Why Is Escaping Data Considered So Magical?

  • Thread starter Lawrence D'Oliveiro

Rami Chowdhury

Doesn't seem to, sorry. Using Michael Torrie's code example, slightly
modified...

char *buf = malloc(512 * sizeof(char));

Again, you misunderstand the difference between a C array and a pointer.
Study the following example, which does work, and you might grasp the
point:

ldo@theon:hack> cat test.c
#include <stdio.h>

int main(int argc, char ** argv)
{
    char buf[512];
    const int a = 2, b = 3;
    snprintf(&buf, sizeof buf, "%d + %d = %d\n", a, b, a + b);
    fprintf(stdout, buf);
    return 0;
} /*main*/
ldo@theon:hack> ./test
2 + 3 = 5

I'm sorry, perhaps you've misunderstood what I was refuting. You posted:
With my code example I found that, as others have pointed out, unfortunately it
doesn't work if v is a pointer to a heap-allocated area.

David Cournapeau

I don't think it was as stupid as that back when C was designed

Actually, strncpy had a very specific use case when it was introduced
(dealing with limited-size entries in very old unix filesystem). It
should never be used for C string handling, and I don't think it is
fair to say it is stupid: it does exactly what it was designed for. It
just happens that most people don't know what it was designed for.

David

Lawrence D'Oliveiro

Rami said:
I'm sorry, perhaps you've misunderstood what I was refuting. You posted:

With my code example I found that, as others have pointed out,
unfortunately it doesn't work if v is a pointer to a heap-allocated area.

It still correctly passes the address and size of that pointer variable. If
that’s not what you intended, you shouldn’t use it.

Lawrence D'Oliveiro

Robert said:
It's not hard per se; it's just repetitive, prone to the occasional
mistake, and, frankly, really boring.

But as a programmer, I’m not in the habit of doing “repetitive” and
“boring”. Look at the example I posted, and you’ll see. It’s the ones trying
to come up with alternatives to my code who produce things that look
“repetitive” and “boring”.

Lawrence D'Oliveiro

HTML is a data format. The sane way to construct or manipulate HTML is via
the DOM, not string operations.

What is this “DOM” of which you speak? I looked here
but can find nothing that sounds like

said:
And what about regular expressions?

What about them? As the saying goes:

Some people, when confronted with a problem, think
"I know, I'll use regular expressions."
Now they have two problems.

They have some uses, e.g. defining tokens[1]. Using them to match more
complex constructs is error-prone ...

What if they’re NOT more complex, but they can simply contain user-entered
data?
The main reason why everyone recommends subprocess over its predecessors
is that it allows you to bypass the shell, which is one of the most
common sources of the type of error being discussed in this thread.

How would you deal with this, then: I wrote a script called ExtractMac, to
convert various old Macintosh-format documents accumulated over the years
(stored in AppleDouble form by uploading to a Netatalk server) to more
cross-platform formats. This has a table of conversion commands to use. For
example, the entries for PICT and TEXT Macintosh file types look like this:

"PICT" :
    {
        "type" : "image",
        "ext" : ".png",
        "act" : "convert %(src)s %(dst)s",
    },
"TEXT" :
    {
        "type" : "text",
        "ext" : ".txt",
        "act" : "LineEndings unix <%(src)s >%(dst)s",
    },

The conversion code that uses this table looks like

Cmd = \
    (
        Act.get("act", "cp -p %(src)s %(dst)s")
    %
        {
            "src" : ShellEscape(Src),
            "dst" : ShellEscape(DstFileName),
        }
    )
sys.stderr.write("Doing: %s\n" % Cmd)
Status = os.system(Cmd)

How much simpler would your alternative be? I don’t think it would be
simpler at all.
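As an added example (not the ExtractMac script's own code), here is the shape of the subprocess-based alternative the quoted advice points at: each "act" entry is an argv list and the `<src >dst` redirection is written out explicitly, so the command runs with no shell and a ShellEscape step is never needed. The `convert` and `LineEndings` commands are assumed to be on PATH as in the original post; the table here is a constructed stand-in for the script's table.

```python
import shlex
import subprocess
import sys

# Constructed conversion table: "act" is an argv list, so no shell ever
# parses it.  "stdin"/"stdout" name which of src/dst a command reads or
# writes, replacing the "<%(src)s >%(dst)s" shell idiom.
CONVERSIONS = {
    "PICT": {"type": "image", "ext": ".png",
             "act": ["convert", "%(src)s", "%(dst)s"]},
    "TEXT": {"type": "text", "ext": ".txt",
             "act": ["LineEndings", "unix"],
             "stdin": "src", "stdout": "dst"},
}
DEFAULT_ACT = ["cp", "-p", "%(src)s", "%(dst)s"]


def build_command(entry, src, dst):
    """Substitute src/dst into each argv token separately.

    A file name containing spaces, quotes, '$(' or ';' stays a single
    argument because the list is handed to execve, never re-parsed.
    Returns (argv, stdin_path_or_None, stdout_path_or_None).
    """
    names = {"src": src, "dst": dst}
    argv = [tok % names for tok in entry.get("act", DEFAULT_ACT)]
    stdin = names.get(entry.get("stdin"))
    stdout = names.get(entry.get("stdout"))
    return argv, stdin, stdout


def run_conversion(entry, src, dst):
    """Run one conversion with shell=False; returns the exit status."""
    argv, stdin, stdout = build_command(entry, src, dst)
    # shlex.quote is used only to make the log line readable/pasteable.
    sys.stderr.write("Doing: %s\n" % " ".join(shlex.quote(a) for a in argv))
    fin = open(stdin, "rb") if stdin else None
    fout = open(stdout, "wb") if stdout else None
    try:
        return subprocess.call(argv, stdin=fin, stdout=fout)
    finally:
        for f in (fin, fout):
            if f:
                f.close()


if __name__ == "__main__":
    # Demo with a constructed Macintosh-style file name; would run "convert".
    print(build_command(CONVERSIONS["PICT"], "Jack's Notes (1)", "Jack's Notes (1).png"))
```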

Justin Smith

Seeking industry expert candidates

I’m Justin Smith, Director of Tech Recruiting at Express Seattle. I
am currently seeking candidates to fill Tech Positions for multiple A-
List Clients:
• Quality Assurance Engineer,
• Senior Data Engineer, Search Experience
• Senior Software Development Engineer, UX / UI
• Software Dev Engineer
• Software Dev TEST Engineer
• Software Development Manager,
• Sr Applications Engineer – Strong Linux Systems Administrator
• SR Technical PM, -
• Web Designer/Developer – strong tech and art background
• Business Analyst,

Many of our Clients work within a Linux environment. For greatest
impact, on your resume highlight relevant skills and technologies used
in an environment supported by Linux, languages that show you
understand and know object oriented development, have experience with
high volume sites that are notable and are continually learning new
skills.

Hot List that gets our attention – LAMP Stack Experience, Linux, Perl
and Java/JavaScript Experts that are current in the use and show
expertise. Microsoft environment and dot net technologies are not
added attractors to many of our clients.

If you are interested in these roles, send me your resume, cover
letter highlighting noteworthy skills and projects with expected base
salary to (e-mail address removed) and I can submit it ASAP.
Justin(dot)Smith(at)ExpressPros(dot)com DO FEEL FREE TO REFER this
on to a friend or colleague with strong skills as well.

Qualifications:
- Computer Science degree or equivalent work experience (5+ years).
- Expert level fluency in at least one mainstream object-oriented
programming language (C++, Java, Ruby, Python).
- Proven coding skills in C++ and or Java on Unix/Linux platforms is a
must.
- Experience with MySQL or Oracle databases a plus.
- Linux or LAMP Stack experience preferred.
- Experience with HTML5, XML, XSD, WSDL, and SOAP and a history
working with web client software
- Experience with scalable distributed systems is a positive.

Added value attractors if the qualifications are available:
+ Experience with the iPhone SDK and Objective-C. – published app that
is stable, engaging
+ Experience with the BlackBerry SDK and/or J2ME. – published app that
is stable, engaging
+ Experience with the Android SDK. – published app that is stable,
engaging

If you are interested in these roles, send me your resume, cover
letter highlighting noteworthy skills and projects with expected base
salary to (e-mail address removed) and I can submit it ASAP.
Justin(dot)Smith(at)ExpressPros(dot)com DO FEEL FREE TO REFER this on
to a friend or colleague with strong skills as well.

John Nagle

Seeking industry expert candidates

I’m Justin Smith, Director of Tech Recruiting at Express Seattle. I
am currently seeking candidates to fill Tech Positions for multiple A-
List Clients:

Spammer detected.
Injection-Info: r27g2000yqb.googlegroups.com;
posting-host=63.170.35.94;
posting-account=XlBkJgkAAAC7JNUw8ZEYCvz12vv6mGCK
Reverse DNS: "franchisevpn.expresspersonnel.com"
Site analysis: Domain "www.expresspersonnel.com"
redirected to different domain "www.expresspros.com"
Site analysis:
From Secure certificate (Secure certificate, high confidence)
Express Personnel Services, Inc.
Oklahoma City, OK
UNITED STATES
Oklahoma corporation search:
EXPRESS SERVICES, INC.
Filing Number: 2400436307
Name Type: Legal Name
Status: In Existence
Corp type: Foreign For Profit Business Corporation
Jurisdiction: COLORADO
Formation Date: 28 Aug 1985
Colorado corporation search:
ID: 19871524232
Name: EXPRESS SERVICES, INC.
Principal Street Address: 8516 NW Expressway,
Oklahoma City, OK 73162, United States
Target coordinates:
35.56973,-97.668001
Corporate class: Franchiser

John Bokma

John Nagle said:
Spammer detected.

But did you report it? (If so, it helps if you state so).

Injection-Info: r27g2000yqb.googlegroups.com;
posting-host=63.170.35.94;

http://www.spamcop.net/sc?track=63.170.35.94 -> looks like abuse goes to
the spammer... A whois gives sprint.net, so you could contact abuse at
sprint.net (see: http://whois.domaintools.com/63.170.35.94 )

[snip address etc.]
Spammers don't care about that. Best course of action, based on my
experience, is to contact abuse at googlegroups.com (now and then it
actually works), and sprint.net.