Hacker News is the DeviantART of developer side projects
-
Somebody announced some tutorials site on there recently, aimed at "new web developers". It got a fair bit of attention and lots of great feedback about the quality of the articles. Here's the thing: it's a deeply flawed site, little more than another face in the crowd of "babby's first website" tutorials sites full of terrible code and advice.
In How To Implement Pagination, for example, check out this bad boy:// SQL Query $sql = 'SELECT * FROM `articles` LIMIT ' . $startArticle . ', ' . $articlesPerPage;That's right, it's yet another PHP/MySQL tutorial that teaches new developers how to write code that's vulnerable to SQL injection attacks. In 2013, no less. Maybe this will be the new SQL injection vulnerability on the block that finally topples the dreadful "freewebmasterhelp.com" from the top spot on Google for "php mysql tutorial. Also less than impressive is the early frontrunner for Least Helpful Comment 2013 there, in the form of "// SQL Query". Almost all the example code on the entire site is littered with this kind of comment.
Here in PHP Tips & Tricks, there's this shining example of redundant naming:
<?php class TimeClass {I can well imagine working in a codebase created by this type of developer. I'd open codefile.php to edit TimeClass, changing the value of $tableVariable in runMethod() so that changes are saved to time_database_table2 instead of time_database_table1_old_do_not_use. Of course, I'd be sure to take the time to read through all the explanatory comments along the way and update any that are out of date as a result of my changes.
These are just a couple of examples, but the example code on the whole is generally quite scruffy. The problem with all of this is that even if the code examples succeed in demonstrating the functionality being discussed, the net effect is negative if they simultaneously teach the target audience three new bad habits. The English prose isn't much better either, and looks like it hasn't been proofread or edited for clarity at any stage. And yet HN fawns all over this with nary a critical remark in sight. I noticed that I felt discouraged from saying anything myself lest I be branded a "hater", and this was when I realised: HN is the DeviantART of developer side projects.
-
@GNU Pepper said:
that changes are saved to time_database_table2 instead of time_database_table1_old_do_not_use
wtf is wrong with you? Don't you know anything? If you want to stop using a table, don't append _do_not_use! You're just going to cause confusion by doing it the old way.
Everyone knows you rename the table to z_time_database_table
That way everyone knows you can delete the table (well, someone can at some point during maintenance), and the z makes it go to the bottom of the list!
What a old school noob you are.
-
You should really copy the entire code snippet:
// Calculate the starting number $startArticle = ($_GET['page'] - 1) * $articlesPerPage;
// SQL Query
$sql = 'SELECT * FROMarticlesLIMIT ' . $startArticle . ', ' . $articlesPerPage;
Tell me one way that you could inject any SQL string into an integer (the result of subtraction/multiplication).
In an earlier code snippet, the input is validated properly:
// Check that the page number is set. if(!isset($_GET['page'])){ $_GET['page'] = 0; }else{ // Convert the page number to an integer $_GET['page'] = (int)$_GET['page']; }There may be safer ways to use SQL, but raw SQL can still be coded securely, and this is definitely an example of that, assuming $articlesPerPage is not user input.
-
He's not using PDO.
The code is wrong.
End of story.
-
@GNU Pepper said:
HN is the DeviantART of developer side projects.
So there's quite a lot of really awesome code on it?
-
@blakeyrat said:
He's not using PDO.
How the heck am I supposed to know what PDO is? I'M NOT A MINDREADER! Stupid developers these days, can't even define their random acronyms so that other people can actually READ what they wrote.
-
@Sutherlands said:
@blakeyrat said:
He's not using PDO.
How the heck am I supposed to know what PDO is? I'M NOT A MINDREADER! Stupid developers these days, can't even define their random acronyms so that other people can actually READ what they wrote.Er, dude, it's blakeyrat. You understanding (or even reading) what he posted isn't the point. And may actually conflict with the point.
-
@taustin said:
@Sutherlands said:
@blakeyrat said:
He's not using PDO.
How the heck am I supposed to know what PDO is? I'M NOT A MINDREADER! Stupid developers these days, can't even define their random acronyms so that other people can actually READ what they wrote.Er, dude, it's blakeyrat. You understanding (or even reading) what he posted isn't the point. And may actually conflict with the point.
