Blog : Posts tagged with 'programming'


Defence In Depth

In which we discover we’ve been bad, and have a rant about why


A couple of weeks ago, I discovered that my site had, apparently, been compromised, but my hosting company had handled it. WordPress had been broken in the process; but I’m not entirely surprised. Nevertheless, I thought everything was now happy.

This morning, though, a letter from Google lets me know: it hadn’t been fixed. My site has, for the past fortnight, been serving up crap to any passing search engine. This can’t be good. I don’t blame my hosting company: what they did do was above and beyond the call of duty, and they can’t be expected to understand and trace every twisty little maze of code paths in WordPress that might result in something being sent back to the client’s screen.*** What it does make me want to rant about, though, is PHP.

PHP is – if you’re not a geek and haven’t heard about it – by far the most common “web-programming” language around today. Its modus operandi is: you intersperse chunks of programming code in and around the static content in your web pages. When your webserver reads a page, it will run the chunks of code as a program. In WordPress’s case, the chunks of code run off to a database and fetch my posts, your comments, and so on, from it, and send them back to a client. Thus, one web page can output many posts, managing them is much easier, and so on. All well and good.

PHP, though, is … well. It’s not exactly the best language for the job, which is being polite about it. I’ve been doing lots of programming in it myself lately, for our Office Intranet, and it’s just not as rigorous as other languages. The syntax doesn’t somehow seem as thorough. Apart from the little differences you always get between languages,* it has little corners that feel slightly wrong when I use them, as if I’m transgressing the boundaries between types of programming object in a bad and dirty way.

That’s just a minor thing, really, just me quibbling. What my big problem is, what makes PHP an utterly unsuitable programming language for its job, is one particular feature much adored by people who want to take control of your website and use it to advertise pr0n and drugs. It’s a feature which is unutterably stupid, so stupid I can’t believe anyone thought it should have been created. PHP will, if you like, go and read a file from anywhere on the internet, and run it for you. Which means that a shifty-looking programmer who gets illicit access to the files on your website only has to add a couple of lines of code, to get complete control of everything. Bang. Like that.

Now, you could say: well, FP, you shouldn’t have been using FTP. And you’re right.** My hosts offer SFTP instead, and I should have been using that. There’s no good reason to use FTP either if you have an alternative available. But that doesn’t mean that the next hole along the line shouldn’t be blocked either. It’s called: defence in depth. At work, we have a high fence round the whole site, and an alarm system just inside it; but that doesn’t mean that we leave the office buildings unlocked. Security shouldn’t be brittle; ideally it shouldn’t be thin either. Once you’ve breached the first layer, the tools to complete the job shouldn’t be left lying around.

* The difference between ‘elseif’ – which is a PHP keyword – and ‘elsif’, Perl’s spelling of the same thing – will forever damage my brain.

** I have a good story about how weak FTP can be – but it can wait for another time.

*** and, indeed, it’s my own fault; I should right away have compared the live files with my known-good backups.
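As an added example (not the blog's own code), the check a site owner could run after a cleanup like the one above: it diffs the live tree against the known-good backup the footnote mentions, and flags the php.ini directives that let include/require load code from a URL. The directive names are real PHP settings; the sample trees and ini text are constructed.

```python
# Added example, not the blog's own code: compare a live site tree against a
# known-good backup, and check a php.ini fragment for the directives that let
# include/require load code from a URL.  Paths and contents are constructed.
import hashlib
import os
import tempfile

# Directives that allow include/require to fetch code over the network.
RISKY_DIRECTIVES = ("allow_url_include", "allow_url_fopen")


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def manifest(root):
    # Relative path -> SHA-256 for every file under root.
    return {os.path.relpath(os.path.join(d, n), root): _sha256(os.path.join(d, n))
            for d, _, names in os.walk(root) for n in names}


def diff_trees(live, backup):
    # Files added, removed or changed relative to the known-good copy.
    cur, good = manifest(live), manifest(backup)
    return {"added": sorted(set(cur) - set(good)),
            "removed": sorted(set(good) - set(cur)),
            "modified": sorted(p for p in cur if p in good and cur[p] != good[p])}


def risky_ini_settings(ini_text):
    # Names of risky directives that are switched on in a php.ini fragment.
    found = []
    for raw in ini_text.splitlines():
        key, _, value = raw.split(";", 1)[0].partition("=")  # ';' = comment
        key, value = key.strip().lower(), value.strip().strip('"').lower()
        if key in RISKY_DIRECTIVES and value in ("on", "1", "true"):
            found.append(key)
    return found


def demo_trees():
    # Constructed sample: backup holds index.php and wp-content/ok.txt; the live
    # tree has a tampered index.php, an extra wp-content/x.php and no ok.txt.
    base = tempfile.mkdtemp()
    live, backup = os.path.join(base, "live"), os.path.join(base, "backup")
    for d in (live, backup):
        os.makedirs(os.path.join(d, "wp-content"))
        with open(os.path.join(d, "index.php"), "w") as f:
            f.write("<?php echo 'hello';\n")
    with open(os.path.join(live, "index.php"), "a") as f:
        f.write("// tampered\n")
    open(os.path.join(live, "wp-content", "x.php"), "w").close()
    open(os.path.join(backup, "wp-content", "ok.txt"), "w").close()
    return live, backup
```

Anything in "added" or "modified" is exactly what a cleanup may have missed; the ini check is the second layer the post argues for, so a dropped-in include cannot pull code off the network even if a file did get past you.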


Masochism

In which FP goes back to BASICs


No, I’m not a masochist.

I take a strange, geeky, masochistic pleasure, though, in making things hard for myself. In doing computer-based things the long way round. In solving the problems that are probably easy for some people, but hard for me. In learning new things just because it’s a new challenge.

Today, I was wrestling with a piece of Basic code in an Excel spreadsheet. I’ve not touched Basic since it had line numbers,* and I barely know any of it. I forced myself to work out how to do what I wanted in it.** It was mentally hard work, and meant a lot of looking back and forth to the help pages, but I got it done in the end. It might not be written in the best way, the most efficient way, or the most idiomatic way.*** But doing it was, strangely, fun.

* this is geek-speak for “a long long time ago”.

** or, rather, what the consultant I was assisting wanted.

*** for non-geeks: every computer language or system has its own programming idioms, which fit certain ways of programming particular problems. Someone used to language A will, on switching to language Z, often keep on programming in language A’s style even if this produces ugly and inefficient code in the other language.
