PHP web site compromised
Posted Oct 28, 2013 13:41 UTC (Mon) by sorpigal (guest, #36106)
In reply to: PHP web site compromised by cabrilo
Parent article: PHP web site compromised
> Of course, most PHP coders aren't worth their salt, and out in the wild there is a lot of code where people simply never consider XSS or SQL injections or whatever else can come from the cruel world.
> But, how is that a problem of PHP?
It's a problem with PHP because PHP entices people who are not used to worrying about security and correctness to begin programming. Instead of easing them into concepts like these, most of the PHP world seems dedicated to misinforming them, or ignoring the problem entirely, leading to a situation where more and more bug-riddled code is produced.
The problems with PHP as a language are a few minor things mostly in the implementation, like not being noisy enough when bad things could happen (my favorite example: use of undeclared variables), but the problem with PHP culture is a systemic lack of interest in correctness. Most new PHP programmers will go to php.net and read the documentation, which happily documents use of built-in functions in unsafe ways, and then perhaps will copy/paste some of the snippets from the comments section, which are often naive or buggy. I can't blame the language directly for these things, but the culture surrounding the language is such that no one appears to think it's a problem and more and more new programmers learn the same bad practices every day.
If PHP is where a person learns programming, or learns web development, as appears to often be the case, he will spend months or years unlearning bad habits and learning how to produce good code... if he is dedicated enough to do so and doesn't just stop learning once he knows enough to be dangerous. It's a waste and a shame, and I blame PHP for the fast-and-loose attitude that allows bad practices to continue unchecked. Perhaps it's unfair of me.
Posted Oct 28, 2013 15:55 UTC (Mon)
by cabrilo (guest, #72372)
[Link] (1 responses)
Pure PHP looks like a ready-made solution for developing sites. It's not; it needs an MVC framework to make it functional, just like Python needs Django or Web2Py and Ruby needs Rails.
Posted Oct 28, 2013 16:13 UTC (Mon)
by Cyberax (✭ supporter ✭, #52523)
[Link]
Posted Oct 28, 2013 18:30 UTC (Mon)
by khim (subscriber, #9252)
[Link] (6 responses)
Why not? This is a language specifically created to write buggy code. It's the goal of said language, its raison d’être. It tries to do “the right thing”, but does it extremely sloppily, which means that all its magic quickly explodes in a novice's hands and it's really hard to write something robust. My new favorite example is PHP's ++ operator. It's bad enough that it works on strings. But when you'll try to understand just how it works on strings… Perl has a smartmatch operator which is so awful that the only thing about it that you actually need to know is “don't use it, period”. Unfortunately most (almost all) language constructs are as magical as Perl's smartmatch operator. And you can not avoid them! Your only hope is careful control over said magic and this is actually more tedious than in any other language. When you are doing something wrong you are not given errors or even warnings. Heck, most of the time your program actually works! Only when confronted with carefully prepared input does it break apart. The only two languages with such a property which I know are PHP and JavaScript. And I'm not even sure which one is worse: PHP is awful, sure, purely from a linguistic standpoint it's not even a contest, but… there is a very simple solution—just don't use it and you are golden. JavaScript is a distant second in this contest, but there is a problem: PHP's solution just does not work! Quite often you must deal with it and a substitute is not an option!
Posted Oct 28, 2013 20:20 UTC (Mon)
by mathstuf (subscriber, #69389)
[Link] (4 responses)
Posted Oct 29, 2013 23:51 UTC (Tue)
by nix (subscriber, #2304)
[Link] (3 responses)
;P
Posted Oct 30, 2013 7:47 UTC (Wed)
by micka (subscriber, #38720)
[Link] (2 responses)
Posted Oct 30, 2013 15:17 UTC (Wed)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
[1] Now that I think about it, would one author have to defer to another even if the savior isn't bound by license to the other? Would that count as criteria for "must save"?
Posted Oct 30, 2013 19:18 UTC (Wed)
by nix (subscriber, #2304)
[Link]
> I can't blame the language directly for these things.
<?php
$a = '2d9';
$a++;   // alphanumeric string: Perl-style increment with carry on the last character
$a++;   // the result of the first ++ is a numeric string, so PHP converts it to a number first
echo $a;
Can you even guess what will be the result? And it'll be the result?
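As an added illustration, not code from the thread, from PHP's documentation or from the PHP project: the script below (assumed to run on PHP 8.0 or later) applies khim's `++` to several string shapes, not just '2d9', and places next to it a counter helper that validates its input as a decimal integer before doing arithmetic, so a value that is not an integer is rejected instead of being silently reinterpreted. The function names `incrementLikePhp` and `incrementCounter` and the sample values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the LWN thread. Assumes PHP 8.0 or later.
// Function names and sample values are constructed for illustration.

// Apply PHP's ++ to a copy of $s and return whatever PHP turns it into.
// For a numeric string PHP converts to int/float first and then adds one;
// for an alphanumeric string it performs a Perl-style increment with carry
// on the last character ('Az' becomes 'Ba'). The type of the result is
// therefore decided by the data, not by the code.
function incrementLikePhp(string $s): string|int|float
{
    $copy = $s;
    $copy++;
    return $copy;
}

// Defensive alternative: accept only a plain decimal integer (as int or as
// a digit string that fits a 64-bit int) and do the arithmetic explicitly.
// Anything else raises an exception instead of being reinterpreted.
function incrementCounter(mixed $raw): int
{
    if (is_int($raw)) {
        return $raw + 1;
    }
    if (is_string($raw) && preg_match('/^(0|[1-9][0-9]{0,17})$/', $raw) === 1) {
        return (int) $raw + 1;
    }
    throw new InvalidArgumentException(
        'counter must be a decimal integer, got ' . var_export($raw, true)
    );
}

// Constructed inputs: the thread's '2d9', a plain digit string, two
// alphanumeric strings, and a string PHP reads as scientific notation.
$samples = ['2d9', '9', 'Az', 'zz', '1e2'];

foreach ($samples as $s) {
    $once = incrementLikePhp($s);
    $twice = $once;
    $twice++;
    printf(
        "%-6s ++ -> %-8s (%s)   ++ again -> %s (%s)\n",
        var_export($s, true),
        var_export($once, true), gettype($once),
        var_export($twice, true), gettype($twice)
    );
}

echo "\nValidated increments:\n";
foreach (['41', 41, '2d9', '1e2'] as $raw) {
    try {
        printf("%-6s -> %d\n", var_export($raw, true), incrementCounter($raw));
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

Run it with `php example.php`. The first loop prints the value and PHP type after one and two increments for each sample, which makes visible that the same operator yields a string, an int or a float depending only on the input; the second loop shows the validated helper accepting '41' and 41 and rejecting '2d9' and '1e2', which is the behaviour you want when the value originates from a request parameter.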
It also has an awesome license. Seriously, why didn't I think of including
> If you are caught in a dire situation wherein you only have enough time to save one person out of a group, and the Author is a member of that group, you must save the Author.
in my software before? I mean, yeah, GPL-incompatible, but, hey, it could at some point in the future save my life, as long as not too many other people use the same license! How many copyright licenses can you say that about?