Sarah
30 September 2007 @ 11:01 am
Everything is at the new place, but most of it is still spread out across the floor. Lily seems to be doing well. She is happy to explore, but she keeps calling out. The Feliway stuff worked great! A half hour after plugging it in Lily seemed much less "wired". I have internet & cable, but no couch or bed yet. Hopefully soon, but I need to make space first. Oh, and I fixed my research code so it works fine on my linux box (which I'm actually using for the first time in a year!). Go me.
 
 
Sarah
18 June 2006 @ 11:38 pm
Lots of people like to tell me that PHP is not secure. I’m not entirely sure I understand what they mean. I get mixed impressions from different people too. I’m under the impression that most people don’t code things properly in PHP to make their code secure, but that PHP is not fundamentally broken. This is always the impression I get when I google. Am I crazy?

I know I need to be very careful with exec (I don’t currently use it) and I need to check email addresses for injection attacks (thanks to a hacker who pointed that one out to me the hard way :) ), double check all input variables. Don’t trust anything in a cookie. Is there anything else major that I’m missing?

Along similar lines, how do you cleanse variables to SQL? Do you need to do anything more than stripping semicolons?

----

That's it for tonight. I am full of sleepiness. Thanks in advance for any insights.
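
Added example, not part of the original post: stripping semicolons compared with a prepared statement, for the question above about cleansing variables for SQL. The table, data and function names are constructed for illustration, and it assumes PHP with the pdo_sqlite extension so that it runs without a database server.

```php
<?php
// Added example: constructed schema and data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES
           ('sarah', 'sarah@example.com'), ('lily', 'lily@example.com')");

// "Cleansing" by stripping semicolons, then building the query by concatenation.
// The quote character still reaches the SQL parser, so the input can change the WHERE clause.
function findUserStripped(PDO $db, string $name): array {
    $clean = str_replace(';', '', $name);
    $sql = "SELECT name, email FROM users WHERE name = '$clean'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound as data and is never parsed as SQL.
function findUserPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: contains a quote and no semicolon at all.
$input = "nobody' OR '1'='1";

printf("stripped semicolons: %d row(s)\n", count(findUserStripped($db, $input)));
printf("prepared statement:  %d row(s)\n", count(findUserPrepared($db, $input)));
printf("prepared, real name: %d row(s)\n", count(findUserPrepared($db, 'sarah')));
```

The concatenated query returns every row in the table for a name that does not exist, while the prepared statement returns none; the same binding works with other PDO drivers.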
 
 
 
Sarah
18 June 2006 @ 11:19 pm
I was thinking about how I can better secure the admin section of my website. I currently have it behind htaccess. (I prefer that to something I code because I make mistakes sometimes ... well lots of times :) ). I don’t really think anyone would be listening, but I don’t want to send my password in plain text anyway. I wanted to put it behind an SSL. Unfortunately my webhost wants to either 1) charge me $35 for it, or 2) have me use theirs for free.

I’m fundamentally opposed to 1. I looked up how to do it, and I could install the certificate myself if I had access to the httpconfig file. It’s just a couple lines of code. (I’m actually pretty displeased right now with my webhost, but they just automatically charged me again for another year and I’m not pissed off enough to pay for two hosts.)

Option 2 won’t work with my current layout. My admin stuff looks for a config file in the root directory (using $_SERVER['DOCUMENT_ROOT']) to figure out where important hidden files are. If I go with option 2, the files will appear to be linked into a different webroot directory, and so the files won’t be able to find that necessary config file. I don’t want to go through all my files to make a change to all my files.

My question: is there another way I can set up a secure connection? Or, even more fundamentally, if I did, would the htaccess popup utilize that secure connection? It seems the password prompt happens before the page is actually connected to. I’m not sure what that means.
 
 
Sarah
18 June 2006 @ 11:05 pm
More website questions! I’m going to split these over several posts to avoid confusing myself.
----
I currently have a spiffy php file (skinChooser.php) for skins. It checks to see what skin has been saved in the cookie, verifies that it’s valid - that kind of thing. Inside the file I have an array declared that contains both of my skins’ names. I want to start including more information than just skin name. I’m thinking stuff like “short name”, “full name”, “description.”

One thought was to store this in a database. That way skinChooser could look up said information. The advantage is that I wouldn’t have to modify skinChooser when I make a change. The disadvantage is that my webhost is slow. I’m already starting to see some delay opening pages. Additionally, most pages would not care about this additional information anyway, only one page (themes.php) would. Perhaps the time wouldn’t be much of a factor, and then I would have the information easily available in case I want to have some other file aware of it.

Another thought is to store the additional information in skinChooser (or themes). That way no database call is needed. It would require me to update the files whenever I want to make a change, and there’s some risk that I would forget and the two files would fall out of sync. Perhaps this is not horrible because I have a function validSkin() in skinChooser, so at the very least I would not display old or removed skins.

A final thought is a hybrid of the two. I can have an array of skin names, just as before, and have only the functions that need the additional information call the database. I think this is more work than it’s worth.

What do you think/what would you do? Keep in mind the number of skins is, and will likely remain, small (currently 2). I have vague plans to add more, but not an idea of what I want them to look like and it takes me a couple weeks to be happy with a new skin.
 
 
 
Sarah
15 March 2006 @ 05:02 pm
I would love to download all of my gmail into a zipped file on my hard drive. Is this possible?
 
 
 
Sarah
16 January 2005 @ 09:53 am
I need some advice.

( The big problem )

( the not-as-big problem )

( the not-really-a-problem problem )

I also have a php question: I have files of defines. I want to be able to write to them, so I tried to have my program chown and chmod them. I keep getting "Warning: chmod(): Operation not permitted." Is anyone familiar with this type of warning and how do I make it go away?
 
 
Current Mood: busy
 
 
 
Sarah
19 September 2004 @ 09:37 pm
I'm going to switch to PHP! But I realize it's still going to be a bit more involved than I thought before. And I have more questions.

Question:
I generally try and include all the code in a single file. For example, I have an email script that invokes itself when someone hits the send button. So the basic layout of the script is

if (contents_of_form_filled_out) {
    checkFormValues()
    sendDataViaEmail()
    returnToPreviousPage()
}
else {
    displayForm()
}

I do this because I don't want to have lots of script files hanging around that someone might stumble across and send bogus data to. But it makes the scripts a little harder to read and a little bulkier and leads to tons of if statements. Do you think this is a bad practice in general? Or should I do it the way everyone else does it? What about for something more complex, where I want to make sure users are logged in, or that did data processing? If I had lots of files, they would each need to verify authentication, and that the data is complete and in a good form?

Question:
Speaking of logging in... What do people know about setting up sessions in php? I'm still trying to work with my login script, but I'd rather not have to authenticate on every page.
 
 
Current Mood: contemplative
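
Added example, not part of the original posts: one way to write the checkFormValues() step of the email script outlined above, including the check on email addresses that the 18 June 2006 post mentions. The form field names (email, subject, message), the length limit and the sample submissions are assumptions constructed for illustration.

```php
<?php
// Added example: checkFormValues() for a contact form, with constructed inputs.
// Returns a list of problems; an empty list means the values can go on to the mail step.
function checkFormValues(array $form): array {
    $errors  = [];
    $email   = trim($form['email'] ?? '');
    $subject = trim($form['subject'] ?? '');
    $message = $form['message'] ?? '';

    // Anything placed in a mail header must not contain CR or LF:
    // a line break there begins a new header supplied by whoever filled in the form.
    foreach (['email' => $email, 'subject' => $subject] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field contains a line break";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($subject === '' || strlen($subject) > 150) {
        $errors[] = 'subject is empty or too long';
    }
    if (trim($message) === '') {
        $errors[] = 'message is empty';
    }
    return $errors;
}

// Constructed sample submissions (not real traffic).
$samples = [
    'ordinary'       => ['email' => 'reader@example.com', 'subject' => 'Hello',
                         'message' => 'Nice site!'],
    'extra header'   => ['email' => "reader@example.com\r\nBcc: list@example.net",
                         'subject' => 'Hello', 'message' => 'hi'],
    'missing fields' => ['email' => 'not-an-address', 'subject' => ''],
];

foreach ($samples as $label => $form) {
    $errors = checkFormValues($form);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```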