
Is it just me or is there a total lack of input validation? mysql_real_escape_string isn't going to protect you from code injection...



I don't think the point of this article was to be a copy and paste twitter alternative, it's more to show that it's possible to do it (at least that's what I got out of it).

There's also no hashing/salting of user passwords or anything. Even with some minor coding experience you should be able to pick this out.
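As an added illustration of the hashing/salting point (this is example code, not code from the article under discussion), the following PHP compares an unsalted md5 store with password_hash(), which generates a random per-user salt and embeds it in the returned string. Any user table layout is assumed; nothing here depends on the article's schema.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or the comments above.
// Shows why an unsalted hash is little better than plaintext and how
// password_hash()/password_verify() handle salting for you.

// What a table without salting looks like: one fast hash, no salt, so two
// users with the same password share one stored value and a leaked table
// can be attacked with a precomputed lookup.
function storePasswordUnsalted(string $password): string
{
    return md5($password);
}

// bcrypt with a random 128-bit salt generated by password_hash() and
// stored inside the hash string itself, so no separate salt column is needed.
// Cost 12 is a reasonable default; raise it as hardware gets faster.
function storePasswordSalted(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// password_verify() reads the salt and cost back out of the stored string
// and compares in constant time.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Rehash on a successful login when the stored hash uses an older cost or
// algorithm, so the table upgrades itself over time without a migration.
function rehashIfStale(string $password, string $storedHash): string
{
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => 12])) {
        return storePasswordSalted($password);
    }
    return $storedHash;
}

// Constructed sample: two users who happen to pick the same password.
$secret = 'correct horse battery staple';

$unsaltedA = storePasswordUnsalted($secret);
$unsaltedB = storePasswordUnsalted($secret);
printf("unsalted hashes identical: %s\n", var_export($unsaltedA === $unsaltedB, true));

$saltedA = storePasswordSalted($secret);
$saltedB = storePasswordSalted($secret);
printf("salted hashes identical:   %s\n", var_export($saltedA === $saltedB, true));
printf("stored form: %s\n", $saltedA); // $2y$12$<22-char salt><31-char hash>

printf("correct password verifies:   %s\n", var_export(checkPassword($secret, $saltedA), true));
printf("wrong password verifies:     %s\n", var_export(checkPassword('Correct horse battery staple', $saltedA), true));

// A legacy cost-10 hash gets replaced on the next good login.
$legacy = password_hash($secret, PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = rehashIfStale($secret, $legacy);
printf("legacy hash replaced: %s\n", var_export($upgraded !== $legacy, true));
```

The md5 branch is there only to show the contrast; bcrypt silently truncates input at 72 bytes, so pick argon2id (PASSWORD_ARGON2ID) where the build supports it if that matters for your users.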


I get that, but when I'm not browsing Hacker News I keep company with hundreds of teens who take code like this and implement it in their own sites, or edit it a bit and redistribute it. I think that by releasing code of this standard without specifically stating that it is not ideal for actual public use, you put these teens' sites at risk - perhaps without even realising it.


I don't think all code should have to come with a warning label.

I'm 17 years old, falling into your teen category, and there is no way I would ever run that code in a production environment - just by looking at it I can tell it's unfit.


You use Hacker News, you don't fall into my teen category. :) (That's a compliment.)

Have a look at some of the sites here if you have time: rev.iew.me/users & you'll see what I mean.

For the record, I agree, code shouldn't have to come with a warning label; but I have seen many a site taken down by similarly bad code. I do my very best to help these youngsters where I can, because I was in their position once too. (Hence why I am here, to learn more and be able to offer more help to those who don't know so much.)


In your experience (pigeon holed as a teen), do you see your technical discrimination as the exception or the rule?


In my experience (still a teen...) it's the rule until proven otherwise. I mean just by being a teen many people assume you have some level of technical knowledge, but it doesn't go beyond helping people with setting up their computers and phones...anything like programming is like an "oh, really?" to a "oh, wow [you can actually do it]!" thing.

Well, to be specific, that was the case for me from 13 to 16, then I started prefacing that with "I'm majoring in computer science" and then the discrimination started to go away.


It's not just you. They don't use htmlentities at all.


htmlentities() might help to protect you from SQL injection, but it won't do a damn thing against XSS attacks.


I'll admit that I'm no PHP expert, but I was under the impression that htmlentities prevented XSS by converting all special html characters to their equivalent html entity.

If htmlentities() works properly, and it is used properly, shouldn't it prevent XSS since an attacker who inputs something like <script>alert("xss")</script> would simply see the message displayed back to them instead of the browser actually executing it?


Hmm, yeah you're right. I'm not sure what I was thinking of.


mysql_real_escape_string() _will_ protect you from code injection.

- http://php.net/mysql_real_escape_string "Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks."

- http://www.php.net/manual/en/security.database.sql-injection...

- http://www.metatitan.com/php/16/protecting-your-phpmysql-que...

- http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection


CODE injection and SQL injection are two different things. I am talking about injecting malicious JavaScript etc - XSS attacks primarily.
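The two threads above (htmlentities() stopping XSS, and mysql_real_escape_string() stopping SQL injection but not XSS) are easiest to see side by side. The PHP below is an added example, not code from the article or from any commenter. It uses an in-memory SQLite database through PDO so it runs offline; the posts table and its columns are invented for illustration. mysql_real_escape_string() needs a live MySQL connection, so the sqlEscape() function stands in for it here: like the real function it escapes the quote character that would end a SQL string literal, adds no quotes of its own, and does nothing to HTML.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or the comments above.
// Assumes the pdo_sqlite extension; table name and columns are made up.

// Stand-in for mysql_real_escape_string(): SQLite escapes a quote by
// doubling it where MySQL uses a backslash. The output is still raw text.
function sqlEscape(string $value): string
{
    return str_replace("'", "''", $value);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed seed data: one ordinary post and one carrying the payload
// from the thread, inserted with a prepared statement so the SQL layer
// never interprets the body as code.
$insert = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
$insert->execute([':author' => 'alice',   ':body' => 'hello world']);
$insert->execute([':author' => 'mallory', ':body' => '<script>alert("xss")</script>']);

// --- SQL injection ----------------------------------------------------------

// No escaping: a quote in the input ends the literal and the rest is SQL.
function postsByAuthorRaw(PDO $pdo, string $author): array
{
    return $pdo->query("SELECT body FROM posts WHERE author = '$author'")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped AND quoted: the input cannot leave the literal. This is the case
// the php.net note is about.
function postsByAuthorEscaped(PDO $pdo, string $author): array
{
    $safe = sqlEscape($author);
    return $pdo->query("SELECT body FROM posts WHERE author = '$safe'")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped but NOT quoted: "1 OR 1=1" contains no quote, so escaping changes
// nothing and the condition is still injected. Escaping only helps inside
// a quoted literal; prepared statements have no such trap.
function postByIdEscapedUnquoted(PDO $pdo, string $id): array
{
    $safe = sqlEscape($id);
    return $pdo->query("SELECT body FROM posts WHERE id = $safe")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value is bound separately from the SQL text.
function postsByAuthorPrepared(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$tautology = "nobody' OR '1'='1";
printf("raw, tautology:        %d rows\n", count(postsByAuthorRaw($pdo, $tautology)));
printf("escaped, tautology:    %d rows\n", count(postsByAuthorEscaped($pdo, $tautology)));
printf("prepared, tautology:   %d rows\n", count(postsByAuthorPrepared($pdo, $tautology)));
printf("escaped, unquoted id:  %d rows\n", count(postByIdEscapedUnquoted($pdo, '1 OR 1=1')));

// --- XSS --------------------------------------------------------------------

// SQL escaping does not touch angle brackets: the <script> tag survives.
printf("after sqlEscape: %s\n", sqlEscape('<script>alert("xss")</script>'));

// Output encoding is what stops the browser reading the body as markup.
// ENT_QUOTES encodes both quote styles, so the result is also safe inside a
// quoted attribute. It is NOT enough for a value dropped into a <script>
// block or an unquoted attribute; those contexts need their own encoders.
function renderRaw(string $body): string
{
    return "<p>$body</p>";
}

function renderEncoded(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

foreach (postsByAuthorPrepared($pdo, 'mallory') as $body) {
    echo renderRaw($body), "\n";     // browser would run the script
    echo renderEncoded($body), "\n"; // browser shows the text as typed
}
```

Run it with `php example.php`. The tautology returns every post only from the raw query, the unquoted-id query shows the case escaping cannot cover, and the last two lines show the same stored body rendered unsafely and safely. The practical rule the thread is circling: parameterise queries for the database, encode at output time for the browser, and treat the two as unrelated steps.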



