[nycphp-talk] Zend PHP Certification

Chris Shiflett shiflett at php.net
Fri Jun 18 15:14:34 EDT 2004


--- Jon Baer <jonbaer at jonbaer.net> wrote:
> There are a lot of security areas where it just seems like certain things
> should just "happen automatically" yet you can't dictate how someone
> should be able to code/style it ... and nearly every book has a
> different way to go about it ...
> 
> <rant>
> Here is one example - page 285, PHP Developer cookbook:
> 
> It shows that EscapeShellCmd() should pretty much *always* be used
> when forking a process to read from ... yet it's not something built-in
> nor shown in the example but is merely "stressed" as being important ...

Well, that function is indeed built-in. As for there being best practices
regarding security, there are. I've discussed such things in many places,
and I can't recall a single person ever arguing with me. If my suggestions
were the least bit controversial, I would expect to have to defend my
statements more often.

Also, most security-conscious people I know avoid shell commands at all
costs. I always hate writing about command injection and such, because I
really want to say, "don't do it."
 
> The same goes for DB usage ... would someone writing tons of code w/
> mysql_query() be a "bad coder" when generic Pear::DB exists, yet plenty
> of books really just jump right into the extension. I didn't see Pear
> covered on the outline for the exam, so I'm hoping the 'PHP and
> database' section is generic since the certification covers the
> "language" itself. </rant>

Rants lose a lot of their force when you're making guesses about what it
is you're ranting about. The certification is on PHP, although I'm sure
everyone would agree that there is a certain fundamental foundation you
would want a PHP developer to possess regarding databases if you were
hiring. Some generic database questions should be expected.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
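The point raised above, a built-in escaping function that the book only "stresses", is easier to judge with the three options side by side. The block below is an added example, not code from this post or from the cookbook it cites. It assumes a POSIX shell with wc on the PATH, and the function names, the temporary file and the hostile-looking input are all constructed for the demonstration. It shows one lookup written with escapeshellcmd(), with escapeshellarg(), and with no shell at all, which is the "don't do it" option Chris describes.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the post or the cookbook it
// cites. One task (count the lines of a file whose name comes from a user)
// written three ways: escape the whole command, escape the one argument, or
// skip the shell entirely. $untrusted below is a constructed hostile input.

// 1. escapeshellcmd() backslash-escapes shell metacharacters (; | & ` $ < >
//    and others) across the whole command string, so the shell executes a
//    single command. Caveat: it leaves whitespace alone, so a value with
//    spaces still becomes extra arguments to wc, and a value beginning with
//    '-' is parsed by wc as an option.
function countLinesWholeCmd(string $file): string
{
    $cmd = escapeshellcmd('wc -l ' . $file);
    return trim((string) shell_exec($cmd));
}

// 2. escapeshellarg() wraps one argument in single quotes (escaping any
//    embedded single quotes), so the entire value reaches wc as one operand.
//    The '--' marks the end of options, so a name starting with '-' is still
//    treated as a filename rather than a switch.
function countLinesArg(string $file): string
{
    $cmd = 'wc -l -- ' . escapeshellarg($file);
    return trim((string) shell_exec($cmd));
}

// 3. No shell at all: strip any directory part, resolve the path, confine it
//    to an allowed base directory, and count newlines in PHP. There is no
//    command string for the input to break out of.
function countLinesNative(string $file, string $baseDir): int
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . basename($file));
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException("refusing '$file': not a file under $baseDir");
    }
    $contents = file_get_contents($real);
    if ($contents === false) {
        throw new RuntimeException("cannot read $real");
    }
    return substr_count($contents, "\n");   // the same figure wc -l reports
}

// Demo: write a constructed three-line file, then hand each function a name
// carrying a shell metacharacter. In all three cases the appended command
// never executes; only the third rejects the input outright.
$dir  = sys_get_temp_dir();
$name = 'nycphp-demo-' . getmypid() . '.txt';
$path = $dir . DIRECTORY_SEPARATOR . $name;
file_put_contents($path, "one\ntwo\nthree\n");
$untrusted = $name . '; echo injected';   // constructed hostile input

chdir($dir);   // so wc can find the demo file by bare name
echo "escapeshellcmd: [", countLinesWholeCmd($untrusted), "]", PHP_EOL;
echo "escapeshellarg: [", countLinesArg($untrusted), "]", PHP_EOL;
echo "native (clean): ", countLinesNative($name, $dir), PHP_EOL;
try {
    countLinesNative($untrusted, $dir);
} catch (InvalidArgumentException $e) {
    echo "native (hostile): ", $e->getMessage(), PHP_EOL;
}
unlink($path);
```

escapeshellcmd() and escapeshellarg() solve different problems: the first keeps a whole command line from turning into two commands, the second keeps one value from turning into two arguments, and neither does anything about the called program's own option parsing, which is what the "--" is for. In the run above the word "injected" never appears in the captured output; the first two calls return only whatever wc writes to stdout for files it cannot find, and the native version refuses the input before any file is touched, at the cost of re-implementing wc -l in a few lines of PHP.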