RE: [PHP] A Review Request
> -----Original Message-----
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: 22 May 2011 22:33
>
> At 5:50 PM +0200 5/22/11, Nisse Engström wrote:
>> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>>
>> It might do that, but don't bet your horse on it.
>>
>> http://se.php.net/manual/en/function.strcmp.php
>>
>> /Nisse
>
> It works that way for me.

Are you absolutely certain about that?

echo strcmp('These are nearly equal', 'These are almost equal'), "\n";
echo strcmp('different', 'unequal'), "\n";
echo strcmp('b', 'a'), "<br />\n";

Result:

13
-17
1

The description of the function merely says that the result is < 0, 0 or > 0 -- it makes no promises about the actual value when it is non-zero.

Cheers!

Mike
--
Mike Ford, Electronic Information Developer, Libraries and Learning Innovation, Leeds Metropolitan University, C507 City Campus, Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk  Tel: +44 113 812 4730
To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
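The behaviour Mike demonstrates above, together with Andre's question further down the thread (why strcmp() rather than a plain comparison) and Rob's remark about sort callbacks, as an added example written by the editor; it is not code from any post in this thread. It assumes PHP 7.4 or later. The closing hash_equals() point goes beyond what the thread says and is added as the practitioner's caveat.

```php
<?php
// Added example (editor's code, not from any post in this thread). It assumes
// PHP 7.4 or later; nothing else is assumed about the reader's setup.
declare(strict_types=1);

// (1) strcmp()'s documented contract is only "< 0, 0 or > 0". PHP before 8.2
// returns the byte difference (Mike's 13 and -17 above); PHP 8.2+ returns
// -1/0/1. Code that tests for exactly -1 or 1 is therefore wrong on older
// releases; only the sign is portable, which the spaceship operator extracts.
function cmp_sign(string $a, string $b): int
{
    return strcmp($a, $b) <=> 0;
}

// (2) Why strcmp() (or ===) rather than ==: when both operands are numeric
// strings, == compares them as numbers, so distinct strings test equal.
// strcmp() compares bytes and === compares type and value; neither is fooled.
function loose_equal(string $a, string $b): bool  { return $a == $b; }
function strict_equal(string $a, string $b): bool { return $a === $b; }
function strcmp_equal(string $a, string $b): bool { return strcmp($a, $b) === 0; }

// (3) Rob's point: a signed result drops straight into a sort callback.
function sort_strings(array $values): array
{
    usort($values, 'strcmp');
    return $values;
}

// Caveat beyond the thread: for passwords, session tokens or MACs use
// hash_equals(), which compares in constant time. strcmp() is not
// constant-time: its run time depends on where the first differing byte is,
// so it can leak how much of a guess matched.
function secret_equal(string $known, string $supplied): bool
{
    return hash_equals($known, $supplied);
}

// Constructed inputs: Mike's pairs plus numeric-looking strings that == merges.
$pairs = [
    ['These are nearly equal', 'These are almost equal'],
    ['different', 'unequal'],
    ['b', 'a'],
    ['0e123', '0e456'],   // both are 0 * 10^n, so == says true
    ['1e1', '10'],        // 10.0 == 10
    ['0123', '123'],      // leading zero dropped by numeric comparison
];
foreach ($pairs as [$a, $b]) {
    printf("%-24s %-24s sign=%2d  ==:%-5s ===:%-5s strcmp==0:%s\n",
        $a, $b, cmp_sign($a, $b),
        var_export(loose_equal($a, $b), true),
        var_export(strict_equal($a, $b), true),
        var_export(strcmp_equal($a, $b), true));
}
print_r(sort_strings(['unequal', 'different', 'b', 'a']));
var_dump(secret_equal('s3cret-token', 's3cret-tokem'));   // bool(false)
```

Run it under the CLI: the three numeric-looking pairs print `==:true` while both `===` and `strcmp==0` print `false`, which is the whole reason to avoid `==` when the strings come from a request and decide who is logged in.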
Re: [PHP] A Review Request
At 5:50 PM +0200 5/22/11, Nisse Engström wrote:
> On Sat, 21 May 2011 09:26:02 -0400, tedd wrote:
>> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>
> It might do that, but don't bet your horse on it.
>
> http://se.php.net/manual/en/function.strcmp.php
>
> /Nisse

It works that way for me.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
At 2:49 PM -0400 5/19/11, Joshua Kehn wrote:
> On May 19, 2011, at 2:44 PM, Andre Polykanine wrote:
>> Hello Alex,
>>
>> Two (stupid?) questions:
>> 1. Why is PHP_SELF better than SCRIPT_NAME?
>> 2. Why is strcmp() better than just comparing?
>>
>> --
>> With best regards from Ukraine,
>> Andre
>> Skype: Francophile
>> My blog: http://oire.org/menelion (mostly in Russian)
>> Twitter: http://twitter.com/m_elensule
>> Facebook: http://facebook.com/menelion
>
> No idea about the first, and I've never used strcmp() before for an equality check. If there is something I'm missing I would love to know.
>
> Regards,
>
> -Josh

-Josh:

The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
Yep, and it comes in handy, especially in school, lol. In advanced algorithms and data structures I once submitted a project assignment that was 5 lines long, and instead of figuring out anagrams, strcmp was very helpful :)

Sent from my Verizon Wireless 4GLTE smartphone

----- Reply message -----
From: tedd tedd.sperl...@gmail.com
To: Joshua Kehn josh.k...@gmail.com, PHP General php-general@lists.php.net
Subject: [PHP] A Review Request
Date: Sat, May 21, 2011 9:26 am

> At 2:49 PM -0400 5/19/11, Joshua Kehn wrote:
>> [snip]
>
> -Josh:
>
> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.
>
> Cheers,
>
> tedd
Re: [PHP] A Review Request
On 11-05-21 09:26 AM, tedd wrote:
> At 2:49 PM -0400 5/19/11, Joshua Kehn wrote:
>> On May 19, 2011, at 2:44 PM, Andre Polykanine wrote:
>>> Two (stupid?) questions:
>>> 1. Why is PHP_SELF better than SCRIPT_NAME?
>>> 2. Why is strcmp() better than just comparing?
>>> [snip]
>>
>> No idea about the first, and I've never used strcmp() before for an equality check. If there is something I'm missing I would love to know.
>>
>> Regards,
>>
>> -Josh
>
> -Josh:
>
> The function strcmp() simply evaluates two strings and reports back -1, 0, or 1 depending upon their alphabetical relationship.

And therein lies its advantage over a direct comparison. This feature makes it great for sorting callbacks since you can just return the result of strcmp().

Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.
Re: Re: [PHP] A Review Request
On 20 May 2011 at 04:03, Alex Nikitin niks...@gmail.com wrote:
> but here is a brief example:
>
> (!DEBUG) || error_log("Fetch Data: ".memory_get_usage()/1048576);
>
> reads and writes a lot better and faster than:
>
> if(DEBUG) {
>     $memory = memory_get_usage()/1048576;
>     error_log("Fetch Data: ".$memory);
> }

Not to me it doesn't. I find such usage incomprehensible.

tim
Re: Re: [PHP] A Review Request
On 19 May 2011 at 23:47, Adam Richardson simples...@gmail.com wrote:
> You did make several other great points (session hijacking, multiple login attempts), but to be fair to Tedd, there are many levels of security, and I doubt he's trying to educate PHP developers with your background. In the same way that someone's first foray into the world of database access using PHP likely avoids a 20 table database with complex transactions for atomic operations and in-memory queues for eventually consistent data where performance is a must, I see this as a reasonable first exposure to the general principles of how one might use the features of PHP to password protect a group of pages in a site.

I think this is the salient point. Provided the example is correct in itself, is marked as being aimed at the novice, and at the same time lists some of the areas that deliberately haven't been addressed in the example provided, then that should suffice. The difficulty IME is finding more advanced examples, which would help the transition from learning mode to preparing for a production environment.

tim
Re: Re: [PHP] A Review Request
On 20 May 2011 11:20, Tim Streater t...@clothears.org.uk wrote:
> *snip* [...] is marked as being aimed at the novice, and at the same time lists some of the areas that deliberately haven't been addressed in the example provided, then that should suffice.

Apart from the above, which would make great additions, it would also be great to see some links to where to get info on the subjects that are not covered (such as security) so that people could find out more on those topics.

Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
Re: [PHP] A Review Request
On May 20, 2011, at 4:41 AM, Tim Streater wrote:
> On 20 May 2011 at 04:03, Alex Nikitin niks...@gmail.com wrote:
>> but here is a brief example:
>>
>> (!DEBUG) || error_log("Fetch Data: ".memory_get_usage()/1048576);
>>
>> reads and writes a lot better and faster than:
>>
>> if(DEBUG) {
>>     $memory = memory_get_usage()/1048576;
>>     error_log("Fetch Data: ".$memory);
>> }
>
> Not to me it doesn't. I find such usage incomprehensible.
>
> tim

I understand what you're doing, and I think it's a bad shortcut to be taking. Make a dedicated class for logging and handle all this there.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
Re: [PHP] A Review Request
On 11-05-20 09:14 AM, Joshua Kehn wrote:
> On May 20, 2011, at 4:41 AM, Tim Streater wrote:
>> On 20 May 2011 at 04:03, Alex Nikitin niks...@gmail.com wrote:
>>> but here is a brief example:
>>>
>>> (!DEBUG) || error_log("Fetch Data: ".memory_get_usage()/1048576);

If you're going to use ugly little shortcuts why not simplify the logic?

DEBUG && error_log("Fetch Data: ".memory_get_usage()/1048576);

>>> reads and writes a lot better and faster than:
>>>
>>> if(DEBUG) {
>>>     $memory = memory_get_usage()/1048576;
>>>     error_log("Fetch Data: ".$memory);
>>> }

Personally I prefer the above use of an if conditional. It makes it that much easier to understand what you are doing.

>> Not to me it doesn't. I find such usage incomprehensible.
>>
>> tim
>
> I understand what you're doing, and I think it's a bad shortcut to be taking. Make a dedicated class for logging and handle all this there.

That I think is the better idea... or for the procedural types a wrapper log function that performs the DEBUG check.

Cheers,
Rob.
Re: [PHP] A Review Request
Absolutely agree with a logging function or class (I of course prefer the latter) for persistent logging that is to be present in the end product; however, it is not the best of ideas to spend time developing logging code and using it for debug purposes that will only be used during the initial development cycle of the said code. I can define debug just before or at the beginning of a method or class, say one that I suspect is using up too much memory, and throw a couple of these debug lines in there to avoid further obfuscating the code. Needless to say, there is only one line to remove before publishing that code to production; say I do this 15 times in a block of code, the "oh, this is much more clean" version would mean that I would have to go back through and remove 60 lines of code, and I, for one, am lazy and don't like to do extra work.

I never said it was good coding practice to use this kind of logic; in fact the if is on average about 20% faster, so I would recommend an inline if. All I said is that it reads much quicker and cleaner. That said, I would normally write it as:

if(DEBUG) ...

Works just as well, actually better. I just like to improvise, figure out new ways to do something; that kind of spans my approach to thinking about programming in general, but I won't go into that as I doubt it's interesting to anyone, and certainly to some extent I like to confuse people with crazy code so that they don't stare over my shoulder, especially code that I know I am going to remove.

Oh, and in terms of performance, a callout to a function is about 40% slower than my crazy code, and about 75% slower than an if check. Calling out to a logging class is about 2 times slower than my logic, and almost 3 times slower than an if.

Actually, I accidentally left the debugs spanning from tracing through memory use issues in someone else's code *cough*PHPExcel*/cough* in my class linked above, so Adam (and/or others, if you were looking at it), new pastebin link: http://pastebin.com/2qg4qJRh

Also, to tedd: I would say that you should make it a series of tutorials on how to make simple user auth progressively more and more secure; I would say that would be a good learning experience for someone. Start with your basic code, introduce new concepts that will teach a novice a little bit more about how the internet works, how sessions work, how it can all be exploited conceptually, and introduce ways to fix those issues with progressively more hardened code...? I think that would be a great way of learning for a novice. I would say maybe 3 more tutorials, each progressively more secure; suggesting the next one introduce hashing, cleaning the code, and some of the initial concepts outlined above, then a system setup for https, going over TLS renegotiation, setting up rewriting rules, etc., and changing the code with securing the session code and introducing login limits, and finally perhaps how to make all of this system a bit more web 2.0 with jQuery, ajax, and perhaps use that as the introduction of the next set of tuts on how to do this same thing with a database back end, with references back to this auth system? I would have certainly liked to read a tutorial like that when I was starting out... And I'm up to help; I'm sure others as well would not mind chiming in their $.02 :)

P.S. I like to play around with programming concepts; actually I just gave up on playing with a radix sort implementation in PHP that deals with both positive and negative numbers as well as floats, which are a pain in the butt in PHP when you are dealing with binary operations; amongst other things I had to write my own dec2bin that deals with floats. It's mostly working, still a couple of quirks that would need to be fixed, but it's slow in PHP as opposed to C++, where it can be many times faster than library-provided sorting functions, so it's not really worth any more of my time, but it was kind of fun to figure out how to do all of that, especially converting signed ints and floats to positive ints and back :)

--
Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Fri, May 20, 2011 at 9:14 AM, Joshua Kehn josh.k...@gmail.com wrote:
> On May 20, 2011, at 4:41 AM, Tim Streater wrote:
>> On 20 May 2011 at 04:03, Alex Nikitin niks...@gmail.com wrote:
>>> [snip]
>>
>> Not to me it doesn't. I find such usage incomprehensible.
>>
>> tim
>
> I understand what you're doing, and I think it's a bad shortcut to be taking. Make a dedicated class for logging and handle all this there.
>
> Regards,
>
> -Josh
>
> Joshua Kehn | josh.k...@gmail.com
> http://joshuakehn.com
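The "wrapper log function that performs the DEBUG check" that Rob proposes and Alex benchmarks, as an added example written by the editor; it is not code from the thread or from Alex's pastebin. It assumes the application's bootstrap defines a boolean DEBUG constant, which the thread relies on but never shows, and it treats an undefined DEBUG as "off" because in PHP 8 an undefined constant is a fatal Error, so the bare `(!DEBUG) || error_log(...)` form crashes any file that forgot to include the bootstrap.

```php
<?php
// Added example (editor's code, not from the thread): the wrapper log
// function Rob suggests, with the DEBUG check done once inside it.
// Assumption: the application bootstrap defines a boolean DEBUG constant.
// The wrapper treats "undefined" as "off": in PHP 8 an undefined constant is
// a fatal Error, so the thread's one-liner `(!DEBUG) || error_log(...)`
// crashes any file that forgot to include the bootstrap.
declare(strict_types=1);

function debug_enabled(): bool
{
    return defined('DEBUG') && DEBUG === true;
}

/**
 * Emit one debug line carrying the current memory usage in MiB (the same
 * figure the thread's one-liner logs). Returns true only when a line was sent.
 * $sink defaults to error_log(); the demo below passes a closure instead.
 */
function debug_log(string $label, ?callable $sink = null): bool
{
    if (!debug_enabled()) {
        return false;                       // nothing built, nothing logged
    }
    $line = sprintf('%s: %.2f MiB', $label, memory_get_usage() / 1048576);
    $sink = $sink ?? 'error_log';
    $sink($line);
    return true;
}

// Demo: before DEBUG exists the call is a no-op; afterwards lines flow to the sink.
$captured = [];
$sink = function (string $line) use (&$captured): void { $captured[] = $line; };

var_dump(debug_log('Fetch Data', $sink));   // bool(false), DEBUG not defined
define('DEBUG', true);
var_dump(debug_log('Fetch Data', $sink));   // bool(true)
print_r($captured);                         // one "Fetch Data: N.NN MiB" line
```

Keeping the check inside one function is what makes the production build safe to ship with the calls left in: the only thing that has to be right is the single DEBUG definition, not fifteen scattered short-circuit expressions.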
Re: [PHP] A Review Request
At 11:11 AM -0400 5/20/11, Alex Nikitin wrote:
> Also, to tedd: I would say that you should make it a series of tutorials on how to make simple user auth progressively more and more secure; I would say that would be a good learning experience for someone. Start with your basic code, introduce new concepts that will teach a novice a little bit more about how the internet works, how sessions work, how it can all be exploited conceptually, and introduce ways to fix those issues with progressively more hardened code...? I think that would be a great way of learning for a novice. I would say maybe 3 more tutorials, each progressively more secure; suggesting the next one introduce hashing, cleaning the code, and some of the initial concepts outlined above, then a system setup for https, going over TLS renegotiation, setting up rewriting rules, etc., and changing the code with securing the session code and introducing login limits, and finally perhaps how to make all of this system a bit more web 2.0 with jQuery, ajax, and perhaps use that as the introduction of the next set of tuts on how to do this same thing with a database back end, with references back to this auth system? I would have certainly liked to read a tutorial like that when I was starting out... And I'm up to help; I'm sure others as well would not mind chiming in their $.02 :)

Well... that's where I intend to go, namely, start with the basics and continue with progressive disclosure. However, there is a lot to address here.

As I often explain to my students, a web site is like a house:

1. There's the foundation, flooring, walls, and roof, which is the structure -- that's HTML;
2. There's the outside covering (paint, bricks, siding) and the inside covering (paint, carpet, wallpaper), which makes the presentation -- that's CSS;
3. There's the inside works, such as the plumbing, furnace, air conditioning, and electrical, which provides functionality -- that's PHP;
4. And there's the light-switches that turn on/off, doors and windows that open/close, rheostats that go up/down, faucets that turn on/off, and door bells that remain silent or ring, which allows behavior -- that's JavaScript.

You put all of these items together and the entire house can do more than any one of them can do by themselves, namely make a home.

Additionally, how you arrange and combine these things together and have them interact with each other is a topic of study that far exceeds the knowledge of any one of them. Furthermore, if you include these things with how people react with web sites (what makes people do things) then you'll have an excellent introduction into problems in creating a good web site -- and that's my ultimate goal.

However, my first step is to put various things up for peer review and listen/adapt to the feedback. That's what I'm doing.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
Hello tedd,

Oh, I liked what you've said about a website being like a house. May I translate this into Russian and quote you in my blog? I'll place the copyright :-).

Actually, what I would like to learn is how to break things. No, I'm not going to be a hacker (I don't want to go to jail!), but as a web developer I would like to know how a really bad guy can break my sites, and prevent him from doing this :-).

Thanks!
--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

----- Original message -----
From: tedd tedd.sperl...@gmail.com
To: PHP General
Date created: , 9:12:06 PM
Subject: [PHP] A Review Request

> At 11:11 AM -0400 5/20/11, Alex Nikitin wrote:
>> [snip]
>
> Well... that's where I intend to go, namely, start with the basics and continue with progressive disclosure. However, there is a lot to address here.
>
> As I often explain to my students, a web site is like a house:
> [snip]
>
> Cheers,
>
> tedd
Re: [PHP] A Review Request
At 9:20 PM +0300 5/20/11, Andre Polykanine wrote:
> Hello tedd,
>
> Oh, I liked what you've said about a website being like a house. May I translate this into Russian and quote you in my blog? I'll place the copyright :-).

Sure -- a link back would be fine.

I plan on placing that analogy on my web site sometime soon. I have given it considerable thought -- and that's difficult for me. :-)

Cheers,

tedd

-

> Actually, what I would like to learn is how to break things. No, I'm not going to be a hacker (I don't want to go to jail!), but as a web developer I would like to know how a really bad guy can break my sites, and prevent him from doing this :-).
>
> Thanks!
> --
> With best regards from Ukraine,
> Andre
> [snip]
>
> ----- Original message -----
> From: tedd tedd.sperl...@gmail.com
> To: PHP General
> Date created: , 9:12:06 PM
> Subject: [PHP] A Review Request
> [snip]

--
---
http://sperling.com/
Re: [PHP] A Review Request
At 12:41 AM -0400 5/20/11, Paul M Foster wrote:
> As pointed out, there are security and other issues. But since I know what kind of code you can produce, I realize you left these issues in place because you were getting at a different point.

Thanks for giving me my due. Often on a list, people are judged quickly by those who don't know any better.

I know it's a physiological thing, but email is the worst form of communication there is. People have little tolerance for things they believe are not proper. If they see something that is not absolutely correct (like I do often), then they respond with a criticism -- much like I did with the recent <b> discussion. I still believe in my perspective, but I understand others who don't.

However, if you are thick-skinned enough to survive the initial onslaught, then you can learn from the exchange. Most people, while displaying little tolerance for things outside their belief systems, will help if the need is genuine. It's just getting over that initial hump that's the issue.

> And I agree with the majority that your bracing style is horrid. But I long ago despaired of turning you from the Dark Side(tm). ;-}

I understand, but like my wife often says, "Bite me" :-)

Making professional coding techniques visible to others can only be a good thing. I've been doing this for a while, but I'm still interested in how other people do these things. I never know when I might learn something. I've never met a person who I couldn't learn from.

Cheers,

tedd
--
---
http://sperling.com/
RE: [PHP] A Review Request
> Making professional coding techniques visible to others can only be a good thing. I've been doing this for a while, but I'm still interested in how other people do these things. I never know when I might learn something. I've never met a person who I couldn't learn from.

A great chef will always share the recipe. They know that it takes more than a recipe to make a memorable meal.
RE: [PHP] A Review Request
At 3:00 PM -0400 5/20/11, HallMarc Websites wrote:
>> Making professional coding techniques visible to others can only be a good thing. I've been doing this for a while, but I'm still interested in how other people do these things. I never know when I might learn something. I've never met a person who I couldn't learn from.
>
> A great chef will always share the recipe. They know that it takes more than a recipe to make a memorable meal.

Tell that to Coke.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
Just a comment on building a house: a house is a page, but as programmers (at least decent ones) we are no longer building single pages. We build a house template and fill it with various elements to define what the house is and what it does, so in essence you actually are not building just one house, you are building a city, some of which needs to be protected by a fortress, a fortress to protect the houses that need to be accessible to a few but not everyone. If you teach people to build houses, they will have no idea how to build a fortress, and actually vice versa: if you teach people to build the fortress, they will not know how to build a house. If you are building a website (completely or as an extension), you have to do everything: you have to think about the UI, you have to think about security, you have to think about performance, you have to think about function. Without knowing how to do any one of them you cannot make a whole, but without knowing how the whole works you cannot build efficient ones and pull them together...

Also, you left out a database, your basement/foundation (HTML is really only the flooring, the walls and the roof, the stuff that you can see). Avoiding telling people how to deal with and build a proper basement (and oh god, how many times have I dealt with horribly designed databases; I have nightmares sometimes) doesn't prepare web developers for any real-world tasks any more than neglecting to explain to soldiers how to reload their weapons prepares them for the battlefield...

Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Fri, May 20, 2011 at 2:12 PM, tedd tedd.sperl...@gmail.com wrote:
> At 11:11 AM -0400 5/20/11, Alex Nikitin wrote:
>> [snip]
>
> Well... that's where I intend to go, namely, start with the basics and continue with progressive disclosure. However, there is a lot to address here.
>
> As I often explain to my students, a web site is like a house:
>
> 1. There's the foundation, flooring, walls, and roof, which is the structure -- that's HTML;
> [snip]
>
> Cheers,
>
> tedd
> --
> ---
> http://sperling.com/
Re: [PHP] A Review Request
On Fri, May 20, 2011 at 12:28 PM, Alex Nikitin niks...@gmail.com wrote: Also you left out a database, your basement/foundation . . . I liken the database to the sewer: it's where all the crap goes. :D Happy Friday! David
Re: [PHP] A Review Request
On Fri, May 20, 2011 at 02:32:42PM -0400, tedd wrote: [snip] And I agree with the majority that your bracing style is horrid. But I long ago despaired of turning you from the Dark Side(tm). ;-} I understand, but like my wife often says Bite me :-) OMG! She must be related to *my* wife! ;-} Paul -- Paul M. Foster http://noferblatz.com http://quillandmouse.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] A Review Request
@David Fair enough, then I have seen so many badly designed sewage systems that the backed up sewage monsters come to me in my dreams... :) wait no the other one :(

@Paul And my girlfriend, apparently

-- 
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Fri, May 20, 2011 at 4:00 PM, Paul M Foster pa...@quillandmouse.com wrote:
Re: [PHP] A Review Request
On 20 May 2011 19:32, tedd tedd.sperl...@gmail.com wrote:

I've never met a person who I couldn't learn from.

Yep. You can always serve as a bad example.

Richard. (Is it still Friday?)

-- 
Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea
Re: [PHP] A Review Request
At 3:28 PM -0400 5/20/11, Alex Nikitin wrote:

Alex:

A city is made of houses -- the more houses, the more you need a police department -- the analogy works.

The database is where the people who live in the house keep their records, like in a filing cabinet. Also, some people keep their blueprint of the house in the filing cabinet and change it often (CMS). Other people keep physical items for sale elsewhere but the records of their items (i.e., pictures, purchases and sales) in a filing cabinet showing pictures of the items in a shopping-cart.

You can expand the analogy as far as you want, but my point was that all web languages came together to create something greater than each of them could do individually.

Cheers, tedd -- --- http://sperling.com/
Re: [PHP] A Review Request
I will try to respond to the original question. Note: this is constructive criticism, so I won't do much in terms of praising the good parts.

It works, it's very primitive, in some ways it's pretty insecure; for example it provides no session hijacking protection, and it's not written with the better of standards in mind. For one, if you do store your password in code, you shouldn't store your password in clear text; that way if, say, I was able to bypass PHP execution and dumped that file out, I would still not have a usable password, so use a hash. There is no timing out or attempt management; for example I can write a 5-line-long brute script that will just pound your script with user ids and passwords; you should make it at least somewhat difficult for me to do that ;) Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain a link to the current script. Here are examples of what I mean:

-$self = basename($_SERVER['SCRIPT_NAME']); +$self = $_SERVER['PHP_SELF']; -$submit = isset($_POST['submit']) ? $_POST['submit'] : null; -if($submit == 'Submit') +if($_POST) -$pw = 'pw'; // define your password here -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; -$password = isset($_POST['password']) ? $_POST['password'] : null; -if (($user_id == $id) AND ($password== $pw)) +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the password: php -r echo sha1(\pw\); +if (@strcmp($id, $_POST['user_id']) == 0 strcmp($pw, sha1($_POST['password'])) == 0)

-- Alex

-- 
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Wed, May 18, 2011 at 3:22 PM, tedd t...@sperling.com wrote:

Hi gang: I am considering providing PHP code to the general public via my website. This is my first attempt: http://sperling.com/php/authorization/ What do you people think?

Cheers, tedd -- --- http://sperling.com/
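Review bot: the +if($_POST) line turns the explicit submit check into a test that any non-empty POST body passes, and the @ in @strcmp($id, $_POST['user_id']) only silences the notice a request without a user_id key would raise instead of rejecting that request; check isset($_POST['user_id'], $_POST['password']) first and drop the @. The +$pw= line stores an unsalted sha1 whose comment spells out the password it was made from, so a dumped file still yields the password to a one-word guess; a salted, deliberately slow hash is the stronger replacement. +$self = $_SERVER['PHP_SELF'] swaps a server-derived script name for a value that can carry client-supplied path data, so it needs escaping before it is echoed into the form's action attribute. The boolean operator joining the two strcmp() conditions in the last + line appears to have been lost in transit.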
Re: [PHP] A Review Request
Hello Alex,

Two (stupid?) questions:
1. Why is PHP_SELF better than SCRIPT_NAME?
2. Why is strcmp() better than just comparing?

-- 
With best regards from Ukraine, Andre
Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion

Original message
From: Alex Nikitin niks...@gmail.com
To: PHP General
Date created: , 9:29:35 PM
Subject: [PHP] A Review Request
Re: [PHP] A Review Request
On May 19, 2011, at 2:44 PM, Andre Polykanine wrote:

Hello Alex, Two (stupid?) questions: 1. Why is PHP_SELF better than SCRIPT_NAME? 2. Why is strcmp() better than just comparing? -- With best regards from Ukraine, Andre Skype: Francophile My blog: http://oire.org/menelion (mostly in Russian) Twitter: http://twitter.com/m_elensule Facebook: http://facebook.com/menelion

No idea about the first, and I've never used strcmp() before for an equality check. If there is something I'm missing I would love to know.

Regards, -Josh

Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] A Review Request
PHP_SELF requires no processing (i.e. there is no need to do basename()).

strcmp is binary-safe; I prefer and recommend using string-safe comparison functions for strings... here is an example of why:

    $value = 0;
    if ($value == "not zero") {
        echo "oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise)";
        if (strcmp($value, "not zero") == 0) {
            echo "You wont see this";
        } else {
            echo "Because strcmp works correctly";
        }
    }

You can also use the exact comparator ===; as it compares types, it would work well as well. In fact, if you don't need to determine anything about the string, I would suggest using the === operator as it is significantly faster:

timed: 0m0.724s

    <?php
    for ($i = 0; $i <= 1000; $i++) {
        if (1 === "submit") {
            continue;
        }
    }

timed: 0m4.785s

    <?php
    for ($i = 0; $i <= 1000; $i++) {
        if (strcmp(1, "submit") == 0) {
            continue;
        }
    }

-- 
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Thu, May 19, 2011 at 2:44 PM, Andre Polykanine an...@oire.org wrote:

Hello Alex, Two (stupid?) questions: 1. Why is PHP_SELF better than SCRIPT_NAME? 2. Why is strcmp() better than just comparing? -- With best regards from Ukraine, Andre
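The comparison question Alex answers above, worked through as an added example; this is not Alex's code and not anything from tedd's site. It assumes PHP 7 or later run from the command line, and the function names (compareWays, looseStringTraps, secretMatches) are mine. It goes a step beyond the int-versus-string case in the thread: it also shows two plain strings that == still treats as equal, and the constant-time comparison a practitioner would reach for when the value being compared is a secret such as a password hash.

```php
<?php
// Added example (not from the thread): how ==, === and strcmp() judge the
// same inputs, and why none of the three is the right tool for a secret.
declare(strict_types=1);

/** Compare $input with the literal 'not zero' three ways. */
function compareWays($input): array
{
    return [
        'loose'  => $input == 'not zero',
        'strict' => $input === 'not zero',
        // strcmp() wants two strings; cast explicitly rather than relying
        // on implicit conversion (passing null is deprecated since PHP 8.1).
        'strcmp' => strcmp((string) $input, 'not zero') === 0,
    ];
}

/** Pairs of distinct strings, and what == and === say about them. */
function looseStringTraps(): array
{
    return [
        // Both sides are numeric strings, so == compares them as numbers;
        // this is true on PHP 8 as well as on PHP 5 and 7.
        "'1e3' == '1000'"   => '1e3' == '1000',
        // Hex digests beginning with 0e followed only by digits are numeric
        // strings equal to zero: one reason never to compare hashes with ==.
        "'0e12' == '0e345'" => '0e12' == '0e345',
        // === compares type and bytes only.
        "'1e3' === '1000'"  => '1e3' === '1000',
    ];
}

/** Compare a secret (stored hash, token, expected user id) in constant time. */
function secretMatches(string $expected, string $given): bool
{
    // strcmp() and === stop at the first differing byte, which leaks how
    // much of the secret was right through timing; hash_equals() does not.
    return hash_equals($expected, $given);
}

if (PHP_SAPI === 'cli') {
    // Alex's case (int 0 against a non-numeric string) comes first: == says
    // "equal" on PHP 5 and 7 and "not equal" on PHP 8; === and strcmp()
    // never say "equal" for it. Form fields arrive as strings ('0' below).
    foreach ([0, '0', null, 'not zero'] as $input) {
        printf("%-11s %s\n", var_export($input, true), json_encode(compareWays($input)));
    }
    foreach (looseStringTraps() as $expr => $result) {
        printf("%-20s %s\n", $expr, var_export($result, true));
    }
    printf("hash_equals: %s\n", var_export(secretMatches('deadbeef', 'deadbeef'), true));
}
```

Run it once under PHP 7 and once under PHP 8 to see the 'loose' column for int 0 flip; the other columns, and the numeric-string traps, do not change between versions, which is why === (or hash_equals() for secrets) rather than == is the comparison to teach first.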
Re: [PHP] A Review Request
On May 19, 2011, at 3:16 PM, Alex Nikitin wrote:

I almost exclusively use ===.

Regards, -Josh

Joshua Kehn | josh.k...@gmail.com http://joshuakehn.com
Re: [PHP] A Review Request
=== or preg_match for me, lol, unless it's all just math :)

-- 
The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Thu, May 19, 2011 at 3:26 PM, Joshua Kehn josh.k...@gmail.com wrote:
Re: [PHP] A Review Request
Hi Alex,

Some nice conversation points, indeed. I do have a few follow-ups below:

On Thu, May 19, 2011 at 3:16 PM, Alex Nikitin niks...@gmail.com wrote:

PHP_SELF requires no processing (i.e. there is no need to do basename())

Actually, the way Tedd is using the info, PHP_SELF would potentially be unsafe (unless it's been updated to correct for this type of issue; you'll see the blog post has its own security issues with some missing plugins): http://www.mc2design.com/blog/php_self-safe-alternatives So, it would require processing either where Tedd performed the processing -OR- in the markup to properly escape it.

strcmp is binary-safe, I prefer and recommend using string-safe comparison functions for strings... here is an example of why:

    $value = 0;
    if ($value == "not zero") {
        echo "oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise)";
        if (strcmp($value, "not zero") == 0) {
            echo "You wont see this";
        } else {
            echo "Because strcmp works correctly";
        }
    }

This, in general, is a sound practice, although I would certainly advocate the use of === as opposed to strcmp for performance reasons (as you pointed out.) To be fair to Tedd's code, though, I don't believe this would be an issue, as I believe that the global arrays store the values as strings, so for example:

    $value = $_GET['test_value'];
    if ($value == "not zero") {
        echo "oopsie, how did this happen, lets see how this works with strcmp (or === which i would advise)";
        if (strcmp($value, "not zero") == 0) {
            echo "You wont see this";
        } else {
            echo "Because strcmp works correctly";
        }
    } else {
        echo "Even if you enter a 0, I'll bet you see me.";
    }

You did make several other great points (session hijacking, multiple login attempts), but to be fair to Tedd, there are many levels of security, and I doubt he's trying to educate PHP developers with your background. In the same way that someone's first foray into the world of database access using PHP likely avoids a 20 table database with complex transactions for atomic operations and in-memory queues for eventually consistent data where performance is a must, I see this as a reasonable first exposure to the general principles of how one might use the features of PHP to password protect a group of pages in a site. There are some forms of data I'd protect with an authentication scheme of this simplicity (maybe I just have a mileage app that I'm using to keep track of my weekly running, or maybe my wife has a todo list that she manages, etc.) However, as you pointed out, the code wouldn't merit use in situations where a higher security level is desired.

Even your changes have security issues:

- You're using a weak hash protocol, and not using a salt: https://www.owasp.org/index.php/Top_10_2007-Insecure_Cryptographic_Storage https://www.owasp.org/index.php/OWASP_Top_10_Threats_and_Mitigations_Exam
- You don't mention using HTTPS, and session fixation, even if you use other techniques (session_regenerate_id after changing auth level, etc.), can't be prevented without this (let alone protecting the passwords from a man in the middle attack.)

For developers who are first starting to think about a basic form of authentication, the code is a nice start. Perhaps Tedd could point out the shortcomings and provide some follow-up examples that provide progressively higher levels of security. That would be nice, and I'm sure those on the list with your background would help provide feedback on the more complex examples that progressively help new developers achieve higher levels of security.

That said, you made some really nice points, and I'm hopeful Tedd considers them carefully. His site is a nice resource for many PHP developers already (especially those just starting out), and these changes can only make it better.

Adam

-- 
Nephtali: A simple, flexible, fast, and security-focused PHP framework http://nephtaliproject.com
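One way to apply the points Alex and Adam raise above (a salted, slow password hash instead of a bare sha1; a presence check instead of if($_POST) and @; an escaped form action; session id rotation after login; and a limit on login attempts), written as an added example rather than tedd's script or Alex's patch. It assumes PHP 7.1 or later. The function names, the 'admin' user id and the demo password 'pw' are constructed for the example, and the $store array stands in for whatever persistent backend (database, cache) a real deployment would key per client.

```php
<?php
// Added example (not tedd's script, not Alex's patch): hardening steps
// for a single-user login page. Assumes PHP >= 7.1.
declare(strict_types=1);

/**
 * Check a submitted form against the expected user id and a stored
 * password_hash() value. Both fields must be present strings: an arbitrary
 * non-empty POST body, or a missing key, is a failed login rather than a
 * notice to silence with @.
 */
function checkCredentials(array $post, string $expectedId, string $storedHash): bool
{
    if (!isset($post['user_id'], $post['password'])
        || !is_string($post['user_id']) || !is_string($post['password'])) {
        return false;
    }
    // hash_equals() compares in constant time; password_verify() reads the
    // salt and cost embedded in the bcrypt hash, so no salt lives in code.
    $idOk = hash_equals($expectedId, $post['user_id']);
    $pwOk = password_verify($post['password'], $storedHash);
    return $idOk && $pwOk;
}

/**
 * Value for the form's action attribute. SCRIPT_NAME comes from the script
 * path as the server resolved it, whereas PHP_SELF can include
 * client-supplied PATH_INFO; either way, escape it before echoing it into
 * an attribute so a crafted URL cannot break out of the quotes.
 */
function formAction(array $server): string
{
    $self = basename($server['SCRIPT_NAME'] ?? 'index.php');
    return htmlspecialchars($self, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Sliding-window attempt limiter. $store stands in for a persistent
 * backend keyed per client (tedd keys on the IP address). Returns true and
 * records the attempt when it may proceed, false when the window is full.
 */
function allowAttempt(array &$store, string $key, int $limit, int $windowSec, int $now): bool
{
    $recent = array_filter($store[$key] ?? [], function (int $t) use ($now, $windowSec) {
        return $t > $now - $windowSec;
    });
    if (count($recent) >= $limit) {
        $store[$key] = array_values($recent);
        return false;
    }
    $recent[] = $now;
    $store[$key] = array_values($recent);
    return true;
}

/** After a successful login: issue a new session id so a fixated id is worthless. */
function startAuthenticatedSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['authenticated'] = true;
}

// Self-check from the command line: php login_hardening.php
if (PHP_SAPI === 'cli') {
    $check = function (string $label, bool $ok) {
        echo ($ok ? 'PASS ' : 'FAIL '), $label, PHP_EOL;
    };
    // In a real script precompute this once and paste the output into the
    // code:  php -r 'echo password_hash("pw", PASSWORD_DEFAULT), PHP_EOL;'
    $hash = password_hash('pw', PASSWORD_DEFAULT);

    $check('correct id and password', checkCredentials(['user_id' => 'admin', 'password' => 'pw'], 'admin', $hash));
    $check('wrong password rejected', !checkCredentials(['user_id' => 'admin', 'password' => 'PW'], 'admin', $hash));
    $check('POST without the fields rejected', !checkCredentials(['submit' => 'Submit'], 'admin', $hash));
    $check('form action escaped', formAction(['SCRIPT_NAME' => '/a/b"><x>.php']) === 'b&quot;&gt;&lt;x&gt;.php');

    $store = [];
    $allowed = 0;
    for ($i = 0; $i < 6; $i++) {
        $allowed += allowAttempt($store, '203.0.113.7', 5, 300, 1000 + $i) ? 1 : 0;
    }
    $check('5 of 6 attempts inside the window allowed', $allowed === 5);
    $check('allowed again once the window has passed', allowAttempt($store, '203.0.113.7', 5, 300, 1000 + 301));
}
```

The stored value answers tedd's "where does the novice get the hash" question with a single php -r call, and because password_hash() embeds its own random salt, the salt-in-code problem Alex describes next does not arise. Counting attempts per client does not replace HTTPS: without it the password still crosses the wire in clear text, which is Adam's remaining point.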
Re: [PHP] A Review Request
At 2:29 PM -0400 5/19/11, Alex Nikitin wrote:

I will try to respond to the original question. Note: this is constructive criticism, so I won't do much in terms of praising the good parts. It works, it's very primitive, in some ways it's pretty insecure; for example it provides no session hijacking protection, and it's not written with the better of standards in mind. For one, if you do store your password in code, you shouldn't store your password in clear text; that way if, say, I was able to bypass PHP execution and dumped that file out, I would still not have a usable password, so use a hash. There is no timing out or attempt management; for example I can write a 5-line-long brute script that will just pound your script with user ids and passwords; you should make it at least somewhat difficult for me to do that ;)

I agree if I was creating a more secure script. I have scripts where the user enters a user id and password and the password is immediately hashed and stored in a database. The next time in, the user's input password is hashed again and compared with the stored encrypted password. That way the raw password is never stored anywhere. I even have people who ask me "Look at your records and tell me what's my password?" and I say that I can't answer them because the data has been one-way hashed. Instead, I have them use the forgot password routines.

I also have a script that monitors how many times a user (via their IP) tries to log on and restricts those attempts to a certain number of times within a time limit.

As for XSS, I'm not sure as to what the exposure is because I am not putting questionable data into the HTML document. Rather, the questionable data is compared to known data -- if there is a match then the user is allowed to continue -- if not, it fails. I don't use the user's data for anything other than that. If there is more to consider here, I would like to hear about it.

In any event, for me to consider all those points and also make the demo simple enough for a novice user would be very difficult. I would like to introduce to the novice a way to protect their pages. But if I make it too complicated, then they simply won't understand. It is obvious that I should also tell the user that this is NOT the most secure way to make things private and that there are other security concerns.

What say you?

Cheers, tedd -- --- http://sperling.com/
Re: [PHP] A Review Request
Hey Adam :)

I devoted an entire 3 minutes to glimpsing over the code and showing simple ways to fix them; you make excellent points, I simply didn't even look into them. You are absolutely correct in saying that sha1 is a weak way to do this (though it is way better than md5); of course the proper way to go about this is a sha256 hash with a solid salt. However, if the salt is stored in clear text in code, and it would have to be in this case, granted someone gets the said code, having used the salt adds no security to the hash. The whole idea behind it is to add a little bit more at each level, so for example on your typical php/database setup, the salt may be stored in code while the hash is stored in mysql; having the hash from the database and not having the salt makes it nearly impossible to reverse the hash, but if you could get both the salt and hash out of the database, or in our case the code, it is no more secure than a hash by itself.

Hmm, that is an interesting bit about php_self. While my implementations (while still using php_self) are not exploitable in this fashion, it's still an interesting concept; no, this has not been locked down, as far as I can see from a couple of tests I just did (briefly). Hmm, I have to reconsider how I approach PHP_SELF now, I will have to wrap it in htmlentities or something, I'll ponder that for now...

In the meanwhile, I think it would be interesting to bounce some of this code to have someone else look at it, especially security-wise. It's been a bit of a project of mine when I get a few mins; I had to do something about it for our Amazon boxes that use RDS, as you can't just use b64d, because you can't add any mysql modules, so I came up with this idea, but I'm not 100% satisfied with it atm: http://pastebin.com/tK5tBuiU

Yeah, https was going to be my next suggestion, actually why I got back into email before heading home and possibly forgetting. However, you have to make sure you set up the server to be decently secure with it too: disable weak crypto there, fix TLS renegotiation, etc.

To be honest, at least with session fixation, I didn't look at the secured page code at all, but yes, a very good suggestion; I usually make a point of making it when someone asks me to glimpse at their code that uses sessions too. Bah, it's been a long day at work, lol. Also I figured that Tedd would hopefully start by addressing the first set of things I threw at him, and then we can progress into a more and more secure solution :)

Tedd, yes you do have to worry about XSS; yes, with unescaped PHP_SELF you can inject code into the form here:

    <form name="my_form" action="<?php echo($self);?>" method="post">

Also a bit of a pep talk. You can make your code a lot more secure with a little bit more work. It would be wrong to stop and not worry about security, simply because code splits into two categories, secure and owned; there is no grey area. If someone can bypass your security, then no matter how simple your code was, it did nothing to stop the attacker, and thus did not fulfil its primary duty. In today's web world some security is not any better than no security; protecting against regular users is pointless as they are not the ones who will try to break your system ;)

Just my $.02

-- Alex

The trouble with programmers is that you can never tell what a programmer is doing until it’s too late. ~Seymour Cray

On Thu, May 19, 2011 at 8:18 PM, tedd tedd.sperl...@gmail.com wrote:
Re: [PHP] A Review Request
At 2:29 PM -0400 5/19/11, Alex Nikitin wrote:

Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain a link to the current script. Here are examples of what I mean:

I object. First of all 'needless' is in the eye of the beholder. I've seen tons of 'needless' comments about how programmers waste precious space by declaring needless variables because they can do things more cryptic. I've also heard in the past how programmers should be cryptic and even shorten their variable names, not use indenting, and do all sorts of other nonsense to save space and make their code run quicker. However, they forget a couple of important considerations.

1. Code running tomorrow will run faster and cost less to store than today. That's a fact and while we can argue, the argument becomes less important as time passes. If I don't win this argument today, I will win it tomorrow.

2. I also claim that if I can make my code more readable and easier to maintain by adding a 'needless variable' now and then, then it's well worth the cost. And as I said before, that cost is reducing every day, while maintaining readable code is becoming more important. So again, I'll eventually win this argument.

So, whenever you feel in the mood, create another 'needless variable' because they need love too!

-$self = basename($_SERVER['SCRIPT_NAME']); +$self = $_SERVER['PHP_SELF'];

They return different things. I want the name of the script.

--

-$submit = isset($_POST['submit']) ? $_POST['submit'] : null; -if($submit == 'Submit') +if($_POST)

if($_POST) what? I'm cleaning the POST variable. If the user has not clicked Submit, then I don't want to evaluate the POST. Sure, there are ways to forge and pass a POST variable, but this is one step in cleaning a superglobal.

-

-$pw = 'pw'; // define your password here -$user_id = isset($_POST['user_id']) ? $_POST['user_id'] : null; -$password = isset($_POST['password']) ? $_POST['password'] : null; -if (($user_id == $id) AND ($password== $pw)) +$pw='1a91d62f7ca67399625a4368a6ab5d4a3baa6073'; //sha1 hash of the password: php -r echo sha1(\pw\); +if (@strcmp($id, $_POST['user_id']) == 0 strcmp($pw, sha1($_POST['password'])) == 0)

Sure. Here's the problem -- where's the novice going to get the hash for the password? I don't want to force the novice into another step in this demo. Besides, the only way that an evil doer can see the code in text is *if* there is a problem with the server -- isn't that right? If that's the case, then there's more problems here than what the user could have planned for. However, if there is another way, please explain.

Cheers, tedd -- --- http://sperling.com/
Re: [PHP] A Review Request
At 8:51 PM -0400 5/19/11, Alex Nikitin wrote:

Tedd, yes you do have to worry about XSS; yes, with unescaped PHP_SELF you can inject code into the form here:

    <form name="my_form" action="<?php echo($self);?>" method="post">

Ahhh! Most excellent. I'll change that.

Cheers, tedd -- --- http://sperling.com/
Re: [PHP] A Review Request
On Thu, May 19, 2011 at 8:51 PM, Alex Nikitin niks...@gmail.com wrote:
> Hey Adam :)
>
> I devoted an entire 3 minutes to glimpsing over the code and showing simple ways to fix them, you make excellent points, I simply didn't even look into them.
>
> You are absolutely correct in saying that sha1 is a weak way to do this (though it is way better than md5), of course the proper way to go about this is a sha256 hash with a solid salt, however if the salt is stored in clear text in code, and it would have to be in this case, granted someone gets the said code, then having used the salt adds no security to the hash. The whole idea behind it is to add a little bit more at each level, so for example on your typical php/database setup, salt may be stored in code while the hash is stored in mysql, having the hash from the database and not having the salt makes it nearly impossible to reverse the hash, but if you could get both the salt and hash out of the database or in our case the code, it is no more secure than a hash by itself.
>
> Hmm that is an interesting bit about php_self, while my implementations (while still using php_self) are not exploitable in this fashion, it's still an interesting concept, no this has not been locked down, as far as I can see from a couple of tests I just did (briefly). Hmm, I have to reconsider how I approach PHP_SELF now, I will have to wrap it in htmlentities or something, I'll ponder that for now...
>
> In the meanwhile, I think it would be interesting to bounce some of this code to have someone else look at it, especially security-wise, it's been a bit of a project of mine when I get a few mins, I had to do something about it for our Amazon boxes that use rds, as you can't just use b64d, because you can't add any mysql modules, so I came up with this idea, but I'm not 100% satisfied with it atm: http://pastebin.com/tK5tBuiU
>
> Yeah https was going to be my next suggestion, actually why I got back into email before heading home and possibly forgetting, however you have to make sure you set up the server to be decently secure with it too, disable weak crypto there, fix tls renegotiation, etc.
>
> To be honest, at least with session fixation, I didn't look at the secured page code at all, but yes, a very good suggestion, I usually make a point of making it when someone asks me to glimpse at their code that uses sessions too, bah, it's been a long day at work, lol.
>
> Also I figured that Tedd would hopefully start by addressing the first set of things I threw at him, and then we can progress into a more and more secure solution :)
>
> Tedd, yes you do have to worry about xss, yes with unescaped PHP_SELF you can inject code into the form here
> <form name="my_form" action="<?php echo($self);?>" method="post">
>
> Also a bit of a pep talk. You can make your code a lot more secure with a little bit more work. It would be wrong to stop and not worry about security, simply because code splits into two categories, secure and owned, there is no grey area, if someone can bypass your security, then no matter how simple your code was, it did nothing to stop the attacker, and thus did not fulfil its primary duty, in today's web world some security is not any better than no security, protecting against regular users is pointless as they are not the ones who will try to break your system ;)
>
> Just my $.02

All great points, Alex.

In terms of your pastebin code, you have a succinct, clean coding style (Strunk & White would be proud.) If I have some free time this weekend, I'll try to take a look, for whatever little that's worth :P

Pleasure,

Adam
--
Nephtali: A simple, flexible, fast, and security-focused PHP framework
http://nephtaliproject.com
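Alex's point above about an unsalted sha1 (and about a salt that has to live next to the hash), together with tedd's earlier question of where a novice is supposed to get the hash for the password, both come down to how the demo stores and checks the one password. The following is an added example, not code from the thread or from tedd's demo page. It uses PHP's own password_hash()/password_verify() (PHP 5.5+) and hash_equals() (PHP 5.6+), and assumes PHP 7+ for the type declarations; the user id, the password, the field names and the function name credentials_valid are constructed for the example. The hash the novice needs comes from one command-line invocation, the salt is generated and embedded automatically, and neither `==` nor strcmp() is used for the comparison.

```php
<?php
// Added example, not the thread's or tedd's code. Assumes PHP 7+ (scalar type
// declarations), password_hash()/password_verify() (5.5+) and hash_equals() (5.6+).

// Step 1, run once from the command line, then paste the output into the script:
//   php -r 'echo password_hash("correct horse", PASSWORD_DEFAULT), PHP_EOL;'
// password_hash() generates a random salt and embeds it in the returned string,
// so no salt constant needs to live in the code alongside the hash.

// Constructed values for this example. In the real script the hash is the pasted
// output of step 1; here it is generated at runtime so the file runs as-is.
const DEMO_USER_ID = 'demo';
$demoPasswordHash = password_hash('correct horse', PASSWORD_DEFAULT);

/**
 * Check a submitted user id and password against the expected id and stored hash.
 * Returns true only when both match and never reports which one failed.
 */
function credentials_valid(array $post, string $expectedId, string $expectedHash): bool
{
    // Reject missing or non-string input before comparing anything. A form field
    // whose name carries brackets is decoded by PHP into an array, and strcmp()
    // on an array raises a warning (a TypeError in PHP 8) instead of failing cleanly.
    if (!isset($post['user_id'], $post['password'])
        || !is_string($post['user_id']) || !is_string($post['password'])) {
        return false;
    }

    // hash_equals() is a strict, constant-time string comparison. Unlike == it
    // never type-juggles (in PHP, "1e3" == "1000" is true), and unlike
    // strcmp() == 0 it cannot be satisfied by a NULL return value.
    $idMatches = hash_equals($expectedId, $post['user_id']);

    // password_verify() re-hashes the submitted password with the salt and cost
    // recorded inside $expectedHash and compares the result in constant time.
    // It returns false for an empty or malformed hash, so a skipped step 1 fails closed.
    $pwMatches = password_verify($post['password'], $expectedHash);

    // Both checks run before the decision, so a wrong id and a wrong password
    // take the same path.
    return $idMatches && $pwMatches;
}

// Constructed stand-ins for $_POST in three requests: correct credentials,
// a wrong password, and a non-string user_id field.
$requests = [
    ['user_id' => 'demo',   'password' => 'correct horse'],
    ['user_id' => 'demo',   'password' => 'wrong'],
    ['user_id' => ['demo'], 'password' => 'correct horse'],
];
foreach ($requests as $post) {
    var_dump(credentials_valid($post, DEMO_USER_ID, $demoPasswordHash));
}
```

Pasting the output of step 1 into the script in place of the runtime password_hash() call is what keeps the clear-text password out of the file: if the source is ever served as text, the reader gets a bcrypt hash rather than the password, which is the second layer Alex argues for. It also answers tedd's objection, since the novice's extra step is a single command whose output is copied once.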
Re: [PHP] A Review Request
My general rule of thumb regarding variables from post and/or get, is such: if you use it once, don't throw it into a variable, if you use it more than once, then put it in a variable. If you name things consistently and well, regardless of how long from now you are reading the code, $_POST['password'] will be just that, and it's not any less obscure than $pass, especially if used just once, and cleaner...

Regardless of the cost of performance decreasing, performance is an overall thing, if you don't care for performance in any one place, you don't really care for performance, and in the instant world that we live in, performance should be as serious of a consideration as security, that is actually why Facebook wrote their PHP interpreter, they understand that users want FAST. And performance means you should consider things, even overly extensive commenting, even if something is better done one way, doesn't mean it is the best way to do it. For example I LOVE recursive functions, but I never write them in scripting languages, because they run a lot slower than a for loop, however more elegant any such function would be, it just doesn't perform...

And I understand it's a simple example, those two variables don't really matter, and won't use much more space, but constantly thinking consistency, security, performance, will help you achieve better code in the end, even if puristically-speaking it's worse.

Another reason is overall clarity and cleanliness of the code, counting lines is a bad practice, but avoiding unnecessary lines helps, and it adds up, sometimes using inline logic and avoiding declaring unnecessary variables goes a long way to make your code much more concise and readable actually, especially if you have a lot of it. That said, I always initialize my arrays, because it avoids notices...

but here is a brief example:

(!DEBUG) || error_log("Fetch Data: ".memory_get_usage()/1048576);

reads and writes a lot better and faster than:

if(DEBUG) {
  $memory = memory_get_usage()/1048576;
  error_log("Fetch Data: ".$memory);
}

if($_POST) is just that, that will check if someone/thing used POST to POST data to your script. You don't post anything else, and you check for existence of other variables, you are not any better with checking for submit. And your browser will most certainly never send a post request just for the kick of it, so... not sure what your objection to a cleaner if statement is exactly..? (It's as easy to pass a submit as it is to pass a username and a password, you don't gain any security by checking for submit)

You want the path of the script as well, if I put it in my test folder under doc root, your action will never execute because it will be a level off.

$self=htmlentities($_SERVER['PHP_SELF']);

Servers occasionally mess up, and it can not even be their fault, php messes up, stuff happens. If you use security in layers, then code with a hashed password will not reveal your password, whereas if I am able to dump your source, I have the keys to your kingdom otherwise. And you comment and document ways to get the hash, or provide a utility to generate that hash, through say an install script or something that will fill in the password. That code and the fact that apache should execute it, is currently your only layer of security, so make it two...

Your scenario: server messes up or I change htaccess to dump your code > I look at code > I own keys to your kingdom, and you don't know about it
My scenario: server messes up > I look at code > I'm still SOL... no keys, so your protected area is still protected

--
The trouble with programmers is that you can never tell what a programmer is doing until it's too late.
~Seymour Cray

On Thu, May 19, 2011 at 8:57 PM, tedd tedd.sperl...@gmail.com wrote:
> At 2:29 PM -0400 5/19/11, Alex Nikitin wrote:
>> Also don't declare a bunch of needless variables for their one-time use, don't compare unsanitized strings with a binary unsafe operator, server variables contain link to current script, here are examples of what I mean:
>
> I object.
>
> First of all 'needless' is in the eye of the beholder. I've seen tons of 'needless' comments about how programmers waste precious space by declaring needless variables because they can do things more cryptic. I've also heard in the past how programmers should be cryptic and even shorten their variable names, not use indenting, and do all sorts of other nonsense to save space and make their code run quicker. However, they forget a couple of important considerations.
>
> 1. Code running tomorrow will run-faster and cost-less to store than today. That's a fact and while we can argue, the argument becomes less important as time passes. If I don't win this argument today, I will win it tomorrow.
>
> 2. I also claim that if I can make my code more readable and easier to maintain by adding a 'needless' variable now and then, then it's well worth the cost. And as I said before, that cost is reducing
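Alex's `$self=htmlentities($_SERVER['PHP_SELF']);` line above, and his earlier warning that an unescaped PHP_SELF lets markup into the form, rest on one fact: PHP_SELF is taken from the request, including any extra path segment appended after the script name, so whatever echoes it into the action attribute is writing request data into HTML. The following is an added example, not code from the thread or from tedd's demo, of rendering the form with that value escaped for the attribute context at the point of output; the function names attr and render_login_form, the form fields and the sample request paths are constructed for the example, and it assumes PHP 7+.

```php
<?php
// Added example, not the thread's or tedd's code. Assumes PHP 7+.

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * ENT_QUOTES converts both quote characters, ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string, and the explicit
 * charset avoids depending on the default_charset ini setting.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the login form with its action pointing back at the current script.
 * $phpSelf is the raw $_SERVER['PHP_SELF'] value; it is escaped here, where it
 * is written into HTML, rather than "cleaned" once and trusted afterwards.
 */
function render_login_form(string $phpSelf): string
{
    $action = attr($phpSelf);
    return "<form name=\"my_form\" action=\"{$action}\" method=\"post\">\n"
         . "  <label>User ID <input type=\"text\" name=\"user_id\"></label>\n"
         . "  <label>Password <input type=\"password\" name=\"password\"></label>\n"
         . "  <input type=\"submit\" name=\"submit\" value=\"Login\">\n"
         . "</form>\n";
}

// Constructed request paths standing in for $_SERVER['PHP_SELF']. The second
// one carries an extra path segment of the kind PHP_SELF picks up from the URL;
// after escaping, its quotes and angle brackets are rendered as entities inside
// the attribute value, so the attribute is not terminated and no tag is opened.
$paths = [
    '/php/authorization/login.php',
    '/php/authorization/login.php/"extra<segment>"',
];
foreach ($paths as $path) {
    echo render_login_form($path), "\n";
}
```

$_SERVER['SCRIPT_NAME'] (the alternative Andre asks about earlier in the thread) normally omits the trailing path-info segment and so exposes less, but it is still data the server reports about the request and goes through the same attr() call; the habit worth copying from the example is escaping every value at the point it is written into HTML, whichever variable it came from.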
Re: [PHP] A Review Request
On Wed, May 18, 2011 at 03:22:35PM -0400, tedd wrote:
> Hi gang:
>
> I am considering providing PHP code to the general public via my website
>
> This is my first attempt:
>
> http://sperling.com/php/authorization/
>
> What do you people think?

I've always been a fan of your site(s). It's been annoying from time to time that the code making a certain example work wasn't available. Here, it is. As pointed out, there are security and other issues. But since I know what kind of code you can produce, I realize you left these issues in place because you were getting at a different point. And I agree with the majority that your bracing style is horrid. But I long ago despaired of turning you from the Dark Side(tm). ;-}

Making professional coding techniques visible to others can only be a good thing. I've been doing this for a while, but I'm still interested in how other people do these things. I never know when I might learn something.

Paul
--
Paul M. Foster
http://noferblatz.com
http://quillandmouse.com
Re: [PHP] A Review Request
On May 18, 2011, at 3:22 PM, tedd wrote:
> Hi gang:
>
> I am considering providing PHP code to the general public via my website
>
> This is my first attempt:
>
> http://sperling.com/php/authorization/
>
> What do you people think?
>
> Cheers,
>
> tedd
> --
> ---
> http://sperling.com/

I can say I really don't like your bracing style. I don't see a reason to use a form submit to go back to the login page, instead I normally present errors on page. Other than that, looks good.

Maybe redirect http://sperling.com/php/ to an index of examples?

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
Re: [PHP] A Review Request
At 3:31 PM -0400 5/18/11, Joshua Kehn wrote:
> On May 18, 2011, at 3:22 PM, tedd wrote:
>> I am considering providing PHP code to the general public via my website
>>
>> This is my first attempt:
>>
>> http://sperling.com/php/authorization/
>>
>> What do you people think?

-snip-

> I can say I really don't like your bracing style. I don't see a reason to use a form submit to go back to the login page, instead I normally present errors on page. Other than that, looks good.
>
> Maybe redirect http://sperling.com/php/ to an index of examples?
>
> Regards,
>
> -Josh

-Josh:

There are all sorts of bracing styles, as you can see here:

http://rebel.lcc.edu/sperlt/citw229/brace-styles.php

Fortunately, we are all free to choose the one we like. :-) I like the Whitesmiths style.

As for your other comments, they made good sense to me, so I made adjustments.

Thanks,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
On May 18, 2011, at 4:34 PM, tedd wrote:
> -Josh:
>
> There are all sorts of bracing styles, as you can see here:
>
> http://rebel.lcc.edu/sperlt/citw229/brace-styles.php
>
> Fortunately, we are all free to choose the one we like. :-) I like the Whitesmiths style.
>
> As for your other comments, they made good sense to me, so I made adjustments.
>
> Thanks,
>
> tedd

Tedd-

Yes, bracing style is one of those personal preference things. Some work better for others. I use Allman style most of the time, unless I'm doing inline anon. functions in JavaScript, then I sometimes switch to K&R.

Regards,

-Josh

Joshua Kehn | josh.k...@gmail.com
http://joshuakehn.com
Re: Re: [PHP] A Review Request
On 18 May 2011 at 20:31, Joshua Kehn josh.k...@gmail.com wrote:
> On May 18, 2011, at 3:22 PM, tedd wrote:
>> What do you people think?
>
> I can say I really don't like your bracing style.

I completely disagree - having the braces lined up is the only way to go. Means I don't have to search all over creation for the matching one :-)

More constructively: you might want to say "Copy/Paste" rather than "Cut/Paste". I've found examples of this type to be very helpful in the past, btw. Much of my learning is done by poking around for information to solve problems I may have with some combination of PHP, ajax, javaScript, CSS, and/or HTML, so good for you is what I say.

Tedd: you have written "who's" instead of "whose" on your √ website.

tim
Re: [PHP] A Review Request
On 11-05-18 04:42 PM, Tim Streater wrote:
> On 18 May 2011 at 20:31, Joshua Kehn josh.k...@gmail.com wrote:
>> On May 18, 2011, at 3:22 PM, tedd wrote:
>>> What do you people think?
>>
>> I can say I really don't like your bracing style.
>
> I completely disagree - having the braces lined up is the only way to go. Means I don't have to search all over creation for the matching one :-)

Joshua's style (Allman) also lines up. I also find tedd's particular bracing style disconcerting. I always brace myself for it when I visit his site (sorry couldn't resist ;)

I'm also in the Allman camp :)

Cheers,

Rob.
Re: [PHP] A Review Request
On 18 May 2011 22:34, tedd t...@sperling.com wrote:
> At 3:31 PM -0400 5/18/11, Joshua Kehn wrote:
>> On May 18, 2011, at 3:22 PM, tedd wrote:
>>> I am considering providing PHP code to the general public via my website
>>>
>>> This is my first attempt:
>>>
>>> http://sperling.com/php/authorization/
>>>
>>> What do you people think?

Good initiative. One thing though: Please do not EVER suggest that people copy/paste your code. Do NOT provide a nice option for copying it or suggest that it will work if you just copy this and add a suffix. Plenty of people will mess things up somehow, you'll discover a bug somewhere, etc. etc. Copypasted code is one of the worst things the web has done. So please don't add to it :)

Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
RE: [PHP] A Review Request
> Joshua's style (Allman) also lines up. I also find tedd's particular bracing style disconcerting. I always brace myself for it when I visit his site (sorry couldn't resist ;)
>
> I'm also in the Allman camp :)
>
> Cheers,
>
> Rob.

IMO, the style used by tedd just wastes one tabulation index (the zeroth). Moreover, since I mostly endow myself with the luxury of Komodo or Eclipse for finding closing braces, I have been teaching myself nothing but K&R for the last few years. I like its efficiency.

To put something useful in this post: Please correct "This Authorization Proceedure" to "This authorization procedure" or, if you must, "This Authorization Procedure".

Otherwise I can only encourage such an initiative because it can help out and save time.

Best regards,

Jasper Mulder
Re: [PHP] A Review Request
At 10:55 PM +0200 5/18/11, Peter Lind wrote:
> On 18 May 2011 22:34, tedd t...@sperling.com wrote:
>> At 3:31 PM -0400 5/18/11, Joshua Kehn wrote:
>>> On May 18, 2011, at 3:22 PM, tedd wrote:
>>>> I am considering providing PHP code to the general public via my website
>>>>
>>>> This is my first attempt:
>>>>
>>>> http://sperling.com/php/authorization/
>>>>
>>>> What do you people think?
>
> Good initiative. One thing though: Please do not EVER suggest that people copy/paste your code. Do NOT provide a nice option for copying it or suggest that it will work if you just copy this and add a suffix. Plenty of people will mess things up somehow, you'll discover a bug somewhere, etc. etc. Copypasted code is one of the worst things the web has done. So please don't add to it :)
>
> Regards
> Peter

Peter:

Thanks, but the point here *is* to get people involved using PHP.

The code I've placed in the Copy/Paste sections will work as-is *IF* the users follow directions. I've tested it and it does work.

Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages. However, I would have greatly appreciated someone showing me what an include was back in 1998. It could have saved me a lot of trouble.

This is just one way to give-back.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
On 18 May 2011 23:12, tedd t...@sperling.com wrote:
> At 10:55 PM +0200 5/18/11, Peter Lind wrote:
>> On 18 May 2011 22:34, tedd t...@sperling.com wrote:
>>> At 3:31 PM -0400 5/18/11, Joshua Kehn wrote:
>>>> On May 18, 2011, at 3:22 PM, tedd wrote:
>>>>> I am considering providing PHP code to the general public via my website
>>>>>
>>>>> This is my first attempt:
>>>>>
>>>>> http://sperling.com/php/authorization/
>>>>>
>>>>> What do you people think?
>>
>> Good initiative. One thing though: Please do not EVER suggest that people copy/paste your code. Do NOT provide a nice option for copying it or suggest that it will work if you just copy this and add a suffix. Plenty of people will mess things up somehow, you'll discover a bug somewhere, etc. etc. Copypasted code is one of the worst things the web has done. So please don't add to it :)
>>
>> Regards
>> Peter
>
> Peter:
>
> Thanks, but the point here *is* to get people involved using PHP.

Good and noble intent. Does not in any way have anything to do with copypasting.

> The code I've placed in the Copy/Paste sections will work as-is *IF* the users follow directions. I've tested it and it does work.

*IF* the users follow directions - a lot of them won't. Some of them will copypaste it into different environments than you have envisaged. Then someone will probably also find a bug in it at some point.

> Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages. However, I would have greatly appreciated someone showing me what an include was back in 1998. It could have saved me a lot of trouble.

You make my point for me but for some reason don't want to follow the logical conclusion of it. Why?

> This is just one way to give-back.

Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.

Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
Re: Re: [PHP] A Review Request
On 18 May 2011 at 22:22, Peter Lind peter.e.l...@gmail.com wrote:
> On 18 May 2011 23:12, tedd t...@sperling.com wrote:
>> This is just one way to give-back.
>
> Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.

Not obvious. If I have copy/pasted code and it hasn't worked, that's been no-one's fault but mine, and I've then gone back and looked at it more carefully. Any example given on the web, seems to me, is likely to be copy/pasted unless you take steps to make it not possible.

tim
Re: Re: [PHP] A Review Request
On 18 May 2011 23:28, Tim Streater t...@clothears.org.uk wrote:
> On 18 May 2011 at 22:22, Peter Lind peter.e.l...@gmail.com wrote:
>> On 18 May 2011 23:12, tedd t...@sperling.com wrote:
>>> This is just one way to give-back.
>>
>> Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.
>
> Not obvious. If I have copy/pasted code and it hasn't worked, that's been no-one's fault but mine, and I've then gone back and looked at it more carefully. Any example given on the web, seems to me, is likely to be copy/pasted unless you take steps to make it not possible.

I personally don't care if someone comes back whining to Tedd after copypasting the code. I would think it sad but it doesn't affect me as such. What I do care about are the people that will mindlessly copypaste the code, get it into a half-working state mixed with some other strange stuff that they picked up from some other site, then throw the whole together on a server and start telling their friends how awesomely easy php is and that they should just copypaste *their* code (not Tedd's because his only does a bit of the job).

As is probably clear by now, in my opinion it would be much better to go the motions of the script a bit at a time, with comments of *why* things are done (not *what* is done) - and why you really should spend a bit more time learning about security, because if you copypaste Tedd's script and just change the password to 'mypass', you won't have learned a thing even as your script is bruteforced in 2 seconds flat.

Anyway, I doubt I have much more to add to this so I'll refrain from it.

Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
Re: [PHP] A Review Request
On Wed, May 18, 2011 at 2:22 PM, Peter Lind peter.e.l...@gmail.com wrote:
> You make my point for me but for some reason don't want to follow the logical conclusion of it. Why?
>
>> This is just one way to give-back.
>
> Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.

In my opinion this is hardly the logical conclusion. Are you suggesting that Tedd should post an *image* of the code so that people cannot copy-and-paste it? What if someone uses OCR to get the code? I find sample code useful in any form, but having a way to get it running easily so I can tweak it and learn on my own from there is awesome.

And Tedd, that bracing style is atrocious! As they say, there's no accounting for style. :P Bravo on this initiative though.

David
Re: Re: [PHP] A Review Request
On Wed, May 18, 2011 at 2:38 PM, Peter Lind peter.e.l...@gmail.com wrote:
> As is probably clear by now, in my opinion it would be much better to go the motions of the script a bit at a time, with comments of *why* things are done (not *what* is done) - and why you really should spend a bit more time learning about security . . .

Ah yes, books. Yes I love books too and think they're great. This isn't a book to teach you how to be a professional PHP developer. This is a "how to get X done" example, at least in my view. It's perfect for a professional developer who needs to quickly get up to speed on how to do X in PHP, someone who can copy-and-paste the code, read it, and understand how to take it to the next level.

David
Re: [PHP] A Review Request
At 11:22 PM +0200 5/18/11, Peter Lind wrote:
> On 18 May 2011 23:12, tedd t...@sperling.com wrote:
>> Thanks, but the point here *is* to get people involved using PHP.
>
> Good and noble intent. Does not in any way have anything to do with copypasting.

That's more of an argument than a fact -- and I don't feel comfortable calling it copypasting. I'll stick with calling the practice Copy/Paste as defined by Apple. Sure, people can argue that M$ invented the practice, as they did everything else, but I remember M$ claiming that the mouse wouldn't make it, and that was before Copy/Paste. :-)

Back to point, I just spent 16 weeks teaching 16 college students via Introduction in PHP by giving them code to copy/paste. As a result, I saw most take-off and learn more than I taught. Sure, there were some who just didn't get it, but I think they would not have gotten-it even if I had forced them to hard-code everything. Some people are not geared for programming.

---

> *IF* the users follow directions - a lot of them won't. Some of them will copypaste it into different environments than you have envisaged. Then someone will probably also find a bug in it at some point.

If they do find a bug, then I'll deal with it. But putting this link up for review by peers, as I've done here, is one way to help catch those bugs.

--

>> Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages. However, I would have greatly appreciated someone showing me what an include was back in 1998. It could have saved me a lot of trouble.
>
> You make my point for me but for some reason don't want to follow the logical conclusion of it. Why?

I stated my reason. Perhaps I'm wrong, but that remains to be seen. However, it is not fact that your position is a logical conclusion -- it's just your conclusion.

>> This is just one way to give-back.
>
> Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.

I see the difference, but I don't agree with you. I say that if you give people a small sample of something that interests them and it works, it is far better than forcing them into "Adventures in Keypunching" to see any results, which was the way I was introduced into programming. That was NOT good.

Ours is just a difference of opinion.

Thanks for your help and opinion.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
On 18 May 2011 23:50, tedd t...@sperling.com wrote:
> At 11:22 PM +0200 5/18/11, Peter Lind wrote:
>> On 18 May 2011 23:12, tedd t...@sperling.com wrote:
>>> Thanks, but the point here *is* to get people involved using PHP.
>>
>> Good and noble intent. Does not in any way have anything to do with copypasting.
>
> That's more of an argument than a fact -- and I don't feel comfortable calling it copypasting. I'll stick with calling the practice Copy/Paste as defined by Apple. Sure, people can argue that M$ invented the practice, as they did everything else, but I remember M$ claiming that the mouse wouldn't make it, and that was before Copy/Paste. :-)
>
> Back to point, I just spent 16 weeks teaching 16 college students via Introduction in PHP by giving them code to copy/paste. As a result, I saw most take-off and learn more than I taught. Sure, there were some who just didn't get it, but I think they would not have gotten-it even if I had forced them to hard-code everything. Some people are not geared for programming.
>
> ---
>
>> *IF* the users follow directions - a lot of them won't. Some of them will copypaste it into different environments than you have envisaged. Then someone will probably also find a bug in it at some point.
>
> If they do find a bug, then I'll deal with it. But putting this link up for review by peers, as I've done here, is one way to help catch those bugs.
>
> --
>
>>> Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages. However, I would have greatly appreciated someone showing me what an include was back in 1998. It could have saved me a lot of trouble.
>>
>> You make my point for me but for some reason don't want to follow the logical conclusion of it. Why?
>
> I stated my reason. Perhaps I'm wrong, but that remains to be seen. However, it is not fact that your position is a logical conclusion -- it's just your conclusion.

Premise: "The code I've placed in the Copy/Paste sections will work as-is *IF* the users follow directions. I've tested it and it does work."

Premise: "Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages."

Logical conclusion: you cannot guarantee what you're trying to, namely "it does work".

Regards
Peter
--
<hype>
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
</hype>
Re: [PHP] A Review Request
At 2:41 PM -0700 5/18/11, David Harkness wrote:
> On Wed, May 18, 2011 at 2:22 PM, Peter Lind peter.e.l...@gmail.com wrote:
>> You make my point for me but for some reason don't want to follow the logical conclusion of it. Why?
>>
>>> This is just one way to give-back.
>>
>> Suggesting people that they copypaste your code is a very bad way of giving back. Suggesting that they read and understand the code is a great way. I hope you see the difference.
>
> In my opinion this is hardly the logical conclusion. Are you suggesting that Tedd should post an *image* of the code so that people cannot copy-and-paste it? What if someone uses OCR to get the code? I find sample code useful in any form, but having a way to get it running easily so I can tweak it and learn on my own from there is awesome.
>
> And Tedd, that bracing style is atrocious! As they say, there's no accounting for style. :P Bravo on this initiative though.
>
> David

David:

Thanks for the support. :-)

You know, if you sat down with me and saw how my IDE handles braces, I think you might see the reason why I code like I do. I can double click on any brace and the entire section within the brace (plus braces) is highlighted. From there I can indent, outdent, cut/paste, drag-drop, or do whatever I want. This is NOT to say that you can't.

Also, I use this bracing style for not only PHP, but for JavaScript, and even CSS -- not to mention numerous other languages that came before. I've been using this brace style since my old C days back in the late 80's and FB since 1984. I even use a similar indent style for tabs and divs in html. It all works for me. YMMV.

I just try to be consistent through all my programming.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
On May 18, 2011, at 3:06 PM, tedd wrote:
> You know, if you sat down with me and saw how my IDE handles braces, I think you might see the reason why I code like I do.

Tedd,

I like the demo. Thanks for posting it.

From another post of yours, I take it that you're a Mac guy. Which IDE do you use?

Marc
Re: Re: [PHP] A Review Request
At 2:44 PM -0700 5/18/11, David Harkness wrote:
> On Wed, May 18, 2011 at 2:38 PM, Peter Lind peter.e.l...@gmail.com wrote:
>> As is probably clear by now, in my opinion it would be much better to go the motions of the script a bit at a time, with comments of *why* things are done (not *what* is done) - and why you really should spend a bit more time learning about security . . .
>
> Ah yes, books. Yes I love books too and think they're great. This isn't a book to teach you how to be a professional PHP developer. This is a "how to get X done" example, at least in my view. It's perfect for a professional developer who needs to quickly get up to speed on how to do X in PHP, someone who can copy-and-paste the code, read it, and understand how to take it to the next level.
>
> David

David:

That's certainly part of it. I want to show web developers simple things they can use in their web sites. I think most of these people aren't stupid, but rather they are simply not informed about some very easy things that can help them tremendously.

Am I going to get some flack for this? Certainly, some people won't get it, but that's not my target audience.

Cheers,

tedd
--
---
http://sperling.com/
Re: [PHP] A Review Request
At 12:03 AM +0200 5/19/11, Peter Lind wrote:
> On 18 May 2011 23:50, tedd t...@sperling.com wrote:
>
> Premise: "The code I've placed in the Copy/Paste sections will work as-is *IF* the users follow directions. I've tested it and it does work."
>
> Premise: "Granted, for over a dozen years I've provided various code to users and have more than my share of stories to tell of how they don't follow directions -- just take a look at my Web Tips pages."
>
> Logical conclusion: you cannot guarantee what you're trying to, namely "it does work".
>
> Regards
> Peter

What???

The only logical conclusion here is a lack of clarity.

Cheers,

tedd
--
---
http://sperling.com/