NYCPHP Meetup

NYPHP.org

[nycphp-talk] Help with Buttons and how I can only make pressable once a day

tedd tedd at sperling.com
Mon Jul 3 19:20:04 EDT 2006


At 12:45 PM -0700 7/3/06, inforequest wrote:
>For some of us, that is the script-kiddie problem that plagues PHP. It
>is easy to "adopt" a script but if you do, you adopt a set of
>assumptions (and conditions) along with it. Usually they are not obvious.
>That makes it "easy" because you don't need to think through those
>details, but it also makes it harder as you later discover those details
>are actually important. You may not be able to modify those adopted
>scripts as needed. And of course, if you never learn of the importance
>of the details, they may be out there awaiting exploitation.
>
>I have no problem with scripts like yours, tedd, but it would be really
>useful if they came with some details of the assumptions made and links
>to tutorials that cover all the bases. Your outbound link could frame
>the issue, with the destination providing what is needed to understand
>the approach you took with that script. Otherwise, as a list of "hot
>scripts" I could not recommend them to anyone for fear of perpetuating
>the PHP script-kiddie problem. Clearly they serve some other purpose for
>you.

Your points are well taken.

For example, when I first put up that script, I had someone do code injections and I learned the hard way what that was about -- there was no harm done. I'm sure the person was just showing me the dangers. I think I learned -- if nothing else, I bought Chris Shiflett's PHP Security book and just about memorized it.

As for me laying out what it is I'm doing on my site, that's more documentation than I'm prepared to do at the moment. That site is actually MY collection of my scripts where I try different things and learn firsthand how they work, like what happened with the injection thing. It's also my repository of snippets I've developed so I can have starting foundations for future work. I do a lot of different things.

For example, last week I was creating a CAPTCHA with sound and that was interesting. As soon as I finish testing, I'll publish it for others to review. Yesterday I just learned how to create PDF documents (that's mondo cool) and I found a client who wants me to generate some MySQL/PDF forms for him. And today, I was reading about generating Flash from PHP -- tomorrow, who knows?

But the point is that while I might not be as advanced as the rest of you, the site in question is for my development and not really set up for selling script-kiddie scripts.

>I thought Michael's reply was excellent because it addressed the
>question and provided outbound links when they are obviously needed
>here. But would it get read? I'm not sure, and especially when the
>reader could just adopt a script that looks like it works. It seems
>sooooooo easy to just go with the script, eh?
>
>-=john andrews

Another point well taken.

In my defense of ignorance, I'm literally learning more each day and this is one of the ways I learn. If the poster wanted my script, or how I did it, then I would explain as best I could (as would anyone). If the poster and I are ignorant of problems beyond us, then I guess we will both learn the hard way -- but who hasn't?

However, if your point includes that I should also refrain from commenting about things that may be beyond me, then I'm not sure as to how to respond. I believe that if you don't put your intellect at risk by demonstrating its limitations, then you don't learn.

As with all of us on the intellectual highway, we're always following someone.

Have a good 4th.

tedd

-- 
------------------------------------------------------------------------------------
http://sperling.com  http://ancientstones.com  http://earthstones.com


