php-general Digest 6 Feb 2010 11:20:43 -0000 Issue 6576
Topics (messages 301838 through 301842):
Re: Appalling Dreamweaver performance
301838 by: haliphax
Re: OpenID
301839 by: haliphax
301840 by: Nate Benes
Re: PHP generated HTML has submit button which picks up the wrong url.
301841 by: Robert Cummings
301842 by: Michael A. Peters
Administrivia:
To subscribe to the digest, e-mail:
[email protected]
To unsubscribe from the digest, e-mail:
[email protected]
To post to the list, e-mail:
[email protected]
----------------------------------------------------------------------
--- Begin Message ---
On Fri, Feb 5, 2010 at 3:59 PM, Lenin <[email protected]> wrote:
> Try the NetBeans then
>
Personally, I've found that Programmer's Notepad 2 is a pretty capable
editor, and has some nice features such as auto-closing elements when
working with markup languages (HTML, XML, XSL, XHTML, etc.).
http://www.pnotepad.org
// Todd
--- End Message ---
--- Begin Message ---
On Mon, Feb 1, 2010 at 9:54 PM, Michael A. Peters <[email protected]> wrote:
> Daevid Vincent wrote:
>
>>
>>
>>> -----Original Message-----
>>> From: Al [mailto:[email protected]] Sent: Monday, February 01, 2010
>>> 12:09 PM
>>> To: [email protected]
>>> Subject: [PHP] OpenID
>>>
>>> This is a bit off subject, but....
>>>
>>> What is your opinion on OpenID?
>>>
>>
>> Failed gimick. Tried to resurface again about a year ago. Still seems like
>> failure.
>>
>
> ++
>
> Session ID hijacking is bad enough, it gives the malicious user access to
> one resource.
>
> OpenID hijacking gives the malicious user access to a ton of resources.
> And what does a user do when their OpenID provider disappears?
>
>
I think Michael hit the nail on the head as far as my concerns are.. well..
concerned. :) Google's OpenID provider seems like it would be around forever
and whatnot, but if you're going to rely on one of the "big" OpenID
providers, then it would appear that OpenID itself is useless. Facebook's
OpenID, etc., are on shaky ground at best.
I use a few sites that leverage OpenID as their login process, and I've got
to say--it's very convenient. However, I only use my Google account for
OpenID logins, so to me, it's really just a Google connector.
I commend everyone involved for their effort, but I think the underlying
principles need to be re-examined. It feels like they rushed the whole
concept into production before too many of the fundamental issues had been
discussed and dealt with.
My 2c.
// Todd
--- End Message ---
--- Begin Message ---
There is a openID mailing list set up if anyone has any technical questions,
[email protected]
-Nate
On Fri, Feb 5, 2010 at 4:57 PM, haliphax <[email protected]> wrote:
> On Mon, Feb 1, 2010 at 9:54 PM, Michael A. Peters <[email protected]> wrote:
>
> > Daevid Vincent wrote:
> >
> >>
> >>
> >>> -----Original Message-----
> >>> From: Al [mailto:[email protected]] Sent: Monday, February 01, 2010
> >>> 12:09 PM
> >>> To: [email protected]
> >>> Subject: [PHP] OpenID
> >>>
> >>> This is a bit off subject, but....
> >>>
> >>> What is your opinion on OpenID?
> >>>
> >>
> >> Failed gimick. Tried to resurface again about a year ago. Still seems
> like
> >> failure.
> >>
> >
> > ++
> >
> > Session ID hijacking is bad enough, it gives the malicious user access to
> > one resource.
> >
> > OpenID hijacking gives the malicious user access to a ton of resources.
> > And what does a user do when their OpenID provider disappears?
> >
> >
> I think Michael hit the nail on the head as far as my concerns are.. well..
> concerned. :) Google's OpenID provider seems like it would be around
> forever
> and whatnot, but if you're going to rely on one of the "big" OpenID
> providers, then it would appear that OpenID itself is useless. Facebook's
> OpenID, etc., are on shaky ground at best.
>
> I use a few sites that leverage OpenID as their login process, and I've got
> to say--it's very convenient. However, I only use my Google account for
> OpenID logins, so to me, it's really just a Google connector.
>
> I commend everyone involved for their effort, but I think the underlying
> principles need to be re-examined. It feels like they rushed the whole
> concept into production before too many of the fundamental issues had been
> discussed and dealt with.
>
> My 2c.
>
>
> // Todd
>
--- End Message ---
--- Begin Message ---
Joseph Thayne wrote:
"What you maybe ought to consider is using several submit buttons, and
give each a name and a value. That way, your PHP script can check for a
specifically named variable sent from the form. That way, you keep many
people happy, and your site still works perfectly."
The problem with doing it that way is that IE is not happy with multiple
submit buttons in a single form.
I've never seen IE have a problem with multiple submit buttons. I'm
guessing you're doing something wrong. I often have multiple submit buttons.
Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP
--- End Message ---
--- Begin Message ---
Ashley Sheridan wrote:
Bit of advice though, don't use Javascript to submit a form. Firstly,
Javascript isn't available on all browsers, and on those it is available
on, not everyone has it turned on. The W3C has the stats for Javascript
being unavailable in a browser at about 5%.
Yup.
Just the other day a company lost my business because after registering
for their web site, the login form did not work w/o JavaScript.
Interesting that the registration form itself did.
A freaking login form that had nothing but an e-mail address, password
field, and a button that was not a standard submit button, but a html
button elements with a JavaScript event attached to it.
There was no valid reason for them to require JavaScript for that, I do
not mind allowing JavaScript for local server if the site is of value to
me but the fact that they used JavaScript for a submit button in a form
that had two very standard fields told me that they did not know what
they are doing, indicating they probably did not have their site
properly protected from XSS injection, and I'm not going to white list a
web site that I have reason to suspect may not have proper server side
protection against XSS injection.
My guess is they don't even have a web master but are using some cms
that autogenerates everything for them, which probably means any input
validation is rather weak.
Use JavaScript when it is the best tool for the job. It is not the best
tool for form submission. Client side form validation, sure - it's nice
for catching problems before the user submits so he doesn't have to
submit again, but not for the submit action itself.
--- End Message ---
