Don't Put the Cart Before the Horse

April 2nd I made this undiplomatic statement (funny how Twitter practically encourages being provocative):

#ZF 2.0 is a great example of second-system syndrome.

Matthew Weier O'Phinney and I have a good working relationship. I think his work on the Zend Framework project has been amazing, both from a technology perspective and a marketing perspective. So when Matthew asked me to clarify my Tweet, I was happy to reply, in the spirit of constructive criticism. These thoughts apply to many projects--not just ZF--so I thought they would be of general interest. Here's the content of my reply:

When I've reviewed project proposals or business plans, one thing I often advise people is that you can't describe the value of a project in terms of how you implemented it. Users don't want to hear about how you used XML, or dependency injection, or unit tests, or agile methodology, or whatever. They want to hear what they can do with this product.

After reading the roadmap for ZF 2.0, I observed that a great majority of the planned changes are refactoring and internal architectural changes. These are worthwhile things to do, but the roadmap says very little about the feature set, or the value to users.

What I'm saying is that implementation does not drive requirements. That's putting the cart before the horse.

I admit that for a developer framework, this line is more blurry than in other products. Your users do care about the architecture more than they would for a traditional application. But that still doesn't account for the emphasis on implementation changes in the roadmap, and the lack of specific feature objectives.

For instance, some goals for the controller are described in a list of four bullet items: lightweight, flexible, easy to extend, and easy to create and use custom implementations (which sounds close to easy to extend). Then it jumps right into implementation plans.

So how flexible does it need to be, and in what usage scenarios? What does lightweight mean? How will you know when it's lightweight? Are there benchmark goals you're hoping to meet?

Another example is namespacing. Yes, using namespaces allows you to use shorter class names. Is that the bottleneck for users of ZF 1.x? Do you need to create a namespace for every single level of the ZF tree to solve this? Would that be the best solution to the difficulties of using ZF 1.x?

The point is that the way to decide on a given implementation is to evaluate it against a set of requirements. You haven't defined the requirements, or else you've defined the requirements in terms of a desired implementation.

My view is that requirements and implementation are decoupled; a specific implementation should never be treated as one of the requirements, only a means of satisfying the requirements.

Regards,
Bill Karwin

Sql Injection Slides Posted

I gave a presentation today at the MySQL Conference & Expo 2010, titled SQL Injection Myths and Fallacies. Thanks to everyone who came to my talk! I appreciate your interest in learning to develop more secure applications. SQL Injection is a serious threat to web applications, and it's only going to get worse. It's incumbent on you as software developers to learn how to write secure code!

My slides are now online in two places: on the MySQL Conference website, and at SlideShare.net/billkarwin.

I also handed out cards for a 20% discount on my upcoming book, SQL Antipatterns. One chapter in my book is devoted to SQL Injection risks and methods for defending against them. You can pre-order the hardcopy book and receive it as soon as it ships. You can also get the downloadable beta e-book right away, and receive an update when the editing is done.

I left a stack of the leftover discount cards on the collateral table in the hallway. If you didn't get one, you'll have another chance when I talk at the PHP TEK-X conference in Chicago in May!

Announcing Awk on Rails

Awk on Rails is a new kind of web application development framework, with a distinction that no other framework has: Awk on Rails is fully POSIX compliant.

Awk on Rails brings the best practices of modern web application development to the ALAS stack (Apache, Linux, Awk, Shell). This stack is entirely new to the field of web development, yet already brings decades of maturity.

• Installation is a breeze -- in fact, it's unnecessary, because Awk on Rails uses commands and tools already provided by your operating system.
  
  
• Develop web applications that leverage the power of high-speed interprocess I/O pipelining, utilizing POSIX regular expressions to optimize request routing through common gateway interfaces.
  
  
• Generate your Awk on Rails application code--using awk! A sophisticated script-based front-end called wreak takes care of it for you.
  
  
• You get unlimited flexibility to customize the base application scripts, using your choice of development environment: vi or emacs.
  
  
• SQL? We got NoSQL! We don't need no stinking SQL! Tired of being confused by relational databases? Manage your data in an "X-treme" non-relational data store exclusive to Awk on Rails. It's called Hammock, and it's based on the POSIX key-value system NDBM. To initialize your data store, it's as simple as running the command: wreak hammock.
  
  
• Design and render application views using the simple and popular M4 language. We all know we need to keep application design separate and free from logic. Awk on Rails can make sure this happens!
  
