Letter for Adorjan (SQ Contributor)
I started to fix your script, but... I better leave it. It is a group study project, and those kinds of projects are normally very messy. Don't get me wrong, it is a good thing that you wanted to learn PHP with others, but next time, please, have some PHP coder as a teacher, who is working in PHP so that he can show you the right way to script. You are a beginner in PHP and you started with the hardest thing: the open source project. To code an open source project, you must have knowledge of how to code secure PHP scripts. Things like "trigger_error", which on error shows every detail of the server, are NOT ALLOWED! It is the same thing as, for example: You open a bank and install some very expensive code protection for the bank safe, and you write down the password on a piece of paper and put it above the code protection box. Now, everybody has access to the bank safe, and soon, you will notice that there is no money in the bank, and your whole protection system was a waste of money because you left the password in the place where everybody can see it.
The way you coded the seniorquoter is good for you and your friends, but it is not good for wide use. It is very insecure. So, I will try to fix everything, if I am in the mood, but I don't promise anything. Next time you want to have a programming study group, call somebody who knows very well the things you want to study with your group. I can bet that in your town there is one, if not more, PHP coders who do not work for big companies for a big salary, and who are just waiting for a chance to teach someone for free. By the way, I learned PHP not by learning some functions, or stuff, but by understanding one easy guestbook script, and after that creating something similar with more functions and ability. After 4 months of coding for about 6 hours a day, I learned PHP very well. :)
It's not about how others teach the programming languages, it's about how the individual can easily learn it. When I was in high school, we had a subject of programming in C. I never understood that language, not even now, and on the tests I only knew how to write the beginning of the code and the end of the code (header, footer). The real code between was a blank paper. I couldn't understand how to code.
Then, 2 years ago, I wanted to learn PHP. I took some books from my friend, who is a programmer, and started to learn PHP. But the same problem as with C occurred. I couldn't connect the lot of functions and string types, and who knows what not, into one code. So, I quit learning PHP. But after a few months, I found a very easy script which I started to understand. How? I moved from line to line, looking up every function on php.net and slowly understanding how the code works. That was my starting point. I just want to say that not everybody can learn a new programming language with the standard learning method, because we are not the same. Some people need some different approach to the programming language that will help them to learn it. :)
My Response
Thanks for writing to me. I understand your point about how the code is insecure. I know trigger errors are a big no-no - but this is still beta code and one of the issues we have to fix is this. I have filed a bug report: http://bugzilla.theplaz.com/bugzilla-3.0.2/show_bug.cgi?id=132
I agree in hindsight that I should have perhaps found a professional who was willing to help. I agree too that understanding is a big part. I learned PHP the same way you did - going through examples line by line on my own and php.net.
I think the participants were only starting to understand PHP. I think my schedule was a bit rough (~40 days; hour and a half per day) and way too compressed. This could have been an entire year between learning PHP and building SQ.
For security, are you referencing PHP5 functions? I know that programming PHP5 is more robust and secure. However for beginners - this was already too advanced.
I know this is a sorry excuse - but that page is the admin panel. Yes it should be secure; but if they have access to the panel then they have all of the data and they can mess the install up. Are there any security problems on the server to be worried about in trigger error (besides the DB password)? The admin login page and quote submission site (unchanged from when we last worked on it) need to be secure - and the admin page should be as well.
As for where we are in the code - I think that if we look over every script and confirm the security I think we can have a passable project. It is not Drupal or Wordpress level - I don't plan to support plug-ins or templates - since the purpose is so narrowly defined. My opinion is that when we fix the few remaining problems (trigger error [bug 132] and forgot password security [bug 40]) then we have a usable product.
Thanks for your help and you are more than welcome to fix things when you are in the mood -Michael
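
An added example, not SeniorQuoter code: one way to keep the detail passed to trigger_error() (message text, script path, line number) out of the rendered page, by writing it to the server log under a reference ID and showing the visitor only that reference. It assumes PHP 7 or later; the handler names and the sample message are hypothetical.

```php
<?php
// Added example; sq_error_handler and the sample message are hypothetical.
declare(strict_types=1);

// Keep PHP's own diagnostics out of the HTML response; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Receives trigger_error() calls and PHP warnings/notices.
 * Full detail goes to the server log under a random reference ID;
 * the visitor sees only that reference.
 */
function sq_error_handler(int $errno, string $errstr, string $errfile = '', int $errline = 0): bool
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[ref %s] errno=%d %s in %s:%d', $ref, $errno, $errstr, $errfile, $errline));

    // Fatal-class errors stop the request with a generic message.
    if ($errno === E_USER_ERROR || $errno === E_RECOVERABLE_ERROR) {
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo 'Something went wrong. Reference: ' . $ref . "\n";
        exit(1);
    }
    return true; // handled: PHP's default handler (and its output) is skipped
}

// Uncaught exceptions get the same treatment.
function sq_exception_handler(Throwable $e): void
{
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[ref %s] %s: %s in %s:%d', $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Something went wrong. Reference: ' . $ref . "\n";
}

set_error_handler('sq_error_handler');
set_exception_handler('sq_exception_handler');

// Constructed demo: the message carries detail that must not reach the page.
trigger_error('DB connect failed for user sq_admin (config at /var/www/sq/config.php)', E_USER_WARNING);
echo "The page continues; the detail above is only in the server log.\n";
```

The reference ID lets an administrator match a visitor's report to the full log entry without the page ever showing it.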