clockwork automaton
May 2, 2007

You've probably never heard of them.

Fun Shoe
code:
fp = popen("cat /dev/pi", "r");
Okay, it's student code but this code manages to be bad and clever at the same time that I couldn't help but share.

fritz
Jul 26, 2003

clockwork automaton posted:

code:
fp = popen("cat /dev/pi", "r");
Okay, it's student code but this code manages to be bad and clever at the same time that I couldn't help but share.

Tell me /dev/pi generates pi in binary.

The Reaganomicon
Oct 14, 2010

by Lowtax

fritz posted:

Tell me /dev/pi generates pi in binary.

The first hit for "/dev/pi" is this and clockwork automaton is from UoP, so yes, it's pi. :v:

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



I'm not the best with Java, but I think this counts, right?

code:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;

// newline is not declared in the posted snippet; assumed to be a class constant like this one
static final String newline = System.getProperty("line.separator");

public static String readUrl(String urlString) {
	BufferedReader in = null;
	String output = "";
	try {
		try {
			in = new BufferedReader(new InputStreamReader(
					new URL(urlString).openStream()));
			output = new String();
			String line;
			while ((line = in.readLine()) != null) {
				output += line + newline;
			}
		} finally {
			if (in != null)
				in.close();
		}
	} catch (IOException e) {
		e.printStackTrace();
	}
	return output;
}

zeekner
Jul 14, 2007

Munkeymon posted:

I'm not the best with Java, but I think this counts, right?

code:
public static String readUrl(String urlString) {
 BufferedReader in = null;
 String output = "";
 try {
  try {
   in = new BufferedReader(new InputStreamReader(
     new URL(urlString).openStream()));
   output = new String();
   String line;
   while ((line = in.readLine()) != null) {
    output += line + newline;
   }
  } finally {
   if (in != null)
    in.close();
  }
 } catch (IOException e) {
  e.printStackTrace();
 }
 return output;
}

It's not completely horrible, it just looks like a C programmer that's still stuck assuming everything needs a null-check or to be allocated manually.

Also, concatting strings like that should be done with StringBuilder or something.

HFX
Nov 29, 2004

Geekner posted:

It's not completely horrible, it just looks like a C programmer that's still stuck assuming everything needs a null-check or to be allocated manually.

Also, concatting strings like that should be done with StringBuilder or something.

The real horror here is that they overloaded mathematical operators for strings and thus broke consistency.

zeekner
Jul 14, 2007

HFX posted:

The real horror here is that they overloaded mathematical operators for strings and thus broke consistency.

Java strings are a confusing mess. Features like that += operator are designed around ease of use, not speed. Anyone who understands this mess well will avoid them like the plague. When you stare into the enterprise, the enterprise stares into you.

That code snippet just shows that the programmer doesn't understand Java strings very well. Each += operation creates a new string, wasting memory and processing time. With StringBuilder, he could just append the string and generate the final string when he's done reading from input.

zeekner fucked around with this message at 19:13 on Apr 11, 2011

ToxicFrog
Apr 26, 2008


Am I missing something, or could that whole thing be replaced with:

code:
public static String readUrl(String urlString) {
  return urlString;
}
Since all it does is copy urlString line-by-line and then return the copy, and since Java strings are immutable making a copy is pointless?

zeekner
Jul 14, 2007

ToxicFrog posted:

Am I missing something, or could that whole thing be replaced with:

code:
public static String readUrl(String urlString) {
  return urlString;
}

code:
new URL(urlString).openStream()
This is a shortcut to open an inputstream from that URL, for opening a webpage or something.

The code just opens/reads/concats a webpage or file into a string.

Frozen Peach
Aug 25, 2004

garbage man from a garbage can
I read a great story of coding horrors this weekend:

http://www.machine9.net/blog/?p=592

Apparently Eve Online changed their official forums, replacing their whole system with YAF. Not only could you manually change your cookie to post as anyone you want, but you could also put any javascript, html, and flash you want in your post signature. It's like a phisher's dream.

HFX
Nov 29, 2004

Geekner posted:

Java strings are a confusing mess. Features like that += operator are designed around ease of use, not speed. Anyone who understands this mess well will avoid them like the plague. The further you look into the enterprise, the more the enterprise looks into you.

That code snippet just shows that the programmer doesn't understand Java strings very well. Each += operation creates a new string, wasting memory and processing time. With StringBuilder, he could just append the string and generate the final string when he's done reading from input.

I was talking about the language designers, and not the programmer who wrote that code. I know why the + and += are there, but I think it was a poor design decision to overload for strings even for ease of use and not allow any other overloading where it made sense (Integer, Float, etc before autoboxing). String overloading, the equal() method vs '==', and the protected keyword are the 3 features I loathe about Java.

nielsm
Jun 1, 2009



I remember reading somewhere that the Java compiler now actually detects cases where it seems a string is being built, and replaces String concatenation operations with a StringBuilder.


But I wonder how the code above will perform if handed the URL of a binary file, I imagine it might end up performing newline transformations on the data.
The main WTF is reading line-by-line instead of just a fixed-size buffer.

Other WTFs:

String output = "";
// ... no assignments to output
output = new String();


No error reporting. Empty resource looks the same as any kind of error.

But it isn't really a horror IMO.

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



Geekner posted:

It's not completely horrible, it just looks like a C programmer that's still stuck assuming everything needs a null-check or to be allocated manually.

Also, concatting strings like that should be done with StringBuilder or something.

3/4 of the people I work with are C programmers no matter what language they're using.

I figured there would be some way to do it that wouldn't involve looping on read. Hasn't Soracle added some utility method to move bytes from a readable stream to a string (or just any writable stream) since I stopped paying attention 6 years ago? I mean, I know Java developers have an unnatural love for watching their LoC count go up and all, but drat.
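A rewrite of the posted readUrl that addresses the points raised in the replies above (+= copying the accumulated string on every line, readLine() mangling binary data and line endings, and errors swallowed so an empty resource looks like a failure). This is an added example, not code from the thread; the class name UrlReader and the 8 KiB buffer size are my choices.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public final class UrlReader {

    // Reads the whole resource behind urlString and decodes it as text.
    // Differences from the posted readUrl:
    //  - one try-with-resources instead of nested try/finally and null checks
    //  - a fixed-size byte buffer instead of readLine(), so binary content
    //    and the original line endings survive unchanged
    //  - one growing byte buffer instead of String +=, which copies the
    //    accumulated text on every iteration
    //  - IOException propagates, so the caller can tell an empty response
    //    from a failed connection
    public static String readUrl(String urlString, Charset charset) throws IOException {
        try (InputStream in = new URL(urlString).openStream()) {
            return new String(readFully(in), charset);
        }
    }

    public static String readUrl(String urlString) throws IOException {
        return readUrl(urlString, StandardCharsets.UTF_8);
    }

    // Copies a stream to a byte array 8 KiB at a time; works for any
    // InputStream, not only network ones. On Java 9+ in.readAllBytes()
    // does the same job.
    static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    // Demonstration on constructed input so it runs offline.
    public static void main(String[] args) throws IOException {
        // Constructed sample: mixed line endings plus a NUL byte, which a
        // readLine() loop would rewrite or drop.
        byte[] sample = "line one\r\nline two\n\0binary tail".getBytes(StandardCharsets.UTF_8);
        String text = new String(readFully(new ByteArrayInputStream(sample)), StandardCharsets.UTF_8);
        System.out.println(text.equals("line one\r\nline two\n\0binary tail"));
    }
}
```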

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

Thought this was kind of neat. ISC has the 'Application Security Streetfighter Blog'. They post a (closed usually) vulnerability each week from an OSS project every Friday, and then people figure out what the actual vuln was. I only found it today but I am going to keep checking back I think. Haven't checked if any true horrors are to be found there, but couldn't think of another thread that would appreciate it:
http://software-security.sans.org/blog/

NotShadowStar
Sep 20, 2000
Reading that site just get me mad about PHP again. I swear to loving christ the PHP lead team has absolutely no clue the responsibility they hold. It needs to be built-in automatic into the language for safely escaping anything that comes from outside, not this huge crazy confusing as loving hell list of htmlspecialchars, strip_tags, htmlescape, add_slashes, strip_slashes, escape_string, real_escape_string. Any framework worth anything automatically safely encodes everything, so the PHP language, which is only good for web work at best, should loving do it. Could even follow the idiotic PHP naming conventions and call them $_POST_REAL_USE_THIS_ONE_YOU_INDIAN_FUCKWIT, real_really_real_html_safe_this_string(), $db->cleans_your_query_you_filthy_fuck. Then depreciate and remove all the old unsafe ones. An entire loving class of errors would disappear overnight if the PHP team would just stop being absolute morons.

Goddamn I'm mad about PHP.

fritz
Jul 26, 2003

The Reaganomicon posted:

The first hit for "/dev/pi" is this and clockwork automaton is from UoP, so yes, it's pi. :v:

The true horror is that it's a decimal representation.

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



NotShadowStar posted:

Goddamn I'm mad about PHP.

I got the impression they were using http://yetanotherforum.net/ which would be C#, but I can see why you would assume it was PHP.

edit: yup, my bad - I just skimmed the blog to read later and didn't see it was about PHP. also, I have no idea why I assumed he was talking about the CCP thing.

Munkeymon fucked around with this message at 22:37 on Apr 11, 2011

Dessert Rose
May 17, 2004

awoken in control of a lucid deep dream...

Munkeymon posted:

I got the impression they were using http://yetanotherforum.net/ which would be C#, but I can see why you would assume it was PHP.

I think he is posting about the post directly above his, i.e. the one about PHP.

Fehler
Dec 14, 2004

.

NotShadowStar posted:

Goddamn I'm mad about PHP.

I don't see how this is different from any other language. C/Java/Python let you build a query string from scratch too, so you can end up with exactly the same bugs. The problem is stupid developers who are still not using prepared statements, not PHP.

TOO SCSI FOR MY CAT
Oct 12, 2008

this is what happens when you take UI design away from engineers and give it to a bunch of hipster art student "designers"

Frozen-Solid posted:

I read a great story of coding horrors this weekend:

http://www.machine9.net/blog/?p=592

Apparently Eve Online changed their official forums, replacing their whole system with YAF. Not only could you manually change your cookie to post as anyone you want, but you could also put any javascript, html, and flash you want in your post signature. It's like a phisher's dream.

Hahahahahahahahahahahahahahahahahahaha

For those who don't know, CCP is the company that accidentally deleted boot.ini during a routine update because they couldn't figure out how to change directories in an install script.

They also released a "Linux version" of their game, which was slower and significantly less stable than just using the Windows version in Wine.

Giving up on EVE was one of the best things I ever did for my life.

NotShadowStar
Sep 20, 2000
I just knew that'd be the first response.

Java, C#, Python, Ruby et al. are general purpose languages. The primary goal is not web development, but web development stacks have been added to them. Usually, at least the better ones, these stacks also give the developer easy access to variables or classes that automatically filter things for you. Almost always you can get the raw data out of these stacks, like if you really really wanted unescaped POST data or SQL queries, but you have to explicitly do it. Often these stacks are built on lower level access stacks that don't filter, like Django built on WSGI, Rails on Rack, etc.

PHP is dealing on the lower level, unescaped input and output always. There is no reason for this. PHP is supposed to be a web development language only, so they don't need the levels of abstraction that general purpose languages do. PHP's default should be sanitize input and output first just like the stacks built on other languages, with the ability to use raw data if you really, really need to. Most of the XSS and SQL injection attacks come from people who just don't loving know what can happen. You don't see nearly as many XSS or SQL injection from Spring, ASP.NET MVC, Django or Rails apps because they filter everything always. The PHP language more than anything needs to do exactly that. But they never will, because they're loving incompetent.

GODDAMN I'M MAD ABOUT PHP.

Xenos
Jun 17, 2005

Janin posted:

Hahahahahahahahahahahahahahahahahahaha

For those who don't know, CCP is the company that accidentally deleted boot.ini during a routine update because they couldn't figure out how to change directories in an install script.

They also released a "Linux version" of their game, which was slower and significantly less stable than just using the Windows version in Wine.

I liked looking through the client's codebase when it leaked, a bunch of modules were just named after pop stars instead of anything useful. They also don't know how to update the billboards, because nobody in the company understands how they work.

quote:

Giving up on EVE was one of the best things I ever did for my life.

You and me both :hfive:

Munkeymon
Aug 14, 2003

Motherfucker's got an
armor-piercing crowbar! Rigoddamndicu𝜆ous.



NotShadowStar posted:

PHP's default should be sanitize input

but they kind of tried that and it failed

quote:

because they're loving incompetent.

Oh, you already knew the whole time :)

Frozen Peach
Aug 25, 2004

garbage man from a garbage can

Janin posted:

For those who don't know, CCP is the company that accidentally deleted boot.ini during a routine update because they couldn't figure out how to change directories in an install script.

gently caress I forgot about this. Why would you even put a boot.ini file in your own game to begin with? That's just asking for trouble.

Scaramouche
Mar 26, 2001

SPACE FACE! SPACE FACE!

I think for me, of course it's possible to do the same things in other languages. But from a development standpoint, it just seems harder to do so, as opposed to PHP which seems to encourage these shortcuts. I say "seems" because I'm more of a "solve the problem in front of me" kind of programmer than "hmm yes algorithmic approach A will provide x% of performance gain versus B". I'm just glad I stopped with PHP around 3.0 when I started realizing "man this getting pretty complex for a glorified scripting language; if I wanted this kind of heartache I'll stick with Perl."

tef
May 30, 2004

-> some l-system crap ->

Fehler posted:

I don't see how this is different from any other language. C/Java/Python let you build a query string from scratch too, so you can end up with exactly the same bugs. The problem is stupid developers who are still not using prepared statements, not PHP.

nope.


for why not, just read any of my posts on php. I hate to repeat myself.

Jonnty
Aug 2, 2007

The enemy has become a flaming star!

Frozen-Solid posted:

I read a great story of coding horrors this weekend:

http://www.machine9.net/blog/?p=592

Apparently Eve Online changed their official forums, replacing their whole system with YAF. Not only could you manually change your cookie to post as anyone you want, but you could also put any javascript, html, and flash you want in your post signature. It's like a phisher's dream.


Thanks for the writeup. I did notice the cookies were readable, which is a big nono. You can easily encrypt them.

tef
May 30, 2004

-> some l-system crap ->
Fehler: php is a disgusting language and you should be ashamed of defending it.

pseudorandom name
May 6, 2007

We should all take note that CCP replaced YAF's stock user authentication mechanism with their own proprietary system, and thus they were the source of the problem, not YAF.

(YAF has the usual anybody-with-an-email-can-signup system, while CCP wanted to automatically give accounts to their subscribers and nobody else.)

POKEMAN SAM
Jul 8, 2004

pseudorandom name posted:

We should all take note that CCP replaced YAF's stock user authentication mechanism with their own proprietary system, and thus they were the source of the problem, not YAF.

(YAF has the usual anybody-with-an-email-can-signup system, while CCP wanted to automatically give accounts to their subscribers and nobody else.)

I thought that it was YAF's fault that you could put Javascript/HTML/whatever in your signature, no?

Fehler
Dec 14, 2004

.
Oh, I'm not saying php isn't bad. There are many horrible things about it and when I have the choice I use something else. But expecting the language itself to magically guess the intent of the programmer and escape everything automatically seems a bit unreasonable. As I said, there are frameworks already that do all these things and "good" programmers use them. But if people choose to create their own SQL strings and echo out their HTML you can't really blame php for it.

And yes, I should really get rid of this avatar...

ninjeff
Jan 19, 2004

Fehler posted:

Oh, I'm not saying php isn't bad. There are many horrible things about it and when I But if people choose to create their own SQL strings and echo out their HTML you can't really blame php for it.

yes you can for exactly the reasons NotShadowStar posted

NotShadowStar
Sep 20, 2000
PHP's echo, print functions/keywords should be default escaped like any sane web development. GET, POST, PUT should also be escaped. remove mysql_* and force to use PDO. There you've now removed an enormous part of the Internet that's insecure. That's ALL THEY NEED TO DO. It would still be a poo poo language but at least it cuts out on most of the injection and XSS errors.

Fehler
Dec 14, 2004

.
Your argument doesn't make any sense whatsoever. Yes, it would have been nice if PHP had included these features from the start. But at a time when Perl/CGI was the only alternative, nobody was thinking about things like this. And now that you have this language you can't just suddenly start removing low-level features. If you break compatibility with pretty much every script ever written you might as well just switch to something like Ruby in the first place.

php makes it slightly easier to be a bad programmer than other languages, but that doesn't mean that there is no way to work with it at all.


And by the way, get/post/put is escaped by default, which is why you see all these random backslashes added on lovely php websites.

NotShadowStar
Sep 20, 2000
http://www.php.net/manual/en/security.magicquotes.php

"Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed."

:siren: :siren: :siren: This feature has been DEPRECATED as of PHP 5.3.0. :siren: :siren: :siren:

http://www.php.net/manual/en/security.magicquotes.why.php

"Today developers are better aware of security"

:drat:

These people are loving CLUELESS.

Blotto Skorzany
Nov 7, 2008

He's a PSoC, loose and runnin'
came the whisper from each lip
And he's here to do some business with
the bad ADC on his chip
bad ADC on his chiiiiip
Magic quotes weren\\\\\\\\\\\\\\\\\'t ever a good idea hth

wellwhoopdedooo
Nov 23, 2007

Pound Trooper!

Otto Skorzeny posted:

Magic quotes weren\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'t ever a good idea hth

what the gently caress are you talking about they were awesome

Smugdog Millionaire
Sep 14, 2002

8) Blame Icefrog
anybody defending PHP is the coding horror

tef
May 30, 2004

-> some l-system crap ->

Fehler posted:

Your argument doesn't make any sense whatsoever. Yes, it would have been nice if PHP had included these features from the start. But at a time when Perl/CGI was the only alternative, nobody was thinking about things like this.


actually, your post doesn't make any sense whatsoever

perl had tainted perl.

these features are pretty easy to do with distinct types for sql statements, html and plain text.
and implicit conversions that deal with escapes.

it's not rocket science


but somehow, doing even something remotely sensible seems like a sisyphean feat to someone who has had long term exposure to php.
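An added illustration of the distinct-types idea tef describes above, written in Java because that is the language already on the page: plain text and HTML are separate types, escaping happens exactly once at the boundary between them, and the renderer refuses an unescaped String at compile time. This also shows why that beats escaping on input the way magic quotes did: appending Html to Html never re-escapes, so the doubled backslashes joked about earlier cannot appear. The Html class and its method names are assumptions for this example, not any library's API.

```java
import java.util.Objects;

// Plain text is String; markup is Html. The only way from one to the
// other is through text(), which escapes, or raw(), which is explicit.
public final class Html {
    private final String markup;

    private Html(String markup) {
        this.markup = markup;
    }

    // Escapes once, at the moment plain text becomes markup.
    public static Html text(String plain) {
        StringBuilder sb = new StringBuilder(plain.length());
        for (int i = 0; i < plain.length(); i++) {
            char c = plain.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return new Html(sb.toString());
    }

    // Markup the developer wrote themselves; the method name makes the
    // unescaped path easy to spot in code review.
    public static Html raw(String trustedMarkup) {
        return new Html(Objects.requireNonNull(trustedMarkup));
    }

    // Html + Html never escapes again, so there is no double escaping,
    // unlike data that was already escaped on input and gets escaped
    // once more on output.
    public Html append(Html other) {
        return new Html(markup + other.markup);
    }

    @Override
    public String toString() {
        return markup;
    }

    // Accepts Html only: passing a String does not compile, so a forgotten
    // escape is a type error instead of a bug that ships.
    public static String render(Html body) {
        return "<p>" + body + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for a forum signature.
        String signature = "<b>hi</b> & \"friends\" don't";
        Html safe = Html.text(signature).append(Html.raw("<br>"));
        System.out.println(render(safe));
        // render(signature); would fail to compile: String is not Html
    }
}
```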

tef
May 30, 2004

-> some l-system crap ->
this is what I mean by 'php gives you brain damage'. you lose the ability to distinguish between good and bad and what is actually possible in a language.


no no you don't understand, my ignorance of the past work justifies my ignorance of the present problems

tef fucked around with this message at 09:14 on Apr 12, 2011
