PHP is taking a lot of heat at Slashdot :(

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Looks like PHP is really taking a beating from the users over at slashdot for how "insecure" it is. I read a few of the responses to this article, and found them really ignorant, but it bothered me nonetheless. Especially this comment:
"PHP Security Expert...

Isn't that an oxymoron?"
What do you guys think?
http://developers.slashdot.org/article. ... 0&from=rss

A few of the responses were pretty well thought out though, and some people had some decent points about php's security flaws, but for the most part people are just stating what they've heard from others... which is disappointing.

Also, just found this: http://www.suraski.net/blog/index.php?/ ... urity.html
I haven't had a chance to read it yet, but it's very relevant.
Last edited by Luke on Thu Dec 14, 2006 10:32 am, edited 1 time in total.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Elitism, most probably from a load of .NET developers looking down their noses at what was originally a "hobby" language which has evolved over time to become what it is today.

I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped-up idiots with extremely narrow views.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Jenk wrote:I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped up idiots with extremely narrow views.
Seems that way to me too... I always get very irritated reading the comments on slashdot as well as many other forums (besides this one). People's attitudes are very much affected by the fact that they aren't held responsible for what they say.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

If people don't want to implement proper security measures, that's not my problem.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Well, I'm someone that thinks php should make it harder to create security problems... The problem is that the focus still lies on input... where the real harm is done (imho) by interfacing with output (xss in html, sql injection, ...)

e.g.: With most other webdevelopment platforms these days it's more or less impossible to output not-htmlspecialcharacterised data (without explicitly allowing it)...

I'm convinced that you can implement very powerful solutions with php... But on the other hand, php has such a low entry barrier that the problems of newcomers should not be neglected...
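The point timvw makes above (that the harm happens at the output boundary, and that a platform should make the escaped form the default rather than something the developer has to remember) can be shown in a few lines of PHP. The following is an added example written for this thread, not code from any poster or from PHP itself; the `e()`, `raw()`, `render()` and `lookupName()` helpers and the `Raw` marker class are hypothetical names, and it assumes PHP 8.1 or later with the `pdo_sqlite` extension so it can run offline.

```php
<?php
// Added example: an output layer where escaping is the default and the
// unescaped path requires a deliberate opt-in. Helper names are made up.
declare(strict_types=1);

/** Marker for HTML the application itself authored and chooses to trust. */
final class Raw
{
    public function __construct(public readonly string $html) {}
}

/** Escape a value for an HTML text or attribute context; Raw passes through unchanged. */
function e(mixed $value): string
{
    if ($value instanceof Raw) {
        return $value->html;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The only way to bypass escaping: callers must wrap the string explicitly. */
function raw(string $trustedHtml): Raw
{
    return new Raw($trustedHtml);
}

/** Minimal template renderer: every {{ placeholder }} goes through e(). */
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        fn(array $m): string => e($vars[$m[1]] ?? ''),
        $template
    );
}

// Constructed sample input standing in for an untrusted request parameter.
$untrusted = '<script>alert(1)</script>';

echo render('<p>Hello, {{ name }}</p>', ['name' => $untrusted]), PHP_EOL;
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

// Trusted markup must be opted in; a reviewer can grep for raw( to audit every bypass.
echo render('<div>{{ body }}</div>', ['body' => raw('<b>site-authored markup</b>')]), PHP_EOL;

/** Same default-safe idea at the SQL boundary: values are bound, never concatenated. */
function lookupName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// In-memory SQLite so the snippet runs without a server (requires ext/pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// A name containing a quote is stored and found correctly with no manual quoting;
// the same binding is what keeps attacker-controlled strings from altering the query.
$pdo->prepare('INSERT INTO users (name) VALUES (:name)')->execute([':name' => "O'Brien"]);
echo implode(',', lookupName($pdo, "O'Brien")), PHP_EOL; // O'Brien
```

The design choice that matters is the direction of the default: forgetting to call `raw()` yields escaped (harmless) output, whereas in the "call `htmlspecialchars()` yourself" style, forgetting yields a cross-site scripting hole. The same inversion applies to the database side, where prepared statements make the unsafe concatenated form the one that takes extra effort to write.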
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

The Ninja Space Goat wrote:I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
I've never known any different from /.... I've stopped reading that website a long time ago...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I love the articles Slashdot has, I rarely read the user comments however. Why? It's rare they have any actual substance let alone value.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

I agree with timvw that more could be done, but that is easier said than done. Fixing the basic dangers with basic request/response processing should have been done long ago. It has been done wrong a couple of times ... so I have hope they may get it right eventually.

I get two impressions of the PHP Group. First they are pretty defensive from being beaten down by criticism like this for years despite increasing popularity of the language. You can't blame them, but it does make them pretty conservative and old school in their attitudes. That causes changes to occur slowly. The second impression is that there is a large group of programmers both in and out of PHP who really have poor judgement/taste, yet tend to be pretty vocal in the way they think things should be done. That's why we got things like PEAR and lots of other junk in PHP. Whenever I hear people claiming that something like namespaces are essential for them I figure they might be in this group. Because these folks are constantly claiming that some feature(crutch) is a necessity for PHP it seems like the PHP Group has taken a go-slow attitude to see what actually sticks.

Ultimately these are qualities of open source development which make airing of dirty laundry a common occurrence (like this Stefan Esser episode) and let outsiders think there is more wrong than there perhaps actually is. That's not to let the PHP Group and Zend off the hook, but they are only human. For example, Zend doing the Zend Framework has shown them first hand all the problems that MVC framework creators have been complaining about for years -- and from PHP 5.0.4 forward they quickly started to add/fix a bunch of little stuff in PHP to support implementing a controller architecture. Am I bitter ;) sure, but such is life.
(#10850)