Nathan Rixham wrote:
> Richard Heyes wrote:
>>> but, I'm more concerned: does the client have to pay for the changes/upgrade or
>>> is it still "my obligation"?
>> Of course you charge him. Christ if I was expected to maintain stuff
>> gratis that I wrote 7 years ago I'd be mullahed.
> concurred, personally I'd be tempted to offer to find or indeed resetup
> on an old server if they could find one for free, but as for upgrading
> certainly quote/charge.

If one was to go this route, then why not just use a .htaccess file and turn on register_globals and
call it good?

I mean really, the customer would be in no greater risk than what they had been for the last 7 years.
Reason being, nothing else has changed about the script. If there is an exploit in the script now,
then there was an exploit in the past.

I realize that I am going against what I preach here. But really, the ISP isn't going to pay for
it. The owner isn't going to want to pay for it. Can't squeeze blood from a turnip...

If the programmer designed an insecure web site 7 years ago then the programmer should be
responsible for making the application secure. That was part of his/her job in the beginning.

I mean, sure when I first started designing/building web sites I thought I was doing the right thing
most of the time. If two years down the road I had a moment of clarity and I realized that I had
been doing something wrong or insecure for the past two years (which I've done) then I would go
back and tell the customer that I did something wrong or insecure and I would fix it for free.
This is part of my responsibility as a designer.

With that said, I would imagine that over the past 7 years, if the site has not been exploited, then I
would think that by turning register_globals back on would be of no concern.

To me, all the above sounds logical. If I am missing something, please point it out.

--
Jim Lucas
"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V
by William Shakespeare