
Journal: Affirmative Rationality
I have also been playing with a fun site called AboutUS.org (Sample Page). This is a wiki-style directory with entries on all of the domains on the internet.
I just moved my blogger blog from yintercpt.blogspot.com to the domain yintercept.com.
The blog was removed from Google with the last index update.
That happened because I did something rather foolish. Earlier this year, blogger added a feature that allowed people to add keywords to their posts. You can see all of the posts with a particular keyword by going to the URI
I used the keywords as if they were categories and changed all of the inbound links to the site to go to the keyword pages.
Recently Blogger decided to exclude the
This same story is probably happening to all blogspot bloggers who used the keyword feature.
Of course, the real lesson of this story is that it is a waste of time to write a blog that is under the control of a third party, even if the third party is one that does no wrong.
So, I figured that since the blogspot url was excluded from Google, I would start the process of completely removing the blog from blogger.
It is actually a bit ironic that a site owned by Google does not have an XML sitemap and does not do the best practices touted by Google.
My web host upgraded some of the programs on my account. During this change, they toggled the Magic Quotes setting on the account. That meant that I started getting the dreaded "slash effect" for all the quotes and apostrophes used on the page.
Of course, had things toggled the other way, I would have been in much worse shape. If I had programmed with the expectation that magic quotes were on, and the magic disappeared, I would be having crashing SQL queries and would be suffering from an exposed system.
To be a good PHP programmer, one has to design the system so that it can handle both settings. Since PHP is a scripted language, this type of garbage wastes a lot of computer resources. This is why I am so angry with PHP's decision to add magic quotes.
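One way to write a script that behaves the same under both settings, as an added example that is not the author's code: undo the slashes magic quotes added at the request layer, then let the database driver do the escaping once at the point of use. The PDO connection, the posts table and the field name are assumptions made for the illustration; the function_exists() guard is there because get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0.

```php
<?php
// Added example (not the author's code): make a script behave the same
// whether magic_quotes_gpc is on or off. The PDO connection and the
// "posts(title)" table exist only for this illustration.

// Recursively undo the slashes that magic quotes added to request data.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// get_magic_quotes_gpc() is gone in PHP 8, so guard the call: on a new host
// this is a no-op, on an old host with the setting on it strips the slashes.
function normalize_request()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET     = strip_magic_quotes($_GET);
        $_POST    = strip_magic_quotes($_POST);
        $_COOKIE  = strip_magic_quotes($_COOKIE);
        $_REQUEST = strip_magic_quotes($_REQUEST);
    }
}

normalize_request();

// From here on the data is the raw user input regardless of the setting.
$title = isset($_POST['title']) ? $_POST['title'] : '';

// Escaping for the database is done by the driver, once, at the point of
// use. The value is bound, never pasted into the SQL string.
$db = new PDO('sqlite::memory:');            // illustration only
$db->exec('CREATE TABLE posts (title TEXT)');
$stmt = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
$stmt->execute(array(':title' => $title));

// Escaping for HTML is HTML-specific and again happens at the point of use.
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
```

With this layout the request layer never knows or cares which way the host toggled the setting, and the script stops paying for a second round of stripslashes() or addslashes() on every page.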
The register globals issue has similar problems. The reason register globals was a security issue is that PHP programmers are often sloppy when initializing variables. A web site that has register globals off is slightly more secure than one with it on.
Problems arise when sloppy coders write with the assumption that register globals is off. A foolish programmer who writes as if RG Off were a security feature is more likely to deliver buggy code than one who knows that uninitialized variables are the security hole. A program that depends on RG Off for security will become insecure the moment that a network admin turns RG On.
The following code might appear in a program written with the expectation that RG is off:
// $access is never initialized before it is tested below; that omission is
// the hole the text describes, so it is left in place here.
if ($_POST['button'] == 'Login') {
    if ($_POST['password'] == 'theITguyRules!') {
        $access = 1;
    } else {
        $access = 0;
    }
}
// With register globals on, a request carrying access=1 sets $access before
// this line runs; with it off, $access is simply unset here.
if ($access == 1) {
    echo 'The company bank account is '.$account;
    echo 'There is '.$balance.' dollars ready for transfer.';
}
Since register globals is off, the IT guy would not catch the fact that he failed to initialize $access. The code is secure with RG Off, but is insecure with RG On.
The security hole is not register globals, but the fact that the programmer failed to initialize variables. RG Off helps protect from bad programming.
The RG toggle is easier to deal with than Magic Quotes. If you code as if RG were off and initialized all variables, your code would work for both settings. It also makes checking for uninitialized variables easier.
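The same login check written so that it does not depend on the setting, as an added example rather than the author's code: every variable is assigned by the script before any branch reads it, request data is read only from $_POST, and E_NOTICE is switched on so a forgotten initialization shows up during development instead of staying silent. The check_login() name, the stored hash and the placeholder account values are assumptions.

```php
<?php
// Added example (not the author's code): the login check from the entry
// above, rewritten so its behaviour is identical with RG On and RG Off.

// Surface any use of an unset variable while developing: with E_NOTICE on,
// a forgotten initialization is reported instead of becoming a silent hole.
error_reporting(E_ALL);

// Stand-in for whatever the real credential store holds; the hash is
// constructed here for the example.
define('ADMIN_PASSWORD_HASH', password_hash('theITguyRules!', PASSWORD_DEFAULT));

function check_login(array $post)
{
    $access = 0;   // initialized before any request data is examined

    // Request data is read explicitly from the array that was passed in,
    // so no client-supplied name can appear as a local variable.
    $button   = isset($post['button'])   ? $post['button']   : '';
    $password = isset($post['password']) ? $post['password'] : '';

    if ($button === 'Login' && password_verify($password, ADMIN_PASSWORD_HASH)) {
        $access = 1;
    }
    return $access;
}

$access  = check_login($_POST);
$account = '';   // constructed placeholders; these would come from the database
$balance = 0;

if ($access === 1) {
    echo 'The company bank account is ' . htmlspecialchars($account, ENT_QUOTES, 'UTF-8');
    echo 'There is ' . (int) $balance . ' dollars ready for transfer.';
}
```

Because $access, $account and $balance are all assigned before the final test, flipping register_globals on changes nothing: a request carrying access=1 is overwritten by the script's own assignment before it can be read.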
Anyway, I am going to waste a whole day recoding a site so that it can handle the different settings of Magic Quotes. The end result of my day's work will be a site that is just a little bit slower than it was before.
XML has always made me feel sick to the stomach. It sits right there with the Windows Registry in garbage technology forced on the masses.
Anyway, I was looking around for XML validators. Unlike simple delimited files or even CSV, you have to use a program to figure out if the XML is coded right.
Anyway, I am looking at the official XML.com list of validators. Not surprisingly, the list is not informative. I broke out laughing. Each entry has an errant <name> tag appended to it. The bastards who stuff this second rate technology down our gullets can't even program their own site.
Seeing errors on the pages coded by the XML gurus is not all that surprising. XML has never been about getting a job done. It has been about academicians and industry gurus hyping the new hype.
The site is not as pretty. I enjoy XML Sucks. They seem to have a better understanding of what XML really is.
The HTML select tag numbers among the most awkward data structures ever conceived. The select tag lets you present a list of options on a form. You open the list with a <select> tag. You then send the data for the options in tags of the form <option value="id">display value</option>. Yes, the close tag is required in HTML 4, which does not recognize single tags. You cannot close the tag with a
I think the mistake of the HTML designers was that they thought of each item in an option list as an item for display, when in practice it is only the selected one.
On analyzing the bandwidth of Community Color, I found that the select tags make up about half the bandwidth consumed by the site. I would not be surprised if a full tenth of all HTML traffic coursing through the net was simply open and shut option tags. The option list containing the ISO database of countries is 10k.
Even worse than the bandwidth waste, I found that over half the database activity was consumed populating option tags. I often do complex joins to show just the right option list and to put the silly little SELECTED attribute next to the selected option.
I can't do anything about the bandwidth consumed by the tags. I think I might be able to reduce the load on the server needed to generate the tags by buffering them in include files. I hadn't done this in the past because I figured I would still have to look through the data a line at a time to determine the selected option. What I am trying right now is to buffer the data in a file, then to do a str_replace() to replace the code value="xxx" with value="xxx" selected. My new way for handling select lists is essentially:
// $name is the name of the select variable
// $val is the current value
// $file_nm is the buffered file holding the prebuilt <option> tags
// str_replace() looks for $chk and replaces it with $rep
$chk = 'value="'.$val.'"';
$rep = 'value="'.$val.'" selected';
echo '<select name="'.$name.'">';
echo str_replace($chk, $rep, file_get_contents($file_nm));
echo '</select>';
Reading the buffered file should be faster and take less memory than the database queries. The big question will be to see if it reduces the load on the database server.
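The buffered-file approach with the two details a practitioner would want in place, as an added example that is not the author's code: the option list is HTML-escaped once when the cache is written, and the current value is escaped the same way before it is searched for, so the text being matched and the text being emitted always share one encoding. The function names, the cache path and the sample country data are assumptions.

```php
<?php
// Added example (not the author's code): the str_replace() select trick,
// with consistent escaping on both the cached file and the search string.
// build_option_cache(), render_select() and the sample data are assumptions.

// Write the option list to a cache file once (from a cron job, or whenever
// the underlying table changes). $options maps id => display text.
function build_option_cache($file, array $options)
{
    $html = '';
    foreach ($options as $id => $label) {
        $html .= '<option value="' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . "</option>\n";
    }
    file_put_contents($file, $html);
}

// Emit the select, marking the current value with a single str_replace().
// $val is escaped exactly as the ids were when the cache was written, and
// the closing quote in $chk keeps value="1" from also matching value="10".
function render_select($name, $val, $file)
{
    $escaped = htmlspecialchars($val, ENT_QUOTES, 'UTF-8');
    $chk = 'value="' . $escaped . '"';
    $rep = 'value="' . $escaped . '" selected="selected"';
    return '<select name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">' . "\n"
         . str_replace($chk, $rep, file_get_contents($file))
         . '</select>';
}

// Constructed sample data standing in for the ISO country table.
$cache = sys_get_temp_dir() . '/countries.html';
build_option_cache($cache, array(
    'US' => 'United States',
    'GB' => 'United Kingdom',
    'CI' => "Côte d'Ivoire",   // labels with quotes are escaped when cached
));

echo render_select('country', 'GB', $cache);
```

The cache is read with one file_get_contents() and scanned with one str_replace(), so the per-request cost is a file read instead of a join; the database is only touched when the cache is rebuilt. If several options legitimately share a value, all of them will be marked selected, which is the one case where the trick has to fall back to a loop.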
It is strange. As I try to upgrade my programs to new standards (UTF-8, XML, HTML Strict), I feel that the signal to noise ratio is increasing exponentially. I so much preferred the days when people gave some thought to efficiency. Deep in my heart, I think efficiency is the height of elegance.
I admit, I am one of those programmers who became addicted to the register globals feature of PHP. This feature was defaulted on in PHP 4. I moved to a new host and PHP 5 where it is off, and all my programs are broken.
The register globals feature made it so all of the GET and POST elements would appear in a PHP program as variables. Hackers quickly learned that you can sometimes break into a site simply by hitting the site with random variables.
My way around this security threat was to put everything in functions. My hope was that the parameter list for the function would filter out any hacks. If you pressed a submit button on a form with inputs "one", "two" and "three"; the data would simply go straight into a function with parameters ($one,$two,$three). Any additional variables thrown by a hacker would be ignored.
Because I feel comfortable that the parameter list does a sufficient job of filtering out additional variables, I might consider running extract($_POST, EXTR_SKIP) to simply simulate Register Globals On. All of the pages I read say that this is a very bad idea.
I also thought about running the following code:
$varList = array('one'=>'int', 'two'=>'str', 'three'=>'int');
foreach ($_REQUEST as $key => $value) {
    if (!isset($varList[$key])) {
        continue;   // not in the list: never reaches the symbol table
    }
    if ($varList[$key] == 'int') {
        ${$key} = (int) $value;
    } elseif ($varList[$key] == 'str') {
        ${$key} = strValidation($value);   // the author's own string-checking helper (not shown)
    }
}
It seems that the above code would let me specify what elements I want in the program's symbol table. Of course, I am also thinking about just using the data directly from $_POST and $_GET. It is a hassle.
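The whitelist idea done as a function that returns the values instead of writing them into the symbol table, as an added example that is not the author's code. It covers the extract(EXTR_SKIP) question as well: EXTR_SKIP only refuses to overwrite variables that already exist, so every other name the client sends still lands in the symbol table, whereas iterating the whitelist rather than the request means an unknown key is never looked at. The function names and the cleaning rules in clean_string() are assumptions.

```php
<?php
// Added example (not the author's code): typed whitelist import of request
// data. Unknown keys are dropped, each value is cast to its declared type,
// and nothing the client sends can clobber a variable the script already
// set. import_request(), clean_string() and $varList are assumptions.

function clean_string($value)
{
    // Tags and control characters removed, length bounded. HTML escaping
    // still happens at output time, not here.
    $value = strip_tags((string) $value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr($value, 0, 255);
}

function import_request(array $varList, array $source)
{
    $out = array();
    // Iterate the whitelist, not the request: a key that is not declared is
    // never examined, so there is no undefined-index notice and no way in.
    foreach ($varList as $key => $type) {
        if (!array_key_exists($key, $source)) {
            continue;   // absent: the caller's default stays in force
        }
        switch ($type) {
            case 'int':
                $out[$key] = (int) $source[$key];
                break;
            case 'str':
                $out[$key] = clean_string($source[$key]);
                break;
            case 'bool':
                $out[$key] = filter_var($source[$key], FILTER_VALIDATE_BOOLEAN);
                break;
        }
    }
    return $out;
}

$varList = array('one' => 'int', 'two' => 'str', 'three' => 'int');

// Defaults first, then the filtered request on top. A name such as "access"
// that is not in $varList cannot arrive from the client at all.
$vars = array_merge(
    array('one' => 0, 'two' => '', 'three' => 0),
    import_request($varList, $_POST)
);

echo $vars['one'] + $vars['three'];
```

Keeping the result in an array rather than in ${$key} variables also makes the later audit easy: every client-derived value is reachable through $vars, and anything else in the function is by construction the script's own.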
Having register globals off is a hassle. I am not sure if I am gaining any additional security by going through all the brain damage needed to handle this change.
BTW, in reading different pages on this issue, I've found several people who seem to have the illusion that POST data is somehow more secure than GET data. All a hacker needs to do to play with POST data is save your form to a disk then put whatever they want in the input fields. People can change the data in cookies. Anything that comes from the web is a security.
I have to admit, one of my biggest enemies in life has been transcendentalism. Transcendentalism has been the rage since Kant.
Transcendental philosophies generally push the illusion that there is an elite group that has a higher way of thinking about things. For example, in math, we are given the illusion that transfinite theory is a higher way of thinking than classical discourse. Psychology produced a series of philosophies that were posited as a higher way of thinking.
In programming, Object Oriented Programming was positioned not simply as a technological improvement, but as a higher way of thinking. There are many technical advantages of using an OO design. Design decisions, however, are best made on the technical requirements and not on the sense that one technology is more elite than another.
For small clients, I generally push the idea of using PHP rather than Java Servlets. I would have preferred to work with Java, but the client was better served by PHP.
I think that when people get too caught up in the elitist allure that they are thinking at a higher level than the rest of us mortals, they sometimes end up making very profound mistakes in their design.
Deep inside, I've always wanted to be that person working on the extreme edge of technology and science. I think the truth in life is that the edge is an illusion and we serve the people around us best by looking at their needs and designing for their needs and to skip the view of programmers as people living on a higher plane.
Once you develop the view that there is one person, or a group of persons who think at a higher level; you immediately find yourself in a world where who a person is is more important than what they say. The best world is one that accepts input from a diversity of points of view.