Opinion: Developers, silently swallowing errors is not OK

I don't know if it's considered some sort of modern trend, but what is it with applications now that just swallow errors instead of dealing with them? Is there an edict within these companies that errors should get shown, so they can argue their app doesn't have errors?

I'm working with a SaaS app right now. It does editing. Sometimes when I save, it just doesn't save. No error, just nothing saved. Or every now and then, I find the order of what I've entered just gets changed. Again, no error, but the order was changed.

Worse, sometimes when I then try to correct the order, it shows it as done, but next time I go back to that screen, the order is back the way it was in the first place.

On many occasions, if I close my browser, open it again, and log in, it all works OK again for a while.

But it's not just these types of applications. I've lost count of the number of sites I've been to, where supposedly serious applications are being developed, yet the code is full of try/catch blocks but the catch blocks are empty, i.e., silently ignoring any errors that occur.

How did we get to the point that this is what passes for application development now? Apps that mostly work and fail silently?

Sorry, but this is not OK.

Happy new year from SQL Down Under and from me

Hi Folks,

Just a short note today to wish everyone a happy new year. I know that new year is a time when many people make resolutions, with the intention of changing something about themselves during the upcoming year. It makes it a time full of hope for fresh starts.

I don't tend to make too many resolutions as I think that needs to happen on an ongoing basis rather than once per year, but I understand why people do.

From a company point of view, these are things you are likely to see from us this year:

  • Many new online and on-demand courses. (I know that many of our customers like in-person courses better but this is the low-cost and fast way to learn some topics, compared to waiting for us to run them in-person. And we've put a lot of effort into making sure the experience is as close to the in-person experience as it can be, with hands-on labs, quizzes, etc.) You'll find them at http://training.sqldownunder.com
  • New podcasts. I try to create a number of podcasts when a new version of SQL Server is about to appear. That gives me a chance to discuss the concepts behind the product features with the people who know about them, right while they're still finalizing them. You'll find the first SQL Server 2019 podcast with Argenis Fernandez here: https://sqldownunder.com/pages/sql-down-under-podcast
  • More in-person classes. Most will be in Melbourne, but it depends upon demand. Query Performance Tuning and Advanced T-SQL is one of our all-time favorites. It's running in Melbourne early next month. Early bird pricing is available now. Would love to see you there. If you can't make the full 5 days, you can do 2 days of Query Performance Tuning or 3 days of Advanced T-SQL separately. You'll find more here: https://sqldownunder.com/pages/sql-server-query-performance-tuning-and-advanced-t-sql-5-days, here: https://sqldownunder.com/pages/queryperformancetuning, and here: https://sqldownunder.com/pages/sql-server-advanced-t-sql-3-days
  • New eBooks. I have a couple of these planned. We'll see how many get out the door this year but if you don't have the current SSMS Tips and Tricks one, you'll find it here: http://ssmsbook.sqldownunder.com
  • Many more of our free developer and DBA tools: SDU Tools. Even if you aren't wanting a full set of tools, these are great examples of how to do things in SQL Server using T-SQL. If you don't have them yet, look here: http://sdutools.sqldownunder.com Version 13 is out now, and we've already got some great additions coming in Version 14.

Regardless, I hope you are all safe and well, and have an awesome new year!

Never lose hope – it's all around you

It's that time of year again when people look philosophically back at the current year, and start to think about how they'll improve their situation in the new year. But for many, this is a very hard time of the year.

I've had a few friends this year who seem to have almost lost hope when they've ended up in poor situations.

I just wanted to make a short post to encourage you all to never lose hope. Alexander Pope said:

Hope springs eternal in the human breast: Man never is, but always to be blest.

No matter how bad you think your situation is, there is hope. It's in you and all around you. I loved the awesome image from Stephen Walker that I've used above. You just need to recognize it.

In many cases, you really just need to talk the situation through with others. Don't be afraid to do so. We're here to listen.

Opinion: Get used to reading traces and logs before you need them

I used to do a lot of work at the operating system and network level. I was always fascinated watching people use network trace tools when they were trying to debug a problem. The challenge was that they had no idea what was normal activity on the network, and what wasn't.

The end result of this is that they'd then spend huge amounts of time chasing down what were really just red herrings.

When you don't know what normal activity looks like, everything looks odd.

Today, I see the same thing with traces of SQL Server activity, using either SQL Profiler (and/or SQL Trace) or Extended Events Profiler. I also see the same thing with insights data sent to Log Analytics, and the outcomes of many expensive SQL Server monitoring tools.

For example, suppose you are looking at a SQL Server trace, and you see a large number of sp_reset_connection commands. Is that an issue? When would it be an issue, and when is it just normal?

If I see an sp_reset_connection executed on a connection followed by a number of other commands, I know that the application is using connection pooling. If however, I see a bunch of those on the same connection, without any commands executed in between, I know that the application code is opening connections when it doesn't need to. Perhaps it should be opening the connection closer to where it decides if it needs it.
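
The check described above, written out as an added example (not code from the original post): it groups trace rows by session and counts sp_reset_connection calls that directly follow another one on the same session. The rows are constructed sample data, and the row layout, function names and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample rows, not from a real trace: (sequence, session_id, statement text)
SAMPLE_TRACE = [
    (1, 51, "exec sp_reset_connection"),
    (2, 51, "SELECT OrderID FROM dbo.Orders WHERE CustomerID = 7"),
    (3, 52, "exec sp_reset_connection"),
    (4, 51, "exec sp_reset_connection"),
    (5, 52, "exec sp_reset_connection"),
    (6, 51, "UPDATE dbo.Orders SET Status = 2 WHERE OrderID = 12"),
    (7, 52, "exec sp_reset_connection"),
    (8, 53, "SELECT name FROM sys.databases"),
    (9, 52, "SELECT 1"),
]

def is_reset(text):
    return "sp_reset_connection" in text.lower()

def classify_sessions(rows, idle_threshold=2):
    """Return {session_id: (resets, idle_resets, verdict)}.
    idle_resets counts resets that directly follow another reset on the same
    session, meaning a connection was opened and no command ran on it.
    idle_threshold is an assumed cut-off; tune it against your own baseline.
    """
    by_session = defaultdict(list)
    for _, session_id, text in sorted(rows):      # replay in trace order
        by_session[session_id].append(text)

    report = {}
    for session_id, statements in by_session.items():
        resets = idle_resets = 0
        previous_was_reset = False
        for text in statements:
            current_is_reset = is_reset(text)
            if current_is_reset:
                resets += 1
                if previous_was_reset:
                    idle_resets += 1              # previous open ran nothing
            previous_was_reset = current_is_reset
        if resets == 0:
            verdict = "no pooled reuse seen"
        elif idle_resets >= idle_threshold:
            verdict = "connections opened but not used"
        else:
            verdict = "pooled reuse, normal"
        report[session_id] = (resets, idle_resets, verdict)
    return report
```

Run against a trace captured while the system is healthy, the same counts give the baseline to compare later traces with.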

The key point is that it's really important that you learn to use these tools before you have a problem. You need to be able to recognize what's normal, and what isn't.

Using the classic editor in WordPress 5.0

Well today WordPress on my blog site went up to version 5.0. I knew a new editor (Gutenberg) had been coming to replace the classic editor but I hadn't had time to try it. So when it did the upgrade, I happily let it go and install the new editor.

Then I tried to write a post.

Oh my goodness, that was just a horrid, horrid experience. I can see what they've tried to do but it literally took me about five times longer than normal to write a single post.

I actually like change. In fact I tend to thrive on it. I can even imagine how this might help build certain types of pages better. But for someone writing blog posts with a heading, a bunch of text and images, etc. I can't imagine what they were thinking.

Each paragraph has become a "block" and I kept finding the pop-up block headers getting in the way the whole time I'm editing. Perhaps the people who love this don't touch type, or they always write pages in order and don't jump around but I can't tell you how annoying it was.

Worse, it kept deciding that I needed new lines when I didn't ask for them. I'd put the cursor beside an open bracket on a line, click Control-V, and then find it had inserted a newline before the pasted data. I was endlessly editing out things that it pushed in.

And so on and so on.

I kept looking for the "how to get rid of the new editor" posts but the best option now seems to be to use the Classic Editor plugin. Let's just say that's been a godsend. And given the number of installs it already has, I don't think I'm alone on this one.

Recommended!

Opinion: Case sensitivity is a pox on computing

I've been in the IT industry a long, long time. One thing that I've never liked is case sensitivity in application development tools or in database languages. And it's creeping into more and more places.

I know that will offend some people but hear me out.

I think we're stuck with case sensitivity in languages like C, C#, C++, Java, etc. because that was the easiest way to implement those languages in the first place. As soon as you decide that a language is case insensitive, you also have to decide the internal collation rules. For example, is the letter A the same as the letter a? But then what about the letter á?

I get that it's a hassle but humans just don't think in a case sensitive way, and that shouldn't be the basis of designing a language for humans to use. It might be computers that execute it but it's humans that write it, and more importantly, read it.

Now before I have people jump all over me, I'm not talking about case preservation.

It is important to me that if I write CustomerName or customerName, that when the system sends that value back to me, that it shows it the same way that I defined it. That's case preservation, not case sensitivity. I just shouldn't have to request objects or data in a specific case sensitive form. If it's a development tool, just automagically convert it to the defined case. If it's a database, just give me the data.

And I hear the C folk charging along in the background arguing that there's a common standard for backing variables (e.g., someProperty) to have the same name as properties, with just a case change (e.g., SomeProperty).

Sorry, but that was never a good idea either. There are other ways that we can solve that problem, and I've lost count of the number of times I've seen bugs in code where a property should have been accessed but a variable was accessed instead.

When you break it down to its essence, what case sensitivity does is allow me to have two objects in the same object scope, that differ only by the casing of their names.

You'll have a hard time convincing me that that was ever a good idea.

Opinion: Over-dependence on geolocation is a pest

One of the real beauties of the Internet is its global nature. But ever since we've had it, people keep trying to ring-fence certain locations, and make applications location-aware. While geolocation can be useful, over-dependence upon it is a real pain in the neck.

The first situation where this is painful is in media restrictions. Companies are still trying to enforce country and region boundaries for media licensing.

We need to get past this.

As an example, I'm forced to help pay for the ABC here in Australia through my taxes. I don't begrudge it. I really like the ABC and couldn't imagine the country without it. But what I don't love is that when I'm travelling, they refuse to show me the same content that I watch at home, and more importantly, they're refusing to show me the content that I'm paying for. If I'm watching it on broadcast TV, fair enough, but if I'm watching it on my laptop, how is that reasonable? They've geolocated my network connection and decided that I can't watch it.

I realize that it might not always be them making the restriction. They might have licensed content under similar silly laws. But they also won't let me watch local news, etc. that they produce.

They need to come up with a better way to enforce these restrictions. What does it matter where I am when I'm wanting to watch it?

Google G-Suite is another one that frustrates me with a passion that's hard to describe. The issue with it, is that every time I connect from a different network, even within the country, they block access to my accounts.

Eventually they send me an email telling me that "someone has your password" (I'm thinking No S*** Sherlock, that would be me), and proudly telling me that they've saved me, from myself. And then even though they check with me later "did you block you", and I say yes, they still keep doing the same thing.

And they never learn. Even if I go back to a location where I've been before, they don't remember that.

Worse, the ISPs often have different points of presence, even within the country. If I'm connected to TPG, I could appear to have connected in Sydney,

Awesome image by Dan Freeman

and then minutes later, I might appear to be connected in Brisbane.

Awesome image by Wilf Luck

Same with my Telstra mobile broadband. To them it looks like I'm suddenly in the Gold Coast.

Awesome image by Asif Aman

Bottom line is that I've often barely moved.

It's only the connectivity of the ISP that's changed. And Google offer no way to disable that, apart from things like 2FA based upon your phone. But then they don't have a good solution if I'm travelling out of the country with a different phone, or am unable to receive SMS messages.

I'm not sure what the answer is as yet, but I know that heavy reliance upon geolocation certainly isn't the answer.

Opinion: Banks and Councils cause potential identity theft problems

Banks, Councils, and Government Departments are often lecturing customers about protecting against identity theft, yet they are often an indirect potential cause of that threat.

Sending to Old Addresses

This one really frustrates me. When we change the postal address for one of our accounts, they almost always send a letter to our old street address. I can imagine why they think that's a sensible idea, but if we've already left that address, what they are doing is sending our private details to whoever now occupies the house.

How can that be sensible from a security point of view, in any way?

PO Boxes

Over the years, we've had a post box for most of our mail. It just makes sense because:

  • We travel quite a lot
  • Mail hanging out of a street letterbox is a clear sign that someone's away
  • It's way more secure than mail that goes to a street letterbox

And yet banks and councils so often insist on sending things to the street address. How can a dodgy mailbox on the street be a better place to send things than an Australia Post PO Box?

Australia Post PO Box Image

In some countries, PO Boxes have been used to keep things anonymous but in Australia, you have to do all sorts of identity checks to get one in the first place, so that shouldn't be an issue.

All they do by insisting on sending to street addresses is open their customers up to more chance of identity theft. It's way too easy to steal accounts and other mail from mailboxes outside houses or apartments.

That's often all a nasty person needs to start an attack, and it's the very people who should be helping to avoid it that are causing it. These same account documents are often then the required items for proving or establishing an identity.

This is not reasonable.

Opinion: Corporate Compliance Isn't Training

I spend a lot of time mentoring on client sites, and many of the clients are large organizations. Often these organizations require me to attend "training" on a regular basis, to satisfy their corporate compliance goals.

I don't mind doing this at all, even though the course on conflicts of interest, or handling private or sensitive data, at company A is invariably almost word for word the equivalent course that I do at company B, and company C.

The ones that I really don't like though, are the ones where the corporate IT security is spelled out like it's obvious, and yet I know that what they're pushing doesn't meet any of the current guidelines that have been created from serious research into the topics. For example, the NIST guidelines on passwords would be a good start.

Training should involve learning something.

The vast majority of staff at the organizations wouldn't learn anything from these "courses" and invariably, the questions that they need to get say 80% correct on, are so mind-numbingly obvious, that I see many staff not even paying attention when the videos are playing, and just quickly answering the questions at the end, to keep their managers happy.

But my biggest issue is that for many companies, almost all the corporate training budget is now going to these "courses". My take on this is that the cost of delivering this material should be in a "corporate compliance" budget, not in anything that pretends to be a "training" budget.