Keep it Simple… and Safe

Ikken Hissatsu is a philosophy that is a part of Shotokan Karate and other martial arts.  It translates to something similar to “Kill with one strike”.  It is not a complicated idea.  Basically, it means execute every strike (or kick) with the intention of ending the fight.  In other words, don’t get fancy.  In software development, there is a similar saying…  Just do the simplest thing that can possibly work (if you’re not sure what to do yet).  The other day, I came across a coding problem called “looksay”.  Consider the following sequence.

1
1,1
2,1
1,2,1,1

The challenge is to come up with the next line in the sequence.  The pattern is derived based on “saying” what is on the previous line.  For instance, the second line is “1, 1”, or “one one” because there is one “1” on the previous line.  The third line is “2, 1” because there are two ones on the second line.  You can see my solution here:

https://looksay.herokuapp.com/

My solution is not the only way to way to solve this problem.  There is a way to solve this with a regex expression all in one line.  The problem with that solution is that most developers would have a heck of a time figuring out what the regex did.  One line of regex is an elegant solution…  but absolutely NOT the simplest thing that could possibly work.

Now, consider the opposite problem…  I was talking to a fellow developer just the other day about a job candidate he had just interviewed.  One of the questions my co-worker asked the candidate was “How do you avoid SQL injection in Java?”  The answer my co-worker was looking for was “with prepared statements.”  The candidate he was interviewing didn’t know the answer.  He also didn’t get the gig.

A little closer to home, I came across some code where I was seriously tempted to leave something too simple.  Consider the following method from the EKG Field Monitor project.  This is from a DAO that saves strips to the database:

public List<Strip> getStrips(UUID monitorId){
    jdbcTemplate = new JdbcTemplate(dataSource);
    String sql = "select * from strip where monitorid = ?";
    List<Strip> stripList = jdbcTemplate.query(
            sql, new Object[] { monitorId },
            new RowMapper<Strip>() {
                public Strip mapRow(ResultSet rs, int rownumber)
                        throws SQLException {
                    Strip s = new Strip();
                    s.setMonitorId(UUID.fromString(rs.getString("monitorId")));
                    s.setUploaded(rs.getDate("uploaded"));
                    s.setID(UUID.fromString(rs.getString("id")));
                    return s;
                }
            });
    return stripList;
}

This code uses a prepared statement to help prevent a SQL injection attack.

I could potentially have problems if the code looked like this:

 String sql = "select * from strip where monitorid = '" + monitorId + "'";

For more information about SQL Injection, check out this great resource:  https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

OWASP is a wonderful resource on security issues related to software development, and I.T.

So, back to the main point of this post.  I believe that we should always strive to keep our code as simple and readable as possible.  As developers, we need to balance that simplicity with safety.  Using prepared statements for SQL calls is not the absolute simplest thing that can work…  however it is the safest thing that can work.  Furthermore, it really isn’t all that complicated.  Using regex to solve complicated parsing problems can result in elegant solutions.  Unfortunately, it is often not the simplest thing that can work.  As my friend likes to say… “You solved it that way?  Great.  Now you have 2 problems.”

In software development, like Shotokan Karate, the prettiest solution may not be the right one.  A simple solution may not get the job done either.  Solving problems completely, and in an understandable way leaves you in a good spot…  just in case you (or the next person to come along) need a second or third attempt to end the battle.

Advertisements

Author: Miles Porter

Miles Porter is a senior consulting software engineer in the Minneapolis, MN. He is interested in pragmatic software development practices, embedded software, and cloud computing. In his free time he likes to travel with his family, play upright and electric basses and study Taekwondo.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s