

The myth of idiot proofing - silkodyssey
http://philosophtly.blogspot.com/2009/06/myth-of-idiot-proofing.html

======
scotty79
> Despite years of trying, making programming languages look more like English
> hasn't helped people become better programmers.

That's because human languages are geared towards interactive communication,
not towards describing problems and solutions precisely. That's why computer
languages resemble a rather precise mathematical language.

I don't like the idea that you should keep inconvenience in place to keep off
idiots. Idiots won't succeed anyway, but inconveniences harm professionals and
novices.

Maybe PHP is too easy, but mysql_real_escape_string() is too damn long. And
that's why the web is full of SQL vulnerabilities.

~~~
weaksauce
I think the web is full of SQL vulnerabilities because lots of people do not
understand that there is a problem with using user-submitted data without some
kind of tested sanitization method calls that are not homebrew. In all
reality they should be using stored procs with named parameters; dynamic SQL
queries are usually hard to do right (depends on the language; PHP makes it
hard).

If you use a stored procedure for user auth and the input comes in as x'; drop
table users;--, the system will not drop the tables because the parameters get
auto-quoted.

~~~
scotty79
You could easily design a language that would prevent most cases of SQL
vulnerabilities.

It would only need SQL as a first-class datatype with its own literals (let's
say sql""). It should not be concatenable with strings. Strings should not be
easily convertible to the SQL datatype. Any other data should mix with SQL only
through a formatting operator (let's say %). The formatting operator should of
course provide proper escaping by default.

You'd have to write: mysql_query(sql"SELECT * FROM table WHERE id = ?" % $id);
instead of mysql_query("SELECT * FROM table WHERE id = ".$id); because
mysql_query() would require a parameter of type sql (not string) and you could
not concatenate sql with anything else.

Similarly, you could prevent XSS attacks by making HTML a first-class datatype.
You could even have a simple native templating engine built into the formatting
operator for HTML.

Stored procedures are bad because they are not straightforward. You can't
expect people to keep off the grass and walk around while the shortest path
leads directly through the lawn.

The guy responsible for PHP coming up and saying to PHP developers "The Web is
broken and it's all your fault." (<http://www.internetnews.com/bus-news/article.php/3631831>)
pisses me off a bit.
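
An added illustration of the datatype described in the comment above; it is not code from the thread, and it uses Python and sqlite3 as a stand-in for the PHP/MySQL setting. The `Sql` class, `sql()` helper and `query()` function are constructed here: `Sql` refuses `+` with strings, `%` binds values as driver parameters instead of splicing them into the text, and `query()` rejects a plain string outright. The demo runs the `x'; drop table users;--` input quoted earlier in the thread through it.

```python
import sqlite3

class Sql:
    """Query text plus its bound parameters, kept separate (constructed example)."""
    def __init__(self, text, params=()):
        self.text = text
        self.params = tuple(params)

    def __mod__(self, values):
        # Formatting operator: values go into the parameter list, never into the
        # text, so the database driver does the quoting rather than the caller.
        if not isinstance(values, tuple):
            values = (values,)
        if self.text.count("?") != len(self.params) + len(values):
            raise ValueError("placeholder/value count mismatch")
        return Sql(self.text, self.params + values)

    def __add__(self, other):  # '+' is refused in either operand order
        raise TypeError("Sql values cannot be concatenated")
    __radd__ = __add__

def sql(text):
    """Stand-in for the sql\"...\" literal proposed in the comment."""
    return Sql(text)

def query(conn, q):
    """The only way to run a statement: a plain str is refused before execution."""
    if not isinstance(q, Sql):
        raise TypeError("query() needs a Sql value, not %s" % type(q).__name__)
    return conn.execute(q.text, q.params).fetchall()

def run_demo():
    conn = sqlite3.connect(":memory:")  # constructed in-memory database
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    hostile = "x'; drop table users;--"  # the input quoted earlier in the thread
    outcome = {}
    outcome["rows"] = query(conn, sql("SELECT name FROM users WHERE name = ?") % hostile)
    try:
        sql("SELECT name FROM users WHERE name = '") + hostile  # concatenation attempt
    except TypeError as e:
        outcome["concat_error"] = str(e)
    try:
        query(conn, "SELECT name FROM users WHERE name = '" + hostile + "'")
    except TypeError as e:
        outcome["str_error"] = str(e)
    outcome["users_left"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return outcome
```

The bound query simply matches no row, both string-building paths fail at type level, and the users table still holds its two rows afterwards.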

------
overgard
One thing I disagree with in this blog post is the implicit idea that you
should know what you're doing before you try to do something. Unless you're
building rockets, oftentimes the best way to learn is by just jumping in and
making something, even if your first attempt is poor.

~~~
shaper_pmp
This is true - doing is undoubtedly the best way to learn.

What I meant was that you shouldn't do something _for money_, or to be _put
into production_, before you know what you're doing. ;)

------
electromagnetic
Idiot proofing? I thought in computing that was wrapping bubble wrap around
the sharp edges and praying they don't hit a button.

------
gnovos
anyone who says "fool proof" does not understand the ingenuity of real fools.

~~~
mattdennewitz
As Douglas Adams put it, "a common mistake people make when trying to design
something completely foolproof is to underestimate the ingenuity of complete
fools."

