Coding 101 13 (Transcript)
Shannon Morse: Today on Coding 101 your Python list example, we’re going to explain Heartbleed with jelly beans? And a while loop.
Father Robert Ballecer: Om nom nom nom nom.
Shannon: Om nom nom.
Netcasts you love. From people you trust. This is Twit.
Bandwidth for Coding 101 is provided by Cachefly. At C-A-C-H-E-F-L-Y dot com.
Shannon: This episode is brought to you by lynda.com, learn what you want when you want with access to over 2400 high quality online courses and training videos, all for one low monthly price. To try it free for seven days, visit lynda.com/c101. That’s L-Y-N-D-A dot com slash C one zero one.
Fr. Robert: Welcome to Coding 101 it’s the Twit show where we introduce you to the wonderful world of the programmer. I'm father Robert Ballecer.
Shannon: And I'm Shannon Morse and I am eating jelly beans. They're stuffed in my mouth right now and I can barely talk but we’re going to teach you all about coding for the next thirty minutes so that you can become a Python code warrior.
Fr. Robert: Now right now Shannon in the last couple of weeks there's been a big thing that’s erupted throughout the interwebs and that’s all about Heartbleed, right?
Shannon: Yeah, yeah they broke my heart.
Fr. Robert: They did, so later in the show we’re actually going to give you an in-English honest to goodness, easy to understand example of how the Heartbleed bug works. But before we get there, you know what we always start the show off with some examples, yeah.
Shannon: That’s right we do. So last week we covered lists and lists are surprisingly easy to write and kind of fun actually.
Fr. Robert: Yeah.
Shannon: So I had a lot of fun writing mine. I’ll go ahead and pull up my example so you can see how I wrote it and what it does. So if I click on it, double click and you’ll probably have to zoom into this because it’s a little small. And it basically says who doesn’t like Star Trek right? My Star Trek captains are, my favorites in order Picard, Janeway, Kirk, Sisko and Archer. And my favorite Star Trek series in order are The Next Generation of course, Voyager Deep Space 9 and Enterprise.
Fr. Robert: By the way, awesome code but totally inaccurate list.
Shannon: What? What, please.
Fr. Robert: Totally inaccurate list. Seriously, that you would put – you know what, no. We’re going to take those offline.
Shannon: First off, Picard, he’s number one.
Fr. Robert: Okay, I will give you Picard but Janeway? Janeway?
Shannon: Oh come on, she speaks to me, she speaks to me.
Fr. Robert: Um-hmm.
Shannon: She’s a woman in power and I like that.
Fr. Robert: Um-hmm.
Shannon: Kirk, not so much, he’s total man, he’s a womanizer.
Fr. Robert: He’s a womanizer, he really is.
Shannon: That’s exactly what it is. And then Sisko and Archer they were kind of, they're kind of equal to me.
Fr. Robert: Now last week, you flipped that. You had Archer ahead of Sisko and I was like “No, no, no, no, no, no Sisko can’t be at the bottom”.
Shannon: Well I like Deep Space nine more than Enterprise.
Fr. Robert: Right, right.
Shannon: So it made more sense.
Fr. Robert: I’ll give you props for that.
Shannon: Yeah so that was my example and for the code, this is how I wrote it. So I had print who doesn’t like Star Trek and that’s just a simple print screen. And then I made my first list—
Fr. Robert: There’s your list.
Shannon: …which is Star Trek, Picard, Kirk, Janeway, Sisko, Archer. Now you’ll notice that this list is a little bit different. This is in order from the original series all the way to the end. So when I printed that, I had to shift it around just a little bit to make it from my favorites to my least favorites. So I started with zero, which was Picard, number two which was Janeway and then once I scroll over, you’ll see one, three and two. One, three and four.
Fr. Robert: There we go and actually that’s a great example of one of the powers of list which is once you have your data in there, you don’t have to follow the stream of the original data.
Shannon: That’s true.
Fr. Robert: You just give it the index for what position you actually want to use.
Shannon: Exactly, I did pretty much the same thing with series so I named this list series equals and then I put The Original Series, Next Generation and so on and so forth. And then I printed my favorite Star Trek series in order are, starting with series number one, which was TNG, series zero the original series because it’s so awesome and so on and so forth. And then at the end since I am on a Microsoft computer, I put raw input press enter to exit.
Fr. Robert: And that’s just so it maintains the terminal window until you actually want to exit.
Fr. Robert: Now something else – I love this, I love that you did this, you used a descriptive name.
Shannon: I did.
Fr. Robert: And this is one of the things we really need to hammer in our audience, which is you can name your variable anything. You can name your lists anything so why not give it a meaningful name. In your case, you called series so people can say “Oh yeah the variable name, the index name, the list name actually makes sense”.
Shannon: Exactly, it made sense so that’s why I decided to name it that. Now we also got a really excellent example of a list from Darryl Medley. So this is called a shopping list, if I double click on it, it simply says “Enter the name of item one”, so this is going to be my shopping list. So I’ll say I need to buy milk, how many in quantity, just one because it’ll spoil because I’ll never go through it. Number two, of course I need cereal and I'm going to buy five boxes. I go through that like crazy. Number three I need some towels for my downstairs guest bathroom.
Fr. Robert: Always have a towel.