  
• Embedded source code documentation is easy using a custom macro package. Create ready-to-typeset manuals with one simple command: nroff -Mawkdoc.
  
  
• Awk on Rails comes with example applications to get you started, including a blogging & content management platform AwkWord, and a syndication provider AWRY.
  
  
• Does it scale? Of course! Thanks to the power of Moore's Law, you'll stay ahead of the curve over the long haul.
  
  
• Development, deployment, and distribution are all powered by a convenient set of three distinct software licenses. No other framework supports this many licenses! Contributing back to the Awk on Rails project? You get to sign and submit a fourth license -- at no charge!
  

You will soon be able to download source for Awk on Rails and join its development community, at the social source repository SCCSHub.net. As soon as we figure out whether the licenses allow us to distribute our own source code, you may be able to use it in your projects too!

Look for future Awk on Rails developments and announcements in 2010.* Also look for an innovative cloud computing extension to Awk on Rails, called VaporWare.

Awk on Rails: Not Really Rapid, Not Exactly Agile, More Like Dodgy.

* Awk on Rails comes with no guarantee of release dates or timeliness of announcements. Check your calendars.

Rendering Trees with Closure Tables

I got a comment from a reader about the Naive Trees section of my presentation SQL Antipatterns Strike Back. I've given this presentation at the MySQL Conference & Expo in the past.

I'd also like to mention that I've developed these ideas into a new book, SQL Antipatterns: Avoiding the Pitfalls of Database Programming. The book is now available in Beta and for pre-order from Pragmatic Bookshelf.

Here's the reader's question:

I would like to ask if there's a way I can dump all the hierarchies in a single query using a closure table? For example I have a following tree:

rootree
- 1stbranch
- midbranch
- corebranch
- leafnodes
- lastbranch
- lastleaf

and I want to display it like:

rootree -> 1stbranch
rootree -> midbranch
rootree -> midbranch -> corebranch
rootree -> midbranch -> corebranch -> leafnodes
rootree -> lastbranch
rootree -> lastbranch -> lastleaf

The Closure Table is a design for representing trees in a relational database by storing all the paths between tree nodes. Using the reader's example, one could define and populate two tables like this:

drop table if exists closure;
drop table if exists nodes;

create table nodes (
node int auto_increment primary key,
label varchar(20) not null
);

insert into nodes (node, label) values
(1, 'rootree'),
(2, '1stbranch'),
(3, 'midbranch'),
(4, 'corebranch'),
(5, 'leafnodes'),
(6, 'lastbranch'),
(7, 'lastleaf');

create table closure (
ancestor int not null,
descendant int not null,
primary key (ancestor, descendant),
foreign key (ancestor) references nodes(node),
foreign key (descendant) references nodes(node)
);

insert into closure (ancestor, descendant) values
(1,1), (1,2), (1,3), (1,4), (1,5), (1,6), (1,7),
(2,2),
(3,3), (3,4), (3,5),
(4,4), (4,5),
(5,5),
(6,6), (6,7),
(7,7);

What we need to do is find all the descendants of the root node 1, then for each of these descendant nodes, list its ancestors in order, separated by an arrow. We can use MySQL's useful GROUP_CONCAT() function to build this list for us.

select group_concat(n.label order by n.node separator ' -> ') as path
from closure d
join closure a on (a.descendant = d.descendant)
join nodes n on (n.node = a.ancestor)
where d.ancestor = 1 and d.descendant != d.ancestor
group by d.descendant;

Here's the output in the MySQL client. It looks like what the reader asked for:

+-------------------------------------------------+
| path                                            |
+-------------------------------------------------+
| rootree -> 1stbranch                            |
| rootree -> midbranch                            |
| rootree -> midbranch -> corebranch              |
| rootree -> midbranch -> corebranch -> leafnodes |
| rootree -> lastbranch                           |
| rootree -> lastbranch -> lastleaf               |
+-------------------------------------------------+

I do assume for the purposes of ordering that all of a node's ancestors have a lower node number. You could alternatively use a pathlength column to the closure table and sort by that.

