Hey,
I’ve read a few books and built a few sites but I still feel clueless.
How did you guys develop competence?
What did you practice? What opportunities presented themselves? What path did you take to (partial) mastery?
I’m debating contributing to a few Open Source projects to get my chops up. Any other ideas?
Did you include PHP.NET where they have the big red box at the top saying “This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.” ??? I love it when people argue with the page defining what things are 
10 SP, Ten. 16px is the 100% default size at 96dpi - and technically it’s 62.5% aka 10/16ths – but yes, the articles claiming a fixed relationship between px and default font are pure bull. Doesn’t help when you have people who should know better saying complete nonsense like "[url=http://webkit.org/blog/57/css-units/]This is why browsers use the 96 dpi rule when deciding how all of the absolute units relate to the CSS pixel."
BULL - Camel mannered tunic wearing molly-coddle. 
Given who said that, is it any wonder things are such a mess? Apparenly never used IE or Opera on systems of different DPI, or changed the default font size in his browser to match that behavior… Basically changing the system metric - something I’ve been doing since the release of Windows 3.0… Though I seem to be saying that a lot lately about ‘revolutionary new features’ in software.
Really that’s one of my big pet peeves, being I’ve been a 8514 (Win 3) large fonts (Win9x)/120dpi(winNT)/medium 125%(Win7) user for two decades…
I sure did 
He claimed that PHP5.3 was “purely experimental” and lacked “key” features of PHP such as register globals ( 
), not because it was bad practice but because it was harder to program into the new core, or something like that.
Fortunately he made a few dangerous errors; no escaping, no magic_quotes with his script requiring magic_quotes, having the same password on his demo admin account as his blog, bit of SQL injecting found me the password and I emailed his password to him. I think he got the hint, his domain is now ‘parked’, 3 months on.
^ he was also right (with the quote “just because they can write articles doesn’t mean they know what they’re talking about.”).
I can find a dozen articles claiming the “62% font size means 1em = 16px” myth.
This is absolutely a problem newbies to anything web dev related run up against, as a few have mentioned above. This is why it’s good to have a decent community, with people recognised as experts in their field posting information so that newbs and not-so-newbs can find the right way. Discussion with peers after getting more advanced is also essential.
Unfortunately, the qualifications required to write web articles are simply nadda, zilch, nought - nothing.
I STILL come across articles which explain things using register_globals and magic_quotes. I even emailed one author explaining this and he called my style ‘out of date’ because of “the amazing invention of register_globals which many developers are yet to realise the full potential of”. When I replied with a dozen or so links to articles backing my points up, he replied ‘just because they can write articles doesn’t mean they know what they’re talking about’.
Ironic.
What you always have to do is look at an article date. (Now this is really an argumentum ad novitatem but it does somewhat apply here.) In software engineering, things move fairly rapidly. If you’re looking at an article from 5 years ago, it probably uses mysqli, from 10 years ago? mysql. From 6 months ago? PDO. This isn’t a coincidence. Things change.
In our industry things move fast. There are always improvements. Both in the underlying technology and the principles behind the way we do things. The key is to embrace change. If you get set in old ways you will get left behind. I like to continually critique my own work… I’m constantly improving the way I do things, even when I reach a point where I don’t believe I can improve I do. Usually significantly.
Anyone ever considered that some of the advice written is not to help others but to confuse others?
Also that it creates books, and is another article when someone is stumped for a bit of filler content for their blog or other type of site.
To become competent i would say that its wise to believe half of what you read and hear.
This is, a mon avis, a great advice and me, as a newbie, I always found this part the hard to deal with.
We have different backgrounds, and different professional structures, on doing our programming. When I ask some questions about (to me, expecting to be) simple tasks, sometimes, I got answers… quite advanced, that require a lot, on our structural development environment (resources equipment, background knowledge, etc…).
So, many times, I end up desperate that I’m unable to accomplish a given advice. And of course we can’t. We need (literally) years to properly understand the answer.
Sometimes, good/best programming answers are not the best on a newbies point of view.
However, this doesn’t mean that as newbies, we should forget about them. No we don’t. Many times, I got my answers understood some months later. 
When we doing this alone, knowing what is good and not good programming practice, seems hard to find. My advice to solve it is to, cross data. And compare. And study.