Shannon: So I press enter, press enter when finished. And it takes my list, it takes these things up here and outputs them to me so I have milk, quantity one, cereal five, towel quantity three, press enter to close.
Fr. Robert: Now this is pretty good but I’d say if it was going to be customized for you it would have to be a coupon list.
Shannon: It would have to be.
Fr. Robert: It really would have to be.
Shannon: It would have to have some math in there for me.
Fr. Robert: There we go.
Shannon: I should do that.
Fr. Robert: I like this one, this is great.
Shannon: So if we look at the example, I'm going to edit it with IDLE. Now I'm zoomed in to this because we had a little problem, I'm seeing all of it last week so if I scroll down you’ll see—
Fr. Robert: First of all, I love the comments, thank you for the comments. We love that.
Shannon: Yes, excellent comments, thank you so much Darryl. So once I scroll down you see shop list and then we have case list item count. So first it prints shopping list, prints the other information and then we do a loop. So this is pretty interesting, he added a loop in there.
Fr. Robert: Mmm, yay.
Shannon: How fun, now we’re going to get more into loops in just a few moments, I think so but—
Fr. Robert: Shhh, you're spoiling it.
Shannon: Oh I already told them in the code a little bit, gosh.
Fr. Robert: Calm down, okay fine.
Shannon: And then we have some if and whiles in here, some options. So a lot of this is looks a little bit confusing but it won’t soon.
Fr. Robert: Right.
Shannon: So we’ll explain all of this but this is an excellent example.
Fr. Robert: But obviously he knows beyond what we’ve shown on this show.
Fr. Robert: But none of this is really beyond anything we’ve given them.
Fr. Robert: There’s a little bit on the conditional modifiers here, the conditional operators but beyond that, this is just a print, this is just a loop, this is just a list.
Shannon: It’s so pretty.
Fr. Robert: It is pretty.
Shannon: It’s very easy to understand and we made lots of comments in here so I decided to show it.
Fr. Robert: Very well done, by who was this again?
Shannon: Darryl Medley.
Fr. Robert: Darryl give yourself a pat on the back, this is definitely the program of the week.
Shannon: Thank you Darryl.
Fr. Robert: Thank you Darryl.
Shannon: So that was my example of a list and Darryl’s example of his own list with loops, yay. Now I know that we have tons of explaining to do.
Fr. Robert: Yeah, we have to do some explaining. Okay, so we do want to go back into loops. Now I'm assuming that many of you watched our C# module and if you have, you know what a loop is. A loop is just a really simple way to repeat a section of code. Now the reason you want to repeat sections of code is, well if you're doing the same operation over and over and over again. Like for example, if you just wanted to print a series of numbers, you don’t want to have to do print variable one, print variable two, print variable three.
Shannon: Yeah it would take too long.
Fr. Robert: It would just take – and that’s just silly right, because it’s always the same line, the only thing that changes is the name of the variable. Well what a loop allows us to do is it allows us to minimize the amount of coding that we have to do by saying repeat this with this difference.
Shannon: Ah okay.
Fr. Robert: Right, so just keep doing the print but change the variable.
Shannon: Is sounds similar to the list but in this case you're changing the variables up at the top.
Fr. Robert: Right, right and it allows us to just keep doing the loop until we want to stop.
Shannon: That’s cool.
Fr. Robert: It’s a very good way to be efficient with your code and also it’s pretty much the only way to do a modern programming. If you don’t loops, you can’t write a modern piece of code because otherwise your code would be just pages and pages and pages long. And we don’t want that.
Shannon: With no comments.
Fr. Robert: With no comments. So that’s what loops do, now let’s take a look how loops actually work in Python. One of the things you have to remember is looped – while loops in Python actually aren’t all that much different from the while loops we did in C#.
Shannon: Ah okay.
Fr. Robert: Now they use some sort of counter because you need some way to determine whether or not the loop is going to continue to run right?
Fr. Robert: So you need a condition, you need something that says “When you check this, if this is true continue to run the loop. If it’s not true, break the loop”.
Shannon: Break the loops the loop yeah, cancel it.
Fr. Robert: Right, yeah and do you remember from C# what happens if you don’t have that in there.
Shannon: It just keeps going and going and going.
Fr. Robert: It just keeps going, right. Exactly, if there is no way to change that condition, that true or false condition then either the loop never runs or the loop runs forever.
Fr. Robert: So we have to have some sort of variable, some way, something that changes in the processing of the loop that allows us to change the condition of whether or not the loop can run. Does that make sense?
Shannon: That does make sense.
Fr. Robert: Okay, so let’s actually look at some code. Bryan if you go ahead and switch to my screen, I've got – this is probably the easiest—
Shannon: Oh that’s a simple one.
Fr. Robert: This is a super simple while loop, okay. So all I do is I have a counter, I have a variable, it’s set to zero.
Fr. Robert: So counter is equal to zero, that’s a number. Now the while loop itself is counter less than five. That’s my condition, that’s my relational condition.
Shannon: Ah, I see what you did there.
Fr. Robert: Yeah, exactly so counter is set to zero right?
Fr. Robert: So while zero is less than five, is that true?
Fr. Robert: Okay, exactly so it’s going to run.
Shannon: So it’ll run.