Sutherlands was making the point that blakey was using things and assuming that people knew what they were (something he yells at people for all the time). It was calling him on the hypocrasy (which of course doesn't matter as that is something blakey totally cops to using various quotes).
-
@locallunatic said:
Sutherlands was making the point that blakey was using things and assuming that people knew what they were (something he yells at people for all the time). It was calling him on the hypocrasy (which of course doesn't matter as that is something blakey totally cops to using various quotes).
Let's not even mention that he didn't specify if you should use the positive phase or just go all out and utilize teleconnections!
-
@GNU Pepper said:
Also less than impressive is the early frontrunner for Least Helpful Comment 2013 there, in the form of "// SQL Query". Almost all the example code on the entire site is littered with this kind of comment.
In production code these comments are obviously unnecessary, but this is a tutorial for beginners so I don't see anything wrong.
Hackernews is still a terrible "news" site though.
-
@locallunatic said:
Sutherlands was making the point that blakey was using things and assuming that people knew what they were
And my point is that I don't think he is assuming that, or cares. Nor does he care if it's hypocritical that he's doing what he bitches about. His entire point is to bitch. Not to be heard bitching, or to have his bitching understood, or to garner any sympathy for the heinous misfortunes that he bitches about. Just the act of bitching.
Maybe he likes the sounds of his keyboard keys clicking as he types. Or maybe he gets paid by the word.
-
@Zylon said:
@GNU Pepper said:
HN is the DeviantART of developer side projects.
So there's quite a lot of really awesome code on it?
No, it means it's filled with 95% of the code equivalent of anime, furries and creepy fan art.
-
The fun part about thie page in question: There's an article on there which explains that using "mysql_" functions instead of "MySQLi" functions is a foolish move to make.
-
@Rhywden said:
The fun part about thie page in question: There's an article on there which explains that using "mysql_" functions instead of "MySQLi" functions is a foolish move to make.
Which is absolutely true. If you are going to pick one of those, you should pick the latter.
-
@Evo said:
In an earlier code snippet, the input is validated properly:
// Check that the page number is set. if(!isset($_GET['page'])){ $_GET['page'] = 0; }else{ // Convert the page number to an integer $_GET['page'] = (int)$_GET['page']; }Why do people use the $_GET[]] hash as a read-write variable? I bet it was named $_GET[]] just to make it very difficult to type, so that the user would not type it four times in a row and instead use a convenient temporary variable.
-
@blakeyrat said:
He's not using PDO.
The code is wrong.
End of story.
Nope, Evo had it right. For the specific query being run, the only two variables being used in the SQL statement are validated well enough. But only this specific query, and I would hazard a guess at the rest of their code...
I do agree that PDO is better and should be used, but technically you can run pre-built string queries in PDO anyway, and without seeing the actual execution of this SQL statement, we can't know whether or not PDO is being used (playing devils advocate here, I would think it unlikely it's being used given the messy way the GET data is "validated", would be better to cast the value as an int in a clean variable and then use that from there on)
I think the sad thing is it can take an idiot the same time to bang out several crappy "tutorials" of this calibre that it takes a better person to write one good tutorial. That's why the Internet is full of cruft, idiots outnumber the rest of us.
-
@ASheridan2 said:
I think the sad thing is it can take an idiot the same time to bang out several crappy "tutorials" of this calibre that it takes a better person to write one good tutorial. That's why the Internet is full of cruft, idiots outnumber the rest of us.
Absolutely. People ought to read more programming books. When I mention this fact to the sort of person who might write a crappy tutorial like that, they look at me like I'm some sort of dinosaur.
-
@toon said:
@ASheridan2 said:
I think the sad thing is it can take an idiot the same time to bang out several crappy "tutorials" of this calibre that it takes a better person to write one good tutorial. That's why the Internet is full of cruft, idiots outnumber the rest of us.
Absolutely. People ought to read more programming books. When I mention this fact to the sort of person who might write a crappy tutorial like that, they look at me like I'm some sort of dinosaur.
Inb4: not so much "fact" as "opinion", of course.
-
@toon said:
@Rhywden said:
The fun part about thie page in question: There's an article on there which explains that using "mysql_" functions instead of "MySQLi" functions is a foolish move to make.
Which is absolutely true. If you are going to pick one of those, you should pick the latter.That's not the fun part. The fun part is when you compare the advice of the article I looked at and the article the OP is talking about.