Example of 3)
I see many database connection tutorials here and there, showing different ways for establishing a connection to it. Many use mysql_connect, and if we do not stop there, we look and we see that mysqli is better then the other and if we keep looking we can see that PDO is actually even better… and so on… How do we know if it’s better or not? We listen the arguments, the details, and generally, found that something that some articles ignore, and others, don’t.
I’ll second that. As a rule of thumb computer science degrees are worth less than a sheet of bog roll. In an industry where three years is obsolete and five years is the scrap heap, what good is a four year program using ten year old textbooks?
Some of the worst design practices and coding I’ve seen came not from people with degrees though - you want really bad look at the garbage put out by educators.
Though when both combine to do something; Hell, just look at your average college website for examples of educational ineptitude.
Or programs like the one a friend of mine took at the local state college that teaches nothing but Dreamweaver and Flash Pro, and doesn’t even tell the students that there’s this thing called HTML underneath the WYSIWYG.
Things getting easier sure is true. Of course I keep raising the bar as I go so I still have plenty of difficulty at times.
I’ve noticed by looking at my older code - what I thought was great at the time - often looks like total kludge now 
so I guess I must be getting somewhat better.
Definitely not you, Salathe. I’ve got a lot of respect for the work that you do.
Edit: I also just found out that you can embed the quote tag inside the OT tag. It looks a bit funky, but works well enough.
Ironically, some of the worst programming I’ve come across has been from people with degrees, and the worst programmers are usually designers at heart. It’s also usually the case that the worst designers are programmers…
If your looking on open source projects and hope to see good/secure code then you will in most cases become utterly disappointed.
In general most open source PHP projects is plagued with security holes, mostly due to the projects started out of the code of a simple script written by someone and then afterwards its been modified/updated by more people that calls themselves PHP developers.
The ease of entry point PHP has is both a good thing and a curse. But it does cause the language to have a lot more bad developers than many other languages.
Btw, on the opening and ending PHP tags, if the PHP code is the last information in the document you can ignore the ending PHP tag.
Why would you be passing the PDO object by reference? Would it not be a better idea to wrap an adapter around it, as it would give you more options in the end.
Though claiming that every commercial script is like a swiss cheese is kind of a huge over statement. For a real commercial PHP script that has been created by a company, then there is usually not any more security issues than with any other software written in other languages (Thinking on application sold for $1000 or higher for a license).
On the other hand if you buy a license for an application that cost $50 you cant really expect that high quality.
Something does not sound too good here, thinking from an efficient application point of view. Sounds like there is too much information inside a few files making it too thigh coupled, this will make it very difficult to modify things later on.
Keep in mind that no chain is stronger than the weakest link. It does not matter if your script is as secure as “fort knox” if the backdoor is left unlocked (i.e. server).
Security is a good thing and way too many PHP developers look too lightly on it, but I believe that you are taking the security a step too far, by default you need to be able to trust the owner of the server. I.e. that any files they append to the script will be safe and not a security risk. The only main consern should be any data that is used by the script, as long as you make certain it is clean your application will be secure. If the server owner screws up and upload some unsecure files, then that is their fault, not yours as the author of the application. After all, if I have server access I can do anything I want anyway and your security approach on the PHP side wont help.
In addition your posts are a little incomprehensive and difficult to follow, so this might actually mean we get a different understanding of your post than the point you tried to get a cross.
When you go to school they teach you how to read things like this from #man trap:
BASH BUILTIN COMMANDS:
bind [-m keymap] [-lpsvPSV]
bind [-m keymap] [-q function] [-u function] [-r keyseq]
bind [-m keymap] -f filename
bind [-m keymap] -x keyseq:shell-command
bind [-m keymap] keyseq:function-name
Someone always suggests the best answer to a problem is read the man page. I know there’s a logic to this. I just don’t get it intuitively. I know there’s got to be some info document explaining how to read this logic, and its never in a published how-to book. That’s why I like yous guys. golly gee, you’re swell. 
you tells me what I need to know in real words.
Thanks guys, that was great. Good answers to my ORIGINAL question.
Please stop bickering though…
Is there a way to ignore users on this forum?
That’s not a rebuttal, it’s an appeal to (your own) authority and a deflection of my primary point, which was that if you are going to make a point, you should back it up. This isn’t Schneier on Security – you shouldn’t make the assumption that your audience is inherently knowledgeable about the security landscape.
