I can vouch for this - my scout leaders used to hate it when we did "Drink as much cola as you can right before bedtime" contests. I always was out like a light. Everyone else was wired.
I also have some allergy medicine, and was warned not to take it less than 3 hours before bed if I wanted to sleep. I have a hard time staying awake 15 minutes.
Ok, you're driving the speed limit on a two lane road, which is 55 mph. You're being stupid driving that fast while it's raining, but you feel like you can handle it. You start to hydroplane, and run into a car going 100mph, and hit them head on. You spend a few days in the hospital. When you get out, you get 20 to life for vehicular homicide because his car didn't have a black box and yours did. It's just too bad that although your _wheels_ were going
95mph, you were only doing 55. When the ADR is read, it looks like you were doing 95, and he was doing 60. Fun stuff.
By "underlying OS", they probably are referring to Aqua (as most of the darwin stuff is irrelevant to a browser anyway). Aqua is owned by Apple, and closed source, much to the dismay of many potential OSX for Linux on x86 users.
Grsecurity has released a version for 2.4.21. I highly recommend it, especially for production environments with multiple users. I have found the ability to limit outgoing sockets by group invaluable.
1-4GB a month????? I pay $39.99 US, and I get 3GB a day (and I use it too). Is some of it kazaa and other p2p stuff? Of course, but lots of it is streaming videos (launch.com, etc), or downloads of perfectly legit software. For example, I got about 2GB of half-life mods yesterday.
I pay $100 for 1mb/sec for my server, or something like 400GB/month. I use that too. You may not notice the loss; a lot of people with less restricted broadband use it a lot more.
I said it's a strength, because some people use it that way. That being said, I _do_ seperate the text and the code, and in fact, most of my pages consist of little more than
<?php include ('includes/common.inc'); setTheme('themes/mytheme.theme'); pageHeader('Page Title'); pageMenu(); ?> Some HTML Here (with openTable(),closeTable(), and other builtin functions thrown in. <?php pageFooter(); ?>
I get very crisp, clean, easy to read pages, that take minutes to write (yeah, I do have to add entries to includes/menu.inc), and output perfect xhtml 1.0 transitional with css2 (excluding bad html in the body). I have over 50 themes I have done that use this system. Just because some people aren't up to doing a large-scale web application doesn't mean they should have to go to a lot of trouble to write trivial things.
What if someone simply wants the current date and time on their page? Or put the remote IP in a hidden field to read when it's in the google cache. Isn't a little mixing worthwhile when the project is small? That's a strength, not a weakness. People writing bad or ineffecent code is not the fault of PHP.
Re:Obligatory Smarty plug
on
PHP Cookbook
·
· Score: 1
I've tried smarty, for most things it isn't needed (although, I will it admit that the dropdown creation script is useful at times), and I won't accept the (minimal) overhead. I also work with other PHP developers, and I want my code to be readable by _any_ php developer, not just people familiar with smarty.
Security basics aren't that hard, just remember a couple of very simple rules.
1. If you allow user input, let PHP do it's job and automatically escape it. Don't count on php having magic_quotes_gpc set, simply run "ini_set(magic_quotes_gpc, 1);".
2. When doing an include() or opening a filename that includes part of a user submitted variable, make sure you clean any user input (check google for examples) user input, to prevent them from specifing a php script by http.
3. When using forms or cookies, avoid using the generic $variable. Use the specific $_GET['variable'] or $HTTP_GET_VARS['variable'] instead.
Those simple solutions should stop nearly any common mistake you may make.
This actually isn't necessarily as hard as it sounds. Find the offending bytecode (as in, compare the compiled apps if the source is not available to both, and compare). This is a pain, and the effectiveness depends on how well the stolen source was masked, but it can be very _very_ effective. Find it, then have the author transfer the copyright to a nice big company.:) If this sort of comparison weren't possible, the GPL would be largely unenforcable.
"I predict we'll either see show quality decline or cable costs go up."
Cable prices might go up, but I have a hard time envisioning show quality actually managing to take a turn downward.
Re:Kiss and say goodbye to Java language!!
on
PHP Cookbook
·
· Score: 1
Then use the Alternative PHP Cache, and get that speed up another 25-400% (depending on the size and complexity of your program. Eat that, java.
