True, php is not perfect

Everybody knows that php is not perfect. Other scripting engines (python, ruby, nodejs, perl …), however, bring their own brand of trouble.

Then, there is java, c#, go, and even c++ which are all based on grand ideas that are simply incorrect. The more they were going to save the world, the more they got it wrong. Php was not going to save the world (“my personal homepage”), and that is why it is still usable. Seriously, php only wins by default.

In php, people suspect that everything around them is wrong, and that is why things are actually not that wrong. If you visit another language community, you will usually find a congregation of heathens staunchly proclaiming their total faith in the one or the other false, pagan belief.

Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. If you tell them that their lightweight and efficient model is a callback hell, they will angrily reproach you: You are insulting our religion!

Nowadays, I first do a shell script in bash, of which some parts get moved over to php because these parts use data structures that bash cannot handle (“lists of lists of lists”). Of this php code, I may move over small parts to C — preferably written by someone else — in order to make some of the innermost loops run faster. Php is not and has never been a problem. Php will indeed not save the world, but it works fine.


Facebook versus Reddit

Facebook communities have moderators. That is not a good system. Give the wrong person only a little bit of power and he will abuse it. The existence of moderator jobs will end up attracting the wrong crowd.

Of course, some posts should be banned because they are really unacceptable. The users should be able to report a post, but only for very specific reasons. For example:

[x] pornography
[ ] slander; (real) name of the person being slandered: [             ]

If enough users confirm this report, for exactly the same reasons, the system should remove the post altogether.

But then again, there are not that many valid reasons to report a post. For example, off-topic posts should just be ignored.

A user should even be able to ignore all posts by a particular author, by clicking an “ignore” button behind his name. In order to save time, a user should also be able to automatically ignore the authors that another, chosen user also ignores. The user should also be able to un-ignore an author recommended by another user.

Facebook communities use real names. That is a bad idea. You may not be able to speak your mind or be critical, because that will attract the same, wrong “moderator” crowd. They will inevitably even try to moderate your Facebook comments in real life. You do not want communist party officials running after you in the forbidden city.

Reddit allows for down votes.

Imagine that you create a new product. Initially, 3 000 people like and buy it, while 97 000 people do not see the point in it. Your startup is doing perfectly fine, but Reddit says that you have 94 000 down votes.

For anything innovative, it usually takes a bit of time before it spreads from the early adopters to the mainstream. A system like Reddit will destroy the new product or new idea long before that.

If real life allowed for down votes, we would still be living in caves.

Reddit also allows up votes without any proof of work. People are not forced to put their money where their mouth is. That is also not how it works. We do not care that someone thinks that the new product is cool. We only care if that person actually buys it.

An up vote (“a like”) without even a micropayment is just spam.

In my impression, the correct way to organize discussion communities is:

  1. no moderators
  2. no real names
  3. “report this post” button, selecting a specific reason
  4. “ignore this author” button
  5. “ignore all authors” that a chosen other user also ignores
  6. “un-ignore authors” who are favourites of another user
  7. no down votes
  8. mandatory micropayment for up votes (“likes”)

I personally think that Reddit shows the best potential. It has all the seeds for fundamentally working better than Facebook. However, the whole system gets ruined by their unproductive approach to voting.

Voting should not try to mimic political elections but customer appreciation of products in the open market.


The proxy war between Apple and the FBI

Apple has created something that gives them quite a bit of power over the users of their iphones and ipads. Apple has manipulated the situation very well. They have gained the ability to update the software on these devices without permission or even knowledge of the user.

Of course, Apple just made a beginner’s mistake. They thought that they would be able to hang on to that power by themselves. That is not how it works. As it turned out, they just did free research for the three-letter agencies that represent the real power in society, and which ultimately have total control over the corporations.

Three-letter agencies dealing with foreigners and foreign countries have full extralegal status. The NSA and the CIA do not need to ask permission anywhere for anything. The formal procedure says that the NSA and the CIA just ask a FISA court to rubber stamp whatever they want to do. Then, they tell Apple to update someone’s phone. Next, they just use a gag order to forbid Apple from revealing anything to anyone.

The FBI are envious and jealous. They ordinarily do not deal with foreigners but with residents. They also want this power. Unfortunately, residents and nationals could complain. Therefore, the FBI see themselves systematically being reined in. Traditionally, if the FBI want to use extralegal methods, they must go and kiss arse at the NSA or the CIA. Otherwise, they are being told to bugger off. The FBI seriously hate this.

It is not Apple that are fighting the FBI, because Apple have no say whatsoever in any of this. Apple are being told and instructed by others to snub the FBI. The FBI have been told that they are uppity. They should know their place. We know exactly which cartel does not want to share their extralegal powers. It is their monopoly. The FBI are simply not going to get anything.

The teenage girls in Trygve Reenskaug’s 1979 MODELS – VIEWS – CONTROLLERS

The original 1979 paper is a must read for people who are fond of MVC. They will immediately understand what Trygve Reenskaug really meant:

A view […] gets (GET) the data necessary for the presentation from the model by asking questions. It may also (POST) update the model by sending appropriate messages.

According to the paper, the View makes requests to the Model by sending messages, while the Controller is a separate program, common to all View->Model applications.

  • View = the browser
  • Model = the server
  • Controller = the windows start menu

Since nobody else seems to have read the original paper, the one person who did, and misunderstood it, did a fantastic job in touting the virtues of MVC.

Ever since, the teenage girls have been copying what their friends are wearing!

The magical line that explains it all

In between the second and the third column, you can see the magical line that explains it all:

| | Left column | Right column |
|---|---|---|
| Dunning-Kruger | Deep inside, you think that you are smarter than everybody else | You know for a fact that lots of people are smarter than you |
| Politics | You are a nationalist | You are an internationalist |
| About nationality | You generally prefer people of your own nationality | You generally prefer people of your own or similar professions |
| Immigration | You see immigrants as a threat | You generally don’t care but you believe that there are also interesting immigrants |
| Politics | You are getting more statist with the day | You are becoming more libertarian with the day |
| Government | The government must protect you from competition | The government must stop protecting hopeless cases from competition because it only makes them more hopeless |
| Knowledge | You think that you know everything there is to know | You know that there is much more to know than the little you know |
| Things you don’t know | You dismiss everything you don’t know or understand as unimportant | You are attracted by things you don’t know or don’t understand |
| Subjects | You know nothing about the subject but you certainly still know better | You like to listen and learn |
| Learning | You don’t need to learn, because you know everything already | You learn pretty much all of the time |
| Girls | When you were young, the girls kind of liked you, but now not anymore | When you were young the girls ignored you but now they run after you |
| Credentialism | You may not have one, but you think that degrees are very important | You probably have one, but you could not care less about anybody else’s degrees |
| Degrees | You strongly believe that people with degrees should make more money | You know quite a few poor people with degrees who probably still make too much money for what they do |
| Crisis | In the slightest economic downturn, you lose everything | You don’t remember the last economic downturn |
| Salaries | For your job, local salaries are very different around the world | Wherever you go, people doing what you are doing, make pretty much the same |
| Future outlook | You are continuously afraid of losing your job | You never worry about that kind of things |
| Applying | You always have to apply and you usually get rejected | You get asked quite often but you are already too busy |
| CV | They ask you for your CV | They know your CV |
| Adversity | You blame others | You blame yourself |
| Money | You live from paycheck to paycheck and you cannot save anything | You are sitting on savings that would allow you to carry on for years |
| Debt | You badly need payday loans | You may have a mortgage but that is only for tax reasons |
| Games | If you cannot win, you start cheating | You congratulate the winner |
| Envy | You envy and therefore hate people in the other column | You feel sorry for people in the other column |
| Racism | You are racist and even supremacist and you feel superior as you always keep pointing to the achievements of people of your own race but from the other column | You get along with other races, no problem; it does not make any difference to you |
| Attitude | You easily attack or insult other people | You are generally polite |
| Religion | You insult other people’s religion | You see the value in family life and the fact that religion encourages it |
| Islam | You are afraid of Islam | You see Islam as something quite similar to Christianity |
| Parents | You only have a single mother and no father whose name you may not have been told | Your parents are probably still married |
| Siblings | If you have brothers and sisters, they are all from different fathers | You get along quite well with your siblings |
| Women | You are attracted to women who dress like prostitutes; they possibly even are. | You are attracted to women who can at least eat with fork and knife |
| Life | You think that life is unfair | You enjoy life |
| Power | If you have even only a little power — you probably don’t — you will abuse it | It is in your nature that you desire to be fair to other people |
| Conclusion | You are the archetypical loser | You are the archetypical winner |

The billion-dollars problem of token injection into insecure code can be solved with category theory

Why category theory?

Ever since I stumbled upon mentions of Voevodsky’s “Univalent Foundations of Mathematics”, I realized that the man was digging very close to the area of the Holy Grail. The only question that I wanted to ask him is: “Are you also looking for the Holy Grail, because why else would you be here?”

If you just walk in the direction of where things get more beautiful and where a pleasant scent smells stronger, you will eventually run into Voevodsky digging there, and when you ask him, “Have you found it?”, he will say: “Not yet.”

We do not know what the Holy Grail looks like, because it is a virtual object: if you knew what it looks like, you would effectively have found it already. You will know perfectly well, however, that you are holding it in your hand, because your senses will confirm it, fail-safe.

There is some kind of tree over there, and if you shake it, there will be billions or even trillions of dollars dropping out of it. I conjecture that every possible security issue in computer source code amounts to a failure to respect structure-preserving category invariants. If you correctly describe the category, you will automatically have solved an entire class of security issues.

Notation typically used in category theory

Obviously, it is possible to formally describe category theory in obnoxious and inherently inferior Russell-Whitehead notation, but that would not help anything. You see, Russell-Whitehead notation is not executable. That means that it is not even unambiguous. Then indeed, what is the point? In other words, it is just a pagan depravity. It took Russell and Whitehead ten years to create the useless crap with which they still terrorize the entire planet. In the footnotes of this article, you can find lots of inane examples written in that pagan vernacular. The heathens love it. Their pagan rituals are full of it. They honour their false gods with it. It has always been the primary facilitator for Soviet pseudoscience. It is yet another false belief holding back the progress of mankind.

Example of token injection

I keep using examples from SQL, even though I have had many angry remarks from readers who said that I should pick another language or format, because they consider the SQL injection problem to be “solved” already (“just use library x or y”). The reason for this is that I am not going to change my examples just to hear that other people consider the problem also “solved” in that other language (“just sanitize your templates with chewing gum”).

If the template is:

template = "select * from T where f1 = '{value1}' and f2 = {value2}"

and we supply a map:

map = { "value1": "anything'", "value2": "or 1=1 or f1='whatever value2=5" }

then, the expansion looks like this:

expand(template,map) = "select * from T where f1='anything' or 1=1 or f1='whatever' and f2=5"

In a previous blog post, I already explained, also for this particular example, why it is trivially easy to detect the token injection. I will now clarify the invariants governing the solution category.


  • language, object, grammar: SQL
  • statement, expression, template: select * from t where x={y}
  • template variable: {y}
  • morphisms: rewrite(sql, lisp_style_sql, "select * from t where x={y}") == "(select * t (=x {y}))"

category: { "objects": ["sql", "lisp_style_sql", "euler_style_sql", "sql_with_arbitrary_keywords1", "sql_with_arbitrary_keywords2"], "morphisms": [rewrite__lisp_style_sql__euler_style_sql, rewrite__sql_with_arbitrary_keywords2__euler_style_sql] }

The JSON table above represents a category with its objects and morphisms.

Detection of token injection

All literals in an expression may be replaced by template variables. The expression then becomes a template. Expansion takes place when the expand() function applies a map from template variables to actual literals to the template, replacing each variable by its literal:


The validation function isvalid() is a predicate function that returns true if the expression is valid in the target language, and false if not:

result=isvalid(SQL, expression)

If we consider two homeomorphic languages, HOMEO1 and HOMEO2, that can be rewritten into each other using the rewrite() function:


then, the following invariant holds true for any expression in HOMEO1:


This is the “round trip” requirement in homeomorphisms.

Token injection can always be detected, because the following invariants must hold true for any (template,map) tuple:

[1] isvalid(HOMEO2,expand(rewrite(HOMEO1,HOMEO2,template),map)) == true

[2] expand(template,map) == rewrite(HOMEO1, HOMEO2, expand(rewrite(HOMEO2, HOMEO1,template),map))

Token injection through the map will violate either or both invariants and therefore fail to preserve the structure of an arbitrary statement across objects (=languages). Therefore, it will be impossible to hide token injection from the category invariants.
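The invariants above, run on a toy pair of homeomorphic languages as an added example (not the post's own code): a small subset of SQL and the lisp-style rewrite the post sketches, both parsing to one shared AST so that rewrite() works in either direction. The grammar subset, the HONEST and INJECTED maps, and the reading of invariant [2] as a commuting square (rewrite the template into HOMEO2, expand there, rewrite back, compare with the direct expansion) are this example's assumptions.

```python
import re

# Toy tokenizer shared by both languages; anything it cannot match (';', '--', ...) is junk.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\{\w+\}|\w+|[()=*]")
KEYWORDS = {"select", "from", "where", "and", "or", "=", "*", "(", ")"}

def take(t, expected=None):  # consume the next token, optionally a given keyword
    if not t or (expected and t[0].lower() != expected):
        raise SyntaxError(f"expected {expected or 'a token'}, got {t[:1]}")
    return t.pop(0)
def operand(t):  # literal, identifier or {variable}; a keyword is never an operand
    tok = take(t)
    if tok.lower() in KEYWORDS: raise SyntaxError(f"operand expected, got {tok!r}")
    return tok
# Both grammars build one AST: ("select", table, cond), cond = ("=", a, b) | ("and"|"or", l, r).
def sql_grammar(t):
    take(t, "select"), take(t, "*"), take(t, "from")
    table, _ = operand(t), take(t, "where")
    cmp = lambda: ("=", operand(t), (take(t, "="), operand(t))[1])  # infix a = b
    node = cmp()
    while t and t[0].lower() in ("and", "or"):  # left-associative, no precedence (toy)
        node = (take(t).lower(), node, cmp())
    return ("select", table, node)
def lisp_grammar(t):
    head = (take(t, "("), take(t).lower())[1]
    if head == "select":
        node = ("select", (take(t, "*"), operand(t))[1], lisp_grammar(t))
    elif head == "=":
        node = ("=", operand(t), operand(t))
    elif head in ("and", "or"):
        node = (head, lisp_grammar(t), lisp_grammar(t))
    else:
        raise SyntaxError(f"unknown form {head!r}")
    take(t, ")")
    return node
def unparse(node, lisp):  # AST back to text, prefix (lisp) or infix (SQL)
    kind, a, b = node
    if kind == "select":
        body = unparse(b, lisp)
        return f"(select * {a} {body})" if lisp else f"select * from {a} where {body}"
    l, r = (a, b) if kind == "=" else (unparse(a, lisp), unparse(b, lisp))
    return f"({kind} {l} {r})" if lisp else f"{l} {kind} {r}"

# The category: objects are the two languages, morphisms are rewrite(src, dst, text).
LANGS = {"sql": (sql_grammar, False), "lisp_style_sql": (lisp_grammar, True)}
def parse(lang, text):
    junk = TOKEN.sub("", text).strip()  # whatever no token rule consumed
    if junk: raise SyntaxError(f"cannot tokenize {junk!r}")
    t = TOKEN.findall(text)
    node = LANGS[lang][0](t)
    if t: raise SyntaxError(f"trailing tokens {t}")
    return node
def rewrite(src, dst, text):
    return unparse(parse(src, text), LANGS[dst][1])
def isvalid(lang, text):
    try: return parse(lang, text) is not None
    except SyntaxError: return False
def expand(template, mapping):
    return re.sub(r"\{(\w+)\}", lambda m: mapping[m.group(1)], template)
def check_invariants(template, mapping, src="sql", dst="lisp_style_sql"):
    """[1] the rewritten template expands to a valid dst statement; [2] expanding in
    dst and rewriting back equals the direct expansion (both sides canonicalised)."""
    in_dst, direct = expand(rewrite(src, dst, template), mapping), expand(template, mapping)
    inv1 = isvalid(dst, in_dst)
    inv2 = inv1 and isvalid(src, direct) and rewrite(src, src, direct) == rewrite(dst, src, in_dst)
    return inv1, inv2
TEMPLATE = "select * from T where f1 = '{value1}' and f2 = {value2}"
HONEST = {"value1": "anything", "value2": "5"}  # constructed: plain literals
INJECTED = {"value1": "anything' or 1=1 or f1 = 'whatever", "value2": "5"}  # constructed
```

The instructive case is INJECTED: its expansion is still a statement the SQL grammar accepts, so isvalid(SQL, ...) alone sees nothing, yet invariant [1] fails because the injected infix tokens have no place inside the prefix form.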

The Achilles heel

Any programming language can be subdivided into semantic subsets of statements that are extensional. A simple example of such a subset:

select * from t where a=5
select * from t where a=5 and 1=1
select * from t where (a=5 and 1=1) or (2<>3)

It is generally impossible to construct a predicate function extensional():


that will return true if both statements are part of the same semantic subset and false if not. If it were possible to do that, it would solve the halting problem, which has been proven unsolvable.

It is not the languages themselves that are homeomorphic, but the sets of semantic subsets. This is probably the stumbling block that is holding back Univalent Foundations too. But then again, we may not really be obliged to implement the function extensional(). It may be enough to declare it, and if it does not show up in any final conclusions (to implement), it should be a non-issue.

However, it is clear that there will always be conclusions that mention this function and that can therefore not be implemented. It is not possible to see what the damage is without actually trying to reach such a conclusion. It certainly turns these things into a minefield.

The impossibility to implement the extensional() function does not affect at all our ability to implement solutions for the token injection problem. Fully automated solutions are still perfectly attainable. In this case, we are lucky to be entirely exempt from the burden to attempt to solve the unsolvable.

An orthogonal language cannot exist

Based on the halting problem again, it becomes clear that it is not possible to create a programming language in which there is exactly one way to say what you want to say. There will always be other expressions that say exactly the same as you have just said, but in a different way. Furthermore, it is generally not possible to know if that second expression is really exactly the same (“extensional”) as the first one.

There is also no way to define a canonical element that could represent an entire semantic subset. Solving this problem would also solve the impossible-to-solve halting problem.

“It looks different, but in reality it is the same” is a tricky form of ambiguity. It may lead you to the wrong conclusion that two things are different, while in reality they are not, while there is also no way for you to ascertain that they are truly the same. Since the mapping between a language and its conceptually orthogonal variant is surjective, this relationship is not a homeomorphism.

A surjection represents a strategic decision, because you cannot go back. Entering the surjection commits you to dropping the information that you would need to revoke your decision. Backtracking is not possible. The true nature of surjections is that they force you to make up your mind. That is actually a signal to drop the formalisms and start thinking intuitively. You see, it is a possibility that it may simply not be possible to solve the real problem in the Univalent Foundations.

The true nature of programming skills

A “pure” programming language

In a “pure” programming language, a program would just consist of three types of expressions:

The literal expression. For example:

  • 5
  • 7.25
  • “hello world”

The function application expression. For example:

  • a=f(x,y)
  • x=a+3 [*]

The function definition expression. For example:

  • a=function(x,y) { return x+y; }

[*] note that x=a+3 converted to Euler notation looks like =(“x”,+(a,3)) or like assign(“x”,sum(a,3)) if you prefer. By eliminating the infix notation, it becomes much clearer that we are sitting on two function applications, that is, of the functions “=” and “+”.

Other types of expressions are just idiosyncrasies in the language’s grammar. For example:

while(x<y) { x++, y-- };

is in fact pretty much a set of botched function application and function definition expressions. It could perfectly well be written like this:

while(x<y, function(){ x++, y-- });

There is no good reason whatsoever why the while() construct is not just a function.
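A tiny interpreter for the Euler notation described above, as an added example that is not part of the original post: every expression is a literal, a variable name or a function application written as a tuple, and assignment, a statement block and while() are all ordinary entries in one function table. The tuple encoding, the function names and the sample programs are this example's own choices; only numeric literals are supported.

```python
# Expressions: a number (literal), a str (variable reference) or a tuple
# (function_name, arg, ...) meaning function_name(arg, ...), i.e. Euler notation.
# Every function receives the environment plus its *unevaluated* arguments; the
# strict() wrapper evaluates them first, which is what an ordinary call does.
# "while" deliberately skips that wrapper: its arguments must be re-evaluated on
# every iteration, which is the job the post's function(){...} wrapper does.

def evaluate(expr, env):
    if isinstance(expr, tuple):               # function application: =("x", +(a, 3))
        name, *args = expr
        return FUNCTIONS[name](env, *args)
    if isinstance(expr, str):                 # variable reference
        if expr not in env:
            raise NameError(f"undefined variable {expr!r}")
        return env[expr]
    return expr                               # numeric literal

def strict(f):
    """Evaluate all arguments, then apply f: the normal function-call discipline."""
    return lambda env, *args: f(*(evaluate(a, env) for a in args))

def assign(env, name, value):                 # =("x", expr): the name is not evaluated
    env[name] = evaluate(value, env)
    return env[name]

def block(env, *statements):                  # { s1, s2, ... } as an n-argument function
    result = None
    for statement in statements:
        result = evaluate(statement, env)
    return result

def while_(env, condition, body):             # returns the number of iterations run
    iterations = 0
    while evaluate(condition, env):
        evaluate(body, env)
        iterations += 1
    return iterations

FUNCTIONS = {
    "+": strict(lambda a, b: a + b), "-": strict(lambda a, b: a - b),
    "<": strict(lambda a, b: a < b), "=": assign, "block": block, "while": while_,
}

def run(program, env=None):
    """Evaluate a list of expressions in order and return the final environment."""
    env = {} if env is None else dict(env)
    for expr in program:
        evaluate(expr, env)
    return env

# x = a + 3 written as =("x", +(a, 3))  (constructed sample program)
ASSIGNMENT = [("=", "a", 4), ("=", "x", ("+", "a", 3))]
# while(x<y) { x++, y-- } with while() as just another function  (constructed)
COUNTDOWN = [("while", ("<", "x", "y"),
              ("block", ("=", "x", ("+", "x", 1)), ("=", "y", ("-", "y", 1))))]

if __name__ == "__main__":
    print(run(ASSIGNMENT))                    # {'a': 4, 'x': 7}
    print(run(COUNTDOWN, {"x": 0, "y": 10}))  # {'x': 5, 'y': 5}
```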

Skills in a “pure” programming language

According to the definition of a “pure” programming language, in order to be a programmer, you need three skills:

  • You must know what functions to apply. Therefore, you need to be able to Google for that. This is the lookup skill.
  • You must be able to define functions in terms of a list of function applications. That is the composition skill.
  • You must be able to find the bugs in something you or someone else wrote (by disambiguating and enforcing consistency); that is the debugging skill.

Therefore, we end up with the following skills tuple: look up, compose, and debug.

Concerning the quagmire of corporate recruiting

It is trivial to demonstrate in terms of category theory, and using the fact that all Turing-complete languages must necessarily be homeomorphic with each other [**], which is one of the many surprising results of Voevodsky’s Univalent Foundations of Mathematics, that these skills must be exactly the same across all possible programming languages.

(Note: Yes, thanks, I know that it is only the orthogonal semantics that are.)

Therefore, there are no “javascript programmers”, “python programmers” or “php programmers”. There are no “front-end”, “back-end” or “full-stack” programmers. That terminology is invalid. In reality, those kinds of things simply do not exist. They only exist in the heads of corporate recruiters who do not understand what they are recruiting for.

Seriously, there is only one place where they invent that kind of nonsense, the corporate imbecilatron:




As usual, their way of thinking, in the context of anything that is non-trivial, is worthless. Where does their predilection for Soviet pseudoscience come from?

Since I am only ever available for main founder or co-founder rôles, similar to my current rôles, I am not speaking much from practical experience, but only from theoretical observations made from a distance about a particular type of indigenous fauna.

Seriously, I sometimes run into imbecilatii who reason in terms of that kind of irrelevant logic. My answer is always the same: Imbecilatius imbecilaturus est, meaning: With time, the idiot will only become more stupid.