bAdmArk - Blinklist beta bombs...

Thursday, July 13, 2006

Blinklist.com (beta)

"BlinkList is a social bookmarking service built on ajax. It is very buttoned up and has some excellent features. It also has an all-star team with deep experience." - TechCrunch 07/2005

Being an application developer, I pride myself on a deeper understanding that I have with web applications that I interact with daily. To a certain degree, I catch myself making assumptions about web apps and their implementation, overall due to the fact that I have witnessed major growth and advancement over the past decade. One point on which I expect from any decent sized membership based app, is that my password be encrypted. Simple MD5 will do, so long as it is not clear text. When developing any membership system, encryption should be one of the first considerations.

Unfortunately, today I was saddened to find that a site I frequent BlinkList(beta), did not feel the need to encrypt my password:

Not only do they not encrypt a users password, they are displaying in a debug statement. Not my idea of a solid application.

They also still tag on "Beta" to their name, I know some development shops have some drawn out development lifecycles, but a year, and still in beta?

Another major flaw which is quite glaring, is the fact that they are calling in-line SQL query from inside of code, stored procedures are there for a reason, use them!

I'll have to admit, although LAMP based web apps have become quite popular in the last few years, there is nothing like building applications using OOP in a managed environment like Microsoft.NET or J2EE.

social networking | technology

posted on Thursday, July 13, 2006 5:24:37 PM (Eastern Standard Time, UTC-05:00)

Comments [2]
Related posts:
The Application of The Scientific Method for social concern
Dell Inspiron 910 delayed yet again
Video Editing on Roids!
An injection that cures Alzheimer's in minutes?
Losing faith in AMD
Quake 3 on the iPhone! Now I gotta get one...

Saturday, July 29, 2006 3:11:39 PM (Eastern Standard Time, UTC-05:00)

Not trying to defend that application, as it's clearly a bit shoddy, but sometimes encryption of a user's password isn't a programming choice. Sometimes it's a decision that is made by people without a security background and imposed on those who are destined to implement this bogus approach. The reason is pretty simple, some people think that original passwords should be emailed and not reset. If you check around you'll find this is more common than you'd expect, equally common is membership without proper activation procedures.

Now, on to stored procedures, until fairly recently MySQL didn't do them. There's also a pretty strong argument against using them for web at all regardless of the platform, when you have a whole ever-growing bunch of cheap, identical application servers facing the customers and the back office with a big database server or two driving them do you really need to put computational stress on the database server?
What happens when you need to double the number of webservers due to a sudden boost in popularity? You need more CPU and memory in your database server, you need a new database server chassis eventually. Sure, if you've got a database server with enterprise level storage you can deal with this, but if the startup chose to use LAMP there's a fair chance that they're not cash rich and may just be out to test the market. They probably have the cheapest hardware around that can meet their performance demands.

A common way to make this class of LAMP application robust and easy to work with later on is to use a DB abstraction library and put all the calls to that library in a set of functions that are called by the business/page logic. The effect can be almost the same as stored procedures in terms of maintainability, the only loss is the performance gains of being able to optimise stuff within the database.

Philip Bragg

Saturday, July 29, 2006 6:28:29 PM (Eastern Standard Time, UTC-05:00)

You're right, unfortunately this situation is very common.
Regarding the stored procedures; in-line SQL that are called from within code, are compiled at runtime by the SQL server, hence more load on the server. Stored procedures are compiled when saved, along with an execution plan (some servers).
But yes, as you state, using a data abstraction layer is the right approach, no matter the development environment.

bAd mArk | badmarkAT NOSPAMbadmark dot com

Comments are closed.