On Aug 15, 2007, at 4:28 AM, David Powers wrote:
Jay Blanchard wrote:
If there was a best practices book would you buy it?
I write books on PHP aimed at the beginner/intermediate level, and
have a considerable collection of PHP books written by others. Two
relatively recent books that struck me as being important are "Pro PHP
Security" by Chris Snyder and Michael Southwell, and "Essential PHP
Security" by Chris Shiflett. (I know there's also "php|architect's
Guide to PHP Security" by Ilia Ashanetsky and Rasmus Lerdorf, but I
haven't read it.)
The thing that struck me most about the books was that anyone thought
there should be a need for them. Of course, there is a need - that's
why they were written. However, surely security should be taught from
the very beginning? Every book on PHP (or any other language) should
be a "best practices" book.
The problem is that books are written by human beings, who are prone
to mistakes (myself included), and whose own view of "best practice"
might leave gaps in security. The other problem is that a lot of
people who use PHP just want to copy and paste a script that "works".
Even if the ready-made script has been designed with security in mind,
using it without understanding *how* it works can lead to unforeseen
problems.
By the way, I would welcome constructive criticism of the scripts in
my books. I have tried to incorporate what I perceive to be the best
practices at the time of writing, but I'm sure there's room for
improvement.
If I can add some stuff here:

I have done a lot of PHP/JavaScript programming from scratch and, being
self-taught, without good texts on the subject in addition to the PHP
manual I would be at a loss. Copying and pasting code is kind of like
being a commercial designer who never does original art but just uses
stock stuff and crams it into templates. That should be the difference
between a pro developer and a 'paste-up' artist. Inevitably, even copied
and pasted code has to be adapted for a particular use; otherwise it
borders on theft. Even if you do use open source, you do not have to be
a charity (albeit I have not made any money at it to speak of).

I would like to think that the money I have spent on books, lining
authors' and publishers' pockets, the money I have spent on commercial
software from Adobe, Quark, etc., etc., and the thousands of dollars I
have spent on computer hardware over the years has not been in vain
(even though I have no 'meal ticket' with student loans that may take
the rest of my life to pay off, and won't ever be guaranteed that that
investment would pay for itself).

Just my two cents.
Jeff K
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php