Buyers beware of cheap rates ....

Well, most of my coding I do for fun, not proft, so on the very rare occassion I do take up jobs its because they interest me, so I either do them for free, or quite cheaply. For me churning out 2000-3000 lines of PHP for a shopping cart or CMS for $10 is awesome to me, I'd pay to be able to write PHP for half the day, so to get paid is even better.

 

But people create websites not for fun..they will be very serious about their project and will not be willing to take risks.

 

I've got a couple thousand lines of code you can write for me for $10 ... just let me know when you are ready.

 

blueparukia please help ErectADirectory..I may also need a few thousand lines if code.Really Funny..LOL

 

@security

Have you ever given a thought about the security of your website when selecting a programmer ????

When offering an Internet service, you must always keep security in mind as you develop your code. It may appear that most PHP scripts aren't sensitive to security concerns; this is mainly due to the large number of inexperienced programmers working in the language. However, there is no reason for you to have an inconsistent security policy based on a rough guess at your code's significance. The moment you put anything financially interesting on your server, it becomes likely that someone will try to casually hack it. Create a forum program or any sort of shopping cart, and the probability of attack rises to a dead certainty.

In the days to come I will be writing about few general security guidelines which may help buyers in arriving at a decision to select programmers

Don't trust forms.

Hacking forms is trivial. Yes, by using a silly JavaScript trick, you may be able to limit your form to allow only the numbers 1 through 5 in a rating field. The moment someone turns JavaScript off in their browser or posts custom form data, your client-side validation flies out the window.

Users interact with your scripts primarily through form parameters, and therefore they're the biggest security risk. What's the lesson? Always validate the data that gets passed to any PHP script in the PHP script. "Verification Strategies" need to be put in place to validate discrete data. An experienced programmer can protect against cross-site scripting (XSS) attacks, which can hijack your user's credentials (and worse). The coding should be done in a professional manner so as to prevent the MySQL injection attacks that can taint or destroy your data.

Will be back with more info...

 

Another one is URL parameters where data provided from it should always be sanitized.

 

Here here. You don't necessarily even have to turn off JavaScript. I've demonstrated many a vulnerability just by using FireBug in FireFox.

 

I have seen many coders code something like this:

$sql="SELECT * FROM users WHERE username='$_POST["username"]' AND password='$_POST["password"]'";

PHP:

no hashing, no validation, no mysql_real_escape_string.......huh!

 

They are basically asking for it. lol

Isn't it something like you just put ' AND 1=1' for password and all is good for using the data from the first record?

 

@security
Have you ever given a thought about the security of your website when selecting a programmer ???? (Continued....)

Don't trust users.

Assume that every piece of data your website gathers is laden with harmful code. Sanitize every piece, even if you're positive that nobody would ever try to attack your site. Paranoia pays off.

Turn off global variables.

The biggest security hole you can have is having the register_globals configuration parameter enabled. Mercifully, it's turned off by default in PHP 4.2 and later.

Novice programmers view registered globals as a convenience, but they don't realize how dangerous this setting is. A server with global variables enabled automatically assigns global variables to any form parameters. For an idea of how this works and why this is dangerous, let's look at an example.

Let's say that you have a script named process.php that enters form data into your user database. The original form looked like this:

<input name="username" type="text" size="15" maxlength="64">


When running process.php, PHP with registered globals enabled places the value of this parameter into the $username variable. This saves some typing over accessing them through $_POST['username'] or $_GET['username']. Unfortunately, this also leaves you open to security problems, because PHP sets a variable for any value sent to the script via a GET or POST parameter, and that is a big problem if you didn't explicitly initialize the variable and you don't want someone to manipulate it.

Take the script below, for example—if the $authorized variable is true, it shows confidential data to the user. Under normal circumstances, the $authorized variable is set to true only if the user has been properly authenticated via the hypothetical authenticated_user() function. But if you have register_globals active, anyone could send a GET parameter such as authorized=1 to override this:

<?php
// Define $authorized = true only if user is authenticated
if (authenticated_user()) {
    $authorized = true;
}
?>

Code (markup):

The moral of the story is that you should follow safe procedures to access form data. It doesn't sound like it would happen often, but exploits for register_globals are second only to XSS attacks in PHP. Furthermore, global variables can lead to much subtler issues that will cause bugs later on in your code. Will be back with more info...

 

That is exactly why I am taking my time finding a programmer. I always look at portfolios and take the time to think about all the possibilities. And one final thing, they can shove their 50% upfront smart talk..... You get paid after you have delivered. That's how I work as well.

 

This thread makes me laugh. Some people got a script for $10... I'd not work for that amount for an hour (I'm paid more for what I do because I do it well).

Security is a HUGE issue. Have you ever looked on the Security forum here on DP ? I am freaked out each time I open it. People simply have no clue. No offence - but I'm just SCARED that so many webmasters start to worry about security only when they start to be hacked.
The WORST is all these people who give bad advices - people who have no clue blindly apply them and feel they are secured, but they are not at all. A false sense of security is the worst thing because people are not only vulnerable but they are also not careful.

