Leaning web development (php, mySQL, AJAX...)

Andrej Marjan amarjan-e+AXbWqSrlAAvxtiuMwx3w at public.gmane.org
Tue Dec 18 17:19:46 UTC 2007


Brandon Sandrowicz wrote:
> It's a matter of preference.  I have never personally used Drupal, but
> I know that a lot of people create a web app code that is horribly
> mangled and unable to be maintained because they just code by the seat
> of their pants.  And coding directly in PHP MySQL allows people to
> make horrible mistakes like not properly escaping user input that is
> going into an SQL query.  It's not like in Perl where you have DBI
> that abstracts some of that for you.
>   

Indeed, when starting with PHP, I think the safe course is to 
*expect* one's code to be riddled with major security holes. It takes 
knowledge, experience and work to make a reasonably secure PHP 
application -- just look at the history of such things as Wordpress.

That's actually a big argument FOR using a framework in PHP: do your 
homework and pick something that abstracts and validates away as many of 
the language's dangerous mis-features as possible, leaving you with much 
less tedious and error-prone work to do.

Writing web apps just for fun can be... fun, but if you're going to put 
anything on the Internet, it's vital to be aware of the (many, many) 
security risks, considerations and gotchas with web development. Check 
out the archives of the Web Security mailing list for a bit of a scare, 
and for a better appreciation of Walt Dnes's paranoia: 
http://www.webappsec.org/lists/websecurity/

The OWASP site (http://www.owasp.org/index.php/Main_Page) is also 
invaluable for their guide and top 10 lists, as well as web security tools.

I don't mean to discourage anyone from jumping in and trying stuff on 
LANs. I just want to bring some attention to the fact that putting up 
applications on the Internet can be dangerous -- not just for your 
application, but for all your application's users.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
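As an added example (not part of Andrej's or Brandon's message), here is the mistake described in the thread, user input concatenated into an SQL query, beside the parameterized form that a DBI-style API (or PHP's PDO) gives you. It uses Python's sqlite3 and a constructed in-memory table in place of PHP/MySQL; the table and column names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table standing in for the
    MySQL backend of a hand-written PHP app (names/columns are illustrative).
    Plaintext passwords are only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_unsafe(conn, name, password):
    """The seat-of-the-pants version: input is pasted into the SQL text,
    so quotes in the input change the structure of the query."""
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Parameterized query: the driver sends the values as data, never as
    SQL, so the query's structure cannot be altered by the input."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    # A textbook tautology in the password field. The unsafe query becomes
    # ... AND password = 'x' OR '1'='1' and matches every row; the safe
    # query compares the literal string and matches nothing.
    bad = "x' OR '1'='1"
    print(login_unsafe(conn, "alice", bad))  # ['alice', 'bob']
    print(login_safe(conn, "alice", bad))    # []
```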