On Wed, 24 Mar 2010, Eric Lease Morgan wrote:
> On Mar 24, 2010, at 3:24 PM, jenny wrote:
>
>> My question is, where would you recommend I would begin? What's hot
>> right now in the library world? Python, PERL, Ruby? Any advice you'd
>> have for a beginner like me or even recommendations for online courses
>> would be extremely appreciated
>
>
> If you are approaching the problem for the point of view of learning a
> programming language, then you have outlined pretty good choices.
> At the risk of starting a religious war, I like Perl, but PHP is more
> popular. Java is pretty good too, but IMHO it doesn't really matter. In
> the end you will need to use the best tool for the job.
I know there's a lot of stuff written in it, but *please* don't recommend
PHP to beginners.
Yes, you can get a lot of stuff done with it, but I've had way too many
incidents where newbie coders didn't check their inputs, and we've had to
clean up after them. Just yesterday, I was helping someone at another
federal agency clean up after someone got in through a PHP script and
had turned their site into an ad for cialis. (but cleverly disguised,
using their header / footer, and it only showed up when you passed the
correct query_string to it)
The problem's gotten so bad here that we've been asked to send our entire
web directory on each server to our security office, so that they can run
it through some security scanner that looks for problems in PHP code.
(they relented to my running 'find' on the system for PHP scripts, as we
serve a few dozen TB of data over HTTP)
We're also running intrusion detection software that managed to catch
someone attempting to exploit refbase (and that was strike #2 against it
... I've never gotten a response to my e-mails to the maintainer, so we've
since had to scrap the installs of it that we had).
So, anyway ... don't do PHP. Even Tim Bray recommended that at ASIS&T's
2009 annual meeting, where he gave the plenary. (He recommended people
learn Ruby, instead)
Personally, I do most of my work in Perl, where I can, but I'd recommend
Ruby or Python over someone learning PHP (unless it was to learn enough to
migrate code off of PHP).
...
and yes, I know I've stirred this pot before:
http:[log in to unmask]
http:[log in to unmask]
...
And if you're using PHP, and can't get away from it, consider using
something like mod_security to watch for signs of malicious behavior:
http://www.modsecurity.org/
(note -- not an endorsement, I don't use it myself, as they've got
something installed on the upstream firewall that does it ... which means
that someone else sees it happen, and then we have to clean it up, fill
out paperwork that we've cleaned it up, have meetings about how we're
going to clean it up (when we already did), etc.)
-Joe
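Added illustration (not part of Joe's message or of any project mentioned in the thread) of the "didn't check their inputs" failure he describes, beside the checked form: a request parameter selects a template file, first used as-is, then validated against a fixed allowlist before it touches the filesystem. The parameter name `page`, the template names and the sample query strings are all constructed for the example.

```php
<?php
// Added example, not code from the original thread. The 'page' parameter,
// the template names and the query strings below are constructed.
declare(strict_types=1);

// Constructed: the only templates the site legitimately serves.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Unchecked: whatever the client sends decides which file is included,
// so the client, not the developer, chooses what code runs. Kept only
// to contrast with the checked version below.
function pickTemplateUnchecked(array $get): string
{
    $page = $get['page'] ?? 'home';
    return __DIR__ . '/templates/' . $page . '.php';
}

// Checked: the parameter must be a string and must match the allowlist
// exactly; anything else is rejected before a path is ever built.
// Returns null on rejection so the caller can send a 404 and log it.
function pickTemplateChecked(array $get): ?string
{
    $page = $get['page'] ?? 'home';
    if (!is_string($page) || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    return __DIR__ . '/templates/' . $page . '.php';
}

// Run from the CLI with constructed query strings; parse_str() builds the
// same array PHP would hand us as $_GET for a real request.
$samples = ['page=about', 'page=../../../etc/passwd', 'page=home%00.txt', 'page[]=home'];
foreach ($samples as $qs) {
    parse_str($qs, $get);
    $checked = pickTemplateChecked($get);
    if ($checked === null) {
        // A rejected value is exactly the thing worth writing to a log that
        // an IDS or a human reviews, which is where a tool like mod_security
        // would also raise it.
        printf("%-28s -> rejected (log and return 404)\n", $qs);
        continue;
    }
    printf("%-28s -> %s\n", $qs, basename($checked));
    // Only a string ever reaches the unchecked version in this demo; with
    // page[]=home it would receive an array and emit a conversion warning.
    if (is_string($get['page'] ?? 'home')) {
        printf("%-28s    (unchecked would use: %s)\n", '', pickTemplateUnchecked($get));
    }
}
```

The allowlist comparison uses strict `in_array`, and the `is_string` test matters because PHP will happily hand a handler an array for `page[]=...`; both cases fall into the same reject-and-log branch, which is the signal an intrusion-detection layer of the kind mentioned above can work from.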