Meanwhile, Symfony is advertised as an enterprise-ready framework. ]]> http://laurent.bachelier.name/2010/02/security-is-not-easy/comment-page-1/#comment-80 halfer Wed, 14 Jul 2010 12:08:48 +0000 http://laurent.bachelier.name/?p=143#comment-80 Hi Laurent, Well done; looks like you've done some excellent research on this one, and barring any problems with your solution, I hope it gets implemented. I agree: security is not easy! However, I do wonder if the general approach and tone might be somewhat dispiriting for your target audience (core team members). As a key moderator for the symfony forums, I sometimes see product feedback which is, sadly, borderline abusive, even though it is rarely intended as such. One recent thread on the quality of symfony documentation suggested that the work on the docs "sucked", the quality is getting worse, that symfony is unsuitable for business solutions, and that their author should be ashamed of them. Not at all the kind of polite and constructive feedback I would want to hear if I was the author in question, especially if the complainants had received my work free of charge! I am sure the author of the sfGuard method can take criticism in their stride. But, it is easier to swallow if it is couched in +gentle+ terms. Phrases like "silly", "strong ignorance", "badly designed", "every programmer should know"... are all likely to offend. Programmers, after all, are only human. One good approach to criticism is: "would I say this to someone in person"? If the answer is "definitely not", then it may be wise to avoid using that phrase in print. Hi Laurent,

Well done; looks like you’ve done some excellent research on this one, and barring any problems with your solution, I hope it gets implemented. I agree: security is not easy!

However, I do wonder if the general approach and tone might be somewhat dispiriting for your target audience (core team members). As a key moderator for the symfony forums, I sometimes see product feedback which is, sadly, borderline abusive, even though it is rarely intended as such. One recent thread on the quality of symfony documentation suggested that the work on the docs “sucked”, the quality is getting worse, that symfony is unsuitable for business solutions, and that their author should be ashamed of them. Not at all the kind of polite and constructive feedback I would want to hear if I was the author in question, especially if the complainants had received my work free of charge!

I am sure the author of the sfGuard method can take criticism in their stride. But, it is easier to swallow if it is couched in +gentle+ terms. Phrases like “silly”, “strong ignorance”, “badly designed”, “every programmer should know”… are all likely to offend. Programmers, after all, are only human.

One good approach to criticism is: “would I say this to someone in person”? If the answer is “definitely not”, then it may be wise to avoid using that phrase in print.

Good job!

Just using mt_rand() should be fine too, and maybe better.