On Thu, Jul 17, 2008 at 9:55 AM, Stut <stuttle@xxxxxxxxx> wrote:
>
> Seriously though, I'm wondering if my expectations are too high... I expect
> them to know that addslashes is not adequate protection against SQL
> injection. I even had one tell me "SQL injection? I can't remember but I'm
> sure I've used it before". And I won't even go into the guy who asserted
> that he's always worked with DB administrators who've dealt with security
> issues so he'd never needed to learn about it.
1.) It's obvious that addslashes() is not protection against SQL
injection attacks. That's why God invented htmlentities() and
flatfile databases.
2.) No PHP programmer should ever be required to know anything
about databases, server management, mail, or anything. This is
because we all know that we'll someday all work in a Google-like
atmosphere with enough funding to hire other people to work with
databases, servers, HTML, and even a Senior JavaScript Engineer.
3.) "SQL injection" is just a buzzphrase. I already know where
baby databases come from.
4.) Any web programmer worth his or her salt knows that PHP, while
a great language, is not compatible with all browsers. Especially
Microsoft. For people using Windows, you'll need to have an ASP
website.
5.) Never sanitize input. It takes too long, and unless you're
dealing with credit cards, no one will ever want to hack your website.
If you are taking credit cards, store them in a firewalled database.
6.) If you need to copy files from one server to another, make
sure you use FTP over HTTP. It's more secure.
7.) register_globals is your friend.
8.) The best, most-scalable way to create an expandable website is
to use a switch page. Just tack on a ?page=faq.php query to your GET
request, and have PHP automatically `include($page)` (see point #7) in
your switch file.
9.) NEVER store passwords in a PHP script. Instead, store them in
a file named `inc/config.inc` in the web directory, and include them.
10.) If running a picture- or file-sharing website, make things
easier on your users and yourself. Allow users to delete their files
by using a simple link like:
http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in
delete.php, have only one line: <?php unlink($file); ?> (again, see
point #7 --- see how much that's coming in handy now?)
11.) The most important rule EVER: if you ever have the slightest
problem, DO NOT bother to search the #$@% web (STFW) or read the #@%^
manual (RTFM). There is a mailing list for that. Please ask any and
all questions there, including why your MP3's aren't streaming on your
AnalogX webserver from your home PC to your buddies in Antarctica
after you turn your computer off. "But when I turn my computer off,
the rest of the Internet still works! Hlp me pls!!!1!" We are here
only to serve you. People on mailing lists are paid to write your
code and do your homework for you, and you should expect nothing but
the best, immediate answers, 24/7/365. If they don't respond within
90 seconds, please repost your message every 90 seconds until someone
does. When in doubt, hijack a thread.
--
</Daniel P. Brown>
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
