
Order your checks

This post was imported from my old WordPress installation. If there are rendering problems, broken links or missing images, please just leave a comment here. Thanks.


Doing many checks can slow a program down, but ordering those checks sensibly can speed it up considerably at almost no cost.

Let's look at a change-my-password function that uses a table of bad passwords in your SQL server. How do you check whether a new password entered by the user satisfies your rules?

    sub check_new_password {
        my ($dbh, $new_password, $type_again) = @_;

        # Expensive database query first, cheap checks afterwards. The
        # password is interpolated straight into the SQL, so this is injectable.
        return 0
            if $dbh->selectrow_array("SELECT 1 FROM bad_passwords WHERE word='$new_password'")
            or $new_password =~ /[^\w\.\-\:\;\!\$\%\(\)\/]/   # contains a disallowed character
            or $new_password ne $type_again
            or length($new_password) < 6;

        return 1;
    }

This function checks the password against the list of known weak passwords (123456, for example), checks for invalid characters, checks that the repeated password matches the first one and enforces a minimum length of 6 characters for the new password. But it is slow.

There is a secret that developers have kept for centuries, and I'm going to share it with you; if this is my last blog post, the other developers didn't like that I did. :-)

A database query is expensive!

I've seen many people use a database as if it were a scalar or a hash, but a single SQL query costs at least a thousand times more than accessing one or two variables: it means a round trip to the server plus parsing, planning and executing the statement.

The return statement above asks the database to look for a bad word first (and hands you a SQL injection for free, because the password is interpolated into the query). Only once the database has confirmed the new password are the simple checks for characters and length done. Reordering the conditions speeds the check up a lot:

    sub check_new_password {
        my ($dbh, $new_password, $type_again) = @_;

        # Cheapest checks first; the database is only asked once everything
        # else has passed. The password is passed as a bind value, not interpolated.
        return 0
            if !defined $new_password
            or !defined $type_again
            or $new_password ne $type_again
            or $new_password !~ /^[\w\.\-\:\;\!\$\%\(\)\/]{6,}$/
            or $dbh->selectrow_array("SELECT 1 FROM bad_passwords WHERE word=?", undef, $new_password);

        return 1;
    }

The checks are ordered roughly by processing cost:
  1. Did the user enter a new password at all? A simple defined check.
  2. Did the user enter the password a second time for verification? A simple defined check.
  3. Are both passwords equal? A simple string comparison.
  4. Does the password contain only allowed characters and does it meet the minimum length? A fast Perl regular expression.
  5. Is the password on the bad-words list? An expensive SQL query.
The simplest checks are done first. No undefined value reaches the later checks that further qualify the values. No invalid characters (the kind used for SQL injection) reach the SQL query, and the database server saves a lot of resources by not searching for password values that would fail the other checks anyway. The character class is a useful filter, but don't rely on it alone to keep the query safe: bind the password as a placeholder value (as above) so the query stays safe even if the allowed characters are relaxed later.
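The same ordering, as an added example in Python rather than the post's own Perl. This is not the author's code: it uses a constructed in-memory SQLite table standing in for bad_passwords and the same character class and minimum length as the second regex above. A query counter makes it visible that input failing the cheap checks never reaches the database, and is_bad_interpolated reproduces the injectable query from the first version for contrast.

```python
import re
import sqlite3

# Constructed sample standing in for the page's bad_passwords table.
BAD_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

# Same character class and minimum length as the post's second regex.
ALLOWED = re.compile(r"[\w.\-:;!$%()/]{6,}")


def make_db():
    """Create an in-memory SQLite database holding the sample bad-password list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bad_passwords (word TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO bad_passwords VALUES (?)",
                     [(w,) for w in BAD_PASSWORDS])
    return conn


class CountingDB:
    """Wraps a connection and counts lookups, so it is visible how often the
    expensive check actually runs."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def is_bad(self, password):
        # Hardened form: the password is a bind parameter, never interpolated.
        self.queries += 1
        row = self.conn.execute(
            "SELECT 1 FROM bad_passwords WHERE word = ?", (password,)
        ).fetchone()
        return row is not None


def is_bad_interpolated(conn, password):
    """The injectable query from the post's first version, for contrast only:
    a crafted value makes the WHERE clause true without being in the table."""
    sql = f"SELECT 1 FROM bad_passwords WHERE word='{password}'"
    return conn.execute(sql).fetchone() is not None


def check_new_password(db, new_password, type_again):
    """Cheap checks first, database last (the post's reordered version)."""
    if new_password is None or type_again is None:
        return False                      # nothing entered
    if new_password != type_again:
        return False                      # verification mismatch
    if ALLOWED.fullmatch(new_password) is None:
        return False                      # bad characters or too short
    if db.is_bad(new_password):
        return False                      # on the weak-password list
    return True


if __name__ == "__main__":
    db = CountingDB(make_db())
    for pw in (None, "abc", "x' OR '1'='1", "123456", "correct-horse"):
        print(repr(pw), check_new_password(db, pw, pw))
    print("database queries issued:", db.queries)   # 2: only the last two reached the table
```

Run it and only the two candidates that pass the cheap checks cause a query; the injection string is stopped by the regular expression and, even when fed directly to is_bad, returns False because it is bound as a value, whereas is_bad_interpolated returns True for it.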

Both functions do the job for a few requests, but a thousand calls per day will make a difference, especially if your server has other work to do and doesn't have more CPU, memory and database resources than you'll ever need.