Fr. Robert: Um-hmm, and then the next line is counter equals counter plus one.
Shannon: And then it equals two.
Fr. Robert: Well first it equals one and then it equals two and then it equals three, right because it starts with zero right? So we’re starting at zero and yeah that’s just an increment. So all it does is it adds one of the counter every time it runs. And then that third line there is print, and all it does is it prints. Now let me show you really quickly there is an indentation. You see this right here, this is actually imported. This is not a throw away thing.
Shannon: Yes, I do see that.
Fr. Robert: This is how Python, if you remember from last week, this is how Python knows that this code, this counter equals counter plus one and print counter belongs to the while loop, it’s because I’ve indented it.
Shannon: So can I just hit tab whenever I'm—
Fr. Robert: Yes, yes.
Shannon: …a code.
Fr. Robert: Absolutely, you can tab it. Right, and this goes for every other – if you would’ve put a while loop within a while loop or an if L statement inside that loop you would also have to indent it.
Fr. Robert: So just remember it’s like old school math where you just go one column over every time you have one operation nested within another.
Shannon: Okay, that makes sense. It keeps it organized too.
Fr. Robert: Right, so let’s go ahead and run this and what we get is this. One, two, three, four, five.
Shannon: Cool, yeah that’s super simple and very easy.
Fr. Robert: Exactly, so it’s going to – it runs it until I get to the end. And at the end, it gets to five and it’s going to say if five less than five and the answer is no and it stops and that’s it.
Fr. Robert: Okay, so very, very simple program that’s how a while loop works, that’s what we’re going to be doing for the rest of our time today.
Shannon: Perfect, okay.
Fr. Robert: However, we gave you the while loop.
Fr. Robert: There’s a little something else we want to talk about.
Shannon: Yeah there is, it’s kind of going a little crazy on the Internet lately.
Fr. Robert: Yeah it’s going a little crazy on the internets. We got Heartbleed.
Fr. Robert: Yeah.
Shannon: I don’t have any Heartbleed.
Fr. Robert: No you don’t, you're good, you're good to go. But what we want to do is we want to talk about Heartbleed because it actually addresses something very, very basic in programming and something that’s very important. It’s all about sanitizing inputs. It’s about—
Shannon: Sanitizing your comments.
Fr. Robert: …your comments, sanitizing your code.
Shannon: Yes your code.
Fr. Robert: You have to make sure that the data you receive is what you expected.
Fr. Robert: But unfortunately the writer of the piece of code in open SSL that is responsible for the Heartbleed bug didn’t do that. Now Bryan, you actually have a link for the Guthub that has all the open SSL code. While you get that up, let me really briefly state what’s going on in the Heartbleed bug. So what we’re talking about is the Heartbleed beat, anytime I establish a secure connection, so Snubs let’s say that you're Facebook. Okay, you're the Facebook server, I'm talking to you, you know that little, you get that little padlock in the upper corner of you browser.
Fr. Robert: It tells you that you're secure right?
Shannon: Yeah, it tells me I'm using HTTPS.
Fr. Robert: Exactly, secure sockets layer or TLS, which give me and encrypted tunnel between the client and the server. You're the server I'm the client. Now that’s a good thing because without that anyone can just snoop in on our conversations and they could read everything that I'm sending and everything that you're sending back to me.
Shannon: Especially if they have a Wifi pineapple.
Fr. Robert: Brought to you by Hack five. No but see here’s the thing, I can’t just keep those open.
Fr. Robert: Right, once I've established one of those connections, I need a way to tell the server that even when I'm not using it, let’s say I'm reading something that’s on my page and I'm reading it for three minutes, my client, my computer’s still needs to be able to tell the server I'm still connected, I still need you don’t shut off the connection.
Shannon: So this is the Heartbeat that’s going between us.
Fr. Robert: This is the heartbeat, right. It’s just – it’s a nonsense piece of data, it’s a minimal data set. It’s a very small handshake, very small packet essentially saying keep me alive.
Fr. Robert: Keep me alive, keep me alive and it does that every once in a while.
Shannon: So why do we have these jellybeans up here?
Fr. Robert: Okay so this is your system memory, you're the server right?
Shannon: Oh yeah.
Fr. Robert: Don’t eat you memory.
Shannon: I won’t eat my memory.
Fr. Robert: Oh man I'm just going to eat all my memory. All right so you—
Shannon: My hard drive just failed.
Fr. Robert: Now this, this one jelly bean, this is my Heartbeat packet.
Fr. Robert: Okay, so what I have to do is I have to send you two things, I have to send you my payload and the payload is the jelly bean, right. But I also have to send you a description of how big this is.
Shannon: Ah, okay.
Fr. Robert: So in all non-open SSL implementations of all the SSL, of the secure sockets layer of the encryption, whenever I the client sends something to you the server you check what you received against what I told you I sent.
Shannon: Ah, okay.
Fr. Robert: So, let’s say I do this, I go ahead I say “I’m sending you one jelly bean”, I give it to you.
Shannon: I just received one jelly bean.
Fr. Robert: Right and that’s it and so you said that you told me that you sent me on jelly bean, I read that—
Shannon: It looks like a jelly bean.
Fr. Robert: It looks like a jelly bean and now you send back to me.
Shannon: I'm sending you one jelly bean.
