Tag: security

Mailing list talk has consequences

One of my engineers was leaving the building for a late lunch and held the door open for me and another director. Before we parted, we had a short chat in the doorway about approvals on a purchase order.

“Hey, I need to see your ID!” Building security yelled at us.

“Huh? What?” H— replied?

“That’s the new policy. I need to ask to see everyone’s keycard.”

“It must be related to that mailing list thread.” I told H—, matter-of-factly. (For over a week now, an internal mailing list thread has been going on about building security. I stopped reading when someone suggested that the only way to solve this was to install lasers to detect when two people enter with one card, and another one argued that we should just make an HR policy to fire anyone who lets anyone in without proper ID. The reason I stopped was because neither post was trolling us in jest.)

The building security guy continued indignantly, “Even if I know you, even if you’re a manager—and I know you two are managers. L—, the head of the company, said I must to ask for your ID or call her down to greet you in the lobby.” (Sidenote: L— is not the head of the company. On the other hand, poor L— suggested on the mailing list that any solution hopeless because building security is seriously underpaid by the owners, perhaps to the point of illegality.)

I joked, “Even if I thought the discussion that touched off this policy was a waste of everyone’s time?”

Building security apparently has about as much humor as our company mailing list. So I reluctantly dug through my wallet and and pulled out a blank white piece of plastic, that may or may not have been my car parking card—they’re identical and I do not have an RFID reader on my person.

He let me through anyway.

That’s good, because to this day I do not know the average airspeed of an unladen swallow.

Posted on by tychay 0

What’s the deal with short_open_tag?

A friend asked me today:

Why isn’t short_open_tag set to On in php.ini at [servers you set up] or in general?

Basically short_open_tag allows you to use <? and <?= in addition to <?php when formatting code. The latter can be very useful if you are using PHP as a templating language—like with Savant or no templating system at all.

Many people think that there is a security reason for this. For the life of me, I can’t really see the security problem with the setting though I can see the security problem with the coding. That is… if you code using short_open_tags, then you run the risk of running that code on a server where this variable it is off somewhere and suddenly you are dumping PHP code to people’s browsers. But that almost never happens and really if you have a configuration issue, you have bigger problems.

The real reason is simply that it violates valid XML markup to use short tags. Simply put, let’s say you have an example where your PHP page has to generate a valid XML file that needs a XML directive.

<?xml version="1.0" ?>

With short_open_tags, this will generate a fatal error in the PHP engine! The workaround is to do something nasty like

echo '<'.'?xml version="1.0" ?>';

(or some such). As more websites contained XHTML or some weird sort of sacrifice to the Gods of all things XML (SOAP, XMLRPC, REST-XML), it was sooner convenient to admit defeat and just start coding in valid XML markup.

It violates valid xml. It was not recommended for use because it isn’t guaranteed to be on everywhere. Ever since then people have been in the habit of not using short tags just in case they are off. Soon, it became part of the php.ini-recommended and short tags, like asp_tags and the alternative syntax for control structures got relegated to the dustbin of history.

What is the alternative syntax for control structures? Let’s not go there. 😉

Posted on by tychay 14