-
Someone needs to write a WebForms-style designer for PHP. That'd be the code that ends the Internet.
-
@Soviut said:
@Zylon said:
@GNU Pepper said:
HN is the DeviantART of developer side projects.
So there's quite a lot of really awesome code on it?
No, it means it's filled with 95% of the code equivalent of anime, furries and creepy fan art.
Please tell how I can write anime, furries and creepy fan art in code. I'd be interested in a tutorial.
-
@PSWorx said:
Please tell how I can write anime, furries and creepy fan art in code. I'd be interested in a tutorial.
I don't know about a tutorial, but code art is a real thing:
-
@toon said:
they look at me like I'm some sort of dinosaur.
So they look at you like you are completely awesome?
-
@ASheridan2 said:
I do agree that PDO is better and should be used,
Then why the hell did you post that reply, dumbfuck.
You're saying when teaching someone new to programming what to do, you shouldn't give them the ideal solution, you should give them the extremely delicate solution that can easily expose security holes (even though in this specific case maybe it doesn't)? What the fuck is wrong with people on this forum?
@ASheridan2 said:
I think the sad thing is it can take an idiot the same time to bang out several crappy "tutorials" of this calibre that it takes a better person to write one good tutorial. That's why the Internet is full of cruft, idiots outnumber the rest of us.
He also didn't bother to enable comments, so there's no way to correct the tutorials on the same page as the mistakes.
-
@locallunatic said:
@toon said:
they look at me like I'm some sort of dinosaur.
So they look at you like you are completely awesome?
He left out a couple words:
They look at me like I'm some sort of dinosaur from the direct-to-video classic The Land Before Time V: The Mysterious Island.
-
@blakeyrat said:
Then why the hell did you post that reply, dumbfuck.
Because PDO is not the only secure solution. I'll leave this as an educational exercise for you to discover alternatives, but they exist and are in use on popular systems online (which should give you a big bloody clue)You're saying when teaching someone new to programming what to do, you shouldn't give them the ideal solution
-
@ASheridan2 said:
Because PDO is not the only secure solution. I'll leave this as an educational exercise for you to discover alternatives, but they exist and are in use on popular systems online (which should give you a big bloody clue)
You know if you had put that little nugget of information in your post instead of expecting the magical telepathic aliens to whisper it into my brain, I might not have insulted you. Dumbfuck.
Praytell, what is one of these alternatives?
Oh wait you're talking about ORM libraries? Ugh.
-
@blakeyrat said:
You know if you had put that little nugget of information in your post instead of expecting the magical telepathic aliens to whisper it into my brain, I might not have insulted you. Dumbfuck.
Wrong, you'd have just used a different insult. Besides, saying I should have put more information into a post is a bit rich coming from you.@blakeyrat said:
Praytell, what is one of these alternatives?
Well you failed the point of the education exercise. Well done. You've just provided further evidence that you have no inclincation to learn anything new. Good job.
-
@ASheridan2 said:
Well you failed the point of the education exercise. Well done. You've just provided further evidence that you have no inclincation to learn anything new. Good job.
Just say you were bluffing and I called it. It's ok. You can lose sometimes.
-
@blakeyrat said:
Just say you were bluffing and I called it. It's ok. You can lose sometimes.
Sure, I can lose sometimes, but unfortunately for you, today is not that day. I'm willing to take a bet that about 99% of everyone here either knows of an alternative to PDO, or has the smarts enough to Google for it if they want the answer. But like I said, this was your educational exercise.
-
Your educational exercise was "go google for better answers"? Guess it's a good thing you're not an educator.
-
@Sutherlands said:
Your educational exercise was "go google for better answers"? Guess it's a good thing you're not an educator.
Actually, it's called self-directed learning, and is a method whereby you are encouraged to actually look for answers yourself rather than be given them.
-
@Sutherlands said:
Your educational exercise was "go google for better answers"? Guess it's a good thing you're not an educator.
Possibly, but experience tells us that he could have spelled out the better answers right in his post without blakeyrat learning anything or even admitting they were there.
-
@ASheridan2 said:
@Sutherlands said:
Your educational exercise was "go google for better answers"? Guess it's a good thing you're not an educator.