Fr. Robert: And there we go, so now the connection stays alive. If I did this, I am sending you five jelly beans and I give that to you, what do you think you as a server do?
Shannon: I only have one jelly bean.
Fr. Robert: That’s it, right.
Shannon: This is odd.
Fr. Robert: This is odd, it’ll kill the connection right or it’ll ask for the heartbeat again.
Fr. Robert: That’s simple checking right? That’s sanitizing your inputs, that’s making sure that you’ve actually received what you expected to receive. That’s good coding.
Shannon: That makes sense.
Fr. Robert: That makes sense. There’s a bug in open SSL.
Fr. Robert: And Bryan if you go ahead and bring up that Github, it’ll actually show you the code that goes behind SSL. Now go ahead and forward, what line was that, we need you to go to line 3,972. There, right there. See where it says read type and payload type first. These next four lines of code, actually three lines after the comment are entirely responsible for the Heartbleed bug. Now let me explain, this looks kind of crazy but let me explain what’s here. HB type is just setting the type of data, okay so that’s like from C# that just says this is the kind of data that I'm going to be receiving.
Fr. Robert: P plus plus, we've seen that, it just incrementing the counter so it’s P plus one, right?
Shannon: Ah yes, plus one yeah.
Fr. Robert: Now here’s the big line, N S two which is calling a function because we know it’s in parenthesis right? So it’s calling a function and it’s passing it to parameters. P is the location, it’s called the pointer of the payload, the jelly bean. So it’s telling it where the jelly bean is located.
Fr. Robert: Right. Payload is the length. That’s me telling you I'm passing you one jelly bean.
Fr. Robert: Okay, now a good piece of code would’ve had an extra line here that says “Is P, the length of P equal to the length of payload”.
Fr. Robert: Right, so if I told you—
Shannon: You would be sanitizing their code.
Fr. Robert: It’s sanitizing the code, sanitizing the input. It’s saying “If I told you I'm giving you one jelly bean, what is P? How long is P? Is P actually one jelly bean? If it is, allow it. If it’s not then X, kill the connection”.
Shannon: And since they didn’t do that, there is no line that says “If it’s this long then it should equal P”.
Fr. Robert: Right.
Shannon: That pretty much means that the payload could be as long as they want.
Fr. Robert: Or short. So this is how it works, if you come back to me, now we’re talking about this jelly bean all right. So I'm still talking to you in the server and I'm passing you this one jelly bean and I'm saying I sent you 64,000 jelly beans.
Shannon: It looks like 64,000 jelly beans.
Fr. Robert: That’s how open SSL works because it doesn’t check, it’s just going to trust me. And unfortunately, that’s not good.
Shannon: That’s not good.
Fr. Robert: So what it’s going to do is it’s going to say “Well he must’ve sent me 64,000 jelly beans, so I'm going to send him back the one jelly bean plus 63,999 he shouldn’t have received”.
Shannon: That’s so bad.
Fr. Robert: Which means I take your system memory and it’s all for me.
Shannon: Hello hacks. Oh that’s bad.
Fr. Robert: Hello hacks, exactly. And see the problem with that is they can do it over and over and over and each time they’ll get a different set of the memory until they can put it all together and they can essentially have everything.
Shannon: And from the server end, everything looks cool so nobody ever checks for any difference
Fr. Robert: Right, to the server end, if you're using open SSL the unpatched version all it knows is that someone is sending a lot of Heartbeats, and that’s normal because that’s how we keep the connection open. It doesn’t realize that it’s giving away the keys to the kingdom every time it send you that 64k.
Fr. Robert: Precisely, exactly we got a computer fault.
Fr. Robert: So that’s how Heartbleed works and go back to that code Bryan. This is the crazy part, this is what we’re trying to drill into you people, when you’re writing your code, you got to make sure to check for things like that. This was an innocent mistake, this was, again we know that this was submitted something like, what was it, an hour or two before midnight two years ago. December 2011.
Fr. Robert: So it was probably some guy staying up late, writing some code. It looked right, it worked right, but he never actually made sure that he was receiving what he was supposed to receive.
Shannon: That’s true. Ah man, I feel bad for that guy.
Fr. Robert: Simple mistake, I feel bad for him but you know, simple mistake that anyone can make.
Shannon: Yeah, it’s true.
Fr. Robert: Yeah.
Shannon: That’s unfortunate, but it’s a good example of what can happen if you don’t sanitize.
Fr. Robert: Very good example, yeah. Which brings us to this part of the show, where we’re actually going to bring someone in who has experience with sanitizing right?
Shannon: But before we do that, I wanted to tell you guys about a website that I really, really enjoyed and I've been using for years. It’s called lynda.com and they're our sponsors for today. So if you haven’t checked lynda.com yet, it is a website where you can get everything that you ever want as far as thousands of online video courses in software, creative and business skills. So whether you want to learn Python code or you want to explore the foundations of programming, or improve you photography, everything like that. With a lynda.com subscription, members receive unlimited access to thousands of high quality and engaging video tutorials across a wide variety of subjects. Now here’s a cool one, do you ever want to build your own IOS app but you're not a programmer. Well lynda.com has a new course called programming for non-programmers IOS 7. This is so cool. It’ll allow you to build your first IOS app in a single afternoon. You’ll learn the most important concepts in IOS and the app development process. By the end of the course you’ll have a finished app, that’s awesome.