To use an example: you say that developers should never use global variables to store security state, and that’s good advice (so is “Don’t use global variables”). However, simply following a pronounced edict like that isn’t how we get better software; indeed that path leads to Cargo-Cult developers following suggestions for the wrong reasons (and thus never knowing when they should break the rules they were given).
I can tell that you’ve got a lot of useful wisdom to impart to the community, but your communication style can make it very difficult to understand.
First off – THANK YOU!!! I’ve been saying that pretty much since the Church of Stallman was formed and am honest to JHVH shocked to find anyone else willing to actually SAY IT.
Also true.
Shades of Basic in most every incarnation. VB crapplets for example.
Yeah, but to me that’s like leaving out the closing tags or WORSE, HEAD/BODY tags in HTML, I like to see it so that structure is maintained.
Because I don’t want it to be able to be modified once initialized inside my db.php. I consider that another vulnerability. Much less that if I don’t restrict it’s scope by passing by reference, it’s a global again.
I’ve seen sight few that qualify for that though - I’m not saying they don’t exist, but there are very few that seem to meet up to that standard… Mind you, I’ve been dealing with garbage like Goldmine and so forth so…
Actually, makes it simpler in a way, though really it’s a sacrifice to go cross-SQL. mySQL doesn’t take the exact same queries as Oracle or MSSQL - hell there are even enough differences for postGre to occasionally need query tweaks. Do you inline those changes with if statements on every query, or do you just include the appropriate values by extending the PDO object with an array containing all your queries appropriate to the task at hand? This part of why I LIKE pdo->prepare a LOT.
As I said, the only secure system is one with zero access, from there it’s a matter of degree.
It’s sad when that’s a step too far - really is.
Which is fine for large companies handling it in-house, but not for something joe-six pack is going to install on any of the billion fly-by-night shared hosts. I think the target audience plays a crucial role on that.
I’ve gotten that for 40 years, getting a little sick of it. As I’ve said other places “Englisc, modor wyrter! Gedon eow cweþan hit!?!” – I know my manner of speech is archaic, but DAMN is education really that piss poor now or something? Half the time you make a simile now you get some jackass saying “That’s off topic, what’s that got to do with it?”… and yes, I said simile, not Smiley.
The lack of general literacy really is one of my pet peeves. Maybe I should just turn my hat around backwards, put my pants around my knees and start typing everything in L33T?
Though I also think it’s the New England Yankee businessman attitude - we’ll tell you something sucks to your face… and then try to help make it better. If you aren’t willing able to get angry over something sucking, and couch every statement in meaningless plattitudes how the devil is anything supposed to get better. Slapping the rose coloured glasses on people’s heads and leading them down the garden path by saying “everything’s ok” is not how things get BETTER… But we’re the type of people who will call you a lazy sleazeball *** to your face right before we give you the shirt off our backs.
New Englanders are NOT a friendly people in terms of speech - but we’re also generous to a fault. <brooklyn>Ya got a freaking problem with that?</brooklyn>
“The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable man.” – George Bernard Shaw
I think one of the best things to learn is not to blindly listen to people without understanding why they say what they say.
You get posts on this forum by people using the most bizarre conventions because someone once told them to, and because they never questioned it they can end up with a mess of code.
That’s why I say to try and cut down on tutorials - some of them are pretty poor. A lot of them are written by people looking to score credit and look superior, so sometimes I’ve even seen articles about the basics of arrays and they throw in quick mentions of polymorphism when using objects as arrays. By doing that they are confusing the reader (who is bound to be a beginner) more than anything. If you feel confused by a tutorial, or advice from another programmer, do yourself a favour and ask about it here, we’ll help you clear it up.
[ot]This is one of the things you might want to consider, DeathShadow. Sometimes the guy just wants assistance with PHP - talking about other programming languages (pascal, assembly etc) just makes the original poster lose confidence. I’m not trying to be critical, I’m just echoing some things that people have asked me about. If a 4 year old asks how to make green paint from yellow and blue paint, don’t start talking about photons!
Basically, you’ve shown yourself to be a good programmer, you don’t have anything to prove in that respect. Just focus on being a good teacher ;)[/ot]
Another big thing you need to grasp is that for any one goal, there are a vast amount of ways to accomplish it. Experiment.