Re: [PHP] Good Answers

2006-05-11 Thread Wolf
Yeah, to think we used to have English Majors as the wait-staff in
restaurants and drive-thrus so you at least were understood when giving
your food and drink order...

Richard Lynch wrote:

> PHP *has* lowered the "entry barrier" ridiculously low, to the point
> where we've got "idiots and English majors" writing really cool
> software -- complete with a total lack of any security features
> whatsoever.
> 
> We've made it so damn easy -- Isn't it our responsibility, to some
> degree, to warn users that they really do need to buy those trigger
> guards and locked cabinets and store the ammo separately from the
> weapon?


> I sometimes think PHP is like a loaded gun in the hands of a child,
> it's just too damn easy to use and to get yourself into serious
> trouble SO quickly and easily.
> 

Yeah, though you know you can require things and make them mandatory
when giving someone the weapon, but you sure can't make them use them.

But I agree 100%.  I know I used to write some crappy code, but I am
definitely trying to get better about it all.

Wolf

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Good Answers

2006-05-11 Thread Micky Hulse

Ligaya Turmelle wrote:

here is the link for the improved newbie doc -
http://zirzow.dyndns.org/php-general/NEWBIE



Might be nice to see a link to the NEWBIE information in the footer of 
the PHP list emails... know what I mean?







RE: [PHP] Good Answers

2006-05-11 Thread Jay Blanchard
[snip]
Might I make a suggestion for an addition to the newbie email - in the 
"where to find more information" section - add a link either to the 
manual security section or phpsec.org
[/snip]

Cool idea, let's get that info together and I'll add it and throw it up
on my server...




Re: [PHP] Good Answers

2006-05-10 Thread Ligaya Turmelle

Richard Lynch wrote:

Hey y'all...

In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about  where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^

Might I make a suggestion for an addition to the newbie email - in the 
"where to find more information" section - add a link either to the 
manual security section or phpsec.org


--

life is a game... so have fun.


Re: [PHP] Good Answers

2006-05-10 Thread Ligaya Turmelle

Jay Blanchard wrote:

[snip]
In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about  where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^
[/snip]

I vote for that. I need to find that doc...curt z had it on a site


here is the link for the improved newbie doc -
http://zirzow.dyndns.org/php-general/NEWBIE

--

life is a game... so have fun.


Re: [PHP] Good Answers

2006-05-10 Thread Jochem Maas

As usual, Richard shows the quality of his mettle! :-)

I absolutely agree, some ideas:

1. have the mailing list automatically add a single line to the
mailing list sig that promotes security/good-practice and points to phpsec.org?
(I guess only someone like Rasmus could say whether this was even an
acceptable proposition)

2. promote 'hacking ethos' in general - which starts with RTFM but goes
further in that 'newbies' should be encouraged to broaden their understanding
of a problem area beyond 'getting it to work'

3. dish out more praise to those 'newbies' that do go the extra mile to
enrich their own skills beyond what is strictly necessary to get their
job done. encourage research and problem solving.

4. conversely I do believe we can [keep] making it clear that certain
attitudes don't cut it - I'm referring to the 'please do my job for me
crowd' - (in the end you can't save them all ;-) - maybe we can 'nominate'
certain experienced people to reply to messages which are blatantly bad
questions (and/or show blatant signs of not being interested in the 'why's),
encouraging people not to answer the OP until he/she shows signs
of wanting to expand their own understanding and research their own
problems. for instance the only reason I hardly ever have reason to
ask a question on the list is because the information/answers I'm looking
for have 99% of the time already been documented in articles/tutorials/etc
on the web - (i.e. I'm always saying 'how the  does that work' and almost
always someone 'out there' has already written something that explains it!
it's a matter of finding it and taking the time to read/re-read)

[quite probably point 4 does not come across the way I meant - in which
case please ignore :-)]

in short I stand by your notion and will try to do my part.

[the king is dead, long live php]

Richard Lynch wrote:

Hey y'all...

In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about  where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^






Re: [PHP] Good Answers

2006-05-10 Thread tedd

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^



Yep, and right next to "How to think good", "How to Google", and "How to RTFM"

:-)

tedd
--

http://sperling.com




Re: [PHP] Good Answers

2006-05-10 Thread Micky Hulse

Good thread. Great points.

I always thought this Sitepoint thread was very helpful:



Cheers,
Micky




Re: [PHP] Good Answers

2006-05-10 Thread Richard Lynch
On Wed, May 10, 2006 2:16 pm, Eric Butera wrote:
> On 5/10/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

> these issues because they don't even know to consider these things.  I
> still see so many examples passed on that have the ability to inject
> SQL or spam via E-Mail Header injection.  I mean to be fair the php
> manual never mentions that if you don't protect the parameters going
> into mail() injection is possible.
>
> I know the argument always ends up being "The language is there, you
> need to protect yourself from shooting your own foot."  But isn't PHP
> so popular because the barrier into programming with it so low?

I understand that the Manual and our answers could not possibly
anticipate, much less provide advice to avoid, every possible
combination of events that leads to losing one's foot.

That said, if we didn't care about keeping our feet, wouldn't we all
be writing CGI scripts and custom Apache Modules in C?

PHP *has* lowered the "entry barrier" ridiculously low, to the point
where we've got "idiots and English majors" writing really cool
software -- complete with a total lack of any security features
whatsoever.

We've made it so damn easy -- Isn't it our responsibility, to some
degree, to warn users that they really do need to buy those trigger
guards and locked cabinets and store the ammo separately from the
weapon?

This is always a judgement call, but do we really want to spend the
next decade living with the consequences of NOT providing Security
advice to newbies?

zillions of web forms for email feedback with header injections
zillions of XSS attacks

We have to be pragmatic about this and inform users what NOT to do of
the most common mistakes, if only to protect ourselves from the
collateral damage of them shooting their foot off

It's our own inboxes and our own bandwidth, and, ultimately, the
quality of the Internet itself at stake.

If we can document for beginners the most common security mistakes,
and have that documentation "in their face" when they first encounter
the "answer" to what they perceive as their "current problem" surely
that's worth a little effort and the blurring of the line drawn at
just providing the function and leaving the responsibility on the user
to be responsible.

I sometimes think PHP is like a loaded gun in the hands of a child,
it's just too damn easy to use and to get yourself into serious
trouble SO quickly and easily.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Good Answers

2006-05-10 Thread Eric Butera

On 5/10/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

Hey y'all...

In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about  where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^

--
Like Music?
http://l-i-e.com/artists.htm




I agree with this 100%.  I know as I started with PHP years ago I
thought "Great! Here is a perfect snippet that works for what I need
to make my site wrapper!"  Didn't take long to learn that snippet
that I found on Google was just screaming to include remote code. ;)

How was I to know when I was just playing around for the first time
making a dynamic site that passing ?page=x could allow people to run
PHP code on my site through an include.  Nowhere in the tutorial did
it mention anything about remote including.  My guess is that the
author wasn't aware of it either since it was such a small easy thing.

After I realized what was going on I made it a point to read as much
as I could understand into code security.  The hardest part for me is
trying to get out of the mindset of making the script work, but rather
into the mindset of if someone were trying to exploit my script, what
can they possibly do?  Once I did that I was able to see that not
forcing ?id=x to use $id = (int)$_GET['id'] could get me into trouble
if I wasn't fortunate enough to have mod_security enabled on our
server.

I'm sure this is very obvious to most of you and that is great.  But
people asking for help really aren't up there yet and need guidance in
these issues because they don't even know to consider these things.  I
still see so many examples passed on that have the ability to inject
SQL or spam via E-Mail Header injection.  I mean to be fair the php
manual never mentions that if you don't protect the parameters going
into mail() injection is possible.

I know the argument always ends up being "The language is there, you
need to protect yourself from shooting your own foot."  But isn't PHP
so popular because the barrier into programming with it so low?

I guess all I can say is thank you for this mail Richard and I'll try
and do my part. :)



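The three pitfalls Eric lists above (an include driven by ?page=x, an unchecked ?id=x reaching SQL, and user data reaching mail() headers), each with the vulnerable pattern in a comment beside a hardened form. This is an added example, not code from the thread or from any list member; the allow-list entries, function names and sample requests are constructed for illustration.

```php
<?php
// Added example, not from the thread: each pitfall Eric names, with the
// vulnerable pattern in a comment and a hardened replacement below it.
declare(strict_types=1);

// 1. ?page=x passed straight to include(): remote/local file inclusion.
// Vulnerable:  include($_GET['page'] . '.php');
// Hardened: the request value is only a key into a fixed allow-list.
function resolvePage(string $requested): ?string
{
    $allowed = ['home' => 'home.php', 'about' => 'about.php'];  // constructed
    return $allowed[$requested] ?? null;   // unknown key => null, never a path
}

// 2. ?id=x dropped into SQL text: SQL injection.
// Vulnerable:  "SELECT * FROM items WHERE id = " . $_GET['id']
// Hardened: validate as a positive integer. The thread's (int) cast also
// works, but it silently turns "42 OR 1=1" into 42; this rejects it instead.
function resolveId(string $requested): ?int
{
    $opts = ['options' => ['min_range' => 1]];
    $id = filter_var($requested, FILTER_VALIDATE_INT, $opts);
    return $id === false ? null : $id;
}

// 3. User data in mail() headers: header injection via CR/LF.
// Vulnerable:  mail($to, $subject, $body, "From: " . $_POST['email'])
// Hardened: a header value may not contain line breaks, and the address
// must parse as a single e-mail address.
function safeHeaderValue(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) === 1 ? null : $value;
}

function safeFromHeader(string $email): ?string
{
    $addr = filter_var($email, FILTER_VALIDATE_EMAIL);
    $addr = $addr === false ? null : safeHeaderValue($addr);
    return $addr === null ? null : 'From: ' . $addr;
}

// Constructed sample requests: one benign and one hostile per parameter.
var_dump(
    resolvePage('about'),                                  // benign
    resolvePage('http://example.invalid/x'),               // hostile: not a key
    resolveId('42'),                                       // benign
    resolveId('42 OR 1=1'),                                // hostile: not an int
    safeFromHeader('user@example.com'),                    // benign
    safeFromHeader("a@example.com\r\nBcc: b@example.com")  // hostile: CR/LF
);
```

Each hardened function returns null for anything outside the expected shape, so the calling script can refuse the request instead of trying to clean the value up.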

RE: [PHP] Good Answers

2006-05-10 Thread Jay Blanchard
[snip]
In the spirit of improving the mailing list, I'd like to suggest that
we, as a group, attempt to not provide answers with Bad Practices, or
at least always to point out that the Sample is Bad Practice for
production sites?

For example, an answer to a question about  where it
is clear that register_globals is "off" should either specifically
sanitize the data, or make reference to the need to sanitize the data,
or link to http://phpsec.org or something along those lines.

Otherwise, we merely perpetuate the problems of Bad Code with our
answers to newbies, who then run off and write insecure sites and
cause us more grief down the road.

Hmmm.  Maybe this should be part of a Netiquette document "How to give
good answers" right next to that "How to ask good questions" document
:-^
[/snip]

I vote for that. I need to find that doc...curt z had it on a site