Fr. Robert: Yeah I like that.
Shannon: Basic understanding of X code, the toolset for developing IOS apps. You’ll know the building blocks like variables and functions and conditional statements and interface design. And you can find links to this course in many more at lynda.com/c101. So I use lynda.com for years. I used it for everything from learning how to use Adobe Photoshop.
Fr. Robert: Yeah.
Shannon: Hey, photography. And even Premiere from when I was you know, Paul over at hack5 learning how to edit back in the day. Long time ago but you know what, all of those little tidbits that I learned from lynda.com still work today.
Fr. Robert: You know what I like about this is we get a lot of people who are asking us “Well, when are we actually going to get to do some app development?”
Shannon: That’s true.
Fr. Robert: We don’t need to do that because what we’re doing is we’re teaching people how to code. We’re teaching them the fundamentals and then they can go to something like Lynda and then they can look at the IOS development lessons and say “Oh yeah, this makes sense. Now that I know how to break down problems into computer code I can just follow these steps and make myself and app”.
Shannon: And you know, maybe you don’t want to learn Adobe Photoshop but guess what, there's 2400 courses online and more are added every single week so you're going to find something that you like, trust me. Lynda.com courses are produced at the highest quality and they're not homemade videos on Youtube so you're going to get good audio, good viewing of the people who are doing the show. Everything that you need is right there. The instructors are accomplished professionals at the top of their fields and they're passionate about teaching. So you're not going to get somebody who’s boring, which happens a lot.
Fr. Robert: Which is sad.
Shannon: You're going to get somebody who is excited about what they're teaching and that’s what I love about doing videos on lynda.com. Courses are for all experiences, whether you're a beginner, intermediate or you're advanced, and you can watch on your computer, your tablet or you mobile device. So if you're on the go, like I do, I'm commuting often, I can watch them via my cellphone, it’s perfect. Now whether you have fifteen minutes of fifteen hours, each course is structured so you can learn from start to finish. You can even search the transcripts to find quick answers or you can read along with the video, which is super helpful to me if I'm not paying that much attention. Lynda.com offers certificates of completion when you finish a course so you can publish to your LinkedIn profile, which is great if you're a professional in a certain field. That’s really fun. Now it’s only $25 a month for access to the entire lynda.com course library. Or for 37.50 a month, you can subscribe to the premium plain which includes exercise files that will let you follow along with the instructor’s project using the exact same project assets that they do. And you can try lynda.com right now with a free seven day trial, visit lynda.com/c101 to access the entire library. That’s over 2400 courses for free, for seven days. Have at it, I mean do this – go at it when you're on your spring break.
Fr. Robert: Do it now, go.
Shannon: Watch all of them.
Fr. Robert: This is a perfect summer project. You know if you're coming home from high school, if you're coming home from college, why not use Lynda to brush up on some of the things that you really, really want to learn.
Shannon: Exactly, and again that was L-Y-N-D-A dot com slash c one zero one. And of course we thank lynda.com for your support. We love you guys, thank you.
Fr. Robert: Woot, lots of woot.
Shannon: I think it’s time for some code warrior.
Fr. Robert: I think so now it’d be great if we had someone we could bring in right now and maybe have him explain how while loops and code sanitization and input sanitization works in the real world.
Shannon: Who could that be?
Dale Chase: What’s up guys?
Fr. Robert: Oh it’s Dale Chase from Discovery Digital Networks.
Shannon: Oh my god, it’s you. What up?
Dale: How are you doing?
Shannon: Doing good, how are you doing?
Dale: Yeah so – yeah heartbleed huh.
Shannon: Oh yeah no kidding.
Dale: Well I've got something here that will at least show you how to - well I've got a couple of examples here. One sort of simple one that will let you sanitize positive integers that you were just looking for.
Shannon: Ooh, okay this looks kind of complicated.
Dale: Um not so much. Really, I mean it’s really just a while loop. So let’s go through it, so I start here by saying clean equals false. Clean is what I'm going to be using to set up my while loop.
Dale: And just check the state of that. So I'm starting it off as false.
Fr. Robert: And I like that because you're assuming that the input coming in is wrong.
Fr. Robert: And you want the code to say it’s wrong until it prove otherwise.
Dale: Right, yes. So I'm saying while clean is false with the double equal here. Phones equals, so here’s the first set input, how many phones have you broken?
Shannon: You jerk.
Fr. Robert: Now we know from the ivory tower that because those lines are indented they belong to the while loops. So the while loops will continue to repeat everything indented over up to that print statement.
Dale: That’s correct. Then we go to how many laptops have you dropped, with another raw input command. Being assigned to assigned to a variable called laptops and then if phones.isdigits is digit this is a function that will now—
Fr. Robert: There we go, okay.
Dale: …assess what is in phones and make sure that it is a positive integer as essentially.
Fr. Robert: Okay, so that’s a function. So phones.isdigit means that I'm taking the variable called phones and I'm running the function isdigit against it and I'm assuming that since the makers of Python used functions with understandable names, all it’s going to do is look at the variable called phones and say is this a positive integer.
Dale: That’s correct.
