[web] Protection against SQL Injection Attacks

Started by
11 comments, last by Kylotan 15 years, 7 months ago
Quote:Original post by ID Merlin
No, I can't log on as admin from the net, but I can remote in to my work PC and access it there, if I have to.


That's good practice, if a bit cumbersome for the administrators. I doubt sites like this one (gamedev.net) are going to use it (although this is pure guesswork), at least not for moderators. But if you work with more sensitive things than forum posts and articles, it's definitely worth doing.

However, people can still steal each other's rights in the same way, and you can't have all your customers go through localhost; it would defeat the purpose.

But as VizOne says, the problem lies in eval()-ing dynamically built strings. It's so damn dangerous. It'd be great if it weren't the main method taught in almost every tutorial around the web.
Quote:Original post by Ahnfelt
But as VizOne says, the problem lies in eval()-ing dynamically built strings. It's so damn dangerous. It'd be great if it weren't the main method taught in almost every tutorial around the web.


That's a problem in its own right. All the PHP/ASP tutorials out there always seem to favour inline SQL :(
It's not exactly surprising, considering it's usually database agnostic (unlike a typical prepared statement), and because using prepared statements would just add extra noise and no immediate gain to a tutorial trying to explain other concepts. I'd think security needs teaching separately, but you can't really plan for people teaching themselves over the internet.
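The inline-SQL versus prepared-statement contrast that Ahnfelt's and Kylotan's posts are arguing about, as an added example rather than code from this thread or from gamedev.net. It uses Python's sqlite3 module against a constructed two-row users table; the table, column and function names are my own, chosen for the demo. The vulnerable function is the concatenation pattern the tutorials teach; the hardened one is the same query with bound parameters, and both are run against the same two classic payloads so the difference is visible in the returned rows.

```python
import sqlite3

# Constructed sample data for the demo; not real accounts.
SAMPLE_USERS = [
    ("alice", "correct horse", 1),
    ("bob", "hunter2", 0),
]


def make_db():
    """Create a throwaway in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def matching_users_inline(conn, username, password):
    """VULNERABLE: builds the query by string concatenation, the 'inline SQL'
    pattern the thread complains about. Whatever the user typed becomes part of
    the SQL text, so quotes and comment markers change the query's meaning."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def matching_users_prepared(conn, username, password):
    """HARDENED: the same query with bound parameters. The SQL text is fixed and
    the driver hands the values over separately, so input is only ever compared
    as data and can never turn into SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # A legitimate login behaves the same either way.
    print(matching_users_inline(db, "bob", "hunter2"))          # ['bob']
    print(matching_users_prepared(db, "bob", "hunter2"))        # ['bob']
    # Tautology in the password field: AND binds tighter than OR, so the
    # inline query becomes (user AND pass) OR '1'='1' and matches every row.
    print(matching_users_inline(db, "bob", "x' OR '1'='1"))     # ['alice', 'bob']
    print(matching_users_prepared(db, "bob", "x' OR '1'='1"))   # []
    # Comment marker in the username field: '--' comments out the password check.
    print(matching_users_inline(db, "alice' --", "wrong"))      # ['alice']
    print(matching_users_prepared(db, "alice' --", "wrong"))    # []
```

Note that the payloads are not exotic; the tautology one is what a tutorial's copy-pasted login form falls to on the first try. The "not database agnostic" point Kylotan raises is real even in this form: the placeholder is `?` for sqlite3 but `%s` for psycopg2 and MySQLdb, so a parameterized snippet has to be written for a specific driver, which is part of why tutorials reach for string concatenation instead.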
