
Tuesday, August 30, 2011

Book Review: Python 3 Web Development Beginner's Guide

I recently received a free review copy (eBook version) of Python 3 Web Development Beginner's Guide from Packt Publishing. I was looking forward to this book, because I haven't really done much Python 3 work yet, and I wanted to see how it could make my life as a web developer better. However, the book wasn't what I expected. Instead of covering the basics of web development and how Python 3 applies, it is more of an introduction to the sorts of concerns that come up when you build a web framework on top of CherryPy. The sample code just happens to be in Python 3.



The Good



The two best parts of the book, to me, were the coverage of writing a jQuery plugin, and growing an ORM that uses metaclasses to provide a compact, readable way to define the models.



The Bad



I have a rather long list of things I didn't like about the book, some of which are a function of the title setting misleading expectations, and some of which I think are just problematic in general.



In general, I didn't care for the examples. Some of this is personal preference: I find that many people (myself included) learn better when they must type in the examples instead of opening up the code and reading through a completed solution. While the book sometimes indicated that something had been left as an exercise to the reader, opening up the sample code showed that the exercise actually had not been left to the reader. This mismatch between what the text of the book says will be in the sample code and what is actually in the sample code occurs in multiple places throughout the book, and gives a sense that the book was sloppily edited.



I also felt the examples in general were too complicated. It's fine to build up a complicated example over the course of a book, but instead we got a task list, a wiki, a Customer Relationship Management (CRM) tool, a spreadsheet, and more. That's an awful lot to distract you from the beginner's principles that you would expect in a book with this title.



I also didn't care for many of the shortcuts taken in the book. In most instances, the book did acknowledge that the approach taken was not appropriate in the real world, but then proceeded with little or no justification for why it was done the way it was. The two examples that really leap out in this category are the password hashing scheme and the failure to use a template engine.



When the book first introduces authentication, it explains that you should never store passwords in plaintext. This is absolutely correct, but the book then goes on to demonstrate a completely insecure password hashing scheme: UNSALTED SHA1. The author only provides a cursory link to explain what you should actually be doing. In this day and age, demonstrating anything less than a bcrypt-based solution is wrong. Read Enough With The Rainbow Tables and How To Safely Store A Password for a far better explanation than I can provide. There's really no excuse for this: the added complexity of using py-bcrypt instead of writing your own (insecure) SHA1-based solution is trivial at worst; there's a strong case to be made that it would actually be simpler.
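To make the complaint concrete, here is an added example (mine, not code from the book or from py-bcrypt) that puts the unsalted SHA1 scheme next to a salted, deliberately slow one. The review recommends bcrypt; because that needs a third-party package, this example substitutes the standard library's PBKDF2-HMAC-SHA256, which shows the same two properties that unsalted SHA1 lacks: a random per-user salt, so identical passwords no longer produce identical hashes, and an iteration count that makes bulk guessing expensive. The `ITERATIONS` value and the `$`-separated storage format are my own assumptions, not anything from the book.

```python
import hashlib
import hmac
import os

# The scheme the book demonstrates: one unsalted SHA-1 digest per password.
# Every user with the same password gets the same digest, so a single
# precomputed table (or one cracked hash) covers all of those accounts.
def unsalted_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stand-in for a bcrypt-based scheme: PBKDF2-HMAC-SHA256 from the standard
# library. Assumption: the iteration count is tuned for the deployment
# hardware; it is not a bcrypt cost factor.
ITERATIONS = 200_000

def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Storing the parameters alongside the digest lets you raise ITERATIONS
    # later and re-hash on next login without breaking existing records.
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    # Two users who chose the same (constructed) password:
    print("unsalted:", unsalted_sha1("correct horse") == unsalted_sha1("correct horse"))
    print("salted:  ", hash_password("correct horse") == hash_password("correct horse"))
    record = hash_password("correct horse")
    print("verify ok:", verify_password("correct horse", record))
    print("verify bad:", verify_password("wrong horse", record))
```

The two printed comparisons are the whole point: the unsalted digests are equal, the salted records are not, and verification still succeeds because the salt travels with the record. Swapping in py-bcrypt, as the review suggests, is the same amount of code with the `hashpw`/`checkpw` pair doing the salting and cost handling for you.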



The failure to use a template engine (also a weakness acknowledged by the book) really makes the code harder to follow than it should be. Virtually any serious web development effort is going to take advantage of a template engine, and for good reason. This code gives me flashbacks to my days of writing Java servlets before the advent of JSP, and I saw where one other reviewer invoked the specter of PHP. The fact that this style of coding draws such comparisons should give you an idea of just how unpythonic it is. I would be sympathetic to claims of not wanting to add too many external dependencies if the book did not already rely significantly on the magic of jQuery UI.



My last major complaint is simply one of focus: the book spends substantial amounts of time growing an ORM and teaching Python metaclasses (and doing a good job of it), but spends little more than the bare minimum required on CherryPy (which is at the core of the code), and essentially none on understanding HTTP. In fact, the few times it comes up is usually in relation to GET vs. POST, where the decision is usually made based on inane implementation details such as whether request arguments are logged by default instead of HTTP fundamentals such as idempotency, safety, or cacheability (although caching is mentioned elsewhere, in the context of how to prevent it). Also, the book does mention security, but it does not give it the sort of omnipresent emphasis that is necessary to write good web applications, given the hostile nature of the domain. XSS, CSRF, and SQL injection attacks all deserve much more attention than they were given.
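The template-engine and XSS complaints above are really the same complaint, so here is one added example (mine, not code from the book) showing why. Building a page by string concatenation, as the book does, means every interpolated value is trusted as markup unless the author remembers to escape it; a template engine with autoescaping does that at every output point for you. The handler names and the sample form value are constructed for the example.

```python
from html import escape

# Constructed sample of a form field value that a CherryPy handler would
# receive verbatim from the client (assumption: the client is hostile).
USER_INPUT = "<script>alert('hi')</script>"

# The hand-built style: the value is pasted straight into the markup, so
# markup inside the value becomes markup in the page (reflected/stored XSS).
def render_unescaped(title, body):
    return "<h1>" + title + "</h1><p>" + body + "</p>"

# What a template engine's autoescaping does at every output point:
# convert <, >, &, and (with quote=True) quotes to entities, so the
# browser displays the text instead of parsing it.
def render_escaped(title, body):
    return "<h1>%s</h1><p>%s</p>" % (escape(title, quote=True), escape(body, quote=True))

# Attribute context needs the quote escaping too, otherwise a value
# containing a double quote can close the attribute early.
def render_link(label, href):
    return '<a href="%s">%s</a>' % (escape(href, quote=True), escape(label, quote=True))

# Quick defensive self-check: does the rendered page still contain the
# raw value as markup? Useful as a unit test on any hand-rolled renderer.
def leaks_markup(rendered, value):
    return value in rendered

if __name__ == "__main__":
    print(render_unescaped("Wiki page", USER_INPUT))
    print(render_escaped("Wiki page", USER_INPUT))
    print(render_link('x" onmouseover="x', "/page?q=a&b"))
```

Note that entity escaping is the right answer only for HTML text and attribute values; a value dropped into a `<script>` block or a URL needs its own context-specific encoding, which is another reason to let a template engine own the output layer rather than re-deriving these rules per page.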



The Summary



The book has some good content mixed in with the stuff I didn't like. Unfortunately, the good content is rarely specific to web development. For example, the chapter that uses metaclasses to clean up the ORM is one of the better resources on metaclasses that I've seen, but metaclasses are clearly not specific to web development. Furthermore, the impression of sloppy editing makes it hard to put as much faith in the content as it probably deserves. Given these flaws, I really don't think I'd recommend this book to a friend who was looking to get started with web development.



Back to flipping out...

Tuesday, June 16, 2009

Book Review: Python Web Development with Django

Disclaimer: I received a review copy of this book through the PyATL Book Club.

The stated goal of the book is "to help you get things done" (using Django for web development). As a relative beginner with 3 years of Python and coming on 1 year of using Django for web development, I figured that I would either be the perfect audience for the book or already too advanced to get much out of it (it's been a pretty obsessive year).

The book starts out with a nice introduction to Python. I thought that this was a great place to start because the Django documentation intentionally assumes knowledge of Python and the free online Django Book dives straight into the merits of web frameworks and the history of Django. So, already the book is setting itself apart a bit from the free online resources.

I remember feeling a sense of clarity while reading the introduction, a good compromise between trying to be comprehensive and terse at the same time. The intro does a good job of presenting what you really do need to know about Python and some common pitfalls. Interestingly, nothing is said of the string.format() method, which is somewhat unfortunate as the official Python docs say:

This method of string formatting is the new standard in Python 3.0, and should be preferred to the % formatting described in String Formatting Operations in new code.

But, alas, I (not to mention the official Django docs and probably 99% of Django devels) have always used % formatting and will probably continue to do so for the near future. I will be interested to see how Django and Python move forward. Actually, check out the Django source itself:

skylar@ABC255:~/svn/django-trunk$ grep -r % * |grep \' |grep -v svn|grep -cv dateformat
4596
skylar@ABC255:~/svn/django-trunk$ grep -r % * |grep \" |grep -v svn|grep -cv dateformat
12818
skylar@ABC255:~/svn/django-trunk$ grep -r '\.format(' * |grep \' |grep -v svn|grep -cv dateformat
0
skylar@ABC255:~/svn/django-trunk$ grep -r '\.format(' * |grep \" |grep -v svn|grep -cv dateformat
0

Well, perhaps the authors are right in not mentioning the string.format method after all.

A small correction that I can't pass on mentioning here (being a math nerd): the book states that list.sort() sorts numeric values from smallest to largest. If I may present a list that I believe is ordered from smallest to largest: [1,2,3, -100000, -9999999999]. I spoke to Wesley Chun and he said that he would probably change to "the most-left on the number line to the most-right on the number line." I think that is about as good as it can be phrased without opening an analytical can of worms that could erupt and engulf us all! Coming back to earth after my self-satisfied, math-degree-induced intoxication, I learned a little about generators, the finally clause, raise and other aspects of the Python language that I have mostly danced around. Almost everything presented in the chapter I already knew; but, perhaps rather than struggling for years to understand these concepts I could have just read these ~50 pages? I did get a nice sense of clarity and a feeling that I was consolidating what I already knew into a more cohesive force.

Chapters 2 and 3 are fair enough, "Django for the Impatient: Building a Blog" and "Starting Out". Nothing really stood out as exceptional. I could imagine that I have just worked my way through the documentation's tutorial and these two sections really helping to expand my horizons and to clarify a few things.

The next section "Django in Depth" gives an enjoyable read of the M, the V, and the T in Django (change the letters if you feel the need). At only ~60 pages I don't know if the authors were intending this to be Django's K&R. But, it seemed to be just about right for my particular skill level. I definitely came in with a lot of the information presented; a few of the sections definitely pushed into areas I hadn't bothered considering too deeply like abstract base classes, multi-table inheritance, extra() and fixtures (in the Models section). I enjoyed the authors' treatment of the request and response objects in Django and felt my understanding enhanced. I have been making things work but not necessarily seeing the forest for the trees. I'm not sure how the sections on forms and templates differ from the official documentation; although, it is nice to have a document that is intentionally ordered and requires no electricity.

"Django Applications by Example" had some fun examples with some real-feeling problems to overcome. We get a custom field, use the flatpages app, use generic views and custom views judiciously, implement a search request-handler, deal with users and the admin app's current insistence on mutual trust where users have the same permissions.

I like that the authors went ahead and made use of "AJAX" with jQuery in their liveblog example app. I'm biased because I use jQuery. But, this is something that you will never see in the official docs or the Django Book: A JAVASCRIPT SNIPPET! It definitely got my juices flowing about how I can make my own JSON API views. Usually I have just rendered an HTML snippet with my view and then asynchronously inserted it into the DOM (actually preferable in a lot of situations) but it's nice to see how a JSON API would work. The pastebin example also had syntax highlighting with JavaScript which was nice. I even learned about the "pre" tag. And there is a little introduction to cron with the Django ORM.

The "Advanced Django Programming" chapter is kind of a hodge-podge of things that will probably be encountered eventually if you work with Django enough. Django's power by virtue of Python's power is shown with examples using the csv and pycha modules. External Python modules might have been its own chapter but these topics are presented alongside customizing the admin, custom managers for your models and extending/replacing the templating system. Then, in "Advanced Django Deployment" we talk about cron, caching, testing and other miscellany. These ~50 pages seem a bit like the authors were getting tired and so rather than properly organizing they kind of just tacked on some extra things that they felt were neglected or not properly treated in other chapters (reminiscent of tacking on some CSS rules at the end to get your website out the door when you know it would be more proper to factor them into various external files). Here I can cut them a break because I am feeling like cutting this review short and it is barely a page ;)

Overall, I don't know if this book will "help me get things done". Actually, I rather think that the online book and the Django documentation are first choices in a pinch and trying to really "get things done". However, the book gave me perspective on quite a few things that are either lacking from the documentation or are just presented in a different order. I like the way that this book is logically ordered.

Most importantly the book allowed me to get out in nature and hang out with my girlfriend (sans computer) while still sharpening my Python/Django tools. Plus, your mind can get a little scrambled with 10 tabs of documentation up in your browser alongside 5 blog postings that you are reading simultaneously. Sometimes it's definitely nice to have a single source with a linear organization.