PHP and filepro - login lesson

Fairlight fairlite at fairlite.com
Fri Apr 13 11:15:40 PDT 2018


On Fri, Apr 13, 2018 at 11:49:57AM -0400, Richard Kreiss via Filepro-list
thus spoke:
> How many times have experienced programmers written code that had
> security flaws?

In my experience, most 'programmers' know their language, but are nearly
completely oblivious to the systems for which they're programming.  This is
extremely prevalent in the filePro community.  Lots of people can code
business applications which work fine within themselves.  However, whenever
they have to interact with anything else on the system outside filePro, the
lack of knowledge really exposes itself, often in ways which present
vulnerabilities.

I see far too many programmers in -all- languages who know only their
toolsets, but know next to nothing about the platform for which they write.
That is a road to disaster.  The percentage of such people is simply
higher in languages with low barriers to entry, largely because they don't
require you to know what you should have to know.  It's not so much filePro
specifically, so much as it is a combined mindset of laziness, lack of
curiosity or care about how things work, and a low barrier to entry which
allows you to get away with the first two -- until you're bitten by a
problem you should have known better than to create.

There are definitely positive things to be said about at least being
familiar with the concepts instilled by strongly typed languages, even if
you eventually migrate away from them for something more convenient.

> Mark, at least endeavors to make sure his coding is secure. The issue
> is how secure the tools are that one is working with. If one doesn't
> understand this, code can have security holes. Think of all of the app
> updates for smartphones that arrive almost daily. Microsoft used a piece
> of public domain software and for some unexplained reason removed the
> code which made the software very secure.

Sounds like MS.  :b~~~   (Bonus points for citing a flaw with something MS
did, Richard!)  :)

There are just plain -bad- design decisions made. fP Tech themselves (or
a prior incarnation, possibly) made one with fpCGI in v1, whereby the
parameters for the command line were all defined on the -client- side,
in the page.  That was ridiculously inexcusable.  They 'fixed' it in v2.
The 'fix' was never set to be the default mode of operation, however, so
there is still a -lot- of insecure fpCGI code out there, even under the
last version ever released (which is no longer supported).  What was also
horrible was that they had an issue with not sanitising the incoming data
before it hit the command line in v1.  After being notified of the issue
(which affected both *nix and Windows, I might add), it took over a month
to get a fix to customers, as I recall.

Yes, the core upon which you base your own work matters.  A lot.  I'm
reminded of the Spruce Goose.  It was a great feat of engineering, in
some respects.  It was also undermined by an -incredibly- bad design
decision, and the choice of the base platform (wood, in this case) made it
a basically untenable and irreparably flawed design overall.  Same with
the MiG-25, which had incredible performance for an interceptor, but which
had a -glaring- problem with overheating engines which burned up because
they were made of steel instead of titanium.  You can at least chalk that
up to the shortage of titanium the Soviets were facing.  The point remains
that some of the -best- engineered things out there are screwed from the
start due to a bad choice of platform.  The further point remains that most
'programmers' these days don't even plan well enough to be making the best
anything.  Why add choice of a questionable platform to the list of sins?

> Mark's comment on not giving his work product away free is his
> choice. There have been developers on this list who have given code away
> without charge and others who have charged. No one complained about
> purchasing John Esak's accounting software or his 'pig in a Polk'.

I say this to Wayne (or anyone else) who really wants to pull out that
straw man about me not releasing code:

1) I released some old demo filePro code of mine sometime in the last month
or so.  Pay attention.  I even -re-released- it when someone pointed out
the first SSL link was broken; I provided a working link.  It's impossible
to forget having done that.  You have what appear to be intentionally
selective memories.  That's already been released, warts and all.  (I would
do a few things differently these days.)

2) My Perl code is my product.  Which part of 'proprietary software' and
'trade secrets' is unclear to you?  Would you like my bank account number,
while you're at it?  Screw that.  I owe you nothing.

3) You can call me on not releasing my code once fP Tech has released
-their- source code freely.  Until then, you don't have a leg to stand
on.  If I'm to be subject to your arbitrary whim of demands, then so should
everyone else be, including your beloved fP Tech.  Anything short of that
is simply a witch hunt and a personal vendetta.  I'm -fine- with that,
because I actually give a damn about very few people's opinions of me, but
at least have the integrity to call it what it actually is, people.

> Your complaints remind me of the early Napster users. 'We don't want to
> pay for anything at . That was their mantra.

Seems to be the mindset from which these yahoos are operating.  That was my
take as well.

I especially got a kick out of the hypocrisy of the one guy saying that
the list should be about providing help, not opinions.  Stating what he
felt the list should be -WAS- stating a bloody opinion.  What kind of a
self-unaware hypocrite does it take to not recognise that they just did
-exactly- what they're complaining about?  Logic 101.  Geez.

I -am- helping people.  If a post of mine gets even one [more] person to
improve their security and coding practices, I'm fulfilling my goals.

m->
-- 
Audio panton, cogito singularis.
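As an added illustration of the fpCGI v1 problem described in the message above (this is not fpCGI's or the author's code; the binary path, the action table and the field names are hypothetical), here is the client-supplied command line beside a server-owned argv design, with a check for the shell metacharacters that the v1 design never filtered:

```python
import re
import subprocess
from typing import Dict, List, Optional

# Characters a POSIX shell interprets; any of these in client data that is
# pasted into a shell command line is a command-injection risk.
SHELL_META = set(';|&$`<>()\n\\"\'*?{}[]~')


def shell_metacharacters(text: str) -> set:
    """Return the shell metacharacters present in `text` (empty set = none)."""
    return {c for c in text if c in SHELL_META}


def v1_command_line(form: Dict[str, str]) -> str:
    """The flawed v1-style design: the page hands the server a ready-made
    command line and the server trusts it verbatim. Never execute this."""
    return "fpcgi " + form.get("cmdline", "")


# Hardened design: the server owns a fixed table of actions (hypothetical).
# The client names an action and supplies a record key; nothing else reaches argv.
ACTIONS: Dict[str, List[str]] = {
    "list_customers": ["/opt/fp/fpcgi", "-f", "customers", "-o", "list"],
    "show_invoice": ["/opt/fp/fpcgi", "-f", "invoices", "-o", "show"],
}
KEY_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allowlist, not a denylist


def server_side_argv(form: Dict[str, str]) -> Optional[List[str]]:
    """Build argv for a request, or return None if the request must be rejected."""
    action = form.get("action", "")
    key = form.get("key", "")
    if action not in ACTIONS:
        return None
    if not KEY_PATTERN.fullmatch(key):
        return None
    return ACTIONS[action] + ["-k", key]


def run_action(form: Dict[str, str]) -> subprocess.CompletedProcess:
    """Execute an allowlisted action without a shell, so the key is inert data."""
    argv = server_side_argv(form)
    if argv is None:
        raise PermissionError("rejected request")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
```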