SunshinePHP 2014

Validating data with PHP

Chris Tankersley · PHP

Transcript

Excerpt from YouTube's automatic transcript of the video.

Okay, I guess it's time to start. My name is Chris Tankersley. Thank you for coming to my talk, "Don't Trust Your Users." A little bit of housecleaning right up front: like I said, my name is Chris Tankersley. I've been doing PHP for about 10 years. I have a lot of projects up on GitHub which are kind of out of date, but if you're interested you can go take a look. The last couple of years I've been doing a lot of Symfony2 and Drupal development, so my open source stuff has lagged behind a little bit because I've been doing a lot of client work.

But to know a little bit more about me: I never graduated college. I actually went to a local community college that was kind of in the transition from being an old-style technical college to an associate's college, and eventually they're going to turn into a four-year degree, but you could really see how everything was structured there when you went in and signed up for classes. I did computer programming; you just took a huge, massive amount of languages, so the vast majority of my degree was taking things like COBOL and RPG, because we have a lot of factories, C++, C#, VB.NET, and then some very basic classes. But probably the best thing I got out of it was my programming teacher, Vaughn Plesner. He taught every single programming class the same way, and I loved it. He also had Wi-Fi in the room, and it was one of the few rooms that had Wi-Fi, so I could play on my computer all day. But since he taught every single class the same way, he didn't actually teach the programming language per se; every single class was about programming in general and how to think about designing programs, the methodology for designing programs, and the syntax was kind of irrelevant. So if you went through one class you basically sat through everything else; the syntax changes.

So he taught us a lot of acronyms, and a lot of people in here are probably familiar with things like DRY, don't repeat yourself. But instead of saying "you use a class," he would teach why you should do these things: why you should use a class, why you should put things in a function, why you should put things in a subroutine, depending on the type of language you're working on. And keeping things simple. He never would say "stupid," and we always tried to get him to do it, but he never would. But keeping your programs simple and uncomplicated, because the more complicated a system you have, the harder it is to maintain, and especially when it comes to things like security, the more complex the system, the harder it is to secure those things. Any kind of build, everything down to input, process and output. He actually had us make charts at the beginning of classes on how we're supposed to structure these, but the idea is every single program takes some sort of input, be it from a user, from a file, from a web service; we have to do something to it, and then we display some sort of output. It could be another file, it could be a web page, it could be a CSV file. And he taught us a whole bunch of other acronyms. Probably the best one he taught, and the best general-purpose one, is garbage in, garbage out.

It's our job as a developer to make sure that our systems don't take bad data, because unfortunately we cannot trust the user to play by the rules and do things the way they're supposed to be. So we can't assume that Mary in accounting is going to not put commas in numbers, that Bob in sales is always going to remember to collect an email address or always collect a phone number. We want to pretend that we're one big happy family, and this is actually only the kids on my dad's side. This was the best family picture I could find, and I don't actually talk to these people, so there's probably, this is only about a third of the amount of people that were there that day. But we like to think that everybody will play nice, but not everybody does, and those are the people that we have to watch out for, because either they decide that they don't want to listen to the rules or they don't want to pay attention.

How many people have gotten a support ticket that says "this form doesn't work," and literally that's the support ticket, "this form doesn't work"? And then you ask, and you say, "Well, what was the problem? What gave me an error message?" "Okay, what was the error message?" "It said their email was empty." "Okay, what did you fill in for email?" "Well, no." We can't fix those kinds of things, but we can at least stop a form from going through without an email address. There's lots of people, again, like I said, that they don't do it to be mean; they just don't pay attention.

And of course there are malicious people as well who do try to actively break things in the system. So what happens if I change a drop-down choice that's not there? What happens if, I think probably the best example I've ever seen was, I think it was Best Buy way back when, right after they put up an e-commerce site. You could order TVs, which was awesome; you didn't have to go into the store, you could just order it online and we could ship to you. The best part about it was, though, the price was part of the form, so you could change the price and the order would go through, and you could buy a huge TV for a buck. I don't know how many of those fulfilled, and I never tried it because I'm fairly certain that's fraud, and I don't recommend doing that. But even simple things like that, or, you know, malicious things like that, are things that we have to watch out for.

I'm going to mostly talk about contact forms today because I think that's something everybody can relate with, but really any kind of data entry, be it from a user, from a web service, from a file, we can't really trust. We have to go through and we have to make sure that the data that's coming in is good data and it's the kind of data that we expect. So this is the crappy contact form off of my website. I'm a freelancer, and this is basically my website because I do a lot of word-of-mouth stuff, so I have this form there. I want your name and your email and your phone number, and then basically I wanted to argue a person of business what you want to build and how you want me to contact you. I'm sure all of us, and hopefully none of us have done this recently, but we have all built a form that if I leave all of this blank and hit submit, it will go through. As a business person I don't want blank at blank with a blank phone number to come through, so I should take my due diligence to make sure that Mr. Blank is a business and wants a web app; it doesn't come through at all: I want that name, I want that email address, I want that phone number.

[ ... ]

Note: the remaining 3,337 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.
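The contact-form checks the talk calls for (required name, email and phone; a drop-down value that must be one the server actually offers), as an added PHP example that is not code from the talk or from the speaker's site. The field names and the allowed contact methods are assumptions for illustration.

```php
<?php
// Added example (not from the talk): server-side validation of the
// contact form described above. Field names and the allowed contact
// methods are assumptions for illustration.
const CONTACT_METHODS = ['email', 'phone'];

/**
 * Returns field => error message; empty array when the input is valid.
 * Runs on the server regardless of any HTML "required" attributes,
 * because the browser-side form can be bypassed entirely.
 */
function validateContactForm(array $input): array
{
    $errors = [];
    foreach (['name', 'email', 'phone', 'message', 'contact_method'] as $field) {
        // Missing, non-string, and whitespace-only values all count as empty.
        if (!isset($input[$field]) || !is_string($input[$field]) || trim($input[$field]) === '') {
            $errors[$field] = 'This field is required.';
        }
    }
    if ($errors !== []) {
        return $errors; // Do not bother with format checks on blank fields.
    }

    if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }
    // Phone: drop common separators, then require 7 to 15 digits.
    $digits = preg_replace('/[\s().+-]/', '', $input['phone']);
    if (!preg_match('/^\d{7,15}$/', $digits)) {
        $errors['phone'] = 'Please enter a valid phone number.';
    }
    // A drop-down value is checked against the server's own allow-list;
    // the <select> offering only these options proves nothing.
    if (!in_array($input['contact_method'], CONTACT_METHODS, true)) {
        $errors['contact_method'] = 'Unknown contact method.';
    }
    return $errors;
}

// Constructed sample submissions: all blank, tampered, and valid.
$blank = ['name' => '', 'email' => '', 'phone' => '', 'message' => '', 'contact_method' => ''];
$bad   = ['name' => 'Mr. Blank', 'email' => 'not-an-email', 'phone' => '12',
          'message' => 'Build me an app', 'contact_method' => 'fax'];
$good  = ['name' => 'Mary', 'email' => 'mary@example.com', 'phone' => '(555) 123-4567',
          'message' => 'Need a web app', 'contact_method' => 'email'];
foreach ([$blank, $bad, $good] as $submission) {
    print_r(validateContactForm($submission)); // $good yields an empty array
}
```

The same pattern applies to the price example in the talk: a price is looked up server side from the product id, never read back from the submitted form.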