Re: redoing website after 7 years

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





________________________________
From: Jim Lucas <lists@xxxxxxxxx>
To: Robert Cummings <robert@xxxxxxxxxxxxx>
Cc: Nathan Rixham <nrixham@xxxxxxxxx>; Richard Heyes <richard@xxxxxxx>; lamp.lists@xxxxxxxxx; "php-general@xxxxxxxxxxxxx" <php-general@xxxxxxxxxxxxx>
Sent: Thursday, January 8, 2009 10:51:32 AM
Subject: Re:  redoing website after 7 years

Robert Cummings wrote:
> On Wed, 2009-01-07 at 16:16 -0800, Jim Lucas wrote:
>> Nathan Rixham wrote:
>>> Richard Heyes wrote:
>>>>> but, I'm more concern does client has to pay the changes/upgrade or 
>>>>> it's still "my obligation"?
>>>> Of course you charge him. Christ if I was expected to maintain stuff
>>>> gratis that I wrote 7 years ago I'd be mullahed.
>>>>
>>> concurred, personally I'd be tempted to offer to find or indeed resetup 
>>> on an old server if they could find one for free, but as for upgrading 
>>> certainly quote/charge.
>>>
>> If one was to go this route, then why not just use a .htaccess file and turn on register_globals and 
>> call it good?
>>
>> I mean really, the customer would be in no greater risk then what they had been for the last 7 years.
>>
>> Reason being, nothing else has changed about the script.  If their is an exploit in the script now, 
>> then their was an exploit in the past.
>>
>> I realize that I am going against what I preach here.  But really, the ISP isn't going to pay for 
>> it.  The own isn't going to want to pay for it.  Can't squeeze blood from a turnip...
> 
> What if the turnip is the programmer?
> 

In this case, it wouldn't be.

>> If the programmer designed an insecure web site 7 years ago then the programmer should be 
>> responsible for making the application secure.  That was part of his/her job in the beginning.
> 
> Nobody said it's insecure... only that register globals was used as a
> feature, a feature at one point touted as useful to the PHP language. As
> has been mentioned previously, register globals is not real culprit of
> insecurity in this context, the real culprit is poor programming while
> using register globals... unfortunately such programming was common thus
> requiring a strong antidote... namely the downstream removal of support
> for the feature.
> 

I didn't mean to imply that the programmer did build an insecure app.  I said "if the programmer designed and insecure web site".

If the designer didn't build an insecure app, then it wont hurt a thing to turn on register_globals and just go back to the way it was before the ISP
upgraded.

>> I mean, sure when I first started designing/building web sites I thought I was doing the right thing 
>> most of the time.  If two years down the road I had a moment of clarity and I realized that I had 
>> been doing something wrong or in-secure for the past two years (which I've done) then I would go 
>> back and tell the customer that I did something wrong or in-secure and I would fix it for free. 
> 
> Ahhh... but this presumes the programmer did something wrong. That has
> not yet been determined. All we know is that globals were used, not that
> they were necessarily used incorrectly.
> 

I didn't say that, nor did I mean to imply that.  I was talking about my experiences.

>> Thia is part of my responsibility as a designer
>>
>> With that said, I would image that over the past 7 years, if the site has not been exploited, then I 
>> would think that by turning register_globals back on would be of no concern.
>>
>> To me, all the above sounds logical.  If I am missing something, please point it out.
> 
> Duly pointed out ;)
> 
> Cheers,
> Rob.

So, here is how I would summarize all the above.

Whether or not the programmer used the feature register_globals isn't of concern.

Whether the programmer designed and insecure app is the concern.

<?php

$APP_SECURE = (app is secure?); // Boolean: TRUE, FALSE

if ( $APP_SECURE ) {
    print('Turn on register_globals and call the job done.');
} else {
    print('Fix, at no cost, what you designed insecurely.');
}

?>



-- 
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



sorry for top-posting in my previous email. errarer humanum est!
:-)

ll 



      

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux