This weekend Stephanie’s parents came up and we spent most of the day Saturday at the Renaissance Festival.  It was the first time I had ever gone, so I wasn’t quite sure what to expect, but it was a lot of fun.  There were a lot of people there in costume (i.e. not just the people that work there), which I was a little surprised to see.  I guess I just don’t get the whole costume-wearing thing.  I know some people really like to wear costumes, and they come to things like Renaissance Festival, Star Wars conventions, Rocky Horror Picture Show, comic book conventions, football games, etc.  I’m sure psychologists would tell you there is some reason like “my father didn’t hug me enough” behind it.  But I just don’t get it... but hey, it’s not bothering me, so... ya know... whatever floats your boat.

Something else that kinda surprised me was the content of some of the shows.  I mean, it wasn’t anything that you wouldn’t see or hear on primetime TV, but something about it being live with little kids present, in a place that is also considered somewhat educational, made it seem a little unusual.  Of course, they mark those shows in the program as LC (“Loose Cannon”), meaning parental discretion is advised, so it’s not like there was no warning.  I guess it was the Tortuga Twins’ tights that bothered me the most; that should be considered indecent exposure.  I mean, let’s just say that if it were on Survivor they would have to blur it out.

I brought my camera but didn’t end up taking too many pictures, even though there was lots of neat looking decoration.  I guess we just spent too much time running from show to show, since there were many things to see.

The other day I somehow ended being the best available option for being The Person In Charge Of Games Time for the kids in Awana Club at church.  This is kind of unusual, since I’m at best something like tenth in line.  Somehow everyone else was sick or had car trouble or had to visit a sick relative or something.  Now I am the only man in the church who does not have children, so I guess they were pretty desperate.  So there I am, basically being something like a P.E. teacher for little kids who I have no idea how to control or relate to, and I only know the names of like three of them.  Daniel (who would normally be doing this) told me the kids pretty much knew the rules to all the games, and that I could do dodgeball or relay race.  So I decided dodgeball was really simple so I’d have them play that.  I found out that they don’t normally play dodgeball the way I learned it.  I always played where you divide up into two groups, one group makes a big circle, the other is inside the circle.  Those on the outside of the circle throw the ball at those on the inside, and if you get hit you become part of the circle (but hits above the waist don’t count...  so that they don’t take each others’ heads off).  So we played the way I knew the game.

First up was the older group of kids (as in, third through fifth grade I think).  This didn’t go so bad, because there were two other adults out there, and the kids understood how to play dodgeball after I explained the game.  For the most part they took care of themselves.  After about 25 minutes they went in, and it was time for the younger kids (K-2ish I think?) to come out.  This time, there were no adults to help me out, so I was left alone to try to manage twelve kids.  Well they didn’t take as well to dodgeball.  They didn’t understand the rules, and soon got bored and started running around, basically playing tag.  My efforts to keep them playing dodgeball had little effect, and I don’t know their names and most of them didn’t know me.  I could go on, but the point is that it went pretty badly.  But no one got hurt or anything so I guess it could have gone worse.  After only about 15 minutes of the 20-25 minute game time, I sent the kids back inside for their teachers to deal with. :)

While I was watching these kids, I observed a few behaviors.  One of the kids went off to the side and sat down.  When asked why he wasn’t playing, he said he didn’t get to throw the ball.  I told him he definitely wasn’t going to get the ball if he was sitting off to the side.  Then there were some other groups of kids that just wanted to chase one another.  There were some girls that really just wanted to talk to each other, having no interest in the game.  Then there were the more competitive boys, who actually had an interest in winning the game.  I’ll call it a microcosm of society.

Now that this experience is behind me, hopefully I won’t be in charge of little kids again for quite some time.

Here is a database query that has a potentially huge problem:

1

select * from users where username = '$username' and password = '$password'

If you’re not a programmer, bear with me, I’m sure you can still follow the problem here.  In the line above, $username contains the value the user gave for their username, and $password contains the value given for their password.  Let’s say my username is “kip” and my password is “12345”.  That gives us:

1

select * from users where username = 'kip' and password = '12345'

So far so good, a database can execute that just fine.  But what if my password is “My dog’s name is spot”?  That gives us this:

1

select * from users where username = 'kip' and password = 'My dog's name is spot'

See the problem?  The database will think the password is just “My dog”, since there is a single-quote in the password.  It will additionally not know how to handle the rest of the statement and probably return an error, preventing the user from ever logging in.

Nothing I’ve said here of this should be news to a programmer.  In introductory programming courses, students are often asked to write a program where the user is asked for input (let’s say, a number from 1-10), and the program must not fail if the user enters something entirely different (let’s say, “judicious”).  What is happening in my example is in no way fundamentally different.

If you’re thinking to yourself, “Hey Kip... you’re not writing this post because you just figured this out... are you?”, rest assured that I am not.  I am writing this because (a) I like to pretend that my blog has more than a dozen readers; and (b) because I have seen several sites discussing this type of bug lately.  The implication is that many programmers—presumably the paid, professional types (not just amateurs)—would put user input inside single-quotes without entertaining the possibility that the user might enter text with single quotes in it.  It seems like one of those things that you shouldn’t need to be taught—you should logically know to validate user input, even if you have never received formal training in programming.

Thus far, I haven’t even talked about the security hole caused by this code:  someone could intentionally use a single-quote in their password to exploit this bad code.  For just one of many examples, giving a password of “‘ or ‘abc’ = ‘abc” will let you into any existing user’s account (this is called SQL Injection).  I can understand why a programmer might not see that security hole immediately.  But the security hole is just an abuse of a bug that a logical human being should have seen in the first place.

