SQL injection: I didn't know you could do that!



  • So one of my two bosses (we're a three person shop) just wide-eyedly pointed me to the PHP manual page for mysql_real_escape_string, a soon-to-be-deprecated function for making string values safe for MySQL queries. The guy seemed genuinely surprised, as if he'd just had a revelation, at the second SQL injection example the PHP folks provide on that page. Look, they just enter ' OR ''=' and then the query becomes SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''!

    TRWTF here, is that this person is not only my boss, but has been a professional PHP/MySQL developer for over six years, maybe seven. This man wrote a real large chunk of our code base. I've been thinking about leaving for a while now; maybe it's time I started drafting a resumé.



  • Jump ship before it sinks? It doesn't hurt to update your CV and start getting in touch with agencies (although the number of phone calls might get annoying... first world problems).



  • @toon said:

    but has been a professional PHP/MySQL developer for over six years, maybe seven.
     

    FTFY. Professionals generally won't make amateur mistakes repeatedly for that length of time. @toon said:

    I've been thinking about leaving for a while now; maybe it's time I started drafting a resumé.

    Offer to QA his code to see where other vulns may be lurking. He'll be receptive to the idea, and then you can add "PHP/MySQL Testing and Hardening" to your resumé.

     



  • @Cassidy said:

    @toon said:
    but has been a professional PHP/MySQL developer for over six years, maybe seven.
    FTFY. Professionals generally won't make amateur mistakes repeatedly for that length of time.
    You mean professionals only make professional mistakes repeatedly?

     



  • @Cassidy said:

    @toon said:

    but has been a professional PHP/MySQL developer for over six years, maybe seven.
     

    FTFY. Professionals generally won't make amateur mistakes repeatedly for that length of time. @toon said:

    I've been thinking about leaving for a while now; maybe it's time I started drafting a resumé.

    Offer to QA his code to see where other vulns may be lurking. He'll be receptive to the idea, and then you can add "PHP/MySQL Testing and Hardening" to your resumé.

     

    Well, by "professional" I guess I just meant that he makes his living being a full-time PHP/MySQL developer. And uh, knowing the person involved: receptive? I don't think so. It's a nice idea though: I could probably already add "query optimization" and "data modeling", I suppose.



  • @toon said:

    a professional PHP/MySQL developer

    ITT: things that don't exist.



  • @Cassidy said:

    @toon said:

    but has been a professional PHP/MySQL developer for over six years, maybe seven.
     

    FTFY. Professionals generally won't make amateur mistakes repeatedly for that length of time.

    You are using that word but I don't think you know what it means. Professional and skill quality are orthogonal characteristics.



  • @toon said:

    mysql_real_escape_string, a soon-to-be-deprecated function
     

    Again? What's next, mysql_real_real_escape_and_encode_safer_string?

    I know it's a done-to-death joke-- but the only reason the function has a stupid long name to begin with is because they kept deprecating escaping functions to make them "better". How is the next iteration going to be betterer?



  • @Lorne Kates said:

    @toon said:

    mysql_real_escape_string, a soon-to-be-deprecated function
     

    Again? What's next, mysql_real_real_escape_and_encode_safer_string?

    I know it's a done-to-death joke-- but the only reason the function has a stupid long name to begin with is because they kept deprecating escaping functions to make them "better". How is the next iteration going to be betterer?

    The mysql_real_escape_string function is part of a relatively old MySQL API. In the mean time, they (not sure who "they" are but I assume it's PHP folks with MySQL folks) made a mysqli_* set which is a lot better than the mysql_* set. That, and PHP has a PDO layer now, which can talk to MySQL and supports query parametrization etc. So all the mysql_* functions will be deprecated in a few weeks in favor of the PDO and the mysqli_* functions.
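The query from the first post, written the concatenated way and as the prepared statement that the PDO and mysqli_* APIs mentioned here provide, as an added example that is not code from the thread or from the PHP manual: on the manual's ' OR ''=' input the concatenated form matches a row, the prepared form does not. It assumes PDO with the pdo_sqlite driver so it runs offline, with an in-memory SQLite table standing in for MySQL; the mysqli variant is only defined, since it needs a live server.

```php
<?php
// Added example (not from the thread): the login query from the first post,
// built by string concatenation, next to the same query as a prepared statement.
// Assumptions: PDO with pdo_sqlite is available; an in-memory SQLite database
// stands in for MySQL so this runs offline (for MySQL, swap the DSN for
// 'mysql:host=...;dbname=...' and the PDO code below stays the same).

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: one user with a known password value.
    $db->exec("CREATE TABLE users (user TEXT, password TEXT)");
    $db->exec("INSERT INTO users VALUES ('aidan', 'correct-horse')");
    return $db;
}

// The pattern from the thread: values pasted straight into the SQL text, so the
// database cannot tell where the string literal ends and extra SQL begins. With
// the manual's input the WHERE clause becomes ... AND password='' OR ''='',
// and the trailing OR ''='' is true for every row.
function loginUnsafe(PDO $db, string $user, string $password): int {
    $sql = "SELECT * FROM users WHERE user='$user' AND password='$password'";
    return count($db->query($sql)->fetchAll());
}

// Prepared statement: the SQL text is fixed before any value is seen, and the
// values travel separately, so a quote inside $password is just a character
// that gets compared against the stored password.
function loginSafe(PDO $db, string $user, string $password): int {
    $stmt = $db->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->execute([$user, $password]);
    return count($stmt->fetchAll());
}

// The mysqli_* counterpart of loginSafe(); defined only, not called, because it
// needs a real MySQL connection rather than the in-memory database used here.
function loginSafeMysqli(mysqli $conn, string $user, string $password): int {
    $stmt = $conn->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->bind_param('ss', $user, $password);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows;
}

$db = connect();
$injected = "' OR ''='";   // the input from the manual example quoted in the first post

printf("concatenated, wrong password:   %d row(s)\n", loginUnsafe($db, 'aidan', 'wrong'));
printf("concatenated, manual's input:   %d row(s)\n", loginUnsafe($db, 'aidan', $injected));
printf("prepared, manual's input:       %d row(s)\n", loginSafe($db, 'aidan', $injected));
printf("prepared, correct password:     %d row(s)\n", loginSafe($db, 'aidan', 'correct-horse'));
```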



  • @Anonymouse said:

    You mean professionals only make professional mistakes repeatedly?
     

    Of course. The more expensive the contractor, the better quality of mistake. It takes years of training and experience to produce a monumental cockup.

    @toon said:

    Well, by "professional" I guess I just meant that
    he makes his living being a full-time PHP/MySQL developer.

    I once knew someone who called himself a "professional rock-climber" because he'd been paid to do a job and thus he could call himself "professional". It wasn't his day job (and his climbing grade wasn't particularly high either).

    @toon said:

    And uh, knowing the person involved: receptive? I don't think so.

    Ah, okay. I mistook his surprise (and potential revelation) to mean that upon learning something new he'd want to act upon it (rather than be in denial about its effects).

    @OzPeter said:

    You are using that word but I don't think you know what it means.

    No, I know what a profession is. I was simply alluding to the implied experience or skill level.

    @OzPeter said:

    Professional and skill quality are orthogonal characteristics.

    That, put better than I did.



  • @Cassidy said:

    @toon said:

    And uh, knowing the person involved: receptive? I don't think so.

    Ah, okay. I mistook his surprise (and potential revelation) to mean that upon learning something new he'd want to act upon it (rather than be in denial about its effects).

    No, you're right, he wants to be good at what he does; it's just that he's got a real hair up his ass about being told how to do his job. So whenever he gets the perception that that's the case, he gets very defensive in an offensive sort of way (if that makes sense). He can't help it, but of course that doesn't make much of a difference to me. One of the reasons I'm considering leaving.



  • @OzPeter said:

    You are using that word but I don't think you know what it means. Professional and skill quality are orthogonal characteristics.

    Yeah. I can't speak for other cultures, here in the US "professional" just means the person works with their brain and not their body. i.e. a guy who drives a truck = not a professional. A guy who fills out forms = professional.

    Saying "professional" doesn't imply anything about skill or competence.



  • @Lorne Kates said:

    I know it's a done-to-death joke-- but the only reason the function has a stupid long name to begin with is becuase they kept deprecating escaping functions to make them "better". How is the next iteration going to be betterer?

    They already have a working, safe, DB interface API-- PDO. You know it's safe because they ripped-it-off wholesale from Microsoft's ADO.

    All they need to do is literally deprecate everything database-related that isn't PDO. But they haven't done that in the last 5 years, I wouldn't hold my breath for it to happen in the next 5...



  • @blakeyrat said:

    @OzPeter said:
    You are using that word but I don't think you know what it means. Professional and skill quality are orthogonal characteristics.

    Yeah. I can't speak for other cultures, here in the US "professional" just means the person works with their brain and not their body. i.e. a guy who drives a truck = not a professional. A guy who fills out forms = professional.

    In the UK, "professional" just means you get paid for doing something, as opposed to an amateur who does something for free because they love it. 

    @blakeyrat said:

    Saying "professional" doesn't imply anything about skill or competence.

    That bit is the same in both cultures!




  • @blakeyrat said:

    All they need to do is literally deprecate PHP
    FTFE



  • @Cassidy said:

    @toon said:

    but has been a professional PHP/MySQL developer for over six years, maybe seven.
     

    FTFY. Professionals generally won't make amateur mistakes repeatedly for that length of time. @toon said:

    I've been thinking about leaving for a while now; maybe it's time I started drafting a resumé.

    Offer to QA his code to see where other vulns may be lurking. He'll be receptive to the idea, and then you can add "PHP/MySQL Testing and Hardening" to your resumé.

     

    Computer programming is not a profession. A profession has a code of ethics and barriers to entry. Also, programmers don't get sued, and aren't licensed by the state. Generally, both of these things ARE true of real professionals (physicians, accountants, lawyers, and such). I see people misuse "professional" in amusing ways (e.g. professional golfer), and I see people misuse the word to mean "in conformance with [one's own] preconceived notions of correctness." These usages are plain wrong.



  • @bridget99 said:

    Computer programming is not a profession. A profession has a code of ethics and barriers to entry. Also, programmers don't get sued, and aren't licensed by the state. Generally, both of these things ARE true of real professionals (physicians, accountants, lawyers, and such). I see people misuse "professional" in amusing ways (e.g. professional golfer), and I see people misuse the word to mean "in conformance with [one's own] preconceived notions of correctness." These usages are plain wrong.
     

     

    Webster's dictionary would disagree with you on this:

    Definition of PROFESSIONAL


    1 a: of, relating to, or characteristic of a profession
      b: engaged in one of the learned professions
      c (1): characterized by or conforming to the technical or ethical standards of a profession (2): exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

    2 a: participating for gain or livelihood in an activity or field of endeavor often engaged in by amateurs <a professional golfer>
       b: having a particular profession as a permanent career <a professional soldier>
       c: engaged in by persons receiving financial return <professional football>

    3 following a line of conduct as though it were a profession <a professional patriot> 

    And one of their definitions of Profession:

    4 a: a calling requiring specialized knowledge and often long and intensive academic preparation 

    So your assumption that there has to be a code of ethics and barriers to entry is pulled from what dark hole? And programmers can get sued, just like anybody else.

    I'm assuming troll, but perhaps just someone with no access to a dictionary or just ignorance of the English language.



  • @bridget99 said:

    Computer programming is not a profession. A profession has a code of ethics and barriers to entry. Also, programmers don't get sued, and aren't licensed by the state. Generally, both of these things ARE true of real professionals (physicians, accountants, lawyers, and such).

    Professional != Licensed Professional, which is what you are describing.  "Professional" does have multiple colloquial meanings so both blakey's works with mind not body and the one implied by Cassidy of a specific level of competence are valid.



  • @bridget99 said:

    These usages are I am plain wrong.

    FTFY

    @bridget99 said:

    A profession has a code of ethics and barriers to entry.

    Of course, the barrier to entry is mainly just a racket for the participants to avoid competition.



  • @toon said:

    No, you're right, he wants to be good at what he does; it's just that he's got a real hair up his ass about being told how to do his job.
     

    I know the type. I was probably one once, until I understood people were criticising the code and not the author. After a bit I viewed all criticism as an opportunity to learn, grow and improve. @toon said:

    So whenever he gets the perception that that's the case, he gets very defensive in an offensive sort of way (if that makes sense).

    Yeah, it does. People that don't want you to step over the line feel more comfortable if they've pushed you back some ways from it to give them a safety margin. A manner like that also discourages future repeats. @toon said:

    One of the reasons I'm considering leaving.

    Don't blame you.



  • @sabbott64 said:

    I'm assuming troll

    Very much so, but at least this attempt is closer to their regular quality than some other recent posts.

    @sabbott64 said:

    just someone with no access to a dictionary or just ignorance of the English language

    The give away on what they are actually talking about is:

    @bridget99 said:

    aren't licensed

    So "licensed professional" is what they are talking about.



  • Guys we already know Bridget99 is always wrong, we don't need to get into the details.



  • @blakeyrat said:

    Guys we already know Bridget99 is always wrong, we don't need to get into the details.
     

    But it's so much fun, especially when it's a slow day in the office.



  • @sabbott64 said:

    @bridget99 said:

    Computer programming is not a profession. A profession has a code of ethics and barriers to entry. Also, programmers don't get sued, and aren't licensed by the state. Generally, both of these things ARE true of real professionals (physicians, accountants, lawyers, and such). I see people misuse "professional" in amusing ways (e.g. professional golfer), and I see people misuse the word to mean "in conformance with [one's own] preconceived notions of correctness." These usages are plain wrong.
     

     

    Webster's dictionary would disagree with you on this:

    Definition of PROFESSIONAL


    1 a: of, relating to, or characteristic of a profession
      b: engaged in one of the learned professions
      c (1): characterized by or conforming to the technical or ethical standards of a profession (2): exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

    2 a: participating for gain or livelihood in an activity or field of endeavor often engaged in by amateurs <a professional golfer>
       b: having a particular profession as a permanent career <a professional soldier>
       c: engaged in by persons receiving financial return <professional football>

    3 following a line of conduct as though it were a profession <a professional patriot> 

    And one of their definitions of Profession:

    4 a: a calling requiring specialized knowledge and often long and intensive academic preparation 

    So your assumption that there has to be a code of ethics and barriers to entry is pulled from what dark hole? And programmers can get sued, just like anybody else.

    I'm assuming troll, but perhaps just someone with no access to a dictionary or just ignorance of the English language.

    Anyone can publish a "Webster's Dictionary." That's a less meaningful citation than Wikipedia. If you're referring to a Merriam-Webster dictionary, that's a semi-respectable source for a high school paper, but the fact that it defers to colloquial usage does not change reality. I'm telling you what I was taught in college, which is a place where greater precision is required than can be found in Merriam-Webster. I could just as easily cite my accounting text, which backs me up.


    Besides, if computer programming were a profession, why would any foreigner with sufficiently large balls be allowed to walk off the boat and unilaterally declare himself a practitioner? The answer, of course, is that programming is not a profession. It's a well-paid trade. It's pure prostitution in my case. But it is not a profession, in the precise sense of the word, nor is it even close to one. It's at the same level as plumbing or auto repair. If you're doing it and you have a degree, the degree is just a coincidence.

    EDIT: And I agree: anyone can sue anyone. But I'd be very surprised if you could produce an example of an individual programmer getting sued for malpractice (and losing), unless he happened to be a Professional Engineer in some other discipline. Not even the guy who developed the Therac-25 firmware got sued.



  • @bridget99 said:

    The answer, of course, is that programming is not a profession. It's a well-paid trade. It's pure prostitution in my case. But it is not a profession, in the precise sense of the word, nor is it even close to one. It's at the same level as plumbing or auto repair. If you're doing it and you have a degree, the degree is just a coincidence.
     

    Incredible. That matches Blakey's definition.

    I guess it doesn't matter at all (no really. Your tripe about "precise language" is just completely irrelevant and an insult to actual sciences with actual precise language), but we can just agree on the term and then go make a sandwich.



  • @dhromed said:

    @bridget99 said:

    The answer, of course, is that programming is not a profession. It's a well-paid trade. It's pure prostitution in my case. But it is not a profession, in the precise sense of the word, nor is it even close to one. It's at the same level as plumbing or auto repair. If you're doing it and you have a degree, the degree is just a coincidence.
     

    Incredible. That matches Blakey's definition.

    I guess it doesn't matter at all (no really. Your tripe about "precise language" is just completely irrelevant and an insult to actual sciences with actual precise language), but we can just agree on the term and then go make a sandwich.

    There is such a thing as precise language outside of science. Law, Accounting, Theology, etc. all rely on precise language... and they don't use "Webster's Dictionary" as their reference (whatever that guy meant by that citation).



  • I found a better source. It's a book called "Morality and the Professional Life: Values at Work," by Brincat and Wilke, published 2000 (Prentice-Hall). These are the qualities of a profession which are not aspects of software development:


    *Requirements for admission

    *Adherence to certain values

    *Penalties for subpar performance

    *[It must be] used in the service of a positive social need



  • @bridget99 said:

    Computer programming is not a profession. A
    profession has a code of ethics and barriers to entry. Also,
    programmers don't get sued, and aren't licensed by the state. Generally,
    both of these things ARE true of real professionals (physicians,
    accountants, lawyers, and such).

    As much as I hate to do this, I agree somewhat.  It really depends on which definition of "professional" you look at. In terms of legal liability and educational standards, I think bridget99 is correct.  A judge or a lawyer would attach a specific meaning to "professional" which would imply a higher level of skill/education and also a greater legal and ethical responsibility.

    However, in the context of this discussion, the guy who originally used the word obviously didn't mean it in that sense.

    Under the doctrine of professional malpractice, one who is deemed a professional will owe the other party a duty to act not just as a reasonable person under the circumstances, as required by negligence law, but to meet a higher standard — that of a professional in that particular field of endeavor.  


    The concept of professional liability has generally been applied to those who by specific training and licensing are deemed to have a level of skills higher than those of non-professionals. Those persons falling within the realm of professional responsibility include doctors, lawyers, dentists, architects, accountants and similarly licensed workers.[1]

    To date courts have been reluctant to hold computer designers or programmers to the higher standard of professionals due to the lack of “established educational standards or regulations governing the performance of software programmers and developers, and they are not licensed as professionals.”[2] As noted in one early case:

    The novel concept of a new tort called “computer malpractice” is premised upon a theory of elevated responsibility on the part of those who render computer sales and service. Plaintiff equates the sale and servicing of computer systems with established theories of professional malpractice. Simply because an activity is technically complex and important to the business community does not mean that greater potential liability must attach. In the absence of sound precedential authority, the Court declines the invitation to create a new tort.[3]

    In Hospital Computer Systems, Inc. v. Staten Island Hospital,[4] the court refused to hold a computer programmer to a professional standard, stating:

    A profession is not a business. It is distinguished by the requirements of extensive formal training and learning, admission to practice by a qualifying licensure, a code of ethics imposing standards qualitatively and extensively beyond those that prevail or are tolerated in the marketplace, a system for discipline of its members for violation of the code of ethics, a duty to subordinate financial reward to social responsibility, and, notably, an obligation on its members, even in non-professional matters, to conduct themselves as members of a learned, disciplined, and honorable occupation.[5]

    Other courts have refused to recognize computer programmers and consultant as professionals, since “[t]o lift the theory of malpractice from its narrow origin of personal, professional services to a lay patient or client and apply it to the law of commercial contracts would obfuscate the necessary boundaries of these two areas of law.”[6]

    Note that as far as the law is concerned, the license is a property of the profession, as opposed to the idea in this thread of making the distinction between "licensed professionals" and "unlicensed professionals".   Not that it's wrong to do so, but in a legal context, apparently it would be.

     As for the idea that the word "professional" doesn't imply any particular level of skill:

    The main criteria for professionals include the following:

    1. Expert and specialized knowledge in field which one is practicing professionally.[5]
    2. Excellent manual/practical and literary skills in relation to profession.[6]
    3. High quality work in (examples): creations, products, services, presentations, consultancy, primary/other research, administrative, marketing, photography or other work endeavours.
    4. A high standard of professional ethics, behaviour and work activities while carrying out one's profession (as an employee, self-employed person, career, enterprise, business, company, or partnership/associate/colleague, etc.). The professional owes a higher duty to a client, often a privilege of confidentiality, as well as a duty not to abandon the client just because he or she may not be able to pay or remunerate the professional. Often the professional is required to put the interest of the client ahead of his own interests.
    5. Reasonable work morale and motivation. Having interest and desire to do a job well as holding positive attitude towards the profession are important elements in attaining a high level of professionalism.
    6. Appropriate treatment of relationships with colleagues. Consideration should be shown to elderly, junior or inexperienced colleagues, as well as those with special needs. An example must be set to perpetuate the attitude of one's business without doing it harm.
    7. A professional is an expert who is a master in a specific field.

    I think it really depends on who you ask, and the context of the discussion.  However, I know doctors who would consider software developers to be "professionals" (at least colloquially speaking.)  It might have something to do with the fact that the doctors in question are family members, and I happen to be a software developer.

    I'm guessing the original meaning of "professional" has evolved a bit.  I do think that if anyone who gets paid to do a job can be called a professional (and this is often the case), then the word becomes almost meaningless. 

    IMO:

    Formal definition of "professional": bridget99's legalistic definition
    Less formal: "I do my job well!"
    Completely informal: "I have a job!"

     



  • CodeSimian, I'd say programmers fail utterly at #4 and #6 from that last listing you posted. The people here are excellent examples.



  • @bridget99 said:

    EDIT: And I agree: anyone can sue anyone. But I'd be very surprised if you could produce an example of an individual programmer getting sued for malpractice (and losing), unless he happened to be a Professional Engineer in some other discipline. Not even the guy who developed the Therac-25 firmware got sued.

    OTOH, in my experience, sometimes Professional Engineers such as computer engineers or electrical engineers end up doing the same or similar jobs as "non-professional" software developers.

    From a practical standpoint, I have noticed that P. Engs tend to have more expertise in hardware compared to someone who has a CS degree (for example), just because they were exposed to it more often in school, and may have got their career started in hardware.  Nonetheless, when I was an undergrad, several courses were cross-listed under both the Computer Science and Engineering departments, despite one department leading to a "professional" degree, and the other not.

    I do think that even colloquially, the word "profession" sometimes implies quality and certain standards of conduct.  The phrases "He's a consummate professional" and "Act like a professional!" are both understood to mean something other than "He has a job" and "Act like someone who has a job!".  Even the other suggested definition of "someone who works with his mind, not his body" doesn't exactly fit the bill here.  When a manager reprimands someone for "unprofessional conduct", everyone knows what this means.



  • @CodeSimian said:

    @bridget99 said:

    EDIT: And I agree: anyone can sue anyone. But I'd be very surprised if you could produce an example of an individual programmer getting sued for malpractice (and losing), unless he happened to be a Professional Engineer in some other discipline. Not even the guy who developed the Therac-25 firmware got sued.

    OTOH, in my experience, sometimes Professional Engineers such as computer engineers or electrical engineers end up doing the same or similar jobs as "non-professional" software developers.

    From a practical standpoint, I have noticed that P. Engs tend to have more expertise in hardware compared to someone who has a CS degree (for example), just because they were exposed to it more often in school, and may have got their career started in hardware.  Nonetheless, when I was an undergrad, several courses were cross-listed under both the Computer Science and Engineering departments, despite one department leading to a "professional" degree, and the other not.

    I do think that even colloquially, the word "profession" sometimes implies quality and certain standards of conduct.  The phrases "He's a consummate professional" and "Act like a professional!" are both understood to mean something other than "He has a job" and "Act like someone who has a job!".  Even the other suggested definition of "someone who works with his mind, not his body" doesn't exactly fit the bill here.  When a manager reprimands someone for "unprofessional conduct", everyone knows what this means.

    In the UK, I think that there is a PE track for Computer Science (vs. simply having an electrical PE track, that happens to often lead to work as a developer). So one could argue that CS is a profession in the UK, and an emerging profession elsewhere, with various tiers of practitioners (PEs, degreed non-PE engineers, vocational programmers, etc.) in different countries. No one here is quick-witted enough to frame the argument in these terms, so I'll give them a helping hand by doing it myself.


    I've also been wondering about veterinarians. Are they professionals? If the positive good rendered to society is rendered to dog society, does that count? Can a veterinarian be sued for malpractice? If one accidentally butchers a Cocker Spaniel, can one not just go on with one's life? I'm pretty sure one can, and I think that's appropriate. I love my show cat Catty Purry, but I realize she's just a cat. It's awfully pretentious of everyone here, though, to call themselves "professionals" when a veterinarian cannot.



  • @bridget99 said:

    In the UK, I think that there is a PE track for Computer Science (vs. simply having an electrical PE track, that happens to often lead to work as a developer). So one could argue that CS is a profession in the UK, and an emerging profession elsewhere, with various tiers of practitioners (PEs, degreed non-PE engineers, vocational programmers, etc.) in different countries. No one here is quick-witted enough to frame the argument in these terms, so I'll give them a helping hand by doing it myself.
     

    Except for possibly the guy who implied that CS is on a similar (skill) level to Engineering, at least in the sense that CS grads and P. Engs sometimes end up doing the same jobs.  Of course, you could argue that it's just P. Engs "slumming it" to meet the "lower" level of CS majors, but I don't know any P. Eng who complains about being underpaid (or losing prestige) by doing the job of a software developer.  

    Since you explicitly made the argument that CS might be an emerging profession, I'll just point out that the idea of mandatory licensing of programmers has been floated for a long time (i.e. forcing software development to become a profession, in the legal sense), because many people have been concerned about educational standards (including "continuing education" throughout one's career) and accountability issues. i.e. A civil engineer's level of liability if his bridge collapses far surpasses any possible liability a software developer could incur, even in life-critical applications (unless it was something written in his contract, which is unlikely).

    Obviously, most people in the industry are opposed to the idea, because nobody wants the liability, and it would likely kill free/open-source/hobbyist development.  (You don't see a lot of doctors performing unlicensed surgery for fun.)  Some people feel that mandatory programming-as-a-profession would kill the whole industry, actually.



  • @CodeSimian said:

    @bridget99 said:

    In the UK, I think that there is a PE track for Computer Science (vs. simply having an electrical PE track, that happens to often lead to work as a developer). So one could argue that CS is a profession in the UK, and an emerging profession elsewhere, with various tiers of practitioners (PEs, degreed non-PE engineers, vocational programmers, etc.) in different countries. No one here is quick-witted enough to frame the argument in these terms, so I'll give them a helping hand by doing it myself.
     

    Except for possibly the guy who implied that CS is on a similar (skill) level to Engineering, at least in the sense that CS grads and P. Engs sometimes end up doing the same jobs.  Of course, you could argue that it's just P. Engs "slumming it" to meet the "lower" level of CS majors, but I don't know any P. Eng who complains about being underpaid (or losing prestige) by doing the job of a software developer.  

    Since you explicitly made the argument that CS might be an emerging profession, I'll just point out that the idea of mandatory licensing of programmers has been floated for a long time (i.e. forcing software development to become a profession, in the legal sense), because many people have been concerned about educational standards and accountability issues. i.e. A civil engineer's level of liability if his bridge collapses far surpasses any possible liability a software developer could incur, even in life-critical applications (unless it was something written in his contract, which is unlikely).

    Obviously, most people in the industry are opposed to the idea, because nobody wants the liability, and it would likely kill free/open-source/hobbyist development.  (You don't see a lot of doctors performing unlicensed surgery for fun.)  Some people feel that mandatory programming-as-a-profession would kill the whole industry, actually.


    That's a fair point... you did mention the PE thing. I've actually advocated for the sort of licensure you've described. I can't understand why anybody who knows their shit would be against licensure. It wouldn't put anybody out of a job... not all engineers in any discipline are PEs, and not all accountants are CPAs. Quite the opposite is true, in both cases. Licensure would help sort out the truly competent, and reward them. It would also nip a lot of stupid arguments in the bud... nobody competent is arguing for their own special, subjective version of Accounting or Mechanical Engineering. Would that my own quasi-profession were that straightforward.



  • @toon said:

    mysql_real_escape_string

    This reminds me of one question... I've never actually used this function because its name seemed obtusely long to write all the time, so I was using htmlspecialchars with ENT_QUOTES instead. I've never found any way that could be circumvented/exploited and SQL injected. Is there a way and am I TRWTF, or is it okay to use it?
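
An added example, not from the thread, that puts the question above to the test in the PHP the thread is about: it runs the manual's second injection input through raw concatenation, through htmlspecialchars(..., ENT_QUOTES), and through a prepared statement. It assumes PHP with the pdo_sqlite extension so that it runs against an in-memory database; the table and rows are constructed sample data.

```php
<?php
// Added example (not from the thread): contrasts string-building with htmlspecialchars()
// against a parameterized query. Uses an in-memory SQLite database via PDO so it runs
// offline; assumes the pdo_sqlite extension is available.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user TEXT, password TEXT)");
// Constructed sample rows; 'o''brien' is SQL's own way of writing the name o'brien.
$db->exec("INSERT INTO users VALUES ('aidan', 'secret'), ('o''brien', 'hunter2')");

// 1. Raw concatenation, as in the manual's example: the input closes the password
//    literal and appends an OR that is true for every row.
function rawLookup(PDO $db, string $user, string $password): int {
    $sql = "SELECT * FROM users WHERE user='$user' AND password='$password'";
    return count($db->query($sql)->fetchAll());
}

// 2. htmlspecialchars(..., ENT_QUOTES): each quote becomes &#039;, so this particular
//    input can no longer break out of the literal. But it is an HTML output encoder,
//    not an SQL escaper: backslashes pass through untouched (MySQL treats them as
//    escape characters inside string literals), and legitimate data containing quotes
//    is mangled, so a real user such as o'brien can no longer be found at all.
function htmlEncodedLookup(PDO $db, string $user, string $password): int {
    $u = htmlspecialchars($user, ENT_QUOTES);
    $p = htmlspecialchars($password, ENT_QUOTES);
    $sql = "SELECT * FROM users WHERE user='$u' AND password='$p'";
    return count($db->query($sql)->fetchAll());
}

// 3. Prepared statement: the values never become part of the SQL text, so there is
//    nothing to escape and quotes in the data are stored and matched as-is.
function preparedLookup(PDO $db, string $user, string $password): int {
    $stmt = $db->prepare("SELECT * FROM users WHERE user = ? AND password = ?");
    $stmt->execute([$user, $password]);
    return count($stmt->fetchAll());
}

$payload = "' OR ''='";  // the second injection example on the mysql_real_escape_string manual page

printf("raw, injected password:       %d row(s)\n", rawLookup($db, 'aidan', $payload));
printf("html-encoded, injected:       %d row(s)\n", htmlEncodedLookup($db, 'aidan', $payload));
printf("html-encoded, real user:      %d row(s)\n", htmlEncodedLookup($db, "o'brien", 'hunter2'));
printf("prepared, injected password:  %d row(s)\n", preparedLookup($db, 'aidan', $payload));
printf("prepared, real user:          %d row(s)\n", preparedLookup($db, "o'brien", 'hunter2'));
```

The third and fifth lines of output are the practical answer to the question: the HTML encoder loses legitimate rows while the prepared statement finds them, which is why the escaping-versus-encoding question is best sidestepped by not building SQL from strings at all.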



  • The only reason I can believe this argument over what 'professional' means has gone on so long is that here I am, adding to it.

    @bridget99 said:

    I found a better source. It's a book called "Morality and the Professional Life: Values at Work," by Brincat and Wilke, published 2000 (Prentice-Hall). These are the qualities of a profession which are not aspects of software development:

    * Requirements for admission

    * Adherence to certain values

    * Penalties for subpar performance

    * [It must be] used in the service of a positive social need

    bridget99: "a Profession" and "Professional" are not exactly the same thing.

    As any fule kno, 'professional' could mean:

    * belonging to a Profession

    * being paid for the task

    ... plus multiple other accepted definitions as per sabbott64 (or ANY OTHER FUCKING DICTIONARY ON THE PLANET).

    And I'm not sure what the "Requirements for admission, adherence to certain values, penalties for subpar performance and positive social need" are for the Oldest Profession. I didn't know the reqs were so stringent.



  • @bridget99 said:

    Licensure would help sort out the truly competent
     

    This is not necessarily true.



  • @scruff said:

    And I'm not sure what the "Requirements for admission, adherence to certain values, penalties for subpar performance and positive social need" are for the Oldest Profession.
     

    "Requirements for admission" = alternative options severely limited by current education, financial situation, etc.

    "adherence to certain values" = having some rudimentary cost-based framework to maximise income whilst still observing the supply/demand curve

    "penalties for subpar performance" = Pimp Daddy and his whip-totin' boys would like a word.

    "positive social need" ... there has been a recent news article about Hospices employing Sex Workers (not this article, but I couldn't find the recent one) - the Manageress pointed out that care workers could not "sexually enable" patients but Sex Workers could, and to ban this profession from care sites would impact upon patients' comfort and pleasure. I've also heard a statistic that countries with a more open and readily available attitude to sexual activities have lower reported rape/assault incidents than countries where sexuality is quite stifled - but this could also be due to cultural issues.

     



  • @dhromed said:

    @bridget99 said:

    Licensure would help sort out the truly competent
     

    This is not necessarily true.

    No, but from a practical standpoint, it's difficult for me to imagine otherwise. I think PEs and CPAs are universally considered more trustworthy than non-certified workers in the same profession. The only certifications that I really consider complete bullshit are the proprietary ones like the MCSE, and the PMP certification. A computing license would have to avoid the pitfalls that led to these bogus certifications. But the main pitfall there is just greed, and keeping licensure under government auspices would eliminate the profit motive.



  • @bridget99 said:

    But the main pitfall there is just greed, and keeping licensure under government auspices would eliminate the profit motive.

    This may be your best trolling yet.


  • Discourse touched me in a no-no place

    @boomzilla said:

    @bridget99 said:
    But the main pitfall there is just greed, and keeping licensure under government auspices would eliminate the profit motive.

    This may be your best trolling yet.

    No, this is better:


    @bridget99 said:
    The only certifications that I really consider complete bullshit are the proprietary ones like the MCSE, and the PMP certification. A computing license would have to avoid the pitfalls that led to these bogus certifications.
    The fact that any new certification would come from the same type of people responsible for PMP puts it over the top.



  • @PedanticCurmudgeon said:

    @boomzilla said:
    @bridget99 said:
    But the main pitfall there is just greed, and keeping licensure under government auspices would eliminate the profit motive.

    This may be your best trolling yet.

    No, this is better:


    @bridget99 said:
    The only certifications that I really consider complete bullshit are the proprietary ones like the MCSE, and the PMP certification. A computing license would have to avoid the pitfalls that led to these bogus certifications.
    The fact that any new certification would come from the same type of people responsible for PMP puts it over the top.

    I'm saying that the PMP is an example to be avoided, and I think it would be. The PMP was made up by some no-name institute that got lucky and stumbled onto a good idea. A licensing program for developers would draw on a much more diverse and capable set of people than the ones who came up with that PMP crap.



  • @boomzilla said:

    @bridget99 said:
    But the main pitfall there is just greed, and keeping licensure under government auspices would eliminate the profit motive.

    This may be your best trolling yet.

    The government isn't out to turn a profit. It is self-perpetuating, and it does enrich an insignificantly small group of people disproportionately, but it doesn't seek to make a profit. I'm sorry you don't like your government, but your decision to embrace right wing politics doesn't change the basic vocabulary of Economics and Finance.


    Christ; this place makes me sound like Richard Stallman sometimes. You've really got to wonder about a place where the voice of reason ends up sounding like Richard Stallman.



  • @bridget99 said:

    The government isn't out to turn a profit. It is self-perpetuating, and it does enrich an insignificantly small group of people disproportionately, but it doesn't seek to make a profit. I'm sorry you don't like your government, but your decision to embrace right wing politics doesn't change the basic vocabulary of Economics and Finance.

    The government might not, but the individuals involved sure are. And the people outside of the government who end up capturing the insiders. I'm sorry that your delusions cause you to ignore the obvious.

    @bridget99 said:

    Christ; this place makes me sound like Richard Stallman sometimes. You've really got to wonder about a place where the voice of reason ends up sounding like Richard Stallman.

    Now you're just sucking up to blakeyrat by being so wrong!



  • @boomzilla said:

    @bridget99 said:
    The government isn't out to turn a profit. It is self-perpetuating, and it does enrich an insignificantly small group of people disproportionately, but it doesn't seek to make a profit. I'm sorry you don't like your government, but your decision to embrace right wing politics doesn't change the basic vocabulary of Economics and Finance.

    The government might not, but the individuals involved sure are. And the people outside of the government who end up capturing the insiders. I'm sorry that your delusions cause you to ignore the obvious.

    OK, but how is anyone going to get rich off of some certification for developers? It's not like the state CPA board sucks up some huge portion of the economy. Don't you think having CPAs and PEs brings a net benefit to society? Or are you really ready to fully embrace jungle law?



  • @bridget99 said:

    A profession has a code of ethics and barriers to entry. Also, programmers don't get sued, and aren't licensed by the state. Generally, both of these things ARE true of real professionals (physicians, accountants, lawyers, and such). I see people misuse "professional" in amusing ways (e.g. professional golfer), and I see people misuse the word to mean "in conformance with [one's own] preconceived notions of correctness." These usages are plain wrong.
     

    I know lots of professional ladies in Bangkok and none of them are licensed by the state. They do have very interesting codes of ethics, however.



  • @bridget99 said:

    @dhromed said:

    @bridget99 said:

    Licensure would help sort out the truly competent
     

    This is not necessarily true.

    No, but from a practical standpoint, it's difficult for me to imagine otherwise.

     

    We have many schools, some are good, some are bad. The result is that we all know that the piece of paper is not a guarantee of competence.

    @bridget99 said:

    The only certifications that I really consider complete bullshit are the proprietary ones like the MCSE, and the PMP certification. A computing license would have to avoid the pitfalls that led to these bogus certifications. But the main pitfall there is just greed,

    Agree.

     

     



  • @boomzilla said:

    This may be your best trolling yet.
     

    The greed bit or the government bit? Bogus certifications are just the exploitation of a market of bullshit and fabricated need (just like the iDevice market), so that part is true.



  • @bridget99 said:

    OK, but how is anyone going to get rich off of some certification for developers?
     

    MCSE costs a pretty penny, so I guess it's possible. :)



  • @boomzilla said:

    @bridget99 said:
    The government isn't out to turn a profit.

    The government might not, but the individuals involved sure are.

     

    Definitely in the UK - over 50 ministers claimed (at min) £20K on expenses for items that weren't serving the greater public.

    @bridget99 said:

    OK, but how is anyone going to get rich off of some certification for developers?

    Simple law of supply and demand. In the UK, at one point there was great demand for developers with MCSE/MCSD to their names, so many organisations (including mine) created courses to get them through these qualifications. We made quite a profit from it, as did people achieving the qualification since it carried an implied guarantee of a higher starting salary.

    After a few years of boot-camp certificates, Industry began to understand that the letters didn't necessarily indicate a level of skill or knowledge - if anything, they indicated a lack of experience. By then the damage was done, and some people had profited handsomely from the overall debacle.



  • @bridget99 said:

    I think PEs and CPAs are universally considered more trustworthy than non-certified workers in the same profession. The only certifications that I really consider complete bullshit are the proprietary ones like the MCSE, and the PMP certification.
    Except that unless you are supplying services directly to the public, a PE license is a waste of time and effort, especially given that a huge percentage of engineers never see the outside of their cube farm. There have been noises made for a while that all engineers in the US will be required to get a PE regardless of what their job entails, but I can't see that flying.

    As for PMP .. I have considered it myself just because it is one of those things that companies like to have, and will hire based just on the strength of it. Personally I'd prefer to get formal Agile coaching certification, but the industry that I work in isn't structured to use Agile methods at the level I am working at.

