|
Internet Janitor posted:Do they specify a level of granularity? Public methods (easy and a good idea), Lines (arbitrary), Code paths (gently caress)? If you break up your methods into small logical pieces, it's normally not _that_ hard to test all the code paths for each small piece. I mean that's basically unit testing. If you have to have 100% code coverage on every code path that the app could possibly take then I don't know what the gently caress.
|
# ¿ Oct 16, 2011 21:22 |
|
|
# ¿ Apr 25, 2024 14:02 |
|
Contrived Example!code:
code:
code:
code:
code:
code:
|
# ¿ Oct 19, 2011 16:21 |
|
Frozen-Solid posted:
Emphasis mine. If you're attempting to sanitize input instead of using a prepared statement you are exactly the sort of person who should never be writing SQL manually. SQL is a lovely DSL that requires me to leave the language I prefer to write in, to write in another language. I use an ORM because I like writing in my preferred language and I like operating on objects. That being said anyone who thinks "Use the ORM Luke" is the only answer and you never need raw SQL (or that an ORM is always the answer at all) is an idiot. Any ORM worth using has a way of dropping to raw SQL and optionally populating the object(s) from that raw SQL. Because, surprise!, sometimes the ORM writes brain dead SQL and you need to write it your self if you don't want to bog your app down.
|
# ¿ Dec 12, 2011 13:49 |
|
Frozen-Solid posted:There's more to sanitizing user input than just escaping quotes to prevent injection. Every piece of user input should be checked for validity long before it even sees SQL. The fact that people think SQL injection is the only reason for sanitizing user input is the horror here. Now you're backpedaling, you explicitly said that you should sanitize input to prevent SQL Injections. There are other, valid, reasons to sanitize input but your statement didn't mention them, it only claimed that the "correct" way to handle App -> DB code was to sanitize input which it patently wrong.
|
# ¿ Dec 12, 2011 14:25 |
|
Janin posted:https://github.com/rails/rails/issues/5228 The best part about this is how this has been known for like 4 years, and time and time again Rails Core has basically said it's not their problem, end developers should know this etc etc. The very same day that Github gets exploited using it they commit a change to Rails so that new projects by default have a whitelist instead of a blacklist.
|
# ¿ Mar 5, 2012 12:40 |
|
tef posted:I can't wait for 'how secure is my credit card number' http://ismycreditcardstolen.com/
|
# ¿ May 24, 2012 02:31 |
|
Thermopyle posted:I love how this thread always comes back to PHP. Ender.uNF posted:PHP is a great example of mediocrity at work... Some dude created his own templating system, some other dudes hack on it, wanna-be coders everywhere adopt it en-masse. Popularity used as proof that it's great. http://otherwise-than-code.blogspot.com.au/2012/07/complex-made-easy-or-debate-over-php.html
|
# ¿ Jul 6, 2012 08:17 |
|
leterip posted:The point is that you have to assume that the fopen() call could raise a warning regardless of how much checking you do because by the time you get to actually opening the file the state of the filesystem could be different, so why bother doing the checking? It's a completely worthless function. There are other reasons to check if a file exists or is readable than to write (or read) from it. Sometimes you just want to know if the file exists and is readable.
|
# ¿ Jul 27, 2012 11:10 |
|
Cocoa Crispies posted:Where's the horror there? Global variables are great. Hope you didn't want to run a second copy in the same process.