</soapbox>

Today marks one quarter of one century that yours truly has graced this planet with his presence.  In honor of this momentous occasion, I will now discuss things that I pledge, as an aging person, not to say in the coming twenty-five years.

The problem with America today is ...
I do not believe that getting older means you’ve suddenly figured everything out.  Do you know how many topics have been identified as the problem with America?  Seven hundred and thirty four different topics, according to statistics I just made up.  I think it is plain to see that the world is very complex.  I won’t let myself fall under the assumption that the world is constantly degrading.  If anything I think they are improving (despite what the news tells you).

Kids these days have it too easy.
You may have also heard this stated like this:  “When I was a kid I had to walk to school.  In the snow.  Barefoot!  Uphill!!  BOTH WAYS!!!”  It is a tired cliché, and old people seem to jump on it left and right.  Political candidates have used it to win votes for a very long time.  Yeah, technology is making a lot of things easier (and isn’t that what we want anyway?), but there will always be new challenges to kids that their elders didn’t even have to worry about.  Like how my grandparents didn’t have to worry about getting germs from black people when using a public water fountain, but my generation is constantly assailed with negro germs.

The last good band was The Smashing Pumpkins, the last entertaining video game was Super Mario 64, and the last funny movie was Happy Gilmore.
This is a big one, and I refuse—I repeat: refuse!—to succumb to the notion that somehow I happened to be fifteen years old when all the best bands, movies, TV shows, and video games came out.  I’m not sure what causes people to think this way as they age, but I think we have all seen it time and time again.  I’m not saying I will be one of those old people who tries to pretend he’s one of the cool kids (like that guy who graduated high school two years before you, but he would still hang out in the parking lot after school, and as far as you know he still does).  I’m just saying I won’t act like I lived in some kind of magical golden age where nothing sucked.  I guess people only remember the things they like, and they replay those things in their mind over and over.  When these memories—ripened into nostalgia by years of rumination—are placed against fresh, unfiltered new media...  well, there is no contest.  In the coming twenty-five years I will attempt to be conscious of the fact that things might not have been as good as I remember them.  I have already started this process.  For instance, as much I would like to, I will not assert that Animaniacs is somehow more sophisticated that SpongeBob SquarePants, or that Teenage Mutant Ninja Turtles has a better premise than Pokémon.  I think only the eight-year-old me and a modern eight-year-old could take up that argument.  Presumably with nunchucks and Pokéballs.

Well there you have it.  Originally the list was longer, but there was a lot of redundancy.  Basically everything boiled down to “new stuff sucks” and “there is no hope for our kids.”  I will strive to keep these campaign goals, and in twenty-five years I will present a status report, evaluating my performance in achieving these goals.  Stay tuned!

Do not say, “Why were the old days better than these?”  For it is not wise to ask such questions.
—Ecc 7:10

A word of advice for the next time you go furniture shopping:  check your pockets frequently, to make sure nothing has fallen out while testing out a recliner or couch or reclining couch.

I learned that the hard way last weekend at Hickory Furniture Mart, which is kind of like a mall, except it only has furniture stores in it.  After I got home and realized I didn’t have my cell phone, I had to go back and look through dozens of stores.  After spending the better part of an hour searching, I found it buried deep within the cushions of a recliner.  The lady in the store said that this happens a lot.  So... don’t let it happen to you...

So I mentioned quite a while back that I had been reading The Daily WTF.  Well a little over a year ago I sent something in.  Not bad code, but a funny story about an interview experience I had.  Last Friday (on my birthday, ironically), Alex (who runs the site) decided to run my story along with four other interview stories.  He also decided to take a poll of which story was the best, and the submitter of the winning story would win a bean bag chair from Sumo Lounge.  Well my story won (seen here, the one titled “Are You An Astronaut?”).  Be forewarned:  the version of the story shown on the site has been edited a little bit from what I sent in (which will be faithfully reproduced at the end of this post).  I kinda feel bad that I stopped reading the site a few months ago because I got bored with it... but I got an e-mail this week saying that I won an Omni bean bag chair, I just needed to pick a color (I went with Charcoal Green).  These things are supposed to be pretty nice (and at $150, they’d better be!); I’ll be sure to let you, o faithful reader of my blog, know what I think of it.  Hopefully the blonde comes with it.

As promised, here is the original version of the story that I sent in:

Fresh out of college, I was interviewing for a junior programming job at a company that develops software for aerospace/automotive companies.  So far the day was going well.  I interviewed for about an hour with someone from HR, then interviewed for another hour with the person who might be my manager, and that interview went really well.  Then to close the day I interviewed with the project manager (the previous manager’s manager).  Again, things were going well.  There was a lull in the interview where the guy was looking up something on his computer, so I started looking at the things he had up around his office.  On one wall he had a collage of NASA stuff.  Without thinking, I guess to make conversation or something, I asked him if he was an astronaut!  It was one of those situations where I was regretting it even as it was coming out of my mouth.  He looked at me like I was retarded, then said “no, I was a project manager at NASA.”

As it turns out, I was somehow still offered that job, and it’s where I’m working now (a little over a year later).  I don’t know if the guy remembers me asking that or not, but he’s my manager’s manager so I don’t really see him that often.

We spent Thanksgiving in Williamsburg, Virginia with Stephanie’s family, and I just put some pictures up.  Most are either our new niece, Riley, or some kinda artsy pictures from Colonial Williamsburg like the one that can be seen to your left.