On Thu, Jul 17, 2008 at 9:55 AM, Stut <stuttle@xxxxxxxxx> wrote:
>
> Seriously though, I'm wondering if my expectations are too high... I expect
> them to know that addslashes is not adequate protection against SQL
> injection. I even had one tell me "SQL injection? I can't remember but I'm
> sure I've used it before". And I won't even go into the guy who asserted
> that he's always worked with DB administrators who've dealt with security
> issues so he'd never needed to learn about it.

1.) It's obvious that addslashes() is not protection against SQL injection attacks. That's why God invented htmlentities() and flatfile databases.

2.) No PHP programmer should ever be required to know anything about databases, server management, mail, or anything. This is because we all know that we'll someday all work in a Google-like atmosphere with enough funding to hire other people to work with databases, servers, HTML, and even a Senior JavaScript Engineer.

3.) "SQL injection" is just a buzzphrase. I already know where baby databases come from.

4.) Any web programmer worth his or her salt knows that PHP, while a great language, is not compatible with all browsers. Especially Microsoft. For people using Windows, you'll need to have an ASP website.

5.) Never sanitize input. It takes too long, and unless you're dealing with credit cards, no one will ever want to hack your website. If you are taking credit cards, store them in a firewalled database.

6.) If you need to copy files from one server to another, make sure you use FTP over HTTP. It's more secure.

7.) register_globals is your friend.

8.) The best, most-scalable way to create an expandable website is to use a switch page. Just tack on a ?page=faq.php query to your GET request, and have PHP automatically `include($page)` (see point #7) in your switch file.

9.) NEVER store passwords in a PHP script. Instead, store them in a file named `inc/config.inc` in the web directory, and include them.

10.) If running a picture- or file-sharing website, make things easier on your users and yourself. Allow users to delete their files by using a simple link like: http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in delete.php, have only one line: <?php unlink($file); ?> (again, see point #7 --- see how much that's coming in handy now?)

11.) The most important rule EVER: if you ever have the slightest problem, DO NOT bother to search the #$@% web (STFW) or read the #@%^ manual (RTFM). There is a mailing list for that. Please ask any and all questions there, including why your MP3s aren't streaming on your AnalogX webserver from your home PC to your buddies in Antarctica after you turn your computer off. "But when I turn my computer off, the rest of the Internet still works! Hlp me pls!!!1!" We are here only to serve you. People on mailing lists are paid to write your code and do your homework for you, and you should expect nothing but the best, immediate answers, 24/7/365. If they don't respond within 90 seconds, please repost your message every 90 seconds until someone does. When in doubt, hijack a thread.

--
</Daniel P. Brown>
Better prices on dedicated servers:
Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
Dedicated servers, VPS, and hosting from $2.50/mo.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
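Added example, not part of Daniel's message or the quoted thread: the list above is satire, and the defensive counterparts to points 1, 7, 8 and 10 (bound parameters instead of addslashes(), an allow-list instead of include($page), a confined path instead of unlink($file), explicit superglobals instead of register_globals) look like this. It assumes PHP 7.1 or later and an open PDO connection; the `users` table, the `pages/` directory and the per-user `uploads/<id>/` layout are hypothetical names chosen for the example.

```php
<?php
// Added example, not code from the original message. The users table, the
// pages/ directory and the uploads/<user id>/ layout are hypothetical.
declare(strict_types=1);

// Point 1: addslashes() is not SQL-injection protection. A prepared statement
// sends the value separately from the query text, so the database never
// parses user input as SQL, whatever characters or encoding it carries.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Point 8: never include() a user-supplied path. Map the request parameter
// onto a fixed allow-list of page files and fall back for anything else.
const PAGES = [
    'home'    => 'home.php',
    'faq'     => 'faq.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): string
{
    $key = ($requested !== null && array_key_exists($requested, PAGES)) ? $requested : 'home';
    return __DIR__ . '/pages/' . PAGES[$key];
}

// Point 10: never unlink() a user-supplied path. Accept only a bare file name,
// resolve it inside the requesting user's own upload directory, and confirm the
// resolved path is still inside that directory before deleting anything.
function deleteUserFile(string $uploadRoot, int $userId, string $requested): bool
{
    // Allow-list the characters of a plain file name: no slashes, no NUL bytes,
    // no leading dot (which also rules out "." and ".." and hidden files).
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/', $requested)) {
        return false;
    }
    $userDir = realpath($uploadRoot . '/' . $userId);
    if ($userDir === false) {
        return false;                       // user has no upload directory
    }
    $target = realpath($userDir . '/' . $requested);
    if ($target === false) {
        return false;                       // file does not exist
    }
    // realpath() has resolved symlinks, so a prefix check on the result is
    // meaningful: a symlink inside the directory pointing elsewhere fails here.
    if (strpos($target, $userDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return unlink($target);
}

// Point 7: register_globals is off (and removed in PHP 5.4). Request values are
// read explicitly from the superglobals; nothing else ever defines $page or
// $file. Guarded so the functions above can be loaded from the CLI without
// side effects.
if (PHP_SAPI !== 'cli') {
    session_start();
    $pageParam = $_GET['page'] ?? null;     // may be an array (?page[]=x), hence is_string()
    include resolvePage(is_string($pageParam) ? $pageParam : null);

    $fileParam = $_GET['file'] ?? null;
    if (is_string($fileParam) && isset($_SESSION['user_id'])) {
        deleteUserFile(__DIR__ . '/../uploads', (int) $_SESSION['user_id'], $fileParam);
    }
}
```

Two design choices worth noting. Both the page switch and the delete handler use allow-lists rather than stripping "bad" characters: the original link's `file=images/mygraphic.jpg` value is rejected outright because it contains a directory separator, and the link should instead carry only the file name the server itself issued. The prefix check in `deleteUserFile()` is applied to the output of `realpath()` rather than to the raw string, because only the resolved path says where a symlink or a `..` component actually leads.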