When credit card numbers and similar data are stolen on the Internet, it is almost always done by hacking a server that holds a database, not by intercepting packets as they travel across the Internet.
SSL requires a separate authentication scheme. Each SSL site has an encryption key and a so-called "certificate" issued by a trusted authority, e.g. the company Verisign. The problem is that, through faulty configuration or programming, certificates may expire or otherwise be invalid. Then the browser asks the user to accept some new certificate, which the user usually does without knowing whether it is genuine or not. This happened to me at the weekend on the H&R Block Taxcut purchase web site.
In general, the weakest aspects of security are human and social.
The Homeworth site has some basic user interface problems:
- There are too many pages: first you must enter the zip code, then you must enter the address on the next page.
- "Back" doesn't work well. "Print" doesn't work at all.
- The "Edit" page gives
  Sorry... A system failure has occurred in application
  HOMEWORTH Error code: 100099
Usually graphic design is only a small aspect of user interface.
The Homeworth front page is 40K bytes, much bigger than necessary.
Single quote ' and double quote " are slightly different in strings. PHP can use both. HTML uses ".
// and # give an end-of-line comment. /* and */ give a multi-line comment. HTML comments are written between <!-- and -->.
When a double-quoted string is printed, variable names are replaced by their values. This is called variable expansion. When a single-quoted string is printed, no expansion takes place: variable names and escape sequences such as \n are output exactly as written, and only a newline that appears literally in the source code produces a newline in the output.
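The following is an added example, not code from the original notes, showing the three comment styles and the difference between single- and double-quoted strings. The variable $user and the form field name are made up for the illustration.

```php
<?php
// Added example (not from the original notes): comments and quoting in PHP.
# Both // and # start a comment that runs to the end of the line.
/* A multi-line comment
   spans several lines. */

$user = "alice";   // constructed sample value

// Double quotes: $user is expanded and \n is turned into a newline.
print "Hello $user\n";

// Single quotes: nothing is expanded; the characters $user and \n are
// printed exactly as they appear in the source.
print 'Hello $user\n';

// A newline that is literally present in the source is printed in either
// kind of string.
print 'line one
line two';

// HTML attributes use double quotes, so a PHP single-quoted string is a
// convenient way to emit HTML without escaping every quote. The value is
// passed through htmlspecialchars() so that a user-supplied string cannot
// close the attribute and inject markup into the page.
print '<input name="user" type="text" value="' . htmlspecialchars($user) . '">';
?>
```

Run it from the command line with the php interpreter; the first two print statements make the expansion difference visible side by side.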
Integer zero, double zero, and the empty string are treated as the Boolean FALSE. Other values are TRUE.
Variables are declared, initialized, and have their types changed automatically as needed. When a string is used where a number is needed, the start of the string is parsed as a number (an integer if that part has integer form, otherwise a double) and the rest of the string is ignored.
The special functions isset(), is_int(), is_double(), is_string() are useful for handling input from humans. Note that each value submitted via an HTML form is always stored as a string in a PHP variable.
In the HTML form: <INPUT NAME="avail" TYPE="checkbox">Available immediately
In the PHP script, you might write $avail = isset($avail);
Now $avail is a Boolean, TRUE if the box was checked and FALSE otherwise (it prints as 1 or as the empty string).
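The script below is an added example, not part of the original notes. It assumes a form that posts the fields avail (a checkbox), qty and price, and reads them from $_POST rather than relying on register_globals; the sample request is constructed inline so the script runs offline. It also shows that the string "0", like integer 0 and the empty string, counts as FALSE, which is why a loose truth test cannot validate form input.

```php
<?php
// Added example (not from the original notes). Field names avail, qty and
// price are assumptions; the $_POST contents below stand in for a real
// HTTP request so the script can be run by hand.
$_POST = array('avail' => 'on', 'qty' => '12abc', 'price' => '0');

// A checkbox appears in $_POST only when it was ticked, so isset() yields
// a Boolean: TRUE here, FALSE if the key were absent.
$avail = isset($_POST['avail']);
var_dump($avail);

// Every submitted value is a string. Used in arithmetic, "12abc" is
// converted from its leading digits and the tail is ignored (newer PHP
// versions also emit a warning about the malformed number).
$qty = $_POST['qty'];
var_dump($qty + 0);

// The string "0" is treated as FALSE, so this test cannot distinguish
// "price was omitted" from "price is zero".
if (!$_POST['price']) {
    print "price missing or zero\n";
}

// Validate strictly before using a value in arithmetic or a query:
// ctype_digit() accepts only a non-empty string of decimal digits, so
// "12abc", "", "-1" and "1e3" are all rejected.
function valid_quantity($s) {
    return is_string($s) && ctype_digit($s) && (int)$s > 0;
}
var_dump(valid_quantity($_POST['qty']));   // rejected
var_dump(valid_quantity('12'));            // accepted
?>
```

The design point is to decide explicitly what shape each field must have and test for that shape, instead of letting automatic conversion decide what a malformed value means.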
The unary operator @ switches off error reporting while its operand is being executed. For example print @($x/$y) will not give an error message even if the value of $y is zero.
Because PHP has dozens and dozens of operators, it is easy for bugs to arise from precedence issues. The logical operators !, &&, || bind more tightly than the assignment operators =, +=, &=, etc.
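As an added example (not code from the original notes), the script below shows the two pitfalls just described together: @ hides a failure that the program must still check for, and the precedence difference between && and the lower-priority word operator and silently changes what gets assigned. The file path and the two Boolean flags are constructed for the illustration.

```php
<?php
// Added example (not from the original notes).

// 1. Suppressing the warning does not make the call succeed. The return
//    value is still FALSE and must be tested, otherwise the failure is
//    invisible. (The path is a constructed example.)
$config = @file_get_contents('/nonexistent/config.ini');
if ($config === false) {
    print "could not read configuration\n";
}

// Prefer an explicit check to @ for division: on PHP 8 dividing by zero
// throws DivisionByZeroError, which @ does not suppress at all.
function average($total, $count) {
    if ($count == 0) {
        return null;
    }
    return $total / $count;
}
var_dump(average(10, 0));
var_dump(average(10, 4));

// 2. Precedence. && binds more tightly than =, so this assigns the result
//    of the whole conjunction, as intended.
$valid_password = true;    // constructed flags
$account_active = false;
$authenticated = $valid_password && $account_active;
var_dump($authenticated);

// The word operator 'and' binds LESS tightly than =, so the next line is
// parsed as ($authenticated2 = $valid_password) and $account_active:
// $authenticated2 receives TRUE and the second condition is never stored.
$authenticated2 = $valid_password and $account_active;
var_dump($authenticated2);

// Parentheses remove the ambiguity whichever operator is used.
$authenticated3 = ($valid_password and $account_active);
var_dump($authenticated3);
?>
```

An access-control decision written with and instead of && is exactly the kind of bug that passes a casual reading and only shows up when a disabled account still gets in.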
Function arguments are untyped and call-by-value by default. Call-by-reference is indicated by &, for example
function raise(&$salary, $percent = 4) { ... }
but note that PHP does not have C-style pointers in general. A default value is indicated by an assignment.
Because variables are not declared, global and static variables must be indicated as such. Remember that static variables only live during one script execution.
All functions are global, even if syntactically they are nested.
A function can be assigned to a variable.
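The script below is an added example, not from the original notes, that fills in the raise() function sketched above and exercises each point in this part: reference versus value parameters, default values, global and static variables, a nested function becoming global, and calling a function through a variable. The salary figures and function names other than raise are made up.

```php
<?php
// Added example (not from the original notes).

// & makes $salary a reference: the caller's variable is modified in place.
// $percent has a default value of 4.
function raise(&$salary, $percent = 4) {
    $salary = $salary * (1 + $percent / 100);
}

$pay = 1000;          // constructed sample value
raise($pay);          // default percentage, $pay changed in place
raise($pay, 10);      // explicit percentage
var_dump($pay);

// Without &, the function works on a copy and must return the result.
function raise_copy($salary, $percent = 4) {
    return $salary * (1 + $percent / 100);
}
$new_pay = raise_copy($pay);
var_dump($pay, $new_pay);   // $pay itself is untouched

// A global variable is invisible inside a function until declared there.
$request_count = 0;
function count_request() {
    global $request_count;
    $request_count++;
}
count_request();
var_dump($request_count);

// A static variable keeps its value between calls, but only within this
// one script execution; the next HTTP request starts again from 0.
function next_id() {
    static $id = 0;
    return ++$id;
}
var_dump(next_id(), next_id());

// A function defined inside another becomes an ordinary global function
// once the outer one has run (running outer() twice would be a fatal
// redeclaration error).
function outer() {
    function inner() {
        return "inner";
    }
}
outer();
var_dump(inner());

// Variable functions: a string holding a function name can be called.
// The name must come from the program, never from request input, or a
// request could choose which function runs; is_callable() guards the call.
$action = 'raise';
if (is_callable($action)) {
    $action($pay, 5);
}
var_dump($pay);
?>
```

Modern PHP also offers anonymous functions (closures) for storing a function in a variable, but the string form shown here is the one the notes refer to.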