WTF Bites



  • @Bulb So we're putting a Button (which will become an HTML button, I am familiar with the behaviours of React and JSX but it's fun to dunk on it anyway) on the client side, that will be wired 'somehow' between the user's browser and the server, and run the SQL command given.

    While I get the argument you're making, I'm not sure it's quite the win that it might appear.

    PHP rightly got dunked for mixing stuff destined for the client with stuff for the server in one place. This is the same thing, and in the desktop paradigm that almost makes some sense because the lines between these things are much, much shorter.

    It's got some very nice syntactic sugar, I guess, but it also implies a whole lot of voodoo that probably could do with the implementer understanding what it really involves: that button press triggers an AJAX request of some kind, which is not free, nor guaranteed.

    The question then becomes: this is your minimal case of reproduction but in a real production environment you also need a lot more crap around it to handle failure states that you logically have to fail. Which you're going to end up jamming here as well, which means this 'lookit what we can do now' is going to become a cesspit of mixed behaviours, just like PHP did for the same reason PHP did and why PHP learned separation of concerns the hard way.



  • @Arantor said in WTF Bites:

    but it also implies a whole lot of voodoo that probably could do with the implementer understanding what it really involves: that button press triggers an AJAX request of some kind, which is not free, nor guaranteed.

    I see that kind of shit happen all the time in Angular with strict separation between component template and code and proper API written in something else on the server—programmers simply forgetting that the roundtrip to the server takes time and is not reliable.

    Hell, the application we happened to be releasing today has a list which opens details in the main pane next to it … and when you click another element, it commonly takes 3–5 seconds for the details view to notice and update itself.

    Note that most of the code, except the bit with use server, will be running in the client, so combining the DOM generation with the callbacks is equally appropriate to doing it in a desktop GUI library. It's the use server “shortcut” to emitting server-side code from the same source that is a bit … well, it's good for prototyping … except we both know what usually happens to prototypes.



  • @Bulb Yup, they've reinvented RPC, in a way that makes it terrifyingly easy to forget it's an RPC and it will be used in prototypes and rot there forever in production until it goes bang.


  • Banned

    @Bulb this looks like Next.js. If that's the case, then Bookmark is the entire page and slug is the trailing part of the URL copied verbatim. SQL Injection is trivial here.



  • @Gustav something something React, something something DON'T YOU SEE THAT 'sql template' THAT MAKES IT ALL SAFE


  • Trolleybus Mechanic

    I tried to debug some stored procedures with Pgadmin 4. JFC, what an abomination.
    And I think I know how this abomination happened. It looks like EnterpriseDB outsourced its development to India. Practically all contributors are from Pune, India, raj'd by one Anglo, like in the old days. The result is entirely predictable:

    This is what happens when you add a server, quit the app and launch it again:
    pgadmin.gif
    The only way to proceed is to remove the server and add it again, pasting address, credentials etc.

    And this - I don't even remember what I did. Probably closed a tab.
    screen-2023-10-28_03-28-33.png

    The debugging interface doesn't let you simply paste a query to call a function, you need to put all arguments (16 of them in this case) in a webform inside a modal. And once you do it, the debugger crashes randomly and needs to be reopened. And forget about debugging nested function calls, because it doesn't let you set breakpoints in more than one function for some reason.
    Ah, and when you open a function, the title of the tab includes its FULL signature. If you open a particularly long one, you can't switch tabs without closing.



  • @Zerosquare said in WTF Bites:

    its favorite pastime is reinventing the ~~wheel~~ footgun again and again

    🔧


  • Discourse touched me in a no-no place

    @Arantor said in WTF Bites:

    @Gustav something something React, something something DON'T YOU SEE THAT 'sql template' THAT MAKES IT ALL SAFE

    It might be safe, or it might be very unsafe. It is a little hard to tell whether it is doing a prepared statement with neat binding, or string substitution. I've seen similar things in other languages that were entirely fine, but it is a very devil-in-the-details situation.

    The other slides from the same presentation with the shell and inline C code were more interesting. The shell code really was horribly unsafe (by simple virtue of being shell code) and the C was doing a vastly unsafe operation (and would presumably need the page to be protected carefully, unless letting arbitrary users reboot your webserver is a good plan for you). I know exactly how to do such things in some other languages, and they're potentially very useful (their current C binding appears to have rough edges), but coupling that stuff with client-side JS still seems worrying.

    I don't plan to help them. The ideas that they're discovering have been published for decades...
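    The distinction dkf draws above (prepared statement with binding versus string substitution) can be made concrete with two tagged-template functions that are called with exactly the same sql`...` syntax. This is an added example, not code from the slide, React or Next.js; the names sqlBind, sqlConcat, deleteBookmark and tagBindsParameters are assumptions, and the slug values are constructed.

    ```javascript
    // Binding tag: each ${...} becomes a $n placeholder and the value is kept
    // separate, which is the shape a driver's prepared-statement API expects.
    function sqlBind(strings, ...values) {
      let text = strings[0];
      for (let i = 0; i < values.length; i++) {
        text += `$${i + 1}` + strings[i + 1];
      }
      return { text, values };
    }

    // Substituting tag (constructed to mimic a quote-and-paste helper that does
    // no escaping): the value is pasted into the SQL text, so a quote inside the
    // value terminates the literal the tag wrapped around it.
    function sqlConcat(strings, ...values) {
      let text = strings[0];
      for (let i = 0; i < values.length; i++) {
        text += `'${String(values[i])}'` + strings[i + 1];
      }
      return { text, values: [] };
    }

    // The kind of query from the discussion, written once for either tag.
    function deleteBookmark(sqlTag, slug) {
      return sqlTag`DELETE FROM bookmarks WHERE slug = ${slug}`;
    }

    // Review check: hand the tag a marker value containing a quote and see whether
    // the marker surfaces in the SQL text. A binding tag never lets the value reach
    // the text; a substituting tag always does.
    function tagBindsParameters(sqlTag) {
      const marker = "probe'value"; // constructed marker
      const q = sqlTag`SELECT 1 WHERE slug = ${marker}`;
      return !q.text.includes(marker);
    }

    // Stand-alone demonstration with a constructed slug containing an apostrophe.
    const slug = "o'brien";
    console.log(deleteBookmark(sqlBind, slug));   // text ends "slug = $1", values: ["o'brien"]
    console.log(deleteBookmark(sqlConcat, slug)); // text ends "slug = 'o'brien'", values: []
    console.log(tagBindsParameters(sqlBind), tagBindsParameters(sqlConcat)); // true false
    ```

    The check in tagBindsParameters is the practical way to settle the "which one is it" question for a real library: if any interpolated value can be found verbatim in the emitted query text, the tag is substituting, whatever its documentation says.
    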


  • Discourse touched me in a no-no place

    @sebastian-galczynski said in WTF Bites:

    And this - I don't even remember what I did. Probably closed a tab.
    screen-2023-10-28_03-28-33.png

    At least we can immediately tell what language they used. 🐍



  • @dkf That's the thing, those defending this are shouting loudly BUT IT'S SAFE, in the same way that the guys from Clerks had a sign on the front of the store saying WE ASSURE YOU WE'RE OPEN. Very reassuring.

    It might be safe in their React boilerplate, it might not. React syntax always feels damned twitchy to me to the point I'd absolutely not trust myself to get it right.

    It feels a lot like the Mustache people and their 'just use {{ variable }} and it's safe' except when you need to use {{{ variable }}} for unescaping that one time and you don't spot it etc...


  • Considered Harmful

    @Arantor said in WTF Bites:

    @Bulb So we're putting a Button (which will become an HTML button, I am familiar with the behaviours of React and JSX but it's fun to dunk on it anyway) on the client side, that will be wired 'somehow' between the user's browser and the server, and run the SQL command given.

    The way I understood this is that they thought it was a good idea to run this whole thing server-side. For whatever reason, maybe because MVC is so 10s and mixing presentation and backend is the new shit. The voodoo is what happens in the sql tag (sic) which can apparently magick the query into something that's parametrized and not what it looks like, i.e. a gaping orifice waiting for people to shove their SQL into.

    Ed :hanzo: ofc



  • @LaoC the SQL part will be server side, the button on the client side and RPC ✨ magic ✨ happens.

    There is, loosely, an argument to be made about encapsulation such that the component knows how to present itself and behave without bothering anything else but I’m not sure that holds up for anything remotely non-trivial.



  • @dkf said in WTF Bites:

    and would presumably need the page to be protected carefully, unless letting arbitrary users reboot your webserver is a good plan for you

    Hm, I missed that aspect, but it's probably the best argument against this magic RPC—it does not provide a good way to specify the authorization checks.
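    One way to keep the authorization check from getting lost behind the RPC boundary Bulb describes is to make it part of the server-side function itself rather than something the caller is trusted to have done. This is an added example, not Next.js, React or the presentation's code; the session shape, the role name, and the names guarded, removeBookmark and bookmarks are assumptions, and the store contents are constructed.

    ```javascript
    // Wrap a server-side operation so that (1) the caller's session is checked for
    // a required role before anything runs and (2) failures come back as a result
    // the client can act on, without leaking server internals.
    function guarded(requiredRole, action) {
      return function (session, ...args) {
        const roles = session && session.user && Array.isArray(session.user.roles)
          ? session.user.roles
          : [];
        if (!roles.includes(requiredRole)) {
          return { ok: false, error: 'forbidden' };
        }
        try {
          return { ok: true, value: action(...args) };
        } catch (err) {
          // The server keeps the detail; the client only learns that it failed.
          return { ok: false, error: 'failed' };
        }
      };
    }

    // Constructed stand-in for the bookmarks table.
    const bookmarks = new Set(['intro', 'setup']);

    // The server-side operation, with the check attached at the definition, so it
    // holds no matter which button or client ends up calling it over the wire.
    const removeBookmark = guarded('editor', (slug) => {
      if (!bookmarks.has(slug)) throw new Error('no such bookmark');
      bookmarks.delete(slug);
      return slug;
    });

    // Stand-alone demonstration with constructed sessions.
    console.log(removeBookmark({ user: { roles: ['viewer'] } }, 'intro')); // { ok: false, error: 'forbidden' }
    console.log(removeBookmark({ user: { roles: ['editor'] } }, 'intro')); // { ok: true, value: 'intro' }
    console.log(removeBookmark({ user: { roles: ['editor'] } }, 'intro')); // { ok: false, error: 'failed' }
    ```

    The point of the wrapper is that the check lives next to the SQL, so reading the function is enough to see who may trigger it; a missing session or an unknown role falls through to the forbidden result rather than to the happy path.
    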


  • Java Dev

    @Arantor said in WTF Bites:

    @Zerosquare Sure, but it's like, could you just, for once, have a new problem that isn't some other language's brainfart, reheated?

    They say to study history or find yourself repeating it.



  • @dkf said in WTF Bites:

    unless letting arbitrary users reboot your webserver is a good plan for you

    What about letting arbitrary users reboot your @Tsaukpaetra?

    Filed under: Asking for a ~~friend~~ an arbitrary user


  • BINNED

    @HardwareGeek said in WTF Bites:

    arbitrary users

    I thought just @Zerosquare has the root password? Not sure about the mods, though.
    :thonking:


  • Notification Spam Recipient

    @HardwareGeek said in WTF Bites:

    @dkf said in WTF Bites:

    unless letting arbitrary users reboot your webserver is a good plan for you

    What about letting arbitrary users reboot your @Tsaukpaetra?

    Filed under: Asking for a ~~friend~~ an arbitrary user

    What if your webserver's password was tsaukpaetra rebooted?



  • This morning a colleague was checking whether some query, generated by entity.framework against azure seequeal server, is efficient.

    • The query—and all queries emitted by that thing—was wrapped in EXEC [sp_executesql]. It does use variables for parameter binding, but :wtf: doesn't it just send the SQL command‽

    • That wrapping means that if you just copy-paste the query from the log and ask for query plan, all you'll get is “execute stored procedure”. Yeah, helpful.

    • Extracting the query and asking for query plan on that resulted in … recommendation to create an index that as far as we could tell not only already existed, but was actually used in said query plan.

    • The query was a count(*) over two low cardinality columns, with one value (given twice due to how the query is constructed) for the first, and a set of values (given negatively for :raisins:) for the other. In such case, I'd expect the optimizer to just sum the children counts in the nodes of the index, but the estimated cost looked rather high for that; either the optimizer can't do it (count is very special) or can't take it into account when estimating the cost.

    Anyway, quite disappointed by the azure seequeal server.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    Anyway, quite disappointed

    Has anything industry related not?


  • Discourse touched me in a no-no place

    @Bulb said in WTF Bites:

    The query—and all queries emitted by that thing—was wrapped in EXEC [sp_executesql]. It does use variables for parameter binding, but :wtf: doesn't it just send the SQL command‽

    I bet it's something to do with user identities or other thing like that. There's a whole load of extra ceremony around that sort of thing for stored programs that I typically ignore. (Especially as I don't knowingly use that family of DBs in the first place.)



  • @dkf Don't think so.

    Stored procedures can be used to allow a user to run only a specific query – you can set the procedure to run under a privileged account and grant the user access to only that procedure – but this is a system procedure that does not run as a different user, so in this case it makes no difference.

    The procedure exists so that if you assemble a query in the procedural extension to SQL (called T-SQL here), you can run it, but since this query is assembled in the client, there shouldn't be any difference to just sending that query directly.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    there shouldn't be any difference

    Doesn't it prevent the execution plan from being cached?



  • @Tsaukpaetra said in WTF Bites:

    @Bulb said in WTF Bites:

    there shouldn't be any difference

    Doesn't it prevent the execution plan from being cached?

    The function says it does cache execution plans. And prepared statements should be cached too …

    … unless this is how prepared statements are implemented, which would be a :wtf:, or the caching would have to be controlled explicitly by the client, which would still be a :wtf:, but would be a reason for the framework to leave it up to that function instead. But it's Microclot after all.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    @Tsaukpaetra said in WTF Bites:

    @Bulb said in WTF Bites:

    there shouldn't be any difference

    Doesn't it prevent the execution plan from being cached?

    The function says it does cache execution plans. And prepared statements should be cached too …

    … unless this is how prepared statements are implemented, which would be a :wtf:, or the caching would have to be controlled explicitly by the client, which would still be a :wtf:, but would be a reason for the framework to leave it up to that function instead. But it's Microclot after all.

    Sorry I misspoke. It does cache it within the transaction, but doesn't store it in the more-permanent cache. I.e. the statements that call it will be cached inasmuch as they call the function, but inside the function does not get cached until it is compiled during execution and does not remain cached afterward. This is a feature I guess to help get some benefit of OPTION RECOMPILE but not having to recompile in the case you're doing multiple runs with parameters in one batch. 🤔



  • @Tsaukpaetra The way I understood the documentation is that the procedure does cache it in normally-permanent cache, but with Microsoft docudementation one can never be sure one understood it the way it was (de)meant.


  • Notification Spam Recipient

    @Bulb said in WTF Bites:

    with Microsoft docudementation one can never be sure one understood it the way it was (de)meant.

    QFT



  • Apple tried to avoid regulation in the European Union by making a surprising claim – that it offers not one but three distinct web browsers, all coincidentally named Safari.

    Never mind that Apple itself advertises the sameness of its Safari browsers when pitching its Continuity feature: "Same Safari. Different device."

    Cupertino also claimed it maintains five app stores and five operating systems, and that these core platform services, apart from iOS, fell below the usage threshold European rules set for regulating large platform services and ensuring competition.

    Nice try, .


  • BINNED

    @Zerosquare said in WTF Bites:

    Apple tried to avoid regulation in the European Union by making a surprising claim – that it offers not one but three distinct web browsers, all coincidentally named Safari.

    Never mind that Apple itself advertises the sameness of its Safari browsers when pitching its Continuity feature: "Same Safari. Different device."

    Cupertino also claimed it maintains five app stores and five operating systems, and that these core platform services, apart from iOS, fell below the usage threshold European rules set for regulating large platform services and ensuring competition.

    Nice try, .

    That’s rookie numbers. Why not count every single device individually? Certainly, the browser on my phone isn’t the same as the browser on yours, right?!



    @Zerosquare well, on the 5 OS front, it has MacOS, iOS, watchOS and tvOS. And at one point in time, iPadOS was a distinct entity from iPhoneOS so it’s not that hard to get to 5 OSes (and I’m not sure how far iPadOS really is from iOS). But I wouldn’t suggest they’re that different; in many ways the differences are on the scale of, say, between certain major versions of Windows.

    The diminutive versions for the Watch and Apple TV are least like the big versions, and iOS and MacOS have been on a convergence path for a while now.

    If I had to really categorise it, I’d suggest that it’s like the Watch and TV platforms are somewhere in the WinRT camp, you can use UWP and that’ll also work on the bigger platforms but you have other choices on the bigger platforms, and they’re all sort of cross compatible if you squint.

    That could conceivably extend to Safari, but it really shouldn’t. At most I could see the argument for Safari on MacOS (where it sits in its corner) and Safari on iOS (where it’s everywhere unshackled), but I don’t really see why the iOS and iPadOS versions are that radically different?



  • @Arantor said in WTF Bites:

    I don’t really see why the iOS and iPadOS versions are that radically different?

    They aren't. That's just lawyers lawyering as usual.



  • @Zerosquare there are some differences, I think the multitasking handling is different and the tabs-side-by-side is a bit of a thing on iPad.

    But that's getting almost into the "Windows has different SKUs for Europe because they're not allowed to bundle certain things as core" territory.


  • BINNED

    @Arantor it’s macOS and iOS, the rest is the same shit.

    ETA: Steve Jobs himself lied that iOS is OS X.

    ETA2: back when OS X used the DirectX logo. 🍹


  • Notification Spam Recipient

    status: the reason I pay to get rid of ads on this game is because if it shows them to me, the browser window it creates to interrupt my play never gets killed, which results in this cacophony:

    https://youtu.be/IJsusH5KEYc

    Fucking programs....



  • @Arantor said in WTF Bites:

    So this image has been doing the rounds on Twitter.

    141fbc6c-c15d-4bb2-9dbc-74bd4650c52f-F9bZcX9WUAApKGm.jpg

    <snip>

    And shots have been fired.

    51823713-55d9-49af-bfcf-ab287bf98bc6-F-Lzo0OWkAAH0n5.jpg

    (This is real)


  • Discourse touched me in a no-no place

    @Arantor I look forward to when someone puts a JS interpreter inside there, just for :yodawg: reasons...


  • Notification Spam Recipient

    @dkf said in WTF Bites:

    @Arantor I look forward to when someone puts a JS interpreter inside there, just for :yodawg: reasons...

    Looks like there's integration:

    Which you can probably chain with this:



  • @Zerosquare said in WTF Bites:

    Apple tried to avoid regulation in the European Union by making a surprising claim – that it offers not one but three distinct web browsers, all coincidentally named Safari.

    Which shouldn't have mattered in the first place, because for applications each OS is a separate market, but EU still didn't understand that.



  • @Arantor said in WTF Bites:

    Safari on iOS (where it’s everywhere unshackled)

    In Soviet iOS, Safari shackles you!



  • @Arantor I love the FAQ
    30992a4d-3247-48ef-867d-06db34dc6d36-image.png


  • Considered Harmful

    Screenshot_20231111_013039_Firefox.png


  • Java Dev

    @LaoC I guess there could be situations where you need it as a callback. Should be a lambda though, if Rust supports those.


  • 🚽 Regular

    @PleegWat Maybe they reuse that particular kind of lambda a lot?

    But I like to think the Rust compiler is smarter than that and will inline such simple logic anyway.


  • BINNED

    @LaoC at least call the function not, as that doesn’t appear to be a keyword.


  • Discourse touched me in a no-no place

    @LaoC It isn't as ugly as the Javascript version...


  • Considered Harmful

    @PleegWat said in WTF Bites:

    @LaoC I guess there could be situations where you need it as a callback. Should be a lambda though, if Rust supports those.

    Yeah, it's something to do with functions automatically called by the serialization library that determine whether to serialize an element or not.


  • 🚽 Regular

    @dkf said in WTF Bites:

    @LaoC It isn't as ugly as the Javascript version...

    _


  • Java Dev

    @Zecc said in WTF Bites:

    @PleegWat Maybe they reuse that particular kind of lambda a lot?

    Too small for even that, given uncertainty about lying function names.



  • @Zecc said in WTF Bites:

    @dkf said in WTF Bites:

    @LaoC It isn't as ugly as the Javascript version...

    _

    Well played. (If you don't get it, view raw).



  • @PleegWat said in WTF Bites:

    @LaoC I guess there could be situations where you need it as a callback. Should be a lambda though, if Rust supports those.

    It does support lambdas, but lambda is an object with a call method, and while I'm sure there was a proposal that a lambda that does not actually capture anything should be convertible to a function reference, I'm not sure it was actually implemented.


  • Notification Spam Recipient

    @LaoC said in WTF Bites:

    Screenshot_20231111_013039_Firefox.png

    I wonder what java developers would do.

    :pennywise: Probably an apache util for that.
    DogsB quiet you.