Fr. Robert: Okay.
Dale: I'm also doing that for my laptop’s variable as well in the same if statement and I'm making sure that condition happens together with this end. I think in C# that’s like an ampersand ampersand.
Fr. Robert: Ampersand ampersand. So it’s saying if this and that are true.
Shannon: That’s cool.
Dale: In Python you actually can use the real word and. And so then that is now part of – so if that print statement, if that is true, if both of these are positive integers, clean becomes true and the loop stops.
Fr. Robert: Right, now let’s point out something else here, we did this in previous episodes but if you look at the while loop and if you look at if statement, both of them have a colon at the end of the line. Now we told you that Python only cares about whitespace, it actually looks at formatting, however anytime I'm doing one of these statements, one of these functions that use multiple lines, I have to have a colon there to tell it “Hey, you're about to get multiple lines”. That’s all it means so—
Shannon: I see, okay.
Fr. Robert: …yeah that’s why you—
Shannon: You're not done yet, here's the rest of the code.
Fr. Robert: I'm not done yet, right. Which is why for while it says “Continue to do the rest of the code that you're going to see indented” and then the if statement it’s going to say “Continue to do the rest of the code that you're going to see indented”. That’s all it means, that all it means.
Shannon: Oh okay, cool.
Dale: So since everything that you input with raw input is actually taken as a string, I still have to tell it that phones and integer and laptops is an integer for me to actually do this math, here where I'm going to add both of these together and then print out the total.
Fr. Robert: Right.
Fr. Robert: What you're saying is remember, because Python as we talked about in the first episode, the variables are dynamically assigned right?
Fr. Robert: In C# we had to tell it, this is an int, this is a float, this is a character, this is a string.
Shannon: Python you don’t have to do that.
Fr. Robert: Python doesn’t do that, you don’t have to do that except when you start doing – if you go back to his code, when you get to that line where you actually want to use numbers, you need to make sure that Python has converted that into numbers otherwise it’s just defaulting for a string.
Shannon: Okay, got it.
Dale: What it’ll actually end up doing is just concatenating the two numbers together to make a long number that you didn’t ask for.
Shannon: Oh no.
Fr. Robert: Right, right.
Dale: So let’s run this I guess.
Shannon: Yeah let’s do it.
Dale: Let’s see, do I have it here.
Fr. Robert: It’s here somewhere.
Dale: It’s a sanitizing input.
Shannon: Whatever I named it.
Fr. Robert: There it is, there it is.
Dale: Okay, how many phones have you broken?
Fr. Robert: That’s later, that’s later.
Dale: How many laptops have you dropped? Two.
Shannon: Really, wow.
Fr. Robert: Really, just two. That’s pretty good.
Shannon: Way to go Dale.
Dale: And my total is 14.
Fr. Robert: Okay and that’s basic, that’s simple.
Shannon: It gets expensive real quick.
Fr. Robert: But let’s run it again because what we want to check is we want to see if the program actually knows whether or not it’s been given the right information.
Dale: That’s right. So here we go again, how many phones have I broken?
Shannon: Jelly Beans.
Fr. Robert: Go, jelly beans, absolutely.
Dale: Jelly beans.
Shannon: Just like that.
Dale: How many laptops have I actually dropped?
Fr. Robert: Let’s actually give it a number, let’s say how about just five. Let’s see what happens, so we’re mixing inputs.
Fr. Robert: Oh.
Dale: How many phones have you broken?
Shannon: Oh so it just asks you again, it’s like “Um—
Fr. Robert: So remember back to the code, actually go back to the code Bryan. Oh actually I'm sorry, Dale if you could go back to your code.
Dale: Yeah uh-huh.
Fr. Robert: So what’s happening is it’s stuck in that while loop because it never cleared it right? Because in the if statement it says both of these have to be true. In the example we gave it only one was true and so therefore it failed the and statement and so clean was never set to true.
Shannon: So I guess one thing that I could do is if wanted to, under if I could add and else statement that says something like “If this is not actually a integer digit then I could say that’s wrong put in another”
Fr. Robert: Very good. Hey what are you doing? Get that out of here. Exactly, yeah I mean this is a simple program so we didn’t do that but you're exactly right. Yeah you could have an if l statement.
Fr. Robert: And an if else statement all it says is “If this is true then do this. If anything else, if it’s not true then do that”.
Shannon: Ah cool, okay I get it, I get it.
Fr. Robert: There we go, very nice Snubs.
Shannon: I'm learning.
Dale: How about print.
Shannon: So else, hey. So you're going to just print out a statement that says something like “Uh that was wrong”. Oh, so you also had to add that slash so it knows that the—
Dale: That’s it, I'm escaping the apostrophe.
Shannon: Yeah the apostrophe there is actually—
Dale: I could get around that by actually using double quotes instead.
Fr. Robert: Right, right.
Shannon: Oh okay.
Fr. Robert: There we go.
Shannon: That’s not a number, whatcha doing?
Fr. Robert: Go ahead, yeah go ahead and run that. Run that bad boy.
Fr. Robert: And now if we put jelly beans in there.
Dale: All right, jelly beans and tacos. Oh wait what happened, it didn’t—
Fr. Robert: No the terminal window was still running, it never—
Dale: Oh no, no it was – I ran it again it should’ve taken.
