Bitcoin Forum
Author Topic: Rant against Lego Makers  (Read 1333 times)
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 01:27:36 AM #1

I'm just damn F, rather big F, with "lego makers"!
I got this code to check and correct, done by a Lego maker - a "Lego Maker" is a coder who can't code and usually all he does is to keep stacking "components" with nice GUIs in Dreamweaver - and I just can't count the security holes and design bugs and flaws I found!...  Angry
Is it possible that even a god damn fricking mysql_connect isn't followed by a select db?! Then no page protections, no fricking username checking before registering, nothing to clean up or parse vars; SQLi all the way... Damn! My eyes already hurt from looking at that... crap!
cepler (Jr. Member, Activity: 47)
August 04, 2011, 03:06:07 PM #2

!LEGO

Darn it you had me interested at first...
joepie91 (Sr. Member, Activity: 294)
August 04, 2011, 04:20:04 PM #3

Welcome to modern web development, "Web2.0"!

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
SgtSpike (Legendary, Activity: 1344)
August 04, 2011, 04:37:08 PM #4
 #4

I'd also like to rant against lego makers!

For one, why can you no longer buy just the big buckets of generic lego pieces in stores anymore?  They all have to be sets with all of these special-made pieces that no one really wants because they can't be used for anything else.  How lame.
Xephan (Jr. Member, Activity: 42)
August 04, 2011, 04:43:28 PM #5

Quote from: BCEmporium
I'm just damn F, rather big F, with "lego makers"!
I got this code to check and correct, done by a Lego maker - a "Lego Maker" is a coder who can't code and usually all he does is to keep stacking "components" with nice GUIs in Dreamweaver - and I just can't count the security holes and design bugs and flaws I found!...  Angry
Is it possible that even a god damn fricking mysql_connect isn't followed by a select db?! Then no page protections, no fricking username checking before registering, nothing to clean up or parse vars; SQLi all the way... Damn! My eyes already hurt from looking at that... crap!

That sounds similar to what I call PowerPoint developers... people who can't code either frontend or backend without a GUI/IDE Cheesy

p.s. there's nothing wrong with using mysqli! Cheesy

186q9YUW3x8TVHC5aYBEqgZZYMxft8Cw9f
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 07:54:05 PM #6

I wasn't talking about using mysqli (the extension), but SQLi. As the vars aren't in any way filtered but dumped directly to the db, often like INSERT INTO blah(`username`) VALUES('{$_POST['username']}'); I was talking about SQL injections (attacks).
SgtSpike (Legendary, Activity: 1344)
August 04, 2011, 07:56:30 PM #7

Quote from: BCEmporium
I'm just damn F, rather big F, with "lego makers"!
I got this code to check and correct, done by a Lego maker - a "Lego Maker" is a coder who can't code and usually all he does is to keep stacking "components" with nice GUIs in Dreamweaver - and I just can't count the security holes and design bugs and flaws I found!...  Angry
Is it possible that even a god damn fricking mysql_connect isn't followed by a select db?! Then no page protections, no fricking username checking before registering, nothing to clean up or parse vars; SQLi all the way... Damn! My eyes already hurt from looking at that... crap!
I understand why all the other things you mentioned are important for security, but why the bolded one?
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 08:04:21 PM #8

Not for security that one, but for the code's sake, the used component has this "db.connection.php":

$db_user = "user";
$db_pass = "xxxxx";
$db_host = "localhost";
$db_name = "fricking_db";

mysql_connect($db_host,$db_user,$db_pass) || die("Error");

...
If this already sets the db name, why not follow mysql_connect with mysql_select_db?! According to the site's "developer", if I put mysql_select_db there the component breaks, so I have to start all pages with a select_db after calling this so-called "connector".
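The two complaints above, a connector that never selects its database and a $_POST value interpolated straight into an INSERT, shown next to a hardened version. This is an added example, not code from the thread; the table `users`, the function names and the use of the mysqli extension are assumptions.

```php
<?php
// Added example (not code from the thread). Assumed for illustration:
// the table `users`, the function names, and that the app uses mysqli.

// --- The pattern the thread describes, written with mysqli so it runs today.
// The request value is interpolated into the SQL text, so a single quote in
// $username closes the string literal and the remainder is parsed as SQL.
function register_user_vulnerable(mysqli $db, $username) {
    $sql = "INSERT INTO users (`username`) VALUES ('{$username}')";
    return $db->query($sql);
}

// --- Hardened version.
// The connector selects the database itself (4th constructor argument), the
// mysqli counterpart of following mysql_connect() with mysql_select_db(),
// so no page has to repeat it.
function db_connect() {
    $db = new mysqli("localhost", "user", "xxxxx", "fricking_db");
    if ($db->connect_error) {
        die("Database connection failed"); // do not echo connect_error to users
    }
    $db->set_charset("utf8mb4");           // client charset must match the server's
    return $db;
}

// Input is validated before touching the db (the "username checking" the
// thread says was missing), then bound as a parameter: the SQL text is fixed
// and the value travels separately, so it cannot alter the statement.
function register_user(mysqli $db, $username) {
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;                      // reject before any query runs
    }
    $stmt = $db->prepare("INSERT INTO users (`username`) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("s", $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$db = db_connect();
$username = isset($_POST['username']) ? $_POST['username'] : '';
var_dump(register_user($db, $username));
```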
Xephan (Jr. Member, Activity: 42)
August 04, 2011, 08:10:17 PM #9

Quote from: BCEmporium
I wasn't talking about using mysqli (the extension), but SQLi. As the vars aren't in any way filtered but dumped directly to the db, often like INSERT INTO blah(`username`) VALUES('{$_POST['username']}'); I was talking about SQL injections (attacks).

That's almost criminal

Quote from: BCEmporium
Not for security that one, but for the code's sake, the used component has this "db.connection.php":

$db_user = "user";
$db_pass = "xxxxx";
$db_host = "localhost";
$db_name = "fricking_db";

mysql_connect($db_host,$db_user,$db_pass) || die("Error");

...
If this already sets the db name, why not follow mysql_connect with mysql_select_db?! According to the site's "developer", if I put mysql_select_db there the component breaks, so I have to start all pages with a select_db after calling this so-called "connector".

And that's just stupid.

186q9YUW3x8TVHC5aYBEqgZZYMxft8Cw9f
SgtSpike (Legendary, Activity: 1344)
August 04, 2011, 08:19:27 PM #10

Quote from: BCEmporium
Not for security that one, but for the code's sake, the used component has this "db.connection.php":

$db_user = "user";
$db_pass = "xxxxx";
$db_host = "localhost";
$db_name = "fricking_db";

mysql_connect($db_host,$db_user,$db_pass) || die("Error");

...
If this already sets the db name, why not follow mysql_connect with mysql_select_db?! According to the site's "developer", if I put mysql_select_db there the component breaks, so I have to start all pages with a select_db after calling this so-called "connector".
Lol, gotcha.  Yeah, I've always followed my connects with select db... doesn't make any sense not to.  If it's breaking the code, then the "developer" needs to figure out why.  Because it shouldn't.
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 08:44:52 PM #11

Quote from: SgtSpike
Lol, gotcha.  Yeah, I've always followed my connects with select db... doesn't make any sense not to.  If it's breaking the code, then the "developer" needs to figure out why.  Because it shouldn't.

It doesn't "break the code", it breaks the "beautiful GUI", so if later on he fires up the wonderful Dreamweaver to change the password for an instance, it won't recognize the format of that "beautiful" component.  Grin
SgtSpike (Legendary, Activity: 1344)
August 04, 2011, 08:55:12 PM #12

Quote from: BCEmporium
Quote from: SgtSpike
Lol, gotcha.  Yeah, I've always followed my connects with select db... doesn't make any sense not to.  If it's breaking the code, then the "developer" needs to figure out why.  Because it shouldn't.

It doesn't "break the code", it breaks the "beautiful GUI", so if later on he fires up the wonderful Dreamweaver to change the password for an instance, it won't recognize the format of that "beautiful" component.  Grin
Wait... seriously??  He's worse than I thought...
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 09:28:19 PM #13

Yep...
If I got it right, DW has some menu where he can fire up a GUI and input the settings there, but if you change the file manually, DW then can't recognize its format.
I'm not quite into DW's behavior as I'm a notepad/kate coder.
SgtSpike (Legendary, Activity: 1344)
August 04, 2011, 09:58:50 PM #14

Quote from: BCEmporium
Yep...
If I got it right, DW has some menu where he can fire up a GUI and input the settings there, but if you change the file manually, DW then can't recognize its format.
I'm not quite into DW's behavior as I'm a notepad/kate coder.
I use DW MX for development myself, but never the GUI feature.  The only reason I use it is because it combines FTP + a colored editor in one, which makes it a convenience more than anything.  I tried the GUI feature early on, but unless you're just coding static HTML pages, it's worthless.  Certainly should not be used by a PHP developer!
BCEmporium (Legendary, Activity: 938)
August 04, 2011, 10:28:59 PM #15

For the best use with built-in FTP/code highlighting/project management within PHP, I would suggest NuSphere PHPed or, as an OS alternative, Notepad++ with the FTP and project manager plugins.
SgtSpike (Legendary, Activity: 1344)
August 05, 2011, 12:04:03 AM #16

Quote from: BCEmporium
For the best use with built-in FTP/code highlighting/project management within PHP, I would suggest NuSphere PHPed or, as an OS alternative, Notepad++ with the FTP and project manager plugins.
I'm already familiar with Dreamweaver, so will probably stick with it.  Thanks for the suggestions though, I'll check them out if I get time.
BCEmporium (Legendary, Activity: 938)
August 05, 2011, 12:22:45 AM #17

DW doesn't have code auto-completion; I guess you would enjoy that PHPed feature:

say, you've this

function my_function($var1,$var2,$var3 = 1){
//function code
}

And when you type somewhere else

my_f, it will bring up a small pop-up below the text showing something like my_function($var1,$var2,[$var3]); if you just hit enter you'll get my_function(|) (where | is the cursor).
Pretty handy, especially if you have to deal with big classes (works the same way: you type $a = new ClassX("init vals"); and when you do $a-> it brings up an inline drop-down with all the functions and vars within that class - pretty much like Visual Studio, if you're used to it).
DW just brings up auto-completion for PHP built-in functions.

PHPDeveloper (another piece of software like PHPed) can also do this with JavaScript functions.
joepie91 (Sr. Member, Activity: 294)
August 05, 2011, 12:41:08 AM #18

I would actually recommend using Geany (http://www.geany.org/). Like Notepad++, but much cleaner, cross-platform, much lighter, has better autocompletion and code 'understanding', proper code collapsing, and a whole bunch of features that don't get in your way but are still very useful. I would choose it over Notepad++ any day.

Like my post(s)? 12TSXLa5Tu6ag4PNYCwKKSiZsaSCpAjzpu Smiley
Quote from: hawks5999
I just can't wait for fall/winter. My furnace never generated money for me before. I'll keep mining until my furnace is more profitable.
Xephan (Jr. Member, Activity: 42)
August 05, 2011, 03:51:25 AM #19

Quote from: joepie91
I would actually recommend using Geany (http://www.geany.org/). Like Notepad++, but much cleaner, cross-platform, much lighter, has better autocompletion and code 'understanding', proper code collapsing, and a whole bunch of features that don't get in your way but are still very useful. I would choose it over Notepad++ any day.

This looks interesting, will give it a try some time as I like having the same tools across the different platforms that I use.

186q9YUW3x8TVHC5aYBEqgZZYMxft8Cw9f
SgtSpike (Legendary, Activity: 1344)
August 05, 2011, 05:00:44 AM #20

So much for the lego rant.  Tongue

Interesting regarding the code completion.  DW does do CSS class/id completion, but that's all I can remember.  It probably does javascript completion as well.  PHP completion would be handy though.