Shortcomings of Flash to overcome (HTML comparison)

By , May 27, 2009

1. UI Navigation. This should have been Flash strength but somehow seems to be one of the common traps for new application developers.

Horrible UIs deserve a volume in my upcoming encyclopedia and modal dialogs will definitely be one of the first chapters. Coincidentally, this seems like one of the most abused UI concepts in Flash applications that I observed. Open up a detail page and do not let a user navigate away from it without pressing Cancel or Save… Why would anyone want to see two detail pages side by side? Work on few things at once? Why would anyone want to open tabs? Just because the dialog is semi-transparent it does not mean it ventured far from its green screen ancestor.

The special award goes to pop-under modal dialogs (AKA “click me if you can figure out that I am there”). Second place is taken by Windows 3.11 style cascading errors that seem to be popular with a bunch of sample Flex applications.

Simple browser option to right click and open new window or tab goes a long way in making applications easier to use.

2. Text search and selection. HTML and good browsers spoiled most users, people do not often even read the page – they just start typing the search word to jump directly to the sentence containing their search term. In addition, text on the screen is normally selectable and can be easily copied into other documents. This trivial common behavior is not so common in Flash – takes special effort to create UIs behaving in data-friendly ways.

To catch up to HTML a good UI framework needs to build good search capability that includes labels, text, form fields. Also have to provide a way to select just about any text in the application.

3. HTTP GET (and bookmarks). Sending, saving and posting links is one of the most common ways of sharing information on the web and the support for this in Flash per initial review is limited to very few 3rd party libraries that I do not see in action. That means that absolute majority of the applications out there offer no way to share anything except the main entry into the application. A good Flex UI framework should provide a way to export the current UI location as URL path.

The Ostrich Security Model by Adobe (being adopted by MS Silverlight too)

By , May 15, 2009

Adobe introduced crossdomain.xml file to control whether Flash application can read data from servers. In a nutshell, the crossdomain.xml file must be present on the website and explicitly grant access to clients originating from other domains for anyone to read data/make calls to this server. Excerpt from Adobe Flash player security white paper (

… if the site serves private documents or anything that requires some form of authentication (such as a password), or if the server is behind a firewall where only certain users can access it, it is risky to put a public policy file on that server. Doing so would enable Flash applications to download documents from the server whenever they run on the computers of users that the server trusts. These applications could potentially reveal private data from the server to people whom the user or website administrator does not trust.

This is just about as dumb as it gets with server security. It essentially shuts down your polite flash clients from accessing data but it won’t prevent anyone reading the same data via their own proxy server (trivial to write/configure), JavaScript, etc.

So we established that the servers are not protected by this. Would this limitation protect clients? Not likely – any “man in the middle” attacker would not be lazy to put crossdomain.xml file to fool clients into reading data. The only remaining questions is who can protect the society from the idiots who designed this “security” mechanism and made life more difficult for developers of internet mashups?

getSynergy(Oracle,Java) = ‘timestamps do not work’

By , May 14, 2009

The excitement about the news of Oracle acquiring Sun is prompting me to write an entry about their synergy.

Let’s take one of the developers’ favorite topics – working with dates in different time zones. Why would anyone ever do that to themselves?!?

Understandably, Oracle decided to not worry about making timezone calculations work properly in their .NET and Java drivers. Calls to function getTimestamp() backing TIMESTAMP WITH TIME ZONE columns return stored time with timezone thrown away for any timezone. For example, if one stored ‘May 13, 2009 15:05:25 -0700’ then resultSet.getTimestamp(colNo) returns ‘May 13, 2009 15:05:25’ ignoring the client timezone. I.e. it is right only in Pacific timezone. This is true for both Java and .NET functions – remarkable bug consistency!

The only seemingly sane way to read timezone info into java.sql.Timestamp is via retrieval of date column as a string that then has to be parsed. Of course, to make matters worse Oracle returns timestamps in the format that neither Java nor .NET can parse using any possible date parsing configuration (2009-5-13 -5:00″)

Below is a snippet of custom code for Java that performs this conversion.

I am not completely sure why Oracle cannot fix their driver. I suspect that they know that people have already built all sorts of hacks that will only work based on their original buggy behavior. I contacted Oracle about similar behavior for .NET – they call this a feature…

However, if it all possible – think through your time zone design first. The old and proven UTC times-only everywhere approach works…

 * Oracle TIMESTAMPTZ, when converted to string, contains six extra digits, all zeroes,
 * tacked on the seconds field.  This is unparseable by the formats used by the DateFormat
 * class.
 * The timezone offset consists of an optional + or - sign, the hours offset, a colon, and the
 * minutes offset, e.g., -5:00.  This is similarly unparseable (we need it to be of
 * the form "-0500").
 * This method massages the given timestamp string, removes and converts the problem data
 * described above, then parses it into a true Timestamp, taking the timezone into account.
public static java.sql.Timestamp convertOracleTimestampTzStrToTimestamp(String dateStr) {
// six trailing zeroes (seconds) followed by the timezone offset: an optional +/-
// sign, one or more digits (the hours), a colon, and one or more digits (the minutes).
  Pattern oracleDateStrPattern = Pattern.compile("(.[0-9]*) ([-\\+]?)(\\d+):(\\d+)$");
  Matcher m = oracleDateStrPattern.matcher(dateStr);
  if (!m.find()) {
    throw new RuntimeException("Invalid date format received: " + dateStr);
  String datePart = dateStr.substring(0, m.start(1));
  String msPart = dateStr.substring(m.start(1), m.start(2)-1);
  int ms = (int) (1000*Float.parseFloat("0" + msPart));
  String signStr = dateStr.substring(m.start(2), m.end(2));
  if ("".equals(signStr)) signStr = "+";
  String hoursStr = dateStr.substring(m.start(3), m.end(3));
  String minsStr = dateStr.substring(m.start(4), m.end(4));
  StringBuffer sb = new StringBuffer(50);
  String msStr = Integer.toString(ms);
  appendZeroPaddedString(sb, msStr, 3);
  sb.append(" ");
  appendZeroPaddedString(sb, hoursStr, 2);
  appendZeroPaddedString(sb, minsStr, 2);
  String javifiedTzStr = sb.toString();

  DateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd Z");
  java.util.Date d;
  try {
    d = dateFormatter.parse(javifiedTzStr);
  } catch (ParseException e) {
    throw new RuntimeException("Invalid date format received:" + dateStr);
  java.sql.Timestamp retval = new java.sql.Timestamp(d.getTime());
  return retval;

private static void appendZeroPaddedString(StringBuffer sb, String str, int desiredLength)
  int len = str.length();
  for (int padz = 0; padz < desiredLength - len; padz++ ) {


By , May 14, 2009

This is an inaugural post on this blog. I am writing an encyclopedia of brain damage in software development where I will share wonderful coding experiences from various areas. Stay tuned for marvels of Java, C#, PHP, JavaScript, Ruby, ActionScript, etc. Feel free to add your own experiences and comments.

Panorama Theme by Themocracy