Wednesday, June 13, 2007

The dogmatic programmer - when software becomes religion

Do you believe that there is only one "right way" to do things? Do you ignore evidence that other solutions may also work? Do you dismiss the possibility that there are reasonable trade-offs to be made between the "right way" and some other way? (do you leave angry comments on my blog?)

Do you think I'm kidding? Read these comments about GET vs POST. There's no question that POST is the "right" way and generally safer, but sometimes it's annoying. Even though GET isn't "supposed" to work, it often can be made to. Don't believe me? Google does billions of dollars a year in GET based transactions in the form of CPC ad clicks (which can cost over $50/click). A lot of other things work this way too, including most non-ajax webmail (for changing read/unread state, at the very least).

If you're writing missile guidance software or something then, please, please, please do things the right way -- it's better safe than sorry, right?

However, if you're writing little web apps, then there's a good chance that you can bend a lot of the rules and produce a better product sooner. I'd rather have something imperfect but useful and popular than something "perfect" but unfinished and unused. Sometimes, it's better sorry than safe.

When is it safe to bend the rules? Just ask yourself, "What's the worst that could happen?" If the worst case isn't too bad, then you're probably ok. Minor bad things will happen no matter what, so it's often better to put your energy into general problem recovery, rather than imagining that you can simply avoid all problems. (this is especially true on the web)

9 comments:

Anil Philip said...

I found it ironic.
"...when software becomes religion".

There is another religious war that seems to have completely escaped you - Microsoft haters vs. M$ users/programmers/likers.

It is not hard to guess where you are :)

austin said...

When?

Software's been a religion for a while, last time I remember.

Unknown said...

The problem with "What's the worst that could happen?" is that most people taking a shortcut likely have no idea what the worst could actually be.

Ben Hoyt said...

Good points. I agree that you've gotta be pretty pragmatic on the web, and that was the aim of my blog post.

But I guess I've come away a bit scared of prefetching apps. If the GET is something non-mission critical like an upvote -- fine, be pragmatic. But if it involves a money transaction or something like that, be very careful.

Andrew said...

You can delete my ISP's bandwidth logs by using GET variables.

I can't remember the line exactly but its something like this..

checktime.php?username=admin&password=password&cmd=del&id=1067

Its suppose to be used to delete a row of data in case the login messes up and it thinks you're already logged in but what they have done is allowed you to also delete the row of data after you have finished and logged out. Awesome now I haven't used my internet connection at all!

Also because of the id= variable you can also kick other people off the internet by deleting their rows.

While we're on the topic of GET variables. Please don't use the MySQL column name as the get variable name.

If you're using uid as the colume name in MySQL then please please please don't use uid as your get variable too.

I was able to figure out how to login to a video sharing website as Admin with this technique.

Goldenrock said...

Another thing to consider is that many web servers try to get a cache hit for GET requests but process POSTs directly.

Paul Buchheit said...

Anil, there are many religious wars. What makes you think that I missed the MS one, or that am part of it? I don't use MS much, but I certainly don't hate them (and I worked there for a bit). I try to stay non-dogmatic about everything.

Austin, yes, for some people it is, but it doesn't have to be.

Charles, you are, of course, correct, but those people were going to break everything anyway...

Ben, that's very reasonable. I would be very careful with anything involving money.

Manoj said...

From the limited interaction I have had with web developers I find that they tend to be 'less dogmatic' and have the 'get the job done' approach. Perhaps that's why this industry is moving so fast.

Programmers working on traditional software compiler/OSes/desktop apps/comm software tend to be a little more dogmatic.

Unknown said...

There's nothing wrong with just one person bending a minor rule for one web app. Or two people, even. But when a lot of people are doing it (as is the case with the Internet), then it becomes a problem. It might never lead to a misguided missle, but when a lot of people ignore standards then it can lead to billions of lost dollars on an national scale. Consider how much money goes into making web sites work with the nonstandard quirks of each major browser.