Lazycoder

31Aug/101

Why Rails and Django are successful.

How I would fix ASP.NET.
I agree with the idea of using real-world dogfooding to refine ASP.NET.

Disagree slightly about the reasons that Rails and Django are successful. They are successful not because they were written first by application developers, but because they were extracted from real-world applications. That is, the frameworks both grew organically as the appDevs saw the need rather than trying to anticipate the need. Both are also very opinionated in terms of convention over configuration.

The fact that ASP.NET MVC leaves a lot of the decisions up to the developer has been one of my criticisms of the framework since it was launched. It does mean that you can apply your own conventions to it, but you have to do a little more work. Work that, I believe, could be better spent working on the hardest part of the application.

Tagged as: , , 1 Comment
8Oct/075

What do you want out of a framework?

Had an interesting discussion with blowmage (Mike Moore) over Twitter. I said that having the “param1/param2″ pattern in the ASP.NET MVC made me itchy from a security standpoint. He replied.

Eh, just don’t add them to the URL. The ASP.NET MVC assumes you know what you are doing. I’m sick of frameworks babysitting me.

I replied:

and yet you use a managed language that holds your hand and cleans up your memory for you. ;)

Which came out a little harsher than I meant. But my gist is, isn’t a GC system babysitting you already? How much abstraction do you want out of a framework?

Bottom line is: a web application, is basically an abstraction for sending and receiving headers and HTML to/from a browser. You can dress that process up with domain models and other abstractions. But you *can* build a web application strictly using sockets if you really don’t want to be babysat.

Now that’s absolute crazy talk. No one wants to build an eCommerce site by sending packets over a pipe. That’d be a crazy as writing an operating system today using 32-bit/64-bit x86 assembly. So we accept some levels of abstraction. In fact, we embrace abstraction. Hunting down errors in a memory dump is no fun. Neither is making sure all of your string buffers are properly allocated and sized. We don’t want to have to malloc() and free() char buffers when we want to concatenate strings, so we make a StringBuilder class that handles all the nastiness for us.

It’s also not fun to get stuck in a framework that is so opinionated that when you stray from it’s primrose path you are assaulted by rabid dogs. Opinionated software is good, but a framework should allow you to inject your own opinion.

So what do you really want out of a framework. Ultimately, I think developers really want a framework that will nerf the sharp corners of the underlying hardware for us. We want to be babysat.But we also want the freedom to rip things out and route around the hard parts. And frankly, we want frameworks that work for us, not against us. It’s when the framework is working against us that we rail and rant and cry out for change.

Me? I want the full on Star Trek-Computer:write-me-a-program-that-will-let-me-sell-my-”My Little Pony”-collection-on-eBay” framework.

Feel free to leave your own thoughts below. Difficulty: No Linking to Spolskys “Leaky Abstractions”

Filed under: .NET, General, Languages, PHP, Rails, Technology 5 Comments
8Oct/075

member variable values in the querystring == security risk?

There is a lot of emphasis in the web development world on making urls “pretty” and, more importantly, discoverable. While there isn’t anything wrong with wanting urls that human beings can read and understand, web developers need to understand that the querystring is an entry point into your application if you are passing values in it and therefore is an attack vector.

So, say you have a querystring that looks something like this.

http://lazycoder.com/people/delete/1242

What does 1242 stand for? Why are you passing it in the query string? What happens to the value when it gets assigned to a variable inside your code? Are you sure you have all of your authorization checks in place to make sure that the currently logged in user has permission to edit whatever 1242 represents? The W3C mentions not including sensitive data in the querystring.

Authors of services which use the HTTP protocol SHOULD NOT use GET based forms for the submission of sensitive data, because this will cause this data to be encoded in the Request-URI. Many existing servers, proxies, and user agents will log the request URI in some place where it might be visible to third parties. Servers can use POST-based form submission instead.

I personally get itchy anytime I see PK values in a web interface. It means if an attacker does somehow gain access to my database, they already know a PK value and could possibly pass it in through a security hole.

Encoding or encrypting the values before putting them into the querystring doesn’t completely solve the problem. In fact, it makes the URL ugly again.

What I would suggest is this:

  1. Encrypt sensitive values (userID, values used in edit/delete actions)
  2. Place those values in hidden form fields. These can be created on the fly if needed
  3. Only pass sensitive values using a POST verb.
  4. Include a secure site/session token in a hidden form to help foil cross-site attacks.

Ideally, I’d like some way in the framework to mark variables as “secure” to prevent any part of the framework from putting them in the querystring. Perhaps raise some kind of warning.

My point isn’t to indict pretty URLs, it’s just to raise awareness of the querystring and it’s potential security risks.

There are also other possible problems with passing params in the querystring. They mainly involve changing data on the server. The W3C explicitly states that HTTP GET is only to be used when no data will be changed on the server.

GET considered harmful.
Get Considered Harmful; Sometimes.
Securing forms with POST isn’t enough

Filed under: .NET, Rails, Tutorials 5 Comments
17Apr/072

Language performance doesn’t matter when a database is involved

All of the latest Rails/Twitter performance bruhaha made me think about some advice I got a long time ago and that I dish out whenever someone asks me about some performance concerns they have with their code.

Nothing else matters once you hit the disk. Once you do any kind of activity that involves reading/writing to a hard disk, that activity instantly becomes your greatest performance drag. No matter how slow any language is at interpreting/JITing/compiling, it’s still orders of magnitude faster than interacting with a hard disk with physical, moving parts.

Filed under: Database, General, PHP, Rails, Technology 2 Comments
26Jul/060

OSCON Ruby and .NET

Jon Lam has done some interesting work integrating Ruby and .NET using interop. I asked him about being able to put a Ruby/Rails front end onto an existing asp.net framework. What I meant was calling your existing .NET business logic assemblies from a Rails app, but he rightly raised the threading issue. .NET does threading, Ruby doesn’t. I liked his Writeroom clone.

You can pick it up here.

Technorati Tags:
,

Filed under: .NET, General, Rails No Comments
24Jul/060

OSCON tutorial: Ruby Guidebook

I went to the Ruby Guidebook tutorial by Dave Thomas and Mike Clark this morning. It was pretty dull. They just went through their slide deck, sometimes they would talk ahead of their slides. They did have a companion manual to use during the class. It was just a printout of their deck. I was really under-whelmed. Most of the information they gave us could be found in “Ruby in a Nutshell”. I was hoping for more insight into Ruby. What makes the language really tick. I’m at this weird, in-between place with Ruby. I know enough that the “intro to Ruby” courses are boring, but I don’t really know enough to make Ruby really sing yet.

Technorati Tags:
,

Filed under: General, Rails, Technology No Comments
   Older Entries »

The Lounge

TwitterCounter

120x60-1

What I'm Doing...

Powered by Twitter Tools

Books I’ve worked on

Contributors

Links

Delicious  FriendFeed  Last.fm  LinkedIn  

RSS Herding Code Podcast