Re: Re: Use placeholders. For SECURITY!

Replying out of order, let me start with the order I put my bullets in. I arranged those from easiest for a programmer to make happen to hardest. Trying to get co-workers who don't want to to do code reviews is definitely an uphill battle, which is why I focussed first on things that you can do which won't hit such political resistance.

On how critical the data that people work with is, I can't speak for most programmers. Speaking for myself, I have never had a programming job where I didn't wind up learning very sensitive things about people. My sense is that this is pretty typical. People stick information in a database, I have access to the database. People want to improve workflow, I get access to whatever data is in that workflow. People want financial reports run, I get to see the financial data.

I generally don't care about the data I have access to, but I get that access, and the fact that it is worth hiring me to work with the data means that someone thinks that it is worth a lot.

On your node, here is a fuller response. The attitude that, "Whatever you know and are getting by with is OK" is one that I highly dislike. Because what you don't know, will bite you. But you generally won't see that it is biting you because you don't know that you can do better. Furthermore far too many people for my taste have the attitude that they know how to program perfectly well and have no desire or need to learn more. I don't like encouraging that. See my response in the thread starting at Life beyond CGI and DBI to see an extreme example.

On fundamentals, I fully agree. And I agree enough that I wouldn't want to filter a person on whether a certain fact was known unless knowledge of that fact was indicative of basic background for the job that they need to do. I can let not knowing placeholders pass if you have the concept of not trusting user input down - you can learn placeholders pretty easily. Perhaps you don't know them because you used Class::DBI and never needed to look under the hood. But if you are thinking of using them and need a push, I definitely think that the push is worthwhile!

Comment on Re: Re: Use placeholders. For SECURITY!

Replies are listed 'Best First'.
Re: Re: Re: Use placeholders. For SECURITY! by nevyn (Monk) on Nov 14, 2003 at 11:46 UTC
On how critical the data that people work with is, I can't speak for most programmers. Speaking for myself, I have never had a programming job where I didn't wind up learning very sensitive things about people. My sense is that this is pretty typical. People stick information in a database, I have access to the database. People want to improve workflow, I get access to whatever data is in that workflow. People want financial reports run, I get to see the financial data. I generally don't care about the data I have access to, but I get that access, and the fact that it is worth hiring me to work with the data means that someone thinks that it is worth a lot. Well there's also the threat. If you are writing something that sells CDs on the internet, then anyone can access it and anyone can/will attack it. A web front end for some mid level managers though (passwd protected so only they can get to it) has a much lower chance of being attacked, so from that point of view while it might be sensitive screwing up and allowing XSS etc. isn't as bad as if it'd happened on amazon.com etc. For instance I've worked at places (I managed to leave quickly though :) where people mostly used telnet and had numerous machines where people had root access ... and one place where everyone used one machine for shell access, and gave the root password to it out. Hell one place I contracted at had single letter root passwords everywhere and they dealt with medical information. And while that is completely insane, IMO. The employees while having easy access to the gasoline and lighter, didn't burn the place down on a daily basis. Admittedly if they were knowledgeable enough and wanted to they wouldn't be seen ... but generally the people either weren't knowledgeable or didn't want to. But maybe I'm being somewhat too optimistic about the entire race :). -- James Antill	[reply]
Re: Re: Re: Use placeholders. For SECURITY! by sauoq (Abbot) on Nov 14, 2003 at 19:26 UTC
On your node, here is a fuller response. The attitude that, "Whatever you know and are getting by with is OK" is one that I highly dislike. I think that's a poor interpretation of what I wrote. It certainly wasn't my intended message. I hope it didn't sound that way to many others and I suspect it didn't because it seems to have been a relatively well liked node. I think (and hope) an attitude as you describe would attract more downvotes. The message I meant to convey was: what you know now is okay and you have to learn at your own pace and in your own way so don't get hung up on what you don't know, especially not details; concentrate on fundamentals and you will improve. I think that is appropriate advice to give to a novice-to-intermediate level programmer. -sauoq "My two cents aren't worth a dime.";	[reply]