PHP is taking a lot of heat at Slashdot :(
Posted: Thu Dec 14, 2006 10:30 am
by Luke
Looks like PHP is really taking a beating from the users over at slashdot for how "insecure" it is. I read a few of the responses to this article, and found them really ignorant, but it bothered me nonetheless. Especially this comment:
"PHP Security Expert...
Isn't that an oxymoron?"
What do you guys think?
http://developers.slashdot.org/article. ... 0&from=rss
A few of the responses were pretty well thought out though, and some people had some decent points about php's security flaws, but for the most part people are just stating what they've heard from others... which is disappointing.
Also, just found this:
http://www.suraski.net/blog/index.php?/ ... urity.html
I haven't had a chance to read it yet, but it's very relevant.
Posted: Thu Dec 14, 2006 10:32 am
by Jenk
Elitism, most probably from a load of .NET developers looking down their noses at what was originally a "hobby" language which has evolved over time to become what it is today.
I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped up idiots with extremely narrow views.
Posted: Thu Dec 14, 2006 10:43 am
by Luke
Jenk wrote:I stopped reading slashdot years ago due to similar scenarios. Much like I stopped reading thedailywtf for the same reasons, too many jumped up idiots with extremely narrow views.
Seems that way to me too... I always get very irritated reading the comments on slashdot as well as many other forums (besides this one). People's attitudes are very much affected by the fact that they aren't held responsible for what they say.
Posted: Thu Dec 14, 2006 1:59 pm
by John Cartwright
If people don't want to implement proper security measures, that's not my problem.
Posted: Thu Dec 14, 2006 2:07 pm
by timvw
Well, I'm someone that thinks php should make it harder to create security problems... The problem is that the focus still lies on input... where the real harm is done (imho) by interfacing with output (xss in html, sql injection, ...)
eg: With most other web development platforms these days it's more or less impossible to output not-htmlspecialcharacterised data (without explicitly allowing it)...
I'm convinced that you can implement very powerful solutions with php... But on the other hand, php has such a low entry barrier that the problems of newcomers should not be neglected...
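To illustrate timvw's point about escaping at the output boundary rather than filtering input, here is an added example (not code from the thread or from any project it mentions): a small PHP helper that escapes every value on output unless the caller explicitly wraps it as already-safe HTML, plus a prepared statement for the SQL side. The `RawHtml` class, the `out()` helper and the sample comment text are all my own constructions; the example uses an in-memory SQLite database so it runs offline, assuming the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread: escape-by-default output.
// The idea is that the only way to emit unescaped markup is to wrap it
// explicitly, so forgetting to escape is no longer the default failure.

// Marker for a string the caller has already rendered safe (hypothetical class).
final class RawHtml
{
    private string $html;

    public function __construct(string $html)
    {
        $this->html = $html;
    }

    public function __toString(): string
    {
        return $this->html;
    }
}

// Escape anything that is not explicitly marked as RawHtml (hypothetical helper).
// ENT_QUOTES covers both quote styles so the value is safe in attributes too;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function out($value): string
{
    if ($value instanceof RawHtml) {
        return (string) $value;
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a comment; every interpolated value goes through out().
function renderComment(string $author, string $body): string
{
    return '<div class="comment"><b>' . out($author) . '</b>: ' . out($body) . '</div>';
}

// SQL side of the same principle: the value never becomes part of the SQL text.
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Constructed sample input containing markup, an ampersand and quotes.
$author = 'Luke';
$body   = '<b>hello</b> & "goodbye"';

// The markup is rendered as literal text, not interpreted by the browser.
echo renderComment($author, $body), PHP_EOL;

// Trusted markup has to be opted in explicitly.
echo out(new RawHtml('<hr>')), PHP_EOL;

// Store and read back: the raw text is kept in the database; escaping happens
// only at the HTML boundary, so the data is usable in other contexts too.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
storeComment($db, $author, $body);

$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo renderComment($row['author'], $row['body']), PHP_EOL;
```

The design choice worth noting is that escaping is tied to the output context (HTML here, the prepared statement for SQL), not to where the data came from: the same stored string can be emitted safely into HTML, into a query or into JSON, each with its own encoder, without having mangled it on the way in.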
Posted: Thu Dec 14, 2006 2:11 pm
by Luke
I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
Posted: Thu Dec 14, 2006 2:14 pm
by timvw
The Ninja Space Goat wrote:I can deal with well thought out arguments, but just blindly stating that php is insecure, especially following "Well, I don't know much about php" is ignorant... even moronic.
I've never known any different from /.... I've stopped reading that website a long time ago...
Posted: Thu Dec 14, 2006 5:13 pm
by feyd
I love the articles Slashdot has, I rarely read the user comments however. Why? It's rare they have any actual substance let alone value.
Posted: Thu Dec 14, 2006 6:57 pm
by Christopher
I agree with timvw that more could be done, but that is easier said than done. Fixing the basic dangers with basic request/response processing should have been done long ago. It has been done wrong a couple of times ... so I have hope they may get it right eventually.
I get two impressions of the PHP Group. First they are pretty defensive from being beaten down by criticism like this for years despite increasing popularity of the language. You can't blame them, but it does make them pretty conservative and old school in their attitudes. That causes changes to occur slowly. The second impression is that there is a large group of programmers both in and out of PHP who really have poor judgement/taste, yet tend to be pretty vocal in the way they think things should be done. That's why we got things like PEAR and lots of other junk in PHP. Whenever I hear people claiming that something like namespaces are essential for them I figure they might be in this group. Because these folks are constantly claiming that some feature (crutch) is a necessity for PHP it seems like the PHP Group has taken a go-slow attitude to see what actually sticks.
Ultimately these are qualities of open source development which make airing of dirty laundry a common occurrence (like this Stefan Esser episode) and let outsiders think there is more wrong than there perhaps actually is. That's not to let the PHP Group and Zend off the hook, but they are only human. For example, Zend doing the Zend Framework has shown them first hand all the problems that MVC framework creators have been complaining about for years -- and from PHP 5.0.4 forward they quickly started to add/fix a bunch of little stuff in PHP to support implementing a controller architecture. Am I bitter? Sure, but such is life.