[Phpmyadmin-devel] Re: Debate on using newly added PHP (and MySQL) functions in core phpMyAdmin functions:
25 Sep
2001
25 Sep
'01
1:12 p.m.
Hi Geert!
Debate? Which debate? It's a requirement, isn't it?
And this is defenitly also the most correct way to
solve the problem - as array_unique first was
introduced in PHP 4.0.0 and by the way was broken
in PHP 4.0.4
Right and It's also the nicest and the quickest way to
do it ;)
This also calls for a general "WATCH OUT" to
all us
developers - please keep in mind that "core" phpMyAdmin
functions must not rely on newly added PHP
functions - as phpMyAdmin is used on many platforms that
has not been....
Well I thinks this is what we have done till now and that's the
main reason for the "defines.inc.php3" library.
BTW you forgot to write that PMA should be use with most
(all) browsers, let's say from Lynx/NS3 to IE6/Moz 0.9.4.
Comments on this is welcome and appreciated
Done ;)
Loïc
______________________________________________________________________________
ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...
http://www.ifrance.com/_reloc/email.emailif
25 Sep
25 Sep
1:32 p.m.
Hey again :-)
Debate? Which debate? It's a requirement,
isn't it?
Well, if we decides that we don't give a damn about older software-versions
then we can do it - so we must start with agreeing that it's a requirement
and not an option... But hopefully we all agree - but I mention it because
we are many people in the development team - and because more and more
people (users) suggest ways of improving the source code - and my point was
that not all bugfixes may just end up implemented in phpMyAdmin without
checking (and maybe even discussing) security and compablity issues...
My greatest fear at the moment is that with all the many code-changes that's
made every day - that we start to compromise with both security and
compability issues - and with this very powerfull database administration
tool - it's IMNSHO very - very very - important to always keep security
issues as a top priority - it's better to leave out a fancy feature to later
implementation - than to just give a damn about the security and hope that
it'll be fixed later...
(that's also why I think that the website and documentation might need an
update stating that it's a very bad idea running CVS development versions in
productions environments) and maybe we ought to start supplying fix patches
to the current final version - specially when security issues is adressed,
resolved and corrected. Instead of just keep telling people to upgrade to
the latest CVS development version where the fix has been supplied.
Get my thoughts?
Well I thinks this is what we have done till now and
that's the
main reason for the "defines.inc.php3" library.
I certainly agree - and let's all keep doing it that way! But we've need to
remind us selves about this from time to time ;o)))
BTW you forgot to write that PMA should be use with
most
(all) browsers, let's say from Lynx/NS3 to IE6/Moz 0.9.4.
Again - I coulden't agree more - it's more important to keep browser
compability (for usage on many platforms and in many browsers) than to make
nice, fancy and keen view features that's only working in the newest version
of IE etc.
--
Kind regards
Geert Lund
3:06 p.m.
Geert Lund - SilverSoft Productions a écrit :
Hey again :-)
Geert,
I respect the points you mention, but I would like a clarification on your part.
Are you only "feeling" a fear, or do you have facts to back your point that the
code-changes
are starting to compromise security and compatibility?
The beauty of open-source development is that anyone can see the changes and send
warnings
to a developer or to the list; and I think that all developers here are open
to discuss their changes and improve our collective skills.
Marc
Debate? Which debate? It's a requirement,
isn't it?
Well, if we decides that we don't give a damn about older software-versions
then we can do it - so we must start with agreeing that it's a requirement
and not an option... But hopefully we all agree - but I mention it because
we are many people in the development team - and because more and more
people (users) suggest ways of improving the source code - and my point was
that not all bugfixes may just end up implemented in phpMyAdmin without
checking (and maybe even discussing) security and compablity issues...
My greatest fear at the moment is that with all the many code-changes that's
made every day - that we start to compromise with both security and
compability issues - and with this very powerfull database administration
tool - it's IMNSHO very - very very - important to always keep security
issues as a top priority - it's better to leave out a fancy feature to later
implementation - than to just give a damn about the security and hope that
it'll be fixed later...
4:47 p.m.
New subject: [Phpmyadmin-devel] Re: Debate on using newly added PHP (and MySQL) functions in core phpMyAdmin functions:
Hey Marc (and others)...
I respect the points you mention, but I would like a
clarification on your
part.
Shoot away ;O)
Are you only "feeling" a fear, or do you
have facts to back your point
that the
code-changes are starting to compromise security and
compatibility?
No, no, I woulden't say that any of the developers on the project in
generally has started to write code that compromise security or
compability...
But I call for the awareness of the dangerous path of development being
maintained on a large project with many developers and even more users
helping with supplying bugfixes and feature improvements/enhancements - as I
see it for the moment the code is very stable and the security is good - but
with the many code-rewrites and more code-rearrangeing that's made, we
should keep more and more attention to not only checking the code for
browser-compability - but also checking that security isen't compromised
with the many code-changes.
And I still haven't seen any discussions on any code-rewrites - that's about
whether the change might create a security issue or not - and most of our
testusers (that uses the CVS version) will not sit down and test code for
security breaches, but only that new (and old) features work correct - with
the correct (and legal) use of phpMyAdmin.
So I was in no way attempting to imply that any on the developer team writes
lazy/faulty code or anything that... With my starting mail - I simply wanted
to draw attention to an issue that might become a problem in the long run -
if we just keep our minds into feature-enhancement (and feature-bugfixes)
and fancy things in general - and not stay focused on the importance in
writing code with as few security breaches as possible.
A good example is the inclusion of the phpinfo.php3 file - which provides
really important information about the server that phpMyAdmin runs on - and
nobody had their attention to including the AUTH-check in this file... A
mistake that wasen't fatal in any way - but the next mistake might be far
more fatal...
My question to some thoughts (in which my original post was intended): can
we afford to make fatal mistakes in this matter - in an administration
application used by 100.000+ users around the world - used by
administrators, developers, ISPs etc. etc. etc. - can we afford to _hope
that_/_rely on_ some one will find the security holes before the release of
final-versions of phpMyAdmin? Just because we all might be caught up in
rewriting code and enhancing features or adding new fancy stuff (because
that's far more fun than to check already written code) ;o)
Hope this clears it up a bit? But please anybody - do comment in any way -
because I think that focus on this subject is in any way for the best of
phpMyAdmin ;-)))
PS. It might look like I'm being paranoid - but I work as a web system
developer at the largest ISP in Denmark (TDC Internet), and has to keep
focus on security in all that I do :-/ (sometime it would be more fun just
write new stuff and fuck the 'bad' code I've written i the past - but I
don't think that my employer think it's fun when someone compromises the
security, database-integrity etc.
Wow - that was a long answer :-))) But in any way - I'll check out the code
more closely and see if I can find stuff that might be a problem - as soon
as I'm done with the server-cluster setup I'm doing these next couple of
days :-)))
--
Kind regards
Geert Lund
8392
days inactive
8392
days old
3 comments
3 participants
participants (3)
-
Geert Lund - SilverSoft Productions -
Loïc -
Marc Delisle