PHP Security, the oxymoron

Well now that some of you have met me from OSCON, you are probably thinking to yourself, “What’s the deal with your blog? There is no PHP in there, you poser.”

How true.

I better start writing some stuff, before they kick me out of the “all-star PHP line up”.[1]

I think that when most people hear “PHP” and “security” used in the same sentence, it seems about as out-of-place as, say, putting “Rasmus” and “Terry” in the same sentence. Basically this thread summarizes how most people view PHP security.

I suppose the first thing I need to do in order to defend the honor of PHP is say that these losers have their own agenda: foisting Java or dotNet as “real” and “enterprise”[2], or perhaps they’re just sore because PHP book sales are going up at their expense.

Nothing works better than a good ad hominem, I always say.

Well I suppose for the three of you left unsatisfied with my deconstruction, I should go through the tedious task of addressing the actual complaint which boils down to:

  1. “PHP has the worst security history of any language.”
  2. “PHP shoves a mess of shit into the global namespace” (or other assorted digs on register globals).
  3. “PHP doesn’t have the concept of a prepared statement.”
  4. “PHP security cures (magic quotes, safe mode, stripslashes) are sometimes worse than the disease.”
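Complaints 3 and 4 side by side, as an added example that is not from the original post: the addslashes()/magic_quotes style of “escaping” next to a real prepared statement through PDO (available from PHP 5.1 on). The in-memory SQLite database, its two sample rows and the helper names find_user_escaped and find_user_prepared are constructed for this illustration, not the post’s own code.

```php
<?php
// Added example, not from the original post. Assumes PHP 5.1 or later with the
// PDO SQLite driver so that it runs offline against an in-memory database; the
// table, the rows and the two helper functions are all constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO users (name, email) VALUES ('O''Brien', 'obrien@example.com')");

// Complaint 4, the "cure": build the query by string concatenation and rely on
// addslashes() (what magic_quotes_gpc does to every request value) to make the
// data safe. addslashes() encodes a guess about the database's escape rules:
// MySQL happens to treat a backslash as an escape, SQLite (and standard SQL)
// does not, so the "escaped" query is simply wrong there. Legitimate input with
// a quote in it breaks, and if magic_quotes is also on, the value is escaped
// twice and stripslashes() is needed to undo one layer (the "mess" the list is
// about).
function find_user_escaped(PDO $db, $name)
{
    $sql = "SELECT name, email FROM users WHERE name = '" . addslashes($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Complaint 3, the answer: a prepared statement. The SQL text is sent first and
// the value is bound separately, so the database never parses the data as SQL
// and there are no escape rules to get right in PHP.
function find_user_prepared(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a perfectly ordinary name that happens to contain a quote.
$input = "O'Brien";

try {
    print_r(find_user_escaped($db, $input));
} catch (PDOException $e) {
    // On SQLite the concatenated query is a syntax error; on MySQL the same
    // code would "work", which is exactly why this style is hard to audit.
    echo "addslashes() version failed: " . $e->getMessage() . "\n";
}

print_r(find_user_prepared($db, $input));   // one row: O'Brien
```

Run it with the PHP CLI (`php example.php`). The escaped version dies on the apostrophe under SQLite; the prepared version returns the O'Brien row, and it would do so unchanged against MySQL or PostgreSQL because the data never becomes part of the SQL text.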

Continue reading

Switched back to DSL

I’m back up.

Comcast was very funny.

For the last half-year, if the cable modem goes down, by the time they address the problem, it is gone. Since addressing the problem means sending an engineer which costs me and Comcast a lot of time and money, I resolved to wait until it was down for a day before calling them about it. The strange thing about cable modem is that sometimes it seems so slow, I am sure that a phone modem would be faster.

Then the internet went down, I waited 24 hours and called them. And then was given a sequence of successive lies about when it would be up. Somehow, there was a “scheduled service outage in my area” at that time and I must have been one of the 4 out of 419 people whose cable didn’t come back up after the outage. Pesky little details like the fact that the scheduled outage occurred well after my cable went down seem to be unnecessary.

(There was this brief 30-minute episode with them when their CS representative got offended that I called the so-called scheduled-service-outage-that-leaves-me-without-internet-for-five-days-minimum an “excuse.”)

By the time they acknowledged that this wasn’t a problem on my end, the earliest engineer they could send to look at the problem would be after I’ve already left for OSCON. Now it seemed reasonable to me that if a junkie like me who has been addicted to the internet since I was seven can tolerate being without internet in the home for two weeks, Comcast can tolerate not being paid for two weeks.

Comcast didn’t see it this way.

Continue reading

Another book…

I finished Harry Potter and the Half-Blood Prince at five this morning. It was okay that the package came at around noon because I had to finish re-reading Harry Potter and the Order of the Phoenix (early senility).

I’m actually a rather slow reader, it’s just that I don’t stop. Besides, I had to finish it because Caitlin was hot on my tail (and she was re-reading the entire series, not just the last book).

I should exact revenge on all you blogger idiots who spoiled the ending of Book 5 before I had a chance to finish it two years ago…

Continue reading

Regulating podcasts

This thread has been rated S

Now that Apple is offering Podcast integration into iTunes, an absurd argument has popped up concerning warnings vs. parental responsibility.

In typical polarizing fashion the discussion has been divided into a neat dichotomy: those who demand that Apple should censor/rate content for the sake of the children and those who think that you are just a lazy parent out-of-touch with today.

Even the people who disagree drop into the illogical and irrational. Take this highly rated response from someone who claims to not “entirely agree with either of these guys” (but clearly is showing his biases):

It seems that they would, even by their own standards. We (meaning society in general, not just parents) expect such a system for movies, TV, video games, music, etc. And btw, we’re missing the point with some of this by focusing solely on children. I know plenty of adults who don’t care to see or hear “adult content” and would appreciate a warning in advance so a label system would serve people other than just parents.

My wife dislikes “adult content” in music and ironically, Apple does such a thing for iTunes Music Store (those little ‘explicit’ tags on some songs and albums.) It would seem even by Apple’s own standards they have come up a little short with their implementation of podcasts.

It would be very easy for Apple to classify podcasts in this manner (or ask providers to self-rate) and then give parents control over what podcasts their children could access via the parent controls panel.

Continue reading

The Worst “Best Man” Toast

I was Best Man at my brother’s wedding last week. I think that perhaps the only reason was because Mia asked Ken to make me Best Man—Ken knows better. While my family does love me, they know that I am highly erratic at best.

Let’s put it this way: When I was seven years old, my Mom took me to Kennywood. The parking lot is just the other side of the freeway and there is a short tunnel under the freeway to get to the entrance on the other side. That day, my mother gave me a ten dollar bill in the parking lot. When we got to the other side (about 20 yards later), I had lost it. We went back and looked for it and it was nowhere to be found.

Is that the sort of person you should be entrusting your wedding rings to?

Continue reading

HTML Overlays are bollix

Dru pointed out HTML Overlays which are the application of XUL Overlays (for Firefox and Thunderbird) to HTML.

Basically the idea is to break up a document into two groups:

  1. The parts that change.
  2. The parts that don’t (like the template).

The first group is actually delivered in the requested document. The second group is dynamically inserted by JavaScript. The idea is that the script and the static parts will be cached on the browser, greatly reducing bandwidth and the load on the server.

Continue reading

Astrophotography for the Amateur

When we arrived in Yosemite on a new moon late at night, the most noticeable thing was the stars in the sky. It was so dark you could easily pick out the Milky Way. So I stayed up even later to take 30 second bulb exposures with a tripod and timer. I wanted to edit some of them and asked Sean if he could suggest something.

He suggested “Astrophotography for the Amateur” by Michael A. Covington. Even though the book is “hardcore” there is apparently a whole section on taking photos without telescopes with separate chapters on comets/meteors, the moon, and eclipses. (I wonder if there is anything on taking photos of the sun.)

Continue reading