Thursday, April 15, 2010

Don't Put the Cart Before the Horse

On April 2nd I made this undiplomatic statement (funny how Twitter practically encourages being provocative):

#ZF 2.0 is a great example of second-system syndrome.

Matthew Weier O'Phinney and I have a good working relationship. I think his work on the Zend Framework project has been amazing, both from a technology perspective and a marketing perspective.

(Photo: Matthew and Bill)

So when Matthew asked me to clarify my Tweet, I was happy to reply, in the spirit of constructive criticism. These thoughts apply to many projects--not just ZF--so I thought they would be of general interest. Here's the content of my reply:

When I've reviewed project proposals or business plans, one thing I often advise people is that you can't describe the value of a project in terms of how you implemented it. Users don't want to hear about how you used XML, or dependency injection, or unit tests, or agile methodology, or whatever. They want to hear what they can do with this product.

After reading the roadmap for ZF 2.0, I observed that a great majority of the planned changes are refactoring and internal architectural changes. These are worthwhile things to do, but the roadmap says very little about the feature set, or the value to users.

What I'm saying is that implementation does not drive requirements. That's putting the cart before the horse.

I admit that for a developer framework, this line is more blurry than in other products. Your users do care about the architecture more than they would for a traditional application. But that still doesn't account for the emphasis on implementation changes in the roadmap, and the lack of specific feature objectives.

For instance, some goals for the controller are described in a list of four bullet items: lightweight, flexible, easy to extend, and easy to create and use custom implementations (which sounds close to easy to extend). Then it jumps right into implementation plans.

So how flexible does it need to be, and in what usage scenarios? What does lightweight mean? How will you know when it's lightweight? Are there benchmark goals you're hoping to meet?

Another example is namespacing. Yes, using namespaces allows you to use shorter class names. Is that the bottleneck for users of ZF 1.x? Do you need to create a namespace for every single level of the ZF tree to solve this? Would that be the best solution to the difficulties of using ZF 1.x?

The point is that the way to decide on a given implementation is to evaluate it against a set of requirements. You haven't defined the requirements, or else you've defined the requirements in terms of a desired implementation.

My view is that requirements and implementation are decoupled; a specific implementation should never be treated as one of the requirements, only a means of satisfying the requirements.

Bill Karwin

Wednesday, April 14, 2010

SQL Injection Slides Posted

I gave a presentation today at the MySQL Conference & Expo 2010, titled SQL Injection Myths and Fallacies. Thanks to everyone who came to my talk! I appreciate your interest in learning to develop more secure applications. SQL Injection is a serious threat to web applications, and it's only going to get worse. It's incumbent on you as software developers to learn how to write secure code!

My slides are now online in two places: on the MySQL Conference website, and at

I also handed out cards for a 20% discount on my upcoming book, SQL Antipatterns. One chapter in my book is devoted to SQL Injection risks and methods for defending against them. You can pre-order the hardcopy book and receive it as soon as it ships. You can also get the downloadable beta e-book right away, and receive an update when the editing is done.

I left a stack of the leftover discount cards on the collateral table in the hallway. If you didn't get one, you'll have another chance when I talk at the PHP TEK-X conference in Chicago in May!

Thursday, April 01, 2010

Announcing Awk on Rails

Awk on Rails is a new kind of web application development framework, with a distinction that no other framework has: Awk on Rails is fully POSIX compliant.

Awk on Rails brings the best practices of modern web application development to the ALAS stack (Apache, Linux, Awk, Shell). This stack is entirely new to the field of web development, yet already brings decades of maturity.
  • Installation is a breeze -- in fact, it's unnecessary, because Awk on Rails uses commands and tools already provided by your operating system.

  • Develop web applications that leverage the power of high-speed interprocess I/O pipelining, utilizing POSIX regular expressions to optimize request routing through common gateway interfaces.

  • Generate your Awk on Rails application code--using awk! A sophisticated script-based front-end called wreak takes care of it for you.

  • You get unlimited flexibility to customize the base application scripts, using your choice of development environment: vi or emacs.

  • SQL? We got NoSQL! We don't need no stinking SQL! Tired of being confused by relational databases? Manage your data in an "X-treme" non-relational data store exclusive to Awk on Rails. It's called Hammock, and it's based on the POSIX key-value system NDBM. To initialize your data store, it's as simple as running the command: wreak hammock.

  • Design and render application views using the simple and popular M4 language. We all know we need to keep application design separate and free from logic. Awk on Rails can make sure this happens!

  • Embedded source code documentation is easy using a custom macro package. Create ready-to-typeset manuals with one simple command: nroff -Mawkdoc.

  • Awk on Rails comes with example applications to get you started, including a blogging & content management platform AwkWord, and a syndication provider AWRY.

  • Does it scale? Of course! Thanks to the power of Moore's Law, you'll stay ahead of the curve over the long haul.

  • Development, deployment, and distribution are all powered by a convenient set of three distinct software licenses. No other framework supports this many licenses! Contributing back to the Awk on Rails project? You get to sign and submit a fourth license -- at no charge!

You will soon be able to download source for Awk on Rails and join its development community, at the social source repository. As soon as we figure out whether the licenses allow us to distribute our own source code, you may be able to use it in your projects too!

Look for future Awk on Rails developments and announcements in 2010.* Also look for an innovative cloud computing extension to Awk on Rails, called VaporWare.

Awk on Rails: Not Really Rapid, Not Exactly Agile, More Like Dodgy.

* Awk on Rails comes with no guarantee of release dates or timeliness of announcements. Check your calendars.