
Comment Re:PHP (Score 5, Informative) 193

This is not a PHP thing, but a bad-developer thing.

I guess you didn't read past my first paragraph? Please do.

You can write the same crap in Java, .NET, Python or any language you want.

Go and search the web for tutorials in those languages. You will find that the situation is vastly better with these languages compared with PHP.

That's not PHP's fault.

It is - on many fronts.

Firstly, the language promoted, for many, many years, a confusion between the various layers of the application. The whole magic quotes nonsense was an attempt to fix a problem relating to the database layer in the HTTP layer. This confused PHP developers for over a decade, and even though it has since been removed, it was in there for so long that an entire generation of PHP developers had their brains twisted out of shape with this confusion.

Secondly, the official documentation was super bad for years. Security vulnerabilities in the official tutorial for years, for example.

Thirdly, the API design is so bad it practically pushes unsuspecting developers into the wrong solution. addslashes()? No, use mysql_escape_string(). Oh wait, wasn't that mysql_real_escape_string()? Or perhaps mysql_really_really_i_promise_to_do_it_right_this_time_escape_string()?

Finally, the PHP community right from the very top embraces shitty practices, like ignoring failing tests in a release build. Again, a source of security vulnerabilities that simply doesn't need to happen.

Yes, you can write bad code in any language. But that doesn't mean that all languages are equal. PHP is far, far worse at this than its contemporaries and you shouldn't make excuses for it.

Comment PHP (Score 4, Interesting) 193

So why, in 2015, is SQLi still leading to some of the biggest breaches around?

Because typical PHP tutorials still teach old, broken ways of doing things and this shows no signs of abating. Go ahead and search the web for things like php mysql tutorial. The top hits are crap like this, written by incompetent developers who don't know what they are doing. PHP developers learn from crap like that, then they go on to write their own tutorials that are the same or worse.

And before you start, yes, this is something where PHP is stand-out bad. Go ahead and try the same searches with other languages. There is a vast difference in quality of learning materials. I mean, PHP had XSS vulnerabilities in its official tutorials until relatively recently. Newbies don't stand a chance in those circumstances.

Comment Won't work (Score 3, Insightful) 74

test it to see if it is actually the type of file that its file-name extension claims it is.

This won't work because a file can be a valid file in multiple formats at once and it can also be an invalid file that is nevertheless interpreted as a valid file as well.

Take, for example, a plain-text file. Harmless, right? Nope. It can also be a valid HTML file containing executable JavaScript. Or an XML file containing a billion laughs attack.

Or take media type sniffing. Some browsers bend over backwards to interpret crap as HTML even when labelled otherwise by the Content-Type HTTP header. So one attack is to stuff enough HTML into PNG metadata to confuse a browser that doesn't follow the standards into thinking that it's HTML. This is a valid PNG file and anything that checks to see if it's really a PNG file will tell you that much. But it's still not safe.
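The PNG case described above, worked through as an added example (this is not code from the post): it constructs a small, structurally valid PNG whose tEXt chunk carries an HTML fragment, shows that a signature-and-CRC "is it really a PNG?" check accepts it, that a crude content sniffer still sees HTML, and that re-serialising only the critical chunks is one mitigation. The sniffing heuristic, the chunk set and the payload are all constructed assumptions.

```python
import struct
import zlib

# Constructed sample, not from the post: a minimal valid 1x1 PNG whose tEXt
# chunk carries an HTML fragment, so structure checks pass but sniffing sees HTML.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}  # assumed keep-list for stripping

def chunk(ctype: bytes, data: bytes) -> bytes:
    # Serialise one PNG chunk: length, type, data, CRC over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(text_payload: bytes) -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 px, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")             # filter byte + pixel
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00" + text_payload)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

def parse_chunks(data: bytes):
    """Yield (type, data) for every chunk; raise on bad signature or CRC."""
    if data[:8] != PNG_SIG:
        raise ValueError("bad signature")
    pos = 8
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in " + ctype.decode())
        yield ctype, body
        pos += 12 + length

def is_valid_png(data: bytes) -> bool:
    """The kind of 'is it really a PNG?' check the parent comment suggests."""
    try:
        types = [t for t, _ in parse_chunks(data)]
    except (ValueError, struct.error):
        return False
    return types[:1] == [b"IHDR"] and types[-1:] == [b"IEND"]

def looks_like_html(data: bytes) -> bool:
    # Crude stand-in for a sniffing browser: HTML-ish tag in the first 512 bytes.
    head = data[:512].lower()
    return b"<html" in head or b"<script" in head

def strip_ancillary_chunks(data: bytes) -> bytes:
    """Mitigation: re-serialise keeping only critical chunks (drops tEXt etc.)."""
    return PNG_SIG + b"".join(chunk(t, d) for t, d in parse_chunks(data) if t in CRITICAL)
POLYGLOT = build_png(b"<html><script>/* constructed marker */</script></html>")
```

Serving user-supplied files with `X-Content-Type-Options: nosniff` and a correct Content-Type addresses the browser side; stripping metadata addresses the file side.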

Comment Re:Apple no longer looks as paranoid as it did. (Score 1) 69

Previously, they did not permit the use of third party libraries in your application; everything had to be built or sourced by you, because there's no intermediate library signing and vetting process that Apple can do on your behalf. They relaxed this when developers screamed like a stuck pig.

This has never been true and the bit about developers screaming like pigs is pure fantasy.

Perhaps you're getting it muddled up with the fact that iOS didn't support dynamically linked libraries? In any case, not many developers cared, we all just used statically linked libraries.

Comment Re:And we believe Gartner? Why? (Score 5, Informative) 113

They are so hilariously wrong so often you could build a successful career out of assuming they will be wrong about everything. A selection of their idiocies:

Comment Re:Let's get this out of the way (Score 1) 447

Sure, if you personally break the law, then you personally are liable.

couldn't you make the case that it was an act of criminal negligence

No. Criminal negligence doesn't simply mean "they did something that upset people". What makes you think they are doing something criminally negligent? What are they negligent of, and what makes it criminal?

Comment Re:Source control? (Score 1) 88

I can't think of anything in iOS 9 that should have touched code like this, which makes me wonder about the state of source control.

Why? Source control doesn't prevent regressions. Besides, they've clearly been working in this area for iOS 9; see the new network extension points, for example.

Apple have had a few regression-type bugs before which again make me think their branching/merging strategies may not quite be up to snuff.

This doesn't even seem remotely related to branching/merging. To be blunt, it sounds like you're just learning source control and are seeing it everywhere.

anyone know of a changed area in iOS 9 that would have necessitated playing with something like this?

Read What's New in iOS. They update it every time they release a new version and it describes what's changed.

Comment Re:Congratulations Apple! (Score 1) 191

You have finally realized that your touchscreen controller actually provides a pressure strength and are able to hype it up like it's revolutionary.

Right now, Apple haven't said a word on the matter, let alone "hyped it up like it's revolutionary". There is zero confirmation from Apple, this is just a blog article based on a rumour.

Comment Re:I hate and despise - but they should still be s (Score 1) 818

You fail to understand the difference between a legal principle, such as the First Amendment, and a moral principle, such as Free Speech.

I understand it just fine. The parent commenter does not. He was talking about outlawing the flag.

The First Amendment is a legal enactment of the moral principle.

No, if the First Amendment were a legal enactment of the moral principle you describe, it wouldn't stop at restricting the government's right to curtail speech. It would compel Apple to publish this material. It does not. Ergo, the First Amendment is not a legal enactment of the principle you describe. It doesn't go anywhere near as far.

Apple's suppression of the Confederate flag, and Civil War video games, and silly TV shows set in the South, is evil.

Nobody has the right to force Apple to use their resources to publish material that they don't want to publish. And Apple choosing not to publish something is not the same thing as them suppressing it. You want the Confederate flag, you can get it from other places. Free speech is not about forcing somebody else to publish your crap.

Comment Re:I hate and despise - but they should still be s (Score 3, Insightful) 818

This is a country founded on the idea of Free Speech.

Your country was founded on the principle that the government should not stop anybody from speaking. It wasn't founded on the principle that corporations must be compelled to distribute other people's material regardless of content. Apple are not obligated to publish this material.

Much better than outlawing their vile ideas

Nobody is outlawing anything. This is an example of a business choosing not to publish something.
