
Note to php coders offering services.

Discussion in 'PHP' started by phpl33t, Jan 9, 2008.


Are there too many n00bs offering paid services at DP?

Poll closed Jan 24, 2008.
  1. Yes: 17 vote(s), 73.9%
  2. No: 3 vote(s), 13.0%
  3. Unsure: 3 vote(s), 13.0%
  1. phpl33t
    Quite a few people have been trying to get outsourcing work through me lately. The sad thing is that only one person had decent code. I see a lot of people that validate data incorrectly with stripslashes instead of mysql_real_escape_string. People that are in such a hurry to pump out the work that they don't validate data at all.

    All of them failed to call variables correctly when passing them from script to script. You have to use $_POST, $_GET, or $_REQUEST. Also, when you debug you should have error reporting set to E_ALL or 2047. How can you possibly think that having tons of notices, warnings, and errors is proper debugging?

    Wonder why we have so many scripts online that don't work? Let's look at the MySpace clones and such. All that I have tried break on PHP5 because people are calling functions that they have not defined or calling variables and expecting register globals to do the work for them. WRONG. Register globals is dead, people.

    I suggest that anyone who has had no formal education or has only read a couple of chapters of PHP for Dummies just stop offering services and get back to studying. I am tired of people who are too lazy to study taking jobs and screwing them up, giving coders a bad reputation.

    To all customers, I suggest that you demand to see your work previews with error reporting set to 2047; then and only then can you know that your code is worth the money. Also, if you ask the coder to fix the issues and they refuse to, then file a PayPal dispute! PayPal will back you up.

    It is time we got rid of these damn 14-year-old fly-by-night script kiddies. This is a job for those who studied hard and worked hard over the years.

     
    phpl33t, Jan 9, 2008 IP
    Xavier_3D likes this.
  2. Xavier_3D
    Thanks phpl33t. I'd agree with you. + Rep. But the 14-year-old thingy is kinda harsh, don't you think? :) I mean they may be young, but remember George Hotz? He unlocked the iPhone the first time. So they may be young, but they don't lack the potential.
     
    Xavier_3D, Jan 9, 2008 IP
  3. phpl33t
    Those young bucks that know their trade, I tip my hat to. This is a stereotype, but an earned stereotype. There are, of course, some that go the extra mile and learn the code inside and out. To those chaps, I say keep it up! Remember though, experience with knowledge brings power. To those starting out, write some freebies, offer them for the world to see. Get feedback and improve your techniques based on that feedback. When you are ready to offer premium services, the work will fall into your lap this way. Quality by example is great advertising!
     
    phpl33t, Jan 9, 2008 IP
  5. blueparukia
    Yeah I am 14 years old and I am getting much better, but there are things I have yet to understand, mainly sessions, cookies and SQL injection protection, so those articles will hopefully help :)
     
    blueparukia, Jan 9, 2008 IP
    phpl33t likes this.
  6. phpl33t
    I hate sessions. :eek: lmao Ever since sessions came around, accounts get hijacked left and right. Not often you hear of hijacked cookies. In fact, haven't read of it in years.

    Good luck! May the code be with you!
     
    phpl33t, Jan 10, 2008 IP
  7. 3dom
    Cannot remember for sure, but a few hours ago I got an error from

    something about 'mysql_real_escape_string first parameter have to be a string'. Forced to turn the thing off - not sure how to avoid it.

    (atm works fine - cannot reproduce the error)
     
    3dom, Jan 10, 2008 IP
  8. phpl33t
    ahhhhhh you hijacked my thread! lol

    http://us2.php.net/mysql_real_escape_string

    Looks fine to me.

    In fact, check this out: http://www.chipmunk-scripts.com/board/index.php?forumID=43&ID=10069

    Though this is better; I combined my functions with what you are trying. Protects against SQL injections and XSS in most cases.
```php
function clean($value) {
	// I clean the string up when my function is called.
	$search = array('javascript:',
	                'document.location',
	                'vbscript:',
	                '<marquee',
	                '<script',
	                '?php');
	$value = str_replace($search, '_', $value);
	// mysql_real_escape_string() uses the most recently opened mysql_connect() link,
	// so this must run after connecting
	$value = mysql_real_escape_string(strip_tags(trim($value)));
	return $value;
}
function vdata($value) {
	if (get_magic_quotes_gpc()) {
		//if the dope has magic quotes on, strip them
		$value = stripslashes($value);
	}
	if (!is_numeric($value) || $value[0] == '0') {
		// now do the cleaning
		$value = clean($value);
	}
	return $value;
}

if(!get_magic_quotes_gpc())
{
  $_GET = array_map('vdata', $_GET);
  $_POST = array_map('vdata', $_POST);
  $_COOKIE = array_map('vdata', $_COOKIE);
}
else
{
   $_GET = array_map('stripslashes', $_GET);
   $_POST = array_map('stripslashes', $_POST);
   $_COOKIE = array_map('stripslashes', $_COOKIE);
   $_GET = array_map('vdata', $_GET);
   $_POST = array_map('vdata', $_POST);
   $_COOKIE = array_map('vdata', $_COOKIE);
}
```
     
    phpl33t, Jan 10, 2008 IP
  9. nico_swd
    Ehh? Sorry, but what kind of logic is that? If used correctly, sessions are the most secure way to pass data between pages. Google "Sessions vs cookies" and you'll find a lot of discussions which will all lead to the same conclusion.


    Nico's lesson for today: DRY (Don't repeat yourself)

    Your vdata() function checks for magic quotes, so now your code above is doing it twice.

    Plus your code could be simplified to: (Yet another DRY)
```php
if (get_magic_quotes_gpc())
{
   $_GET = array_map('stripslashes', $_GET);
   $_POST = array_map('stripslashes', $_POST);
   $_COOKIE = array_map('stripslashes', $_COOKIE);
}

$_GET = array_map('vdata', $_GET);
$_POST = array_map('vdata', $_POST);
$_COOKIE = array_map('vdata', $_COOKIE);
```
    But anyway, as I said already, the array_map() on stripslashes() isn't necessary 'cause your vdata() function takes care of this already.


    As for the tips for noobs:
```php
if (isset($_GET['example']) && !empty($_GET['example'])) {
    $example = $_GET['example'];
} else {
    die('example not set');
}
```
    You're probably using isset() to avoid the mentioned undefined variable notices. empty() is a language construct, which when used on undefined variables doesn't throw notices either. So if you're using isset() just to avoid the notices, you can use empty() alone.


    Anyway, the point of this thread is good. I see highly insecure code every day. It seems almost like people don't care. Most of them don't even fix their code after I tell them about the security holes.
     
    nico_swd, Jan 11, 2008 IP
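Added example, not code from the thread, covering the input handling in phpl33t's clean()/vdata() (post 8) and nico_swd's isset()/empty() tip (post 9): instead of rewriting input with a blacklist and escaping it on arrival, it rejects anything that is not a scalar string, hands the data to SQL through a PDO prepared statement, and escapes for HTML only when rendering. The table, rows and sample requests are constructed here; it assumes the pdo_sqlite extension and PHP 7.1+.

```php
<?php
// Added example, not code from the thread: reject input by type, pass data to
// SQL through a prepared statement, and escape when rendering, instead of
// rewriting input with a blacklist and escaping it on arrival as clean() does.
declare(strict_types=1);

// One scalar string from a request array. A missing key, an empty value or an
// array value (e.g. ?name[]=1) yields null instead of reaching string functions;
// empty() alone would also cover the "not set" case nico_swd describes.
function requestString(array $source, string $key, int $maxLen = 255): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = trim($source[$key]);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

function findUserByName(PDO $db, string $name): ?array
{
    // The placeholder keeps data out of the SQL text: quotes, comment markers
    // or "OR '1'='1" in $name are just characters to compare against.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping belongs at the output boundary, not on arrival.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Constructed in-memory database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed sample requests standing in for $_GET.
$requests = [
    ['name' => 'alice'],
    ['name' => "x' OR '1'='1"],  // compared literally, matches no row
    ['name' => ['a', 'b']],      // array input: rejected, no warning or fatal error
];
foreach ($requests as $get) {
    $name = requestString($get, 'name');
    if ($name === null) {
        echo "rejected input\n";
        continue;
    }
    $user = findUserByName($db, $name);
    echo $user === null ? 'no match for ' . h($name) . "\n" : 'found: ' . h($user['name']) . "\n";
}
```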
  10. woods
    Not contributing a lot to the topic, but just dropping a thank you for saying this so I don't have to sit here mumbling thinking I'm alone on DP knowing how to write decent code :p (Yeah, slightly cheesy)

    Reminds me of the mass defacement a group did a few days ago. 70,000 sites ended up with malicious code. Worst part is that I would have no problem writing a similar bot myself - they probably just used a simple script that queries Google (or another SE) and then tried modifying parameters on the URLs to see if they're vulnerable..

    And of course you'd add stuff to the query to get good results if you wanted to, let's say, add a link to your site on every one of the hacked sites. Quite easy to get backlinks from competitors in the same niche.

    (No, I don't do such stuff. Don't think about PM'ing me)

    .. Repped! :)

    Coders - Read about securing your code!
    Buyers - Ask if they're even aware of what SQL injections, cross site scripting attacks, etc etc is.

    Edit: Voted yes, even though I have no idea how many of the coders are bad at security. However many it is, it is that many people too many :)
     
    woods, Jan 11, 2008 IP
  11. TwistMyArm
    Yeah, I was thrown by that, too. Especially seeing as the only part of a session that ends up on the client side is generally a cookie, I don't see how either is more insecure than the other...
     
    TwistMyArm, Jan 11, 2008 IP
  12. phpl33t
    Actually, I follow the debate of sessions vs cookies quite a bit. I also know that the majority of arguments for sessions are often opinions and irrelevant facts that do not sway my opinion. It is this simple...

    Sessions get hacked all the time because coders are being too lazy to deploy good security. How many times have you seen cookies hijacked? That is my point and I still don't see anyone truly challenging that point.

    Yes, and it is not the client side that is being hijacked, my friend. It is the session handling server side that is attacked. Session IDs are a big problem, and using just cookies cures any risk of security fault.

    Here is some reading on the subject for you:
    http://en.wikipedia.org/wiki/Session_hijacking
    http://www.sitepoint.com/article/php-security-blunders
    http://phpsec.org/projects/guide/4.html
     
    phpl33t, Jan 11, 2008 IP
  13. shallowink
    So, you seem to be harping on this subject. Here's an idea, either write up the "total way to securely write php code" and post it so everybody can read it or write up your guidelines for 'new' hires. In said guide you can explain code you will pay for and code that will be rejected. With the latter watch your itrader plummet.
    'Course, the real question would be how much you are offering those so-called n00bs. If it's 7/hr, you get burger-flipping code.
    Just my .02
     
    shallowink, Jan 11, 2008 IP
  14. phpl33t
    A true coder does not need the client to tell him how to code. A true coder can tell the client how it should be coded, and then if the client does not want it done securely, the client can go elsewhere. Why attach your name to crapware? That is the difference between $65/hr and $7/hr coders. The $7/hr code is not worth running. A good coder would not accept the $7/hr work to begin with.
     
    phpl33t, Jan 11, 2008 IP
  15. shallowink
    Oh, so you pay 65/hr? Pass me an application. Love the 'true coder' remark. I can see the post now:
    Wanted: only one true coder who can pull the magic keyboard from the stone gets to work for me.

    My suggestion was for you to clearly state what it is you expect from these n00bs. Worst case scenario, it will scare them off. It isn't telling them how to do their job, it's telling them what you will accept. Vast difference in those two concepts.

    You keep on about the n00bs, but what about the people hiring them? Where's their culpability in this?

    PS: A good coder won't work for 7/hr but a hacker will work for nothing. ummm
     
    shallowink, Jan 11, 2008 IP
  16. TwistMyArm
    OK, tell me in plain English how using cookies is more secure than using sessions, because obviously I'm an idiot.

    That first link you gave? It actually refers to cookie theft as the 'mode' of session hijacking.

    The second link talks about session ID protection but again, the session ID is stored in the cookie... so really we're talking about cookie protection, right?

    The third link? Well again, it's all about what a client can do to steal a session.

    I guess my 'summary' question is this: what can you do to steal a session that I can't do to 'steal' a cookie? You say that it's the server side handling that is attacked... well of course. But it's not like people are 'intercepting' sessions (and if they are, they can just as easily intercept cookies). So if it's not about interception it's about impersonation... and that's just as easy with cookies as it is with session IDs (ESPECIALLY seeing as, as I mentioned earlier, nine times out of ten the session ID is maintained in a cookie).

    So please, explain to me in your own words how cookies are more secure than sessions, as apparently those links are over my head (or, as I suspect, they don't really support your hypothesis)...
     
    TwistMyArm, Jan 11, 2008 IP
  17. crazyryan
    That could be applied to adults as well, and not just teenagers - and it's not really an earned stereotype in my opinion because there aren't really that many teenage coders (14/15ish) out there right now.
     
    crazyryan, Jan 11, 2008 IP
  18. liam1412
    At the end of the day though, mate, there are also people wanting to pay little for a lot of work on here. People that want their services cheap are on here. People with mega bucks to spend use proper outsourcing sites etc.

    I'm a noob and learning and have done a few bits of work on here. Nothing I can't handle, and I am always up front and honest about my experience and offer full support to rectify issues that may arise from my lack of it. I feel the few jobs I have done have helped me to learn a lot. It's okay to be able to code perfectly on a desktop locally, and you can even test on your own host. You can test your scripts until you think it is working perfectly, but until your scripts have ended up on a few servers, configured differently, and have been used day in day out and under load, you will never know how differently one tiny configuration may make a script behave.

    You are obviously very skilled at what you do, but what is the harm in somebody who is not running a multinational zillion-hit-a-day site paying someone $60 to do what you would charge $500 for? Not wanting to sound rude or like I'm trying to cause a fight, just a different perspective to look at it from. :)
     
    liam1412, Jan 11, 2008 IP
  19. nico_swd
    When it comes to security, you should also ask yourself what kind of data should be stored in cookies or sessions at all.

    Sensitive data should never be stored in either of them. Passwords, if needed, should only be stored encrypted. Things like credit card numbers, etc... should ONLY be stored in the database, and then they should be pulled only when they're actually needed. Why carry it around all the time?

    If the user wants to change any sensitive data, see it, or purchase an item over your website, etc... he should be forced to re-enter his password, or to verify his credit card's security code.

    Plus, the danger doesn't necessarily need to come over the internet. If you store data in cookies, it'll be on the client's computer, and can be seen by co-workers, friends, family members, etc... While using sessions, no one can directly access the data.
     
    nico_swd, Jan 11, 2008 IP
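Added example, not code from the thread, for the session hijacking debate (posts 12 and 16) and nico_swd's point about what belongs in a session (post 19): the session ID does travel in a cookie, so the defences are the cookie attributes, refusing IDs the server never issued, rotating the ID at login, and keeping only a user reference in $_SESSION while sensitive data stays in the database behind a re-authentication check. Function names and the five-minute re-auth window are assumptions; it needs PHP 7.4+.

```php
<?php
// Added example, not code from the thread: server-side session hardening.
// The session ID still travels in a cookie, so what gets attacked is the cookie
// and the ID lifecycle; this sets the cookie attributes and rotates the ID.
declare(strict_types=1);

function configureSession(): void
{
    // Accept the ID from a cookie only, never from the URL, and reject IDs the
    // server did not issue (strict mode), which blocks fixation via a planted ID.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_trans_sid', '0');
    // HttpOnly keeps page scripts from reading the cookie; Secure limits it to HTTPS.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful password check: discard the pre-login ID so an ID that
// was observed or planted earlier is useless, and keep only a reference to
// the user. Passwords and card numbers stay in the database.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}

// Gate for sensitive actions (change password, view stored card): require a
// fresh password entry if the last one is older than $maxAgeSeconds.
function requiresReauth(array $session, int $maxAgeSeconds = 300, ?int $now = null): bool
{
    $now ??= time();
    return !isset($session['auth_at']) || ($now - (int) $session['auth_at']) > $maxAgeSeconds;
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (PHP_SAPI === 'cli') {
    // Constructed check of the re-auth gate; runs without a web server.
    $session = ['user_id' => 7, 'auth_at' => 1000];
    var_dump(requiresReauth($session, 300, 1100), requiresReauth($session, 300, 2000));
}
```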
  20. surya_143s
    I agree .. there should not be a price difference between good coding and bad coding..

    if good coders take $10/hr .. then noobs won't have any jobs left, which is what should happen ...

    but these good coders feel like gods and are arrogant and charge $100/hr, and only some companies can afford that .. giving noob coders a chance to do their work
     
    surya_143s, Jan 11, 2008 IP