Flu

by Zef Hemel

There’s a flu running across the Netherlands and yesterday it hit me. Fever, headache, it’s not nice. However today I’ve been doing somewhat better, fever’s gone so that’s good.

It has been quite a while since I was really ill, it must have been many years ago. I’ve had colds, but never bad enough to stay at home and have to SMS the people that I was supposed to meet with to let them know I couldn’t come…

Do Magic Here

by Zef Hemel

RUP, the Rational Unified Process, is a methodology for developing software. It describes the software development process step by step.

In RUP there are four phases:
* *Inception phase:* figure out what your customer wants you to do.
* *Elaboration phase:* analyze the software requirements and come up with a design.
* *Construction phase:* do the coding, testing and documentation.
* *Transition phase:* install the software at the customer’s site and maintain it.

The reason that methodologies such as RUP exist is firstly to have a uniform way to take on a software project and secondly to provide guidelines on how proper software development should take place. There are, however, people who do not believe RUP is the true way to good software.

“This guy”:http://www.fysh.org/~katie/computing/methodologies.txt for example:

Every methodology I’ve come across has, at its kernel, a very small section labelled “do magic here”.

RUP is much the same. You draw the user interaction diagrams, you do the flow things, [magic happens here], you draw class diagrams with methods and stuff and then they get turned into code and the application falls out of the bottom of the process.

Reciprocity talks about something called “complexity smearing”. Which is where the class of people referred to as “packers” shuffle things around and write larger and larger documents, with the end result that the complexity is all broken up and spread out and no single page actually contains noticeable complexity. It’s still there, but it’s hidden inside a lot of words.

And there’s something missing…

And at the core of RUP is a small area where you have to use OO design talents…. if you don’t have them, it’s like having a methodology for running the 100m.

“Step 1: write about running really fast. Step 2: Go and draw a plan of the racetrack. Step 3: go and buy really tight lycra shorts. Step 4: run really, really, really fast. Step 5: cross line first”

It’s that step 4 that’s the tough one. But if you put lots of emphasis on 1, 2, 3 and 5 it’s possible no-one will notice and then you could probably make a lot of money selling the methodology to would-be athletes who think there’s some “secret” to being a 100m runner over and above being born with the ability to run fast.

PHP Version Control

by Zef Hemel

I like version control systems. They are very useful, not only for keeping older versions of files, but also for easily keeping directories synchronized on multiple machines. The problem is that you have to run a server, such as Subversion or CVS, to be able to use one, and not everybody has a machine at his/her disposal that is up 24/7. About “a year ago”:http://www.zefhemel.com/archives/2004/02/25/subversion-1-0-out I mentioned a simple solution for this: why not write a version control system in PHP? A host that supports PHP is very cheap these days, so why not run a web service in PHP that acts as the backend server for your version control?

One guy e-mailed me back then and said he would start working on it. I haven’t heard of him since. This morning I felt like giving it a shot myself. I spent a couple of hours on it and got a basic system running. This is how it works and what it does right now:

It’s a single PHP script that takes advantage of the “IXR_Library”:http://scripts.incutio.com/xmlrpc/, which I use as the XML-RPC server implementation for PHP. All I had to do was implement the storing and retrieving of files, for which I use the file system. To set up a repository, all you have to do is create an empty directory and chmod it to 777 (world-readable and world-writable). For the front-end (on your own computer) I wrote a simple client script in Python that talks to the PHP version control script. It seems to work quite well so far.

This is what works (at this moment it’s only about 300 lines in total, client and server together):
* Check-out
* Update (checks which files have changed in the repository and downloads the new versions)
* Check-in (uploads files that you have modified). On the server side all older versions of a file are kept.

What basically still needs to be done: add authentication (right now everybody can do anything on the repository), add security checks (it’s still rather insecure), add a check that warns people if they’re checking in a file that has since been checked in by somebody else, allow retrieving older versions of files, and the usual diff and merge functionality.

I in no way intend to compete with products like Subversion or CVS. The idea is that it will be a light-weight, simple multi-user version control system so that everybody can enjoy the advantages of basic version control.
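As an added example (not the author’s PHP/IXR code, which is not shown on this page), here is a sketch in Python of the server-side storage logic the post describes, the part an XML-RPC method would call: every check-in of a path becomes a new numbered version file, so all older versions are kept; an update reports which paths have newer versions than the client holds; and an older version can be retrieved. Two items from the to-do list are included as my own assumptions about how they would be done: a path check that refuses client-supplied paths escaping the repository directory (any file-backed store that takes paths from the network needs this), and an expected-version argument to check-in that detects somebody else having checked in the same file in the meantime. The names Repository, ConflictError and demo() are mine, and the files written by demo() are constructed for the walk-through.

```python
import os
import tempfile


class ConflictError(Exception):
    """Raised when a check-in is based on a version that is no longer the latest."""


class Repository:
    """Directory-backed store: each check-in of a path becomes a new numbered
    version file, so every older version stays available.
    Layout: <root>/<path>/<version number>."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def _version_dir(self, path):
        # Path check (my assumption about the "security checks" on the to-do list):
        # resolve the client-supplied path against the repository root and refuse
        # anything that ends up outside it, e.g. "../../etc/passwd" or "/etc/passwd".
        full = os.path.realpath(os.path.join(self.root, path))
        if full == self.root or os.path.commonpath([full, self.root]) != self.root:
            raise ValueError("path escapes repository: %r" % (path,))
        return full

    def versions(self, path):
        """Sorted version numbers stored for a path (empty if never checked in)."""
        d = self._version_dir(path)
        if not os.path.isdir(d):
            return []
        return sorted(int(name) for name in os.listdir(d) if name.isdigit())

    def checkin(self, path, data, expected_version=None):
        """Store data as the next version of path and return its number.
        expected_version is the version the client last updated to; if somebody
        else checked in since then, refuse instead of silently overwriting them."""
        d = self._version_dir(path)
        latest = (self.versions(path) or [0])[-1]
        if expected_version is not None and expected_version != latest:
            raise ConflictError("%s is at version %d, you have %d"
                                % (path, latest, expected_version))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, str(latest + 1)), "wb") as f:
            f.write(data)
        return latest + 1

    def checkout(self, path, version=None):
        """Return the content of path at the given version (default: the latest)."""
        d = self._version_dir(path)
        stored = self.versions(path)
        if not stored:
            raise FileNotFoundError(path)
        if version is None:
            version = stored[-1]
        if version not in stored:
            raise FileNotFoundError("%s has no version %d" % (path, version))
        with open(os.path.join(d, str(version)), "rb") as f:
            return f.read()

    def update(self, client_versions):
        """Given {path: version the client has}, return {path: latest version}
        for the paths where the repository holds something newer."""
        changed = {}
        for path, have in client_versions.items():
            stored = self.versions(path)
            if stored and stored[-1] > have:
                changed[path] = stored[-1]
        return changed


def demo():
    """Walk through the operations in a fresh temporary repository (constructed data)."""
    repo = Repository(tempfile.mkdtemp())
    v1 = repo.checkin("src/main.py", b"print('hi')\n")           # first version
    v2 = repo.checkin("src/main.py", b"print('hello')\n", v1)    # based on v1: fine
    changed = repo.update({"src/main.py": v1, "README": 0})      # client is behind
    old = repo.checkout("src/main.py", v1)                       # fetch an older version
    try:                                                         # stale check-in
        repo.checkin("src/main.py", b"print('bye')\n", expected_version=v1)
        conflict = False
    except ConflictError:
        conflict = True
    try:                                                         # path traversal attempt
        repo.checkout("../../etc/passwd")
        blocked = False
    except ValueError:
        blocked = True
    return {"v1": v1, "v2": v2, "changed": changed, "old": old,
            "conflict": conflict, "blocked": blocked}
```

In the design the post describes, checkin, checkout and update are the kind of methods the PHP script would register with the XML-RPC server and the Python client would call. Authentication is still absent here, just as in the original; without it the path check only stops a client from reading or writing outside the repository, not from doing anything it likes inside it.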

Exactly two years ago I made the very “first post to my blog”:http://www.zefhemel.com/archives/2003/02/10/welcome-to-my-weblog. And today I post my 1000th post. Such a coincidence. Happy blogging anniversary to me.

I started out with only myself as reader, but throughout the months, and in particular in the past few, many joined my reader’s club. I tried to find out how many people are actually reading my blog, but it’s hard to figure out. According to StatCounter I get about 500-600 pageviews per day. But that’s only website traffic and doesn’t count the different RSS feeds. My RSS2 feed is the most requested file according to my webalizer statistics. I wrote a little Python script to analyze my apache logs to see from how many different IPs these feed requests came. I looked at the number of subscribers at bloglines and I would estimate that there are in total roughly 150-200 people subscribed to my feeds now.

Without knowing that people would read what I had to say, I wouldn’t have kept doing this, so thank you. In particular people who gave feedback on my posts; it’s always encouraging.

As a special treat for my readers I’ll end this post with some breaking news: there’s a way to prevent cancer. All you have to do is eat carrots, and lots of them:

Eat a lot of carrots

Eat those carrots and you’ll never get cancer, isn’t that amazing? I think so. I wonder if it would work with donuts as well. I prefer donuts over carrots.

Computer Law

by Zef Hemel

How does the law apply to the digital world? Is it legal to copy a music CD? Can I download movies and music through peer to peer networks, legally? Those are some of the questions that will be answered in a class I’m taking: Computer Law.

I had my first class today and it’s looking very interesting so far. Some things that I’ll learn more about:
* Intellectual Property
* Identity
* Privacy
* Licensing
* Contracts
* E-Commerce
* Taxes (in e-commerce)
* Liability (if a bug in your software causes the hard drive of a user to be wiped, can you be held responsible?)

In short: very interesting stuff.

Ever happened to you? You have a good idea for something, only to find out that it already exists? I’ve had that many times recently. It’s one of the drawbacks of modern society: so much has been done and thought of already. Hundreds of years ago all you had to do was drop a leaf into a cup of hot water to invent something new (tea). Now it takes a lot more to be innovative.

Example.

Universities have changed a lot since Plato started the first western one around 2392 years ago (yup, looked that up). Students who attended his academy were taught philosophy, mathematics and gymnastics. Not one of them; all of them. Today universities have dozens, sometimes even hundreds of different things you can study. Being good at “gymnastics” is in some countries just the easiest way to get into a good university.

With so many things to study, in such a diverse range of subjects, there is no way that you’re going to learn it all. If you go and study philosophy today, you most likely won’t learn a thing about mathematics, computer science, social sciences, chemistry, physics, biology, German literature, French literature or business, to name a few. All these areas are so amazingly big that knowing everything from only one of them is impossible, let alone multiple ones.

Some areas have things in common of course. Computer science is founded on mathematics and engineering. The social sciences deal with social networks; computer science deals with networks a lot as well. A lot of knowledge and experience can be shared throughout many areas of science.

I often get the feeling that it would be good if every student studied a totally different area of science beside his/her own. I think there’s a lot to be gained by this. For example, people who have studied English literature have learned to analyze books and texts and to put them into their historical context, and have looked at the evolution of characters and of writing in general. What would happen if somebody like that studied computer science? Would they come up with totally different approaches to solving problems than we currently do? Or vice versa. If you study something, you learn to think in a certain way, a way that may be very specific to your area of interest, yet that may be applicable to many others.

And then I realized that there’s already something to make this happen. Not every university has it, here in the Netherlands, but it’s coming. It’s the major/minor system. You choose a major, for example computer science, which takes up most of your study. You also pick a minor, which is smaller than the major, but can be totally unrelated. Say, literature.

Good to realize that it already exists, but a waste of brain activity on my part.

SQL Injections Suck

by Zef Hemel

Perhaps the most common way websites get hacked today is through SQL injection. This kind of vulnerability is easy to find for people with too much time on their hands (and trust me, there are lots of those).

The idea is simple. A website uses SQL to retrieve data from a database, and the queries are built dynamically to fetch the data that the user requested. For example, when a user requests article.php?id=123, the query to get the requested article is something like SELECT * FROM articles WHERE articleid = 123;. Simply pasting the id value from the request string into the query, although the obvious solution, is very dangerous. For example, what if I make this request? article.php?id=0;SELECT%20password%20FROM%20users%20WHERE%20isadmin=1. This results in the query SELECT * FROM articles WHERE articleid = 0;SELECT password FROM users WHERE isadmin=1; (whether that second statement actually runs depends on the database API; some drivers refuse to execute more than one statement per call, but injecting into the WHERE clause itself, as in the login example further down, needs no second statement at all). It very well may be that somebody just obtained your admin’s password. Not something that you want. You can avoid this kind of thing by checking all your input for valid values: numbers should have numeric values, the apostrophes (’) in strings should be escaped before being inserted into a query, and so on. Escaping by hand is easy to forget in one place, though, and many programming APIs provide a more robust option through parameterized queries.

Parameterized queries have two advantages. The first is that the values are handed to the database separately from the query text, so they are never parsed as SQL: no escaping is needed, and SQL injection (as this vulnerability is called) is simply not possible through them. The second is that the query can be parsed once rather than on every call, which makes repeated use of a parameterized (or prepared) query faster. A parameterized query looks something like this: SELECT * FROM articles WHERE articleid = ?. The ? is replaced with a value on execution. Some APIs use other ways to mark the places where values should be inserted; for example, some use named ones, SELECT * FROM articles WHERE articleid = @id, which is useful with many parameters. Note that only values can be parameterized; table and column names (or an ORDER BY column) still have to come from a fixed list in your own code.

Why do I mention this now? Because somebody recently found an SQL injection bug in “KeyTopic”:http://www.keytopic.com. I know about SQL injections of course, and tried my best to make sure they cannot be used on KeyTopic, but apparently forgot one place. On login you could log in as me by using this as your username: Zef’ or 1=’1. As you can see, these hacks can be done really easily. I should have used parameterized queries in KeyTopic, but I didn’t really know of them when I wrote it.

You can find “a good article about SQL Injection attacks here”:http://www.unixwiz.net/techtips/sql-injection.html.
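To make the two approaches concrete, here is an added example in Python using the standard sqlite3 module. It is not code from KeyTopic, and the users and articles tables and their contents are constructed for the demonstration. login_vulnerable builds the query by string formatting and accepts the username from the post, Zef’ or 1=’1, as a login for Zef without the password; login_parameterized sends the same values as parameters and finds no such user. get_article_checked shows the “numbers should be numeric” check for the article.php?id= example: the injected id is rejected before any SQL is built. The function names and the sample passwords are mine.

```python
import sqlite3


def make_db():
    """Constructed sample database for the demonstration (not KeyTopic's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, isadmin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("Zef", "correct horse", 1), ("alice", "s3cret", 0)])
    con.execute("CREATE TABLE articles (articleid INTEGER, title TEXT)")
    con.execute("INSERT INTO articles VALUES (123, 'SQL Injections Suck')")
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string formatting, so the input is parsed as SQL."""
    query = ("SELECT username, isadmin FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    # With username "Zef' or 1='1" the query becomes
    #   ... WHERE username = 'Zef' or 1='1' AND password = '...'
    # and the OR makes the password irrelevant: Zef's row matches on its own.
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Hands the values to the database separately from the SQL text, so they are
    matched as data; "Zef' or 1='1" is just a username nobody has."""
    query = "SELECT username, isadmin FROM users WHERE username = ? AND password = ?"
    row = con.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def get_article_checked(con, id_param):
    """Numbers should be numeric: int() rejects anything that is not a plain
    integer, so "0;SELECT password FROM users WHERE isadmin=1" raises ValueError
    before any SQL exists. The lookup itself is parameterized as well."""
    article_id = int(id_param)
    row = con.execute("SELECT title FROM articles WHERE articleid = ?",
                      (article_id,)).fetchone()
    return row[0] if row else None
```

The vulnerable function is the shape of the one place that was forgotten: one string-built query anywhere is enough, which is why switching the whole code base to parameters (rather than hunting for every apostrophe to escape) is the fix that holds up.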
