On 28 Feb 2008, at 19:19, Per Jessen wrote:
Eric Butera wrote:
Hi Nathan,
Sorry I soured your day. This is a public mailing list and it is my
position that people who commit code to it should really make sure
that it is reasonably sound. These emails get archived forever and
people can search them to find results, so what we put on here is
long-lasting.
Guys, I haven't been following your little rapid-fire exchange, so
apologies if I'm just repeating what's already been said.
IMHO, when somebody posts a snippet of code to a mailing-list it should
essentially be considered pseudo-code only.
Most definitely. It's certainly worth noting that including adequate
filtering, error checking and escaping in a code snippet can be
anti-productive by making the snippet far harder to understand than it
would otherwise be.
Unless the filtering, error checking or escaping is fundamental to the
point being made, IMHO it's best to leave it out and just make a clear
statement that it's missing but should be included for production
usage. The techniques involved are so fundamental to developing
web-based applications that IMHO everyone doing it should understand how
to do it before they write a hello world script.
I was just trying to hammer home the fact I've seen people use code
as-is.
Their problem, not mine. Anyone who blindly copies somebody else's work
is asking for it.
Completely agree.
Ask random people in the IT world what they think about PHP.
I bet you'll hear lots of FUD about it being insecure. Why is it
insecure?
1) it's (mostly) interpreted
2) it's type-weak
There is nothing inherently insecure contained within either of those
features. Whatever language you're developing a web app in, from C to
C#, you will always get all variables you're passed from the user as
strings. Proper validation is always a requirement.
As for being interpreted I fail to see how that's a security risk so
long as you adequately lock down your servers, something that applies
regardless of the language you're using.
Stop adding to the FUD.
-Stut
--
http://stut.net/
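The message above says that user-supplied values always arrive as strings and that validation, error checking and escaping are the three things a list snippet usually leaves out. The following is an added example written for this archive page, not code posted by Stut or anyone else in the thread; it uses an in-memory SQLite database via PDO and a constructed set of request values so that it runs offline, and the function names (requireIntParam, findUser, renderGreeting) are this example's own choices.

```php
<?php
// Added example, not code from the thread. It shows the three things the
// message says a snippet usually omits: validation, error checking, escaping.

/**
 * Validate a request value that must be a positive integer.
 * Everything in $_GET/$_POST is a string, so '42abc', '' and '-1' all arrive
 * looking like numbers; FILTER_VALIDATE_INT with min_range rejects them.
 */
function requireIntParam(array $params, string $key): int
{
    $value = filter_var(
        $params[$key] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($value === false) {
        throw new InvalidArgumentException("parameter '$key' must be a positive integer");
    }
    return $value;
}

/** Look up a user by id with a bound parameter rather than string interpolation. */
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Error check: a missing row is a normal outcome, not something to ignore.
    return $row === false ? null : $row;
}

/** Escape for the HTML output context at output time, not at input time. */
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample data: an in-memory SQLite database standing in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (7, 'O''Brien <b>')");

// Constructed request values standing in for $_GET; note that every value is a string.
foreach ([['id' => '7'], ['id' => '7 OR 1=1'], ['id' => '9']] as $request) {
    try {
        $id = requireIntParam($request, 'id');
    } catch (InvalidArgumentException $e) {
        echo "400: {$e->getMessage()}\n";
        continue;
    }
    $user = findUser($pdo, $id);
    if ($user === null) {
        echo "404: no user with id $id\n";
        continue;
    }
    echo renderGreeting($user['name']) . "\n";
}
```

Validation is done once at the boundary (the string is converted to a typed value or rejected), the database query binds the typed value instead of interpolating it, and escaping is applied only when the value is written into HTML, because the right escaping depends on the output context rather than on where the data came from.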
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php