2020 – My Year in Books 📚

I don’t think there has been a better year than 2020 to read. With most of us confined to our homes at some point during the year due to the pandemic, books (and Netflix!) have become more popular than ever.

In this post, I’m reviewing all the books I have read in the year. Hopefully you’ll enjoy these quick reviews, plus I’ve also added a favorite quote from each.

In no particular order, let’s go!

Atomic Habits

Atomic Habits is by far the best book I’ve read this year (hardcover). The author, James Clear, argues that it is systems, not goals, that we should focus on. Here’s his explanation: “In professional sport both winning and losing teams usually share the same goal (to win!); however, it is mostly the system (routine) that each team follows that makes the difference between winning and losing.” Here are my key takeaways:

  • The concept of improving by 1% every day
  • Four laws of behavior change – make it obvious, make it attractive, make it easy, and make it satisfying
  • There are 3 layers of changing habits – changing outcomes, changing process, changing identity

As for me, I’m a huge believer in the philosophy of “making tiny changes, for big results”, and James Clear’s ideas made a lot of sense to me. I would 100% recommend this book to almost anyone who wants to change their life without feeling overwhelmed.

“If you can get 1% better each day for one year, you’ll end up 37 times better by the time you’re done.”

Make Your Bed

Make Your Bed is a book based on Admiral McRaven’s 2014 commencement speech at the University of Texas. While the rules shared in the book are simple, short, clear, and straightforward, what’s captivating are the stories the Admiral shares, including the anecdotes from his Navy SEAL training that left me in awe. He narrates some key lessons from his life, learned the “hard way” during SEAL training, that almost anyone can apply to face challenges in their life. Also, if you haven’t seen the YouTube video of the speech, you can watch it here. Overall, great stories on military training, coupled with excellent life lessons.

“Start each day with a task completed. Make your bed.”

Tribal Leadership

Tribal Leadership explains the various ways people function within an organization and teaches you how to lead change and improve your company’s culture. This book has an interesting take on social interactions and relationships. The premise is simple: there are 5 stages in which people exist, as follows:

1. Life sucks
2. My life sucks
3. I’m great
4. We’re great
5. Life is great

Overall, it’s a great read on leadership. It’s crazy how accurately the 5 stages given in the book reflect the companies I have worked at. The author also shares practical tips that one can use to create successful teams, and when the time comes you’ll know exactly how to motivate them. A must read.

“You don’t have to be in charge or powerful or pretty or most-connected to be a leader. All you need is to be COMMITTED.”

The Phoenix Project

Some people are lucky to find books that change their life. While I’m yet to find my life-changing novel, I do come across books that make me think, question my beliefs and push me to learn. The Phoenix Project is one such book for me.

Written by Gene Kim, George Spafford, and Kevin Behr, the book is about a large company’s transformation into a DevOps culture, a transformation driven not by a wish to look cool but by the company’s need to survive. The Phoenix Project is a gripping read that brilliantly captures the dilemmas faced by organizations that depend on IT, and offers real-world solutions. The authors remind us, ‘It is necessary to change for survival.’

“Improving daily work is even more important than doing daily work.”  

The Unicorn Project

The Unicorn Project is a sequel to The Phoenix Project (actually it’s not). Although the two books fit together on the premise of digital transformation, they don’t have to be read together. The story this time dives deep into the developer’s world: Maxine, a talented lead developer and architect, is blamed for an outage and exiled to the Phoenix project. Throughout her journey, she partners with a team of corporate rebels, and together they confront their legacy, change-averse processes and apply the five ideals to lead a positive and lasting business, technology and cultural transformation. The book isn’t only about developers, debugging, continuous integration or unit tests, but they are very much the focus, at least for the first half. In the DevOps age, core development topics that were earlier left to developers are now at the center of discussion, right up to CIOs and sometimes CEOs. Gene Kim’s relatable writing style keeps the pages turning quite easily.

“Like all engineers, she secretly loves hearing disaster stories … as long as she doesn’t have the starring role.”

I must admit, these two books, “The Phoenix Project” and “The Unicorn Project”, had a profound impact on me this year. I picked them up while stuck in an abrupt travel ban (clearly the lowest point of the year for me). I read over 1000 pages in a week, averaging about 150 pages per day, way above my usual reading rate. These aren’t typical motivational books either, but for some reason they helped me stay focused on my work and reminded me, ‘This too shall pass’.

Software Developer Life

Software Developer Life is a refreshingly honest and personal book, pretty simple and to the point. It offers good advice on how to be a good engineer in the real world. The author, David, shares technical and non-technical stories that he and his friends encountered in the past, and through these stories he shows that acquiring technical skill alone is not enough. One also needs to work on non-technical skills such as collaboration, communication and empathy. He also shares real-world tips on learning fundamentals, avoiding arrogance, choosing your workplace, handling a mid-career crisis and managing your boss. Overall, a fun, easy read and worth it if you’re considering a career as a software engineer.

“For any field, the people at the highest level are the ones who deeply understand FOUNDATION; that’s why they can break it sometimes.”

The Self-Taught Programmer

The Self-Taught Programmer is the ideal book for anyone new to programming. I’ve read a few books on self-taught programming, including ones on Java and Python, and even with a decade of experience in technology I would sometimes struggle to wrap my head around the code samples and exercises. Cory (the author) went above and beyond in providing examples throughout all the lessons, and their real-world application, to complement the reading. His technique of breaking down complex technical topics into simple terms that anyone can understand is what really makes this book shine. I highly recommend this book to anyone wanting to learn to code or looking for a great starter on Python.

“Life is too short to have insecurities about where we got our education. Your passion, curiosity and hard-work is all you need to be successful.”

If you made it this far, bravo! Thanks for reading through my reviews, and I can’t wait to see what you’ve read. Leave a comment with your favorite books, podcasts, and reading goals for 2021.

So long 2020 😷

SQL Injection and Preventing them in your Golang app

SQL injection!… Is it really a thing?

SQL injection is a code injection technique used to attack data-driven applications: malicious SQL is inserted into an input field so that the database executes it, for example to dump the database contents to the attacker or to destroy the database outright.

How does SQL injection work?

SQL injection is an attack technique that has been around since at least 1998. It relies on two things: first, web applications ask users for data; second, those applications tend to pass the user-supplied data to the database as part of an instruction. Put the two together with no guardrails in the code, and an attacker can run the application far off into the weeds.

(Image from xkcd.com, used under its “copy and share” license.)

As in the comic above, Bobby’s school lost all of its student records because Bobby’s mother named her son “Robert'); DROP TABLE Students;--” and the school’s online registration form pasted that name straight into an INSERT statement: the quote and parenthesis close the VALUES list, the ; ends the INSERT, DROP TABLE Students runs, and the -- comments out whatever SQL followed.

How can we avoid it in Golang?

In this post, we’ll learn how to avoid SQL injection in our Golang code by passing user input to the database as query parameters instead of pasting it into the SQL text.

To be able to achieve our objective, i.e. avoiding SQL injection in a Golang application, there are some prerequisites. Sticking to the core subject of this post, I won’t cover them here; instead, here are some references:

Install PostgreSQL, setup an instance and create a test database – https://www.postgresqltutorial.com/install-postgresql/

Install Go and configure workspace – https://www.callicoder.com/golang-installation-setup-gopath-workspace/

For this tutorial, I’m using Postgres 12 and Go 1.13.xx

Step 1. SQL Table definition

We’ll use a test table EMP with some test data:

-- create a sample table EMP
CREATE TABLE emp (  
  empno SERIAL PRIMARY KEY,  
  ename TEXT,
  sal INT CHECK (sal>0),
  email TEXT UNIQUE NOT NULL 
);

-- insert test data
INSERT INTO public.emp (ename, sal, email)
values
('Smith', 1400, 'smith@acme.com'),
('Allen', 2000, 'allen@acme.com'),
('Jones', 3000, 'jones@acme.com'),
('Blake', 4000, 'blake@acme.com');

Step 2. Basic select statement

Let’s assume that we want to SELECT an employee record from table EMP by filtering on the EMPNO column in the WHERE clause.

q := fmt.Sprintf("SELECT ename FROM emp where empno=%s;", "7")
row := db.QueryRow(q)

The value 7 is substituted into the WHERE clause and the row for that employee number is returned. No big deal. But what happens if a user, in the spirit of the comic above, supplies 7; TRUNCATE TABLE emp;--sql_injection as the input value?

q := fmt.Sprintf("SELECT ename FROM emp where empno=%s;", "7; TRUNCATE TABLE emp;--sql_injection")
row := db.QueryRow(q)

Here:

  • The ; after 7 terminates the SELECT statement, so the string now holds two statements instead of one.
  • PostgreSQL goes on to execute the next statement, TRUNCATE TABLE emp, which empties the whole table.
  • The -- at the end comments out the rest of the line, including the original closing ;, so no syntax error is raised and nothing looks wrong.

Whether the second statement actually runs depends on the driver: lib/pq sends a query that carries no parameters over PostgreSQL’s simple query protocol, which accepts several statements in one string. Stacked statements are not the only danger, though. An input of 7 OR 1=1 is still a single statement and makes the query match every employee, so a driver that rejects multiple statements is no substitute for keeping user input out of the SQL text altogether.

Step 3. How to deal with this in Golang

The database/sql package from the standard library provides methods for executing parameterized queries either as prepared statements or as one-off queries. For example, you might want to have code that looks roughly like this:

// this is for Postgres driver
// querying for a single record using Go's database/sql package
sqlStatement := `SELECT ename FROM emp WHERE empno=$1;`
row := db.QueryRow(sqlStatement, 7)

The key distinction here is that we are not building the SQL statement ourselves. The query text stays constant and the values are handed to the driver separately, as parameters. With lib/pq a parameterized query goes over PostgreSQL’s extended query protocol: the server parses the statement first and receives the parameter values afterwards, as plain data that is never interpreted as SQL. Nothing is escaped, because nothing needs to be. A value such as 7; TRUNCATE TABLE emp;-- is simply rejected by the server as not being an integer for the empno column, and a string containing quotes or semicolons is compared or stored verbatim.

Step 4. Putting this all together

package main

// querying for a single record using Go's database/sql package with a
// parameterized statement
import (
	"database/sql"
	"fmt"

	_ "github.com/lib/pq" // registers the "postgres" driver
)

const (
	host     = "localhost"
	port     = 5432
	user     = "postgres"
	password = "****"
	dbname   = "connect"
)

func main() {
	// sslmode=disable is acceptable for a local test instance only; use
	// verify-full (with a CA certificate) for anything that leaves the machine
	psqlInfo := fmt.Sprintf("host=%s port=%d user=%s "+
		"password=%s dbname=%s sslmode=disable",
		host, port, user, password, dbname)

	// sql.Open only validates its arguments; Ping forces a real connection
	db, err := sql.Open("postgres", psqlInfo)
	if err != nil {
		panic(err)
	}
	defer db.Close()
	if err := db.Ping(); err != nil {
		panic(err)
	}

	// $1 is bound to 46 by the driver; the query text itself never changes
	var ename string
	sqlStatement := `SELECT ename FROM emp WHERE empno=$1;`
	row := db.QueryRow(sqlStatement, 46)
	switch err := row.Scan(&ename); err {
	case sql.ErrNoRows:
		fmt.Println("No rows were returned!")
	case nil:
		fmt.Println(ename)
	default:
		panic(err)
	}
}
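To see what actually reaches the driver in Steps 2 and 3, here is an added example (not code from the original post) that plugs a small recording stub driver into database/sql, so it runs offline without PostgreSQL; the stub, the function names and the attacker inputs are assumptions of this example. It contrasts the string-built query with the $1 version, adds the integer check for empno and a string lookup on email, and covers the one case placeholders cannot handle, an ORDER BY column, with an allowlist.

```go
package main

import (
	"context"
	"database/sql"
	"database/sql/driver"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// recorder is a stub database/sql driver written for this example (an assumption, not a real
// database). It runs nothing; it records the SQL text and bound parameters that database/sql
// hands to the driver, which is what lib/pq would forward to PostgreSQL.
type recorder struct {
	LastQuery string
	LastArgs  []driver.Value
}

func (r *recorder) Open(string) (driver.Conn, error)             { return &conn{r: r}, nil }
func (r *recorder) Connect(context.Context) (driver.Conn, error) { return &conn{r: r}, nil }
func (r *recorder) Driver() driver.Driver                        { return r }

type conn struct{ r *recorder }

func (c *conn) Prepare(q string) (driver.Stmt, error) { return &stmt{r: c.r, q: q}, nil }
func (c *conn) Close() error                          { return nil }
func (c *conn) Begin() (driver.Tx, error)             { return nil, errors.New("stub: no transactions") }

type stmt struct{ r *recorder; q string }

func (s *stmt) Close() error                                 { return nil }
func (s *stmt) NumInput() int                                { return -1 } // -1: skip argument counting
func (s *stmt) Exec(a []driver.Value) (driver.Result, error) { return driver.RowsAffected(0), s.record(a) }
func (s *stmt) Query(a []driver.Value) (driver.Rows, error)  { return &rows{}, s.record(a) }
func (s *stmt) record(a []driver.Value) error                { s.r.LastQuery, s.r.LastArgs = s.q, a; return nil }

// rows yields one constructed row ("Smith") and then EOF, so that Scan succeeds.
type rows struct{ done bool }

func (r *rows) Columns() []string { return []string{"ename"} }
func (r *rows) Close() error      { return nil }
func (r *rows) Next(dest []driver.Value) error {
	if r.done {
		return io.EOF
	}
	r.done, dest[0] = true, "Smith"
	return nil
}

// lookupUnsafe is the vulnerable pattern from Step 2: the input is pasted into the
// SQL text, so whatever the user typed reaches the database as SQL.
func lookupUnsafe(db *sql.DB, empno string) (string, error) {
	var ename string
	err := db.QueryRow(fmt.Sprintf("SELECT ename FROM emp WHERE empno=%s;", empno)).Scan(&ename)
	return ename, err
}

// lookupByEmpno validates the input in Go (empno is an INT column) and binds it through
// $1 as in Step 3: the SQL text is a constant the user cannot alter.
func lookupByEmpno(db *sql.DB, input string) (string, error) {
	n, err := strconv.Atoi(input)
	if err != nil {
		return "", fmt.Errorf("empno must be an integer, got %q", input)
	}
	var ename string
	err = db.QueryRow(`SELECT ename FROM emp WHERE empno=$1;`, n).Scan(&ename)
	return ename, err
}

// lookupByEmail binds a free-form string: quotes and semicolons travel to the server
// as data, never as SQL, so nothing is (or needs to be) escaped.
func lookupByEmail(db *sql.DB, email string) (string, error) {
	var ename string
	err := db.QueryRow(`SELECT ename FROM emp WHERE email=$1;`, email).Scan(&ename)
	return ename, err
}

// sortColumns is an allowlist for the one thing a placeholder cannot bind: an
// identifier such as the ORDER BY column has to come from a fixed set.
var sortColumns = map[string]bool{"ename": true, "sal": true, "email": true}

func listSorted(db *sql.DB, column string) (*sql.Rows, error) {
	if !sortColumns[column] {
		return nil, fmt.Errorf("unsupported sort column %q", column)
	}
	return db.Query(fmt.Sprintf("SELECT ename FROM emp ORDER BY %s;", column))
}

func main() {
	rec := &recorder{}
	db := sql.OpenDB(rec)
	defer db.Close()
	lookupUnsafe(db, "7; TRUNCATE TABLE emp;--") // constructed attacker input
	fmt.Printf("unsafe: driver received %q\n", rec.LastQuery)
	lookupByEmail(db, "x@acme.com' OR '1'='1") // constructed attacker input
	fmt.Printf("safe:   driver received %q with args %v\n", rec.LastQuery, rec.LastArgs)
}
```

Run it and the first line shows the driver handed the full payload as SQL text, while the parameterized call shows an unchanged query string with the input carried in the argument list. Against real PostgreSQL the stub is replaced by lib/pq and the picture is the same, except that the server itself would reject 7; TRUNCATE TABLE emp;-- as an invalid integer for empno, which is why lookupByEmpno validates in Go and never builds a query for it.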

Conclusion

Always use database/sql placeholders, whether through db.Prepare or, as above, by passing the arguments directly to Query, QueryRow or Exec, and supply the values as arguments when the statement runs. This is far safer than concatenating strings and is the standard defense against SQL injection. In PostgreSQL the parameter placeholder is $N, where N is a number; in MySQL it is ?; SQLite accepts either. Placeholders only work for values, though: a table name, a column name or an ORDER BY direction cannot be bound, so those must be chosen from an allowlist in your code rather than taken from the user. For more best practices on preventing SQL injection, please refer to https://bobby-tables.com/go

If you find this post helpful, I’d be very grateful if you’d help it spread by emailing it to a friend, or sharing it on Twitter or Facebook. Thank you