The Closure Table design is nice compared to the Nested Sets (or Preorder Traversal) design, because it supports the use of referential integrity. By using indexes, the EXPLAIN report shows that MySQL query optimizer does a pretty good job on it (I've omitted a few columns for brevity):

+-------+--------+-------------------+--------------------------+
| table | type   | ref               | Extra                    |
+-------+--------+-------------------+--------------------------+
| d     | range  | NULL              | Using where; Using index |
| a     | ref    | test.d.descendant |                          |
| n     | eq_ref | test.a.ancestor   |                          |
+-------+--------+-------------------+--------------------------+

Speaking on SQL Injection at MySQL Conference

I'm speaking this year at the MySQL Conference & Expo 2010 in Santa Clara. Be sure to get your early registration discount by Feb 22! If you miss that deadline, get 25% off with this discount code: mys10fsp

I'm presenting a talk on SQL Injection Myths and Fallacies. This may seem like a topic that's been done to death, but it's important for all developers to understand it. This reminds me of a story:

My mother volunteers with the League of Women Voters. One of their activities is helping college students register to vote. So every year they set up a table on campus and help young people fill out the forms.

One day one of the women expressed frustration: "We've been doing this for ten years! When are these students going to learn how to register to vote for themselves?!"

The rest of the group looked at her blankly. Finally someone said calmly, "You realize that every year a new class of students becomes eligible to vote, right?

The woman who complained felt suitably embarrassed.

I'm going to cover the basics about SQL Injection, but I'll also show how much of the advice about SQL Injection (even advice from noted security experts) misses the whole picture. I'll also give some new techniques for remedies, that I seldom see in books or blogs. Come on by!

What is QEP?

In the context of database programming, QEP is an acronym for Query Execution Plan.

The database server analyzes every SQL query and plans how to use indexes and order tables to produce the result in the most efficient way.

You can get a report of the QEP for a SELECT query using the EXPLAIN command in MySQL. This is an important tool to analyze your SQL queries and detect inefficiencies.

Consultant Ronald Bradford uses the acronym QEP freely, but this term is not ubiquitous and doesn't appear in the MySQL documentation. Googling for QEP yields some confusing results:

• A manufacturer of carpet trimming and flooring installation tools.
• An educational bookseller in Texas and New Mexico.
• The Quality Enhancement Plan for institutional improvement from the Commission on Colleges of the Southern Association of Colleges and Schools.
• The Qualified Environmental Professional certification from the Institute of Professional Environmental Practice (IPEP).
  

Remember: if you are using an uncommon acronym in your writing, define it when you use it. Even if you have used the acronym in past blog posts, define it again in a new blog post. Or at least link to the original post where you defined it.

Free Software vs. Gratis Software

A lot of folks are unclear on the subtleties of free software and open source. Mike Hogan writes a blog article"Is Hybrid Licensing of OSS Hypocrisy?" to try to shed some light on this. With respect, I think he has missed part of it.

We're talking about two orthogonal things here. One is open-source versus closed-source, and the other is whether we charge money for software licenses or not. As Mike points out, the former is about development methodology. The latter is about business model.

There ought to be nothing wrong with charging money for open-source software. In fact, there isn't -- even the GPL permits this. This is related to the origin of open-source in the Free Software movement. "Free software" to them is about what the user is licensed to do with that software, not whether they paid anything to license it. In fact, some companies package free software and charge for it (presumably with some added value).

The marketing interpretation of "free software" is the "free chips & salsa" concept Mike mentions. It's a way of encouraging the market to adopt this product. It's a loss leader, usually followed by upselling the customer with other products or services.

There's also a case for no-charge versions of closed-source software. Typically these have either limited features ("crippleware") or they expire after a limited time (e.g. "demo").

Few companies have found a way to use open source methods to develop full products they then charge money for. But this could simply be because it's hard to drive adoption of any software product, regardless of whether it's open-source or closed-source.

On the issue of hybrid licensing, I see this as no hypocrisy; I see it as more freedom. If I develop some code, offer it under the GPL license, and you use my code as part of your project, then you are obligated to license your project with a GPL-compatible license. This is termed the "viral" nature of the GPL license, and it's clearly intended to promote the free software movement.

What if you don't want to adopt a GPL-compatible license for your project? Well, no one is forcing you to use my code. But my code is really amazingly good, and you want it. You want it so much that you're willing to give me money if I grant you a license to use it under different terms. If I'm willing to do that, now you have more freedom -- you can choose to contribute your own code to the body of free software in the world, or you can choose not to. But the latter choice may have a different price tag associated with it.

This should still promote the principles of the free software movement. It would be wrong to charge someone for their freedom. But in the hybrid license model, you can avoid paying for a license simply by joining the movement, by spreading the freedom. If you want to stick to your closed-source model, you can pay for the privilege of using my code in that way.

I don't see any hypocrisy in a software maker using a hybrid licensing model, as long as they are consistent and honest about it.