amelierosalyn

All posts tagged with "Rants"

PHPAskIt is insecure!1!1!zomg!11

I came across a couple of websites discouraging the use of PHPAskIt because it uses a database and therefore absolutely must be insecure.

One such example states:

PHPAskIt isn't completely secure, either. It uses a database so I woulda thought that was more INsecure than the flat file of Waks Ask & Answer script.

Another says:

PHPAskit is just as insecure [as Wak's Ask&Answer] only people think it's secure because it's not flat file.

And so on, and so forth.

For the record, there is no difference in security in using one method or another, as long as they are both done properly. Wak's Ask&Answer and CuteNews (flat file scripts) aren't. PHPFanBase and SimpleDir (MySQL scripts) aren't either. Jem's Bella~ series and FlatPress however, are flat file scripts and they are fine. Similarly, WordPress and PHPAskIt are MySQL scripts and they are absolutely fine.

Yes, it's true that hackers discover more and more vulnerabilities in scripts and programming languages all the time, so a script may not always be secure in its current version, and it is very important to keep your scripts up to date. But to say a script is insecure because of the method of storage it uses is stupid and shows complete ignorance. If you are going to say a script is insecure, don't just back it up with "well I looked it up online and it said it was insecure". People seem to like publishing fake reports of insecurities (probably where all this is coming from, actually... PHPAskIt had a nice security hoax published about it - and in case you're still living in the dark ages, it was wrong), so "looking it up online" isn't always the answer.

If in doubt, ask someone who knows what they're talking about. :)

You don't need to ConvertToPHP just to use includes

I have seen countless threads on the various forums from people who are asking for help because their member lists don't show in whatever popular fanlisting script they're currently using. When asked for their code, 9 times out of 10 it looks like this:

<?php
include('header.inc');
if(!$_SERVER['QUERY_STRING']) { ?>

Here are all my members!!!!
[Insert member list code here]

<? } include('footer.inc'); ?>

Can you spot what's wrong with that?

If you can't, here's the answer. Most fanlisting scripts use the query string (that's the bit that comes after a ? in a URL, such as country=USA in a URL like members.php?country=USA) to display members from different countries. The code there includes the line if (!$_SERVER['QUERY_STRING']) {, which means "if there is no query string, do the following...", and the person has stuck their member code in the "do the following" bit (the part between the { and }). The members list WILL fail here, because it relies on the query string. If you tell the members to only show when there is no query string, it will break as soon as you attempt to go to a country.

Now the reason this is happening so often is because it seems that people think "ooh I need a PHP page... How do I do that? Ah, NL-ConvertToPHP." This is wrong, people! All you need to have a "PHP page" is to give it a .php extension. If you want headers and footers (which NL-Convert uses as well), there are millions of tutorials on how to do this online. Don't assume that just because that script is called "ConvertToPHP" it is the be-all and end-all of how to make PHP pages.
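Here is how that page should be structured instead, as an added example that is not code from the original post or from any fanlisting script: the list is built outside of any "no query string" check, and the optional country is read from the query string and validated before use. The header.inc and footer.inc includes and the $members array are assumed placeholders for whatever your script actually uses.

```php
<?php
// Added example: a members page that always shows the list, filtering by the
// optional ?country= query string instead of hiding the list when one exists.
include('header.inc');

// Constructed sample data standing in for whatever the fanlisting script stores.
$members = array(
    array('name' => 'Alice', 'country' => 'USA'),
    array('name' => 'Bob',   'country' => 'UK'),
    array('name' => 'Chen',  'country' => 'USA'),
);

// Read the country from the query string; missing or empty means "show everyone".
$country = isset($_GET['country']) ? trim($_GET['country']) : '';

// Only accept values that exist in the data, so an arbitrary string from the URL
// is never used as-is in the page or in a lookup.
$known = array_unique(array_map(function ($m) { return $m['country']; }, $members));
if ($country !== '' && !in_array($country, $known, true)) {
    $country = '';
}

// Filter here, outside any "if there is no query string" block, so the list is
// shown whether or not a country was requested.
$shown = array();
foreach ($members as $m) {
    if ($country === '' || $m['country'] === $country) {
        $shown[] = $m;
    }
}
?>

<h2>Here are all my members!</h2>
<?php if ($country !== ''): ?>
<p>Showing members from <?php echo htmlspecialchars($country, ENT_QUOTES, 'UTF-8'); ?></p>
<?php endif; ?>

<ul>
<?php foreach ($shown as $m): ?>
  <li><?php echo htmlspecialchars($m['name'], ENT_QUOTES, 'UTF-8'); ?>
      (<?php echo htmlspecialchars($m['country'], ENT_QUOTES, 'UTF-8'); ?>)</li>
<?php endforeach; ?>
</ul>

<?php include('footer.inc'); ?>
```

Requesting members.php shows all three members, members.php?country=USA shows two, and an unknown country falls back to the full list instead of breaking the page.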

Oh yeah, and I have internet again. Just in case anyone was wondering.

Why I don't like target=_blank

I get asked quite a lot why my links don't open in new windows, and could I please add target="_blank" (or target="new" - which is incorrect) to them? The answer to that is no. I have never used target="_blank" on my site, except when I used popup windows (ewww, I know). And even then I wasn't happy about doing it. Especially now, when I validate to doctypes that don't support the target attribute.

Ok, I do have my Firefox settings set to ignore target="_blank", but why should I have to change my settings because of your site? I don't like being told how I'm going to go to a link. I want to choose for myself whether I am going to open a new window, a new tab, a new browser, or reuse the same page. I want links to follow what I've told my browser I want to happen. Usually, I reuse the same page. However, I never ever have more than one browser window open, and that is how I want it to stay, thank you very much. I can't stand cluttered desktops/taskbars where I don't know which window contains what. At least with tabs I can rename them and order them and whatever else (Firefox extensions FTW!1!).

This behaviour stems from the times of IE6 and other non-tabbed browsers, but it is still being used today - people don't want visitors leaving their sites, so they force another browser window to open. On my old computer this was a nightmare - it couldn't cope with more than one instance of IE, and opening another (by choice or otherwise) resulted in the whole thing crashing. Likewise, my current computer is getting slower and more dodgy every day, and opening an instance of Firefox/IE/anything takes it quite a while (yes, I have defragmented/taken off spyware/viruses/etc. It's just getting old). That's another reason I only have one FF window open, actually, heh. To those people (who don't want visitors leaving their sites) I say this: if your site is worth visiting, people will go back to it. You don't have to force them to stay on your site. In most cases, they will end up closing your site's window anyway.

So my point (I do have one, honest): please don't use target="_blank". It's not only inaccessible, but it's a nuisance to those of us such as myself (and it's not just me) who dislike our default settings being overridden. Let the user choose how to open links. Like I said, if your site is really worth staying on, people will stay on it. There is no need to force them to do so.