Fr. Robert: The else statement.
Dale: Oh did I not save this – oh I didn’t save this in the right spot.
Fr. Robert: Dale.
Dale: Got some explaining to do.
Fr. Robert: Now this is basic sanitizing. Now of course what the guy who wrote open SSL, that module, what he had to do was far more complicated than this but the theory is the same thing. You always need to make sure anytime you're dealing with any sort of input, any sort of data that it’s acting the way you want it to behave.
Fr. Robert: If you don’t put a check you can get bad things.
Shannon: And that’s what we get.
Fr. Robert: And that’s what we get.
Shannon: Okay so now it says print hey that’s not a number and then it asks you again and then it redoes the loop.
Fr. Robert: It’s looping through, right.
Fr. Robert: Because remember we told the loop to run until it got two valid inputs.
Shannon: Right, that makes sense, that’s awesome.
Fr. Robert: Yeah, now Dale let’s go back to your code for a second if you could. The pieces that our audiences need to know, the pieced that they need to learn because they're new for this episode is they need to know the while loop, they need to know the function to actually check the data. So isdigit and the need to know if else, we’re actually go more in depth on that next week but it’s actually not that difficult to figure out. And the last part is they need to know the function for int which actually turns that variable into a number, right.
Shannon: Int phone plus int laptops.
Fr. Robert: Now notice he has the int function to turn those into numbers. He has that after it’s already checked the strings to make sure that they are actually numbers.
Fr. Robert: Because you can’t actually run that if someone gave you a string. You can’t say turn jelly beans into a number. They will freak out.
Shannon: Ah, okay.
Fr. Robert: Yeah.
Shannon: Now I also noticed with isdigits, that can only work for positive numbers—
Shannon: …so is there an option there if you wanted to put in a negative number or something else.
Dale: There is if you want to – you actually kind of have to get into a little bit of a try accept, which is sort of error handling.
Shannon: Oh, interesting.
Dale: Yeah, so in Python there is no real easy way to sanitize without doing that. But yeah, so let’s pop this up here.
Fr. Robert: Yeah it’s not built in but you can sort of code around it.
Shannon: That’s cool.
Dale: So let me pop this up here.
Fr. Robert: Yeah, yeah now Dale while you're working on this, one of the things we’d love to talk about is obviously you have to do this sort of data checks, these sort of variable checks when you're coding in the real world. Do you have a good example of a time when people didn’t properly sanitize their inputs and it lead to some bad, bad things?
Dale: Oh yeah, well – or a situation where you definitely want to have your inputs sanitized, where if you're accepting email address and they put a comma in front of the dot coms instead of dot in front of the com for the email address. And then they won’t get their email notification. So you want to make sure that when they enter the email address, they are actually putting in a valid email address that you can then communicate with them with.
Fr. Robert: All right.
Shannon: I guess it could also be said that if you have a text field like that on the internet anywhere where they say enter an email address, and it doesn’t check to make sure it’s an email address they could put another line of code in there.
Fr. Robert: Yeah.
Fr. Robert: And actually we just had an example of that, you may have read that the quote on quote ATT hacker was let out of prison right? They dismiss the case. Well he didn’t really do any hacking, all he did was he took advantage of some very sloppy programming that didn’t check the input. It didn’t make sure that it was receiving any input that it couldn’t properly process or would process in a way that they didn’t expect.
Fr. Robert: So, I mean we see, it’s sounds really simple and you know when we look at that that the code that created the heartbleed bug we say “Oh god, why wouldn’t you do that”. But it happens over and over again folks, so all we’re saying is please, please, please even in the starting days when even in the starting days when you're just starting to pick up the compiler, make sure that you get in the habit of checking your code. And you know what, we’re going to say this, in future episodes when we have your user programs, we will favor the ones that have some sort of sanitization.
Shannon: Oooh yes, definitely.
Fr. Robert: Does that make sense?
Shannon: I’ll have to start checking for those when I'm looking over the code on the Google Plus community. Now, before we finish up Dale, I did want to check out that code that you just put in.
Dale: Yeah, yeah let’s take a look at it. So here, you know it’s pretty much the same up until we get to now where the, what was that. So now instead of isdigit, instead of an if statement asking if it’s a digit, we get a try, which is try to convert this string into an integer.
Fr. Robert: Right, right.
Dale: If it fails, it will throw and exception and the type of exception it will throw is a value error. So if that happens then we’ll print “Hey you didn’t give me a number”.
Fr. Robert: Right, so essentially, instead of running it through a function beforehand to make sure that it’s an integer that it can use, you just ran it through the integer conversion and if it gave you an error then you know that it wasn’t an integer.
Dale: Exactly, exactly.
Fr. Robert: Got it.
Dale: And I could’ve saved a step later in the print statement and just used phones if I had just decided to actually assign these integers to phone assign if decided to just say phones equals and phones.
Shannon: Ah okay.
Dale: I could’ve done that and saved having to do it down here. But I didn’t.
Shannon: But either way works the same.
Dale: So and if they do pass that test we go to else and clean becomes true and the loop stops.
Fr. Robert: Fantastic.
Shannon: That’s awesome.
Fr. Robert: Dale, thank you so very, very much. It’s always great to have you as our code warrior. Now Bryan our TD, can you give us a little bit of a groove so we could play Dale out.
