of god, these guys don't try to compete with Rails, they try to redo rails in CF instead of ruby, they're replicating every single method name they can find to implement the same feature in CF as well as reimplementing the features found in Rails...

    I must say it's the first time I've seen something that retarded in a long time.

  • Blah (unregistered) in reply to Tukaro

    No troll, serious question. I'm curious as to why people seem to dislike PHP so much? There have been a few anti-PHP posts in this thread.

    I'm not a web person but I do use PHP for personal stuff. I'm not even a professional coder, but I do code asm and C(++), which is why I started using PHP, having a passing similarity to C and fairly easy to hack something together.

    So why is PHP disliked?

Leave a comment on “Poor Mr. O'Hare ”