Re:PHP most pervasive? PERL
on
PHP Cookbook
·
· Score: 1
function usual_slashdot_activity () { while ($phpzealots == "annoyed") { utter($meaningless_nonsense); } }
That wasn't so hard, was it?
Re:PHP Security
on
PHP Cookbook
·
· Score: 4, Insightful
The security problems usually aren't the problems of php, it's the developer's problems. PHP is one of the most newbie friendly web development languages out there. For heaven's sake, it even escapes user inputted strings FOR YOU. That stops most sql exploits, shell string exploits at the door. What happens is that some newbie who hasn't taken the time to read the documentation does something dumb like include($_GET['filename']); While this is a exploitable situation, how many CGIs have been exploited because the author failed to strip/escape user input?
PHP has a couple of common mistakes, but I'm far more apt to trust an inexperienced PHP programmer over an inexperienced Perl programmer, as far as secure code goes.
Re:More PHP
on
PHP Cookbook
·
· Score: 4, Interesting
/. itself may not be, but PhpSlash is. Also, I suspect the reason the slashdot crowd likes PHP so much is due to (among other things) a couple of reasons:
1 - It lets you mix html and code in. Sure, it's not the only language that lets you do it, but it's still a strength.
2 - It's free, open source (zend crap excluded)
3 - Microsoft hates it. That's always a plus.
4 - It's increadibly flexible and forgiving. Coming from a c background, this is one of it's most useful features to me. As far as I can tell, most programmers are inherantly lazy; They don't want to work harder than necessary to do a good job. In PHP, types are incredibly loose. If you want to use a string as a integer, a float, and a string all in the same line, you don't have to cast it. It just does it, and the incredibly vast majority of the time, it does just how you expected it to. Why can't C be that smart?
As a web developer, php has been a real life saver.
It would take a whole lot of perl code to achieve the same functionality that can be accomplished in 200 well-written php code. (Depending on what it did - it's based off my personal experiences).
In addition, the ability to mix and match html/php on a cross-platform programming language, as well as write scripts that also run on the command line is worth it's weight in gold (note to people who don't understand that saying, it's really valuable to me). Although perl and cgi scripts can be ran from the command line, they can't have (X)HTML mixed in quite as easily.
After paypal fees, it's something like 65% of 12,000. If you are going to donate (and you should), it's courteous to donate at least $1.50, to make the fees not so bad.
If you take the time to read through the forums, in many cases the manufactures themselves posted the files on their web site. Some of them still do, some have recently been taken down (due to a person _selling_ lots of them on CDS with an emulator in an online auction).
In many cases, the manufacturers posted the binary images on the site, and depending on the license (if any) distribution _may_ not have been illegal, and direct linking _probably_ wasn't. (although, the pictures used by the emulators are infringing on copyright).
Or, they could do something dumb like allocate a 256 character buffer, then actually let 256 characters be entered in (null termination assumed here). And, since it would be digitally signed (to prevent tampering, of course), changing it would break all the apps. It would be rather appropriate to exploit the palladium "secure" subsystem by using palladium itself to load arbitrary code to the secure area.
By accessable, I am referring to the outside (host) environment. It may work as a nice way of controlling external connections; however, it will not work when the entire environment is accessable (in other words, it makes a nice server, but a bad palladium replacement).
Virtual machines are inherantly insecure. Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will. Regardless of the cryptography, the process can be slowed down, stepped through, and have any protections disabled, or even reversed.
While it's a nice thought, it doesn't add too much in terms of security, a virtual machine compromised still allows access to the rest of the virtual machine. Raw harware access is not needed to wreak havoc.
I used to believe the same thing, however, over time I have realized that this approach _doesn't work_. People (as a whole) are DUMB! And while _I_ won't buy highly restrictive content, others _will_. The reality is that I don't make a very big difference. This normally wouldn't bother me except some of the content that comes out, I want. By having less restrictive, better implemented alternatives, at lease _I_ have a better chance of having some more freedoms with the content I would _like_ to see.
The system doesn't have ctrl-c set as a modifier. Furthermore, the selection window is jsut a right drag, only done once. After it's done, I don't have to select any more.
Trust me, if there was a faster way to do it, I woudl have.
