The mass amateurisation of everything, in code

March 7th, 2006, By Duncan Gough

This has been living as a draft post for as long as I can remember. It’s become a millstone when it was meant to be a look at how web coding seems to be getting (figuratively) worse and worse. Just as Tom observed in (Weblogs and) The Mass Amateurisation of (Nearly) Everything…, I had hoped to point out a similar ideal appearing for web programmers. Turns out I’m grumpier than that though, so this is more of a whinge than anything productive, sorry.

It’s taken me this long to get to a stage where I can see that this post will take ages to finish, so I’m just going to use it as a place to link to and briefly discuss some of the strange and good things that are happening. Easily the most popular posts on this website are the ones that discuss PHP and Ruby on Rails. Just like all those celebrity bloggers who only pull out Apple rumours when their traffic is slipping, I’m going to focus on PHP and Rails to pull the punters in.

So, here’s the list:

The real starting point. The rise of ‘worse is better’

37 signals think that 95% uptime is acceptable. Not sure that I do, that 5% is significant for other reasons, even if it’s not achievable for most of us.

This web 2.0 validator accepts delicious posts as code/rules for the validator. Surely this is vulnerable from a security perspective – great idea, do it in PHP and you’d be laughed at though.

Reuse is overrated? From DHH?

Now you can make ruby templates look like Smarty (erk). Why the fuck would you want to do that?

Turning log files into JSON formatted code to be eval’ed by a Python script (how insecure is that!). Again, do it in PHP and you’d be laughed at, deservedly.

On PHP, vs. the discipline of PHP.

Or is PHP4 the new Perl? Yes. Could be.

On PHP5’s slow adoption, in comparison to Rails. Hint – it’s got nothing to do with slow adoption and everything to do with Rails making it easy to do the right thing. It’s easy to follow the MVC route, it’s easy to safely escape dangerous HTML content and it’s easy to upgrade. PHP isn’t.

And I thought Python produced human-readable code! Can the Zend PHP Framework do this? Huh? Can it? Can it?

Using with_scope to refactor Rails finder methods. Or this? PHP really isn’t designed for this level of dynamic introspection, which makes the inevitable Zend Framework somewhat hamstrung.

MVC frameworks are rubbish, but Yahoo’s Javascript framework is fine? It’s a ball of mud.

Since PHP5, PHP wants to be Java, but so does Actionscript, it would seem.

Grate! Another Python framework! Isn’t OO and Agile development supposed to make swapping out the components you don’t like, and replacing them with ones you do like, a solved problem now? I’m getting more and more hooked on creating a brain-dead-simple PHP-DSL real soon now..

Python Web Framework Statistics. In the time it took to write this, four more frameworks have been created. Please, just use Django for webapps and Twisted for event-driven stuff.

Rails is parsing the HTTP Accept header at a very high level, abstracting away the often hacky details from the business logic, whilst PHP6 is dropping features like Microsoft approaching a deadline, although in this case the revolutionary news is that register globals is gone. I’m not sure how you’ll be able to swing an upgrade to PHP6 past the proverbial pointy-haired middle management types though. Telling them that safe mode has been dropped as a reason to upgrade is just going to lead to a lot of confusion.

More about PHP6 here. Unicode support completes the carrot-and-stick approach. Lose register globals, gain unicode (something which a lot of languages lately have been missing out on). There’s a great comment in there that really sums up the split in the developer community around PHP at the moment:

I read about the new php and was surprised; but the thing is, the more PHP becomes like a real OOP language, the less people will code with it. Maybe that’s why php4 has been around for so long.

True. Which is exactly why PHP should be developing a DSL purely for safely creating webapps that sits on top of OO PHP. If the procedural PHP community want to use it, they can, and get a whole bunch of libs and extensions that PHP is (in)famous for. The OO PHP community gets PHP6 and, ideally, acceptance from the majority of the community and the all-important shared hosts problem gets solved, since everyone wants PHP6.

Here’s a decent, and easy to follow article about PHP and Unicode, and here’s a decent Slashdot post about the complete lack of support for Unicode in Rails.

Please note that right now Rails basically knows nothing about Unicode and pretends everything is just bytes. It means that validates_length_of for multibyte characters will trigger errors at the wrong places, various kinds of Unicode whitespaces are not going to get trimmed and sometimes Rails will cut right into your characters. Absolute most of Rails internals makes no notion that multibyte text even exists, Rails just delegates all to the Ruby string handling code (which in current Ruby is all single-byte).

Another one for the long list of ‘do it in PHP and you’d be laughed out of town’ – executable web pages, in Ruby this time.

This is a balloon. Balloons are web pages that double as Ruby programs. To run this page:

ruby -ropen-uri -e 'eval(open("http://balloon.hobix.com/anil").read)'

Even in spite of everyone seemingly getting it all wrong, Ruby on Rails continues to abstract away the details and make doing the right thing, the simplest thing. I love REST, now it looks like Rails does too.

Person.new(:name => "Ryan").save

HTTP request:
POST http://api.myremote.com/people =>
Ryan
Location: http://api.myremote.com/people/1

And now it seems that I’m not sure how this post should be updated. Still, take a look at this little snippet of Ruby genius:

"runs".en.present_participle
# => "running"

2004.en.numwords
# => "two thousand and four"

"cow".en.quantify( 20_432_123_000_000 )
# => "tens of trillions of cows"

"ruby".en.plural
# => "rubies"

(via Ruby Inside).

And *another* thing. Actually, this is more like the anti-amateurisation of Ruby, given that it now has a decent looking UTF-8 library too.

Well, or maybe not. Lostlake.org has a good bead on some things that have been troubling me about Rails, the more I develop with it:

Rails also has a bunch of security vulnerabilities. The recent 1.1.4-1.1.5-1.1.6 3 day upgrade-o-rama fixed the ability for an attacker to execute arbitrary code on your server if they knew where the code was relative to the Ruby code. This is because files are included by creating paths to the files in the file system and sometimes URIs are merely appended to the paths… well you get the idea. Every Rails form submission can change any attribute on an ActiveRecord object unless the programmer has taken the affirmative step to filter out the fields returned from a POST based on the fields put in the form originally. This means that an attacker can change the primary key of an object by appending ?foo_id=44 to a web post and voila, the object has a new primary key and can over-write another object. There are other lurking vulnerabilities as well. But at this point in time, Rails is as insecure as PHP was 5 years ago.
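The form-submission problem in that quote, as an added example in plain Ruby (not code from Rails, Lostlake or this post): a constructed `Record` class stands in for an ORM object, and `update_unfiltered`, `update_permitted` and the sample POST body are hypothetical names and data. It shows an extra `id` key overwriting the primary key, next to an allow-list that writes only the fields the form offered and reports the rest.

```ruby
# Added example: constructed stand-in for an ORM record, not ActiveRecord.
class Record
  ATTRIBUTES = %w[id name email admin].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize(attrs = {})
    attrs.each { |key, value| public_send("#{key}=", value) }
  end

  # Behaviour described in the quote: every submitted key that matches an
  # attribute is written, the primary key included.
  def update_unfiltered(params)
    params.each do |key, value|
      public_send("#{key}=", value) if ATTRIBUTES.include?(key.to_s)
    end
    self
  end

  # Hardened form: only fields the form rendered may be written. Keys
  # outside the allow-list are returned so the caller can log them.
  def update_permitted(params, permitted)
    allowed = permitted.map(&:to_s) & ATTRIBUTES
    params.each do |key, value|
      public_send("#{key}=", value) if allowed.include?(key.to_s)
    end
    params.keys.map(&:to_s) - allowed
  end
end

def demo
  # Constructed POST body: the form only offered name and email.
  submitted = { "name" => "Ryan", "email" => "ryan@example.com",
                "id" => "44", "admin" => "true" }
  weak = Record.new("id" => 1, "name" => "old").update_unfiltered(submitted)
  safe = Record.new("id" => 1, "name" => "old")
  rejected = safe.update_permitted(submitted, %w[name email])
  { weak_id: weak.id, safe_id: safe.id, safe_name: safe.name,
    rejected: rejected }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In Rails itself the equivalent control is an attribute allow-list: `attr_accessible` in older releases, strong parameters since Rails 4.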
