Messages - Arantor
7186
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 05:48 PM »
And you're explicitly distrusting the original contents in favour of something more reliable. ;)
7187
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 01:26 PM »
SMF ditches COOKIE from REQUEST. With good reason: minimising data taint. People who are not tech savvy invariably use REQUEST for everything. I know I did when I first came to PHP.

Consider, for a moment, the implications of using REQUEST for everything. You cannot verify the source of anything, the very first line of defence against CSRF is gone, and if you're using REQUEST rather than COOKIE you even risk adding session fixation to your vulnerability list, just for starters.

Forcing users to use GET and POST, rather than an ambiguous source, is a nice step, though honestly I'd love to see a proper taint detection method such as in Perl, where you explicitly can't do anything to input without some kind of sanity check first.
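
An added illustration of the post above, not part of the original post and not SMF's own code: it contrasts a merged REQUEST-style array with reads from one explicit source. The helper names, the `sess` key and the sample arrays are constructed for the example, and the GET, POST, COOKIE merge order is an assumption, since PHP takes it from `request_order` / `variables_order`.

```php
<?php
declare(strict_types=1);

// Constructed sample input: one request carrying the same keys in three places.
$get    = ['action' => 'delete', 'sess' => 'id-from-url'];
$post   = [];
$cookie = ['sess' => 'id-from-cookie'];

// Hypothetical helper: a merged view of all three sources, later sources winning.
// Assumed order; the real one depends on request_order / variables_order.
function merged_request(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Hypothetical helper: rebuild the merged view without cookies (POST wins over GET).
function filtered_request(array $get, array $post): array
{
    return $post + $get;
}

// Hypothetical helper: read a scalar string from exactly one named source.
function from_source(array $source, string $key): ?string
{
    return isset($source[$key]) && is_string($source[$key]) ? $source[$key] : null;
}

// Hypothetical helper: a state-changing action is only honoured from a POST body.
function state_changing_action(string $method, array $post): ?string
{
    return $method === 'POST' ? from_source($post, 'action') : null;
}

$merged = merged_request($get, $post, $cookie);

// The merged array cannot say where 'action' came from: here it is the query string.
var_dump($merged['action']);

// The same request arrived by GET, so the source-aware check refuses the action.
var_dump(state_changing_action('GET', $post));

// With cookies filtered out, 'sess' in the merged view is the URL value, so a
// session identifier has to be read from the cookie array itself.
var_dump(filtered_request($get, $post)['sess']);
var_dump(from_source($cookie, 'sess'));
```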
7188
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 11:40 AM »
Um, no it shouldn't. REQUEST out of the box would normally be GET, POST and COOKIE. And therein is the reason why REQUEST is unsafe without pre-filtering like SMF does.
7189
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 01:43 AM »
Oh, well, I came from ASP Classic prior to PHP, so the REQUEST concept was nothing new. What I like is that SMF explicitly sanitises REQUEST regardless of anything else, so it honestly makes no difference for SMF or Wedge for this fork.
7190
Off-topic / Re: A PHP fork?
« on June 16th, 2011, 01:32 AM »
And that's something I think is quite good ;)
7191
Off-topic / Re: Does anyone else love mechanical keyboards?
« on June 15th, 2011, 07:54 PM »
Cool, thanks.
7192
Off-topic / Re: A PHP fork?
« on June 15th, 2011, 07:53 PM »
If you read what he has to say, though, he'd love to contribute this stuff to 5.3/5.4 but the powers that be are kicking stuff back - if I contribute a patch to something, I don't expect to have to wait a year for it to be evaluated. This did, unfortunately, happen with SMF (though it was more like 6 months rather than a year).

Yes, PHP 6 needs a fresh build and that's not where he's going, but he acknowledges that fact - it is more about raising awareness right now.
7193
Off-topic / Re: Does anyone else love mechanical keyboards?
« on June 15th, 2011, 07:44 PM »
The Model M was a hand-me-down. I'm going to be looking for a new keyboard so I might try the Cherry.
7194
Off-topic / Re: Does anyone else love mechanical keyboards?
« on June 15th, 2011, 07:30 PM »
I can only relate from my experience and given that I'm a heavy handed typist, that combined with an IBM Model M keyboard (that big-ass scary thing with fully mechanical switching), tired my hands out after an hour or so.
7195
Off-topic / A PHP fork?
« on June 15th, 2011, 07:29 PM »
http://www.xarg.org/2011/06/php-hacking/

I'm staring at this and quietly thinking 'why in god's name weren't some of these implemented in PHP itself?'

I mean, [] syntax for arrays, various string/array enhancements and optimisations. Plus he really took some brave moments with forcibly kicking out register-globals and magic quoting instead of them being deprecated. And, for the love of all things holy, he's made UTF-8 the default! (About fucking time. ISO-8859-1, or CP1251, or other character sets... not default.)

I'm not sure about this being really deployed (I think PHP is perhaps too entrenched at the moment) but it does feel like he's doing it because he's frustrated with the way PHP is being developed - and doesn't that sound familiar? ;)
7196
The Pub / Re: Separating wma and wmv formats
« on June 15th, 2011, 07:12 PM »
Yeah, I see where you're coming from - which is why I'm suggesting making it be optional for the player type.
7197
The Pub / Re: Separating wma and wmv formats
« on June 15th, 2011, 07:04 PM »
It might be nice to be able to offer both small and large+spectrum visualiser options through the media bbcode.
7198
Off-topic / Re: Does anyone else love mechanical keyboards?
« on June 15th, 2011, 07:02 PM »
While my fingers love the physical feedback, they don't love how tiring they are.
7199
Off-topic / Re: Salary in web development
« on June 15th, 2011, 01:42 PM »
Yup, yearly.
7200
Off-topic / Re: Salary in web development
« on June 15th, 2011, 01:01 PM »
Well, about a year ago I applied for a full time PHP developer position in London, and the salary there was £34,000. Even allowing for it being in London where salaries are considerably higher (locally to me the equivalent would be about £26,500), that's about par for the course. (Note those figures are GBP not USD, add 40-50% on top for USD equivalent)

What you have to remember with salaried, though, is that the money isn't the only thing. The people you work with, work-life balance, these are important too. When I used to work for a large mortgage company, I turned down promotion to team leader more than once because I knew if I did, I'd end up working plenty more hours trying to sort out clusterfucks and not get paid overtime for it, and given that then I was already out the house at 5.30am, to be in work by 8am, leaving at 4.30pm, home at 7pm, any more hours and I wasn't interested.