Posted on September 14th, 2006 by headwedge
I was having a heated debate with a non-academic lead programmer about how best to get programmers to write “correct” code. That is, to conform to the programming idioms of a company and code in a way considered best practice.
To completely sidetrack the issue of exactly how best to elucidate what is “best practice”. [...]
Filed under: ramblings | No Comments »
Posted on September 7th, 2006 by headwedge
Cookies! Why, why, why do so many sites reveal so much information in unsecured cookies?
This is paraphrased from a million PHP cookie examples:
$stuff[] = 'about the structure of your web logic';
$stuff[] = 'perhaps some flags you find handy';
$stuff[] = 'some variable names that mimic table or column names';
// ok so expire in [...]
Filed under: rants | No Comments »
Posted on September 5th, 2006 by headwedge
This is paraphrased from a million PHP log-in examples:
$password = some_database_query("SELECT password FROM users WHERE username = '{$_SESSION['username']}'");
if ($_SESSION['password'] == $password) {
    // ok safely logged in
}
So what is wrong with that?
Well, the password and username are finished with, right?
But…
THEY ARE STILL LIVE IN THE SESSION!!!
Given that session hijacking is relatively easy (very easy on a shared host) [...]
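For comparison, here is an added example (my code, not the original post's) of a log-in that uses the username and password exactly once, to verify, and then keeps only a user id in the session, so a hijacked session hands the attacker a logged-in user rather than a reusable password. It assumes a PDO connection and a users table with columns id, username and password_hash (a password_hash() result); the table, the SQLite store and the user record are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes PDO with the SQLite
// driver and a users table (id, username, password_hash); all constructed here.

function login(PDO $db, string $username, string $password): bool
{
    // Parameterised query: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so the response
    // time does not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummy);
    if ($row === false || !$ok) {
        return false;
    }

    // The credentials were needed once, to verify. Neither one is stored:
    // the session holds an id the server chose, nothing the attacker could
    // replay elsewhere. A fresh session id also defeats fixation.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => (int) $row['id'], 'login_at' => time()];
    return true;
}

function current_user_id(): ?int
{
    // Later requests look for the id the server put there, not for a
    // username/password pair that a hijacker could read back.
    return $_SESSION['user_id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Usage: an in-memory SQLite user store so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

session_start();
var_dump(login($db, 'alice', 'wrong'));
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(current_user_id());
var_dump(isset($_SESSION['password']));
logout();
```

On a shared host the session files themselves are the weak point: with the default file handler every site's sessions land in the same /tmp, readable by any other account on the box. Point session.save_path (via ini_set() before session_start(), or in the site's php.ini) at a directory only this site's user can read, and the "very easy on a shared host" case gets considerably harder.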
Filed under: rants | 1 Comment »