Security is hard. Programming correctly is not easy. You cannot hire a 15 years old and expect professional work.
I have been programming since the age of 10 and I simply have noticed that the quality of what I was doing at that age or when I was 15 was simply BAD. But I didn't know it at the time. If I have been here on DP at that age I bet I would have been trying to sell my services...

Programming a successful, fast and secure web application requires experience and knowledge. There is no magic. You can't pay someone $5 an hour and expect high-grade work. And I'm sorry for all the teenagers out there, but most of you don't probably have the experience to do that correctly.

 

@security
Have you ever given a thought about the security of your website when selecting a programmer ???? (Continued....)

SQL Injection Attacks

Because the queries that PHP passes to MySQL databases are written in the powerful SQL programming language, you run the risk of someone attempting an SQL injection attack by using MySQL in web query parameters. By inserting malicious SQL code fragments into form parameters, an attacker attempts to break into (or disable) your server.

Let's say that you have a form parameter that you eventually place into a variable named $product, and you create some SQL like this:

$sql = "select * from pinfo where product = '$product'";


If that parameter came straight from the form, use database-specific escapes with PHP's native functions, like this:

$sql = 'Select * from pinfo where product = '"'
mysql_real_escape_string($product) . '"';


If you don't, someone might just decide to throw this fragment into the form parameter:

39'; DROP pinfo; SELECT 'FOO


Then the result of $sql is:

select product from pinfo where product = '39'; DROP pinfo; SELECT 'FOO'


Because the semicolon is MySQL's statement delimiter, the database processes these three statements:

select * from pinfo where product = '39'
DROP pinfo
SELECT 'FOO'


Well, there goes your table.

Note that this particular syntax won't actually work with PHP and MySQL, because the mysql_query() function allows just one statement to be processed per request. However, a subquery will still work.

To prevent SQL injection attacks, do two things:

Always validate all parameters. For example, if something needs to be a number, make sure that it's a number.

Always use the mysql_real_escape_string() function on data to escape any quotes or double quotes in your data.

 

What's the problem? Can't get work here because they think your rate is too high?

 

@rkquest

Rates depend on the work that you undertake. You need to assess the extent of work involved and do not quote blindly. Never go after everything. If you are good programmer, you will get work.

 

I know that. I work for a company so I don't really need to work freelance here. But I take freelance jobs here on my spare time just for the extra bucks which I usually spend on the internet too. I don't charge high, does that make me a not so good programmer?

 

The issue is not whether somebody is a good programmer or not. People who are searching for programmers are very serious about their projects and look for dedicated programmers. Not somebody out to make a fast buck and vanishing without any further support. You can hear many instances of clients getting cheated here. Rock solid coding requires dedication and commitment to the project. A $1000 project cannot be done for $200 in 1 week....some people fall for the cheap rates and false delivery times, and without proper references of past works and fall in the trap and loose their money and time.

 

in a way i agree with this thread. .sometimes cheap isnt good, but when your a small business, loosing money each month overall, you cant afford to have a large layout expense for a coder. the folks that do do my work are given full consideration for their work, and if needed, i will gladly work an arrangement for them. but some folks ask 150-500$ just to do a simple page is outragous. they may be great, i dont know, but i feel that the work isnt worth THAT much money.

so, sometimes, free or cheap is good. those that like to keep their skills alive are great, because they take pride, and care in their work (most of the time). and those that do it all the time, no offense, but get sloppy sometimes, because they get complacent (spelling?) and let small things slip thru the cracks.

ive seen it happen before on an html template i had done. look great, until i went to change some text around and started finding lots of broken things. and i paid decent money for it! so in a way, paying more, isnt any better than the cheap guys..

 

Good for you, however, most freelances work with at least a bit of up front requirement. It prevents people from bailing last minute. Case in point : a very close friend spent a long time on a flash design, and, when it was finished, the client "changed their mind" and refused to pay. Sure, it's the cost of doing business, but a 25% deposit is not an unreasonable request. When you drop off your computer for repair, you don't get it back until you pay (it's your deposit). A deposit ensures that the customer is actually interested in purchasing your services.

As far as SQL injection attacks, my husband did his final project for his information securities class on this. It was a very funny slide show, where the admin was an unsuspecting sheep and the hacker was a pirate. He went through step by step how a few malicious form entries can expose basically everything about a database. Host name, user name, table names, table properties, on and on and on. He said people (some of which were 5th year CS majors) couldn't believe the vulnerabilities. D'oh!

 

I've never taken upfront payment for programming work here in DP and if you can see my iTraders, I've done quite a lot of work. But that has been taken advantage of twice. I did the work and the client backed out. Good thing they're just small projects. What I did for the first one is sell copies of the script for $10 a piece and I actually earned more. For the second one, I gave the script away for free here in DP too and I managed to get some greens.

Well as for "Buyers beware of cheap rates ...."
Some programmers can offer cheap rates because they live in a country
where $30 can buy you breakfast, lunch, and dinner for a week and you'll
still have extra cash. I know this because I live in such country.
So take that into consideration as well..

Cheap rate doesn't equal bad service.