• chl (unregistered) in reply to C# Man
    C# Man:
    phargoth:
    in my country we have a saying that is "the hell is full of good intentions"

    Sorry to be a pedant, but I thought the phrase was...

    "The road to hell is paved with good intentions"

    phargoth's country may not be your country.

  • Pontus (unregistered) in reply to Patrick

    Congrats on not understanding what directories do and what challenges large companies face. Separate users in every application? Separate passwords? Separate user access administration in every application (and we've got literally thousands)? Thanks, but no thanks.

    AD, like other LDAP compatible directories, provides central user identities, coordinates authentication and provides information data which can be used by applications and infrastructure (e.g. databases, web servers, portals) to make authorization decisions.

  • Peekee (unregistered) in reply to ObiWayneKenobi
    ObiWayneKenobi:
    I Collect Spores Molds and Fungus:
    Imagine a single Twinkie represents all the WTFs ever created in LAMP. Active Directory itself would be a Twinkie 35-feet long, weighing approximately 600 pounds.

    That's a big Twinkie!

    Mmmmmm twinkie.... drools

  • (cs) in reply to Kyanar
    Kyanar:
    Patrick:
    PHP Man:
    bjolling:
    Alex Papadimoulis:
    There are several different magnitudes of complexity that can be involved with an administration module, ranging from the full-on set of tables including users, groups, roles, tasks, operations, etc., to a simple IsAdmin column on the users table.
    There is nothing hard about creating full-on administration functionality. Let your domain administrators create, manage and maintain the necessary groups and roles inside Active Directory. In code use IsUserInRole to check what a user can do and use AzMan to perform authorization.

    OK, I'm a LAMP developer (Linux, Apache, PHP, MySQL). What the hell is Active Directory?

    Some bloated crap Micro$oft made to give admins job security. Basically, every function of an application is a "task", Users can be assigned multiple "roles" and if that role can perform a specific task, then permission is granted. Some tasks can be performed by more than one role, and if lots of users are given the same roles, the roles can instead be assigned to a "group" that the users then become "members" of. Administrators have access to all roles, so only one administrator account is needed - in case you lose the user with the role of assigning roles.

    Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

    You're a complete dumbass. Active Directory is an LDAP server with Kerberos v3 extensions. Nothing more.

    It's sometimes hard to believe how many FOSStards inhabit TDWTF. If you don't know how to do the equivalent of Active Directory + AzMan (the obvious .NET solution) in linux you should GET A REAL DEVELOPMENT STACK.

    ~~ third try ~~

    <sarcasm>Maybe linux doesn't do LDAP?</sarcasm>

  • (cs) in reply to Patrick
    Patrick:
    <snip />

    Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

    You're right! It is completely impossible to make an error in the code that skips the role check when roles are stored in MySQL instead of Active Directory. Thank you.

  • Neil (unregistered)

    It is possible to write good code in php, but examples of this are few and far between.

    I developed using php for a few years, but switched to java and its various MVC frameworks and have since learned the error of my ways :)

  • jc (unregistered)

    Hey, what am I doing working on these complex, time-consuming modules for accessing a database of users in a secure manner. Today's WTF has shown me how a truly efficient developer does it. I'll code it up right away (but maybe in perl or python, because we all know that those are better languages). I'll really impress the clients with how quickly I can get such things working.

    Thanks for showing me a Better Way.

  • Anonymous Cow-Herd** (unregistered)

    A poor craftsman blames his tools. However, even a good craftsman is limited by truly bad tools. Am I poor at searching if I give up SSDS, and try something inferior such as slocate instead?

  • MP (unregistered)

    I currently work on a side-project with a guy somewhat like Bim Job (or maybe it is Bim Job himself).

    This is typical behavior from a delusional C# "programmer" (although he may use some other similar language, I would wager it is C#). The guy I currently work with doesn't realize C# and C are not the same language (thinking C# is the C programming language). He rants about his mastery of C despite is lack of pointer knowledge.

    Guys like Bim Job are extremely difficult to work with because they have no idea how ignorant they are of the computer science field. They can repeat vocabulary words from college (e.g. "Turing Complete") without understanding the meaning of said words.

    My current C# colleague (again, possibly Bim Job) wonders why he is not allowed to work on the difficult projects despite "a mastery of the C programming language" as a C# "systems programmer". I just laugh and pick a competent programmer for the difficult projects.

  • ginandtonic (unregistered) in reply to gray goat
    gray goat:
    1. Who gives a shit if he misspelled a word?

    I do, since you ask. Now, who wants my shit?

  • Adam Robinson (unregistered) in reply to php,c#,java,brainf*ck,c++,objective-c,vb,ksh,csh,perl
    php:
    And the completely missing/ignoring the point award goes to.....

    Yeah, looks like I missed the point. If the point was "most developers (~80% according to your post) aren't good enough to do this", then you're right. It's also true that most developers aren't good enough to levitate or shoot snow from their rears; those things aren't possible.

    If that was your point, then your point is, well, pointless. If you were being serious, then you're wrong.

    If I've missed it, please enlighten me.

  • MP (unregistered) in reply to darkninja962
    darkninja962:
    I see nothing wrong with this. It's obvious that only admin users will be created with ** in their name directly in the database and the normal users will be restricted from using those characters with some javascript.

    The real WTF is using the double stars and not hardcoding the admin names and passwords. That would make maintenance a breeze.

    TRWTF is that you think you can use JavaScript - a client-side language that can be completely ignored or rewritten by the client - to restrict users from doing something bad.

  • Adam Robinson (unregistered) in reply to MP
    MP:
    TRWTF is that you think you can use JavaScript - a client-side language that can be completely ignored or rewritten by the client - to restrict users from doing something bad.

    Really? After you saw

    darkninja962:
    The real WTF is using the double stars and not hardcoding the admin names and passwords. That would make maintenance a breeze.

    You thought that was a serious post?

  • hobbes** (unregistered) in reply to Adam Robinson
    Adam Robinson:
    MP:
    TRWTF is that you think you can use JavaScript - a client-side language that can be completely ignored or rewritten by the client - to restrict users from doing something bad.

    Really? After you saw

    darkninja962:
    The real WTF is using the double stars and not hardcoding the admin names and passwords. That would make maintenance a breeze.

    You thought that was a serious post?

    You read a few threads around here, you find it's hard to distinguish serious from sarcastic without external clues.

  • anon (unregistered)

    What you all seem to be missing, is the question of who exactly this 'security' was intended to keep out.

    If it's intended to keep out any serious hackers, then it's very very bad. If it was intended to keep out your average script kiddie, it might possibly work, as they'll never try a username with "**" in it.

    However, if it was on a system which was only accessible internally, and it was intended to keep out the pointy-haired-boss, and no-one else, then it's fine.

    I've designed stuff like this; there's some crappy 'security' on the front-end, when in fact anyone other than the boss could work out that the server's sharing its /www dir with no password! But the boss can't work that out. In fact, the boss can't work out which day it is without looking at his socks. But he might fiddle with something on the 'admin' page that he doesn't understand (which would be any of it). Hence adding 'security' to the system.

    TRWTF in my case? The pointy-haired-boss, and his boss who's not fired him yet.

  • (cs)

    They, like, totally blew it.

    They should have included the password check, so that using ** would not only allow you to be an admin, but also to be an admin as any user you want.

    if (strstr($username, '**')) {

        // Any username containing "**" becomes admin, the stars are stripped,
        // and the password check is skipped entirely.
        $admin = 1;
        $username = str_replace('**', '', $username);
        $_SESSION['admin'] = 1;

        $password_okay = 1;

    } else {

        // Everyone else has to present a valid password.
        $admin = 0;
        $password_okay = password_check($username, $password);

    }

    There's nothing like being able to give yourself more money and blame it on the CEO.
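    The snippet in the post above, placed beside a hardened form of the same login, as an added example that is not code from the commenter or from the article. The $USERS table, the user names and the passwords are constructed stand-ins for a real users table (a real application would fetch the row with a parameterised query); login_backdoored, login_hardened and demo are names chosen for this example. The hardened version verifies the password first and reads the admin flag from the stored role of the verified row, so no pattern in the supplied username can grant anything:

```php
<?php
// Added example, not code from the comment above: the "**" backdoor beside a
// hardened login. $USERS is a constructed in-memory table standing in for the
// users table; real code would fetch the row with a parameterised query.

$USERS = [
    'alice' => ['hash' => password_hash('alice-pw', PASSWORD_DEFAULT), 'is_admin' => false],
    'root'  => ['hash' => password_hash('root-pw',  PASSWORD_DEFAULT), 'is_admin' => true],
];

// The pattern from the comment: "**" in the username grants admin and skips
// the password check altogether.
function login_backdoored(array $users, string $username, string $password): array
{
    if (strpos($username, '**') !== false) {
        return ['ok' => true, 'user' => str_replace('**', '', $username), 'admin' => true];
    }
    $row = $users[$username] ?? null;
    $ok  = $row !== null && password_verify($password, $row['hash']);
    return ['ok' => $ok, 'user' => $username, 'admin' => false];
}

// Hardened form: the password is verified first, and the admin flag is read
// from the stored role of the verified row, never derived from the username.
function login_hardened(array $users, string $username, string $password): array
{
    // A fixed dummy hash keeps the verify cost the same for unknown users,
    // so response time does not reveal whether an account exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $row = $users[$username] ?? null;
    $ok  = password_verify($password, $row['hash'] ?? $dummy) && $row !== null;
    if (!$ok) {
        return ['ok' => false, 'user' => null, 'admin' => false];
    }
    return ['ok' => true, 'user' => $username, 'admin' => (bool) $row['is_admin']];
}

// Walk through the cases the thread argues about and print both outcomes.
function demo(array $users): void
{
    $cases = [
        ['anyone**', 'wrong-password'],   // backdoor attempt, no valid credentials
        ['alice',    'alice-pw'],         // ordinary user, correct password
        ['root',     'wrong-password'],   // real admin account, wrong password
        ['root',     'root-pw'],          // real admin account, correct password
    ];
    foreach ($cases as [$u, $p]) {
        $b = login_backdoored($users, $u, $p);
        $h = login_hardened($users, $u, $p);
        printf("%-10s backdoored: ok=%d admin=%d | hardened: ok=%d admin=%d\n",
            $u, $b['ok'], $b['admin'], $h['ok'], $h['admin']);
    }
}

demo($USERS);
```

    Run with `php` on 7.1 or later. The first case is the whole point of the article: the backdoored function reports ok=1 admin=1 for "anyone**" with a wrong password, while the hardened function rejects it, and only the genuine "root" row with its correct password comes back as admin from the hardened path.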

  • (cs) in reply to feugiat
    feugiat:
    Now, could someone explain to me why this kind of WTF cannot happen using other languages? (if you need to see much-enterprise Java code from a major financial institution using similar backdoors, just tell me because I can provide).

    This is not a language-specific problem, but an architectural one. Almost every system of relevance that is supposed to run continuously w/o interruptions (i.e. a transactions processor, a web site, or a hardware monitoring/control system) has administrative requirements.

    Every system that has administrative requirements must implement reliable and secure administrative interfaces (ranging from command-line scripts to cute and cuddly web pages, depending on who or what will use those interfaces and how.)

    Everything that must be implemented must be taken into account from the get go - it can't be an afterthought (not if people want to have a degree of confidence they won't develop a WTF.) That is, it must be noted in the architecture, in the design, it must be included as part of the deliverables.

    Whether you work on PHP, RoR, Java or C, getting it right or missing it completely is the result of architectural and design decisions. Getting it right, or missing it completely, that is not language specific.

  • (cs) in reply to bjolling
    bjolling:
    Patrick:
    <snip />

    Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

    You're right! It is completely impossible to make an error in the code that skips the role check when roles are stored in MySQL instead of Active Directory. Thank you.

    Do you realize how impossible it is to make that kind of assertion? Either that or LAMP-land operates under different rules of computability in complete isolation from the rest of the universe.

    For some systems, it is ok to have the roles stored and executed by (and within) the database. This is ok when the roles and the operations assigned to them are data/database-centric.

    This also implies that the bulk of business logic is also in the database, and that is a can of worms. Like anything else in software, you can get it right, or you can get it wrong.

    It is certainly not a universal solution, and this is predicated by having control of the database. What do you do when you do not (which is usually the case in large enterprise systems)?

    What do you do when your data is not from a relational database that lets you perform application-specific permission checking (i.e. data from a mainframe or a real-time data distribution service)?

    In many cases (in particular in the health and defense industry) you must have a decentralized role facility that is external and independent to both the data and the data store. In many cases, roles are assigned to tasks that don't logically map to data transactions or stored procedures.

    In fact, you seem to confuse access control (which could be done in some but not all instances from within the database) with role assignment.

    In very specific cases the solution that you propose makes sense. But in the large scheme of things, it is a very silly thing to propose. I'd suggest you learn a thing or two about software/systems engineering before you climb your activist soapbox.

  • Bim Job (unregistered) in reply to MP
    MP:
    I currently work on a side-project with a guy somewhat like Bim Job (or maybe it is Bim Job himself).

    This is typical behavior from a delusional C# "programmer" (although he may use some other similar language, I would wager it is C#). The guy I currently work with doesn't realize C# and C are not the same language (thinking C# is the C programming language). He rants about his mastery of C despite is lack of pointer knowledge.

    Guys like Bim Job are extremely difficult to work with because they have no idea how ignorant they are of the computer science field. They can repeat vocabulary words from college (e.g. "Turing Complete") without understanding the meaning of said words.

    My current C# colleague (again, possibly Bim Job) wonders why he is not allowed to work on the difficult projects despite "a mastery of the C programming language" as a C# "systems programmer". I just laugh and pick a competent programmer for the difficult projects.

    Paragraph 1: No, not me. Paragraph 2: I'll save you the wager. Just dump a dollar in the charity box. Paragraph 2a: "Despite (h)is lack of pointer knowledge?" That's unfair. Many of my best friends are pointers. Paragraph 3: My definition of "Turing Complete" may well be rubbish. Your definition of "Turing Complete" is currently hiding behind a cloud. Paragraph 4: Some of us oldsters still worry about how to pick a "competent programmer" for even simpler projects. We'll just keep on bumbling along until you shine your light on us.

    You really are a bit of a delusional prat, aren't you?

  • Bim Job (unregistered) in reply to Len
    Len:
    Bim Job:
    But, let's get sane and business-like. I'm going to develop a website, in November 2009, over the next six months. I've got tens of cheap (and possibly brilliant) layout designers. I'm going to work on top of a LAMP stack, for some reason. (Hey, I'm not the CFO!)
    So ... what would you use? (Serious question). Why? (In more words: which technologies did you consider and reject and why.) When it comes to developing for the web, I'm truly a n00b -- I'm interested in the thought/decision processes and trade-offs behind the technology decisions.)
    Not that anybody trolling around here will tell you. And I'm probably the worst person to ask -- despite having developed an MVC website and been on maintenance for two or three more. (One of which was in PHP! Oh noes!)

    If it's small (say circa 10 pages) and unlikely to expand -- ie it's a shop-front with jazz like shopping carts, et al -- go with PHP. PHP is designed for that.

    If you want something out quick, and plan on learning lessons and building V2.0 with something else -- go with PHP.

    If you've programmed before, go with the language you're comfortable in. Might be Perl (typically), might be Python, might even be a .NET language.

    The choice of technology is, in fact, irrelevant -- right up to the point where you need to hire somebody else to fill in the gaps.

    At that point, you're pretty much fucked if you chose PHP and want to continue with PHP. Then again, you're pretty much fucked with Ruby on Rails.

    It's a harsh world out there.

  • zidar (unregistered)

    Don't kill me for this comment, but if, and that's a big IF, he prevented just anyone from putting "**" in their username and if he checked for those magic stars after the username and password verification, then it could actually be a bit safer than it looks. But considering someone was as "brillant" as that, I think it's quite possible that that piece of code was the first thing that checks the username.

  • (cs) in reply to Len
    Len:
    Bim Job:
    But, let's get sane and business-like. I'm going to develop a website, in November 2009, over the next six months. I've got tens of cheap (and possibly brilliant) layout designers. I'm going to work on top of a LAMP stack, for some reason. (Hey, I'm not the CFO!)
    So ... what would you use? (Serious question). Why? (In more words: which technologies did you consider and reject and why.) When it comes to developing for the web, I'm truly a n00b -- I'm interested in the thought/decision processes and trade-offs behind the technology decisions.)

    Serious answer: It depends on the environment.

    • Is it a high volume site?
    • Is the data produced by it self-contained?
    • Or is its data to be consumed by other apps?
    • Does it consume data generated by other apps?

    .. and so on and so on.

    Also, there is the question - how large is the app expected to be?

    I really don't see Bim Job's points against PHP, but I'm not going to go there. You can take my opinion with a grain of salt as well. However, based on experience, this is how I would answer your question.

    If there is an existing code base (or apps ecosystems), I would try to use a language related to the technology family in use.

    If it's a Java shop, I'll stick with Java for the heavy back-end lifting, for user-facing sites on the public Internet or for anything that needs to handle large volume of requests. In particular I'd stick to that if it is a large web system where you have dozens of developers involved.

    In the same Java shop, I'd opt for Groovy or JRuby (or some other dynamically typed language) for internal web apps, for the mom-and-pop store web page or as front-ends for Java back-end doing the heavy lifting. On web sites that require constant change and malleability more than anything else, I'd go with Groovy or JRuby or Jython.

    Similarly, on a .NET shop, C# would be my equivalent to Java, and VB or VFP as the Groovy/JRuby counterparts.

    The reason for choosing to stay within a technology family is that applications never live in isolation. They need to be maintained, and for that you need to leverage the knowledge possessed by the existing development and infrastructure teams.

    PHP, I'd use it in bare-bone places where either:

    • the app expected size is small, or
    • the expected traffic is small, or
    • as a front-face to much larger and powerful back ends (like Facebook does.)

    Using PHP will assume that 1) I like it, and 2) I don't suck at development, but that is true of any technology I end up choosing.

    The most important things are not the exact programming languages, but understanding the architectural needs of web development (sessionless or near sessionless, malleability, fault-resiliency, good web UI design principles, security.)

    Other things that you need to know, and which many web developers are painfully ignorant of, are the characteristics of networks, of the internet and of how things between your app and your client like firewalls, caching servers and the like might affect users' experience.

    I'm a Java guy, so I'm biased. I'd say if you want to learn web development, and assuming you possess good (or at least acceptable) programming and engineering skills, learn both Groovy on Rails and the JEE stack for web development (Spring+Spring MVC or Spring+Struts/Tiles).

    I bet there will be people who are going to groan and moan that these choices are ugly and this and that. Whatever. They exist and people use them. Knowing them will make you marketable.

    If you choose a .NET platform, then learn how to develop web apps in C# (or VB, but I'd go with C#) as well as Ruby on Rails on the .NET platform.

    That will be my take. As you start learning, you don't need to master all, but you need to be aware of how and when to use static and dynamic type languages. They are tools for specific types of nails, and you need to be able to work with both types.

    -- edit --

    I'd suggest you also know how to install and configure Apache HTTP server or any other *nix based http server. Play with modifying headers (such as timeouts and caching headers) and all that crap. It is ugly and it sucks, but people use it, it is a de-facto standard. Plus it doesn't take that long to learn it. Unless you have no knowledge of Unix, it should take you probably 16-48 dedicated hours to really get it.

  • binford2k (unregistered) in reply to Dave
    Dave:
    bob171123:
    If you just trash PHP without providing a good alternative, you've done nothing but troll. At least someone provided neko as an alternative to PHP, Bim Job just ranted unintelligibly. I hope it at least made you feel good Bim Job.

    Ahh good - someone said exactly what I was thinking.

    Y'see - this is why system programmers aren't invited to the christmas party...

    It's all right. He'll be greasing his wang nuts.

  • (cs) in reply to luis.espinal
    luis.espinal:
    bjolling:
    Patrick:
    <snip />

    Woo. So, that's the simple version. And then in the code you can accidentally make something that completely skips the role check, and everyone can access it. Among other problems.

    You're right! It is completely impossible to make an error in the code that skips the role check when roles are stored in MySQL instead of Active Directory. Thank you.

    Do you realize how impossible it is to make that kind of assertion? Either that or LAMP-land operates under different rules of computability in complete isolation from the rest of the universe.

    For some systems, it is ok to have the roles stored and executed by (and within) the database. This is ok when the roles and the operations assigned to them are data/database-centric.

    This also implies that the bulk of business logic is also in the database, and that is a can of worms. Like anything else in software, you can get it right, or you can get it wrong.

    It is certainly not a universal solution, and this is predicated by having control of the database. What do you do when you do not (which is usually the case in large enterprise systems)?

    What do you do when your data is not from a relational database that lets you perform application-specific permission checking (i.e. data from a mainframe or a real-time data distribution service)?

    In many cases (in particular in the health and defense industry) you must have a decentralized role facility that is external and independent to both the data and the data store. In many cases, roles are assigned to tasks that don't logically map to data transactions or stored procedures.

    In fact, you seem to confuse access control (which could be done in some but not all instances from within the database) with role assignment.

    In very specific cases the solution that you propose makes sense. But in the large scheme of things, it is a very silly thing to propose. I'd suggest you learn a thing or two about software/systems engineering before you climb your activist soapbox.

    I'm not sure what to think of your post. I guess you must have missed the sarcasm in mine.

    • Previous poster claims that in an Active Directory it is possible to miss a role check when your make an error.
    • I respond that this could never happen if he would store his roles in MySQL. I thought my sarcasm here was obvious.

    I completely agree that roles and user membership must be handled outside of your applications. Like I posted before, in a .NET environment you would choose Active Directory (AD) or maybe the more light-weight Active Directory Application Mode(ADAM). I'm sure that when you develop on a LAMP stack, you have LDAP servers as well with nice management interfaces.

    My point is: creating a user management tool for any application is NOT as hard as the article suggests. Just use the correct tool for the job.

  • (cs) in reply to bjolling
    bjolling:
    I'm not sure what to think of your post. I guess you must have missed the sarcasm in mine.

    Yeah, my sarcasm-o-meter is currently broken, and I certainly confused you with the poster you were replying to. My bad!

    -- third try --

  • (cs) in reply to Ad hitlerum
    Ad hitlerum:
    Given how misspelled words and malformed syntax drastically affect programming languages, I'm always surprised that some of the people who comment here don't do any better with regular written language.

    I've always thought the same. Why is it ~70% of the web can't spell 'separate' (they always spell it 'seperate')? I've even seen this in GUIs. Although the one that really twists my nuts is spelling 'lose' as 'loose' - why add another fucking letter! What happens when they read aloud - do they pronounce 'loose' as 'lose' or what?

    Of course spelling is important. If one reads a 400 year old manuscript, the random variations in spelling make it far harder, & therefore slower to read. A small amount of variation is tolerable, but it must be viewed as a 'bad thing', otherwise we'll end up back in the 15th century. The dictionary was a huge step forwards, obviously.

  • (cs) in reply to Anonymous Cow-Herd**
    Anonymous Cow-Herd**:
    Am I poor at searching if I give up SSDS, and try something inferior such as slocate instead?

    SSDS - now there's a piece of work. Legendary WTFery. Wonder what part of the web he's infecting with his insanity now?

  • Gerrit (unregistered) in reply to C# Man
    C# Man:
    phargoth:
    Sorry but... we are talking about Credit Cards Numbers and payments etc... the last thing that this should be is transparent. in my country we have a saying that is "the hell is full of good intentions", and this is one of those cases.

    Sorry to be a pedant, but I thought the phrase was...

    "The road to hell is paved with good intentions"

    No doubt it is in your country. The saying was from phargoth's country.

  • Swedish tard (unregistered) in reply to method1
    method1:
    Anonymous Cow-Herd**:
    Am I poor at searching if I give up SSDS, and try something inferior such as slocate instead?

    SSDS - now there's a piece of work. Legendary WTFery. Wonder what part of the web he's infecting with his insanity now?

    He's actually back here, trolling the forums. :) Go check it out. ;)

  • Swedish tard (unregistered) in reply to Bim Job
    Bim Job:
    Len:
    Bim Job:
    But, let's get sane and business-like. I'm going to develop a website, in November 2009, over the next six months. I've got tens of cheap (and possibly brilliant) layout designers. I'm going to work on top of a LAMP stack, for some reason. (Hey, I'm not the CFO!)
    So ... what would you use? (Serious question). Why? (In more words: which technologies did you consider and reject and why.) When it comes to developing for the web, I'm truly a n00b -- I'm interested in the thought/decision processes and trade-offs behind the technology decisions.)
    Not that anybody trolling around here will tell you. And I'm probably the worst person to ask -- despite having developed an MVC website and been on maintenance for two or three more. (One of which was in PHP! Oh noes!)

    If it's small (say circa 10 pages) and unlikely to expand -- ie it's a shop-front with jazz like shopping carts, et al -- go with PHP. PHP is designed for that.

    If you want something out quick, and plan on learning lessons and building V2.0 with something else -- go with PHP.

    If you've programmed before, go with the language you're comfortable in. Might be Perl (typically), might be Python, might even be a .NET language.

    The choice of technology is, in fact, irrelevant -- right up to the point where you need to hire somebody else to fill in the gaps.

    At that point, you're pretty much fucked if you chose PHP and want to continue with PHP. Then again, you're pretty much fucked with Ruby on Rails.

    It's a harsh world out there.

    Just wanted to toss a word in here. Me myself, I'm a systems developer, and see plenty of wtfery in my line of work.

    As far as PHP goes, my own knowledge is about on the level of what we see here on tdwtf. I also am not a great fan of the syntax in PHP, although, I guess I could get used to it if I had to. Nor am I fond of the utter lack of naming conventions in standard libraries, but again, that's what Google is for.

    My point?

    I've got a friend doing PHP work professionally, well, he does pretty much whatever the owner of a website wants him to, except that he never, ever backs down on code quality. He'd rather lose a job than leave crappy code after himself. I've seen code he's worked on before and after, and the after code is a joy to look at, whereas the code before sometimes more resembles some shit some coprophage ate and then threw up again.

    Point... Yeah... Point being, there are people out there that are good programmers that actually work with PHP. So you are not completely up the wrong creek without a paddle if you have to hire someone. Though, I guess your chance of hitting some random shithead that read "Teach yourself programming in 3 days!" is a lot greater with PHP than with, say, C/C++ and that whole family of languages.

    Uh, I guess I should stop ranting now. Though, there is a point in there somewhere. I think. ;)

  • RFQ (unregistered) in reply to Patrick

    Oh, Patrick, better yet, hire some dumbass that reads the HTTP GETs and writes the response to the client in a text editor by hand, and no need of PHP or anything else, just teach him HTTP...

  • Bim Job (unregistered) in reply to Swedish tard
    Swedish tard:
    Just wanted to toss a word in here. Me myself, I'm a systems developer, and see plenty of wtfery in my line of work.

    As far as PHP goes, my own knowledge is about on the level of what we see here on tdwtf. I also am not a great fan of the syntax in PHP, although, I guess I could get used to it if I had to. Nor am I fond of the utter lack of naming conventions in standard libraries, but again, that's what Google is for.

    My point?

    I've got a friend doing PHP work professionally, well, he does pretty much whatever the owner of a website wants him to, except that he never, ever backs down on code quality. He'd rather lose a job than leave crappy code after himself. I've seen code he's worked on before and after, and the after code is a joy to look at, whereas the code before sometimes more resembles some shit some coprophage ate and then threw up again.

    Point... Yeah... Point being, there are people out there that are good programmers that actually work with PHP. So you are not completely up the wrong creek without a paddle if you have to hire someone. Though, I guess your chance of hitting some random shithead that read "Teach yourself programming in 3 days!" is a lot greater with PHP than with, say, C/C++ and that whole family of languages.

    Uh, I guess I should stop ranting now. Though, there is a point in there somewhere. I think. ;)

    One last attempt at sanity: I think pretty much all of this is good advice. (Ignore the comments about syntax -- it's just what IT people bitch about.)

    To summarise: (1) For a simple website, you might very well be able to do it yourself -- in PHP, or possibly ASP.Net. Buy a Dummies book -- there's no shame in this -- and play around on your home machine before loading it up on a server. (2) Always start with a simple website. (3) Don't get distracted by loonies arguing over "frameworks." I could recommend one or two, and caution against one or two more. The signal-to-noise ratio on these things is pitifully weak. (4) If you insist on using a framework, buy a book on it first. If you can't understand the book, how the hell can you expect to understand the framework? (5) Always get a second opinion. And then a third. And maybe a fourth. (6) Point (5) is particularly relevant if you try to hire a second person to "help out."

  • Personal Hoem Pages for teh win (unregistered) in reply to Bim Job
    Bim Job:
    99.999% of PHP programmers should concentrate on crochet.

    this is so true. I was unfortunate enough to work for a self-taught PHP fanatic around 5 years ago. sadly his fanaticism didn't extend to actually learning the capabilities of the language beyond having no methods, no encapsulation, zero code reuse, countless include files differentiated by suffixes like "003", referencing db query result columns by index, "saving columns in the database" by comma-delimiting multiple columns into one and paying no interest in the things that make PHP halfway usable like PEAR and PECL (they were too much to learn at once). when I asked him where he'd learnt how to program like that he proudly proclaimed:

    Right here!

    source control didn't come into it either. instead, I was instructed to perform a full ghost of my machine to tape every friday, taking up over an hour of development time, which he was paying. money for doing literally nothing seems appealing when you're stressed and under pressure - believe me, the actual appeal is short lived.

    CAPTCHA: commoveo - commoveo and say that to my face (you need a Yorkshire accent to make it work)

  • roopjm (unregistered) in reply to ObiWayneKenobi

    this comment made my day :)

  • eric bloedow (unregistered)

    reminds me of an old story: some company gave their GUEST account Admin access! so ANYONE could get full access simply with Username "guest", Password "guest".

Leave a comment on “Starring The Admin”
