I would recommend reading "Software Estimation: Demystifying the Black Art" [http://www.stevemcconnell.com/est.htm]. When estimates are created, there are many tasks besides "programming" that need to be done that are totally forgot about in the estimates and thus throws things off from the very beginning. We have to admit from the beginning that it is an estimate and is hinged with certain unknowns. If the unknowns are cleared up, we can be more accurate with our quoting (this is why requirements gathering should be done with careful attention). Also, since the estimates are just that, they need to not just be a number, but more of a range (if you have to give a number, choose the far end and be sure that you are confident that it can be accomplished by then - with a minimum of 90% certainty - and give the confidence with the estimate). One thing that I have learned is that I never negotiate on estimates/price, I only negotiate on functionality. If a manager/client wants it quicker/cheaper/less hours, fine, but I'm not going to change the number unless the functionality changes or more unknowns are cleared up (helping me to quote more accurately).

I think that the statement was completely taken out of context. To quote the FireFox developers on their blog https://wiki.mozilla.org/Firefox/Sprints/Windows_Theme_Revamp/Direction_and_Feedback:

I think the point was that Windows is getting rid of the menubar, in favor of the contextual strip or Office Ribbon, not that FireFox is going to use the ribbon in their design. They are simply trying to improve the interface and make it more like the competitors, IE and Chrome (who have come up with some novel ideas to improve the interface). If Windows is not going to have the menubar, then FireFox will look completely out of the times if they continue with it (whether the users on here like it or not).

Oh. So apparently "The Sunlight Foundation" is another name for the government now?! I think that I missed the part where this was under any presidential office.

Image this happening under the Obama office. Nope, I didn't think you could.

P.S. I *am* a fanboi of keeping the money that I earned.

I find that a lot of times managers like to feel important, so they force you to sit in a meeting where they tell you everything that they are working on and want to tell you way more than you need to know. There is nothing I hate more than being interrupted when I am developing some code to sit in a meeting, and then find out that I didn't need to be there at all and now my time was just completely wasted...

Lois McMaster Bujold

I think that I must be the only person who actually read the paper. The point of the author is not that we don't need good passwords, but rather that we would gain much more security out of making the user ids strong. The individual talked about all of the ways that accounts can be broken into and talked heavily about the method of bulk guessing accounts. If the site's user ids are very dense (meaning that the unused input space is little), then the chances of a break in are much more likely (like in the case of site generated user ids that are sequential). This is because the input space for passwords is only so large, and it is very likely that 1 in 1,000,000 users will have a random password. The research talked about how in order for this to be true, the site has to have a large amount of users (like a national bank chain). The author even mentions that it doesn't matter if the user writes his/her strong user id down, as it is only a portion of the credentials and is intended to prevent the bulk guessing of accounts. This used with stronger passwords (I should note that the author even talks about not really needing strong passwords if strong user ids are used) seems to be a good defense. It is a very interesting read, and the author brings thoughts to the table that have not really been discussed (as far as I have read). Before anyone attacks this simple synopsis of the paper, please read it to fully understand lol.

That was said in response to your previous statement:

My point was that I believe that is the case already.

While this might be correct that they both consume software, they are different markets. Not everyone using Windows will use a web browser, and not everyone using a web browser will use Windows. It is like saying that Google's search and advertising target the same customers - consumers of the Internet. Remember that the advertisers are also searchers (just wear different hats from time to time). Both instances seem to be two items that go hand in hand in people's minds today.

It could be stated that Google is stifling advancements in online advertising because the ad service is tied right in with search results (I'm not arguing that is wrong though), preventing other vendors from getting the market share on their service. To alleviate this, the EU will require Google to remove the advertisement feature from their web site and the user must choose if they want one of those services lol. I don't really think that is the problem per se. I think it is the ad service that is then sold to other web sites, which happens to be the same one used on their search site. Being that almost everyone uses google for search, they need to advertise on google. However, Google also makes money by then selling those ads to other third party sites. While I don't think this is wrong for them to do, other companies can look and claim that it is anti-competitive since this further cements their grips on the online advertising market. If someone advertises on Google, they also have the opportunity to show up on a vast array of other sites (a huge selling point). Explain how another competitor can come in to even compete? I'm not saying that Google is purposely doing so, but one has to understand that the government would need to keep an eye out to ensure that they aren't.

