Admin
Strings aren't implemented in C, null-terminated character arrays are. Any other implementation of strings would result in large, invisible overhead, which is completely against the design philosophy of C.
gets() is part of the POSIX library, not C.
Both of your examples are simple consequences of the language, and I don't see anything wrong with them. If you're concerned about using = instead of ==, either use a compiler that will warn you, or do your comparisons with the literal on the left. The latter is fine, since prohibiting it would either require making ignoring return types illegal or eliminating the , operator, and I don't see why you'd want to do either.
Bad programming, not bad language. If you're going to define a fixed size buffer and accept variable length input, it's your own stupid fault if you get a buffer overflow.
Admin
There is a WTF in this code that nobody has mentioned yet.
Admin
This is a bit irrelevant to the discussion, but if the system is running SELinux, that may not actually do much because cause a lot of errors to be sent to the admin.
Admin
Gotta love the title of this php-ness: "## Functions to perform the actions ##". So much insight, so much detail...
Admin
If you're the one not doing any checking on the input that you receive and just try to stuff a variable length input into a fixed length array, that's the fault of you, the programmer - not the language.
Yes, it's nice having a language where you don't have to worry (so much) about input size (C++ string class) or deleting anything you new'd (Java, VB - Garbage collection), but when it comes right down to it, you still have to know what you're doing with what you're working with or else you're going to have bugs, security issues, and just flaws in general.
Admin
Actually, reading your post, you must be joking! No smart person would write nonsense like this.
Admin
An overhead of one int (for the length) would be enough to make a lot of operations faster; add another int for the maximum length and you put an end to 97% of all buffer overruns.
gets() is part of the C standard library.
http://www.infosys.utas.edu.au/info/documentation/C/CStdLib.html
If you see C as a portable assembler language, ok.
It's an example where C invites you to make innocent-looking, hard-to-find errors. That's why I call C ugly.
What's the reason for the , operator to exist? The only case for using it is a for (i=0,j=0; i<x&&j<y; i++,j++) loop - but on the other hand, the , is also used to separate function arguments, so it is kind of overloaded (not in an OO sense).
Ugly languages give the programmer two dozen guns with easy-to-pull triggers so you can shoot yourself and all your coworkers in both feet. Hardly any other high-level language makes string processing - one of the most common tasks for computer programs - as dangerous as C.
Admin
or...
But why would you need to do this in the first place without A) Discarding request parameters not known to our application B) performing a validation?
Admin
Developers are a security hole.
Admin
PEBKAC
Admin
Oh wait...that would be
Admin
Blast...
Admin
A language standard with over 250 instances of the word undefined or unspecified perhaps?
Admin
"Two words: buffer overflow. C itself is a security hole."
I guess it just has been pointed out that you can write horribly insecure code in PHP as well (and in general, any language would do for that matter). The programmer is a potential security hole, not the language.
Use the right tool for the job. If the job is to shoot yourself in the foot, PHP comes in handy.
Admin
Heh, with C and C++ you might foot yourself in the shot if you're not that used to the language.
Admin
I thought Java also only supported ragged arrays? I guess it could be new in 1.5. C# definitely supports 2D arrays in any case.
Certainly when I first learned Java arrays (about 4 years ago now, I guess) it was only capable of ragged (array of array) arrays.
Admin
Sorry, that excuse doesn't cut it in the face of the incredible number of, and damage done by, buffer overflows in C applications. Obviously such errors are too easy to make for the average programmer, meaning that no average programmer should write a security-relevant application in C. Considering that it's trivial to eliminate that kind of error at the language level, the statement is quite true: C is a security hole.
Admin
Name ONE language that has them and that is not an academic exercise. There is none, because memory in real computers is linear. There are merely different ways of simulating a multidimensional array, either by multiple dereferencing (array of arrays), or by pointer arithmetic (C-style normal "multidimensional" array).
How does the functionality differ?
Admin
That's the funniest statement so far in this thread. Funny because in the Java world, this became possible with JSP, and ever since, most effort in that area has been concentrated on undoing that mistake.
So you're above such widely accepted best practices? I pity your employers...
Admin
Well, obviously it is not PHP having problems with arrays but you. It is neither a problem having an n-dimensional array in a session nor does PHP have any problems with 2D arrays, nor are they "not really supported", whatever that may mean.
Admin
Now THAT is a WTF of its own... C is ANSI standard, and how can a standard be a 'security hole'? That's like saying "Every SQL is injectable (even "select count (*) from table"), or better yet, every keyboard is a security risk. So... The best way to code is without keyboard, monitor, programming language and even the computer? Now, please think about what you're saying next time :P
Admin
WTF does that mean?
Admin
I don't know any other language that has inherently unsafe functions like gets() in their standard library. Of course many languages allow you to use functions unsafely in some way, but gets() cannot at all be used safely. Some of the nearly never used formats of *printf are responsible for a whole type of security holes (format string errors). String processing requires much more care than in any other language except assembler code.
Admin
You can qualify for thedailywtf no matter the language, but saying that php itself is "just too easy of a target" is something quite different. That's saying that the language itself is stupid rather than certain things people do with it are stupid.
On that account I'll have to disagree with you. Saying that variable variables is giving enough rope to shoot yourself with is like saying the same thing for pointers: it's stating the bleeding obvious. But that doesn't mean that variable variables are intrinsically a bad thing(tm).
Admin
I'd prefer if you used "beginner" instead of "hobbyist". Being a hobbyist doesn't imply being a bad programmer. Damned "professional" elitists...
Admin
Probably, but since Python enforces namespaces (with each module being an object/namespace in itself) crappy library at least can't pollute the global namespace unless you ask them to (with some "from module import *" crap)
Can you be sure that the second dimension will be length-consistent (aka that every sub-array will have the same length)?
You can, unless you do manual checks everywhere. A multidimensional array would just define all the boundaries (dimension sizes) and to hell with it. PHP doesn't support multidimensional arrays, but it supports nested arrays, which is very different (and much less memory efficient too)
Ever heard of mod_perl and mod_python?
Issue is that PHP has been tailored to be abusable, it calls for abuse, it has all the inconsistencies, the function duplications and the crappy mechanisms that just beg for being abused...
Yes you can write "good code" (or somewhat good) in PHP, but the language doesn't help at all, and the time you'll take writing that good PHP code is 3 times what you'd have spent with a cleaner language.
The PHP array is an abuse of hashmap structures period. Python's list, on the other hand, really is an array and a list (and a queue, and a stack). And not a hashmap.
I guess you never heard of that matrix thingie have you?
Let's repeat again: PHP has no multidimensional arrays, it has nested arrays, this is not the same thing at all for "true" multidimensional arrays enforce dimensional coherence, and allow for very specific and much more efficient multidimensional polling/positioning. So you can feel better, Python doesn't have any native multidimensional array either. This is why people created Numerical Python which DOES implement a true multidimensional array type.
Nope, you can't just shoot yourself in the foot, you take out the whole leg from knee down. This is one of C++' awesomenesses.
Admin
Gah, to hell with these uneditable posts
was of course supposed to read
Admin
An example where 2D arrays in PHP were useful and worked fine. I think this is a jagged array. Authors and revisers got different messages for the same state of a document, and the states in the array were the only states allowed. I have translated it from Spanish while keeping the word order in some places to see the aligning, so some phrases may sound weird:
This array was extensively used by almost every single page and function in the website.
This array, of course, should have been dumped into a database, with a form in a page to allow the manager to change the messages text directly. Unfortunately, there was a very harsh timeline and I couldn't do it :(
Admin
Goddamn, PHP is popular because it's TOO easy to start using (i.e. any idiot now has a new tool to fuck things up with), and a lot of free web hosting has support for it, not due to it actually being a well designed language.
I don't agree with this "too easy" crap. There's so much of it going around. By the same token, you could just download DevC++ and start fucking away. The problem with PHP is that it's horrible to look at. Granted, most of the PHP I've seen has been through DailyWTF, so perhaps I'm not seeing the best of the language, but there just seems to be so much that the language likes to make more complicated and unreadable (though I've said the same thing about T-SQL before now).
Admin
It is indeed.
Admin
And were you honest with yourself, you'd realise that by "just starting fucking away" in dev-c++, you'd get a compilation error 9 times out of 10 at first, and then random runtime errors and crashes. You can't code in C/C++ without knowing anything about the language; in PHP you can.
Admin
If you had taken the time to read what was meant by 'popular' you'd find that it's "based on the world-wide availability of skilled engineers, courses and third party vendors" ... In other words, the number of "professional resources" available for a given language, and not at all based on "free web hosts" providing support for it, nor for the amount of "idiots" using it.
IHBT. I will now HAND.
Admin
And were you honest with yourself, you'd realise that by "just starting fucking away" in dev-c++, you'd get a compilation error 9 times out of 10 at first, and then random runtime errors and crashes. You can't code in C/C++ without knowing anything about the language; in PHP you can.
Well, if runtime errors are what you want to see in your application....
It's true that PHP isn't a compiled language, but that makes it harder, not easier. I wasn't defending PHP, far from it, I was attacking the assumption that an easy language makes a bad language.
I take the point that, while a compiled language will generate a compilation error in a lot of cases while a non-compiled language will just die, but this doesn't come under the heading "easy to start with", it comes under the heading "an absolute sonofabitch to debug". The two headings are very different, and should never, ever be confused. In some interpretations (such as mine) they are actually mutually exclusive.
People don't start learning a language to just start fucking about (which was my original point - maybe it was too subtle?) they learn it to either perform a particular task or gain a particular skill through performing particular tasks. For example, I've been working (with another guy) on a bug tracking system for use at work. It's done using ASP.NET. I've been doing this partly to pass time because I was bored, but mostly partly because I wanted a decent system to use, and because I wanted to boost my ASP.NET/C# skills.
I would describe C# and ASP.NET as relatively easy to get started in. That's because if I do something wrong, the languages, as well as the VS.NET IDE, make it easy for me to find out what I did wrong. They do this through debuggers, intellisense, object browsers, documentation and, yes, the fact that most of the complex stuff is handled by compiled code (meaning it yells at me for doing something wrong). This fact means it's easier for me to get my initial task done (whether that was learning the language or writing the application). Definitely not perfect, but a big step in the right direction.
I wonder what makes you classify PHP as an 'easy' language? Is it the non-compiled aspect? I don't think this makes a language easy. Is it the free availability of tools? Most mainstream languages have free tools (C++ and C#, for example) available. I think 'easy' is entirely the wrong term here. Perhaps you're right, and maybe I actually agree with you, and it's just that you're using the wrong terms.
Admin
Agreed. Though nothing stops you from writing your own string implementation if you want. It is rarely done, but it isn't all that hard either.
Posix specifies it, but recommends fgets instead. The Linux Standard Base http://lsbbook.gforge.freestandards.org/dont.html deprecates it completely. So if your program uses gets, it isn't linux compatible. (Though it will work - every linux implementation I know of still provides it)
In any case, any good compiler will throw a warning if you use gets. The evilness of this function has been known for at least as long as I've been programming C (~15 years).
So this is a valid criticism, but it should never be an issue in the real world because we shoot people who use it these days.
At least it is consistent. More complex forms of this are very useful:
if ((a = doSomething()) && (b = doSomethingElse(a)))
...
Of course you walk a fine line between making your code more readable because more of the function fits on the screen at a time, and making your code harder to read because you are doing odd things.
So you can do something illogical. There are logical reasons to use the above. Not allowing it would be a problem because it introduces inconsistencies for no gain.
It is a WTF if you do that, but it isn't a WTF that you are allowed to.
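The fgets-for-gets replacement mentioned in the post above, as an added example that is not part of the original thread: a bounded line reader that reports truncation and discards the rest of an overlong line. The names read_line, run_sample and the LINE_* codes are this example's own, and the input is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names are this example's own). */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/*
 * Read one line from fp into buf, whose capacity (including the NUL) is cap.
 * gets() has no capacity argument, so it cannot stop at the end of buf;
 * fgets() stops after cap-1 characters. An overlong line is cut off and
 * its remainder drained, so the next call starts on a fresh line.
 */
int read_line(FILE *fp, char *buf, size_t cap)
{
    size_t len;
    int c;

    if (cap == 0)
        return LINE_EOF;                 /* nowhere to store anything */
    if (cap > INT_MAX)
        cap = INT_MAX;                   /* fgets takes an int size */
    if (fgets(buf, (int)cap, fp) == NULL)
        return LINE_EOF;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* complete line: strip newline */
        return LINE_OK;
    }
    if (len + 1 < cap)
        return LINE_OK;                  /* last line, no trailing newline */

    /* Buffer is full and no newline seen: did the line fit exactly? */
    c = fgetc(fp);
    if (c == '\n' || c == EOF)
        return LINE_OK;
    while ((c = fgetc(fp)) != '\n' && c != EOF)
        ;                                /* discard the rest of the line */
    return LINE_TRUNCATED;
}

/* Feed constructed input through read_line using 8-byte buffers. */
int run_sample(char lines[3][8], int rc[4])
{
    static const char input[] = "short\nAAAAAAAAAAAAAAAAAAAA\nnext\n";
    char scratch[8];
    FILE *fp = tmpfile();
    int i;

    if (fp == NULL)
        return -1;
    fputs(input, fp);
    rewind(fp);
    for (i = 0; i < 3; i++)
        rc[i] = read_line(fp, lines[i], sizeof lines[i]);
    rc[3] = read_line(fp, scratch, sizeof scratch);
    fclose(fp);
    return 0;
}

int main(void)
{
    char lines[3][8];
    int rc[4], i;

    if (run_sample(lines, rc) != 0)
        return 1;
    for (i = 0; i < 3; i++)
        printf("rc=%d line=\"%s\"\n", rc[i], lines[i]);
    return 0;
}
```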
Admin
That's not how it works, "just fucking away" doesn't cut it with C/C++, it just doesn't work. While it does with PHP.
What makes it "easier" is that it accepts pretty much anything you throw at it and tries to make something out of it.
That's what makes it unreliable
Then don't use C/C++, for they are not easy languages. Use Python or Ruby instead if you want.
I agree with you on that point though.
No for every question points
The reason why it is "easy" (to start with) is because, exactly as in VB, the dynamic + weak typing added to the ability to hide any annoying error (and having every warning hidden out of the box) on top of having a language trying to use whatever you throw at him instead of just ripping your head off and shitting in your neck (metaphorically of course) ensures that the initial learning curve is pretty much flat. You don't have to learn anything, and if you don't have the desire to you'll never have to learn anything.
Admin
On what kinds of grounds was this logic founded? I agree with Alex. PHP is useful.. almost _too_ useful; it attracts a lot of children and gets their brains implanted with nasty thoughts that will take years of writing bad apps to fix.
I don't think anyone touched on the fact that two years after PHP came out, JSP+Javascript became available and it's a "serious" platform to write web apps in and provides an out to those who still want to stay as close to OO principles as possible.
ASP.NET is definitely NOT ASP. First of all, it is compiled software, you can use any language you wish, and my friend... you can write your ASP.NET apps in managed C++ if you want to show off your 'leet' coding skills. Shoot, if you want to... you can run over to Fujitsu's website and grab their COBOL.NET compiler and write ASP.NET apps with that if you want (again, why would you want to bother?)
Oh, and if you want to do C# on Linux or BSD, you can go right ahead and grab mono and install mod-aspnet to get ASP.NET working on Apache (so 'nyah!').
Granted, at the time PHP was available, it definitely was a better alternative to VBS-based ASP websites since its interpreter was quicker than asp.dll and you didn't have to go through the pain of CGI/ISAPI/NSAPI to get performance, but that's old hat now.
And on the last statement... C# is not worthy for applications? PAH-LEZE tell me why that is so... since managed VC++ and C# produce nearly identical IL, and oh yeah... C# developers manage to kick out their deliverables in much shorter timespans than C++ developers.
BTW, FWIW... my favorite gripe from a C++ developer is "OMG... is that my object or a bitwise copy? GRR!!!"
Admin
That's not how it works, "just fucking away" doesn't cut it with C/C++, it just doesn't work. While it does with PHP.
Does it? Then why does this thread exist? Clearly just fucking away doesn't cut it in PHP...
Granted, but that's not an easy/hard distinction.
Then don't use C/C++, for they are not easy languages. Use Python or Ruby instead if you want.
Actually, I prefer C#.
The reason why it is "easy" (to start with) is because, exactly as in VB, the dynamic + weak typing added to the ability to hide any annoying error
See? I told you! We do agree!
I personally don't agree that weak-typing makes languages easier. In fact, I think it makes them harder. I suppose you could say that you can do HelloWorld in one line, which makes it look easier. But I don't think anyone's learning programming with a HelloWorld app in mind. I'd say once you start to get onto serious applications, weak-typed applications actually make things harder.
Admin
Ok tell me, without going to google, what this code does:
Admin
Can someone recommend a book that covers how to use PHP effectively? (Not just syntax.)
Admin
Doesn't play in the same league, Python and Ruby are much higher level than C#.
I never doubted it
Yes, weak typing makes writing big applications, and debugging them, a damn pain. But the learning curve of a weakly typed language starts awfully flat: as I said, you barely have to learn anything to start getting "things done" (usually in the worst available way) in PHP, and it makes brainless copy/paste much easier too. That was my point: weak typing looks much easier to someone who has no knowledge of any language.
Technically, you can write Hello World one liners in strongly-typed languages too... example:
Admin
I imagined Arnold Schwarzenegger's accent when I read that.
"Functions to perform the actions on the variables with the values"
Admin
What language was that? SQL? Ok, I'll give you that one, though most strongly typed languages (Delphi, C, C++, C#, Java) use a program construct or main function, which right away buggers up any dreams of a 'one-liner'. Just dropping in code at the top level isn't usually allowed.
However, I think where we differ is on this point:
"weak typing looks much easier to someone who has no knowledge of any language."
I agree with this wholeheartedly, but the key word here is "looks". Something looking easier isn't the same as it being easier.
Admin
Actually, your statement is somewhat misleading. There was and always will be an effort to keep the business logic out of the presentation layer. A poorly written JSP contains scriptlets which often contain business logic. There are many application frameworks (Spring, Struts, JSF) out there that allow you to pass a single object, be it a Value Object or an XML document, to a JSP, where the JSP is responsible only for rendering the object. The problem you're inferring could exist in ASP, JSP, ColdFusion or PHP.
Unfortunately, around here languages are always blamed for the work of the poor programmers who use them.
Admin
What?! You've never used the database for session management? haha
Admin
I felt like this not too long ago. But for my job, I learned ASP.NET and found that it is actually very good, especially as an upgrade to standard ASP code. Very clean structure, it makes writing web code feel like writing application code. It's so much better than the monstrosity that was VBScript/ASP. Of course, ASP.NET doesn't run (cleanly, mod_mono doesn't count) on anything but IIS, which rules it out completely for a lot of shops, and makes it 'not-good-enough' for a lot of other applications.
I agree that php can be well written, but I've seen too many poorly written php scripts to take offense when someone says that it's a hobbyist platform. Besides, when someone says hobbyist, I think GNU utilities and Linux, both of which sometimes have higher-quality software than the commercial competition.
As to C++ vs C#: they're really different tools to be used in different places. C# (and the framework, most people use them interchangeably. In theory, you can have one without the other...) is good if you know that your client has a decently mid-end windows-based machine, you don't care about being cross-platform, you don't need to deal with low-level code, and modules built with it won't need to be called from other applications not necessarily under your control. For systems-level applications, you want to use C++ or C.
Admin
How ironic....
Admin
I once heard an old timer say in an interview a few years ago, "I liken C++ to a chainsaw. You can get a lot of work done with it, but you can also f yourself up with it." <yes, the interviewer dropped the f-bomb in the interview>
Admin
My own string implementation would come without literals and I would have to convert my strings to C strings every time I call a standard function. In other words: not a realistic option in most cases. They screwed it.
It's consistent within the language, but probably not with the expectations of anyone but a C programmer. E.g. Mathematicians hate the abuse of the = sign, it contradicts their meaning of =.
I see very little use for the , besides the
for (x=1, y=1; x<maxx && y<maxy; x++,y++) construct. If you know a reason to use it, tell me. I'm always open to learn.
But since the , is used as a decimal separator in some countries, including mine, you can make perfectly innocent looking bugs...
double pi = 3,14159265;
Now spot that bug!
Admin
ouch, this forum software hurts... sorry for double-posting...
I see very little use for the , besides the
for (x=1, y=1; x<maxx && y<maxy; x++,y++)
construct. If you know another reason to use it, tell me. I'm always open to learn.