Hammerite
Mar 9, 2007

And you don't remember what I said here, either, but it was pompous and stupid.
Jade Ear Joe

ErIog posted:

I don't think anyone is saying that type juggling shouldn't be an option. They're saying it shouldn't be the default behavior, and that "==" shouldn't be called an equality operator in the documentation of the language. I know you can't compare languages 1:1 all the time, but someone coming to PHP from any other language is bound to not understand the intricacies of "==" vs "===". They'll use "==" like they're used to without realizing that the thing that's going to behave like they're accustomed to is actually "===".

I agree with this post.


Hammerite
Mar 9, 2007

So since we're on the topic of password security, even though it's off topic I thought I'd try to check whether my understanding of what I do currently is correct. (This is distinct from checking whether what I do is correct, which it isn't.)

My site currently computes an MD5 hash for each user's password. Each user has a different, randomly generated salt.

But the method used to do this is quite fragile: I just use a call to PHP's crypt() function to generate the salt and the hash when the password is first supplied. (The documentation states that if no salt is supplied, a random one is generated.)

That would be fine but whether PHP uses MD5 or DES is determined by the version of PHP and by the system it is running on. It could be that PHP might end up using DES. The hashing scheme that PHP will default to is indicated by a constant CRYPT_SALT_LENGTH. So in a configuration file I have a line checking that CRYPT_SALT_LENGTH is equal to 12. If it is not then a bland error message is displayed and my scripts refuse to run at all.

This seems to work as intended, because all the stored passwords in the database start with $1$, and the first 12 characters are different in each field. The documentation indicates that this is how an MD5 hash should start, and that the salt appears at the start of the hash (so the salts are indeed all different). But this is a fragile way to do things because if my host changes PHP versions or I move my site then it could suddenly break and I'd have to change the code for creating and checking passwords. It's also my understanding that better hashing-schemes are available than MD5.

So the planned remedy for this is to

1) introduce a column in the database that indicates which hashing-scheme is being used for the password. (At the moment if I did this, the values would all be 'MD5'.)
2) implement a constant that states the current "preferred hashing-scheme". If someone logs in and their password is currently not stored using the preferred hashing-scheme, then since they've supplied their password, it can be hashed again to obtain a hash in the preferred hashing-scheme. The password and hashing-scheme columns in the database can both be updated.
3) implement code that generates random salts of the appropriate type. PHP's crypt() function does this, but only if you are using the default hashing scheme. If I wanted to use blowfish or AES then I would have to generate the salt myself, or operate without a salt (not acceptable).
4) switch to using a better hashing-scheme than MD5.
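An added example, not Hammerite's code, of the upgrade-on-login plan in steps 1 to 4: the row's `hash_scheme` column says how to verify, and a successful login is the one moment the legacy `$1$` crypt() hash can be replaced with a bcrypt one. It assumes a PDO connection, a `users` table with `id`, `username`, `password_hash` and `hash_scheme` columns (constructed names), and PHP 7 or later for `password_hash()`, `password_needs_rehash()` and `hash_equals()`.

```php
<?php
// Added example (not the poster's code). Assumed table: users(id, username,
// password_hash, hash_scheme) where hash_scheme is 'MD5' for the existing
// crypt() rows and 'BCRYPT' once a row has been upgraded.
const PREFERRED_SCHEME = 'BCRYPT';
const BCRYPT_COST = 12;

// Step 1/4: verify against whatever scheme the row says it uses.
function verifyPassword(string $password, string $storedHash, string $scheme): bool
{
    switch ($scheme) {
        case 'MD5':
            // Legacy rows: crypt() reads the salt out of the stored "$1$..."
            // value, so no separate salt column is needed to re-derive it.
            return hash_equals($storedHash, crypt($password, $storedHash));
        case 'BCRYPT':
            return password_verify($password, $storedHash);
        default:
            return false; // unknown scheme: refuse rather than guess
    }
}

// Step 2: does this row need re-hashing under the preferred scheme?
function needsUpgrade(string $storedHash, string $scheme): bool
{
    if ($scheme !== PREFERRED_SCHEME) {
        return true;
    }
    // Also catches bcrypt rows made with an older (cheaper) cost factor.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Step 3 is handled by password_hash(), which generates the bcrypt salt itself.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash, hash_scheme FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !verifyPassword($password, $row['password_hash'], $row['hash_scheme'])) {
        return false;
    }
    // The user has just supplied the plaintext, so this is the only point at
    // which a stored MD5 hash can be migrated. Users who never log in again
    // keep their old hash, which is why the MD5 branch above has to stay.
    if (needsUpgrade($row['password_hash'], $row['hash_scheme'])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password_hash = ?, hash_scheme = ? WHERE id = ?');
        $upd->execute([$newHash, PREFERRED_SCHEME, $row['id']]);
    }
    return true;
}
```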

Hammerite
Mar 9, 2007


Aleksei Vasiliev posted:
Any remedy has to keep compatibility with the existing set of passwords. I may adopt bcrypt() as the better hashing-scheme in (4), but the other steps are needed because I can't upgrade a user's password to a new hashing-scheme unless they obligingly log in and let me see their actual password. There will be users who have lost interest in the site and will never log in again; I'll be stuck with these users' passwords having MD5 hashes. So the other infrastructure to support the superseded, older form of password hashing has to be a part of the solution.

Hammerite
Mar 9, 2007


Murodese posted:

Force a password reset on next login? Users that don't log in won't care and be locked out, and those that do can have their passwords updated.

Yeah, the plan is to re-hash the password when a user logs in who has an outdated hash. But if a user doesn't log in, you're saying after a certain amount of time their password should be invalidated? I could do that I suppose, and if they try to log in later display a message asking them to email me from the email address associated with their account. That seems to be setting myself up for extra work, though.

Hammerite
Mar 9, 2007

hahahahahahahahahahahahahahahahahahahaha

while debugging something:

Fatal error: func_get_args(): Can't be used as a function parameter in /[redacted]/sc_geometry.php on line 801

whaaaaaaat

Hammerite
Mar 9, 2007


Zhentar posted:

You could easily keep the number that need to be reset to a minimum by brute-forcing most of the ones that don't log in.

:aaaaa:

Hammerite
Mar 9, 2007


Wheany posted:

So is it time for a security thread? Title: you don't know poo poo about security, seriously, even if you think you are being humble.

A thread about security sounds like a good idea.

Hammerite
Mar 9, 2007


I stopped reading that after about the second scene, or act or whatever. What an obnoxious way to write.

Hammerite
Mar 9, 2007


A OBLIVION MOD... posted:

Uhh, that's how screenplays are written.

What an obnoxious way to write.

Hammerite
Mar 9, 2007


Lumpy posted:

That's how screenplay software is written.

code:
respond_to do |format|
    format.json { render :json => 'what an obnoxious way to write' }
end

Hammerite
Mar 9, 2007


No Safe Word posted:

horror found

it's from Xenogenesis's post.

Hammerite
Mar 9, 2007

Kind of disconcerting that the absolute value function could return a negative value. What do other languages do? (I mean languages in which the minimum representable integer is greater in absolute value than the maximum representable integer, obviously.)

Hammerite
Mar 9, 2007


baquerd posted:

Not that the practice isn't a nightmarish hell to debug and maintain, but I often found it to be an intuitive approach to problems when I was first learning.

The main argument against using it from a functionality perspective, as far as I can see, is that it doesn't let you do anything you can't already do with an associative array.

Hammerite
Mar 9, 2007


pokeyman posted:

That's a silly reason. Take that argument far enough and we'll all use assembler whose only instruction is subtract and branch if less than or equal to zero.

Well ok, so what I should really have said was: it's like using an associative array, except with less control over what you're doing and much greater potential for hard-to-spot security problems.

Really I think you can compare "variable variables" : associative arrays, with global variables : local variables. If I write $$var then I could be referring to any variable. How do you know what the hell I'm doing? If I write $myarray[$parameter] then you know that line of code can only touch the contents of the associative array $myarray, which presumably is an appropriate thing for my code to be doing.

So pretend I said: it's like using an associative array, but with problems that wouldn't apply if you just used an associative array in the first place.

pokeyman posted:

I haven't touched PHP in a solid decade so I don't know how this particular feature works but does it help make something clearer or easier to use?

IMO no it doesn't, if anything it seems to me to obfuscate things, although like any technique I'm sure it gets more intuitive the more you do it.
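An added example, not the poster's code, of the point made above: with `$$var` the request data decides which variable gets written, so an untouched local can change underneath you, while with an associative array the write can only land inside that array. The request array is constructed input standing in for `$_POST`; the function names are assumptions.

```php
<?php
// Added example (not from the thread). Constructed request data standing in
// for $_POST: the client chooses both the field name and its value.
$request = ['name' => 'isAdmin', 'value' => '1'];

// Variable variables: the request picks WHICH variable is assigned.
function withVariableVariables(array $request): bool
{
    $isAdmin = false;               // intended to stay false
    $field = $request['name'];
    $$field = $request['value'];    // resolves to $isAdmin = '1' in this scope
    return (bool) $isAdmin;         // now true
}

// Associative array: the write can only touch $fields, and the key is
// checked against an allow-list of fields the code expects to handle.
function withAssociativeArray(array $request): bool
{
    $isAdmin = false;
    $allowed = ['displayName' => true, 'email' => true];
    $fields = [];
    if (isset($allowed[$request['name']])) {
        $fields[$request['name']] = $request['value'];
    }
    return (bool) $isAdmin;         // still false: nothing else was reachable
}

var_dump(withVariableVariables($request)); // bool(true)
var_dump(withAssociativeArray($request));  // bool(false)
```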

Hammerite
Mar 9, 2007

I don't see what the problem is. Just use "4re35na2aTaVasAy4re35na2aTaVasAy4re35na2aTaVasAy" and you'll be fine. :eng101:

Hammerite
Mar 9, 2007

I don't see what's wrong with that. Isn't it just an operator precedence issue? In many situations it is necessary to use brackets to enforce the desired order of operations. This seems no different.

Hammerite
Mar 9, 2007


nielsm posted:

The issue is that the precedence is illogical and different from every other language that has the ternary operator.

I'd like to be able to disagree, but I looked over Alexei's example and couldn't deduce the rules it uses to evaluate that expression to "horse". Still, if I were at all unsure about the precedence, I'd just slap a few pairs of brackets in so as to make it clear what should happen, so I don't really see the problem.

Hammerite
Mar 9, 2007


_aaron posted:

PHP was not the first programming language created. Many other languages use a ternary operator with the same order of precedence. Why should PHP come along and change things?

Why shouldn't it? (In general, not in this specific situation.)

Hammerite
Mar 9, 2007


bobthecheese posted:

Any horrors thread is bound to contain php.

Any php thread is bound to contain horrors.

There's already one of both.

Making a dedicated PHP Horrors thread would be redundant.

PHP's many and varied shortcomings have been well-documented here and elsewhere. So it seems surprising to me that nobody has either (i) forked it and radically overhauled it (by breaking backwards compatibility); or (ii) set out to write a "better" version which has a less broken parser, more elegantly implemented language features, a more consistent standard library etc. Is there a reason why there isn't a "php, but better" out there?

I mean I know that there are other web scripting languages/frameworks out there, like perl and python and .net. But whenever I've looked into python it's seemed less focused on web development than PHP and all of the material I've looked at about using it for a web application waffles on about whether you're using CGI or Fast-CGI or mod_python or god knows what else, then tells you you've got to choose all kinds of components for your web application because python isn't enough on its own, etc etc... (I'm talking primarily about this guide, which presents a whole lot of discussion about various things but nowhere answers the question of why it has to be so complicated when compared to PHP's implementation.)

And I don't know much about perl but it sounds similar to python but apparently also has bizarre syntax that leads to impenetrable code.

So given that PHP does at least do one or two things right (you can write a script, upload it and it will work right loving now without needing to faff about - and it gets out of your way quite well if you want to do something simple, and has everything you might want in its standard library); but does a lot of things wrong, why isn't there something that takes the good things about PHP and loses the bad parts?

:spergin:

Hammerite
Mar 9, 2007


wwb posted:

^^^Ugh. Though is that a case of them using PHP as a scripting language to merge the DBs -- which could be somewhat defensible -- or is it a case of them building the new combined wfc + wachovia web stack on some horror of a PHP script.

@Scaramouche : bloggers is the easy part. Scary part is the insane penetration of drupal into just about everything content oriented on the web now. Dear god why.

"Content-oriented"? I've not heard that before. What's an example of something that isn't content-oriented?

Hammerite
Mar 9, 2007


Munkeymon posted:

Show us switch statement that can deal with greater than or less than and that would be a valid alternative. I'm OK with what GrumpyDoctor wrote and the only problem I would have with it is that I don't trust all other programmers to understand the ternary operator well enough to not accidentally gently caress it up. Several people I work with would be totally lost, for example.

php:
<?php
switch (true) {
    case 4 < 1:
        echo 'heads';
        break;
    case 5 > 9:
        echo 'shoulders';
        break;
    case 3 < 9:
        echo 'knees';
        break;
    case 4 > 1:
        echo 'toes';
        break;
    default:
        echo 'rear end';
}
?>
knees :tipshat:

Hammerite
Mar 9, 2007

Yeah, I'm confused as to why you would expect a tab not to count as one character.

Hammerite
Mar 9, 2007

:siren: :siren: :siren: PHP is deprecated :siren: :siren: :siren:

Hammerite
Mar 9, 2007

     // The great pyramid
    /
:worship:

Hammerite
Mar 9, 2007


yaoi prophet posted:


http://falconpl.org/index.ftd?page_id=facts

Witness the power of facts! :yum:

Hammerite
Mar 9, 2007


Wheany posted:

Is there any reason for doing

var someString = ["qwe","rty"].join('');

instead of

var someString = "qwe"+"rty";

in Javascript?

e: actually, the code I'm looking at is more like

var someString = ["qwe","rty", "ui"+"op"].join('');

Not really.

It's not what you were asking about, but I could kind-of see doing

['hello', name + '.', 'how are you?'].join(' ')

because it would mean you wouldn't have to remember to put spaces in all the right places.

Hammerite
Mar 9, 2007


Surely this statement is meaningless without an indication of whose javascript engine you are talking about? I mean, I'm assuming this is something that might vary between browsers.

Hammerite
Mar 9, 2007

Sometimes I do that when I find I have an off-by-one error and I'm confident the code is otherwise correct. I know I shouldn't really do it, though.

Hammerite
Mar 9, 2007

I know nothing about Java so don't yell at me if the syntax is off, but surely this is better?

code:
static String GetMonth(int monthNumber) {
    String[] months = { "JAN", "FEB", "MAR", "APR", "MAY", "JUN",
                        "JUL", "AUG", "SEP", "OCT", "NOV", "DEC" };
    // Out-of-range month numbers return an empty string rather than throwing.
    return (monthNumber < 1 || monthNumber > 12) ? "" : months[monthNumber - 1];
}

Hammerite
Mar 9, 2007


Contra Duck posted:

I'd call them an ambulance.

I'd call them a wally, but fair enough.

Hammerite
Mar 9, 2007

My favourite piece of PHP stupidness is displayed at http://www.php.net/manual/en/function.ctype-digit.php

code:
bool ctype_digit ( string $text )

Checks if all of the characters in the provided string, text, are numerical.
code:
Changelog

Version Description
5.1.0   Before PHP 5.1.0, this function returned TRUE when text was an empty string. 
"Before PHP 5.1.0, this function's behaviour was the documented behaviour, so we changed it"

Hammerite
Mar 9, 2007

http://stackoverflow.com/questions/6163683/cycles-in-family-tree-software

quote:

I am developer of Family tree software (written in C++ and Qt). I had no problems till one of my customers mailed me a bug report. The problem is that he has two children with his own daughter. And he can't use my software because of errors. Those errors are result of my various assertions and invariants about family graph being processed (for example after walking a cycle the program states that X can't be both father and grandfather of Y). How should I resolve those errors, without removing all data assertions?

Masterful troll, or all kinds of horror at once?

Hammerite
Mar 9, 2007


quote:

@Chelle: use mysql_real_escape_string() on the value of $id: $sql = "select functionName(" . mysql_real_escape_string($id, $link) . ")" and then use $sql in mysql_query()

:byodood:

Hammerite
Mar 9, 2007

Is there a language that allows fallthrough inside switch, but requires you to explicitly declare it? Like this

code:
switch (myvar) {
    case 1:
        // stuff
        break;
    case 2:
        // stuff
        fallthrough;
    case 3:
        // stuff
        break;
    default:
        // stuff
}
and failing to use one of a certain set of acceptable statements* immediately before the next "case" label is an error?

* break, fallthrough, return, exit, probably others

Hammerite
Mar 9, 2007


MononcQc posted:

http://coding.smashingmagazine.com/2011/07/07/my-favorite-programming-mistakes/

Almost everything in there, including the advice given.

Hmm, learning by making mistakes is only good if you draw the right conclusions from the mistakes.

Hammerite
Mar 9, 2007

code:
struct flubber *a_dumb_person_did_this(int a, int b,
                                       long g, shlong s,
                                       derpaderpadoo z);
unpleasant, unless the grouping of (a and b) and (g and s) is compelling for some reason. Although then still not good, because the ); ought to be on its own line in the case where multiple lines are spanned.

code:
struct flubber *a_dumb_person_did_this ( int a,
                                         int b,
                                         long g,
                                         shlong s,
                                         derpaderpadoo z
                                         );

struct flubber *a_dumb_person_did_this (
    int a,
    int b,
    long g,
    shlong s,
    derpaderpadoo z
);

struct flubber *a_dumb_person_did_this (
    int a, int b, long g, shlong s, derpaderpadoo z
);

struct flubber *a_dumb_person_did_this (int a, int b, long g, shlong s, derpaderpadoo z);
all fine.

Hammerite fucked around with this message at 17:24 on Jul 30, 2011

Hammerite
Mar 9, 2007


angrytech posted:

Another controversial opinion: the only people who use spaces for indentation are communists and satanists.
If you are using an IDE that doesn't allow you to set the number of spaces defined by a tab, then you're a scrub.

I use tabs for indentation, but I set tabs to be 1 space each.

Hammerite
Mar 9, 2007


Eggnogium posted:

code:
struct flubber *a_dumb_person_did_this (
    int a,
    int b,
    long g,
    shlong s,
    derpaderpadoo z
) {
    ...
}

Acceptable.

Better:

code:
struct flubber *a_dumb_person_did_this ( int a,
                                         int b,
                                         long g,
                                         shlong s,
                                         derpaderpadoo z
                                         ) {
    ...
}
Best (except when it results in lines that are too long):

code:
struct flubber *thing (int a, int b, long g) {
    ...
}

Hammerite fucked around with this message at 02:23 on Jul 31, 2011

Hammerite
Mar 9, 2007


Brecht posted:

Coding horror spotted.

He is right. At least: rules always have a reason behind them. It's important to understand the reason why a rule exists. If you understand the reason for the rule, you know enough to determine when breaking the rule is a valid course of action.


Hammerite
Mar 9, 2007


Plorkyeran posted:

I love code which uses 4-space indents but replaces each set of 8 spaces with tabs. It's like they're going out of their way to maximize the chance of it looking it like.

haha what, who would do that instead of just making a tab 4 spaces?
