[nycphp-talk] PHP Form Validation

Peter Sawczynec ps at pswebcode.com
Sat Sep 3 11:03:26 EDT 2005


An Unnecessary Diversion That Requires No Attention

Thirty years ago an alarm on a car was an outrageous extravagance, 15 years
ago a moderately-priced optional add-on. Today, it comes from the factory
pre-installed. Who would expect less?

Wouldn't it be nice if in the near future, in the general discussion of
programming languages one of the finer selling points of why use PHP would
be: "PHP makes it exceptionally hard for even a novice to code insecurely.
It is literally one of the best for security. Hands down. That is a general
industry consensus."

This dialogue about form handling, the difficulties and solutions offered
here absolutely positively should be offered in the php.net general
introduction along with these other hypothetically named sections such as:

"For novice: The secure PHP install. Execute steps 1-10, period. Don't ask
any questions just do it this way", 

"For advanced: The fully-locked down php.ini, a freshened standard in
scripting language security", 

"Changing to secure form code now",

"Understanding the unsafe chasm in an HTTP to PHP communications transfer", 

"Extremely compromising errors display should be turned off by default, and
logging to file into a default errs directory should be the default.",

"Try the new phpMyErrs versatile errors log viewer, which works the way
phpMyAdmin does for MySQL. (Maybe can look into Apache err logs too.)",

"Introducing the watch_this_script() function (superseding the less
intuitively named error_log()) that accepts a valid email address as an nth
parameter and if put at the top of a script page will email date, time and
all errors on that script with line number(s) automatically. How about a
baldly named recent_ten_errs(). Both work from anywhere, at any time like
phpinfo().", 

"Introducing the mandatory retrieve_safe_post_data() that accepts a
non-optional array of the variables expected (and that you would have to
modify the php.ini to not use this function) and the new standardized
safe_email function that is quite strict and strips out all the really in
your face bad strings (unless you provide an exceptions white list). That
both of these functions would even throw security_errors when they do catch
stuff and have an optional nth parameter of the email address that should
get the date, time and errors notifications.",


And all this might be commingled with the very exciting and brand new to
PHP6:

"How the new PHP6 acts as a pseudo-streaming media server with the new:
stream_media functions family." 

"The new get_time_by_long_and_latitude() and/or get_time_by_city() functions
that have daylight savings, leap year, precession of the stars (kidding)
built-in."

"'<Embed_code name="embed_script_1" params="v1, v2, v3" language=" PERL |
ASP | VB " />'"

I have just finished a difficult week.

But truly thank you to all -- many so tremendously gifted who contribute to
this endless conversational venture. 

Someone once mused: be careful, the more you use it, the more you can get
used. Seems to apply quite aptly to all digital tools and functions. 

Peter

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Billy Pilgrim
Sent: Friday, September 02, 2005 5:10 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] PHP Form Validation


With md5, you can also set up a non-ssl secure login.

http://pajhome.org.uk/crypt/md5/index.html

Yahoo Mail uses this approach for non-ssl logins.  (You can view source to
see the pajhome.org javascript library.)

BP
_______________________________________________
New York PHP Talk Mailing List
AMP Technology
Supporting Apache, MySQL and PHP
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org