Re[2]: [PHP] Re: php security books

2007-07-04 Thread Richard Davey
Hi Andrew,

Wednesday, July 4, 2007, 4:23:38 PM, you wrote:

>>> Avoid the O'Reilly one as it is flawed.
>>
>> In what way?
>
> It's written by Chris Shiflett, isn't that enough reason?

No, not really. The errata are clearly published online, and while you
could argue that some of them shouldn't have existed in the text in
the first place, security is such a moveable feast that whatever is
written today will almost surely have changed within a very short period
of time, regardless of the author.

If just one person takes something useful away from his book, that
makes them think "damn yes, I DO allow that in my scripts!", then it
was a worthwhile purchase. He (along with a number of others) has
done a wonderful job of raising the PROFILE of security (or lack
thereof) in PHP applications and the PHP world in general. Before the
likes of him and Steffan started blogging and writing about all the
issues out there it was a piss-poorly covered area that most
developers (*especially* new ones) ignored or were not even aware of.

Even if some of the techniques in the book are now flawed, the profile
and awareness he has generated did nothing to harm the PHP community,
and does not warrant your shit slinging.

Cheers,

Rich
-- 
Zend Certified Engineer
http://www.corephp.co.uk

Never trust a computer you can't throw out of a window

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: Re[2]: [PHP] Re: php security books

2007-07-04 Thread Andrew Hutchings
In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Richard Davey) wrote:

> Hi Andrew,
>
> Wednesday, July 4, 2007, 4:23:38 PM, you wrote:
>
>>>> Avoid the O'Reilly one as it is flawed.
>>>
>>> In what way?
>>
>> It's written by Chris Shiflett, isn't that enough reason?
>
> No, not really. The errata are clearly published online, and while
> you could argue that some of them shouldn't have existed in the text
> in the first place, security is such a moveable feast that whatever
> is written today will almost surely have changed within a very short
> period of time, regardless of the author.

Sure, and I'm not debating the rate that security moves, or that there
are newer techniques for some of the stuff. I haven't read the errata,
to be honest. Do people ever read those? (open question)

> If just one person takes something useful away from his book, that
> makes them think "damn yes, I DO allow that in my scripts!", then it
> was a worthwhile purchase. He (along with a number of others) has
> done a wonderful job of raising the PROFILE of security (or lack
> thereof) in PHP applications and the PHP world in general. Before the
> likes of him and Steffan started blogging and writing about all the
> issues out there it was a piss-poorly covered area that
> most developers (*especially* new ones) ignored or were not even aware
> of.
>
> Even if some of the techniques in the book are now flawed, the
> profile and awareness he has generated did nothing to harm the PHP
> community, and does not warrant your shit slinging.

I have no doubt he is a great bloke and a great public speaker / PR
for PHP application level security. I apologise if it sounded like
FUDing (why does that sound dirty?). I just don't like / agree with
his book or some of the security articles he wrote (again, I haven't
read them in quite a while). I think Ilia's book is a lot better.
I also agree that awareness is no bad thing, but people should also be
aware he is not the be-all and end-all of PHP application level
security, and he has made mistakes (as have I and probably everyone
else here at some point).
If Chris were to rewrite it into a second edition, then who knows, I may
like it.


-- 

Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen 
leads to downtime. Downtime leads to suffering...I sense much Windows in you...
