I Can't Believe I Do This for a Living

Posted 20 April 2007

Mary asked me to help write a small script to take an email address and append it to a text file. I know PHP has a lot of built-in functionality for working with files, but for simplicity’s sake, this is what I came up with:

<?php
// Deliberately insecure: the POSTed value goes straight into a shell command, unescaped
$email = $_POST['email'];
system("echo $email >> list.txt");

We were about to put this up, making it accessible to the entire internet, when — in a moment of sudden clarity — I realized that I’d just violated the first rule [1] of web security.

Fortunately, we caught this before the site went live, and added some code to check that the input is a valid email address, but if you were wondering why PHP gets so little respect as a web development language, the answer is: jackasses like me.
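For the record, here is what a safe version of that script looks like, as an added example rather than the code from the post: the address is checked with filter_var() and appended with file_put_contents(), so no shell is involved at all. The file name and the escapeshellarg() variant are assumptions.

```php
<?php
// Added example, not the original post's code. The list file name is assumed.
const LIST_FILE = 'list.txt';

function add_to_list(string $email, string $file = LIST_FILE): bool
{
    // Reject anything that is not syntactically an email address. The string
    // from the footnote ("xxx; rm list.txt; echo you got served") fails here.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Append with PHP's own file functions: no shell is spawned, so ';', '>'
    // and other shell metacharacters in the input are just ordinary bytes.
    $written = file_put_contents($file, $email . PHP_EOL, FILE_APPEND | LOCK_EX);
    return $written !== false;
}

// Only if a shell command is genuinely required: escapeshellarg() wraps the
// value as one single-quoted literal, so the shell never parses its contents.
// Still validate first; quoting alone does not make the data meaningful.
function shell_append(string $email, string $file = LIST_FILE): void
{
    system('echo ' . escapeshellarg($email) . ' >> ' . escapeshellarg($file));
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = add_to_list($_POST['email'] ?? '');
    http_response_code($ok ? 200 : 400);
    echo $ok ? "Added.\n" : "Not a valid email address.\n";
}
```

Run from the CLI the script does nothing; behind a web server it answers 400 for the injection string and 200 for a real address, which is the behavior to test before going live.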

SliceHost

Lately, a number of Rails developers have been singing the praises of SliceHost. The concept is really cool: 20 bucks a month gets you your own “slice”, a server loaded with your preferred flavor of Linux. From there, you install and configure whatever you want: Ruby, Python, PHP, Java, anything.

I’m tempted to sign up, but MediaTemple has been pretty good to me, and this might be more power (and more hassle) than I really need.

www.vt.edu

No words really seem appropriate to describe Monday’s events, so I’ll hold my tongue. I’d just like to say that Virginia Tech’s web team has shown itself to be a real class act. Well done.

Project update

The project I mentioned earlier has a name, Hab.la (“speak” en Español), and an adorable, sombrero-wearing mascot. We’re hoping to go beta in early May. Exciting stuff — more info soon.

[1] This code basically gives everyone on the internet access to your server. For example, typing

xxx; rm list.txt; echo you got served

would erase the mailing list, and leave in its place the worst insult known to man. And that’s pretty much the least malicious thing you could do. For more information, see Top 7 PHP Security Blunders.


About Me

I’m the Development Director at Viget in Durham, North Carolina. I’m also an avid reader, traveler, cyclist, musician, coffee fiend, and friend of birds.