On Thu, Feb 28, 2008 at 1:39 PM, Nathan Rixham <nrixham@xxxxxxxxx> wrote:
>
> Eric Butera wrote:
> > On Thu, Feb 28, 2008 at 12:38 PM, Daniel Brown <parasane@xxxxxxxxx> wrote:
> >> On Thu, Feb 28, 2008 at 12:36 PM, Eric Butera <eric.butera@xxxxxxxxx> wrote:
> >> > And I'd appreciate it if you kept all your posts about wearing dresses
> >> > to yourself but it isn't going to happen. :)
> >>
> >> Heh. It is a bad visual, isn't it? ;-P
> >>
> >> --
> >>
> >> </Dan>
> >>
> >> Daniel P. Brown
> >> Senior Unix Geek
> >> <? while(1) { $me = $mind--; sleep(86400); } ?>
> >
> > All my point is that I've been on this list for a while. I've posted
> > code and watched people just copy and paste it. I've watched other
> > people copy and paste their examples. I used to say sanitize your
> > data and watch the same exact thing in their new function coming back
> > at me without any sanity checks whatsoever.
> >
> > So my point is that people don't know how to do it. If you decide to
> > help people out with their issues you need to also help them
> > understand how to filter/escape their data. Otherwise keep in mind
> > those people are going to copy your code with the comment saying
> > sanitize it, and it isn't going to be escaped. Maybe that is okay
> > with you but I see that as a problem. I know Jason said he is doing
> > it elsewhere, but that is the rare case.
>
> Eric,
>
> You do make a valid point about people copying and pasting code, and that
> we should all take a bit more care; however, we also have to remember
> that not all posts are going to "newbies". When a solid software
> engineer posts a short query on here, I'm sure they don't expect a fully
> sanitised application back, when a short snippet of code would more than
> suffice.
>
> One thing I don't understand: why did you go all out and personal on
> Dan? I'm not even going to go into it. You were bang out of order
> and you owe the man an apology; no need to explain what you meant, we
> all got it the first time. Further, if you felt the need to challenge
> somebody or give them advice, why do it in public?
>
> Hell, I'm not even involved and that kind of ill-mannered post even
> managed to put me in a bad mood.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Hi Nathan,

Sorry I soured your day. This is a public mailing list and it is my position that people who commit code to it should really make sure that it is reasonably sound. These emails get archived forever and people can search them to find results, so what we put on here is long-lasting. I was just trying to hammer home the fact that I've seen people use code as-is.

Ask random people in the IT world what they think about PHP. I bet you'll hear lots of FUD about it being insecure. Why is it insecure? Because people don't handle data right. I'm guilty of it. I was hoping that by providing consistent examples of how data handling should be done, people would learn best practices. Even if it isn't their thread, lurkers may see something new and start using it from here on out.

I really get irritated by the whole deferring of security issues to somewhere else. It isn't just Dan, but most how-to articles or examples in general. Yes, I realize that an example needs to be clear and simple to show the idea and not the implementation. However, in the real world, if you have blatant holes in your code, automatic bots and other nastiness on the net are going to find it & exploit it. I thought I was helping to raise the bar.

I've tried talking to Dan about this before and got more or less the same set of responses. At the end of the day though, it will never sit right with me to see a query on here that isn't escaped. Perhaps I'll try to be more civil about it in the future. :)

--
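As an added illustration of the kind of escaped query Eric is asking for (this is not code from the thread or from any poster): the string-concatenated lookup beside the same lookup as a mysqli prepared statement. The `users` table, its `email` column and the connection details are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with
// `id` and `email` columns and a mysqli connection in $db.

// Unescaped: the request value is pasted straight into the SQL text, so
// whatever the client sends is parsed as part of the query. This is the
// shape of snippet that gets copied as-is.
function find_user_unescaped(mysqli $db, $email)
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Parameterised: the SQL text and the data travel separately, so the
// value can only ever be compared against `email`, never parsed as SQL.
function find_user(mysqli $db, $email)
{
    $stmt = $db->prepare("SELECT id, email FROM users WHERE email = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $email);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder credentials; replace with real ones.
$db = new mysqli('localhost', 'app_user', 'app_pass', 'app');
$user = find_user($db, isset($_GET['email']) ? $_GET['email'] : '');
```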