|
# ¿ Jan 4, 2013 06:54 |
|
dexter posted:If it's the same process, shouldn't it share the same configuration variables? We don't use environment variables for configuration (outside of random hack day projects that get pushed to Heroku) but it's an idea we've thrown around to simplify the deployment of new applications without pulling operations in. Right now repositories have development-mode only credentials that are overwritten by our deployment processes with real credentials. Can you expand on why environment variables are a horror? The expanded reason is your application shouldn't rely on environment variables and instead your startup script (or wsgi file, or whatever) should accept those environment variables and feed them into a sane configuration method. A contrived/simple example would be a flask app that just simply serves a directory and takes the directory to serve as a parameter. If you have in the app the concept of loading config from an environment variable then if you want to serve 2 directories you need to either a) Modify the app to handle a list of directories, b) run 2 separate processes one configured for dir 1, one configured for dir 2, or c) use Application dispatching to run multiple instances of the same flask app in the same process with different configurations. (http://flask.pocoo.org/docs/patterns/appdispatch/). It might not even be 2 instances of the same app but just 2 different apps you want to live in the same process and both have a hardcoded reference to "DATABASE_URL". Another example of where you'll want to possibly run multiple configurations of the same app in the same process is with unit testing. Anyones whose used Django can attest to how much of a pain in the rear end it is to handle testing different configurations when unit testing a library. The bulk of this problem comes down to the massive amount of global state in Django, starting with DJANGO_SETTINGS_MODULE. The *right* way to do configuration from an environment variable is to do something like: Python code:
Python code:
Comrade Gritty fucked around with this message at 13:50 on Jan 4, 2013 |
# ¿ Jan 4, 2013 13:42 |
|
dexter posted:If it needs to connect to another database then it probably shouldn't run in the same process as this application. I think it's better to use a smart HTTP routing layer to handle dispatching requests to disparate applications instead of mounting them within a single application. The database url was just an example. splitting it into separate processes can make sense. It can also make sense to keep them in the same one. Hardcoding environment variables means you're forced to make them separate processes. Even if you think that there is never a reason to have the same app in the same process there's still the matter of testing and when you use process globals that makes running tests with different configurations involve lots of monkey patching instead of simply being to create another instance of your app with different configuration. Maybe a better real world example would be the boto library which will (optionally) pull the AWS credentials from an environment variable. This makes it easy to mistakenly use the wrong credentials in the wrong place. Forget to pass in the configuration to your second instance of boto (or stand up a new instance and forget to include the configuration for the second AWS account and boto automatically grabs your config for the primary account out of the environment variables). boto mitigates the inability to connect to a second account by allowing you to pass in the configuration and not pull it from environment variables but the behavior still has potential to turn a bug that would be easily caught and fairly "harmless" (e.g. it would exception because of missing creds) into potentially a very bad bug that has no immediately obvious consequences.
|
# ¿ Jan 4, 2013 23:29 |
|
Doctor w-rw-rw- posted:Sorry, this just sounds kind of nuts. Why not just make a config.py and do "import config", add it to .gitignore, then copy it sans credentials as config.py.example and add that to source control? A hardcoded or environment variable driven configuration file has all the same problems. It's a process global configuration source that makes it difficult or hard to run multiple instances of your thing in one process, and to test varying configurations without needing to resort to hacky monkeypatching.
|
# ¿ Jan 4, 2013 23:31 |
|
Doctor w-rw-rw- posted:What solution would you advocate, though? I think that as far as transparency and refactor-ability go, having a hardcoded file that is the single source of truth beats pulling variables in from the environment. Fully functional configuration management IMO gets in the way at small scale (well, for me at least), however essential it is at large scale. App class that holds configuration as an instance member. You can configure that class in the script_you_use_to_actually_start_your_app (in my example it was a simple python script that just ran app.run() from Flask). Your configuration can come from a file, or environment variables or what not but when you instiate your application/library/whatever you process that file and then pass the configuration into your app instead of your app itself looking for a file, environment variable, etc. Python code:
Comrade Gritty fucked around with this message at 03:50 on Jan 5, 2013 |
# ¿ Jan 5, 2013 03:48 |
|
dexter posted:What sort of configuration changes are you making between test runs? Shouldn't those changes be managed within the individual unit or functional test groups? Yes, but if your application assumes it's configuration is coming from the environment variable, or a particular file on the system then you need to patch the global state in your unit test to test those changes, instead of having your unit test just instantiate a new copy of your app configured a particular way.
|
# ¿ Jan 5, 2013 03:53 |
|
Passlib is excellent for password storage in Python FWIW
|
# ¿ Mar 1, 2013 05:56 |
|
|
# ¿ Apr 25, 2024 14:02 |
|
Steve French posted:Except that sorting an array of integers lexicographically is not sane. Maybe giving not-meaningful results when sorting a heterogeneous array when an explicit comparator is not given, as python does, is not sane either. In Python3 instead of a not-meaningful result you get a TypeError.
|
# ¿ Jan 10, 2014 12:37 |