14. December 2010 08:32
I’m pretty sure that every programmer would agree that good code is difficult to write. I think though that the C++ language makes this abundantly clear.
C++ is a compiled language frequently used for GUI applications and for games. It has a high barrier to entry due to the complexity of the language. However, this complexity is also what proves that good code is difficult to write. For example, the use of the ‘const’ keyword can be used to indicate that a member function does not change the class. It can mean that a parameter cannot be modified within a function. It can mean that a return value cannot be modified. And the list goes on. Remembering all these details and making sure they are applied correctly is very difficult.
Added to this, there are ways to take shortcuts that can have very detrimental effects down the road. For example if you take a shortcut with the use of ‘const’ you will most likely get a very confusing compiler message that could be very difficult to figure out.
Here at Worthwhile we mostly use interpreted languages. This means that translation of the source code to machine code happens when the program is run. C++ is a compiled language which means that a programmer must use a tool to generate the machine code before the program can be run. Interpreted languages in general are more flexible than compiled languages and make it less difficult to get the details right. However, if the programmer is not thinking about all of the possible ways his code might be used he will undoubtedly get burned later.
For example, consider a function that retrieves data from a database. The function accepts parameters that are used to filter the results down to what the user wants to see. The simplest way to do this is to use string concatenation. So if I am looking for people with the name of ‘Fred’ the query would look like: “SELECT * FROM people WHERE name = ‘Fred’”. If Fred is stored in a variable, the line would look like this in PHP: “SELECT * FROM people WHERE name = ’”. $variable .’”. So what is wrong with that? What if the variable that contains “Fred” is changed to contain “Fred; DELETE * FROM people;”? Well now you could have just inadvertently allowed the user to delete all the data you were trying to keep in the table. This is an example of a SQL injection attack technique.
Good code requires lots of thought. C++ makes you consider additional aspects of how code could be used. Scripting languages do not require that you do that. Lazy or partially thought out coding practices can lead to major security flaws! Have you ever been bitten by poorly written code?