Admin
phargoth's country may not be your country.
Admin
Congrats on not understanding what directories do and what challenges large companies face. Separate users in every application? Separate passwords? Separate user access administration in every application (and we've got literally thousands)? Thanks, but no thanks.
AD, like other LDAP compatible directories, provides central user identities, coordinates authentication and provides information data which can be used by applications and infrastructure (e.g. databases, web servers, portals) to make authorization decisions.
Admin
Mmmmmm twinkie.... drools
Admin
~~ third try ~~
<sarcasm>Maybe linux doesn't do LDAP?</sarcasm>
Admin
It is possible to write good code in php, but examples of this are few and far between.
I developed using php for a few years, but switched to java and its various MVC frameworks and have since learned the error of my ways :)
Admin
Hey, what am I doing working on these complex, time-consuming modules for accessing a database of users in a secure manner? Today's WTF has shown me how a truly efficient developer does it. I'll code it up right away (but maybe in perl or python, because we all know that those are better languages). I'll really impress the clients with how quickly I can get such things working.
Thanks for showing me a Better Way.
Admin
A poor craftsman blames his tools. However, even a good craftsman is limited by truly bad tools. Am I poor at searching if I give up SSDS, and try something inferior such as slocate instead?
Admin
I currently work on a side-project with a guy somewhat like Bim Job (or maybe it is Bim Job himself).
This is typical behavior from a delusional C# "programmer" (although he may use some other similar language, I would wager it is C#). The guy I currently work with doesn't realize C# and C are not the same language (thinking C# is the C programming language). He rants about his mastery of C despite his lack of pointer knowledge.
Guys like Bim Job are extremely difficult to work with because they have no idea how ignorant they are of the computer science field. They can repeat vocabulary words from college (e.g. "Turing Complete") without understanding the meaning of said words.
My current C# colleague (again, possibly Bim Job) wonders why he is not allowed to work on the difficult projects despite "a mastery of the C programming language" as a C# "systems programmer". I just laugh and pick a competent programmer for the difficult projects.
Admin
I do, since you ask. Now, who wants my shit?
Admin
Yeah, looks like I missed the point. If the point was "most developers (~80% according to your post) aren't good enough to do this", then you're right. It's also true that most developers aren't good enough to levitate or shoot snow from their rears; those things aren't possible.
If that was your point, then your point is, well, pointless. If you were being serious, then you're wrong.
If I've missed it, please enlighten me.
Admin
TRWTF is that you think you can use JavaScript - a client-side language that can be completely ignored or rewritten by the client - to restrict users from doing something bad.
Admin
Really? After you saw
You thought that was a serious post?
Admin
What you all seem to be missing, is the question of who exactly this 'security' was intended to keep out.
If it's intended to keep out any serious hackers, then it's very very bad. If it was intended to keep out your average script kiddie, it might possibly work, as they'll never try a username with "**" in it.
However, if it was on a system which was only accessible internally, and it was intended to keep out the pointy-haired-boss, and no-one else, then it's fine.
I've designed stuff like this; there's some crappy 'security' on the front-end, when in fact anyone other than the boss could work out that the server's sharing its /www dir with no password! But the boss can't work that out. In fact, the boss can't work out which day it is without looking at his socks. But he might fiddle with something on the 'admin' page that he doesn't understand (which would be any of it). Hence adding 'security' to the system.
TRWTF in my case? The pointy-haired-boss, and his boss who's not fired him yet.
Admin
They, like, totally blew it.
They should have included the password check, so that using ** would not only allow you to be an admin, but also to be an admin as any user you want.
There's nothing like being able to give yourself more money and blame it on the CEO.
Admin
This is not a language-specific problem, but an architectural one. Almost every system of relevance that is supposed to run continuously w/o interruptions (i.e. a transactions processor, a web site, or a hardware monitoring/control system) has administrative requirements.
Every system that has administrative requirements must implement reliable and secure administrative interfaces (ranging from command-line scripts to cute and cuddly web pages, depending on who or what will use those interfaces and how.)
Everything that must be implemented must be taken into account from the get go - it can't be an afterthought (not if people want to have a degree of confidence they won't develop a WTF.) That is, it must be noted in the architecture, in the design, it must be included as part of the deliverables.
Whether you work on PHP, RoR, Java or C, getting it right or missing it completely is the result of architectural and design decisions. Getting it right, or missing it completely, that is not language specific.
Admin
Do you realize how impossible it is to make that kind of assertion? Either that or LAMP-land operates under different rules of computability in complete isolation from the rest of the universe.
For some systems, it is ok to have the roles stored and executed by (and within) the database. This is ok when the roles and the operations assigned to them are data/database-centric.
This also implies that the bulk of business logic is also in the database, and that is a can of worms. Like anything else in software, you can get it right, or you can get it wrong.
It is certainly not a universal solution, and this is predicated by having control of the database. What do you do when you do not (which is usually the case in large enterprise systems)?
What do you do when your data is not from a relational database that lets you perform application-specific permission checking (i.e. data from a mainframe or a real-time data distribution service)?
In many cases (in particular in the health and defense industry) you must have a decentralized role facility that is external and independent to both the data and the data store. In many cases, roles are assigned to tasks that don't logically map to data transactions or stored procedures.
In fact, you seem to confuse access control (which could be done in some but not all instances from within the database) with role assignment.
In very specific cases the solution that you propose makes sense. But in the large scheme of things, it is a very silly thing to propose. I'd suggest you learn a thing or two about software/systems engineering before you climb your activist soapbox.
Admin
You really are a bit of a delusional prat, aren't you?
Admin
If it's small (say circa 10 pages) and unlikely to expand -- ie it's a shop-front with jazz like shopping carts, et al -- go with PHP. PHP is designed for that.
If you want something out quick, and plan on learning lessons and building V2.0 with something else -- go with PHP.
If you've programmed before, go with the language you're comfortable in. Might be Perl (typically), might be Python, might even be a .NET language.
The choice of technology is, in fact, irrelevant -- right up to the point where you need to hire somebody else to fill in the gaps.
At that point, you're pretty much fucked if you chose PHP and want to continue with PHP. Then again, you're pretty much fucked with Ruby on Rails.
It's a harsh world out there.
Admin
Don't kill me for this comment, but if, and that's a big IF, he prevented just anyone from putting "**" in their username and if he checked for those magic stars after the username and password verification, then it could actually be a bit safer than it looks. But considering someone was as "brillant" as that, I think it's quite possible that that piece of code was the first thing that checks the username.
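The ordering question raised in the comment above, as an added example that is not part of the thread or of the article's code. The original login check is not shown on this page, so the three login functions, the `Users` class and every account name are constructed assumptions; the block compares testing the `**` marker before authentication, testing it after, and replacing it with a stored role.

```python
import hashlib
import hmac
import os

MARK = "**"  # marker from the thread; the login shapes below are assumed


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Users:
    """Constructed in-memory user table: name -> (salt, digest, role)."""

    def __init__(self, reserve_mark: bool):
        self.reserve_mark = reserve_mark
        self.rows = {}

    def register(self, name: str, password: str, role: str = "user") -> None:
        if self.reserve_mark and MARK in name:
            raise ValueError("username contains reserved marker")
        salt = os.urandom(16)
        self.rows[name] = (salt, _kdf(password, salt), role)

    def verify(self, name: str, password: str) -> bool:
        row = self.rows.get(name)
        return row is not None and hmac.compare_digest(row[1], _kdf(password, row[0]))


def login_mark_first(users, name, password):
    # Marker tested before any credential check: the caller picks the role.
    if name.startswith(MARK):
        return "admin"
    return "user" if users.verify(name, password) else None


def login_mark_after(users, name, password):
    # Marker tested after verification: safe only if registration reserves it.
    if not users.verify(name, password):
        return None
    return "admin" if name.startswith(MARK) else "user"


def login_role_lookup(users, name, password):
    # Role comes from the stored record, never from the submitted name.
    return users.rows[name][2] if users.verify(name, password) else None
```

With open registration, the marker-after-authentication variant still grants admin to any self-registered `**` name, so both conditions in the comment are needed; the stored-role lookup does not depend on either.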
Admin
Serious answer: It depends on the environment.
.. and so on and so on.
Also, there is the question - how large is the app expected to be?
I really don't see Bim Job's points against PHP, but I'm not going to go there. You can take my opinion with a grain of salt as well. However, based on experience, this is how I would answer your question.
If there is an existing code base (or apps ecosystems), I would try to use a language related to the technology family in use.
If it's a Java shop, I'll stick with Java for the heavy back-end lifting, for user-facing sites on the public Internet or for anything that needs to handle large volume of requests. In particular I'd stick to that if it is a large web system where you have dozens of developers involved.
In the same Java shop, I'd opt for Groovy or JRuby (or some other dynamically typed language) for internal web apps, for the mom-and-pop store web page or as front-ends for Java back-end doing the heavy lifting. On web sites that require constant change and malleability more than anything else, I'd go with Groovy or JRuby or Jython.
Similarly, on a .NET shop, C# would be my equivalent to Java, and VB or VFP as the Groovy/JRuby counterparts.
The reason for choosing to stay within a technology family is that applications never live in isolation. They need to be maintained, and for that you need to leverage the knowledge possessed by the existing development and infrastructure teams.
PHP, I'd use it in bare-bone places where either:
Using PHP will assume that 1) I like it, and 2) I don't suck at development, but that is true of any technology I end up choosing.
The most important things are not the exact programming languages, but understanding the architectural needs of web development (sessionless or near sessionless, malleability, fault-resiliency, good web UI design principles, security.)
Other things that you need to know, and which many web developers are painfully ignorant of, are the characteristics of networks, of the internet and on how things between your app and your client like firewalls, caching servers and the like might affect users' experience.
I'm a Java guy, so I'm biased. I'd say if you want to learn web development, and assuming you possess good (or at least acceptable programming and engineering , learn both Groovy on Rails as well as the JEE stack for web development (Spring+Spring MVC or Spring+Struts/Tiles).
I bet there will be people who are going to groan and moan that these choices are ugly and this and that. Whatever. They exist and people use them. Knowing them will make you marketable.
If you choose a .NET platform, then learn how to develop web apps in C# (or VB, but I'd go with C#) as well as Ruby on Rails on the .NET platform.
That will be my take. As you start learning, you don't need to master all, but you need to be aware of how and when to use static and dynamic type languages. They are tools for specific types of nails, and you need to be able to work with both types.
-- edit --
I'd suggest to also know how to install and configure Apache HTTP server or any other *nix based http server. Play with how to modify headers (such as timeouts and caching headers) and all that crap. It is ugly and it sucks, but people use it, it is a de-facto standard. Plus it doesn't take that long to learn it. Unless you have no knowledge of Unix, it should take you probably 16-48 dedicated hours to really get it.
Admin
It's all right. He'll be greasing his wang nuts.
Admin
I completely agree that roles and user membership must be handled outside of your applications. Like I posted before, in a .NET environment you would choose Active Directory (AD) or maybe the more light-weight Active Directory Application Mode (ADAM). I'm sure that when you develop on a LAMP stack, you have LDAP servers as well with nice management interfaces.
My point is: creating a user management tool for any application is NOT as hard as the article suggests. Just use the correct tool for the job.
Admin
Yeah, my sarcasm-o-meter is currently broken, and I certainly confused you with the poster you were replying to. My bad!
-- third try --
Admin
SSDS - now there's a piece of work. Legendary WTFery. Wonder what part of the web he's infecting with his insanity now?
Admin
No doubt it is in your country. The saying was from phargoth's country.
Admin
He's actually back here, trolling the forums. :) Go check it out. ;)
Admin
Just wanted to toss a word in here. Me myself I'm a systems developer, and see plenty of wtfery in my line of work.
As far as PHP goes, my own knowledge is about on the level of what we see here on tdwtf. I also am not a great fan of the syntax in PHP, although, I guess I can get used to it if I had to. Nor am I fond of the utter lack of naming conventions in standard libraries, but again, that's what Google is for.
My point?
I've got a friend doing PHP work professionally, well, he does pretty much whatever the owner of a website wants him to, except that he never, ever backs down on code quality. He'd rather lose a job than leave crappy code after himself. I've seen code he's worked on before and after, and the after code is a joy to look at, whereas the code before sometimes more resembles some shit some koprofag ate and then threw up again.
Point... Yeah... Point being, there are people out there that are good programmers that actually work with PHP. So you are not completely up the wrong creek without a paddle if you have to hire someone. Though, I guess your chance of hitting some random shithead that read "Teach yourself programming in 3 days!" is a lot greater with PHP than with, say, C/C++ and that whole family of languages.
Uh, I guess I should stop ranting now. Though, there is a point in there somewhere. I think. ;)
Admin
Oh, Patrick, better yet, hire some dumbass that reads the HTTP GETS and writes the response to the client in a text editor by hand, and no need of PHP or nothing else, just teach him HTTP...
Admin
To summarise: (1) For a simple website, you might very well be able to do it yourself -- in PHP, or possibly ASP.Net. Buy a Dummies book -- there's no shame in this -- and play around on your home machine before loading it up on a server. (2) Always start with a simple website. (3) Don't get distracted by loonies arguing over "frameworks." I could recommend one or two, and caution against one or two more. The signal-to-noise ratio on these things is pitifully weak. (4) If you insist on using a framework, buy a book on it first. If you can't understand the book, how the hell can you expect to understand the framework? (5) Always get a second opinion. And then a third. And maybe a fourth. (6) Point (5) is particularly relevant if you try to hire a second person to "help out."
Admin
this is so true. I was unfortunate enough to work for a self-taught PHP fanatic around 5 years ago. sadly his fanaticism didn't extend to actually learning the capabilities of the language beyond having no methods, no encapsulation, zero code reuse, countless include files differentiated by suffixes like "003", referencing db query result columns by index, "saving columns in the database" by comma-delimiting multiple columns into one and paying no interest in the things that make PHP halfway usable like PEAR and PECL (they were too much to learn at once). when I asked him where he'd learnt how to program like that he proudly proclaimed:
Right here!
source control didn't come into it either. instead, I was instructed to perform a full ghost of my machine to tape every friday, taking up over an hour of development time, which he was paying. money for doing literally nothing seems appealing when you're stressed and under pressure - believe me, the actual appeal is short lived.
CAPTCHA: commoveo - commoveo and say that to my face (you need a Yorkshire accent to make it work)
Admin
this comment made my day :)
Admin
reminds me of an old story: some company gave their GUEST account Admin access! so ANYONE could get full access simply with Username "guest", Password "guest".