Re: is there a problem with php script pulling HTML out of database as it writes the page??

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/17/08, Stut <stuttle@xxxxxxxxx> wrote:
>
>
> On 17 Jul 2008, at 15:31, David Giragosian wrote:
>
> On 7/17/08, Stut <stuttle@xxxxxxxxx> wrote:
>>
>>>
>>> On 17 Jul 2008, at 14:10, tedd wrote:
>>>
>>> At 10:28 PM +0100 7/16/08, Stut wrote:
>>>>
>>>> Oh, and you'd be working for me so bear that in mind ;)
>>>>>
>>>>> -Stut
>>>>>
>>>>>
>>>> It's no wonder why you haven't found anyone.  :-)
>>>>
>>>>
>>> Thanks for that tedd.
>>>
>>> Seriously though, I'm wondering if my expectations are too high... I
>>> expect
>>> them to know that addslashes is not adequate protection against SQL
>>> injection. I even had one tell me "SQL injection? I can't remember but
>>> I'm
>>> sure I've used it before". And I won't even go into the guy who asserted
>>> that he's always worked with DB administrators who've dealt with security
>>> issues so he'd never needed to learn about it.
>>>
>>> Am I expecting too much?!?
>>>
>>> -Stut
>>>
>>
>>
>> Surely you're being rhetorical, Stut, but no, you're not expecting too
>> much.
>> However the guy(s) who worked in a larger organization likely did have a
>> very clear delineation of roles and responsibilities, as I am experiencing
>> in a new position, and therefore may not be current on best practices in
>> areas outside of their role. When my group leader instituted the current
>> policy regarding job functions, a number of the open source guys decided
>> their unused skills were eroding and/or they were not being exposed to new
>> learning, and they left the company.
>>
>
> There's no way I would ever hire anyone who says "security was somebody
> else's responsibility". I don't care what their previous managers have said,
> that's never a valid statement in my book. When you then add the fact that
> no DB admin no matter how good they are can implement adequate security to
> prevent SQL injection you get a developer who doesn't care about security
> issues much less know anything about them.
>
>        -Stut


Saying security was someone else's responsibility is not the smartest
statement to make in a job interview. Whether that correlates to someone not
caring about security is a different matter, I think. Of course, if the
applicant said, "Security was somebody else's responsibility" in a flip
and/or arrogant manner and clearly showed no concern about it, then sure, on
to the next candidate. But I can imagine an exchange where somebody said
that, but then followed up with, "But here's how I would handle it..."

It sounds like the guy you interviewed was in the former category.

--David.

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux