Why publish an educational article with obviously buggy content
shmget Jul 15, 2008 7:09 AM EDT
```c
length = strlen(binnumber);
if ( length < 8 ) {
    difference = -(length - 8);
}
```
--> difference is never used anywhere in the program.
```c
if ( binnumber[7] == '1' ) {
    total = total + 1;
}
```
--> binnumber is NOT initialized and the length of the input can most certainly be less than 8, hence binnumber[7] can have an undefined value. Furthermore, no input control is done, so input "My #1 OS" and you'll get a result of 8!!! Clearly the idiotic algorithm used indicates that the intent was newbie education, which is fine, but then making sure that the example is exemplary should be the first concern of the author, and most importantly of the editor.
eggi Jul 15, 2008 2:10 PM EDT
Hey there, You're most certainly on-target about the "difference" variable. It was a mistake on my part that I didn't strip out before posting (The actual program was a bit larger, but, as you state - and I stated in the post - I was trying to write for a less experienced audience and felt that the section of code that line was in made it appear too daunting). This has already been addressed, removed and pointed out (but won't post until tonight, in my ports to bash and Perl). To help you understand, my intent with these posts is to "introduce" folks to programming. Very basic concepts. It's been my experience that if you do everything at once (error checking, C memory allocation, more concise looping and statement constructs, etc.) it scares people off, and if you just show them a sample of, for instance, an if-else statement it's harder for them to put the pieces together. I hope that doesn't sound haughty or snobbish in any way. About 12 years ago, when I began working as a Unix Sysadmin, I didn't know anything and am trying to get back to that place now, to, hopefully, help others get used to writing programs and scripts (imperfect though they may be). I've found, over the years, that even when I made mistakes (like I'm still doing cranking out the blog nightly after work ;) I felt a sense of accomplishment that made me feel like I could do more, and then eventually I ended up at a point where I was more interested in what I "could" do rather than what I "couldn't" do. Thank you for your feedback, and your constructive criticism is appreciated. Every once in a while the time-crunch involved in churning out the daily post can cause me to accidentally overlook an error every now and again, especially when I'm tearing down scripts and programs I write on-the-fly to try and make my deadline (obsessive/compulsive? Maybe ;) Again, thanks for the feedback, Best wishes, Mike
tuxchick Jul 15, 2008 2:11 PM EDT
Small bites and baby steps are good things! shmget, there ain't any wise, kindly editors who review articles for technical accuracy. If you're lucky you get a fast proofread for obvious spelling and grammar errors. That's when you learn that kindly readers who politely point out errors are worth their weight in good beer and fine chocolate.
gus3 Jul 15, 2008 2:33 PM EDT
The #1 thing I learned doing user documentation: Always test any script or code you put in. Someone, somewhere, is going to type it in verbatim, and it darn well better work.
shmget Jul 15, 2008 4:51 PM EDT
eggi: "my intent with these posts is to "introduce" folks to programming." I got it, and I applaud your effort. "my experience that if you do everything at once (error checking, C memory allocation, more concise looping and statement constructs, etc) it scares people off," My experience is that there is no 'little quick program'; any piece of code usually lasts much longer than intended.... So clean and correct are always a have-to-have. In this case, it is not so much about error checking, but about uninitialized variables, buffer overruns and other very basic things that are overlooked by so many coders, amateur and professional alike, and which are a primary cause of the daily litany of 'security advisories'. Case in point: scanf("%s", &binnumber); That is your run-of-the-mill buffer overrun: as soon as you input more than 8 digits, you start to overwrite whatever is behind binnumber in memory... I don't think it would make the code overly more complicated to code scanf("%8s", &binnumber); (and increase the size of binnumber by 1 to allow for the final 0.) Again, this is not a refinement or an efficiency thing. It is about bad security flaws and good practice - even reflex, really - to try to avoid them.
TxtEdMacs Jul 15, 2008 5:05 PM EDT
shmget, Maybe you could show us how to do it right, albeit on a more relaxed schedule than eggi uses. Or perhaps you could just write follow-up articles on the security issues missed in the pedagogical first pass? What do you say? It could go on LXer or eggi's site or even mine. Txt.
shmget Jul 15, 2008 5:47 PM EDT
TxtEdMacs:
I have a few challenges:
1/ I write in C fluently, actually much more fluently than I write in English. My spelling/grammar and general English-as-a-second-language rate of mistakes usually means that my prose is either painful to read or takes me an enormous amount of time and effort to proof-read.
2/ I am not much of a pedagogue, nor do I easily empathize with the difficulties of an absolute beginner. Let me put it this way: just because I know how to read doesn't mean I am capable of efficiently teaching a 1st grader how to.
