Having to escape output to a web page
Friday September 01st 2006, 8:14 am
Filed under: scripting, security

I was reviewing a coworker’s code the other day (he’s still in training) and I thought I’d test out some hacking techniques; the code didn’t even come close to preventing my petty scheme. A simple allowed me access to the page (and potentially a whole host of other things). Obviously the reason this attack works is that un-escaped form input is thrown right back into the form input field, but what I want to know is why languages can’t handle this themselves.

I understand that most languages have some escaping routine (in PHP, htmlentities()), but why can’t languages do this by default when they recognize the page as XHTML? PHP certainly knows this, and so does Java. So the question is, why can’t the default for output from a scripting language be HTML-escaped entities?

Yes, yes, I know… you’ll tell me that in that case you couldn’t do things like eval() in PHP or JS with code taken from form input… and I say good! Besides, you shouldn’t be using direct input anyway; you should be filtering it and using the clean input! And I know that there are other output types that may need a different type of escaping (primarily, database injection)… So perhaps the real question is, why shouldn’t languages default the output type to escaped HTML entities for variables the language knows are inputs (in PHP, $_GET and $_POST; in Java: request.getParameter() [maybe, this one is hairy]) when it knows the output is XHTML?

Okay, I’m ready for the onslaught, let me have it.
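As an added example (not the post’s own code), here is the vulnerable pattern described above beside a hypothetical escape-by-default wrapper around $_GET/$_POST, which is one way the “inputs come out escaped unless you ask for raw” idea could look in PHP. EscapedInput, renderVulnerable and renderEscaped are assumed names, and the sample request is constructed.

```php
<?php
// Added example, not code from the original post. Models the post's proposal:
// request parameters come back HTML-escaped by default, and a caller has to
// ask explicitly for the raw value (which it must then filter itself).
declare(strict_types=1);

final class EscapedInput
{
    /** @param array<string,mixed> $source e.g. $_GET or $_POST */
    public function __construct(private array $source) {}

    /** HTML-escaped value, safe for element content and quoted attributes. */
    public function get(string $key, string $default = ''): string
    {
        $raw = $this->source[$key] ?? $default;
        if (!is_string($raw)) {   // array-valued params (name[]=...) are not text
            $raw = $default;
        }
        return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /** Unescaped value; the caller is responsible for validating it. */
    public function raw(string $key, string $default = ''): string
    {
        $raw = $this->source[$key] ?? $default;
        return is_string($raw) ? $raw : $default;
    }
}

// The pattern the post describes: raw input echoed straight back into the
// value attribute, so a quote in the input ends the attribute early.
function renderVulnerable(array $get): string
{
    $name = $get['name'] ?? '';
    return '<input type="text" name="name" value="' . $name . '" />';
}

// Same markup, but the value is escaped on the way out.
function renderEscaped(EscapedInput $in): string
{
    return '<input type="text" name="name" value="' . $in->get('name') . '" />';
}

// Constructed sample request (not real traffic): a quote followed by markup.
$sample = ['name' => '"><em>injected</em>'];
echo renderVulnerable($sample), "\n";                 // markup lands in the page
echo renderEscaped(new EscapedInput($sample)), "\n";  // stays inside value="..."
```

Run it from the command line with `php escaped_input.php` (any file name works) and compare the two lines: only the first one contains a literal `<em>` element outside the input tag.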



Beauty in Simplicity
Thursday August 24th 2006, 7:56 am
Filed under: simplicity, agile

What I don’t like about many applications (both web and desktop apps) is the sense that they need to do everything. Microsoft Word, for example, has thousands of built-in functions to do all sorts of things that frankly a word processor shouldn’t be doing!

[Calvin & Hobbes comic strip]
Perhaps the wording better fits my rage at those who talk on cell phones while in line at the video store, but I think it applies to our situations as well. Quite simply, developers (and the companies they work for) are doing too much at once.

There is beauty in simplicity, and that simplicity is what we all should strive for. A Standish Group study was presented at XP 2002 by keynote speaker Jim Johnson (see slide 13 of the PDF presentation) in which it was found that 45% of features in a typical system were not used at all - in fact, only 20% of the features were used frequently. So why were those features included in the first place? Because the developers (and/or their managers) were trying to do too much at once.

It’s really quite simple, people: if you’re planning to write an application (web, desktop, or really anything else), make it do what it needs to do, what it is supposed to do. The end result will be much cleaner (in terms of bugs) and more beautiful (because it will be easier to use).

[Edit: I also don’t like that the comic strip extends off the edge of this WordPress theme… Me thinks it is time to write my own…]



Introductions
Wednesday August 23rd 2006, 3:48 pm
Filed under: miscellaneous

Here it is, my technology blog. It only seems fitting that I start this off by saying that I (for the most part) do not like technology blogs. I think the authors make themselves sound pretentious, overbearing, and omniscient. They are not, myself included. I do not like reading that the way I do things is utterly wrong, I’m obviously doing them for a reason. I don’t mind being told a cool new way of doing things, but don’t assume that what works for you will work for me.

Okay, with that out of the way, I’ll get back to customizing this WordPress installation and report back to you.