Fr. Robert: Because Dale, we want to give you your time here. I mean you’ve yourself selflessly.
Fr. Robert: Fantastic, I can’t talk today. To our audience and where can they find you? Where can they find your art because you're not just a programmer, right?
Dale: I'm a musician too.
Dale: And yeah I've got a song with Shannon that you might know called SSH to your heart. Right now you guys have a coder girl remix which you can find at dchase.bandcamp.com among all my other stuff. What you got there is Love++ which is my most recent EP, which I released on Valentine’s Day.
Shannon: And you actually did several songs that one of the lovely ladies that works at Hack5.
Dale: Yes, yes Sarah she’s awesome
Fr. Robert: Who might that be.
Shannon: Yes it’s Sarah.
Dale: Yeah so Love++ is like a companion piece to my most recent full length Typedef which I released around this time last year actually. So yeah check me out on Bandcamp at dchase.bandcamp.com.
Fr. Robert: Yay, that’s right folks, he is a programmer, he’s a geek, he’s a musician, he is a renaissance man. Dale Chase, Discovery Digital networks, we’ll see you next week.
Dale: Thank you guys, I’ll catch you later.
Shannon: Thank you Dale.
Fr. Robert: Now Shannon, that was a lot right. I mean we—
Shannon: That was a lot. That was a lot of information but it was really good information to get out there, especially about sanitizing.
Fr. Robert: Yeah and you know it’s one of these thing that people always say “Oh I'm not going to get caught” but everyone gets caught by it.
Shannon: Right, exactly.
Fr. Robert: Everyone, I’ll say it right now, if you are not actively searching for values you did not expect you will be caught by this bug at some point in the near future.
Shannon: There’s somebody out there who’s fishing through all the websites looking for people who didn’t sanitize their code.
Fr. Robert: And they probably have a pineapple on their shirt.
Shannon: They probably do.
Fr. Robert: They probably do. Now we don’t want to just leave the folks thinking “Oh gosh, this firehose stuff is coming into my head”
Fr. Robert: We have show notes right?
Shannon: We do, they're over at twit.tv/code c-o-d-e, that’s where you can find the show notes for every single episode that we do, Even our old ones from C plus as well. And you can you can also find our Github link on there.
Fr. Robert: Which by the way I understand we are having an issue right now, I'm not sure exactly what’s going on but the revisions I'm making are not making it into the Github. I may have to recreate it so if you could, if you’ve bookmarked that Github, please go back into the show notes and get the new link to make sure you're getting the one that’s being updated.
Fr. Robert: Also, don’t forget that we’re on iTunes. Go ahead and jump into iTunes if you're an iCoder and help us spread the word about Coding 101. Believe it or not, we’re still one of the most downloaded, subscribed to podcast. We want to keep that going. We want people to understand the world around them and that means they're going to have to learn how to code. So go tell people.
Shannon: No wait, people are watching the show?
Fr. Robert: I know, weird right?
Shannon: That’s crazy. People are out there?
Fr. Robert: I know I've got a camera.
Shannon: That’s so weird. Well if you are out there, hi. We’re also on Youtube. You can find us over at youtube.com/twitcoding101 and that’s where you can find all sorts of information about us and all of our Youtube episodes.
Fr. Robert: That’s right and also, we’ve got a G Plus community and it’s vibrant. I am absolutely convinced we’re going to—
Shannon: I love the code that we’re getting on our show.
Fr. Robert: Yeah, that what where we pull this stuff so if you want your code featured, you got to go to out G Plus page. I know we’re going to break a thousand subscribers before we hit the end of this module.
Shannon: Where are we?
Fr. Robert: You could find us at gplus.to/coding101.
Shannon: Oh my gosh, we are at currently, where’s our numbers?
Fr. Robert: Boom, 815.
Shannon: 815, that’s awesome.
Fr. Robert: And you know what, if you are the thousandth code monkey, code warrior, code person that join our community, I will send you an autographed Python compiler.
Fr. Robert: It’s free so.
Shannon: We could send an autographed picture.
Fr. Robert: We could, we don’t have any.
Shannon: They printed pictures for us.
Fr. Robert: Wait, they did?
Shannon: Well I got some. I could send you an autograph.
Fr. Robert: I’ll sign one of Snubs’.
Shannon: You could sign one of me.
Fr. Robert: Also, if you're not into the G Plus group, you could find us on Twitter. We’re both on Twitter, we’re both pretty active and you can ask us questions there or you could ask us about guests that you might want on our wildcard episodes between modules. You can find me at twitter.com/padresj, that’s @padresj
Shannon: And I'm @Snubs.
Fr. Robert: Yeah and don’t forget you can watch us each week at Thursdays at 1:30 pm pacific time. If you come to live.twit.tv, you'll see the pre-show, you'll see the post-show, you’ll see all the foibles. It’s actually a lot of fun right?
Shannon: It is super fun and we also listen to you guys in the chat room. Hi everybody.
Fr. Robert: All the time.
Shannon: At irc.twit.tv so you can chat with us during the show if you have questions.
Fr. Robert: Until next time, I'm father Robert Ballecer.
Shannon: I'm Snubs.
Fr. Robert: End of line.