Comments on: Server Hacked Thanks to Insecure PHP Script

By: Hamid

Hamid — Sat, 18 Jun 2011 12:14:25 +0000

I had similar experience with same company VALUE ON WEB and selected them for same reasons. I ended us losing a lot of money and when tried to have code reviewed by new company got this response –
“Hello Hamid, Thanks for sending over the files, unfortunately the code is awful. You have about 300 PHP files which all have html and php code together. Not even the slightest separation has been attempted. Also, just a warning, the project has a big security risk. All queries on the database are not protected against even the most basic attacks like sql injections. From what we could see Zend has not been used at all. Given the current status we can’t take over the existing code. Let me know your thoughts. Best wishes, Paul”

By: Marco Demaio

Marco Demaio — Wed, 15 Dec 2010 20:27:36 +0000

the truth is that security is not a good marketing word, people expect security as normal part of the job, like when at the supermarket they buy a can of beans they expect not to find inside a moldy one so they just look at the color of the sticker on the can and at the advertisement they saw on tv show. But good programmers are usually not good in marketing, and beside you not many people are willing to pay so many bucks for programmers.

By: Mark Bridgeman

Mark Bridgeman — Fri, 12 Nov 2010 13:27:47 +0000

I fully agree with the above, as I professional web builder I have had servers hacked in the past when I’ve taken over someone else’s website as the customer was unhappy with the previous company. I’m older and wiser now and understand that I should not take it on face value that another companies code is ok simply because they are ‘professionals’. I’ve learned that they might be competent, but ‘competent’ and ‘professional’ are not the same thing. Furthermore there is nothing worse than picking through someone elses unfamiliar code…

By: Karen Mae Farro

Karen Mae Farro — Tue, 28 Sep 2010 16:07:36 +0000

The success of a certain business depends not only to the manager but also to the staff. It is just so annoying sometimes to have such an irresponsible employee which is not dedicated or serious with work. What I do, actually, is to base their income on their output. That way they are motivated to work hard and better.

By: wesley

wesley — Tue, 07 Sep 2010 17:34:42 +0000

You should require all projects to be done in some sort of PHP framework, something like kohana or yii. In my experience that will get rid of a lot of the crap firms… Plus, these frameworks have several security standards built in (file uploading, sql escaping, etc..)