Slashdot Mirror
I can vouch for this - my scout leaders used to hate it when we did "Drink as much cola as you can right before bedtime" contests. I always was out like a light. Everyone else was wired.
I also have some allergy medicine, and was warned not to take it less than 3 hours before bed if I wanted to sleep. I have a hard time staying awake 15 minutes.
Ok, you're driving the speed limit on a two lane road, which is 55 mph. You're being stupid driving that fast while it's raining, but you feel like you can handle it. You start to hydroplane, and run into a car going 100mph, and hit them head on. You spend a few days in the hospital. When you get out, you get 20 to life for vehicular homicide because his car didn't have a black box and yours did. It's just too bad that although your _wheels_ were going 95mph, you were only doing 55. When the ADR is read, it looks like you were doing 95, and he was doing 60. Fun stuff.
By "underlying OS", they probably are referring to Aqua (as most of the darwin stuff is irrelevant to a browser anyway). Aqua is owned by Apple, and closed source, much to the dismay of many potential OSX for Linux on x86 users.
Grsecurity has released a version for 2.4.21. I highly recommend it, especially for production environments with multiple users. I have found the ability to limit outgoing sockets by group invaluable.
Note to moderators, go ahead and -1 offtopic me, I have karma to burn.
I haven't done much with shell scripts, and never bothered to learn awk. It works, and that's fine for me.
1-4GB a month????? I pay $39.99 US, and I get 3GB a day (and I use it too). Is some of it kazaa and other p2p stuff? Of course, but lots of it is streaming videos (launch.com, etc), or downloads of perfectly legit software. For example, I got about 2GB of half-life mods yesterday.
I pay $100 for 1mb/sec for my server, or something like 400GB/month. I use that too. You may not notice the loss; a lot of people with less restricted broadband use it a lot more.
I said it's a strength, because some people use it that way. That being said, I _do_ seperate the text and the code, and in fact, most of my pages consist of little more than
e .theme');
<?php
include ('includes/common.inc');
setTheme('themes/mythem
pageHeader('Page Title');
pageMenu();
?>
Some HTML Here (with openTable(),closeTable(), and other builtin functions thrown in.
<?php
pageFooter();
?>
I get very crisp, clean, easy to read pages, that take minutes to write (yeah, I do have to add entries to includes/menu.inc), and output perfect xhtml 1.0 transitional with css2 (excluding bad html in the body). I have over 50 themes I have done that use this system. Just because some people aren't up to doing a large-scale web application doesn't mean they should have to go to a lot of trouble to write trivial things.
What if someone simply wants the current date and time on their page? Or put the remote IP in a hidden field to read when it's in the google cache. Isn't a little mixing worthwhile when the project is small? That's a strength, not a weakness. People writing bad or ineffecent code is not the fault of PHP.
I've tried smarty, for most things it isn't needed (although, I will it admit that the dropdown creation script is useful at times), and I won't accept the (minimal) overhead. I also work with other PHP developers, and I want my code to be readable by _any_ php developer, not just people familiar with smarty.
Security basics aren't that hard, just remember a couple of very simple rules.
1. If you allow user input, let PHP do it's job and automatically escape it. Don't count on php having magic_quotes_gpc set, simply run "ini_set(magic_quotes_gpc, 1);".
2. When doing an include() or opening a filename that includes part of a user submitted variable, make sure you clean any user input (check google for examples) user input, to prevent them from specifing a php script by http.
3. When using forms or cookies, avoid using the generic $variable. Use the specific $_GET['variable'] or $HTTP_GET_VARS['variable'] instead.
Those simple solutions should stop nearly any common mistake you may make.
This actually isn't necessarily as hard as it sounds. Find the offending bytecode (as in, compare the compiled apps if the source is not available to both, and compare). This is a pain, and the effectiveness depends on how well the stolen source was masked, but it can be very _very_ effective. Find it, then have the author transfer the copyright to a nice big company. :) If this sort of comparison weren't possible, the GPL would be largely unenforcable.
"I predict we'll either see show quality decline or cable costs go up."
Cable prices might go up, but I have a hard time envisioning show quality actually managing to take a turn downward.
