As usual, Richard shows the quality of his mettle! :-)

I absolutely agree, some ideas:

1. have the mailing list automatically add a single line to the mailing list sig that promotes security/good-practice and points to phpsec.org? (I guess only someone like Rasmus could say whether this was even an acceptable proposition)

2. promote 'hacking ethos' in general - which starts with RTFM but goes further in that 'newbies' should be encouraged to broaden their understanding of a problem area beyond 'getting it to work'

3. dish out more praise to those 'newbies' that do go the extra mile to enrich their own skills beyond what is strictly necessary to get their job done. encourage research and problem solving.

4. conversely I do believe we can [keep] making it clear that certain attitudes don't cut it - I'm referring to the 'please do my job for me' crowd - (in the end you can't save them all ;-) - maybe we can 'nominate' certain experienced people to reply to messages which are blatantly bad questions (and/or show blatant signs of not being interested in the 'why's), encouraging people not to answer the OP until he/she shows signs of wanting to expand their own understanding and of researching their own problems.

for instance, the only reason I hardly ever have reason to ask a question on the list is because the information/answers I'm looking for have 99% of the time already been documented in articles/tutorials/etc on the web - (i.e. I'm always saying 'how the **** does that work' and almost always someone 'out there' has already written something that explains it! it's a matter of finding it and taking the time to read/re-read)

[quite probably point 4 does not come across the way I meant - in which case please ignore :-)]

in short I stand by your notion and will try to do my part.

[the king is dead, long live php]

Richard Lynch wrote:
> Hey y'all...
>
> In the spirit of improving the mailing list, I'd like to suggest that we, as a group, attempt to not provide answers with Bad Practices, or at least always to point out that the Sample is Bad Practice for production sites?
>
> For example, an answer to a question about <?php echo $foo?> where it is clear that register_globals is "off" should either specifically sanitize the data, or make reference to the need to sanitize the data, or link to http://phpsec.org or something along those lines.
>
> Otherwise, we merely perpetuate the problems of Bad Code with our answers to newbies, who then run off and write insecure sites and cause us more grief down the road.
>
> Hmmm. Maybe this should be part of a Netiquette document "How to give good answers" right next to that "How to ask good questions" document :-^
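An added example, not code from the thread or from Richard, of the point made above: the bare `<?php echo $foo?>` answer beside a version that validates and escapes the value before echoing it. It assumes `$foo` arrives from the query string as `$_GET['foo']` (register_globals off), and the function names `render_insecure` and `render_hardened` are hypothetical.

```php
<?php
// Added example: the "<?php echo $foo ?>" answer with register_globals off.
// Assumption: $foo comes from $_GET['foo']; function names are hypothetical.

// Insecure form: user-controlled input is echoed straight into HTML,
// so any markup or script in the parameter is rendered by the browser.
function render_insecure(array $get): string
{
    $foo = $get['foo'] ?? '';
    return "<p>Hello, $foo</p>";
}

// Hardened form: first validate the value against what the page actually
// expects, then escape it for the HTML context it is written into.
function render_hardened(array $get): string
{
    $foo = $get['foo'] ?? '';
    // Reject anything outside the expected shape instead of "cleaning" it.
    if (!preg_match('/^[A-Za-z0-9 _.-]{1,40}$/', $foo)) {
        $foo = 'guest';
    }
    // Escape for the HTML body; ENT_QUOTES also covers attribute contexts.
    $safe = htmlspecialchars($foo, ENT_QUOTES, 'UTF-8');
    return "<p>Hello, $safe</p>";
}

// Constructed sample input standing in for a crafted query string.
$sample = ['foo' => '<b>Richard</b>'];
echo render_insecure($sample), "\n";
echo render_hardened($sample), "\n";
```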
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php