Coding discussion


Maxine MagicFox
ItL Webmaster
Posts: 13474
Joined: Wed Feb 27, 2008 12:20 pm
Location: Pennsylvania

Coding discussion

Postby Maxine MagicFox » Wed Feb 27, 2013 3:06 am

Somewhere, a long time ago, I had a thread like this. Well, whatever. I ain't searching for it.

Anyways, I'm trying to create the blog system for the site - not too difficult of an idea, but I've never made one - which I'm not all too bothered by. The students in my class last year could do it, so can I. I'll figure out the Previous and Next buttons.

What's REALLY bugging me, though, is that Archaic has requested, quite reasonably, that I make sure that it is ABSOLUTELY secure.

So I have to prevent SQL injections. Which I thought last year that str_replace would be good enough, but thinking on it now... no, not really. There's still a lot of flaws with the idea. I checked the internet and people were recommending "prepared statements". Does anyone else know what these are and can explain SIMPLY what they are and how they work? I have read several articles but I want a dumb-y version with a simple example.

Also, more importantly - and I lost points on my main project last year - what is the normal method used to protect connection SQL data? I know I need to put it into another document but I somehow don't think doing an include statement will solve my issues in any way. I haven't googled this yet so any ideas are appreciated.

negzee
ItL's resident princess
Posts: 4049
Joined: Sun Aug 31, 2008 6:45 pm
Location: Minnesoouuda

Re: Coding discussion

Postby negzee » Wed Feb 27, 2013 6:09 pm


Reynard-Miri
Manticor
Posts: 3190
Joined: Tue Jul 10, 2012 5:09 am

Re: Coding discussion

Postby Reynard-Miri » Wed Feb 27, 2013 6:34 pm


Kimiko
Manticor
Posts: 6044
Joined: Wed Jun 18, 2008 9:31 am
Location: Leiden, Netherlands, EU

Re: Coding discussion

Postby Kimiko » Wed Feb 27, 2013 10:12 pm

I feel so wholly incompetent at PHP now. I did that introductory course/self study only a few weeks ago, but I haven't seen most of the stuff you used there.
*sigh* I shouldn't even apply for PHP programmer internships like this..
Kimiko

Rewatching: Beast Player Erin


Re: Coding discussion

Postby Maxine MagicFox » Wed Feb 27, 2013 11:01 pm

(I'll set the prepared statements to the side for now because I THINK I get it and I'm going to wait until I've created some of my own scripts for it and you can 'grade' them for me and make sure that I did them correctly. Though I might still have one or two questions. You pretty much retold me what I read in the articles, but I needed the dumbing down a bit. They do seem VERY useful - just thinking a little bit outside the box and I can already see some areas that they could be helpful not just within the scope of preventing sql injections, so I'm really wanting to try to learn them.)

@Connection:
Yes, putting the document outside of the root folder was what our instructor told us was most secure, but my question is... well, what should be in it? And how should the data be called?

Is it like a normal connectioninfo.php document that I call in with a
<?php include('~/connectioninfo.php') ?>

^ Is this right? It doesn't "feel" secure to me since the data is essentially being loaded into the document anyways? But you can't see PHP data so... I dunno. o_O; I'm just a little confused on how to make it work. To me this idea above is exactly the code you typed out indicating it was the height of stupidity.

@Kimiko: Uggg, I know. ^_^ But, it's so fun. I love the not knowing with this stuff and having to really focus to figure it out.

And I wouldn't worry about the current discussion we're having now Kimiko. I have my Associates in Web Development and we did not discuss this stuff in class. I would go for the internships and don't let things stress you out. Internships were put into place with the idea that you are fresh and new. You can't get a job in the field yet because you are too new, so an internship will help teach you how to do it in the job-market.

And like my teachers said: <_<; All jobs will want you to code just a little bit differently. They'll teach you their own methods.

Re: Coding discussion

Postby negzee » Fri Mar 01, 2013 4:49 pm


Re: Coding discussion

Postby Maxine MagicFox » Fri Mar 01, 2013 10:50 pm

LOL, yeah the ~ was just something I threw in there. I know that wouldn't work. -_- In my experience I find that it's better/safer to just write out the full file path that you want to call. Especially since I make weird folder systems to begin with.

Can you explain " include()/require(). require_once()." to me? This is the first time I'm seeing these.
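
An added example covering the three questions raised in this thread (not part of any post and not the site's code): a credentials file kept outside the web root, loaded with require by full path, and queries run as prepared statements. The directory, file, table and column names are hypothetical, and an in-memory SQLite DSN is assumed so the script runs without a database server.

```php
<?php
// Added example, not code from the thread; paths, table and columns are hypothetical.
// 1) Credentials file. On a real host you create it by hand ABOVE the document
//    root (e.g. /home/site/private/ beside /home/site/public_html/), so no URL
//    maps to it. It is written to a temp directory here so the demo runs offline.
$privateDir = sys_get_temp_dir() . '/private_demo';
if (!is_dir($privateDir)) { mkdir($privateDir, 0700, true); }
file_put_contents($privateDir . '/connectioninfo.php', <<<'CONFIG'
<?php
// Returns settings and prints nothing, even if it were requested directly.
return [
    'dsn'  => 'sqlite::memory:', // constructed; MySQL: 'mysql:host=...;dbname=...'
    'user' => null,
    'pass' => null,
];
CONFIG
);

// 2) Page script: full path, and require rather than include, so a missing
//    file is a fatal error instead of a warning. Plain require is used because
//    require_once returns true, not the array, if the file was already loaded.
$config = require $privateDir . '/connectioninfo.php';
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// 3) Prepared statements: the SQL text is fixed and user input is bound
//    separately as values, so it is never parsed as SQL.
function addPost(PDO $pdo, string $title, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function findByTitle(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

addPost($pdo, 'Hello', 'First entry');
$input = "' OR '1'='1";                      // constructed hostile-looking input
var_dump(findByTitle($pdo, $input));          // bound as a literal title
addPost($pdo, $input, 'Kept as plain text');  // quotes need no str_replace
var_dump(findByTitle($pdo, $input));
```

Keeping the file outside the web root protects it if the server ever stops executing PHP and starts serving source as text; the values are still loaded into the running script, which is expected, because they never reach the browser unless the script prints them.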

Re: Coding discussion

Postby Reynard-Miri » Fri Mar 01, 2013 11:05 pm

I really feel I should say something on this subject, given that information security was my concentration in college... Remind me to look at this more closely over the weekend. ^_^"

I will say this, though: Assume that 9 times out of 10 the user is malicious. That's nowhere near an accurate statistic, but it puts you in the correct frame of mind.

Re: Coding discussion

Postby negzee » Fri Mar 01, 2013 11:35 pm


Re: Coding discussion

Postby Maxine MagicFox » Sat Mar 02, 2013 3:42 am

^_^ I always go by this rule

That's a good security rule to go by. Similar to my rule about coding and trying to think of possible breaks:
9 times out of 10 the user is stupid


Anywho: I'm going to the coffee shop tomorrow with my sister. So I'll start tapping out some coding and then I think I'll PM you negzee for your advice/evaluation.

<_<; I hope I can do this within the testing environment. It's actually got me slightly worried... uggg, another problem raises its big ugly head. Maybe just to test it I'll just make an alternate folder and throw it in there and see if I can execute things by linking back to that folder. It will be the same idea in principle.

PLA
Manticor
Posts: 6953
Joined: Wed May 11, 2011 4:27 pm
Location: Sweden

Re: Coding discussion

Postby PLA » Sat Mar 02, 2013 1:09 pm

^ "Stupidity is far more dangerous than evil, for evil takes a break from time to time, stupidity does not."
"Make life rue the day it thought it could give Cave Johnson lemons!"

"I'm so happy with my evil plan; goodbye to music, gym and art
Soon I'll have the perfect school, where fun and excitement never start"


Wagahaiwa neko de aru.

Re: Coding discussion

Postby Reynard-Miri » Sat Mar 02, 2013 6:03 pm

No, when it comes to coding practices, malice is a lot worse than stupidity.

Re: Coding discussion

Postby Maxine MagicFox » Sun Mar 03, 2013 1:06 am


Re: Coding discussion

Postby Reynard-Miri » Sun Mar 03, 2013 1:31 am


Riseatrance
Manticor
Posts: 2098
Joined: Thu Apr 10, 2008 3:43 am
Location: Hong Kong

Re: Coding discussion

Postby Riseatrance » Sun Mar 03, 2013 1:57 am

My current game projects:
茨心 -Thornheart- (jRPG, yuri) || Heaven's Kiss: Fallen Hydrangea (Twine, yuri romance)

(#dota2) I support Team DK! 国土無双 (LaNm), you will be missed...

Follow me on Twitter at !
3DS - 3883:5561:7702 (Please msg me on Twitter/here/Skype if you add me!)
PAD - 201,267,866 (Japanese Servers. Common Leaders: Archangel, Ganesh)

