AboutCarbon based humanoid lifeform that likes other carbon based lifeforms (most of these seem to be of the non humanoid variety and biassed toward furry or feathered ones). Natures joke: I'm allergic...
SkillsProgrammer proficient in most languages. prefer Go. Also a fan of Ansible and Linux/UNIX. Used to be a systems and network admin.
Joined devRant on 3/1/2017
Do all the things like ++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatarSign Up
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple APILearn More
Fuck you haters, I'm not dying of corona so PHP dies with it.
PHP is an amazing language. It has evolved nicely has almost all high performing functionally you need build in. Has a good package manager eco system. It's insanely fast (since 7.0, older versions where just fast with opcache).
Most of the called out inconsistencies are actually because it is consistently following C/POSIX equivalent or people that don't understand dynamic typing (it doesn't mean any shit will stick).
Fuck off with your JS backend solution because it's faster...
This is a big thanks to all the amazing members of the PHP community that worked hard to make PHP the great language it is today!!!84
Hang on image selection dialog.
I'm on Android (MIUI 12) and for a long time I've not been able to select an image. Whenever I go into the picker it slows to a crawl. Even when cancelling the pick devrant is all but frozen. I have to kill it and start again to get back. Selecting an image will make it just show a black screen. Does anyone else experience this?
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.
However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.
So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.
The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.1
I have quite a few of these so I'm doing a series.
(2 of 3) Flexi Lexi
A backend developer was tired of building data for the templates. So he created a macro/filter for our in house template lexer. This filter allowed the web designers (didn't really call them frond end devs yet back then) could just at an SQL statement in the templates.
The macro had no safe argument parsing and the designers knew basic SQL but did not know about SQL Injection and used string concatination to insert all kinds of user and request data in the queries.
Two months after this novel feature was introduced we had SQL injections all over the place when some piece of input was missing but worse the whole product was riddled with SQLi vulnerabilities.2
I have a few of these so I'll do a series.
(1 of 3) Public privates
We had a content manager that created a content type called "news item" on a Drupal site. There where two file fields on there. One called "attachments" and the other called "private attachments". The "private attachments" are only for members to see and may contain sensitive data. It was set to go trough Drupals security (instead of being directly hosted by the webserver) but because the permissions on the news items type where completely public everybody had access. So basically it was a slow public file field.
This might be attibuted to ow well Drupal is confusing. Howerver weeks earlier that same CM created a "private article". This actually had permissions on the content type correctly but had a file field that was set to public. So when a member posted the URL to a sensitive file trough unsafe means it got indexed by google and for all to read. When that happend I explained in detail how the system worked and documented it. It was even a website checklist item.
We had two very embarrassing data leaks :-(1
For me Jetbrains idea based IDE/editor in part does just about everything right. Only need to really change the redo shortcut. They provide a warning now so you don't lose your undo history on ctrl+y.
On console both Emacs and vim work for me. These days I prefer vim. Nano will work when I'm a pinch but the lack of undo is really annoying. Especially when the cat walks over the keyboard. You just need start all over unless you can see what he did.
Vim has vertical block so you comment/uncommented stuff real fast. The cange word and change till are also real time savers. Vi is to basic and annoying for me, rather use nano than.
Gedit works great for me when viewing or editting a file real quick.
So yeah the situation dictates what tool suites the best.
Idea is where I can spend my time the entire day so if I had to choice one that would be it.
Sure it's possible and the language develops at a fast pace since ES6 but JS like any other language just is not suited for everything. I think JS will stay in server side automation and as scripting language for customisation but not how it is abused now in electron or even node.js.
There will be better solutions if they are not already there.10
Not sure if it's the worst code review but it's a recent one.
We don't really do code reviews where I work unfortunately but my coworker used my framework for the first time (build some nice composer libraries for cmdline projects) and asked if I could make them do autoloading.
He never used namespaces before so I was glad to help him out.
What I saw was a dreadful mess. His project was called "scripts" so good luck picking a namespace...
Than it was all lose functions in the executable file. All those functions are however called by a class in another file (if they where not calling eachother as a cascading mess). That class was extending an abstract class from my library as instructed. However I never imagined my lib being raped like that.
The functions themselves are a horrible mess. Nothing uniform completely different style (our documentation states PSR's should be used).
Parameters counts higher than 5.
Variable names like Object and Dobject (in calling function Dobject is Object but it needs a fresh one.
If statements on parameters that need basically split it in two (should simply be to functions)
If else statement with return of same variable as a single line (sane people use ternary for that)
Note that I said functions. All of it should have been OO and methods. Would have saved at least some of the parameter hell.
I could go on and on. Do I think the programmer is bad yes (does not even grasp interfaces, dep injection, foreach loops). Is this his best work no. He said that for a one of script like this it just has to work. Not going to be used elsewhere. I disagree as it is a few thousand lines of code that others have to read too.2
TL;DR I'm fucking sick and tired of Devs cutting corners on security! Things can't be simply hidden a bit; security needs to be integral to your entire process and solution. Please learn from my story and be one of the good guys!
As I mentioned before my company used plain text passwords in a legacy app (was not allowed to fix it) and that we finally moved away from it. A big win! However not the end of our issues.
Those Idiot still use hardcoded passwords in code. A practice that almost resulted in a leak of the DB admin password when we had to publish a repo for deployment purposes. Luckily I didn't search and there is something like BFG repo cleaner.
I have tried to remedy this by providing a nice library to handle all kinds of config (easy config injection) and a default json file that is always ignored by git. Although this helped a lot they still remain idiots.
The first project in another language and boom hardcoded password. Dev said I'll just remove before going live. First of all I don't believe him. Second of all I asked from history? "No a commit will be good enough..."
Last week we had to fix a leak of copyrighted contend.
How did this happen you ask? Well the secure upload field was not used because they thought that the normal one was good enough. "It's fine as long the URL to the file is not published. Besides now we can also use it to upload files that need to be published here"
This is so fucking stupid on so many levels. NEVER MIX SECURE AND INSECURE CONTENT it is confusing and hard to maintain. Hiding behind a URL that thousands of people have access to is also not going to work. We have the proof now...
Will they learn? Maybe for a short while but I remain sceptic. I hope a few DevrRanters do!7
So yesterday I said to my private laptop update and shutdown...
Fast forward to this morning. Hell breaks loose. Have to fix it asap! We have downtime. But fucking windows update!!!
You fucking peace of shit should have done this yesterday. And why does it have to take so long.11
I have just thought of the perfect solution when support for fucking ancient IE versions creaps in the requirements (and asking the assholes to produce numbers to support the crazy does not help)
Just do browser detection and if IE < 9 Replace body with one of those winXP alert boxes that tell them there Computer is infected and that they can get a free scan (it's what they are used to anyway). Put a link to the installer of your favourite browser over the entire image.😎
Good news is 100℅ code reuse! Works on every outdated IE and every website that requires IE support.4
Every once in a while the flexibility of dynamic types comes back and bites you in the ars:
So I created method that returns the date significance (day, month, year) or null when no date is set.
I chose a class constant DAY with the value 0.
This is not a problem in if statements as I always use === but in this case a switch made more sense. And as you can guess no date set (NULL) was handled in the self::DAY (0) case... 😐😑😶 Silently resulting in wrong results when no date is given! #£#@$& (and other comic swearing symbols)
Even though php7 finally has decent type hinting resulting in much clearer defined API's we can still go very wrong.
More love to Go for less verbose static typing! To bad we can rarely use it at the office 😥2