Forgot to heed my own advice
January 22nd, 2008
One of the points I stressed in PHP Solutions was the need to write secure code. On page 378, I said it was essential to display error messages in a development environment so that you can debug your code, but to switch them off on a live website: raw error messages look unprofessional, and they can tell a visitor more about your code than you intend. Well, guess who forgot to take his own advice? Yes, it was me—guilty as charged. Do as I say, not as I do.
I found out as a result of a couple of messages posted under a pseudonym to my blog. Since I have been involved in an acrimonious discussion about security in the past couple of days, I suspect that someone involved in that discussion, either as a participant or an observer, wanted to embarrass me. The way one of the messages was phrased appeared to be a direct reference to something I had written in the other discussion. Sure, I’ve ended up with (a little) egg on my face, but the error message didn’t reveal anything about the structure of the site; and I have now implemented the advice on page 378.
Am I embarrassed about the event? Yes, I suppose I am, but we all make mistakes from time to time. If I have made a mistake, I’m usually the first to admit it, particularly if the person pointing it out does so in a spirit of mutual help. I decided not to publish the messages—not to save my red face, but because the poster didn’t have the decency to use his (or her) own name, and because it was done in an offensive way. The poster accused me of wasting my time in a forum that I haven’t visited probably for about two years, although it’s a forum that provides a lot of free and usually very sound advice about website design.
Security on the web, as well as in everyday life, is important to all of us. Pointing out another person’s mistakes can be a valuable service. It’s not a question of scoring points, but of helping one another. Throughout the other discussion, I used my own name, as did most other participants. We had a genuine disagreement, but everyone was open about it. Sadly, the person who found a minor security error in one of my pages decided to be abusive and hide behind a false name. So, whoever you are, thank you for bringing it to my attention, but your actual posts have been sent to cyberoblivion.
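As an added example (this is not code from the original post or from PHP Solutions), here is one way to put the page 378 advice into practice: report every error in both environments, but show them on screen only in development and send them to a log in production, with handlers that give the visitor a generic message instead of the raw error. The APP_ENV variable and the log path are assumptions for the example.

```php
<?php
// Added example: environment-aware PHP error handling.
// Assumptions: the environment is named by an APP_ENV variable
// ("development" or anything else), and the log directory exists.
declare(strict_types=1);

$env = getenv('APP_ENV') ?: 'production';

// Report everything in both environments; the difference is where it goes.
error_reporting(E_ALL);

if ($env === 'development') {
    ini_set('display_errors', '1');
    ini_set('log_errors', '0');
} else {
    ini_set('display_errors', '0');   // never echo raw errors to visitors
    ini_set('log_errors', '1');
    // Assumed path; keep the log outside the web root so it cannot be fetched.
    ini_set('error_log', __DIR__ . '/logs/php-error.log');
}

// Warnings and notices: full detail in development, log only in production.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline) use ($env): bool {
    $detail = sprintf('[%s] %s in %s on line %d', date('c'), $errstr, $errfile, $errline);
    if ($env === 'development') {
        echo '<pre>' . htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') . '</pre>';
        return true;
    }
    error_log($detail);               // detail goes to the log, not the page
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
    exit;
});

// Uncaught exceptions get the same treatment.
set_exception_handler(function (Throwable $e) use ($env): void {
    if ($env === 'development') {
        echo '<pre>' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>';
        return;
    }
    error_log((string) $e);
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
});

// Demonstration: in development this prints the message and file/line;
// in production it writes them to the log and shows only the generic text.
trigger_error('Example warning from the added example', E_USER_WARNING);
```

Two caveats worth knowing: set_error_handler() is not invoked for fatal errors such as E_ERROR, so display_errors must be off in production regardless of the handler; and because the log now holds file paths and line numbers, it should sit outside the document root and be readable only by the web server account.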
9 Comments
1. Nathan Smith | January 22nd, 2008 at 3:42 am
David: That’s unfortunate to hear, but I applaud you for taking the moral high road and not sinking to this person’s level. Off-topic, I’ve read your book PHP Solutions, and found it to be a great resource. Keep up the great work in the PHP community, and please do let me know if any other books come out.
2. David | January 22nd, 2008 at 10:31 am
Thanks, Nathan. I spent a lot of time deciding whether to publish the comments that drew my attention to the mistake. The easy option would have been just to delete them from the moderation list, and change my code without saying anything. But I didn’t want to give the other person the opportunity to call me dishonest.
As for other books, I’m in the final stages of agreeing a follow-up to PHP Solutions, and hope it will be out later this year.
3. Nathan Smith | January 22nd, 2008 at 3:32 pm
Awesome. I’d love to see a Solutions style book that has more OOP concepts and whatnot. I’m looking forward to it.
4. David | January 22nd, 2008 at 3:51 pm
Well, if I tell you that the code name for the book is “oops!”, it sounds as though you won’t be disappointed.
5. Jonny Jingo | January 31st, 2008 at 11:38 am
OK David, I think we can resolve the issue here if you pass the Zend Certification Exam, then you can call yourself a PHP’er.
The issue wasn’t leaving in raw debugging code but poor input validation, in this case the query string. Your code also displayed poor use of PHP and MySQL which is why I managed to generate Page 4 of 9383 or whatever it was!
At the end of the day it’s no big deal because the web is full of poor code but as a teacher you will be shot down if you slip up, you know that. Put yourself up there and someone will always try to shake your tree and see what falls down.
I applaud your honesty though, although I don’t think you needed to make a blog post about it.
Anyway I will leave you in peace to carry on in the fantasy world of Adobe, the ‘amateurs’ choice of web dev tools. I had high hopes you would leave ‘Toy Town’ web dev and build a PHP app to take us to a far away Galaxy but it was not to be!
Don’t lose too much sleep wondering who I am, if you look out of your window you will see me, I am the gnome at the bottom of your garden!
6. David Powers | January 31st, 2008 at 7:11 pm
Although Jonny Jingo has used both a false name and a false email address, I’ve decided to approve his post because it raises some interesting points. First of all, I have been contemplating taking the Zend Certification exam for some time, and decided to try the online practice test. I’ve taken the practice test three times, and on each occasion scored “Excellent”, so I don’t have many worries about passing the real thing. It’s certainly not the sort of test you could pass by memorizing a few quick facts, but an exam provides only a snapshot of knowledge, so I’m not wholly convinced of its value in the real world.
Equally, there’s no guarantee that someone with a paper qualification writes perfect code every time. The code in the page that failed could certainly be improved. However, the error would not have been displayed onscreen if I had implemented my own advice. What’s important about errors is that they should fail gracefully without exposing sensitive details or permitting data injection.
The scorn you show for Adobe tools is misplaced. Admittedly, a lot of Dreamweaver users are amateur and unskilled; but it’s also used by many professional design studios. I started using Dreamweaver to make static websites. When I decided to start using PHP, Dreamweaver was the logical choice. I was able to design the static elements of the site in Design view, and switch to Code view to hand-code the dynamic elements.
It wasn’t until my publisher asked me to write a book about using PHP in Dreamweaver that I even bothered with any of the automatic code generation (the server behaviors). The code is much more verbose than what I had been writing myself, but I quickly came to realize that large numbers of people were relying entirely on Dreamweaver to do all the coding on their behalf. This struck me as both extremely limiting and potentially dangerous. So I set out to write books to teach those people how to understand the code written by Dreamweaver, adapt it where necessary, and begin to write their own code.
A message I try to drum home all the time is that unless you understand the code being used in your web page, you shouldn’t use it. Most beginner’s books on PHP treat security as an afterthought. It should be at the forefront of the developer’s mind at all times, so if you get caught out making a mistake like I did, you can react quickly to put it right.
I certainly wouldn’t choose Dreamweaver as the IDE of choice to build a PHP application with the Zend Framework, but it’s an excellent tool for anyone who needs to add some PHP functionality to a small website. When writing PHP classes, I prefer to use PhpED. I have also been experimenting recently with Zend Studio. They’re both excellent because of the code completion, debugging features, and code introspection. But I wouldn’t use them in a million years to build my XHTML or CSS.
I make no apologies for not designing a PHP app to take you to a faraway galaxy. I write books for the beginner to intermediate level. Everyone needs to start somewhere. I hope that what I teach through my books gives readers a solid understanding of the basics and inspires them to go further.
And no, I won’t worry about you. If you’re the gnome at the bottom of my garden, you’ll be pretty wet and miserable at the moment, while I’m indoors in the warm.
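The exchange above turns on two points: the raw error was displayed, and the query string value that produced it was not validated first. As an added example (not the original page’s code, and not the commenter’s), here is the check a practitioner would put in front of a paginated query, so that a hand-edited URL fails gracefully instead of reaching the database or the error handler: the page value is validated as a positive integer, clamped to the real number of pages, and bound as a parameter rather than interpolated into SQL. The parameter name, the per-page size and the record count are assumptions for the example.

```php
<?php
// Added example: validating a pagination value from the query string.
// Assumptions: the parameter is called "page", ten records per page,
// and the total record count would normally come from a COUNT(*) query.
declare(strict_types=1);

const PER_PAGE = 10;

/**
 * Return a page number in the range 1..$totalPages, or null when the raw
 * input is not a well-formed positive integer. Values beyond the last page
 * are clamped rather than rejected, so the visitor sees the last page
 * instead of an empty result or an error.
 */
function validatedPage(?string $raw, int $totalRecords): ?int
{
    // FILTER_VALIDATE_INT rejects "4abc", "4.0", "" and, with min_range,
    // zero and negatives; it returns false rather than guessing.
    $page = filter_var($raw ?? '1', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        return null;
    }
    $totalPages = max(1, (int) ceil($totalRecords / PER_PAGE));
    return min($page, $totalPages);
}

/** Offset for a LIMIT/OFFSET query, derived only from a validated page. */
function offsetFor(int $page): int
{
    return ($page - 1) * PER_PAGE;
}

// Usage in a page script.
$totalRecords = 93;   // assumed; normally SELECT COUNT(*) FROM ...
$page = validatedPage($_GET['page'] ?? null, $totalRecords);
if ($page === null) {
    http_response_code(400);
    exit('Invalid page number.');   // generic message, no internal detail
}
$offset = offsetFor($page);

// The integers are bound as parameters, never interpolated into the SQL
// string. Shown as comments because there is no database in this example.
// $stmt = $pdo->prepare('SELECT id, title FROM articles ORDER BY id LIMIT :limit OFFSET :offset');
// $stmt->bindValue(':limit', PER_PAGE, PDO::PARAM_INT);
// $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
// $stmt->execute();
printf("Page %d of %d (offset %d)\n", $page, max(1, (int) ceil($totalRecords / PER_PAGE)), $offset);
```

With this check in place a request such as ?page=9383 renders the last real page, and ?page=abc gets a 400 response, so neither ever reaches the query or produces an error message to display.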
7. Kevin Cheng | February 1st, 2008 at 4:53 am
Hi, David,
I’m currently deeply immersed in reading your “PHP Solutions” book and applying the knowledge gained to Web pages that I’m coding up. This is a great book, since you explain quite clearly the reasoning behind the code examples throughout the book - something not every book does or does well. So I’ve certainly found your book helpful so far.
Just a question: I am a beginner to Web programming (although I’ve done other types of programming). For doing server-side programming to implement dynamic behavior and a database-driven site, which is the better approach: Dreamweaver or hand-coding?
From reading your previous reply to another poster, I get the impression that Dreamweaver doesn’t really generate PHP code for you (since you mentioned that you switch to code-view to hand-code the dynamic elements). I have so far decided to go the hand-coding route (for PHP and everything else). Should I bother purchasing Dreamweaver? Would Dreamweaver really speed code development (particularly the PHP and MySQL code)?
Thanks.
Kevin
8. David Powers | February 1st, 2008 at 8:53 am
Hi Kevin, the code generated by Dreamweaver is fine. It’s particularly useful for doing quick, routine tasks, such as connecting to a database to insert new records, update them, or perform a search. Dreamweaver is also useful in that it offers code hints for more than 2,600 PHP functions; it has syntax colouring, a balance braces feature, and it automatically displays the HTML content of include files in Design view. Dreamweaver has a lot of excellent features, so don’t take any notice of Jonny Jingo’s dismissive attitude that it’s a program for amateurs.
The problem with Dreamweaver is that the code it generates automatically only scratches the surface of what PHP is capable of. The big mistake that many people make is to think that Dreamweaver will “do everything” for them. It won’t, and in my Dreamweaver books, I stress the need to be able to hand-code. Without that skill, your ability to develop database-driven websites will be severely limited.
So, should you get Dreamweaver or go for a different IDE? It really depends on your goals. If you want to concentrate on developing the back-end of database-driven sites, then PhpED or Zend Studio is probably a better choice. If you are also involved in designing the front end of websites, then Dreamweaver is an excellent tool for generating standards-compliant XHTML and CSS that also has some useful PHP features. Don’t make the common mistake of regarding Dreamweaver as a WYSIWYG website builder. If you try to use it as a drag and drop design tool, you’ll end up with nightmarish spaghetti code. However, if you have a solid understanding of XHTML and CSS, it greatly speeds up the construction of a website, and renders a reasonably accurate view of what the site will look like while you’re still working on it. There’s a 30-day free trial available from the Adobe site to help you assess whether it’s the right tool for you.
9. Kevin Cheng | February 2nd, 2008 at 6:45 am
David,
Thanks for your very helpful and prompt reply. I didn’t know Dreamweaver has the support you mentioned for PHP and for connecting to a database - I thought it was just for auto-generation of HTML, CSS, and Javascript code. I’ll now certainly keep Dreamweaver in mind. PhpED and Zend Studio also sound promising for heavy PHP work. Briefly, I’m an engineer in my full-time day job (albeit not a software engineer and not in anything related to the Web), but am starting a Web-site business part-time. As I’m doing everything myself, I’ll be working on both the front-end (browser-side) and back-end (server-side and database) coding of the Web site. Right now I think I’d probably want an IDE tool to help me primarily with the PHP and MySQL coding, so I’ll probably first try out PhpED or Zend Studio (and then Dreamweaver if I need to). Thanks again for pointing me to these tools.
Your comments also confirm to me that hand-coding is necessary to implement a quality database-driven site. This is really valuable to me because I wasn’t sure if I was making it harder than it needs to be (by hand-coding thus far in the Notepad++ text-editor instead of using a more graphical tool). However I will look into PhpED and Zend since they specifically help with PHP coding.
On a somewhat separate topic: I’ll need to implement a shopping cart and credit-card payment processing for my site. Is it possible to do this all with PHP and MySQL? Are there particular things to watch out for in coding the shopping cart? If this is especially complex to do (and as I’m new to Web programming), is there a good reference book or two on coding a Web shopping cart that you can point me to?
Thanks again.
Kevin