Bitcoin Forum

I'm just damn F, rather big F, with "lego makers"!
I got this code to check and correct, done by a Lego maker - a "Lego Maker" is a coder who can't code and usually all he does is to keep stacking "components" with nice GUI's in Dreamweaver - and I just can't count the security holes and design bugs and flaws I found!...  >:(
Is it possible that even a god damn fricking mysql_connect isn't followed by a select db?! Then no page protections, no fricking username checking before registering, nothing to clean up or parse vars; SQLi all the way... Damn! My eyes already hurt of look at that... crap!

!LEGO

Darn it you had me interested at first...

Welcome to modern web development, "Web2.0"!

I'd also like to rant against lego makers!

For one, why can you no longer buy just the big buckets of generic lego pieces in stores anymore?  They all have to be sets with all of these special-made pieces that no one really wants because they can't be used for anything else.  How lame.

That's sounds similar to what I call PowerPoint developers... people who can't code neither frontend or backend without a GUI/IDE :D

p.s. there's nothing wrong with using mysqli! :D

I wasn't talk about using mysqli (the extension), but SQLi - As the vars aren't in anyway filtered but dumped directly to db, often like INSERT INTO blah(`username`) VALUES('{$_POST['username']}'); I was talking about SQL Injections (attacks).

I understand why all the other things you mentioned are important for security, but why the bolded one?

Not for security that one, but for the code's sake, the used component has this "db.connection.php":

$db_user = "user";
$db_pass = "xxxxx";
$db_host = "localhost";
$db_name = "fricking_db";

mysql_connect($db_host,$db_user,$db_pass) || die("Error");

...
if this already sets the db name why not follow mysql_connect with mysql_select_db?! According to the site's "developer" if I put there mysql_select_db the component breaks, so I've to start all pages subset with a select_db after call this so called "connector".

That's almost criminal


And that's just stupid.

Lol, gotcha.  Yeah, I've always followed my connects with select db... doesn't make any sense not to.  If it's breaking the code, then the "developer" needs to figure out why.  Because it shouldn't.

It doesn't "break the code", it breaks the "beautiful GUI", so if later on he fires up the wonderful Dreamweaver to change the password for an instance, it won't recognize the format of that "beautiful" component.  ;D

Wait... seriously??  He's worse than I thought...

Yep...
If I got it right, DW has some menu where he can fire up a GUI and input the settings there, but if you change the file manually, DW then can't recognize its format.
I'm not quite in to DW's behavior as I'm a notepad/kate coder.

I use DW MX for development myself, but never the GUI feature.  The only reason I use it is because it combines FTP + a colored editor in one, which makes it a convenience more than anything.  I tried the GUI feature early on, but unless you're just coding static HTML pages, it's worthless.  Certainly should not be used by a PHP developer!

For the best use with built-in FTP/code highlight/project management within PHP I would suggest NuSphere PHPed or, as OS alternative, Notepad++ with FTP and project manager plugin

I'm already familiar with Dreamweaver, so will probably stick with it.  Thanks for the suggestions though, I'll check them out if I get time.

DW doesn't have code auto-completion, I guess you would enjoy that PHPed feature:

say, you've this

function my_function($var1,$var2,$var3 = 1){
//function code
}

And when you type somewhere else

my_f it will bring up a small pop-up bellow the text showing something like: my_function($var1,$var2,[$var3]) if you just hit enter you'll get my_function(|) (where | is the cursor).
Pretty handy specially if you've to deal with big classes (works the same way, you type $a = new ClassX("init vals"); and when you do $a-> if brings up an inline drop-down with all the functions and vars within that class - pretty much like Visual Studio, if you're used to it).
DW just bring up auto-completion for PHP built-in functions.

PHPDeveloper (another soft like PHPed) also can do this with JavaScript functions.

I would actually recommend using Geany (http://www.geany.org/). Like Notepad++, but much cleaner, cross-platform, much lighter, has better autocompletion and code 'understanding', proper code collapsing, and a whole bunch of features that don't get in your way but are still very useful. I would choose it over Notepad++ any day.

This looks interesting, will give it a try some time as I like having the same tools across the different platforms that I use.

So much for the lego rant.  :P

Interesting regarding the code completion.  DW does do CSS class/id completion, but that's all I can remember.  It probably does javascript completion as well.  PHP completion would be handy though.

OK... using DW's components is like plastic Lego, using classes is, at least, Lego Technic.  ;D

Mindstorm anyone?  :P