Re: The Trouble with Ruby

12Aug06

Sim says:

I like Ruby but I don’t see it becoming a mainstream language soon. The biggest strength of Ruby–the OO nature of the language and some of its cooler constructs–is its greatest weakness. Consider continuations, for example. How many people in the world would know how to implement something with continuations without screwing up?

By definition, the vast majority of developers out there have average skills. They need tools and programming models that are safe more than they are powerful. We learned this in spades at Allaire. ColdFusion became one of the most widely used Web development platforms because it created a rubber room where hackers, non-professional programmers and many others could build apps without thinking too hard. Were they the best architected, most scalable apps? Absolutely not. But they came out quickly and they worked. (Hey, MySpace was built on ColdFusion initially and it served them well.)

Sim is one of the smartest guys I have met but I have to disagree with this post. He seems to think he is talking about danger vs. safety but I think he is actually talking about having a shallow learning curve.

Continuations are not dangerous

Continuations are so hard to understand and use that average programmers don’t even try to use them. Even if they do try, they’re extremely unlikely to stumble upon a dangerous solution, that is, one that looks right but is subtly and perniciously wrong. Go ahead, try it; if you’re an average programmer, or even a pretty good one of the C++/Java/VB persuasion, take a look at this and this and then try to picture where and how you would use them. And then, ask yourself if you actually would.

(Contrast that to a really dangerous feature, like C macros. They look seductively simple, but the pitfalls are legion, just waiting for the right conditions.)

ColdFusion is not a rubber room

In fact, ColdFusion has a few pitfalls of its own. ColdFusion was groundbreakingly innovative in its heyday, and continues to be (IMO) the single easiest way for web designers to wade into the programming pool. But that is different from being “safe” or a “rubber room”, which implies that it’s hard for users to hurt themselves. For example, the following three snippets all look like canonical examples of CFML (circa 1998, at least–I haven’t kept up) to the casual eye, but each one is actually a showstopping bug:

<!--- SQL injection vulnerability! Request values are pasted straight into the SQL text. --->
<cfquery ...>
INSERT INTO users (email, password)
VALUES ('#url.email#', '#url.password#')
</cfquery>

<!--- XSS vulnerability! --->
<cfoutput>Error: #url.errormessage#</cfoutput>

<!--- Failure to use CFLOCK, causes crashes in CF5! --->
<cfset session.hitCount = session.hitCount + 1>

You can get things working in CF without thinking too hard. To get them working right, you have to think about as hard as you do with any other half-decent language*–you just might not know it.

* not including languages that lack automatic memory management
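The three snippets above are CFML, so as an added example (mine, not the post's) here are the first two pitfalls recreated in Python against an in-memory SQLite table, which lets you watch the query structure change. The table schema, the victim e-mail and the password payload are constructed for the demo; the payload closes the value tuple the template opened and appends a second row, which is exactly what the interpolated version accepts and the parameterized version does not. Binding parameters is the same fix that cfqueryparam gives you in ColdFusion and PreparedStatement gives you in JDBC (comment 4 below); HTML-escaping output is the same fix as HTMLEditFormat() around the cfoutput value.

```python
import html
import sqlite3

SCHEMA = "CREATE TABLE users (email TEXT NOT NULL, password TEXT NOT NULL)"

# Constructed attacker input for the password field. The leading a') closes
# the value tuple the template opened, and the rest appends a second row of
# the attacker's choosing. The closing quote is supplied by the template.
PAYLOAD_PASSWORD = "a'), ('admin@example.com', 'pwned"


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_interpolated(email, password):
    """The cfquery snippet's logic: request values pasted into the SQL text.

    Returns the rows that ended up in the table so the effect is visible.
    """
    conn = _fresh_db()
    sql = (
        "INSERT INTO users (email, password) "
        f"VALUES ('{email}', '{password}')"
    )
    conn.execute(sql)
    return conn.execute(
        "SELECT email, password FROM users ORDER BY rowid"
    ).fetchall()


def insert_parameterized(email, password):
    """The fix: the SQL text is fixed and the values travel as bound
    parameters, so a quote in the input is data, never syntax."""
    conn = _fresh_db()
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        (email, password),
    )
    return conn.execute(
        "SELECT email, password FROM users ORDER BY rowid"
    ).fetchall()


def render_error_raw(message):
    """The cfoutput snippet's logic: untrusted text dropped into HTML as-is."""
    return f"Error: {message}"


def render_error_escaped(message):
    """Same output with the HTML metacharacters (< > & " ') encoded, so the
    browser shows the text instead of parsing it as markup."""
    return f"Error: {html.escape(message, quote=True)}"


if __name__ == "__main__":
    print(insert_interpolated("victim@example.com", PAYLOAD_PASSWORD))
    print(insert_parameterized("victim@example.com", PAYLOAD_PASSWORD))
    xss = "<script>alert(document.cookie)</script>"
    print(render_error_raw(xss))
    print(render_error_escaped(xss))
```

With the payload, the interpolated insert stores two rows, the second one an admin account the attacker chose; the parameterized insert stores one row whose password column literally contains the payload string. The escaped error message contains no `<` at all, which is the property to check for rather than whether any particular script tag survives.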



9 Responses to “Re: The Trouble with Ruby”

  1. Charles Teague

    SQL injection can be handled via cfsqlparam (though it makes the sql syntax look crappy).

    The failure to lock session variables by itself wouldn’t cause a crash, though reading and writing them in multiple places without the protection of a lock could.

  2. Re SQL injection, yup, I know there is a right way to do it but the wrong way is the obvious way and works.

    Isn’t that what my example does? Or by “multiple places” do you literally mean from different .cfm files rather than different threads?

    I don’t blame CF for the SQL injection or XSS vulnerability, none of us knew about those back in the wild wooly days of the web. No other web scripting language does a significantly better job either… they’re all about the same, which was really my point.

  3. nanas

    SQL injection is not something that is being taught in school, except if you take a wowowoww class which I do not know about. Programmers will tend to go for the easiest ways, which is what Joe Cheng’s example points out. If mature forum software like Invision Power Board, which has version v0.0.0.0.0, could have such vulnerabilities go to securityfocus.com, there are a bunch out there; then what about the web applications on the WWW that are not mature yet?

  4. nanas, totally agree. I didn’t mention it in my post but there are a couple of ways DB APIs can minimize the temptation to insert unescaped strings. For example, the PreparedStatement class in JDBC (Java) leaves you with little excuse.

  5. Charles Teague

    Nope- you’re right about the session example, sadly. Of all the non-rubber room aspects of CF, this one hurts the most.

    Though starting with CFMX it’s a non-issue 🙂.

    -c
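The disagreement in comments 1 and 5 is about what the unlocked `session.hitCount = session.hitCount + 1` actually does when two requests run it at once. As an added example (mine, not from the post or the comments) here is that read-modify-write in Python with several threads sharing one session object, first without a lock and then with one. The thread and hit counts and the small pause between the read and the write are constructed for the demo; the pause stands in for a request being preempted between the two halves, which is the window a lock closes. It reproduces the lost updates, not the CF5 crash the post mentions, which the example cannot show.

```python
import threading
import time

WORKERS = 8           # concurrent "requests" sharing one session (constructed)
HITS_PER_WORKER = 50  # increments each request performs (constructed)
PAUSE = 0.001         # seconds between the read and the write (constructed)


class Session:
    """Stand-in for the CF session scope: one mutable object every request sees."""

    def __init__(self):
        self.hit_count = 0


def bump_unlocked(session):
    """session.hitCount = session.hitCount + 1 with no lock.

    Two requests that both read N before either writes N+1 end up writing
    N+1 twice, and one hit is lost.
    """
    for _ in range(HITS_PER_WORKER):
        current = session.hit_count
        time.sleep(PAUSE)
        session.hit_count = current + 1


def bump_locked(session, lock):
    """Same increment with the read and write inside one critical section,
    the equivalent of wrapping the cfset in
    <cflock scope="session" type="exclusive" timeout="10">."""
    for _ in range(HITS_PER_WORKER):
        with lock:
            current = session.hit_count
            time.sleep(PAUSE)
            session.hit_count = current + 1


def run_workers(target, *args):
    """Start WORKERS threads on the same target and wait for all of them."""
    threads = [threading.Thread(target=target, args=args) for _ in range(WORKERS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def count_without_lock():
    session = Session()
    run_workers(bump_unlocked, session)
    return session.hit_count


def count_with_lock():
    session = Session()
    run_workers(bump_locked, session, threading.Lock())
    return session.hit_count


if __name__ == "__main__":
    expected = WORKERS * HITS_PER_WORKER
    print(f"expected {expected}")
    print(f"without lock: {count_without_lock()}")
    print(f"with lock:    {count_with_lock()}")
```

The locked version always lands on WORKERS × HITS_PER_WORKER. The unlocked version lands below it on practically every run, but how far below depends on scheduling, which is the point: the bug is not reproducible on demand, so it does not show up in a developer's single-user testing.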

  6. Nice post. Good to see others are out there paying attention to what MIGHT be a problem. Because once something becomes a problem, then it’s too late.

    Um, where’s your trackback link?

    You may want to check out my post on
    The Top 5 Open Source PHP Software Security Holes!! – With video instructions.

    Perhaps we can trade hacks sometime??

  7. Continuations are only hard to understand if you try to learn via a CS-oriented article on Wikipedia, or by looking at Ruby’s Kernel documentation. Do you know how to use the Enumeration#each method? Then you know how to use continuations.

  8. Mike, there’s a world of difference between using a library that is implemented using continuations, and actually implementing something using continuations yourself. We are talking about the latter (although I see now that I didn’t make that explicit).

    (And just to nitpick, Enumeration#each uses blocks/closures, not continuations…)

  9. One thing that jumps to mind as a use for continuations would be in game programming. Of course the irony is that I’m not quite sure Ruby, Lisp, etc. are really up to the task of coding the next great XBox 360 game but there are some nice bits of logic you could implement with continuations.


