Comment Re:Every language is unsafe. (Score 2) 145

is it generally safe to store them in a .htaccess-restricted folder provided that the filename has been cleansed of path separators

The htaccess restriction is important to prevent one of the other leading causes of PHP vulnerability: Allowing someone to upload a valid jpeg with a .php file extension in an image field and not checking the file extension before putting it somewhere someone can request <img src="profilepics/pwnme.php"> from the server. In fact, don't try to cleanse the filename. Just assign it one yourself. Keep the original filename in a database (aware of SQL injection) if you think someone will completely flip out if they can't find out what the file was named, and keep userpic12345.[extension as determined from content].

Part of the reason why PHP is such a large gun for shooting yourself in the foot is that it mixes content and code by design, so you have to have a few extra precautions when accepting content from somewhere else that it doesn't have unwanted code mixed in. Some of the precautions are basic PHP (like "include() is not how you read a file"), others take a little more awareness of the entire environment (like "the webserver will happily execute anything anyone uploads with a php extension in a folder accessible from the web").

Comment Every language is unsafe. (Score 4, Insightful) 145

It's just that PHP has managed to attract a huge number of absolute retards who do things like evaluate image files (it WAS an image file you uploaded, right? It ended in .gif, right? So it's totally an image file and I shouldn't even be bothered to verify the contents because nobody would ever upload php code ending in .gif) in order to dump the contents out to the browser instead of using ANY of the multiple functions or methods to do just that securely.
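The two comments above describe the same upload handling rule from both sides: never trust the client's filename or extension, decide the type from the bytes, assign a server-chosen name, keep the original name only in the database behind a prepared statement, and make sure the web server will not execute anything in the upload directory. The following PHP is an added example written for this page, not code from either commenter; the directory name, the MIME allow-list and the database table are assumptions chosen for illustration.

```php
<?php
// Added example (not from the Slashdot comments above): a profile-picture
// upload handler that follows the advice in those comments. The directory
// profilepics/, the allow-list below and the profile_pictures table are
// assumed names for illustration.

declare(strict_types=1);

// Only content-sniffed types in this table are accepted, and the stored
// extension comes from the table, never from the client-supplied filename.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Decide the extension to store a file under, based on its bytes.
 * Returns null if the content is not one of the allowed image types
 * (a PHP script renamed to .gif sniffs as text, so it is rejected here).
 */
function extensionFromContent(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if ($mime === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime] ?? null;
}

/**
 * Build a server-chosen filename. The client's name is never consulted, so
 * path separators or a .php suffix in it cannot influence where or under
 * what name the file lands.
 */
function serverFilename(int $userId, string $ext): string
{
    return sprintf('userpic%d_%s.%s', $userId, bin2hex(random_bytes(8)), $ext);
}

/**
 * Store one uploaded image. $upload is a single entry of $_FILES.
 * Returns the stored filename, or throws if the upload is rejected.
 */
function storeProfilePicture(array $upload, int $userId, PDO $db): string
{
    // is_uploaded_file() guards against being handed an arbitrary server path.
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    $ext = extensionFromContent($upload['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an accepted image type');
    }

    // Assumed destination directory. It must be served as static content
    // only; see the .htaccess in the comment below.
    $dir = __DIR__ . '/profilepics';
    $name = serverFilename($userId, $ext);
    if (!move_uploaded_file($upload['tmp_name'], $dir . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }

    // The original name is kept for display only. A prepared statement means
    // quotes or anything else in it cannot become SQL. Table and columns are assumed.
    $stmt = $db->prepare(
        'INSERT INTO profile_pictures (user_id, stored_name, original_name) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, $name, $upload['name']]);

    return $name;
}

// Contents of profilepics/.htaccess (Apache with mod_php), so that even a
// file that somehow ends up with a .php name is never run by the server:
//
//   php_flag engine off
//   RemoveHandler .php .phtml
//   RemoveType .php .phtml
//   <FilesMatch "\.ph(p[0-9]?|tml)$">
//       Require all denied
//   </FilesMatch>
```

The content check and the server-chosen name make the client's filename irrelevant to what is stored; the .htaccess is the second, independent layer the first comment calls important, so that a mistake in the handler still cannot turn the upload directory into a place where scripts execute.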

Comment Re:Good (Score 1) 476

You're saying that in so far as the iron was unmined, and as such, the actual quantity / quality unknown, the people who accepted it as collateral should not have?

Assuming that the poster isn't exaggerating, perhaps they should have asked to see a business plan, considered the history of the mining company to judge their ability to extract the ore, considered the fact that the company is the king's crony should anyone dare call to collect, etc. You know, things that require research and footwork, that can't be spit out by an algorithm.

essentially it's a bluff on a good day, a fraudulent transaction on a bad day

The only way for anyone to find out would be for the company to fuck up a trade and lose money. As long as they can pay back their loans it won't matter to any of their lenders if the iron never leaves the ground. The fun begins when the lenders try to collect, I'd guess the mining company would just hand them shovels and tell them to get to work.

Comment Re:Good (Score 2) 476

not the financial system

The "financial system" allowed them to claim iron underground as a valuable asset even if there were no plans or way to monetize it. The people giving this company money on this basis done fucked up, pets.com style, no matter how you look at it.

If the "financial system" is there to separate fools and their money, then it's working as designed.

Comment Re:GTFU (Score 1) 814

Yep. There are some great sites out there that discuss things like this. I end up pulling out this one on a regular basis and have a read through all the comments by people who write useless shit software where it doesn't matter if they have anything correct, raging at the guy for suggesting that they should work a little harder to make something better ("Think of how much money we'd have to spend! We've got no budget for changing char(10) to varchar()!!1! Rawwwwrr!")

There's another good one about time, but nobody rages about anything in it, except for people who insist on storing future events in GMT without the local timezone, and I think they all committed suicide when the government changed DST and they couldn't figure out when their times were anymore.

Comment Re:Gender shouldn't be in the DB in the first plac (Score 1) 814

Apart from medical databases, there are no good reasons (imho) to store the gender of a person

really? you can't think of one good reason?

Really? You can't even read the post?

BTW the reason everyone has a gender is so a computer can send you your junk mail with a proper salutation, Mr. Jennifer.

Comment Re:Of course. (Score 1) 749

Yeah, the time for denials is over, they fucked up the coverup hardcore. They had their shot a week ago when Google was saying "prism? what prism?" they could have said the guy faked a PowerPoint slide and is pulling one over on everyone to get his name in the news and sell books, but no, they came out and said "yeah we're doing it but we're doing it for your own good" and pushed that line hard and fast.

Comment Re:It's incredible to me (Score 5, Funny) 322

They will be laughing on the other sides of their faces when Obama's storm troopers round them up and ship them to a FEMA camp.

Why should I worry? It's not like the government is tracking every website I visit and every person I talk to, how would they know if I've even downloaded this liberator gun, much less made one?

(oh wait...)