Actually, it's called self-directed learning, and is a method whereby you are encouraged to actually look for answers yourself rather than be given them.Generally it is implemented with some direction however. So you could have provided blakey with a name to google that would have gotten him started. There is a difference between self-direction and what you were doing which was more of a sink-or-swim method.
-
@Evo said:
In an earlier code snippet, the input is validated properly:
I know. That's not how security works though. You don't just downgrade some code to a less secure alternative on the basis that "it's okay just this once". Literally the only benefit from doing it this way is that it's slightly less thinking and typing for the developer writing the code. What happens with this approach to protection against SQL injection is that once safe code occasionally and randomly turns into a vulnerability because people don't have the time to audit all of each other's code every time they reuse it. So one day one of those variables becomes a parameter of the function it's in rather than being declared safely inside it. Later still somebody adds a new call to the function and assumes that its original author was a competent professional, so they don't hesitate to pass a value from the user to it as a parameter. Suddenly there's an SQL injection vulnerability, and it's the original developer's fault.
The fact that so many of us don't know how to think in this paranoid way is a big part of the reason why SQL injection vulnerabilities have made web developers a laughing stock in security circles. And this tutorials site teaches that exact complacent attitude: one moment it tells people to used prepared statements, and the next it says "Ah, but let's not bother in this case. What could possibly go wrong?". If they're gonna write tutorials aimed at new developers, they ought to take it seriously and try to teach properly.
Sorry if this sounds like a rant at you. Bit sick of these fucking sites lately.
-
@GNU Pepper said:
If they're gonna write tutorials aimed at new developers, they ought to take it seriously and try to teach properly.
That.
The tutorial looks unfinished to me. I would have left the existing methods, included other methods then offered a comparison between each technique to illustrate the benefits/cons of each - in particular drawing attention to how some could be susceptible to exploits, others promote maintainability and reusability, some creating library dependencies or an additional (initial) administration overhead in setting up interfaces correctly.
I realise there's a difference between coding and designing, but teaching someone the simple how-to without delving into why-to and why-not is partly why there's so much WTFey code around: coders are not designers and without being given decent architecture to work from, they'll build something completely flawed in design. But they'll build it excellently, mind you.
-
@MiffTheFox said:
Someone needs to write a WebForms-style designer for PHP. That'd be the code that ends the Internet.
Now that's a truly frightening image. The horror and lazyness of ASP.NET WebForms, with their bastardization of how the web works, and the ugliness/weirdness of PHP that encourages sloppy code.
-
@ObiWayneKenobi said:
with their bastardization of how the web works
I hate webforms as much as the next developer, but I'm curious of what you mean by this. Are you talking about viewstate?
-
@Soviut said:
@Zylon said:
Hi, welcome to Sturgeon's Law. I don't believe you two have met.@GNU Pepper said:
No, it means it's filled with 95% of the code equivalent of anime, furries and creepy fan art.HN is the DeviantART of developer side projects.
So there's quite a lot of really awesome code on it?
-
@C-Octothorpe said:
@ObiWayneKenobi said:
with their bastardization of how the web works
I hate webforms as much as the next developer, but I'm curious of what you mean by this. Are you talking about viewstate?90% chance he's talking about postbacks.
-
@MiffTheFox said:
@C-Octothorpe said:
@ObiWayneKenobi said:
with their bastardization of how the web works
I hate webforms as much as the next developer, but I'm curious of what you mean by this. Are you talking about viewstate?90% chance he's talking about postbacks.
Both. The whole way WebForms works is meant to ignore the way the web works and pretend it's a desktop app that runs in the browser. Viewstate, postbacks, the whole shebang. It encourages event-driven programming like VB6 where you wire everything up behind a button click.
-
@ObiWayneKenobi said:
@MiffTheFox said:
@C-Octothorpe said:
@ObiWayneKenobi said:
with their bastardization of how the web works
I hate webforms as much as the next developer, but I'm curious of what you mean by this. Are you talking about viewstate?90% chance he's talking about postbacks.
Both. The whole way WebForms works is meant to ignore the way the web works and pretend it's a desktop app that runs in the browser. Viewstate, postbacks, the whole shebang. It encourages event-driven programming like VB6 where you wire everything up behind a button click.
The irony is that newer technologies like Node.js or Vert.x actually work like this and manage to make it look halfway sane.