I'm not sure I quite agree with your assessment. I believe that there is a very large barrier to entry for someone to compete with google. Even if some other company could somehow develop a competing algorithm (which is pretty unlikely due to all of the PhDs google employs and the decade head start - their only real threats have failed time and time again), they also have to have the technology infrastructure to handle the load. There is more to the search engine than other web applications. I'm not so sure that the fact that they have a great search engine is the concern. I believe the tie-in with that and the ad service is what is seen as the monopoly behaviors. They pretty much dominate the search so much that there really is not a reason to even market that much on any other search engines (stifling competition in the online advertising sector). So now, anything that they do to increase their market share in the online advertising sector is questionable if they are doing it to hinder competition or better a product. It is the same argument that Microsoft is trying to say with the browser tie-in with the operating system. They say that you can simply download and install another one if you so desire... after all, it is just a click away in the browser.

You know, I'm not quite sure that will work on non-mobile/non-touch screen devices too well. The average slashdotter (and anyone growing up in the modern generations) most likely types too fast for that to even really register in their brain as the letters turn to asterisks too quickly. I think that hen peckers are the only ones who would really gain any advantage out of that. That is why it is so successful on the iPhone, you have no choice but to hen peck.

Saying that a user should not be able to put in html is a cop out. As a versed software engineer, you should be completely perfect with parsing data and validating it. In fact, if you have a degree from a university (which I'm assuming that you do), you should have had to deal with grammars in one of your classes. It sounds like you don't recognize the need for this, as you are most likely not what one would classify as a "web developer". That is fine, but some applications require the use of this. One very realistic example is a CMS controlled by a company. They need this type of control. Creating your own language (bbcode or wiki-code) defeats the purpose of the standards that are out there (HTML), especially to the extent that a CMS needs.

Well, you attempted to fix your problem in this response but my first statement is correct. mysql_escape_string does have some problems. You have to use mysql_real_escape_string to be sure if you are inserting binary data into the database as there can be potential injection attacks done otherwise.

If you think that most PHP developers are extremely bad, I think that you need to look around at all developers. You find really bad code in all languages, and pretty often (go to thedailywtf.com for some examples). I would hardly look at my fellow developers (you know the real ones...) building frameworks like Drupal and call them extremely bad. You can say this is a minority, but I think that you are sadly mistaken, especially if you think this "Web 2.0" thing is a hype. Wait a few more years and look at the technology that is built around the web browser (regardless of the back-end technology).

PHP has won out as the language of choice on the web, its a fact. PHP is not what it used to be, prior to version 5.2. It is a robust language that can create very rich and scalable Internet technologies. I work with Fortune 500 companies who are completely satisfied with using PHP over Java. A "serious developer" should be comfortable in any language (whether PHP, Java, Ruby, Python, etc.). In fact a "serious" web developer must be versed in many languages, as they piece together systems in different languages.

Unfortunately you are incorrect at how easy it is to prevent these issues. In some examples, you want the input to come through as HTML that is allowed to be displayed back to the end users. An example of this is MySpace.com (or even the commenting system here). Do you remember the Samy worm that crawled through their system? The techniques you have given would not have worked. An advanced parser that validates the input is necessary to prevent that (by stripping out the bad portions of the data). I was tasked with creating such a parser for a website I worked on (emerciv.com) to prevent the XSS attacks like that from occurring (and also the problem with invalid HTML that can break page flow). Furthermore, mysql_escape_char is not the industry preferred method of preventing MySQL injection attacks as it still allows some to occur; the preferred method is to use PDO. You might want to study up on those...

Oh, and by the way, I am a software engineer (finishing up my Master of Science in Software Engineering with a focus on Knowledge and Information Engineering from the University of Michigan's Dearborn campus at the end of the summer and have been asked by the Electrical and Computer Engineering department chair to create new curriculum for the undergraduates in interactive web development, and will be teaching it as well) and I consider myself a PHP developer (amongst other languages) and take offense to that ;)