On Thu, Jul 17, 2008 at 10:41 AM, Daniel Brown <parasane@xxxxxxxxx> wrote:
> On Thu, Jul 17, 2008 at 9:55 AM, Stut <stuttle@xxxxxxxxx> wrote:
>>
>> Seriously though, I'm wondering if my expectations are too high... I expect
>> them to know that addslashes is not adequate protection against SQL
>> injection. I even had one tell me "SQL injection? I can't remember but I'm
>> sure I've used it before". And I won't even go into the guy who asserted
>> that he's always worked with DB administrators who've dealt with security
>> issues so he'd never needed to learn about it.
>
> 1.) It's obvious that addslashes() is not protection against SQL
> injection attacks. That's why God invented htmlentities() and
> flatfile databases.
>
> 2.) No PHP programmer should ever be required to know anything
> about databases, server management, mail, or anything. This is
> because we all know that we'll someday all work in a Google-like
> atmosphere with enough funding to hire other people to work with
> databases, servers, HTML, and even a Senior JavaScript Engineer.
>
> 3.) "SQL injection" is just a buzzphrase. I already know where
> baby databases come from.
>
> 4.) Any web programmer worth his or her salt knows that PHP, while
> a great language, is not compatible with all browsers. Especially
> Microsoft. For people using Windows, you'll need to have an ASP
> website.
>
> 5.) Never sanitize input. It takes too long, and unless you're
> dealing with credit cards, no one will ever want to hack your website.
> If you are taking credit cards, store them in a firewalled database.
>
> 6.) If you need to copy files from one server to another, make
> sure you use FTP over HTTP. It's more secure.
>
> 7.) register_globals is your friend.
>
> 8.) The best, most scalable way to create an expandable website is
> to use a switch page. Just tack on a ?page=faq.php query to your GET
> request, and have PHP automatically `include($page)` (see point #7) in
> your switch file.
>
> 9.) NEVER store passwords in a PHP script. Instead, store them in
> a file named `inc/config.inc` in the web directory, and include them.
>
> 10.) If running a picture- or file-sharing website, make things
> easier on your users and yourself. Allow users to delete their files
> by using a simple link like:
> http://www.example.com/delete.php?file=images/mygraphic.jpg. Then, in
> delete.php, have only one line: <?php unlink($file); ?> (again, see
> point #7 --- see how much that's coming in handy now?)
>
> 11.) The most important rule EVER: if you ever have the slightest
> problem, DO NOT bother to search the #$@% web (STFW) or read the #@%^
> manual (RTFM). There is a mailing list for that. Please ask any and
> all questions there, including why your MP3s aren't streaming on your
> AnalogX webserver from your home PC to your buddies in Antarctica
> after you turn your computer off. "But when I turn my computer off,
> the rest of the Internet still works! Hlp me pls!!!1!" We are here
> only to serve you. People on mailing lists are paid to write your
> code and do your homework for you, and you should expect nothing but
> the best, immediate answers, 24/7/365. If they don't respond within
> 90 seconds, please repost your message every 90 seconds until someone
> does. When in doubt, hijack a thread.
>
> --
> </Daniel P. Brown>
> Better prices on dedicated servers:
> Intel 2.4GHz/60GB/512MB/2TB $49.99/mo.
> Intel 3.06GHz/80GB/1GB/2TB $59.99/mo.
> Dedicated servers, VPS, and hosting from $2.50/mo.
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Bad day Dan? :-)

Andrew
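For readers who missed the sarcasm in points 8 and 10 above, here is the non-ironic version of both handlers as an added example (not code from the thread or from anyone posting in it). It assumes a hypothetical layout of per-user upload directories under /var/www/uploads/<user id>/, page templates under ./pages, and a logged-in user id in $_SESSION['user_id'].

```php
<?php
// Added example, not from the thread: the register_globals patterns in
// points 8 and 10 rewritten defensively. Paths and the session layout
// (/var/www/uploads/<user id>/, $_SESSION['user_id']) are assumptions.
const PAGE_DIR   = __DIR__ . '/pages';   // hypothetical
const UPLOAD_DIR = '/var/www/uploads';   // hypothetical

// Point 8: never include($page). Map the request onto a fixed allowlist.
function resolvePage(string $requested): ?string
{
    $allowed = ['home' => 'home.php', 'faq' => 'faq.php'];
    return isset($allowed[$requested]) ? PAGE_DIR . '/' . $allowed[$requested] : null;
}

// Point 10: never unlink($file) on raw input. Accept a bare filename only,
// canonicalise it, and refuse anything outside the caller's own directory.
function deleteOwnUpload(string $userId, string $requested): bool
{
    if (!preg_match('/^[0-9]+$/', $userId)) {
        return false;
    }
    $base = realpath(UPLOAD_DIR . '/' . $userId);
    $name = basename($requested);          // strips any directory component
    if ($base === false || $name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $target = realpath($base . '/' . $name);
    // realpath() is false for a missing file; the prefix test keeps the
    // canonical path (symlinks resolved) under $base.
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($target) && unlink($target);
}

// Explicit superglobals instead of register_globals; the destructive
// action only on POST, never from a plain link.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['file'], $_SESSION['user_id'])) {
    $ok = deleteOwnUpload((string) $_SESSION['user_id'], (string) $_POST['file']);
    http_response_code($ok ? 204 : 403);
    exit;
}
$page = resolvePage((string) ($_GET['page'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit;
}
include $page;
```

The allowlist in resolvePage() and the realpath() prefix check in deleteOwnUpload() are the two controls that the satirical `include($page)` and `unlink($file)` one-liners lack: the request chooses among fixed options, and the filesystem path the server acts on is derived from trusted state rather than from the query string.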