Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Looks like PHP is really taking a beating from the users over at slashdot for how "insecure" it is. I read a few of the responses to this article, and found them really ignorant, but it bothered me nonetheless. Especially this comment:
A few of the responses were pretty well thought out though, and some people had some decent points about php's security flaws, but for the most part people are just stating what they've heard from others... which is disappointing.
Elitism, most probably from a load of .NET developers looking down their noses at what was originally a "hobby" language which has evolved over time to become what it is today.
I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped-up idiots with extremely narrow views.
Jenk wrote: I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped-up idiots with extremely narrow views.
Seems that way to me too... I always get very irritated reading the comments on slashdot as well as many other forums (besides this one). People's attitudes are very much affected by the fact that they aren't held responsible for what they say.
Well, I'm someone that thinks PHP should make it harder to create security problems... The problem is that the focus still lies on input... where the real harm is done (imho) by interfacing with output (XSS in HTML, SQL injection, ...)
e.g.: With most other web development platforms these days it's more or less impossible to output not-htmlspecialcharacterised data (without explicitly allowing it)...
I'm convinced that you can implement very powerful solutions with php... But on the other hand, php has such a low entry barrier that the problems of newcomers should not be neglected...
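One way to get the escape-by-default output behaviour timvw describes into a PHP application, as an added example rather than code from the thread; the SafeHtml class and out() helper are assumptions of this example, and it needs PHP 8.1 or later:

```php
<?php
// Added example (not from the thread): output is escaped unless the caller
// explicitly opts out, so raw HTML can only reach the page by a visible choice.
declare(strict_types=1);

// Marker type for strings the caller has deliberately vetted as safe HTML.
// Anything not wrapped in it is treated as untrusted text.
final class SafeHtml
{
    public function __construct(public readonly string $html) {}
}

// The single output path: escape everything except explicit SafeHtml values.
function out(mixed $value): string
{
    if ($value instanceof SafeHtml) {
        return $value->html;
    }
    // ENT_QUOTES escapes both quote styles so the value is also safe inside
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently swallow the output.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for an untrusted request parameter.
$name = '<script>alert(1)</script>';

// Unsafe pattern the thread is criticising: raw interpolation of request data.
// echo "<p>Hello, $name</p>";   // would emit the script tag verbatim

// With the helper, the same value is rendered inert.
echo '<p>Hello, ' . out($name) . '</p>', PHP_EOL;
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Raw output remains possible, but only by opting in at the call site,
// which is what makes the exception easy to spot in review.
$footer = new SafeHtml('<em>Generated by the example</em>');
echo out($footer), PHP_EOL;
```

Routing every template write through one helper like this is what turns "remember to call htmlspecialchars()" into a default, which is the gap the post is pointing at.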
I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
The Ninja Space Goat wrote: I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
I've never known any different from /.... I stopped reading that website a long time ago...
I agree with timvw that more could be done, but that is easier said than done. Fixing the basic dangers with basic request/response processing should have been done long ago. It has been done wrong a couple of times ... so I have hope they may get it right eventually.
I get two impressions of the PHP Group. First they are pretty defensive from being beaten down by criticism like this for years despite increasing popularity of the language. You can't blame them, but it does make them pretty conservative and old school in their attitudes. That causes changes to occur slowly. The second impression is that there is a large group of programmers both in and out of PHP who really have poor judgement/taste, yet tend to be pretty vocal in the way they think things should be done. That's why we got things like PEAR and lots of other junk in PHP. Whenever I hear people claiming that something like namespaces are essential for them I figure they might be in this group. Because these folks are constantly claiming that some feature (crutch) is a necessity for PHP it seems like the PHP Group has taken a go-slow attitude to see what actually sticks.
Ultimately these are qualities of open source development which make airing of dirty laundry a common occurrence (like this Stefan Esser episode) and let outsiders think there is more wrong than there perhaps actually is. That's not to let the PHP Group and Zend off the hook, but they are only human. For example, Zend doing the Zend Framework has shown them first hand all the problems that MVC framework creators have been complaining about for years -- and from PHP 5.0.4 forward they quickly started to add/fix a bunch of little stuff in PHP to support implementing a controller architecture. Am I bitter? Sure, but such is life.