Chris Hartjes' Blog:
Protecting Your PHP Code
July 23, 2007 @ 07:55:00

In a new post to his blog, Chris Hartjes, spurred on by an article in the latest edition of php|architect magazine (covering protecting your code), has shared a few opinions starting with a certain paragraph near the end.

To start, I will focus on the paragraph above. What I get out of that is that if only your source was closed and hidden from prying eyes, it would not have bugs in it. Which is, of course, total nonsense. Code has bugs because it's open and they feel safer? There are two kinds of bugs: application bugs (which is the code I would write) and system bugs (in this case, bugs that appear from PHP itself). I'm sorry, but there is nothing I can do if there is a bug in PHP that causes my application to crash except to point this bug out to the people who have the ability to fix it.

He goes on to talk more about how protection like this (the article talks about using the IonCube Encoder) will not stop someone if they're really determined to get at the code underneath the encryption. His only suggestion is to make an application good enough that people wouldn't want to try to steal it as much and would rather pay for their version.

Encode your stuff if you want, but be aware that the minute you choose to do that you are telling your customers "I don't trust you" and I have a hard time understanding a business model that assumes people are going to want to steal the stuff you sell.



PHPHacks.com:
Security in PHP
September 11, 2006 @ 08:26:59

One can never be too secure when it comes to online applications. PHP has its problems, sometimes making it a bit too easy to write bad code that makes for insecure applications, but, thankfully, there are some simple steps that can be taken to greatly reduce these risks. This article from PHPHacks.com shares some of the easiest.

Their recommendations are:

  • Never, Ever, Trust Your Users
  • Using Global Variables Correctly
  • Handling Error Reporting
  • Preventing SQL Injection
  • Avoiding File Manipulation
  • Avoiding Using Defaults
  • Not Leaving Installation Files Online
  • Avoiding Predictability
Oh, and my personal favorite, which is funny at first glance but seriously true when you really think about it "Be Completely and Utterly Paranoid".



Tobias Schlitt's Blog:
Thoughts on trackback spam
February 07, 2006 @ 06:53:10

Related to his work on the Services_Trackback PEAR package, Tobias Schlitt looks in this new blog post at some of his more recent thoughts on trackback spam.

It's been a long while since I worked on my PEAR package Services_Trackback, mainly because I was much too busy with work and university. Nevertheless I made up my mind about how to solve the problem of the so-called trackback spam.

Taking for granted, that the idea should work, there are 2 main questions to answer: "How can a sender of a trackback be identified?" and "If and how must the trackback standard be changed to support the identification?" For question #1 there is a simple answer (IMHO): PGP/GPG (further on referred to as GPG, for simplicity).

He suggests that since there is already a "trust relationship" inherent in the system, a PGP/GPG setup might be the most flexible, easy-to-use, constantly adapting method for preventing one of the banes of bloggers' existences...





All content copyright, 2009 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework