|
Had a fun time today trying to find the bug in my code until I finally distilled the problem down to the following abstraction:code:
code:
I couldn't find this documented anywhere as intended or a bug or anything like that. Am I crazy in thinking this should be a bug/misfeature?
|
# ¿ Sep 23, 2009 01:51 |
|
|
# ¿ May 4, 2024 01:05 |
|
Edit: forgot it's href's onclick, so just return the confirm like ^^^^^code:
|
# ¿ Oct 10, 2009 21:44 |
|
Before accepting it serverside you would still need to validate that the key from the client fits the constraints of userid/sessionid or whatever, on top of the normal sanitizing & escaping, otherwise it'll be a vector for shenanigans. But yes if you're going to have clients creating unique PKs then definitely come up with a seeding process for all ids that it's tied not only to the logged in user but the session/frontend instance that is running, and have some way to re-validate serverside.
|
# ¿ Sep 6, 2012 23:41 |
|
DreadCthulhu posted:Backbone question: do I actually ever need to remove events bound to children of a view if I delete the entire view each time I navigate to a different one? I keep reading that modern browsers do a good job at automatic recollection of dangling event handlers. Is that not really the case? http://lostechies.com/derickbailey/2011/09/15/zombies-run-managing-page-transitions-in-backbone-apps/
|
# ¿ Apr 1, 2013 21:16 |
|
I'm confused. Is this username/password specific to person A and B or is it a standard one for the company? If the login (whether it's one per user or a universal one) is so important I think javascript might not be the way to go because if they're on Computer 1 and the JS is running on Computer 1, someone clever/malicious enough will probably be able to extract it. This depends on what's at stake about the site being accessed outside of the company. Is it meaningless red tape that came out of policy (ie. managing the whole "kicking other users off" thing) but nothing is really too vulnerable and training/guidance/trust would be enough, or does it really offer a black eye for the company that escalates it to Not Even Once levels of security? If it's the former where the people can be controlled to some degree, depending on their trustworthiness, you can just provide some policy ranging anywhere from communicating "hey these logins have to be used here only so just use this widget and never log in from anywhere else" all the way to "if you're ever caught trying to obtain or otherwise misuse this login you'll be fired/expelled/beheaded please sign here to acknowledge" (though if it needs to be that extreme you might as well treat it as the latter). If it's in the Not Even Once category you might want to take the login stuff out of javascript completely and come up with a way that will prevent them from ever having access to the password, ie. someone can pick apart javascript or hidden form elements and so on but won't get anywhere. There's a wide number of ways to do that, some of the better ones depend on whether you can work directly with whoever runs that site. E:F,B Bhaal fucked around with this message at 23:48 on Apr 3, 2013 |
# ¿ Apr 3, 2013 23:44 |
|
That works for getting the gist of race conditions and stuff for the truly uninitiated, but to me the largest hurdle for people (esp. in a js context) isn't understanding that concept but rather having the sensitivity to notice when something is async or not. To me that is what trips people up far more than getting how a callback or promise works. They can follow a contrived example and get it, but in practice they are just misidentifying many non-blocking call as blocking. Typically that boils down to just learning to be vigilant to the specifics of what a function call is going to do, and breaking it down to either i/o or in-memory-only (a coarse but generally applicable guideline for determining if something is blocking or not). As for suggestions, if they get the fundamentals, maybe scour up some code snippets with some that correctly catch async behavior and some that do not (stackexchange should be rife with both) , and have them quiz themselves on being able to tell whether snippet B is correctly written or not, if not where is the race condition, how to fix, etc...
|
# ¿ Jul 29, 2015 20:02 |
|
Most recently I've seen it with file i/o and gulp, specifically. Like doing some stream/pipe/dest chain and then assuming the output file will be there and ready for usage downstream in the main execution line of the gulp task or wherever. On a local build you may not notice the problem because you aren't minifying and taking extra steps that a production build would, so the files ends up being ready in time just by chance, and/or a version of it already existed on your local so you don't get errors. Maybe what I mean is more that if you're a developer who isn't seasoned to think about async consequences all the time, and you're dealing with an async call that manipulates state in one area*, then it makes for an easy trap to forget/overlook that when trying to access the same piece of state in another area. * Or worse, have those calls wrapped such that no callback or .then is required to use the wrapper, probably due to another unseasonsed developer who thought they were being tidy and helpful by "containing" the async call
|
# ¿ Jul 29, 2015 21:32 |
|
Knifegrab posted:OK I will try to make up some assumptions about promises and the code I want to write, I will admit I am probably wrong. quote:- Promises only work when used with async functions already. The intention of a promise is to take your function, run it, and box up two things about it: (1) when it finishes and (2) what it returns. Then the promise object is attached to that metaphorical box and returned to the caller. The caller will then call things like .then which will attach further events of what to do with the your function's return value (and that's where the async part gets put in). When your function is ready (ie. that "box" has the when & what components of your function satisfied) the function in .then will be triggered to run. The fact that your a+b function will be ready immediately (because it already ran) is insignificant to the promise object. It still goes through all the motions and it just so happens that as soon as .then is ready it gets executed right away. Now, when a function you call returns the actual value you're looking for, a promise can wrap it directly like with a+b above. However when your function requires a callback of its own, in order to behave the same way, the promise object needs to attach its own callback (a deferred object, which has its own internal promise which is what gets returned in the main thread of execution). From the promise object's perspective, it is saying "Look, your function doesn't directly return the value you're looking for and it does not signify that it is completed. Instead it is the _callback_ that gets passed to your function that we're interested in, so let's give it my own callback and I'll now use that as my trigger for when you function is both finished and has a return value that we're interested in". This of course ends up being the most typical use case because wrapping a+b is generally pretty silly (but it can be done, and might be a helpful exercise in demystifying what promises are actually doing). quote:- However I also am under the impression that promises are a good way to keep a system from being bogged down by blocking requests (such as a slow SQL request). quote:I literally want to take a single file of code, connect to my database (a util file I already have) and just do one request to a table in postgres like this: "select * from config.chapters". But I want to do it in promises without using any extra extensions. code:
(EDIT: left some var declarations out, coffeescript is great but leads to bad habits) Bhaal fucked around with this message at 20:00 on Aug 10, 2015 |
# ¿ Aug 10, 2015 19:49 |
|
Honestly they take a 70/30 mixture of practice and reading to really have it all sort of click. Most of my "ah-ha" moments came from discovering & tracking down race conditions that snuck up on me after I thought I had done everything correctly. But to get there you have to build something big enough with all the little app-specific complexities and so on that your code ends up being more than just a handful example snippets cribbed from the internet. But that way you at least will have some substantial code to tinker and troubleshoot with.
|
# ¿ Aug 10, 2015 22:29 |
|
|
# ¿ May 4, 2024 01:05 |
|
Knifegrab posted:No I get that, but what I don't undertand is how writing: quote:The term "variable interpolation" is one of those smart words that I am too dumb to understand. Is it similar to parameterizing a sql query to prevent injection? Bhaal fucked around with this message at 01:45 on Aug 18, 2015 |
# ¿ Aug 18, 2015 01:28 |