PHP-guru estimation??

  • Gabriel

    PHP-guru estimation??

    Hello everyone.

    If you were to code a secure membership system in PHP using MySQL with
    the following features:
    * a signup function where the user gets an email with a random
    password
    * passwords stored encrypted in database
    * login-system
    * password recovery tools
    * a system for secure-cookies
    * each player can change his own data and see other members' game
    stats
    * the system is supposed to handle real money for every user that the
    user can bet in different board games. Which means that security is a
    BIG issue.
    * a "side-system" for the administrators of the site to use when they
    need to add money to a user's account (money that the user has paid
    through a VISA transaction).

    How long would you estimate that it would take? If possible I would
    also like you to rate your own PHP, MySQL skills from 1-10.
    1=what is PHP?
    5=I know my way around PHP and MySQL pretty good
    10= PHP-MySQL-guru. There is nothing I do not know

    I am aware of the fact that this question is a bit strange, but my
    employer has asked me this question and my experience with PHP and
    MySQL is about a year old, but I've been programming other things in
    C++ and Java for a couple of years and my knowledge about security is
    average. He gave me 10 weeks to finish this project. Is this possible?

    Thanks in advance
    Gabriel
  • ChronoFish

    #2
    Re: PHP-guru estimation??


    "Gabriel" <en_hemlig_person@hotmail.com> wrote in message news:c1f1e7b.0401070936.767bec49@posting.google.com...
    > Hello everyone.
    >
    > If you were to code a secure membership system in PHP using MySQL with
    > the following features:
    > * a signup function where the user gets an email with a random
    > password
    > * passwords stored encrypted in database
    > * login-system
    > * password recovery tools
    > * a system for secure-cookies
    > * each player can change his own data and see other members' game
    > stats
    > * the system is supposed to handle real money for every user that the
    > user can bet in different board games. Which means that security is a
    > BIG issue.
    > * a "side-system" for the administrators of the site to use when they
    > need to add money to a user's account (money that the user has paid
    > through a VISA transaction).
    >
    > How long would you estimate that it would take? If possible I would
    > also like you to rate your own PHP, MySQL skills from 1-10.
    > 1=what is PHP?
    > 5=I know my way around PHP and MySQL pretty good
    > 10= PHP-MySQL-guru. There is nothing I do not know
    >
    > I am aware of the fact that this question is a bit strange, but my
    > employer has asked me this question and my experience with PHP and
    > MySQL is about a year old, but I've been programming other things in
    > C++ and Java for a couple of years and my knowledge about security is
    > average. He gave me 10 weeks to finish this project. Is this possible?
    >
    > Thanks in advance
    > Gabriel


    I've been doing quite a bit of PHP coding lately - but I still rely on PHP.net and occasionally the news-groups. There is no way
    that I or anyone else can tell you if it's possible for YOU to finish this project in 10 weeks.

    Aside from the security issues for money handling, the interface as you described it could be implemented in a short period of time.
    Developers who have implemented login mechanisms/password recovery in PHP for three or more web sites could probably have that
    portion of the site done in just a few days with code-reuse.

    I think the security issues here are beyond PHP. Not that PHP can't handle them - it can - but there are other security concerns
    outside of the user/database interface that would need to be addressed. For instance PHP can't help you if your system leaves
    telnet available to the outside.

    Making the content look pretty is a whole different issue, and can take endless amount of time. But you didn't say much about that.

    For what you did say I think 10 weeks (400 hours) is adequate.

    -CF



    • Justin Koivisto

      #3
      Re: PHP-guru estimation??

      Gabriel wrote:
      > Hello everyone.
      >
      > If you were to code a secure membership system in PHP using MySQL with
      > the following features:
      > * a signup function where the user gets an email with a random
      > password
      > * passwords stored encrypted in database
      > * login-system
      > * password recovery tools
      > * a system for secure-cookies
      > * each player can change his own data and see other members' game
      > stats

      Up to this point, I would estimate approx. 3 hrs - programming and
      testing only, but I already have done this before and have existing
      frameworks in place.

      > * the system is supposed to handle real money for every user that the
      > user can bet in different board games. Which means that security is a
      > BIG issue.

      Depends on the implementation... I would NOT store credit card info in
      the database, but the amount the user currently has is ok.

      > * a "side-system" for the administrators of the site to use when they
      > need to add money to a user's account (money that the user has paid
      > through a VISA transaction).

      Simple form field that updates the user's balance.

      This brings up the total to approx 4 hrs, but that isn't including all
      the design, betting and game stuff that you'd also need to do...

      > How long would you estimate that it would take? If possible I would
      > also like you to rate your own PHP, MySQL skills from 1-10.
      > 1=what is PHP?
      > 5=I know my way around PHP and MySQL pretty good
      > 10= PHP-MySQL-guru. There is nothing I do not know

      7

      > I am aware of the fact that this question is a bit strange, but my
      > employer has asked me this question and my experience with PHP and
      > MySQL is about a year old, but I've been programming other things in
      > C++ and Java for a couple of years and my knowledge about security is
      > average. He gave me 10 weeks to finish this project. Is this possible?

      10 weeks sounds like a good timeline to me, even with a couple other
      projects going on at the same time.

      --
      Justin Koivisto - spam@koivi.com
      PHP POSTERS: Please use comp.lang.php for PHP related questions,
      alt.php* groups are not recommended.


      • Agelmar

        #4
        Re: PHP-guru estimation??

        Gabriel wrote:
        > Hello everyone.
        >
        > If you were to code a secure membership system in PHP using MySQL with
        > the following features:
        > * a signup function where the user gets an email with a random
        > password
        > * passwords stored encrypted in database
        > * login-system
        > * password recovery tools
        > * a system for secure-cookies
        > * each player can change his own data and see other members' game
        > stats
        > * the system is supposed to handle real money for every user that the
        > user can bet in different board games. Which means that security is a
        > BIG issue.
        > * a "side-system" for the administrators of the site to use when they
        > need to add money to a user's account (money that the user has paid
        > through a VISA transaction).
        >
        > How long would you estimate that it would take? If possible I would
        > also like you to rate your own PHP, MySQL skills from 1-10.
        > 1=what is PHP?
        > 5=I know my way around PHP and MySQL pretty good
        > 10= PHP-MySQL-guru. There is nothing I do not know
        >
        > I am aware of the fact that this question is a bit strange, but my
        > employer has asked me this question and my experience with PHP and
        > MySQL is about a year old, but I've been programming other things in
        > C++ and Java for a couple of years and my knowledge about security is
        > average. He gave me 10 weeks to finish this project. Is this possible?
        >
        > Thanks in advance
        > Gabriel

        10 weeks? Shoot, if that's your job and you're devoting 40hrs/wk (or more)
        to it, you should be able to do it in ten days and not break a sweat. (and
        btw, I would rate myself at 10 in all categories.)



        • Chung Leong

          #5
          Re: PHP-guru estimation??

          Building the system you described is easy. I would put coding time at around
          a week, and another week for setting up the server. The tough thing is
          proving that the system works correctly. In order to perform proper and
          thorough QA testing on the site, you'd need complete functional specs and
          complete technical specs. From these you develop test cases covering all
          possible scenarios. And then you need to analyse the system to see how it
          can withstand different types of attacks. Finally, internal policy has to be
          developed controlling who has access to the database, encryption keys, SSL
          certificates and so forth.

          If you're the only member of your development team, there's no way you can
          do all that in 10 weeks.

          "Gabriel" <en_hemlig_person@hotmail.com> wrote in message
          news:c1f1e7b.0401070936.767bec49@posting.google.com...
          > Hello everyone.
          >
          > If you were to code a secure membership system in PHP using MySQL with
          > the following features:
          > * a signup function where the user gets an email with a random
          > password
          > * passwords stored encrypted in database
          > * login-system
          > * password recovery tools
          > * a system for secure-cookies
          > * each player can change his own data and see other members' game
          > stats
          > * the system is supposed to handle real money for every user that the
          > user can bet in different board games. Which means that security is a
          > BIG issue.
          > * a "side-system" for the administrators of the site to use when they
          > need to add money to a user's account (money that the user has paid
          > through a VISA transaction).
          >
          > How long would you estimate that it would take? If possible I would
          > also like you to rate your own PHP, MySQL skills from 1-10.
          > 1=what is PHP?
          > 5=I know my way around PHP and MySQL pretty good
          > 10= PHP-MySQL-guru. There is nothing I do not know
          >
          > I am aware of the fact that this question is a bit strange, but my
          > employer has asked me this question and my experience with PHP and
          > MySQL is about a year old, but I've been programming other things in
          > C++ and Java for a couple of years and my knowledge about security is
          > average. He gave me 10 weeks to finish this project. Is this possible?
          >
          > Thanks in advance
          > Gabriel



          • Agelmar

            #6
            Re: PHP-guru estimation??

            Chung Leong wrote:
            > Building the system you described is easy. I would put coding time at
            > around a week, and another week for setting up the server. The tough
            > thing is proving that the system works correctly. In order to perform
            > proper and thorough QA testing on the site, you'd need complete
            > functional specs and complete technical specs. From these you
            > develop test cases covering all possible scenarios. And then you need
            > to analyse the system to see how it can withstand different types of
            > attacks. Finally, internal policy has to be developed controlling who
            > has access to the database, encryption keys, SSL certificates and so
            > forth.
            >
            > If you're the only member of your development team, there's no way
            > you can do all that in 10 weeks.

            10 weeks is extremely generous. Personally, my opinion is that if you're
            going to do attack testing, sure - do a bit yourself, but get an external
            person / group to try and hack the system. You don't have a fresh
            perspective, they do. As for everything else, this really is not that
            complicated, and should be doable within a two week period. Anyone
            saying >10wk is either a really poor coder, has time management issues,
            lies to their employer about how long their work takes, or some
            combination of those three.



            • Chung Leong

              #7
              Re: PHP-guru estimation??

              For a time I was working as a QA analyst. We used to say that QA is about
              checking for compliance, not correctness. Without detailed documentation you
              really can't test anything. Say you hire this external person to test your
              site. How do you know he/she did anything? As the result that pleases is no
              results, you'll end up with just that.

              "Agelmar" <ifetteNOSPAM@comcast.net> wrote in message
              news:btjkpk$7kmpc$1@ID-30799.news.uni-berlin.de...

              > 10 weeks is extremely generous. Personally, my opinion is that if you're
              > going to do attack testing, sure - do a bit yourself, but get an external
              > person / group to try and hack the system. You don't have a fresh
              > perspective, they do. As for everything else, this really is not that
              > complicated, and should be doable within a two week period. Anyone saying
              > >10wk is either a really poor coder, has time management issues, lies to
              > their employer about how long their work takes, or some combination of
              > those three.



              • Al Kolff

                #8
                Re: PHP-guru estimation??

                "Gabriel" <en_hemlig_person@hotmail.com> wrote in message
                news:c1f1e7b.0401070936.767bec49@posting.google.com...
                > Hello everyone.
                >
                > If you were to code a secure membership system in PHP using MySQL with
                > the following features:
                > * a signup function where the user gets an email with a random
                > password
                > * passwords stored encrypted in database
                > * login-system
                > * password recovery tools
                > * a system for secure-cookies
                > * each player can change his own data and see other members' game
                > stats
                > * the system is supposed to handle real money for every user that the
                > user can bet in different board games. Which means that security is a
                > BIG issue.
                > * a "side-system" for the administrators of the site to use when they
                > need to add money to a user's account (money that the user has paid
                > through a VISA transaction).
                >
                > How long would you estimate that it would take? If possible I would
                > also like you to rate your own PHP, MySQL skills from 1-10.
                > 1=what is PHP?
                > 5=I know my way around PHP and MySQL pretty good
                > 10= PHP-MySQL-guru. There is nothing I do not know
                >
                > I am aware of the fact that this question is a bit strange, but my
                > employer has asked me this question and my experience with PHP and
                > MySQL is about a year old, but I've been programming other things in
                > C++ and Java for a couple of years and my knowledge about security is
                > average. He gave me 10 weeks to finish this project. Is this possible?
                >
                > Thanks in advance
                > Gabriel

                Rating: PHP 4, MySQL 5, project planning 9

                This project should be able to be at the 90% stage in under 40 hours time
                using unique code and combining it with available code.

                It would work and do what you want, but it may or may not be secure or
                pretty.

                The reason I used 90% was the 90/10 rule that has seemed to dog me since I
                started programming back in 1966. That is the first 90% of any software
                project seems to take 10% of the time and the last 10% takes 90% of the
                time.

                The only way to beat this that I have found is to take the first 5 to 7% of
                the projected time and not start on the project but use it to develop a very
                detailed plan and very specific specifications. Then I seem to only spend
                about 70 of the total projected time completing the entire project.

                --
                God Bless you,
                Al Kolff

                "There is a God we want, and there is a God who is. They are not the same
                God. The turning point of our lives is when we stop seeking the God we want
                and start seeking the God who is."
                Patrick Morley
                Seven Seasons of the Man in the Mirror
                p184



                • Geoff Berrow

                  #9
                  Re: PHP-guru estimation??

                  I noticed that Message-ID:
                  <c1f1e7b.0401070936.767bec49@posting.google.com> from Gabriel contained
                  the following:

                  >If you were to code a secure membership system in PHP using MySQL with
                  >the following features:
                  >* a signup function where the user gets an email with a random
                  >password
                  >* passwords stored encrypted in database
                  >* login-system
                  >* password recovery tools

                  I thought the idea of an encrypted password was that no one, other than
                  the user, would know what it is?

                  Or do you mean the things that ask a security question and then allocate
                  a new random password?

                  --
                  Geoff Berrow (put thecat out to email)
                  It's only Usenet, no one dies.
                  My opinions, not the committee's, mine.
                  Simple RFDs http://www.ckdog.co.uk/rfdmaker/
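
The question in the last post, how "encrypted" passwords and "password recovery" fit together, comes down to storing a one-way hash and letting recovery mean a reset. The PHP below is an added example, not code from anyone in this thread. The in-memory `$users` array (standing in for the MySQL table), the function names, the addresses and the 15-minute token lifetime are all assumptions, and it needs PHP 7.1 or later, which postdates the thread.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the MySQL users table (assumption).
$users = [];

function register(array &$users, string $email, string $password): void
{
    // One-way hash: the plaintext is never stored and cannot be read back.
    $users[$email] = [
        'pw_hash'       => password_hash($password, PASSWORD_DEFAULT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ];
}

function login(array $users, string $email, string $password): bool
{
    return isset($users[$email])
        && password_verify($password, $users[$email]['pw_hash']);
}

// Returns the token to e-mail to the user, or null for an unknown address.
function startReset(array &$users, string $email, int $now): ?string
{
    if (!isset($users[$email])) {
        return null; // the page shown to the requester should not reveal this
    }
    $token = bin2hex(random_bytes(32));
    // Only a hash of the token is kept, so a database leak yields no usable tokens.
    $users[$email]['reset_hash']    = hash('sha256', $token);
    $users[$email]['reset_expires'] = $now + 900; // 15 minutes, an assumed lifetime
    return $token;
}

function finishReset(array &$users, string $email, string $token, string $newPassword, int $now): bool
{
    $row = $users[$email] ?? null;
    if ($row === null || $row['reset_hash'] === null || $now > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$email]['pw_hash']       = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_hash']    = null; // single use
    $users[$email]['reset_expires'] = 0;
    return true;
}

// Constructed walk-through: wrong token, valid reset, old and new login, token reuse.
$now = time();
register($users, 'player@example.test', 'first-password');
$token = startReset($users, 'player@example.test', $now);
var_dump(finishReset($users, 'player@example.test', 'wrong-token', 'x', $now));
var_dump(finishReset($users, 'player@example.test', $token, 'second-password', $now));
var_dump(login($users, 'player@example.test', 'first-password'));
var_dump(login($users, 'player@example.test', 'second-password'));
var_dump(finishReset($users, 'player@example.test', $token, 'third-password', $now));
```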
