|
|
Subscribe / Log in / New account

PHP web site compromised

PHP web site compromised

Posted Oct 28, 2013 17:22 UTC (Mon) by mjg59 (subscriber, #23239)
In reply to: PHP web site compromised by cabrilo
Parent article: PHP web site compromised

PHP has features that allow you to shoot yourself in the foot. That's fine - so does C, and I'm a big fan of C. PHP has a huge library of features and documentation and is pretty much designed to make it easy for new programmers to pick it up, which is great - programming should be as accessible as possible.

The problem is that any language which has both of these characteristics and does little to stop you from shooting yourself in the foot is inevitably going to lead to inexperienced developers doing dangerous things, and since PHP tends to end up facing the Internet that results in badness. Ideally there'd be a language with the gentle difficulty curve of PHP which let you do useful things without making it quite so easy to screw everything up.

to post comments

PHP web site compromised

Posted Oct 28, 2013 17:44 UTC (Mon) by oldtomas (guest, #72579) [Link]

We're going on a tangent here, but I feel compelled to comment:

I think your assessment is spot-on. The biggest liability of PHP at the moment is IMHO reams of bad example code lying around on the 'net. Since it's perhaps (for better or worse) *the* language for beginners, there will be lots of cargo-cult programming.

I think the best service PHP fans could do to their language is to hunt down anti-patterns (sprintf SQL query generation, regexp XML parsing, etc. etc.) and counter them with current good practices.

PHP web site compromised

Posted Oct 28, 2013 18:51 UTC (Mon) by khim (subscriber, #9252) [Link] (6 responses)

PHP has features that allow you to shoot yourself in the foot. That's fine - so does C, and I'm a big fan of C.

There are few pieces where C i magical and even that often is too much (the fact that it can implicitly convert float to int rarely helps and often hurts), but PHP is magical from the bottom to the top. You can not actually fix that, the only way is to pick some other language.

Ideally there'd be a language with the gentle difficulty curve of PHP which let you do useful things without making it quite so easy to screw everything up.

Unfortunately that's impossible. The camel has two humps and the only way to make language suitable for the Joe Average is addition of some kind of “common sense” to it. Then one can “talk with computer” and “look, ma it can guess what I'm trying to do!”. Of course the flip side of this very same property is inherent insecurity: since your language (Ok, interpreter of your language) is trying to second-guess you intentions with the help of bazillion of complex rules it sometimes does mistakes. Which can then be exploited by adversary.

PHP web site compromised

Posted Oct 29, 2013 17:31 UTC (Tue) by oldtomas (guest, #72579) [Link] (4 responses)

> There are few pieces where C i magical and even that often is too much [...]

Yes. To be fair, C's magic is more than one would expect. See for example <http://blog.regehr.org/archives/213> and following. With aggresively optimizing compilers and reordering processor architectures, the amount of magic beneath C is downright scary.

(I'm a big fan of C, nevertheless, but fair is fair ;-)

PHP web site compromised

Posted Oct 29, 2013 17:48 UTC (Tue) by hummassa (subscriber, #307) [Link] (3 responses)

Well, once you enter the realm of undefined behaviours, the behaviour will be... undefined! What else could be expected?

PHP web site compromised

Posted Oct 29, 2013 17:56 UTC (Tue) by khim (subscriber, #9252) [Link] (1 responses)

Of course, but who do we have hundreds of them? This makes life easier for compiler writers but miserable for users. Most of them should have been unspecified or implementation-defined instead.

PHP web site compromised

Posted Oct 30, 2013 1:21 UTC (Wed) by hummassa (subscriber, #307) [Link]

"why hundreds of them"?

Simple: C (and the C subset of C++ also) is still a glorified semi-portable assembly language. if you overdefine the language, you harden some behaviours that will be inefficient when you port to other architecture.

Good? Not really.

But workable. And that's why none of the "C successors" ever really caught on as kernel implementation languages, for instance. Once you need to write something in "readable assembly", C is the answer...

PHP web site compromised

Posted Oct 29, 2013 21:28 UTC (Tue) by oldtomas (guest, #72579) [Link]

> the behaviour will be... undefined!

Right you are :-)

Magic enters when it becomes difficult to build up a mental model of the border to the undefined. Or, as khim puts it "...hundreds of them".

Not criticizing compiler writers. We users stake our expectations on the optimizer quite high. We get the magic we pay for ;-)

PHP web site compromised

Posted Oct 29, 2013 23:55 UTC (Tue) by nix (subscriber, #2304) [Link]

Unfortunately that's impossible. The camel has two humps and the only way to make language suitable for the Joe Average is addition of some kind of “common sense” to it.
You appear to be taking a paper that says 'nobody has ever looked at this before, but in our one test with this small sample we found something that might be interesting' and generalized it into a universal law. This is not so much bad science as outright scientific mythology.

(<old-fart>grumble grumble can nobody read any more</old-fart>)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds