On Thu, Feb 28, 2008 at 12:57 PM, Eric Butera <eric.butera@xxxxxxxxx> wrote:

> All my point is that I've been on this list for a while. I've posted
> code and watched people just copy and paste it. I've watched other
> people copy and paste their examples. I used to say sanitize your
> data and watch the same exact thing in their new function coming back
> at me without any sanity checks whatsoever.

Right, but my point is that the rules and spirit of the list apply: we're not going to hold your hand and write your code for you. If you want to be smart enough to put together a PHP page, you should be smart enough to at least ask *how* to sanitize the code. I'm not deliberately setting people up for failure, I'm taking into account that - while it's not as common as it should be - the poster has common sense.

Quite honestly, we all learned the hard way, I'm sure. It's what makes us better programmers: experience. If I had asked for people to write things for me and blindly installed them and ran the code, I'd never have learned anything. Plus, if you provide immaculate code, you're potentially taking a chunk of time out of your day, without pay, so that someone else can potentially (and I'd hazard a guess at "likely") make a few bucks on your work.

> So my point is that people don't know how to do it. If you decide to
> help people out with their issues you need to also help them
> understand how to filter/escape their data. Otherwise keep in mind
> those people are going to copy your code with the comment saying
> sanitize it, and it isn't going to be escaped. Maybe that is okay
> with you but I see that as a problem. I know Jason said he is doing
> it elsewhere, but that is the rare case.

I agree completely... and that's what I do. If I tell someone that they have to sanitize their code, then I've done my job in that respect.

There is absolutely no reason whatsoever that I should feel forced or even compelled to take an additional five minutes for a one-minute post to explain that they should use mysql_real_escape_string(), run an arrayed regexp for filtration, and/or escape all single, double, and backtick quotes. When they read my "sanitize input" string and ask about it, then I'm more than happy to help, but presuming someone doesn't know how and writing a dissertation on input sanity - while it is the safe road - is redundant and potentially insulting to the person. Especially if it's someone who's been on the list for a while (as is generally the case anyway).

Summarizing, I'm not disagreeing by any means that you do have a valid point; contrarily, I'm absolutely concurring. I'm just stating that it's not entirely applicable to the posts to which you refer. There is a time and a place to presume at least a small piece of intelligence on behalf of the poster.

--
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

--
PHP General Mailing List (http://www.php.net/)
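The thread's worry is a copied snippet that carries a "sanitize input" comment but no actual escaping, next to the two remedies the reply names (escaping the quotes, or a parameterised query). The following script is an added illustration, not code from the thread or from either poster; it builds a constructed users table in an in-memory SQLite database so it runs offline with PHP's pdo_sqlite extension, and the function names and rows are assumptions.

```php
<?php
// Added example, not from the list thread. Table and rows are constructed
// in an in-memory SQLite database so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// The pattern the thread complains about: a "sanitize input" comment with no
// sanitizing behind it. Whatever is in $name lands verbatim inside the SQL text.
function find_user_unsanitized(PDO $db, string $name): array {
    // sanitize input   <-- a comment is not sanitization
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Remedy 1 (the escaping the reply refers to): quote/escape the value for this
// driver before interpolating it. PDO::quote adds the surrounding quotes itself.
function find_user_escaped(PDO $db, string $name): array {
    $sql = "SELECT name, role FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Remedy 2 (preferred): a prepared statement. The value is sent separately from
// the SQL text, so a quote in it can never alter the statement's structure.
function find_user_prepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, role FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$plain  = 'bob';
$quoted = "x' OR '1'='1";   // constructed input containing a single quote

// Plain input: all three return the single row for bob.
print_r(find_user_unsanitized($db, $plain));
print_r(find_user_escaped($db, $plain));
print_r(find_user_prepared($db, $plain));

// Input with a quote: the unsanitized query returns every row in the table,
// while the escaped and prepared forms look for a user literally named
// "x' OR '1'='1" and return an empty array.
print_r(find_user_unsanitized($db, $quoted));
print_r(find_user_escaped($db, $quoted));
print_r(find_user_prepared($db, $quoted));
```

Run it with `php` on the command line; comparing the six print_r outputs shows exactly what the missing escaping costs and that either remedy closes the gap.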