Mark Prado
08-20-2009, 04:46 PM
We need a PHP/MySQL programmer to help with PERMANENT.
In the absence of one, I would like somebody to help me find a previous volunteer named Brett Corbin, in Australia. His email address no longer works. There are many people named Brett Corbin but I saw one on a MySQL user group in Australia here:
http://www.sqlserver.org.au/user/bio/ViewBio.aspx?bioId=5029
... which has absolutely no info on him displayed, and I got no response from an email inquiry to the system.
Recently, I've been paying people thru elance.com but as usual the work is either questionable or the good guys get busy on other projects and then either get unresponsive or else sub it out to somebody else of much poorer quality.
What we really need is someone who sticks with us for a long time, not switching programmers and then the new one must figure out what the old one did. If you've ever been a programmer and had to go modify someone else's code, then you know what I mean ...
I am happy to pay for programming at "mate's rates".
Please reply here or else:
http://www.permanent.com/feedback2009.htm
Mark
klaks
08-26-2009, 04:24 AM
Can I make a suggestion that using php might not be in our best interests? It's like the US national intelligence, there's a security hole practically every day. I don't want to see PERMANENT get eviscerated by some nasty malware hacker.
Sam Fraser
08-26-2009, 06:16 AM
That's interesting, klaks. I had no idea PHP was vulnerable that way. Are there any recent examples you've come across, or know of some forums or articles where security breaches and fixes are discussed? I think Mark would like to know. He's been learning the basics of PHP himself after finding he was wasting too much time pointing out oversights, mistakes or omissions to freelance programmers. At this stage, it's faster for him to look at someone else's code and just fix it himself than explain and detail again and again what's wrong. Of course, the solution is finding a competent programmer (who we're happy to pay "mates rates"), but we don't want to be using PHP if it turns out to be about as airtight as the Titanic! :eek:
Mark Prado
08-26-2009, 09:41 AM
The risk/benefit ratio of PHP/MySQL is very small.
This forum is run as PHP/MySQL, like most forums. So is our contact form and many other things on this website and on my company websites.
PHP/MySQL is so extremely popular that its userbase constantly tests and reports security issues. Like with Windows, when vulnerabilities are found, patches are released. The makers of PHP/MySQL are very open about security issues. That doesn't mean they have more security issues than other systems. It just means they publicize them. And they aren't so bad. The makers of PHP/MySQL are very diligent in analyzing and testing things, as is a lot of their vast userbase.
Like Windows and any other major system, PHP/MySQL will always have security holes discovered, and security issues undiscovered.
However, unlike Windows, the potential impact of, and seriousness of PHP/MySQL problems will be minimal.
If you hack a PHP form or a database, so what? Ours have no secrets of value. All our information is open. About all they could possibly get is our passwords to this forum, but that is not easy and I don't know anyone who has done this. And with these passwords, what would they do? Not much.
Your own notebook PC connected to the internet is a bigger risk. Every web browser and operating system has vulnerabilities. This is why we have antivirus and firewall software. The firewall usually has different level options. Most people don't have it at the highest level due to the benefit/risk ratio of a lower level. Look at your PC's default firewall level. Probably at medium to low.
I have run PHP/MySQL websites for years and never had a successful hack to the best of my knowledge by means of PHP/MySQL. I get many hack attempts daily to my server, but few bother to try to hack my PHP forms, none successfully thus far. Even if they did hack something successfully, I have offsite backups over time and keep an offline journal.
In the worst case scenario, I could reformat the hard disk and restore a backup.
Most of the time, they want to try to steal passwords or other information. We have no valuable information on PERMANENT.
However, the benefits of PHP/MySQL are great. Many kinds of information are best stored in databases. Then it can be displayed in various ways. A database with a programming front end is often the most time efficient and flexible method in "Information Technology" to store and manage information.
What is a good alternative to PHP/MySQL?
Every alternative has security issues. No significant piece of software has no security issues.
Take out PHP/MySQL, and you still have possible security issues with the Windows or Linux server, the Apache web server, the email server, and so on. Very unlikely but possible.
Throw out PHP and manually editing HTML files is not an option. As a website grows, making global changes in an HTML website is very difficult and prone to serious mistakes, editing 200+ files. Especially as a website grows and gets different kinds of sections. PHP/MySQL is very flexible and efficient. Change a line or two, and you change 200+ output files.
I use PHP/MySQL instead of its competitors because it is the most popular and thereby has a potentially large pool of programmers we can use. (Wish one would pop in here and offer to help out.) Also, PHP/MySQL is so well established that it is unlikely to go obsolete in the distant future. The old PERMANENT publications database with over 500 entries was created in Lotus Notes format in the mid-1990s, but where can you find Notes servers or volunteers or Notes mates rates these days ... much less in the future.
PHP/MySQL is the #1 most popular website programming system (maybe after flat HTML). It runs on Windows and practically all versions of Linux, plus additional operating systems.
Even many HTML websites actually have a PHP/MySQL back office. The difference is that the back office exports .html files which are uploaded or displayed, rather than .php files. So you don't see the .php or MySQL, you see only the .html, but the information is stored in its native format in a MySQL database and the .html files are just the export of a PHP back office.
For my own businesses, I hired PHP/MySQL programmers. From looking at their code, I have figured out how to tweak things, simply because it's quicker for me to do some things myself than the time required to instruct the programmer/designer. However, if it would take me much time, then I write up the specs, maybe create a Photoshop image to illustrate what I want, and pass that on to the programmer.
Last weekend, I taught myself the beginnings of the fundamentals of PHP/MySQL. I have no intentions of becoming a PHP/MySQL programmer, since just creating a decent script takes a few days of time which a CEO like me simply does not have due to so many other responsibilities. Creating a whole website or major application could take weeks of focused time.
Of course, the CEO shouldn't be doing the programming in the trenches!
However, *from a longterm viewpoint*, I think it will probably save me some time to understand the structure, built in commands, and some other things simply because it takes me time to instruct programmers / designers whereby some things I can do myself in less time than what's required to instruct someone else. Also, it helps me assess and manage others' work. PHP/MySQL is really simple and fun.
I just don't have the time for it, and doing things myself which other people can do just goes against my philosophy. There are too many things in the world which need to be done, which nobody else in the world will do, and which I can do. I have a big sign in my office which says "If someone else can do it, then don't ask Mark." I have more things to do for this world, which nobody else is doing or will do (and usually can't do) than I have time for.
Unfortunately, that includes some things to do which require a database and front end.
If I could find a good "designer" who can program, then I would be relieved of many such micromanagement tasks. I would be happy to find that I wasted my time last weekend learning PHP/MySQL myself.
Good design seems to be something lacking. I can always tell a programmer to create a documents database so users can add documents. The programmer won't know what fields and options to include. That's part of conceptual design. Also, even with all the right features, that doesn't mean novices can figure out how to use it. Again, that's design.
Usually, the problem is because the programmer really *doesn't care*, they just say "What next, boss?" and do the *minimum* they think for their work to pass, they get paid, and the boss doesn't get angry.
I have watched enough programmers (many with university degrees in computer science) programming with typical carelessness. They think I don't know anything about programming so that they can slip it past me. I don't mind mistakes and oversights, especially by people who are learning or trying, with good intent. However, I have to hire programmers for commercial tasks, too, who I pay, and the carelessness is sometimes staggering. A crashed business website is serious. (Better to learn on PERMANENT.)
So much of our information must be stored in databases! Nobody has stepped up AND followed thru in the PHP/MySQL realm (except Brett Corbin who I cannot find now), and I don't want to wait any longer.
As long as I, or we, can get data into a database, then someone can step in later to help us manage and present it in a secure way.
Last weekend, I created my first MySQL database and my first PHP front end form, for a particular application I will present later. Works great and I use it on my notebook PC to add data to my database, and to search and pull it out, but I will need to pretty it up and add in a few standard security routines before I put it onto the PERMANENT website where anybody can use it. (I installed all the necessary web hosting modules onto my notebook PC before any of this could happen.)
Anyway, if not PHP/MySQL, then what is the solution, and why is it better overall, after considering all the plusses and minuses?
jsteele235
04-17-2010, 05:52 PM
The vast majority of security risks are due to the programmer not following good programming practices, not because of any inherent vulnerability of the language. Millions of websites use PHP/MySQL without getting hacked. The biggest single thing to keep in mind is that ALL user input returned to the server MUST be checked/filtered by the code. Strings longer than some maximum length must be rejected or truncated. Special characters must be stripped out, or the string simply rejected.
My personal experience with PHP is pretty limited, even though I've got a B.S. in Computer Information Systems, as well as A+, Security+, and Network+ certifications. I do consider myself a pretty good database designer, including MySQL.
I plan on being around on this forum for a while (at least until someone REALLY pisses me off), but have doubts about whether I would be able to make the time commitment for what you need. I would be happy to provide you with limited free advice and guidance at times, for what it's worth.
If you want to get into maintaining things yourself, I strongly recommend that you get a copy of PHP & MySQL by Example (http://www.amazon.com/PHP-MySQL-Example-Ellie-Quigley/dp/0131875086/ref=sr_1_1?ie=UTF8&s=books&qid=1271522295&sr=8-1) by Ellie Quigley and Marko Gargenta
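The input-handling advice above (check every field, cap its length, deal with special characters), and the "standard security routines" Mark says his form needs before it goes on the website, worked through as an added example. This is not code from the thread or from PERMANENT; it goes a step beyond stripping characters by binding user values as prepared-statement parameters and escaping them on output, so they never become SQL or HTML. It uses PDO against an in-memory SQLite database so it runs stand-alone (the same PDO calls work against MySQL); the function names, table, and the sample inputs are all made up for the example.

```php
<?php
// Added example, not code from the thread: validate a form field, store it with a
// prepared statement, and escape it on output. PDO + SQLite in memory so it runs
// without a server; swap the DSN for MySQL in production.
declare(strict_types=1);

const MAX_TITLE_LEN = 120;

/**
 * Check one user-supplied field (hypothetical helper). Returns the trimmed value,
 * or null if it is not a string, is empty or too long, or contains control
 * characters. Rejecting is safer than silently stripping: the user sees the error.
 */
function validate_title(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > MAX_TITLE_LEN) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {   // tabs, newlines, NUL, DEL
        return null;
    }
    return $value;
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    return $db;
}

/** Insert with a bound parameter: the value is data, never part of the SQL text. */
function add_document(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO documents (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
    return (int) $db->lastInsertId();
}

/** Search by substring; LIKE wildcards in the needle are escaped so they match literally. */
function find_documents(PDO $db, string $needle): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $needle);
    $stmt = $db->prepare(
        "SELECT id, title FROM documents WHERE title LIKE :pat ESCAPE '\\' ORDER BY id"
    );
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo with constructed inputs (not real submissions) ---
$db = open_db();
$inputs = [
    'Lunar regolith processing',
    "Robert'); DROP TABLE documents;--",   // stored harmlessly as plain text
    str_repeat('A', 500),                  // too long: rejected
    "line1\nline2",                        // control character: rejected
];

foreach ($inputs as $raw) {
    $title = validate_title($raw);
    if ($title === null) {
        echo 'rejected: ' . htmlspecialchars(substr($raw, 0, 30), ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    echo 'stored #' . add_document($db, $title) . "\n";
}

// Escape at the point of output, so stored text cannot turn into markup in the page.
foreach (find_documents($db, 'regolith') as $row) {
    echo '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
// The table still exists: the "DROP TABLE" string went in as an ordinary title.
echo 'rows: ' . $db->query('SELECT COUNT(*) FROM documents')->fetchColumn() . "\n";
```

The two halves of the pattern are independent: validation decides what is acceptable for the application (length, character set), while the prepared statement and htmlspecialchars() make the database and the browser treat whatever got through as data rather than code. Doing only the first, as the post suggests, leaves the outcome depending on which characters the programmer remembered to strip.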
Jeff Motheral
02-13-2011, 03:46 PM
You may be able to find someone in the Philippines on this website (http://bestjobs.ph). Filipino programmers and web designers tend to have very good ethics and work hard for their wages.
Sam Fraser
09-18-2011, 05:23 AM
We have now hired a permanent, full-time PHP/MySQL programmer in Thailand, who can also do AJAX and other cool stuff. First project will be to incorporate the existing content into a Content Management System or CMS. This will make updating content, adding new pages, expanding the website etc. much easier and faster in future. Right now, the website comprises manually created and edited HTML files I did a decade ago, which are tedious to edit. Suggestions on small quick tweaks, additions, improvements we can make in the meantime are most welcome. Just PM me.