
Note to php coders offering services.

Discussion in 'PHP' started by phpl33t, Jan 9, 2008.


Are there too many n00bs offering paid services at DP?

Poll closed Jan 24, 2008.
  1. Yes

    17 vote(s)
    73.9%
  2. No

    3 vote(s)
    13.0%
  3. Unsure

    3 vote(s)
    13.0%
  1. nico_swd

    nico_swd Prominent Member

    #21
    Wow, sorry but that's just dumb.

    Think.... think... again...


    So you're saying high quality software should cost the same as bad and buggy software? And the people who've been coding professionally for YEARS should charge the same as any noob? Wtf...


    You get what you pay for...


    The end.
     
    nico_swd, Jan 11, 2008 IP
    phpl33t likes this.
  2. libertygone

    libertygone Active Member

    #22
    I agree with you PHPl33t
    :)
    you're an excellent coder btw
     
    libertygone, Jan 11, 2008 IP
    phpl33t likes this.
  3. liam1412

    liam1412 Active Member

    #23

    You certainly do get what you pay for and I don't think anyone is dumb enough to not agree with that. But my point was that if someone only earns xx a week from a site then they can't afford to pay the good coders' prices. I think the noobs here do a lot of work for people that really can't afford the fees experienced pro coders charge. As I said in my earlier thread I have only done a couple of jobs here but people have been happy with what I have done and apart from one occasion when I didn't have the net for a couple of months due to moving house have I fixed any bugs in the sites I have built.

    The way I see it is you and phpleet are obviously in a different league to a lot of coders on here, me included, but if you look at the sites that people are working on they don't require the skills of a xx an hour coder.

    I can completely see your point for the larger more complex commercial projects but what harm am I doing if it takes me a couple of attempts to get a hobby site right?
     
    liam1412, Jan 11, 2008 IP
  4. surya_143s

    surya_143s Banned

    #24
    yes 200% agreed

    all companies want quality coders .. but all can't afford! some go for professionals .. some for part-time freelancers.. it's up to them ...
     
    surya_143s, Jan 11, 2008 IP
    phpl33t likes this.
  5. phpl33t

    phpl33t Banned

    #25
    Yes, everyone starts somewhere. I used to charge $65 /hr back when I ran my store. But, now with the poor economy I have lowered mine to $25 /per hour. Note that I also offer 1 year support on all software and give my recurring clients 20% off their total price per job. So, I am not breaking arms, I am charging for my time and skill. 1 year support is a very powerful tool for a client and very time consuming with some of the not-so-savvy customers. Did I start so high? Hell no, I started at $10 an hour. Then again, I was also a professional that graduated with honors in web development. I also wrote the Internet's first Cpanel Email Integration mod and the first Plesk Email Integration mod. I earned my wings.

    As far as getting into sessions vs cookies, this can go on forever just as a philosophical discussion has no end. The discussion has plagued us for years. Do I use sessions? Sure, but very carefully. But, I use cookies very carefully as well.

    As far as the age of the n00b I mentioned. Ok, true that adults cause part of this problem also. That disturbs me even more though, because an adult selling an unhoned trade skill is dangerous to the consumer. I got my start with open source and free mods for the newlife blogger and a few others. This gave me a great tool, user feedback and the gurus of the time taught me and critiqued my code. Then the customers came to me one day, once I had proven to have learned my trade. This is the path I recommend to those starting out.

    Wow, this got very off topic. :eek:
     
    phpl33t, Jan 11, 2008 IP
  6. phpl33t

    phpl33t Banned

    #26
    Thanks Liberty!
     
    phpl33t, Jan 11, 2008 IP
  7. phpl33t

    phpl33t Banned

    #27
    On a last note, I am not dogging the new coders. I am showing them how the industry is. We get paid for how well we code. If our code is still running well after years of running with no hitches, then we did our job well. With all of the people in the world wanting a piece of the Internet pie, we have to stand out from the rest. We have to be the best if we want to buy that house or that diamond ring for our loved one.

    I got into a discussion with my ex mother in law a few years back. I was talking about the importance of a student's GPA. Her stand point was that as long as you float by with the degree, you are doing great. However, my view was/is that when you work hard and demand the best of yourself you not only open many doors of opportunity, but you also instill a great sense of work ethic and morals into yourself. There is no feeling better than a customer coming back after a couple of years and thanking you for working so hard on their project.

    Companies want great coders, not mediocrity. Do you think google would hire an uneducated hacker? No, they are hackers because they are against the system. Thus, the system will never accept them. The ones that break out of their shell and take education seriously are the ones that succeed.

    How to be a great coder? Read. Study. Code. Read and study more. When you are in the restroom, study a php cookbook. When waiting for your tv show to come on, read up on new technologies in Linux magazine. You can not know too much. When you take these extra steps, you know that the sky is the limit for you.
     
    phpl33t, Jan 11, 2008 IP
  8. phpl33t

    phpl33t Banned

    #28
    Thanks Nico, I stand corrected my friend:



    
    
    function clean($value) {
    	// I clean the string up when my function is called.
    	$search = array('javascript:',  
    	                'document.location', 
    	                'vbscript:', 
    	                '<marquee', 
    	                '<script', 
    	                '?php'); 
    	$value = str_replace($search, '_', $value); 
    	$value = mysql_real_escape_string(strip_tags(trim($value)));
    	return $value;
    }
    function vdata($value) {
    	if (get_magic_quotes_gpc()) {
    		//if the dope has magic quotes on, strip them
    		$value = stripslashes($value);
    	}
    	if (!is_numeric($value) || $value[0] == '0') {
    		// now do the cleaning
    		$value = clean($value);
    	}
    	return $value;
    }
    
    $_GET = @array_map('vdata', $_GET); 
    $_POST = @array_map('vdata', $_POST); 
    $_COOKIE = @array_map('vdata', $_COOKIE);
    
    
    PHP:
     
    phpl33t, Jan 11, 2008 IP
  9. surya_143s

    surya_143s Banned

    #29
    hackers are not against the system .. seeing the recent codes anyone can turn into a hacker .. too many exploits out there in the scripts

    it's the coders who develop scripts which get hacked easily .. and that resulted in even a noob getting credit cards from shopping cart through simple sql injections or google dorks .. blame coders not hackers .. even the cpanel 10 had many exploits .. even recent vbulletin 3.6.8 had exploits with so many professional coders .. thanks to hackers they know their mistakes ... shell hacking was so easy that 10000000s of sites get hacked every year

    so if coders can't do their job correctly they will be thrown out of the society even if they have learnt phds .. companies hire ethical hackers who care for the system and find loopholes through QTP,SQA testing tools and that's why google is at top
     
    surya_143s, Jan 12, 2008 IP
  10. SmallPotatoes

    SmallPotatoes Peon

    #30
    It's not a philosophical discussion; it's a technical one, and what you've written on the topic so far makes no sense.

    Sessions require some means of identifying the user between HTTP requests. Cookies are the most common means of doing this (others include SSL client certificates, tokens passed in the URL or in forms, etc.).

    "Sessions vs cookies" makes about as much sense as "lunch vs sandwiches".
     
    SmallPotatoes, Jan 12, 2008 IP
  11. InFloW

    InFloW Peon

    #31
    If you're going to provide suggestions at least provide good ones. This right here is an example of a very bad practice.

    
    if(!get_magic_quotes_gpc())
    {
      $_GET = array_map('vdata', $_GET); 
      $_POST = array_map('vdata', $_POST); 
      $_COOKIE = array_map('vdata', $_COOKIE);
    }
    else
    {  
       $_GET = array_map('stripslashes', $_GET); 
       $_POST = array_map('stripslashes', $_POST); 
       $_COOKIE = array_map('stripslashes', $_COOKIE);
       $_GET = array_map('vdata', $_GET); 
       $_POST = array_map('vdata', $_POST); 
       $_COOKIE = array_map('vdata', $_COOKIE);
    }
    
    PHP:

    All this shows is your solution is to simply assume all data belongs in mysql and should have its data escaped no matter what. Awful thing to do considering you may have data you do not wish to escape. You also at this point must have a mysql connection because mysql_escape_string uses it. If there is none then well the chances of success are not great and a warning error will be thrown.

    You're best to build this sort of thing into your database select, insert and update logic. So in the case of insert and updates something simple could simply be passing an array in and doing the escape at that level. You could of course take it a step further and start telling it which types you're expecting. Reason I mentioned this is if you're going to do inserts and updates with arrays depending on your database engine you may not be able to put ' ' around integers for example.

    I believe Zend_Db_Table (http://framework.zend.com/manual/en/zend.db.table.html) in zend framework does this.

    As for if sessions are safe or not. There are instances where you're going to need to use them. You cannot avoid them like the plague because you cannot make the assumption every user has cookies enabled. Of course you can help minimize the risks by having more verifications than simply the session id. You can also make use of session_set_save_handler to start saving sessions on the database opposed to a temporary directory inside a web server.
     
    InFloW, Jan 12, 2008 IP
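
The approach described in the post above (escaping handled inside the insert logic, with the expected type declared per column) can be sketched as follows. This is an added example, not code from the thread: it swaps in PDO bound parameters for manual escaping, assumes PHP 7.4+ with pdo_sqlite, and the `comments` table, `COMMENT_COLUMNS` and `insertRow()` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Table, columns and insertRow() are hypothetical.
declare(strict_types=1);

// Allowlist of columns and the type each one is expected to carry.
const COMMENT_COLUMNS = [
    'author' => PDO::PARAM_STR,
    'body'   => PDO::PARAM_STR,
    'rating' => PDO::PARAM_INT,
];

function insertRow(PDO $db, string $table, array $columns, array $row): int
{
    $names = array_keys($row);
    if ($names === [] || array_diff($names, array_keys($columns)) !== []) {
        throw new InvalidArgumentException('row is empty or has an unexpected column');
    }
    // Identifiers come from code ($table) and the allowlist; values are bound, never concatenated.
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $names), ':' . implode(', :', $names));
    $stmt = $db->prepare($sql);
    foreach ($row as $name => $value) {
        if ($columns[$name] === PDO::PARAM_INT) {
            if (filter_var($value, FILTER_VALIDATE_INT) === false) {
                throw new InvalidArgumentException("$name must be an integer");
            }
            $value = (int) $value; // integers are sent as integers, not as quoted strings
        }
        $stmt->bindValue(":$name", $value, $columns[$name]);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT, rating INTEGER)');

// Constructed request data, left exactly as it arrived (no global escaping pass).
$post = ['author' => "O'Brien", 'body' => "it's <b>fine</b>", 'rating' => '4'];
$id = insertRow($db, 'comments', COMMENT_COLUMNS, $post);

$q = $db->prepare('SELECT author, body, rating FROM comments WHERE id = ?');
$q->execute([$id]);
print_r($q->fetch(PDO::FETCH_ASSOC)); // stored values carry no added backslashes

try { // a non-numeric rating is rejected before the statement executes
    insertRow($db, 'comments', COMMENT_COLUMNS, ['rating' => 'four']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```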
  12. SmallPotatoes

    SmallPotatoes Peon

    #32
    Agreed. This is the cause of things like the ever-growing chain of \'\'\'\'\' that users experience on some sites when they have to go through the server-side form validation a few times. The time to escape data is when preparing it to go into the database (if it fails validation, then you need to be using htmlentities instead, when you prepopulate the form).

    Escaping is different from sanitisation. It is entirely sensible to sanitise data the moment it comes in, but preparing it for the idiosyncrasies of various other APIs and protocols shouldn't happen until its fate is sealed.
     
    SmallPotatoes, Jan 12, 2008 IP
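
The growing backslash chain described in the post above, next to the alternative of keeping the raw value and encoding only at the point of output, as an added example that is not part of the original thread. `addslashes` stands in for any escape-on-arrival pass, and all function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Stand-in for "escape everything on arrival" (magic quotes, or a global
// array_map over $_POST): each pass adds another layer of backslashes.
function escapeOnArrival(array $input): array
{
    return array_map('addslashes', $input);
}

// Encoder for one specific output context: an HTML attribute value.
function forHtmlAttribute(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderField(string $name, string $encodedValue): string
{
    return sprintf('<input name="%s" value="%s">', $name, $encodedValue);
}

// Simulate a form that fails validation and is resubmitted $rounds times.
function roundTrip(string $submitted, int $rounds, bool $escapeEarly): string
{
    $value = $submitted;
    for ($i = 0; $i < $rounds; $i++) {
        if ($escapeEarly) {
            // SQL-escaped on arrival, echoed back into the form, resubmitted,
            // and escaped again on the next request.
            $value = escapeOnArrival(['name' => $value])['name'];
        } else {
            // Raw value kept server-side; HTML encoding happens at render time
            // and the browser decodes the attribute before resubmitting it.
            $rendered = forHtmlAttribute($value);
            $value = htmlspecialchars_decode($rendered, ENT_QUOTES);
        }
    }
    return $value;
}

$name = "O'Reilly"; // constructed input

echo roundTrip($name, 3, true), PHP_EOL;   // backslashes accumulate with every pass
echo roundTrip($name, 3, false), PHP_EOL;  // value is unchanged after three passes
echo renderField('name', forHtmlAttribute($name)), PHP_EOL;
```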
  13. InFloW

    InFloW Peon

    #33
    One other thing to keep in mind with sanitisation is everyone has a different definition of sanitized data for php. For some it may be stripping non standard characters. For others it may be using htmlentities on it. But this is very application dependent. For example I would never touch my incoming data until I'm ready to use it as sometimes I may need to keep HTML or whatever.
     
    InFloW, Jan 14, 2008 IP
  14. phpl33t

    phpl33t Banned

    #34
    I used that as an example, I only use the functions themselves and call them as needed throughout my scripts.

    I will never post anything as a fix-for-all.
     
    phpl33t, Jan 16, 2008 IP