Nerderati

You're probably not nerdy enough.

The PHP 5.3 Y-Combinator

One trick that seems to be all the rage these days is to show off fancy results from functional languages in their imperative counterparts. Now, I love functional languages; OCaml/Haskell/Erlang give me a programmer hard-on that imperative languages can only dream of. In that vein, I present to you a very clever implementation of the y-combinator in PHP 5.3 that Nate Abele came up with a few nights ago while we were discussing fixed-point combinators over instant messenger:

(see the original Twitter post)

Sexy, right?

If you’re keen on fooling around with the gist, your first challenge is to implement a memoized version of the above y-combinator. Your second (which will take you significantly longer) is to come up with a valid reason to actually use this in production code.
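Since the embedded gist is not reproduced on this page, here is an added example of my own (not Nate Abele's gist): an applicative-order Y-combinator written with PHP 5.3 closures, followed by a memoizing variant as one possible answer to the first challenge. The names Y, Ymemo, $fibBody and the $calls counter are my own choices, and nothing here uses named recursion; the recursive reference is produced entirely by self-application.

```php
<?php
// Added example (not the original gist). Requires PHP >= 5.3 for closures.

// Y: applicative-order fixed-point combinator. $F receives a "self" callable
// and returns the function that recurses through it. $g is applied to itself,
// and each call to self lazily rebuilds $g($g) so evaluation never loops.
function Y($F) {
    $g = function ($x) use ($F) {
        return $F(function () use ($x) {
            return call_user_func_array($x($x), func_get_args());
        });
    };
    return $g($g);
}

// Ymemo: same combinator, but every callable handed to $F (and the final
// result) is wrapped so that a repeated argument list is answered from $cache.
// $cache is shared by reference across all wrappers created by this call.
function Ymemo($F) {
    $cache = array();
    $memo = function ($fn) use (&$cache) {
        return function () use ($fn, &$cache) {
            $args = func_get_args();
            $key = serialize($args);      // the argument list is the cache key
            if (!array_key_exists($key, $cache)) {
                $cache[$key] = call_user_func_array($fn, $args);
            }
            return $cache[$key];
        };
    };
    $g = function ($x) use ($F, $memo) {
        return $F($memo(function () use ($x) {
            return call_user_func_array($x($x), func_get_args());
        }));
    };
    return $memo($g($g));
}

// Factorial through the plain combinator.
$factorial = Y(function ($self) {
    return function ($n) use ($self) {
        return $n <= 1 ? 1 : $n * $self($n - 1);
    };
});
echo "10! = ", $factorial(10), "\n";

// Fibonacci through both versions. $calls counts evaluations of the body so
// the effect of memoization is visible: exponential without it, linear with it.
$calls = 0;
$fibBody = function ($self) use (&$calls) {
    return function ($n) use ($self, &$calls) {
        $calls++;
        return $n < 2 ? $n : $self($n - 1) + $self($n - 2);
    };
};

$fib = Y($fibBody);
echo "fib(20) = ", $fib(20), " after ", $calls, " body evaluations\n";

$calls = 0;
$fibMemo = Ymemo($fibBody);
echo "fib(20) = ", $fibMemo(20), " after ", $calls, " body evaluations\n";
```

The memoized variant wraps the self reference rather than the user's function, so the cache check happens on every recursive call, not just the outermost one; with the Fibonacci body above, each distinct argument is evaluated only once. Note that `func_get_args()` inside closures and `$var()` invocation of Closure objects both require PHP 5.3 or later.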

Hello, World

When a programmer takes his/her first steps in a new language, the first example program he/she codes (or skips over) is usually the prototypical “Hello, world”, or a variant thereof. I thought I might run through a few of the classical “Hello, world” examples from programming languages that I find interesting.

This first example is from Factor, an example of a concatenative (as opposed to applicative) language:

I’m trying to find more reasons to toy with Factor, simply because it is such a huge departure from the programming languages I’ve used in the past. Some of the interesting features:

  • A postfix syntax
  • Stack-based
  • Classes can be predicate and union based

The next is from Haskell, my favourite functional programming language:

My favourite Turing-complete joke language, LOLCODE:

As a crazy side note, it appears that the Turing completeness of LOLCODE was in part proven by using it to create a Brain Fuck interpreter (BF having already been proven to be Turing complete). That’s fairly mind-blowing to me, especially considering that BF is pretty much as incomprehensible as it gets (by design), and LOLCODE syntax is based on subtitles from funny cat pictures.

Fortran is still heavily used in high performance computing, benchmarking and scientific analysis (e.g. computational physics) due to its extremely stable and robust floating point arithmetic and floating point exception handling. I still wouldn’t touch it with a ten-foot pole these days, however.

Got any favourite languages that aren’t “mainstream”? Let me know in the comments.

The Meritocracy of Open Source

In democracies, power is held by the citizens. The problem with this (at least in terms of open source software) is that, by and large, people are dumb.

The root of the problem lies in the fact that many people approach code in a selfish, rather than Utilitarian, manner. Of course, this is a non-issue in circumstances when you are writing code that will never be released to the public. But for those of us that do work and contribute to open source codebases, utilitarianism is a smart (and thankfully prominent) modus operandi. If the core developers of some popular web frameworks started adding classes and methods in their respective codebases to properly parse Flickr LOLCODE, I’m sure a few concerned voices would be heard.

Open Source is not a Democracy. It’s a Meritocracy.

Plato seemed to have addressed this issue in his famous Socratic dialogue The Republic, suggesting that the ideal form of government was one formed of philosopher-kings. If we disregard the pompous title of ‘philosopher-king’, Plato’s idealized form of government is quite similar to how most open source projects are managed. Core members are not elected by the community. Rather, they are appointed to their position based on their qualifications, and are tasked with governing in such a manner that will yield the greatest good for the greatest number of people. This resembles most open source organizational methods quite well [1].

As such, I’ve come to this conclusion: Open Source is not a Democracy. It’s a Meritocracy. There are no political parties, campaigns or lies and promises. Instead, a person is judged entirely by the code that they write, and the relative usefulness of the latter to the community at large. No one is ‘elected’ into an open source team. You get invited, usually (and hopefully) on the basis of your individual merit and perceived dedication to the project.

And the crazy part? This actually works. Open source produces some fantastic software. Much of the internet and the web runs on open source stacks, and those numbers don’t seem to be dropping anytime soon. Add to that the incredible advances that have been made in the last decade in open source desktop and so-called ‘enterprise’ software, and the above conclusion is undeniable.

Is a Meritocracy the best philosophy under which we should write code? Perhaps not. But I can’t think of anything better.

If it ain’t broke, don’t fix it.

[1] The only exception that I know of is FreeBSD, where they hold elections for the core team every two years. This (surprisingly) seems to work extremely well for them.

Hacking Hotel Wifi With an SQL Injection

After attending & speaking at CakeFest 2009 in Berlin, Germany, I decided to take a week off and explore the city. Since the hotel that I had been lodged in for the conference had free Wifi, I assumed that this was the norm in mid-range to high-end hotels in and around Berlin. And, as you may have noticed from the title of this post, it seems as if I was mistaken.

Crazy prices

There’s no way in hell I was going to pay 69€ for the five days that I was staying at that hotel. So, like any good freeloader, I first checked the other available networks that I could connect to.

The Intrigue

After a bit of recon on signal strength with iStumbler, I tried to connect to the only other moderately strong network that wouldn’t make me stab my own eyes out.

Available networks

It turned out to be another managed Wifi from the hotel across the street, but these guys offered a ‘Free’ connection in addition to their ‘Business’ connection (which was about as crazily priced as the one I was trying to desperately avoid paying), the difference being some bullshit options like not actively blocking VPN ports and prioritized traffic. Oh well, free is still better than nothing. Plus, I thought, I could always just tunnel whatever ports & services I needed.

The Turn

Of course, that would have been too easy. To actually use their free Wifi, you needed to input your room number, as well as the name of the person who registered the room in the first place. Seems that this particular establishment didn’t like the idea of letting people not actually staying at the hotel using their ‘free’ wifi.

After trying a few random room numbers and gibberish names to verify that data validation was actually being performed on the server-side, I figured I had nothing to lose by trying a few standard SQL injections to see if I could bypass the whole process.

Typical SQL injection attempt

At first blush I thought that this error message meant that my attempts were in vain, since the application seemed to be escaping my input and determined that no relative of Bobby Tables was currently in room 228.

The Revelation

However, I know how developers can sometimes be lazy, and this laziness sometimes manifests itself in slightly incorrect error messages. So I tried a different room number.

Another SQL injection attempt

And lo and behold, success!

Success!

Granted internet access

I wasn’t going to be downloading torrents with a 200mb/50mb daily transfer limit, but it was good enough to check emails and do the occasional git pull on some projects.

It Shouldn’t Be This Easy

Sometimes I wonder how any web developer worth his salt can overlook such a simple SQL injection vulnerability, especially one that is both well documented and easy to protect against. Worse, I’m pretty sure that this application was developed for multiple hotel locations, which means this brain dead attack vector exists in all of those spots.

Now, I only tried this attack on the ‘Free’ wifi, but you can see all the trouble that could be caused by performing this same process on the ‘Business’ wifi option, which would have billed the room occupant at the end of his stay. I wouldn’t like to be the desk clerk when that person checked out of the hotel.

With tools like SQL Inject Me available at the click of a button, it’s never been easier to test (and hack) forms for a variety of simple injection vulnerabilities. Couple that with any half-decent developer who can figure out a few details about the internal structure of your application, and you’re just asking for trouble by not sanitizing your input.
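As an added illustration of what "easy to protect against" looks like (my own code, not the hotel's application, whose internals are unknown): a minimal room/name lookup in PHP, once with the query built by string concatenation and once with a PDO prepared statement plus input validation. The guests table, its rows and the function names are constructed for the example, and it assumes the pdo_sqlite extension so that it runs against an in-memory database.

```php
<?php
// Added example, not the hotel's code. Assumes PHP with the pdo_sqlite
// extension; the guests table and rows below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE guests (room INTEGER NOT NULL, name TEXT NOT NULL)");
$db->exec("INSERT INTO guests (room, name) VALUES (228, 'Jane Doe')");
$db->exec("INSERT INTO guests (room, name) VALUES (301, 'Pat O''Brien')");

// Vulnerable: request values are pasted into the SQL text, so any quote or
// operator inside them becomes part of the query instead of part of a value.
function isGuestConcat(PDO $db, $room, $name) {
    $sql = "SELECT COUNT(*) FROM guests WHERE room = " . $room
         . " AND name = '" . $name . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: the statement shape is fixed at prepare time and the values are
// bound separately, so they can never be parsed as SQL. The room number is
// also validated as a short digit string before it reaches the database.
function isGuestPrepared(PDO $db, $room, $name) {
    if (!is_string($room) || !ctype_digit($room) || strlen($room) > 4) {
        return false;                       // reject rather than coerce
    }
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM guests WHERE room = :room AND name = :name"
    );
    $stmt->bindValue(':room', (int) $room, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed login attempts: a registered guest whose legitimate name
// contains an apostrophe, and a non-guest. The apostrophe alone is enough to
// break the concatenated query; a portal that reports that as "not found"
// is producing exactly the slightly incorrect error message described above.
$attempts = array(
    array('228', 'Jane Doe'),
    array('301', "Pat O'Brien"),
    array('228', 'Nobody Here'),
);
foreach ($attempts as $a) {
    list($room, $name) = $a;
    try {
        $concat = isGuestConcat($db, $room, $name) ? 'granted' : 'denied';
    } catch (PDOException $e) {
        $concat = 'SQL error: ' . $e->getMessage();
    }
    $prepared = isGuestPrepared($db, $room, $name) ? 'granted' : 'denied';
    printf("room %s / %-12s concat: %-45s prepared: %s\n",
           $room, $name, $concat, $prepared);
}
```

The point of the comparison is that the concatenated version fails on perfectly honest input as soon as it contains SQL metacharacters, while the prepared version treats the name as data no matter what it contains. Escaping helpers are a weaker substitute: they have to be applied on every path, whereas a placeholder cannot be forgotten for one field without the query breaking outright.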

But at least I didn’t have to pay for wifi.

PHPQuébec 2008

From March 4th-5th 2009, I was lucky enough to attend the annual PHPQuébec conference, right here in Montréal. Well, I guess it’s not so much luck as it was foresight to ask my employer for the time off & to buy me the conference ticket, which he graciously agreed to do.

To say that the conference was a shit-ton of fun would be an understatement. I had the pleasure of meeting Jeff Loiselle (@phishy), Andrei Zmievski (@a), Chris Shiflett (@shiflett), Chris Hartjes (@chartjes) and Sean Coates (@coates), as well as a few others throughout the duration of the 3-day conference. It was nice to finally be able to associate names with Twitter/IRC handles.

For those of you that could not attend, the slides from (nearly) all the talks are available from the PHPQuébec Conference website; I would suggest the PHP 5.3 slides (if you haven’t already read the related RFCs for closures, lambdas and traits) for a quick run-through of the new features being introduced in PHP 5.3. If you dislike Magento or WordPress and would like to see how Sebastian Bergmann tears them apart for sub-par code & pattern choices, PHP Code Review is for you. Sebastian didn’t publish any of his comments, but the code on the slides should speak for itself.

If you’ve got some C chops, the PHP Extension Writing slides by Marcus Börger might be of interest, if you can make it all the way through without crying for mercy from the C gods. However, everyone at the conference recommended the Extending and Embedding PHP book by Sara Golemon, which seems to be the definitive guide for writing PHP extensions at this time. I’ve already ordered my copy, so where’s yours?

In addition to the slides posted, I would suggest looking over Andrei’s Regex Clinic for some real PCRE gems, and his VIM for (PHP) Programmers to understand why Real Programmers™ use Vim, and those who do not are little girls. Myself included.

All in all, #phpquebec was a blast. I’ll be attending next year, even if I have to pay the ticket price myself. It’s worth every penny, especially if the registration form for 2010 is as hackable as it was for 2009 ;-).