On Thu, 2008-07-17 at 17:32 +0100, Stut wrote:
On 17 Jul 2008, at 15:41, Daniel Brown wrote:
On Thu, Jul 17, 2008 at 9:55 AM, Stut <stuttle@xxxxxxxxx> wrote:
Seriously though, I'm wondering if my expectations are too high...
I expect
them to know that addslashes is not adequate protection against SQL
injection. I even had one tell me "SQL injection? I can't remember
but I'm
sure I've used it before". And I won't even go into the guy who
asserted
that he's always worked with DB administrators who've dealt with
security
issues so he'd never needed to learn about it.
1.) It's obvious that addslashes() is not protection against SQL
injection attacks. That's why God invented htmlentities() and
flatfile databases.
Yup, had that one.
While we're talking about God here... why bother escaping your data.
For
he who believeth in the Lordeth could telleth thisith mountain
hereth to
moveth over thereth...
Then again nevermind.
2.) No PHP programmer should ever be required to know anything
about databases, server management, mail, or anything. This is
because we all know that we'll someday all work in a Google-like
atmosphere with enough funding to hire other people to work with
databases, servers, HTML, and even a Senior JavaScript Engineer.
I have a ghostwriter who keeps me active on the mailing lists. Best
50p I spend every week!
3.) "SQL injection" is just a buzzphrase. I already know where
baby databases come from.
The big Daddy database spends lots of CPU cycles on the big Momma
database and she eventually lets him put his SQL client into her
console and their SQL statements intermingle until something magic
happens. At least that's what my Daddy told me when I was a little
regex.
No, no, no... you got the semantics wrong... SQL injection is when an
imposter performs an insert on Momma database thus corrupting the
data.
Sometimes big daddy doesn't know about the corruption until he
performs
a select query on baby database. Unfortunately we're not yet
technologically advanced enough to perform a repair under these
circumstances.
4.) Any web programmer worth his or her salt knows that PHP, while
a great language, is not compatible with all browsers. Especially
Microsoft. For people using Windows, you'll need to have an ASP
website.
Indeed. And PHP can't be used for foreign language sites, only US
English. It makes a complete mess of British English sites.
You should see what happens when you have to manage Canadian English
and
Canadian French on the same site. PHP is the 5ux0r5.
5.) Never sanitize input. It takes too long, and unless you're
dealing with credit cards, no one will ever want to hack your
website.
If you are taking credit cards, store them in a firewalled database.
You say this, but the person I just did a phone interview with did
tell me that security is a cost-benefit calculation in terms of both
development time and runtime resources. He said he never bothers
escaping input in Intranet sites. True story!
I've been reading your email... hope you don't mind.
6.) If you need to copy files from one server to another, make
sure you use FTP over HTTP. It's more secure.
I use an Oompa-Loompas - much more reliable!
7.) register_globals is your friend.
And I hug her, and kiss her and squeeze her tight. *pop*
8.) The best, most-scalable way to create an expandable website is
to use a switch page. Just tack on a ?page=faq.php query to your
GET
request, and have PHP automatically `include($page)` (see point
#7) in
your switch file.
*hahahahaahah* What a clever person... what other sites did he/she
work
on? Post links please >:)
Ooh, dangerous. I worry about relative paths, so when I do this it's
always with an absolute path... i.e. ?page=/var/www/mywebsite.com/
somedir/faq.php
Absolute paths are much faster to resolve. Good for him, efficiency is
paramount on a heavy traffic payment gateway where every cycle can
contributes to squeezing in another credit card payment.
9.) NEVER store passwords in a PHP script. Instead, store them in
a file named `inc/config.inc` in the web directory, and include
them.
I prefer to use .txt as the extension. Makes opening them in Notepad
so much easier.
Don't use a .htaccess file either to secure the directory. Apache
needs
to read that... cycles, cycles, cycles... things of the baby
databases.
10.) If running a picture- or file-sharing website, make things
easier on your users and yourself. Allow users to delete their
files
by using a simple link like:
http://www.example.com/delete.php?file=images/mygraphic.jpg.
Then, in
delete.php, have only one line: <?php unlink($file); ?> (again, see
point #7 --- see how much that's coming in handy now?)
Wow, that's handy. You can practically create a clean-site web service
using: wget -r
This works best if the web server is running as root. None of those
annoying error messages about not being able to open files that I
know
are there!
11.) The most important rule EVER: if you ever have the slightest
problem, DO NOT bother to search the #$@% web (STFW) or read the #@
%^
manual (RTFM). There is a mailing list for that. Please ask any
and
all questions there, including why your MP3's aren't streaming on
your
AnalogX webserver from your home PC to your buddies in Antarctica
after you turn your computer off. "But when I turn my computer off,
the rest of the Internet still works! Hlp me pls!!!1!" We are here
only to serve you. People on mailing lists are paid to write your
code and do your homework for you, and you should expect nothing but
the best, immediate answers, 24/7/365. If they don't respond within
90 seconds, please repost your message every 90 seconds until
someone
does. When in doubt, hijack a thread.
Why do birds suddenly go *poof*, every time, you are near?
Could someone send me a link for the above mentioned mailing list.
I've
had some itchiness in my lower regions recently for which I'd like to
get some expert opinions. I'm not in too much of a hurry fortunately,
there's only been a little bleeding and I've only started smelling
something foul since this morning.
Thanks,
Rob.
Ps. For noobs on the site who have read this far before trying some of
the advanced techniques mentioned above... this has been a satirical
post. DO NOT TRY AT HOME-- OR AT WORK.