On the other hand, if eggi wants his C source proof-read before publication, I could be convinced to give it a try.
eggi Jul 15, 2008 6:18 PM EDT
Wow, Thanks for the support and exchange of ideas here. I get where everyone's coming from. Here's a fun fact: One of the reasons the code made it on the blog with that extra variable defined is that it compiled under gcc with no errors and ran. No question that I do that before I put something out there. I wouldn't dream of posting code that doesn't run (which is hard to do, sometimes, given the wide variety of Unix and Linux distros - although I do provide patches and/or rewrites via email for people who need a program but just need it modified to run on their NIX OS). The output in the blog body was a cut and paste from the actual binary execution. I will probably post a mission-statement post one of these days now that people are actually reading my blog, since it covers everything from hardware to scripting/programming to OS and higher-level application management. I've been a Unix/Linux sysadmin for over a decade (almost 13 years now - including admining Windows, Cisco Networks and doing some programming -- fortunately, and no offense, I didn't end up being a programmer because I can't sit at a desk all day without going batty) so I've got a lot to write about but lack the energy to write a blog per niche. I understand the security concern, but that wasn't the point; just to make C, Perl, shell, awk scripting/coding seem as accessible as it is to anyone who can read a book. I didn't want to have to, essentially, write something like "Hello reader who knows almost nothing about scripting or coding, let's talk about the difference between strcmp and strncmp, writing into the red and buffer over/underflows" (not specifically what the code lacked). I feel this would be counter to the theme of the post and the blog's intent. Seriously, while I would welcome a huge rebuttal that I could use as a post on my blog (give me a night off ;) I don't think it is worth starting a war over.
I'll admit when I read the initial reply, the words "buggy" and "idiotic" pushed a button or two and made me wonder if I just hadn't stated the fact that the code was imperfect in my blog clearly enough. As long as it's civil, I'm always open to communication and criticism. Otherwise I take the salient points and ignore the invective. Let's all get happy now. Assuming we all live through the night, we can get upset about it tomorrow, for all the good it will do ;) Again, thanks for the further explanation and to everyone for posting the comments. TxtEdMacs - Thanks for the support. And shmget, I've never corresponded with you before so I'm assuming you just have a blunt, straightforward writing style. I believe, beneath it all, we're all above getting into a flame-war about an admitted mistake on my part. Apologies for future mistakes. Expect that I'll mistype something or miss something in haste from time to time. The blog's organic. I realize it's devoted to a subject that warrants more criticism than a blog about stuff I like to do when I'm not paying the bills, but I've decided to keep the original error in. Nobody's perfect and since my blog is free advice and explanation, it makes more sense to keep it scarred and just explain that I made an error in a future post. I'd spend the time to make sure everything was perfect if it was my day job (which is, actually, 24x7 on-call most of the time). Peace, everyone, and thanks, Mike. For everyone who wonders how I can write a post a day, this is how. I've got a post's worth of content right here and it's just reactionary - If I'd only directed the energy toward writing about process tracing ;)
eggi Jul 15, 2008 6:27 PM EDT
shmget, you snuck one in on me there. If you're serious about your suggestion, I would welcome your proof-reading of my C code. As for the allegory, it's a bit off where I come from. While C may remain semi-static, shell scripting, etc., can vary widely. If we were to adhere to the protocol that "I can only post a shell script if I've worked on every version and flavour of Unix and Linux on the market today" I don't believe anyone would be qualified to write about anything here or anywhere. The word "teach" is heavy with connotation. For instance, if you visit a forum to answer scripting questions, 15 guys could reply with 15 valid answers, and sometimes all 15 are convinced they are the only ones who know what they're talking about. I understand that you may have derived teach from the word tutorial, and how-to is a scary word, too. Don't sweat this any more. It's no big deal. But, seriously (it only happens once every few months) if you really would be willing to offer me the service of double checking my C code before I publish it, I'm up for that and would appreciate it. My email is eggi@comcast.net -- If that gets stricken, just check out my blog. I put my email at the top of all of my scripts. Peace. Calm :), Mike
TxtEdMacs Jul 16, 2008 3:50 AM EDT
shmget, Sorry if I gave offense, I was reacting to the perceived tone. I understand the issue of a second language being a hindrance, since I would claim English was my second language. When asked what my first was I would say "none". Moreover, I have become convinced that in part some of my difficulties stem from being, at least, partially dyslexic. I write, but I find it difficult. I compliment you on your offer to proof-read eggi's C code. [all the above are enclosed in serious tags] Txt.
eggi Jul 16, 2008 10:27 AM EDT
Actually, the length variable is unnecessary, too. That's the last time I revise and reduce code on the day-and-time-of-posting.... Maybe I need to take a break and just write some more tech opinion op-ed type stuff. Again, thanks for everyone's comments. This whole ordeal ended amicably and I learned a thing or two in the process (aside from slowing it down a little. There's only so much daily posting one guy can do before something bad gets through). I sincerely appreciate everyone's advice and pointers, both on and offline. Thanks :), Mike
tuxchick Jul 16, 2008 11:37 AM EDT
??? No flames? Sheesh. Guess I'll go visit /. for my daily dose of ignorant, emotional ranting. *pout*
gus3 Jul 16, 2008 8:09 PM EDT
Only an ignorant jerk would expect flames here by default. (There, is that better? ;-)
tuxchick Jul 17, 2008 7:06 AM EDT
Luser! winduhs lover! Your mamma and your poppa! Thanks, I feel much better now :)
Sander_Marechal Jul 17, 2008 7:14 AM EDT
My my, what language. Is this how it's going to be TC? Serious content on LW and rotten flames here? ;-)
tuxchick Jul 17, 2008 8:07 AM EDT
Well Sander, that WAS my secret master plan. But now you've exposed it and it's all ruined.
azerthoth Jul 17, 2008 8:49 AM EDT
That's it TC, I vote that any comment made over there we first filter through our resident legalese guru so that they seem poignant yet say nothing, in as many words as possible. *nyah nyah*