Showing posts with label programming. Show all posts
18 June 2008
Open Reddit
I'm a big fan of Reddit, particularly the programming subreddit, so I was excited to see that yesterday reddit went open source. I got a copy of the code and started poking around; I never realized that Reddit is written in Python, which automatically makes it good. I also hate the Reddit developers less now; they've had a problem for months now with their RSS feeds showing duplicate entries, and have thus far claimed they have no idea what's wrong. I don't know Pylons (the framework Reddit uses), but after my initial poking around I too have no idea what's wrong, so for the moment they're not idiots anymore, although I plan to look into it further. A comment calling something a hack appears 8 times in their code, which is fairly respectable; I particularly enjoyed this comment I noticed in /r2/r2/config/middleware.py:
Labels: comments, open source, programming, pylons, reddit
07 April 2008
PHP doesn't kill people, shitty programmers kill people
I'm reading a thing about security, and I found the canonical PHP example of why register globals is the worst thing ever:
```php
<?php
if (authenticated_user())
{
    $authorized = true;
}
if ($authorized)
{
    include '/highly/sensitive/data.php';
}
?>
```

I've seen that so many times I have it memorized. Now, I don't program with register globals on, and there's really no reason to have it on, but seriously, show of hands. Who would ever write the above code? It's so obviously specious and yet nobody seems to notice. Assuming authenticated_user returns a boolean, everyone would write this:

```php
$authorized = authenticated_user();
```

And magically, the problem is gone. Why would you ever have two branches that come back together with different variables released into the global namespace? That's just awful. Almost as bad as storing the user's username in a cookie and trusting it blindly, but obviously nobody would ever do that. I'm very worried about this field.
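The fix the post argues for, carried one step further, as an added example that is not the post's own code: $authorized is initialised on every path, the script refuses to run at all if register_globals is on, and the username cookie the post mentions is verified with an HMAC instead of being trusted. The cookie layout, the key constant and the one-argument authenticated_user() stand-in are assumptions for this example.

```php
<?php
// Added example (not from the original post). With register_globals on, a
// request parameter such as ?authorized=1 pre-populates $authorized before
// the code ever assigns it, which is why the two-branch version is unsafe.
// Defences shown here: refuse to run under register_globals, assign the
// decision variable exactly once, and verify the cookie with an HMAC.
declare(strict_types=1);

// register_globals was removed in PHP 5.4; on older builds ini_get() returns
// "1" when it is enabled, and false when the directive does not exist.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    http_response_code(500);
    exit('register_globals is enabled; refusing to serve sensitive data');
}

// Placeholder: load the real key from configuration, never from source.
const COOKIE_KEY = 'replace-with-a-secret-from-config';

// Cookie format assumed for this example: "username|hex-hmac-sha256".
// Returns the username only when the MAC verifies, otherwise null.
function verifiedUsername(?string $cookie): ?string
{
    if ($cookie === null || strpos($cookie, '|') === false) {
        return null;
    }
    [$username, $mac] = explode('|', $cookie, 2);
    $expected = hash_hmac('sha256', $username, COOKIE_KEY);
    // hash_equals() compares in constant time; "==" does not.
    return hash_equals($expected, $mac) ? $username : null;
}

// Stand-in for the post's authenticated_user(); it checks a constructed
// allow-list so the script runs on its own.
function authenticated_user(string $username): bool
{
    return in_array($username, ['alice', 'bob'], true);
}

// One assignment, initialised on every path: there is no window in which
// $authorized holds a value the request supplied.
$username   = verifiedUsername($_COOKIE['user'] ?? null);
$authorized = ($username !== null) && authenticated_user($username);

if ($authorized) {
    include '/highly/sensitive/data.php';
}
```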
Labels:
php,
profilecms,
programming,
register_globals
06 March 2008
Escaping quotes in SQL
You may have made this mistake in the past:
```sql
SELECT * FROM table WHERE row=$search
```

Silly you. See, what you should have done is escape the search parameter. To do that, you. . . I'm just kidding. This isn't really a blog post about how to escape quotes in SQL, or about how prepared statements are good. However, it does seem to be some sort of rite of passage that every technology-related blog must at some point post about the dangers of SQL injection, and when they do so they must pretend like they're breaking the news for the first time. We've known about SQL injection since about ten seconds after somebody exploited it the first time. When I said you "may have made this mistake in the past", by "past" I meant at least 5 years ago, and yet I constantly stumble across more and more blog posts warning about the dangers of taking raw user input and feeding it directly to your database. Can we all just agree as programmers that we all now know about this, and there's no need to continue informing each other?

05 March 2008
WTF Tkinter?
I'm learning Python for my programming paradigms class. I've used Python before for scripting stuff, but I've never done anything with the graphics part of it, and the first assignment was to make an animation using it. I have a help dialog in my program, which I wrote in wxWidgets. It looks like this:

Oooo. The green border is my theme, btw. So, it turns out Windows doesn't have wxWidgets by default, so if the program can't find wx, it will use Tkinter instead. That dialog looks like this:

Tkinter -- for shame! WTF? The same problem comes up in Java, the default Java L&F is really ugly, so then people tend to think Java programs as a whole are ugly. That is seriously the worst dialog I have ever seen; you really can't get the full effect in this thumbnail version of it, but the text in the actual dialog is all pixelated like somebody took the thumbnail version from above and magnified it to be a normal dialog size. Here's a crop of the full-size dialog:

I'm tempted to not offer help at all if the system doesn't have wxWidgets.
Labels: dialog, programming, python, tkinter, wxwidgets