|
Jonnty posted:Does that imply that there are programs that somehow rely on the buggy behaviour of that escape function, then? mysql_real_escape_string requires an active connection to MySQL. The potentially broken non-real one does not. This is a problem to some programs that were designed by newbies/idiots/idiot newbies. Again, though, real programmers use prepared statements / parameterized queries. This of course explains why everyone learning PHP does so from a ten year old guide that treats 5.0 as scary and new and uses mysql_ by default. Also, quote:If there's no sales tax then sweet! none will be added. However now our application is relying on undefined variables being permitted. Worse, your application may well be designed for PHP4 and register_globals. McGlockenshire fucked around with this message at 05:57 on Jun 11, 2010 |
# ? Jun 11, 2010 05:53 |
|
|
Bhaal posted:So imagine a block of 8 similar lines of code, with one of the variables on one of the lines having a slight typo. Now imagine that adding in possibly undefined values is par for the course throughout the app, so error handling is set up to ignore that (and good luck lobbying to get that changed). Yes it requires a bunch of messing around to do something that really should be turned on by default in the first place, but that's PHP for you. quote:When I found the bug all I could think of is how dumb does your language have to be (and the people who adopt lovely paradigms with it) to let something as simple as a mistyped variable cause so much grief. Whereas in java or C++ or whatever, somewhere months and months into the pre-testing era a programmer would've hit compile, the compiler would've said "Hey jackass, wtf is $donkyballs?", and 5 seconds later it would've been a thing of the past.
|
# ? Jun 11, 2010 09:37 |
|
Found this minor one today:code:
|
# ? Jun 11, 2010 16:30 |
|
Modern Pragmatist posted:
Man I hate that backwards rear end poo poo.
|
# ? Jun 11, 2010 16:33 |
|
Ugg boots posted:Man I hate that backwards rear end poo poo. The only time I ever do something like this is when I'm in Java and I want to compare strings. Saying "foo".equals(str) instead of str.equals("foo") makes things a little more concise in the event that str could be null.
|
# ? Jun 11, 2010 16:41 |
|
Standish posted:Yes it requires a bunch of messing around to do something that really should be turned on by default in the first place, but that's PHP for you. quote:No because in C++ the same people who won't let you enable PHP warnings for undefined variables wouldn't let you turn on "-Wformat" so you'd make a typo "%n" where it should be "%d", have fun tracking that one down. Bhaal fucked around with this message at 19:07 on Jun 11, 2010 |
# ? Jun 11, 2010 19:04 |
|
Flobbster posted:The only time I ever do something like this is when I'm in Java and I want to compare strings. Saying "foo".equals(str) instead of str.equals("foo") makes things a little more concise in the event that str could be null. Yeah, in that case you're just avoiding the horror that is Java string comparison.
|
# ? Jun 11, 2010 19:41 |
|
Not really a horror, but the return at the end made me laugh.code:
|
# ? Jun 11, 2010 19:48 |
|
The horror is the && total > 999... lines - not only would it just be better to use else if, you don't even need to because the if statements return. I would love to see "Credits: wow" though.
|
# ? Jun 11, 2010 20:31 |
|
Alternatively, I feel like it would be a whole lot more readable with conditionals like: if (total >= 1000 && total < 10000) if (total >= 10000 && total < 1000000) etc.
|
# ? Jun 11, 2010 20:39 |
|
Ugg boots posted:Yeah, in that case you're just avoiding the horror that is Java string comparison. It's only horror if you consider the equals() general contract to be false (which doesn't make it any less annoying).
|
# ? Jun 11, 2010 20:55 |
|
I remember at my last job they used mysql_escape_string, since they didn't always have a connection when building queries. I guess the intention was to reduce load on the server, but I really have no idea. Or it was just poor design that would cost too much in developer time to fix. How much could doing it this way help to reduce load, anyway?
|
# ? Jun 11, 2010 22:53 |
|
zergstain posted:I remember at my last job they used mysql_escape_string, since they didn't always have a connection when building queries. I guess the intention was to reduce load on the server, but I really have no idea. Or it was just poor design that would cost too much in developer time to fix. How much could doing it this way help to reduce load, anyway? Even if somehow it magically caused queries to always take no time at all it would still be a horrifyingly terrible idea to use it because it is completely insecure.
|
# ? Jun 11, 2010 22:58 |
|
Ryouga Inverse posted:Even if somehow it magically caused queries to always take no time at all it would still be a horrifyingly terrible idea to use it because it is completely insecure. Prepared statements are faster than building queries from strings anyway.
|
# ? Jun 11, 2010 23:06 |
|
Ryouga Inverse posted:Even if somehow it magically caused queries to always take no time at all it would still be a horrifyingly terrible idea to use it because it is completely insecure. Well of course it won't speed up queries, I was just wondering if it somehow helps to connect, run the queries, and immediately disconnect. Like maybe to reduce the chances of the server throwing a 'too many connections' error. But aren't persistent connections the answer for this? As for security, I understand it's fine as long as you don't use multibyte strings. b0lt posted:Prepared statements are faster than building queries from strings anyway. I don't even remember if we were on 5 when I worked there. I'm sure the code dates back before MySQL 5.0, and again, cost of programmer time. In an ideal world it would be fixed.
|
# ? Jun 11, 2010 23:49 |
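Added example, not posted by anyone in this thread: a small Python script that shows why the escaping-vs-parameters argument above is not about speed. It uses the standard-library sqlite3 module as a stand-in for MySQL (the table and rows are constructed for the demo) and contrasts the string-building pattern with a parameterized query on the same inputs. The function and table names are my own.

```python
import sqlite3

# Constructed sample data; stands in for the MySQL tables discussed in the thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_by_string_building(conn, name):
    """The mysql_escape_string-era pattern: the value is spliced into the SQL text,
    so the database has to re-parse user data as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized form: the statement text is fixed and the value travels
    separately, so it can only ever be compared against the column."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_many(conn, names):
    """Reusing one parameterized statement for many values, the loop case the
    thread mentions; sqlite3 caches the compiled statement between calls."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return [conn.execute(sql, (n,)).fetchall() for n in names]


def compare(name):
    """Return (string_built_result, parameterized_result) for one input.
    A parse failure in the string-built path is reported as the exception's class name."""
    conn = make_db()
    try:
        built = lookup_by_string_building(conn, name)
    except sqlite3.OperationalError:
        built = "OperationalError"
    param = lookup_parameterized(conn, name)
    conn.close()
    return built, param


if __name__ == "__main__":
    for value in ["alice", "O'Brien", "x' OR 'a'='a"]:
        print(repr(value), "->", compare(value))
```

A perfectly ordinary name containing an apostrophe is enough to break the string-built query outright, and an input that happens to contain SQL syntax changes what the statement means; the parameterized version returns exactly the rows whose name equals the input, or none, in every case. That is the property escaping functions try to approximate and parameters simply have.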
|
b0lt posted:Prepared statements are faster than building queries from strings anyway. Provided your DBM is caching them properly. I had an Oracle DBM which reported that it was parsing the prepared statement every time I executed one. I only built the statement once and then used it over and over unless we lost database connectivity or there was a reason to close it. I worked with the DBA trying to figure out why it wasn't parsing for a couple days and we never could figure it out. Edit: Since the code was no longer bottlenecking on the database code after me implementing the reuse connection and all statements, I sort of gave up on it and went after other bottlenecks. HFX fucked around with this message at 00:21 on Jun 12, 2010 |
# ? Jun 12, 2010 00:18 |
|
b0lt posted:Prepared statements are faster than building queries from strings anyway. Is there something around that proves this? I'm curious, because I think that, in PHP at least, a prepared statement requires two trips to the MySQL server: one to prepare the statement and one to execute it. Which is fine if you're using a query in a loop with lots of varying parameters, but seems like overkill when you do lots of one off queries.
|
# ? Jun 12, 2010 00:27 |
|
b0lt posted:Prepared statements are faster than building queries from strings anyway. Fun fact: the author of the python-mysql library absolutely refuses to use parameterization in his binding because he insists that building queries from strings is always faster. (One of these days I'll finish/publish my benchmarks showing oursql blowing mysqldb away. )
|
# ? Jun 12, 2010 01:00 |
|
MySQL is a coding horror. Is it possible to use a subquery yet?
|
# ? Jun 12, 2010 02:31 |
|
king_kilr posted:MySQL is a coding horror. Is it possible to use a subquery yet?
|
# ? Jun 12, 2010 02:40 |
|
Janin posted:Uh, yes? Subqueries were added over 6 years ago. Oh sorry, I meant without using an on disk temporary table and killing all performance.
|
# ? Jun 12, 2010 04:46 |
|
king_kilr posted:Oh sorry, I meant without using an on disk temporary table and killing all performance. I prefer Postgres for reliability reasons, but it's not like the MySQL devs don't know how to optimize for performance.
|
# ? Jun 12, 2010 05:56 |
|
code:
I looked around more and every single function this guy wrote follows this form: code:
I think a bottle of scotch in the morning is needed. Ugh.
|
# ? Jun 12, 2010 08:57 |
|
Ugg boots posted:Yeah, in that case you're just avoiding the horror that is Java string comparison. Can you elaborate? I'm not trying to call you out on anything - I'm genuinely interested to hear how String.equals() breaks the equals() contract.
|
# ? Jun 12, 2010 16:17 |
|
Chairman Steve posted:Can you elaborate? I'm not trying to call you out on anything - I'm genuinely interested to hear how String.equals() breaks the equals() contract. I think he's referring to the problem with null strings in Java. If foostring is null, and you call foostring.equals("whatever"), then you get a null pointer exception. If you reverse that call, since "whatever" is guaranteed not to be null, you will never have that exception. It's due to java treating strings like objects, and building the equals() function into that object. e: The horror is that java includes the equals function into the string object, where most other languages handle it in a separate function that can handle null cases better. zeekner fucked around with this message at 16:35 on Jun 12, 2010 |
# ? Jun 12, 2010 16:32 |
|
The horror is having every user-defined type be a reference type and having all reference variables be nullable.
|
# ? Jun 12, 2010 17:34 |
|
Geekner posted:e: The horror is that java includes the equals function into the string object, where most other languages handle it in a separate function that can handle null cases better. At this point you're just saying "this is a horror because Java is not like some other languages".
|
# ? Jun 12, 2010 18:23 |
|
Mustach posted:The horror is having every user-defined type be a reference type and having all reference variables be nullable. This isn't really a horror either, but I can see a certain elegance in your way of thinking. That is to always force a reference variable to be defined at time of declaration. A programmer could do this by declaring a subclass of String to use for such occurrences. You could even have it throw exceptions if need be for certain methods. You would then assign the value of say UndefinedString when you wanted null. I can just imagine the bitching now. Flobbster posted:The only time I ever do something like this is when I'm in Java and I want to compare strings. Saying "foo".equals(str) instead of str.equals("foo") makes things a little more concise in the event that str could be null. I'd have no problems with this if you define "foo" in a constant and then use the constant to do the equals test. It doesn't read exactly right, but it will work. HFX fucked around with this message at 19:29 on Jun 12, 2010 |
# ? Jun 12, 2010 19:26 |
|
http://en.wikipedia.org/wiki/Python_%28programming_language%29
quote:While many programming languages round the result of integer division towards zero, Python always rounds it down towards minus infinity; so that 7//3 is 2, but (−7)//3 is −3.
??!
|
# ? Jun 12, 2010 20:37 |
|
qntm posted:??! Not sure what you're ??! about, but the bolded part is so that when rounding a large set of numbers, some will round down and some will round up, evening out, avoiding a bias of rounding all up or all down.
|
# ? Jun 12, 2010 21:02 |
|
Somewhat more questionable is that Excel rounds up, VBA for Excel rounds to even and some contractors we hired didn't quite get that distinction.
|
# ? Jun 12, 2010 21:08 |
|
qntm posted:http://en.wikipedia.org/wiki/Python_%28programming_language%29
http://en.wikipedia.org/wiki/Rounding#Round_half_to_even
|
# ? Jun 12, 2010 21:09 |
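Added example, not from any of the posters above: a Python script that makes the two rounding points in this exchange concrete. It checks the floor-division invariant (a == q*b + r with r taking the sign of the divisor) against a C-style truncating version written out by hand for contrast, and totals the net rounding error of round-half-up versus Python's round-half-to-even over a constructed list of ties, which is the "evening out" claim above. Function names are mine.

```python
import math


def floor_divmod(a, b):
    """Python semantics: q rounds toward minus infinity and r has the sign of b,
    so a == q * b + r always holds and 0 <= r < b for positive b."""
    q, r = a // b, a % b
    assert a == q * b + r
    return q, r


def trunc_divmod(a, b):
    """C-style semantics for contrast (written by hand, integers only): q truncates
    toward zero and the remainder takes the sign of the dividend."""
    q = abs(a) // abs(b)
    if (a < 0) != (b < 0):
        q = -q
    r = a - q * b
    return q, r


def round_half_up(x):
    """Schoolbook rounding: every tie goes up, so ties never cancel."""
    return math.floor(x + 0.5)


def round_half_even(x):
    """Python 3's built-in round() is round-half-to-even (banker's rounding)."""
    return round(x)


def net_bias(values, rounder):
    """Sum of (rounded - exact) over the values; 0 means no systematic drift."""
    return sum(rounder(v) - v for v in values)


# Constructed sample: every value is an exact tie, the worst case for bias.
HALVES = [0.5, 1.5, 2.5, 3.5, 4.5, 5.5]

if __name__ == "__main__":
    print("7 // 3  ->", floor_divmod(7, 3), " truncating:", trunc_divmod(7, 3))
    print("-7 // 3 ->", floor_divmod(-7, 3), " truncating:", trunc_divmod(-7, 3))
    print("half-up bias:  ", net_bias(HALVES, round_half_up))
    print("half-even bias:", net_bias(HALVES, round_half_even))
```

The floor version is the one that keeps `a % b` in the range `[0, b)` for a positive modulus, which is what you want for wrap-around indexing and hash bucketing; the truncating version gives a negative remainder for a negative dividend. Over the six ties, round-half-up drifts by +0.5 per value while round-half-to-even nets to zero.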
|
The only thing about Python that really annoys me is displaying floats as x.000...01. Maybe the lack of good information hiding in classes too, but having only written academic assignments that hasn't been a problem yet.
Shumagorath fucked around with this message at 21:06 on Jun 13, 2010 |
# ? Jun 13, 2010 17:28 |
|
Shumagorath posted:The only thing about Python that's really annoyed me is displaying floats as x.000...01. Maybe the lack of good information hiding in classes too, but having only written academic assignments that hasn't been a problem yet. This should be handled by a string output format. As to the information hiding, there are a lot of classical languages that have no information hiding. Just write yourself getters and setters to access them, and get in the habit of using the getters and setters even in your own code. There are quite a few people who recommend putting a _ in front of the private members.
|
# ? Jun 13, 2010 20:11 |
|
HFX posted:This should be handled by a string output format. As to the information hiding, there are a lot of classical languages that have no information hiding. Just write yourself getters and setters to access them, and get in the habit of using the getters and setters even in your own code. There are quite a few people who recommend putting a _ in front of the private members. It's not just 'a few people' - that's the recommended way of doing it. A double underscore actually hides attributes (well, it really scrambles the method name, but they're as good as hidden).
|
# ? Jun 13, 2010 20:17 |
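Added example covering both replies above (it is mine, not code from either poster): a Python script that shows the float display being a formatting matter, with Decimal as the exact alternative for money-like values, and an Account class illustrating the single-underscore convention next to the double-underscore name mangling that the last post describes. Class and function names are constructed for the demo.

```python
from decimal import Decimal


def show_float(x, places=2):
    """Return the raw repr of a float next to a fixed-format rendering of it."""
    return repr(x), format(x, f".{places}f")


def exact_money_total(amounts):
    """Decimal values built from strings carry no binary-float artifacts at all."""
    return sum(Decimal(a) for a in amounts)


class Account:
    def __init__(self, owner):
        self.owner = owner
        self._balance = 0      # single underscore: a convention, fully accessible
        self.__audit = []      # double underscore: mangled by Python to _Account__audit

    def deposit(self, amount):
        self._balance += amount
        self.__audit.append(("deposit", amount))

    @property
    def balance(self):
        """Read-only getter, the 'use the accessor even in your own code' habit."""
        return self._balance

    def audit_entries(self):
        return list(self.__audit)


def mangling_demo():
    """Which attribute names are actually reachable on an instance."""
    acct = Account("demo")
    acct.deposit(5)
    return {
        "plain_name_visible": hasattr(acct, "__audit"),
        "mangled_name_visible": hasattr(acct, "_Account__audit"),
        "single_underscore_visible": hasattr(acct, "_balance"),
        "balance": acct.balance,
        "entries": acct.audit_entries(),
    }


if __name__ == "__main__":
    print(show_float(0.1 + 0.2))
    print(exact_money_total(["0.10", "0.20"]))
    print(mangling_demo())
```

The mangled attribute is still reachable under its `_Account__audit` name, so this is collision avoidance for subclasses rather than real access control; the single underscore relies entirely on readers honouring the convention.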
|
php:
<?PHP
class Foo {
    var $bar = null;
    function GetBarSingleton() {
        if ($this->bar === null) {
            echo "Creating the Bar";
            $this->bar = new Bar();
        }
        return $this->bar;
    }
}
class Bar {
    var $sum = 0;
    function Add($value) {
        $this->sum += $value;
    }
}
$foo = new Foo();
$bar1 = $foo->GetBarSingleton(); // Prints "Creating the Bar"
$bar2 = $foo->GetBarSingleton(); // Prints nothing
echo $bar1 === $bar2 ? "true\n" : "false\n"; // Prints "true"
$bar1->Add(3);
$bar2->Add(5);
// Here's where things get weird
echo $bar1->sum . "\n"; // Prints "3" (Expected "8")
echo $bar2->sum . "\n"; // Prints "5" (Expected "8")
echo $bar1 === $bar2 ? "true\n" : "false\n"; // Prints "false" (Expected "true")
?>
|
# ? Jun 13, 2010 23:41 |
|
Having both assignment by value and assignment by reference in a language really isn't much of a horror.
|
# ? Jun 14, 2010 00:47 |
|
PHP changed it from version 4 to 5. In PHP 4: $obj = $other_obj was assignment by value; in 5 they changed it to assign by reference and introduced the 'clone' keyword to effectively copy an object.
|
# ? Jun 14, 2010 19:46 |
|
Plorkyeran posted:Having both assignment by value and assignment by reference in a language really isn't much of a horror. I'd say having to change such a fundamental feature of a language from one revision to another definitely counts as a programming language horror.
|
# ? Jun 14, 2010 22:29 |
|
|
Plorkyeran posted:Having both assignment by value and assignment by reference in a language really isn't much of a horror. It is when there's no way to check reference equality.
|
# ? Jun 14, 2010 23:15 |