Eric Butera wrote:
> Hi Nathan,
> Sorry I soured your day. This is a public mailing list and it is my
Ahh it's okay - I think I may have read into it a little too much
anyways; likewise apologies.
> position that people who commit code to it should really make sure
> that it is reasonably sound. These emails get archived forever and
> people can search them to find results, so what we put on here is
> long-lasting.
Yeah that's half the reason why I took a little offense - although I
should remember it more myself as well!
> I was just trying to hammer home the fact I've seen people use code
> as-is. Ask random people in the IT world what they think about PHP.
> I bet you'll hear lots of FUD about it being insecure. Why is it
> insecure? Because people don't handle data right. I'm guilty of it.
> I was hoping by providing consistent examples on how data handling
> should be done people would learn best practices. Even if it isn't
> their thread lurkers may see something new and start using it from
> here on out.
Yeah I see that all too often, peeps taking code and posting it as their
own on popular forums, people google, c+p and it all gets in a big old
mess.
> I really get irritated by the whole deferring security issues to
> somewhere else. It isn't just Dan, but most how-to articles or
> examples in general. Yes I realize that an example needs to be clear
> and simple to show the idea and not the implementation. However, in
> the real world if you have blatant holes in your code automatic bots
> and other nastiness on the net is going to find it & exploit it.
Sigh, indeed, and PHP is the bot programming language of choice too!
> I thought I was helping to raise the bar. I've tried talking to Dan
> about this before and got more or less the same set of responses. At
> the end of the day though, it will never sit right with me to see a
> query on here that isn't escaped. Perhaps I'll try to be more civil
> about it in the future. :)
Civil: I think we all can be a bit more civil, probably best to keep
names out of anything negative (unless there's an obvious need).
I couldn't agree more on the whole escaping thing, one of my biggest
gripes is the lack of if(function_exists('mysql_real_escape_string')) +
magic quotes etc.
I hardly ever see any use of function_exists(), file_exists(), defined()
and really think that needs promoting more too!
All in all, what you wrote wasn't that bad, it just hit a nerve with me for a
time, for some reason no longer known to me!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
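The escaping practice the thread argues for (an unescaped query next to the function_exists('mysql_real_escape_string') guard and magic-quotes handling), as an added example that is not part of the thread or anyone's posted code. The users table, the name column, the $link mysql connection and the $pdo PDO connection are all assumptions for the example; the legacy mysql_* functions are used because that is the API the thread discusses.

```php
<?php
// Added example, not from the thread. Assumes a 'users' table with a 'name'
// column, an open legacy mysql connection in $link, and a PDO connection in
// $pdo (both assumed for illustration).

// 1. The pattern the thread objects to: request data dropped straight into
//    SQL. Any quote character inside $name changes the statement structure.
function find_user_unescaped($link, $name) {
    $sql = "SELECT id FROM users WHERE name = '" . $name . "'";   // unescaped
    return mysql_query($sql, $link);
}

// 2. Undo magic_quotes_gpc so escaping is applied exactly once. With magic
//    quotes on, PHP has already backslashed $_GET/$_POST; escaping again would
//    double-escape, and code that assumed magic quotes breaks silently once
//    the setting is turned off.
function raw_request_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 3. Escape for the current connection, with the function_exists() guard the
//    thread mentions so the code still runs on builds without the newer
//    function. mysql_real_escape_string is preferred because it honours the
//    connection's character set; mysql_escape_string does not.
function escape_for_mysql($link, $value) {
    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($value, $link);
    }
    return mysql_escape_string($value);
}

// The same query as (1), with the value escaped and quoted. Escaping only
// protects a value placed inside single quotes; an unquoted numeric context
// needs a cast such as (int) instead.
function find_user_escaped($link, $name) {
    $safe = escape_for_mysql($link, raw_request_value($name));
    $sql  = "SELECT id FROM users WHERE name = '" . $safe . "'";
    return mysql_query($sql, $link);
}

// 4. Prepared statements send the SQL and the data separately, so there is no
//    escaping step to forget and no quoting context to get wrong.
function find_user_prepared(PDO $pdo, $name) {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute(array(':name' => raw_request_value($name)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Usage: replace calls of the first form with the third or fourth; a grep for "WHERE" inside a double-quoted string that also contains "$" is a quick way to find the unescaped pattern in an existing code base.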