Then use the Alternative PHP Cache, and get that speed up another 25-400% (depending on the size and complexity of your program. Eat that, java.
function usual_slashdot_activity () {
while ($phpzealots == "annoyed") {
utter($meaningless_nonsense);
}
}
That wasn't so hard, was it?
The security problems usually aren't the problems of php, it's the developer's problems. PHP is one of the most newbie friendly web development languages out there. For heaven's sake, it even escapes user inputted strings FOR YOU. That stops most sql exploits, shell string exploits at the door. What happens is that some newbie who hasn't taken the time to read the documentation does something dumb like include($_GET['filename']); While this is a exploitable situation, how many CGIs have been exploited because the author failed to strip/escape user input?
PHP has a couple of common mistakes, but I'm far more apt to trust an inexperienced PHP programmer over an inexperienced Perl programmer, as far as secure code goes.
/. itself may not be, but PhpSlash is. Also, I suspect the reason the slashdot crowd likes PHP so much is due to (among other things) a couple of reasons:
1 - It lets you mix html and code in. Sure, it's not the only language that lets you do it, but it's still a strength.
2 - It's free, open source (zend crap excluded)
3 - Microsoft hates it. That's always a plus.
4 - It's increadibly flexible and forgiving. Coming from a c background, this is one of it's most useful features to me. As far as I can tell, most programmers are inherantly lazy; They don't want to work harder than necessary to do a good job. In PHP, types are incredibly loose. If you want to use a string as a integer, a float, and a string all in the same line, you don't have to cast it. It just does it, and the incredibly vast majority of the time, it does just how you expected it to. Why can't C be that smart?
As a web developer, php has been a real life saver.
It would take a whole lot of perl code to achieve the same functionality that can be accomplished in 200 well-written php code. (Depending on what it did - it's based off my personal experiences).
In addition, the ability to mix and match html/php on a cross-platform programming language, as well as write scripts that also run on the command line is worth it's weight in gold (note to people who don't understand that saying, it's really valuable to me). Although perl and cgi scripts can be ran from the command line, they can't have (X)HTML mixed in quite as easily.
"(12000 /.'ers X $1 each)"
After paypal fees, it's something like 65% of 12,000. If you are going to donate (and you should), it's courteous to donate at least $1.50, to make the fees not so bad.
However, it only takes 3 guys with some modpoints, an agenda, and a bad attitude to wreak some karma havoc.
If you take the time to read through the forums, in many cases the manufactures themselves posted the files on their web site. Some of them still do, some have recently been taken down (due to a person _selling_ lots of them on CDS with an emulator in an online auction).
In many cases, the manufacturers posted the binary images on the site, and depending on the license (if any) distribution _may_ not have been illegal, and direct linking _probably_ wasn't. (although, the pictures used by the emulators are infringing on copyright).
Or, they could do something dumb like allocate a 256 character buffer, then actually let 256 characters be entered in (null termination assumed here). And, since it would be digitally signed (to prevent tampering, of course), changing it would break all the apps. It would be rather appropriate to exploit the palladium "secure" subsystem by using palladium itself to load arbitrary code to the secure area.
By accessable, I am referring to the outside (host) environment. It may work as a nice way of controlling external connections; however, it will not work when the entire environment is accessable (in other words, it makes a nice server, but a bad palladium replacement).
Virtual machines are inherantly insecure. Because the internal virtual address space is accessable externally, it can be modified, tampered with, or viewed at will. Regardless of the cryptography, the process can be slowed down, stepped through, and have any protections disabled, or even reversed.
While it's a nice thought, it doesn't add too much in terms of security, a virtual machine compromised still allows access to the rest of the virtual machine. Raw harware access is not needed to wreak havoc.
I used to believe the same thing, however, over time I have realized that this approach _doesn't work_. People (as a whole) are DUMB! And while _I_ won't buy highly restrictive content, others _will_. The reality is that I don't make a very big difference. This normally wouldn't bother me except some of the content that comes out, I want. By having less restrictive, better implemented alternatives, at lease _I_ have a better chance of having some more freedoms with the content I would _like_ to see.
The system doesn't have ctrl-c set as a modifier. Furthermore, the selection window is jsut a right drag, only done once. After it's done, I don't have to select any more.
Trust me, if there was a faster way to do it, I woudl have.