Posted: Thu Jan 26, 2006 12:11 pm
Jenk wrote:
My personal opinion is that none of this "blame" should be on PHP at all.. hell, would it be PHP's fault if I hosted a script like the following on the public domain?

Code:
<?php eval ($_GET['v']); ?>

no, it certainly would not.

Nobody is talking about "blame" because we are talking about a living project. I hope you are not saying that there should be no discussion of ways that people think PHP can be improved. PHP has become what it is today, in part, because of these types of public discussions.

Jenk wrote:
I think we are looking at this the wrong way completely (when I say we, I mean everyone). If there is a fault with the Zend engine itself that can be exploited, then yes - that is a PHP fault, otherwise it is all down to the developer.

Again, it's not anybody's fault. The discussion is about how difficult it should be to shoot yourself in the foot. It is my opinion that currently you need to know too much to write secure apps. PHP has a steady history of fixing these problems -- but the problem space has been expanding much faster than the solution space in recent years.

Jenk wrote:
I actually disagree with the "built in filtering" idea.. what happens if someone learns a few bits of PHP, it works "safely", then they go on to other languages and find a whole manner of holes in their logic..

That's really the other language's problem and not PHP's. Because PHP is so widely used, and used by so many newbies, I think it has different needs than, say, assembly language regarding security.

Jenk wrote:
I'm also a power freak, I want the code to do what *I* want it to do (within reason.. I'm not about to go and start entering 1's and 0's). Nothing more, nothing less. I very much dislike the dumbing down of application development when the kid gloves are put on.

I'm not saying that you should not be able to get to the raw value for $_GET['v'], but I think the basic usage should be more secure. There are thousands of lines of code in the PHP Code Forum where request variables are put directly into SQL. If it had no effect on your ability to "do what *I* want it to do" (meaning there was still a way to get direct values) then why not make that standard coding practice safer?
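As an added illustration of the "request variable put directly into SQL" pattern the post above complains about (this is example code written for this page, not code from the forum thread or from Jenk), here is the concatenating version next to a parameterised one. It runs against an in-memory SQLite database through PDO so it needs no server; the users table, its two rows and the simulated request value are constructed for the example. The raw value is still reachable, as the post asks for; the difference is only how it reaches the database.

```php
<?php
// Added example, not part of the original post. Runs offline with PDO + SQLite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'),
           ('bob',   'bob@example.com')");

// Simulated request value, i.e. what would arrive in $_GET['name'].
// The single quote closes the literal and the OR clause matches every row.
$attackerInput = "nobody' OR '1'='1";

// Vulnerable: the request value becomes part of the SQL text itself.
function lookupUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the same raw value is passed as a bound parameter, so the
// database compares it as one literal string and never parses it as SQL.
function lookupSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("unsafe lookup, attacker input: %d row(s)\n",
       count(lookupUnsafe($db, $attackerInput)));
printf("safe lookup, attacker input:   %d row(s)\n",
       count(lookupSafe($db, $attackerInput)));
printf("safe lookup, legitimate input: %d row(s)\n",
       count(lookupSafe($db, 'alice')));
```

With the concatenated query the injected OR clause is evaluated by SQLite and every user is returned; with the prepared statement the whole string is compared literally against the name column and nothing matches, while a normal lookup for a real name still works. The same split applies to any driver: nothing stops you reading the raw request value, but it should only ever reach the query as a parameter.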