PHP Security Expert Resigns
juct writes "PHP security holes have a name — quite often it was Stefan Esser who found and reported them. Now Esser has quit the PHP security team. He feels that his attempt to make PHP safer "from the inside" is futile. Basic security issues are not addressed sufficiently by the developers. Zeev Suraski, Zend's CTO, of course disagrees and urges Stefan to work with the PHP development team instead of working against it. But given the number of remote code execution holes in PHP apps this year, Esser might have a point. And he plans to continue his quest for security holes in PHP. Only that from now on, he will publish them after a reasonable time — regardless of whether a patch is available or not."
Update: 10/30 12:57 GMT by KD : Zeev Suraski wrote in to protest: "I'm quoted as if I 'point fingers at inexperienced developers,' and of course, there's no link to that — because it's not true! The two issues — security problems in Web apps written in PHP, and security problems in PHP itself — are two distinct issues. Nobody, including myself, is saying that there are no security problems in PHP — not unlike pretty much any other piece of software. Nobody, I think, argues the fact that there have been many more security problems at the application level than there were at the language level. I never replied to Stefan's accusations of security problems in PHP saying 'that's bull, it's all the developers' fault,' and I have no intention to do it in the future."
I for one would like to thank him for the nominal increase in success rates of attacks thanks to him!
GREAT IDEA!!!!
First, the language is wide open for editing. It might help to be someone who not only finds bugs but fixes them.
Second, it's PHP. Add another API or something.
Isn't that an oxymoron?
There are two types of people in this world: those that categorize other people and those that don't.
On second thought I would have to agree that the majority of PHP flaws are due to unskilled programming.
just have a look
We have a large group of students, staff, and faculty that all have varying degrees of write access to a departmental Apache web server. Every few weeks someone asks why we're not giving people PHP access. Users love PHP because it's so easy; it makes them feel like they're clever programmers. But it seems like security knowledge is never imparted alongside the PHP training. People seem to think it's as benign as plain old HTML. When they ask for PHP I tell them we have a policy about not giving scripting-level access to users without good justification, and they have no idea why that applies to them since "we don't want to do any scripting; we just want to make PHP web pages".
But even leaving all that aside - it seems like every SANS newsletter has multiple announcements either about a bug in some popular bit of PHP-based software, or else in PHP in general. Until that changes, we're sticking to Perl and Python. It's funny, in a way, since the first time I saw PHP I immediately thought of the days when I was writing Active Server Pages on IIS4, because structurally it is so similar - and now we all realize the similarities on the security side (or lack thereof) as well.
#DeleteChrome
Huge problem is "default" installs - everyone knows where your sample scripts are. Delete those first thing then move/rename the active libraries.
Now, where's that Ruby book?
Most of the stuff on
Any language is only as good as the programmer using it.
I use a LAMP stack for the most part, many of the security holes in php aren't due to the language itself but the developers of the various webapps.
That being said, this requires a repost of the ol Adminspotting thang.
Choose no life. Choose no career. Choose no family.
Choose a fucking big computer, choose disk arrays the
size of washing machines, modem racks, CD-ROM writers,
and electrical coffee makers. Choose no sleep, high
caffeine and mental insurance. Choose no friends.
Choose black jeans and matching combat boots. Choose
chairs for your office in a range of fucking fabrics.
Choose SMTP and wondering why the fuck you are logged
on on a sunday morning. Choose sitting in that swivel
chair looking at mind-numbing, spirit-crushing web sites,
stuffing fucking junk food into your mouth. Choose
rotting away at the end of it all, pishing your last in
some miserable newsgroup, nothing more than an
embarrassment to the selfish, fucked up lusers Gates
spawned to replace the computer-literate.
Choose your future.
Choose to sysadmin.
Shadus
It's widely acknowledged that open source programs are inherently insecure. Whether the cause is the availability of the "internal blueprints", the free-for-all repository commit access, or the rampant theft of patents, one wonders. By contrast, Microsoft's .NET platform, including the widely praised C#, doesn't have this problem. The guarding of the internal source code, the standards-adhering developers, and the rock-solid legality of its software patents gives Microsoft an advantage versus the haphazard "open source" languages like PHP and Java. One wonders if this is a harbinger of future defections in the open source language camp. Speaking as a patent lawyer, I advise all developers to switch to .NET and Microsoft's enterprise-class C#.
"Huge problem is "default" installs"
Huge problem is the lack of proper engineering efforts.
PHP seems to me quite a good language for the task at hand, and its popularity seems to agree with me. Probably some PHP core developers are quite good at defining/developing it. The problem is that for a good product to be born that's not enough. Then you need people with proper engineering knowledge and *attitude*, and that, I feel, these people severely lack.
It's not only security flaws within the core of it, which is a clear symptom (while proper engineering efforts would reduce them with time); it's that they mix security fixes with new functionality; they change the interpreter behaviour and default options within minor releases... Those are symptoms of the underlying illness: bad engineering attitude.
And it doesn't seem to change in the future; quite a pity.
...I must ask what you mean when you said PHP and ASP are "structurally similar". I'm assuming you mean vbscript, (as an ".asp" page can actually be written in many different languages), and I don't see much similarity between them, at least as far as their syntax.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Here's the announcement from the source himself, via his blog. Based on that post I'd say he sounds pretty disgruntled with how his efforts towards security were received, i.e. "the PHP Group will jump into your boat as soon as you try to blame PHP's security problems on the user but the moment you criticize the security of PHP itself you become persona non grata"
Are there better alternatives to PHP or is the answer just better coding practices while using PHP?
I ask because the majority of my experience is with C# and ASP.NET but I'm currently working on a project where the client would prefer to go with open-source alternatives. I'm not well versed in other platforms but have been looking at Apache/PHP/MySQL based on popularity & community. Ease of development is somewhat important, but speed & longevity (including security) are more important.
Sorry if this is a dumb question, I've never developed anything serious on a FOSS platform before.
When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability. Right, I'm going to trust these people.
Zope 3, Turbogears, Django, Pylons, etc.
I'll do the stupid thing first and then you shy people follow...
There sure are better alternatives to PHP in the OSS sector! PHP IMHO is a nice toy but nothing I would use in a commercial project.
A soon to be totally OS solution is of course JAVA with Apache and Servlets/JSP. Just take a look at Sun's website, they have a lot of information, examples and tutorials available. Also, Java is totally platform independent and easily installed on Windows, if that remains your development system.
Another, more recent solution would be Ruby on Rails, which has some really nifty features.
And no, not a dumb question at all! One hint: If you've got the time, just download the OSS you are considering and play around with it, that's probably more useful than my dumb answer. ;-)
there is a wide choice of languages and platforms.
languages: there's java, there's python, there's perl, and there are more. each of the first three is (IMHO) a lot better than php (as I know it, up to about v. 4) for building web applications.
servers: Apache, with either mod_perl or mod_python access to the APIs is very good. Of course, there's the plenty of java web servers and ways to run those with or without Apache.
platforms: look at the Apache foundation's site for java, perl and python modules.
development environment: I prefer Eclipse, but there are a few to choose from.
Good luck,
As a PHP user, I have attempted to better the thing by reporting what I think are bugs. I can't name a single one that wasn't closed with a WONTFIX and a terse, non-thankful "that is a feature, not a bug." I honestly have zero disbelief that those same programmers would turn against Esser when he blamed the language, not the user, for the security problem.
In particular, the late static binding issue (if B extends A then A::staticFunc() run as B::staticFunc() is run under class A, not B). It's like how it took MySQL a decade to get stored procedures and views despite many people asking for them. Many people complain about the late static binding issue but last I knew it was still "it's a feature, not a bug."
Regardless, thanks for your work Mr. Esser...
:wq
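To make the late static binding complaint above concrete, here is an added example (not code from the thread). It assumes PHP 5.3 or later, which introduced the `static::` keyword alongside the older `self::`; the class names A and B are the ones from the post, and the method names are made up for the demo.

```php
<?php
// Added example: early (self::) versus late (static::) binding of a static
// factory method. Assumes PHP >= 5.3, where `static::` exists.

class A {
    // self:: is resolved against the class where the method is written, so
    // this always constructs an A, even when the call is B::create().
    public static function create() { return new self(); }

    // static:: is resolved against the class actually named in the call,
    // which is the behaviour the post expected from A::staticFunc() called
    // as B::staticFunc().
    public static function createLate() { return new static(); }
}

class B extends A {}

function earlyBound() { return get_class(B::create()); }     // returns "A"
function lateBound()  { return get_class(B::createLate()); } // returns "B"

echo earlyBound(), PHP_EOL;
echo lateBound(), PHP_EOL;
```

Run it with `php` on the command line; the first line prints `A` and the second `B`, showing that only `static::` follows the subclass at call time.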
Yeah, with Java becoming open source, it's right in line for you. Learning Java as a C# programmer is a joke, the basics are 95% the same, especially if you use Java Faces (though I'm a bit "meh" about that).
.NET, really (I'm primarily a C# programmer myself, so I know where you're coming from). Unless you had an MSDN Universal license with Visual Studio Team Foundation, or were already using .NET 3.0 (Workflow, Communication, etc), this might actually give you a lot more power than what you are used to.
You pull java with eclipse, apache, strut/spring/hibernate/junit, then pull any database that hibernate supports, and you're in business.
There's a learning curve, but you won't feel like anything is missing from
Yes, bad developers produce insecure code, but let me take you on a brief trip down memory lane.
Way back when, when the Web was new, and CGI was just starting out, there was some debate as to whether C or Perl should be the language of choice for writing CGI scripts. In the end, Perl became much more widely used because it was just too damn easy to open up major security holes writing in C, because it lacked some of the features of Perl (like making it impossible to commit a buffer overrun, for example). Perl won out in early CGI precisely because a lot of the problems of CGI security were already solved because of inherent features of the language.
Now, PHP came along and billed itself (and in fact was designed) as an easy way to make secure web scripts. So, if the PHP code has bugs that impact its security in web-based applications, these things should be addressed. Otherwise, it's going to end up being supplanted by another language that is more secure and easier to use to build web apps.
Blaming the developer for security is only going to take you so far when the language the developer is using is supposed to be SPECIFICALLY DESIGNED for web applications.
I'd love to justify your arguments by actually addressing them, but they just don't deserve it. Instead I'll just say that you, sir, are an idiot.
The "news" is that Stefan Esser unsubscribed from the security@php.net mailing list.
Stefan Esser will continue to work on PHP security through maintaining the Hardened PHP project [1] which is a patchset to PHP which enables some low level security features into the language, as well as the suhosin extension [2] for PHP which can be used without patching PHP and "protects servers and users from known and unknown flaws in PHP applications and the PHP core".
I am personally of the "full disclosure" security mindset, so if there was indeed an issue with the response time of the "PHP Security Response Team" then some outside pressure would be a good thing.
More about this on Zeev's blog [3].
[1] http://www.hardened-php.net/
[2] http://www.hardened-php.net/suhosin.127.html
[3] http://www.suraski.net/blog/index.php?/archives/1
Rails is pretty cute. A more functional (but less "shiny") alternative is Catalyst. It's written in Perl, which means you get the benefit of over 10,000 extension libraries from the CPAN to draw upon. Perl also has some nice features that Ruby or PHP lack, like full native unicode support and automatic taint checking. It's also faster, because it's had 10 years to mature. Sadly people seem to be ignoring Perl these days, but with recent improvements it's nearly as cool as Ruby (check out "Moose").
Also, if you'd like to access a database with compound primary keys, ActiveRecord won't support that, but Catalyst's ORM (DBIx::Class) supports it fine.
Rails is good for quick apps like a wiki or a blog, but for more complicated internal applications, Catalyst is where it's at. Stop by the website, check out our advent calendar, or perhaps try the tutorial. Join us in #catalyst on irc.perl.org if you have any questions!
My other car is first.
Developed by the guy who came up with the phrase "We had to burn the village in order to save it"?
Wow, stunningly insightful response: "that's caused by inexperienced programmers". Here's a clue: it doesn't matter what the origin of the problem is (other than to fix it long term) - IT STILL NEEDS ADDRESSING. I've got news for you: the concept of covering large security related cracks in code with prime bullshit is probably already patented by Microsoft.
Personally I would wonder if Essers' 'abrasive style' is not a result rather than a reason for not being listened to and if this flags up a major problem in the way PHP is coded and maintained I'm all for this move. There is no excuse for sloppiness.
So, the reaction discloses the attitude - seems Esser made the right move..
Can someone explain how it is that the apparent consensus is that PHP is insecure by design, aside from just poor programming? Thank you.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
This reminds me a lot of the fundamental principle of politics:
In software, people with their feet so I bet this principle applies equally to this field.
Simon.
Anytime the tool does something that the user doesn't want it's a bug.
This applies to applications, programming languages, heck even cars if you want.
The fact is that if the user gets something they didn't want, no matter how stupidly they tried to use it, the tool still bears some of the blame. I don't care how dumb a thing the user did, there was something there that made them think they could do that and it's a bug.
With programming languages, if the language allows the user to create a security hole it's the fault of the language on some level. Sure you can get stupid programmers, but blaming the programmer entirely discourages the search for a better language. Yeah, if I overrun my array in C it's my fault. But can it be entirely my fault when in Java that same bug wouldn't be a security exploit? Hey, if I drive my car straight off a cliff, is that my fault? Yeah. But a car with a computer failsafe driver wouldn't have gone off the cliff (hey, if two jetliners are on a collision course the computer takes over).
You can never make the perfect tool, even a big green button that will do everything you ever wanted will still have a bunch of people who didn't think to push the button. But it forces you to realize, you can never fix users but you can always fix your code.
I stole this Sig
I second the bloke who mentioned Catalyst. In one sense it's a url path dispatcher, but it's pretty elegantly done with full debugging support. Sure it's perl, but many people think that's a plus.
"...we should just trust our president in every decision that he makes and we should just support that." B.Spears 2003
>bugs were sometimes not correctly fixed or were re-introduced. This was often not noticed because there was no test-rig for exploits and the idea of having one was categorically rejected.
If that's accurate, and if there wasn't some unimaginable compelling reason, any security person would be unhappy.
I looked through some of the other mentions... though you won't find a plethora of hosting options, if you plan on a dedicated server, you may want to give apache2 + mod_mono2 a look... ASP.Net 2 goodness running on linux... the client libraries for mysql, firebird and postgres are pretty mature. You can develop on windows, and test/deploy on linux.
If you are interested in something different, I would do as others have suggested, and look at Ruby/Rails, Catalyst or Java JSP/J2EE. Java will be the closest to C#, but I'm not such a fan of JSP.
Michael J. Ryan - tracker1.info
Someone should fork PHP and do a major rewrite. Drop features like HTML embedding, introduce properly defined packages and make all functionality available in both procedural and OO fashions. Clean up the function names so they're predictable. And make some of the more dangerous functions safer.
PHP could be turned into a decent general purpose scripting language if someone would fork it. Unfortunately that means that we'd need someone who knows the codebase, has time and is fed up with the current PHP development process. Maybe we could talk Esser into it...
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Just because the language is easy is no reason to (attempt) to make it idiot proof. Numerous crappy 'security features' have already been added to the annoyance of decent programmers. Making it more secure by design would only encourage sloppy programming, which already is a big problem.
"PHP Security Expert Resigns, cites own incompetence as reason".
Those are the times I wish I knew more C/C++ to support such a fork.
So long, I am currently switching most of my PHP projects to Python (which is a PITA if you are used to PHP's mysql-handling and regexp-support..., but a major step towards a more reliable webserver environment). Unfortunately, clients tend to insist on PHP ("Build it, we'll find a 15-year-old scriptkiddy to do the support and extensions...")
Screw the FSM - Real geeks believe in the Invisible Pink Unicorn
> Hey, if I drive my car straight off a cliff, is that my fault? Yeah. But a car with a computer failsafe driver wouldn't have gone off the cliff (hey, if two jetliners are on a collision course the computer takes over).
Hey, if I hit my thumb with a hammer by mistake, would it be my fault? Yeah. But a hammer with a computer failsafe hammer-operator would avoid hitting my thumb, right?
That depends (of course). Ruby on Rails is very nice, but the Ruby language is very different from C#. PHP is much more similar.
If you decide to go with PHP, have a look at the Symfony project. It's a well-documented rails-like framework for PHP, it really promotes better coding practices.
Free GPL Java Mobile Tetris game: Jamos
Moving from C#/ASP.NET (and presumably SQL Server) to PHP/MySQL is like chopping your hands off. You can do much better than that.
DB-wise, PostgreSQL is as powerful as SQL Server in most ways, and more powerful in many.
Language-wise, you have Python, Ruby, Java and even Perl. Perl is baroque and dated and I'm not sure I could recommend using it now. Java brings with it the whole Java stack and accompanying XML hell and performance issues (yeah, I know, they don't really exist and it's all a conspiracy). Ruby and Python are fairly different languages -- Ruby is more fun while Python is more powerful and better-supported.
But to be honest, there is absolutely no reason why you should leave C# at all if that's your preferred environment (and it's certainly at least as useful a skill as any of the above). Mono is pretty darn solid and it's possible to write web components with it that are 99% (maybe 100%, I dunno, but I seem to recall I found some minor issues) compatible across windows and Linux.
My choice would probably be a Python environment backed with PostgreSQL. As it happens, I use PHP and MySQL just for the sake of keeping au fait with the 'less robust' end of the market -- if that's not an issue I don't see why you should use them. After C#, PHP is a pretty bitter pill to swallow.
Whence? Hence. Whither? Thither.
Now, PHP came along and billed itself (and in fact was designed)
I call shenanigans! No way was PHP 'designed'!
Law makers in Texas are debating a bill to enable people to own nuclear weapons and heavy artillery and to remove safety catches from guns.
"All you should need is a great big red button that says 'Fire'" said Congressman Bobby Ewing. "It's ridiculous that people are prevented from using these things and having to put up with safety devices; it just encourages sloppy thinking."
"By letting people launch nuclear weapons with a big red button we are making sure that everyone is aware of how to properly care for their nuclear weapon and that it is their god given right and responsibility to fire it carefully" said some bloke in a hat "I'm fed up with all the ridiculous procedures I have to go through to fire a gun, let alone blow up France just because a few bleeding heart liberals feel they need to protect stupid people in New Hampshire"
In related news, Iowa has banned the use of indicators, roll cages, air bags, crumple zones and seatbelts as they give people too much sense of security. California has banned the use of door and window locks and the use of burglar alarms as they make houses "secure by design".
Secure by design is the only type of security that really counts.
An Eye for an Eye will make the whole world blind - Gandhi
A bad worker blames their tools and a bad boss blames their workers.
There's no denying that PHP has things wrong with it. It started out as a bastard son of Perl, tried to be a bit more n00b-friendly and tripped over its own cleverness. The beauty of Perl is its very inconsistency. The functions you use most have the shortest names, and there is no need to clutter things up with unnecessary brackets around arguments. Regular expressions, which you are going to use all the time, have a distinct syntax. Number and string data types can be interchanged with such wild abandon, there have to be separate operators for addition and string concatenation (JavaScript, I'm looking at you). There are constructs to populate arrays quickly. All things are subordinate to the goal of letting a programmer get a job done. Easy things are easy, hard things are possible. Perl is so broad-minded, it even has the Principle of Equivalence built in!
PHP lures you in, with obviously_named_function($par1, $par2) ..... then trips you up with anotherobviouslynamedfunction($par2, $par1). You could say it's not all PHP's fault, as the functions originate from different shared libraries, and PHP is only providing an interface to them by their original name and with something like their original syntax. But it still smacks of laziness on the PHP developers' part. Short aliases for commonly-used functions (a context-sensitive editor can always expand them for the benefit of the anal retentive), and differently-named work-alikes for functions that take their parameters in a different order than you might expect, wouldn't have hurt. Would they?
Still, you've got two choices, I suppose. Learn to put up with the idiosyncrasies or learn another language. And never forget the Principle of Equivalence; "All Means to the same End are equally valid", nor its corollary, "Means which are not equally valid serve different Ends".
Je fume. Tu fumes. Nous fûmes!
Would a suitable headline be "Goaded, Esser Back"?
Apologies to Douglas R. Hofstadter
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
Learning Java as a C# programmer is a joke, the basics are 95% the same
I'll second that, having come from the other direction - I'm a professional Java programmer and sometime hobbyist C# programmer. While I certainly wouldn't claim to be an expert and I've not done anything I'd consider particularly complicated (a couple of fairly noddy webapps and a couple of basic D3D things), C# was incredibly easy to pick up.
It's official. Most of you are morons.
I'm currently writing an app with Catalyst. ("Currently" as in "paused to look something up while working on it and spotted this story".) It's based on Perl and usually combined with Template Toolkit, which uses a mini-language to describe templates. I definitely recommend it—it's about the cleanest way I've found to create a dynamic site.
Catalyst is designed to keep the different parts of your app separate from each other, unlike PHP which tends to encourage mixing presentation code with application logic. (You can write PHP apps nearly as cleanly as Catalyst apps, but Catalyst helps you do it while PHP makes it fairly inconvenient.) It basically carves your site into three big chunks—Model, which talks to the database; View, which talks to the web browser; and Controller, which bridges the other two. Typically you'll need a model for each database, a controller for each section of the site, and a view for each method used to access the site (HTML, RSS, web service, PDF...). Models are usually auto-generated, and the glue code for the views is written for you, so you basically just have to write your templates and application logic.
Because it's based on Perl, you automatically get a few bonus security features, like taint checking (which tracks user-provided data to ensure you don't use it in unsafe ways) and database libraries that use placeholders. Catalyst apps almost never use raw SQL either (they use libraries that create objects to represent the tables and records), so injection attacks are virtually impossible.
If you don't want to use Perl, Ruby on Rails is fairly similar, and I know a lot of people swear by it; Ruby has a shallower learning curve as well. It doesn't have the libraries or userbase Perl does, though.
Hey, you try to find an open nick these days!
use Perl;
== Jez ==
Do you miss Firefox? Try Pale Moon.
PHP is interesting.
Can anyone explain why the following code:
echo print("2"). 3 . print("4");
Results in the following output: 42311
Bullshit
I am hesitant to try any framework whose partisans routinely bash other frameworks. I'm used to getting this from Python; it's refreshing to see a Perl guy screaming at the wind.
Well I moved from C# to Java a couple of years ago when a client wanted to be able to deploy to AIX. I found the transition dead easy. If you fancy taking a look at Java and want a good starter IDE you could do worse than look at Sun's Java Studio Creator which has a lot of the same look and feel as Visual Studio and is free and open source. If you want something that rocks and don't mind paying for it IDEA is easily the best IDE I've ever used for anything. Ruby on Rails is where all the hype is at the mo, of course, but I'm not much of a fan myself mainly because Ruby is so damn slow.
If PGP stands for 'Pretty Good Privacy', I wonder if PHP should really stand for 'Pretty Hopeless Privacy'...
Oolite: Elite-like game. For Mac, Linux and Windows
> Bullshit
;)
As the linked article said, this is an experimental patch + hack. With DBIC, you just do find({key1 => $val1, key2 => $val2}), which is a natural extension of the simple single-key case: find({key1 => $val1}). This all works very well in practice, as opposed to the it-might-work approach of ActiveRecord. I'm not saying you shouldn't use ActiveRecord... but I wouldn't use it.
> I am hesitant to try any framework whose partisans routinely bash other frameworks.
Bashing? I said it was good. There are some places where Catalyst is better, and some places where it's not as good. In my experience, Catalyst's good points make more complex applications easier (frontend to an HR system is what I've done), whereas Rails full-stack approach is great for CRUD applications. You're allowed to like both, ya know!
> I'm used to getting this from Python; it's refreshing to see a Perl guy screaming at the wind.
These people (I'm one of them) get upset because their languages are technically better than the alternatives, but "nobody" uses them, and they're shunned for not using PHP. "Perl is so 1996, man, use PHP or Ruby now." Irritating. use Perl;
If you do decide to go the Java route have a look at Seam and Ice faces. The combination of the two is very powerful and both are open source.
my butt would be giving buttloads of major security holes ...
Something which is used extensively gets more flaws discovered than something that is used less. Get this in your heads.
Read radical news here
Amazon has The Design of Everyday Things by Don Norman available second hand. He argues similarly. If a door has a sign that says 'push' and someone tries to pull, you can blame the user, but it would be better to design a door that invites pushing and discourages pulling. Or vice versa. abebooks.com also has some copies. It was also published as The Psychology of Everyday Things. Good read.
Loose lips lose spit.
> I am hesitant to try any framework whose partisans routinely bash other frameworks. I'm used to getting this from Python; it's refreshing to see a Perl guy screaming at the wind.
You win. Meta bashing is so much more mature.
And you know it was a PHP exploit *how* exactly?
PHP has security issues??!!!!
Nice philosophy, but you're delusional if you think it can be applied to everything.
It certainly won't work for power tools or programming languages...or even flatware.
Maybe one day we'll have A.I.'s that make all the decisions for us, and robots that chew our food for us so we don't need forks. But then we won't be quite human anymore.
So I read the piece from his blog and the heise article; I didn't see any remorse against Stefan from the PHP group. I can see Stefan making that accusation, though. It can be very difficult to fix bugs, and sometimes it can take a very long time. So - with the information I got thus far - I think Stefan is trolling and trying to get some publicity. That also seems to be the reason why he wants to do a month of PHP bugs.
Something which is used extensively gets more flaws discovered than something that is used less. Get this in your heads.
That's assuming that the flaws exist in the first place. It's true that incredibly popular pieces of software are subject to more scrutiny and exploitation, but how much can go wrong is a characteristic unique to the design of the software itself, something that would be the same regardless of how many people used it. It would be rather obtuse to entertain the idea that all pieces of software somehow contain the same number of security flaws, and that's to say nothing about their magnitude.
This would of course be why Java, probably the most widely used commercial language on the planet, has had so many massive security issues......
Oh wait, it hasn't has it. It is also why Apache had so many more security issues than IIS4 because Apache was used... oh hang on that one doesn't work either.
Maybe if you used your mouth rather than your butt for speaking you might make more sense.
Any time I see a Rails vs. Django comparison, which is quite often, half of the Python users have their nose hiked 90 degrees into the air. They're maybe half as bad as the Lisp community (which rates a full centidijkstra in arrogance). I don't represent this as being scientific fact, but it is exactly what I have observed.
The classic example is the database access API (or maybe it's specific to mysql, I forgot). It doesn't support bound parameters. Use of placeholders ('?') and bound parameters is a must for secure SQL, but PHP doesn't support them, and instead requires the developer to jump through hoops escaping user-supplied data which must be passed as literals into the SQL statement.
Although it might be possible to make a secure SQL-using PHP script, the odds seem against it. Every time I look at the changelogs of popular PHP applications, I see new fixes for SQL injection vulnerabilities. Clearly programmers don't always remember to escape those literals!
Lack of placeholders also affects the database's ability to cache prepared statements. Statements full of literals are different each time through the loop, whereas parameterised statements can be executed more quickly.
All in all, PHP strikes me as a toy language and not well suited to writing secure systems.
That was a retard's joke back in '97!
Rails doesn't scale well. Even the rails devs will tell you that. And yes, I know this, because I've been to a conference where the rails presentation said just this. We use PHP on an enterprise level for a major bank in a G7 country. I don't want to say which one for business reasons. It's clear you don't know much about Rails or PHP. Also, if you want to build something 'serious' then you wouldn't use JSP. By now, you'd think people would realize that mixing data and logic is bad. It's amazing how many people still do this blindly.
PHP has many eyes, yes. That's one of its great advantages. But it also is prone to security issues. Any grown up PHP dev will admit that flat out. Fault tolerance, reverse proxy, URL dispatching, close ties with the Framework/CMS team, basic brain functions when configuring Apache and the underlying OS, common ground standards of secured client server communication and some other details are part of the regular toolkit of PHP developers to deal with these issues. The versatility of PHP comes with that tradeoff, one has to deal with it, period.
We suffer more in our imagination than in reality. - Seneca
I mostly agree, but you know the saying: When you build a foolproof tool, nature makes bigger fools. There is a balance where automatic overrides don't introduce more problems than they solve. Every uncaught user error beyond that limit isn't even partially the tool's (or the tool builder's) fault. A car navigation system is a problem in itself if it tries to prevent you from driving off a cliff while you want to cross the gap on the newly built bridge.
On the matter of PHP, I have no doubt that the language is problematic. There are just too many non-obvious ways to shoot yourself in the foot. A language which is mostly used to process untrusted input should make it easy to write code that is safe from certain low level attacks. The language cannot enforce proper application logic, but it shouldn't take as much knowledge and leg work to avoid run-of-the-mill code injection as it does with PHP.
Yes it does. It's a question of design, the design of the programming language, of its documentations and of its library can make security holes much harder to create.
When it actually becomes harder to do the wrong thing than to do the "right" thing, creating security holes becomes the fault of the user. When it's much harder to do the "right" thing than the "wrong" one, and most documentations suggest the "wrong" thing, then it's completely the fault of the language.
Most PHP issues are the latter.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
Flexibility is a double edged sword because it allows programmers to do everything more easily, including writing bad code, but I am in favor of that because it rewards good programmers. I don't think good programmers should be punished by reducing PHP's flexibility just because there are some (or even many) stupid PHP programmers out there.
Primarily, creating a secure application requires that the programmer considers security in the design of the application; syntax is NOT (and should never be) the primary source of security in any application because that would make the language incredibly inflexible, and I'd venture that most PHP vulnerabilities are caused by programmers who did not consider security in their design, which would still be a problem if they used any other programming language.
Use Django then, it does.
Mod parent up, please. Excellent information.
It's a flexible language compared to Java (this has its benefits too of course), and it has a lot of exposure to people who can't program, but that doesn't mean that good code somehow cannot be written in it.
// MD_Update(&m,buf,j);
We use some web apps on our internal network. Most of them are written in Java, with a few legacy Perl scripts still being used. We're going to be developing some new applications soon, and as part of the process we had to decide what language and frameworks we were going to use.
At a recent meeting, one poor fellow decided to suggest PHP. You should have seen the reaction! All at once about eight or nine of the other developers and architects just started laughing outright. One even had a memorable line: "We will not use PHP anywhere in our network. Gonorrhea on a camel's gonads has better security than PHP." I've never seen an idea shot down so quickly. And I'm thankful it was.
engineering
md5sum
d41d8cd98f00b204e9800998ecf8427e
Could someone explain to me why I can never EVER see the first comment? I have to infer what was said from the second comment. In this case, I presume the first poster said that PHP was the best programming language. I am using the newfangled AJAX-y comment thread expandomatic, but there's no button to click to see the first comment if it's been modded down.
"I am hesitant to try any framework whose partisans routinely bash other frameworks."
Says a Rails guy...
You're giving users far too much credit. When a user asks how they can set a variable on line 50 of a script and use the value of that variable on line 20 (no, not functions), and insists that it must be done that way, there's only so much a language can do to help that user. PHP has/had its fair share of problems, many of which have been fixed (register_globals and magic_quotes_gpc have been off by default for a long time, register_globals will be removed completely in PHP6), but a complete idiot will write terrible code in any language. Most languages are just too difficult for complete idiots to figure out.
Like all other programming languages, PHP is a tool (cue jokes). A person that knows how to use the tool well can do some very impressive work with it. A person that doesn't know how to use the tool will probably just break stuff.
Reading all the comments about PHP throughout the years, I think it's about time that Slashdotters unite against PHP (and Microsoft and... add whatever it is that Slashdotters hate).
I think the functionality of the language is its biggest enemy when it comes to security. If the language is simple enough, like for instance you can only make programs that print out "Hello world", then it can be considered very secure. It's maybe not very useful, but very secure.
I know programmers who should never be allowed to program in anything but Java or C# and then only simple code.
The only Rails guy I see routinely mouthing off is DHH. Most of his invective (that I've read) is aimed at Java, though, which is a mitigating factor. J2EE is easy to bash because you'll be right most of the time.
You have to know your programming language, and I don't just mean syntax. Know what its aims are. There are always compromises to be made in programming. Some languages (eg. C/C++) allow low level platform dependent control, some (eg. Java) have no pointers (use GCs) and are cross platform, others (eg. Perl, PHP) allow RAD, massive library support.
When I first started dabbling in PHP I recall it being billed as an easy language to learn so non-hardcore programmers could ease into web design. I've seen excellent graphic artists get by with enough PHP to get the job done. They are pushing content and rely on popular CMS's to take care of the scary stuff.
PHP could probably use improvement, what can't, but people harp on about it needing typed variables etc.; to me that raises the bar of entry and goes against some of PHP's strengths. Consider for a moment that not everyone has a mindset for typed variables and that there is power with untyped. There are other languages if this feature is a show stopper for you.
If there are bugs in CMS's (or whatever) written in PHP, then those (professional) programmers made errors. You really don't ... go blaming your tools. You chose them.
Programming has always been about finding better ways of dealing with gotchas in all programming languages, whether they be memory leaks or catching untyped variable issues.
If I smash my thumb in with a hammer, can I blame that tool as well? Sounds like a glitch in the hammer by your standards.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
A big problem with regards to PHP vs. Java is that it's awfully harder to get Java going in a server-side fashion on your box. Where you only need a simple Apache module, for Java you'd need a product like the Tomcat server to get the best out of Java. Which, for a common user, means more trouble and overhead. Now you got 2 software products to configure which can make your life a lot harder.
When looking at the Java Enterprise Edition (EE5) you'll notice that it comes with its own application server called Glassfish; it's even fully open sourced. However, even though it's a lot easier to set up and tune Glassfish when compared to Tomcat (a nice spiffy web interface in which you can do everything vs. a limited administration interface and lots of manual editing of config files) it's still making things too complex for common use. You still need at least 2 ports opened up (one for the webserver, one for the application server) or figure out a way to start forwarding requests.
No more. A very good alternative for all this complexity is the Sun Java Webserver 7. It's not officially released yet, this is the 3rd release candidate, but despite that it's very usable. This is basically a combination of both an extensive webserver which can easily compete with the likes of Apache and a Java container (or "application server") fully embedded into the system. So you only need to worry about a single software product to set up both your web and application server needs.
There is a little thing to keep in mind: when it comes to Java technology (EE5) you'll notice that the Java Webserver 7 is a little behind in some regards. The support for JSP, servlets, etc. doesn't keep up with the latest versions but supports standards (JSP, servlets, JSF) which are one release or so behind. But that doesn't mean its functionality is any less than Tomcat or the Sun application server.
If you're now considering Java but looking at maintaining 2 software products I'd definitely check this out. It runs on Windows, Linux and even Solaris (duh, as if that wasn't to be expected from Sun ;-)).
Why not just use Mono? It's an open source implementation of .net http://mono-project.org/
Have a look at the PEAR library sometime, specifically MDB2. It does what you're looking for in PHP.
While the basic concepts between C# and Java might be similar (I haven't gotten around to C# myself yet), Java has some pretty strange things entrenched in the way that it is employed. For webapps, EJB and J2EE will leave you in a straitjacket. Granted there are alternatives to EJB (Spring, Hibernate, etc), but EJB is still "the standard" way to do Java on webapps, if you are going for anything more than a servlet. I have pored over several J2EE books and I still have a hard time wrapping my mind around EJB and the umpteen levels of abstraction and interfaces required to use it properly. Somebody once said that "Java programmers have a morbid fascination with complexity"; that is absolutely true of the twisted minds who thought up EJB. My gosh, the J2EE Tutorial from Sun is *several hundred* pages long.
PHP has its problems, but I find it much more satisfying because it is more straightforward. It's easy to write bad code in PHP, but it's also easy to write good code in PHP. PHP is definitely a less versatile and less powerful tool than Java, but it's still a good tool for its intended job.
http://www.php.net/manual/en/ref.pdo.php is probably what you're looking for.
Being a hypocrite is just as bad.
I would advise using ASP.NET in mono (if you can get it to work, I have had difficulties in the past) or Java.
Java is actually *used* by a great number of people, compared to the rabid fanboyism and hype surrounding some other technologies.
Whatever you do, don't use MySQL. PostgreSQL is many times better.
-1? Wow, I thought my winning the argument with LOGIC would have negated a troll mod.
It depends on your task. If you are building small to medium-sized web-applications, I would recommend Seaside. For larger projects, there are things like GNUstepWeb and Struts. If you want something slow that doesn't scale well, but is 100% buzzword-compliant, then there's Ruby on Rails. If you want to re-use existing ASP.NET code then you could try Mono.
For many needs, Apache is not a good choice. I personally prefer Lighttpd, which is lighter, faster, and easier to configure. It has nice FastCGI integration, so you can use it with most frameworks.
As for databases, I still haven't found a good reason to use MySQL. If you need a real database, I'd go with PostgreSQL, which is more standards compliant than MySQL, and faster for complex queries. If you want something slightly more structured than a flat file, then try SQLite, which is simple, lightweight, and faster than MySQL for simple queries.
I am TheRaven on Soylent News
And automatically labeling someone as a partisan (when he even said that he likes Rails!) just because you have never been able to write a single line of Perl code, is even worse.
(BTW, Catalyst is 10 times more flexible than Rails.)
Emanuele.
So how many holes does your butt have, anyway? Or are you still trying to find them all?
You mean you would never use PHP in commercial projects like Flickr, Digg, Yahoo!, del.icio.us, imageshack, hotscripts, or other sites of that caliber, right? Well those websites ALL use PHP. Get your head out of the "let's bash the programming language itself instead of just criticizing the bad programmers who make it look bad" club. There are lots of ways to write insecure code, sure. But there are also lots of ways to write secure, efficient, well-designed code that can handle hundreds of thousands (even millions) of requests each day, and these sites prove it.
The reason you can quickly find so much insecure code is just a side effect of the low barrier to entry. PHP is one of the easiest to learn programming languages I know of, and because of that, you have people writing code that have never programmed before in their life. Of course their code is going to be shitty and insecure - they haven't been taught better. It is possible to write insecure code with almost any language, so don't bash the whole language overall. It's not a bad programming language just because it doesn't hold your hand or prevent you from shooting yourself in the foot.
I think I've been around the block with the options:
However, my current solution that gives me the most productivity is to install Drupal and add functionality using Drupal PHP modules. That way I delegate the design, security and most of the maintenance to the Drupal team. I only worry about coding the correct "hooks" for my application. Drupal provides an API that takes care of most common tasks. For example, last weekend I took a project I wrote in ASP.NET to query stock transactions (result paging, complex search controls) and reimplemented the functionality as a drupal module in 1 day. The original project took me 2 weeks in ASP.NET.
I just look at the code for the built in modules as my guide. Once I understood the hook API and looked at some examples I've found I can put together complete applications in hours, not days or months.
If there were a Drupal equivalent for Ruby or Perl that was as mature, I'd jump at it.
Third(ed?). I use some C# at work (C++ is the normal, everyday language), and it's remarkably similar to using Java, especially when you don't use any of the more esoteric features.
Any language that tries to check my taint is a language I don't want.
Keep your code out of my nether regions!
Is it only me who thinks that PHP after version 2 started getting so much weight and bloat that I would believe anything about how insecure it had become?
The rate at which new features/functions are added to PHP at times seems to be exponential. Something that points to poor project management: it looks like it is incapable of handling the exploded PHP popularity and attention it gathered.
Though my opinion might be outdated: I was programming PHP last time when version 3 was getting its first releases.
All hope abandon ye who enter here.
PHP IMHO is a nice toy but nothing I would use in a commercial project.
A soon to be totally OS solution is of course JAVA with Apache and Servlets/JSP
I doubt people enjoying PHP would actually find their way into JAVA; not those I know at least. I really dislike PHP, but I recognize it has virtues: it is something that a *lot* of people can use, like VB for example. Unlike JAVA. Unlike perl. Unlike many (most?) other things.
Sadly, it's something that also gives inexperienced programmers very bad habits, such as accommodating broken and unorganized APIs (not surprisingly, their code looks as broken and unorganized as the API they're using). Not even mentioning the configuration and troubleshooting hell.
I find that the most ugly aspect of PHP is the way it sometimes approaches standard programming concepts in a very "exotic" way.
This causes a lot of problems for me because I have strong references in other languages/platforms, but it seems to be okay for those inexperienced users who usually don't realize there's something odd/strange.
It's obviously been a very long time since you've coded in PHP. The native PDO layer in PHP 5 supports bound parameters for all database drivers, and there are numerous other data abstraction layers that support this which have been around even longer.
Just because all these "popular PHP applications" you mention (care to cite examples?) don't follow good programming practice doesn't mean the language itself is flawed. PHP can't force someone to write good code.
I don't know any guys who do Java and Perl, but I do have a female friend who does...
The new language features? Taken from Haskell. The only functional implementation at the moment? Written in Haskell. OOPS.
What do you have against Haskell? Haskell kicks ass.
--
Promoting critical thinking since 1994.
Actually get some friggen types implemented! Then, half the SQL injection flaws that are in PHP scripts would become null.
"Free software" is a matter of liberty, not price.
Hosting for a servlet engine or Rails or mod_perl is more difficult to find than PHP/MySQL hosting.
There is for python (Plone)
I'll do the stupid thing first and then you shy people follow...
Follow the argument. The GP said that Perl was technically superior. I countered with the fact that Perl is doing a huge rewrite and taking a bunch of ideas from Haskell. This is not a slight against Haskell, which I would describe first and foremost as "thought-provoking"; it is, instead, proof against the imagined technological superiority of Perl 5. Perhaps I was not clear: the "OOPS" was meant to be taken against the statement of technological superiority, not the use of Haskell.
I don't know why but whenever I *accidentally* open a webpage with Java on it I have to sit still for 2/3 minutes. My browsers (FF2 & IE7) would not allow me to even go to other tabs and do something.
It's a nice short break every once in a while.
However if I am in a hurry sometimes I have to KILL the browser and start doing everything again while avoiding the JAVA *enhanced* website.
So if JAVA is the future, I am off on holidays.......
Only on /. would that get modded "Insightful"...
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
"if you'd like to access a database with compound primary keys, ActiveRecord won't support that"
It will, it just needs a plugin for the time being. And nothing's stopping you from using Og or some other ORM layer (or no ORM layer) if ActiveRecord's insufficient.
Actually, I once wrote an ActiveX component in perl that talked to a Java server (which I also wrote) via XML diff. The diff itself was also XML. Java was great for the combo of XML processing and heavy networking support that I needed. NIO had just come out, otherwise I would have been forced to use C++.
If you want to talk of language I use daily, I'm more of a Perl guy than anything else. I'd be much happier using Ruby or Python or Haskell or whatever, though, as I am sick of writing $this->{shit} = [qw(oh god the pain)];
If I am a web app developer, sure something might be easy to use, but who gets blamed if security is breached - me.
:-)
Why would I want to use a language whose governing body decides that it's not worth fixing architectural security problems and leaves the burden to me as a developer? I have enough to worry about with deadlines, bureaucracy, Microsoft, the RIAA, RSI, IRS, etc.
Sure you take the good with the bad with any programming language, but I think they might be shooting themselves in the foot if the outgoing security guy's statements are accurate.
Oh good, positional arguments. Who decides the order? They're not positional in the database...
The internals of Perl are old. Over the years, they've come to be fairly full-featured and quite speedy... but they're 10 years old. Any piece of software that organically grows for 10 years is going to become a maintenance nightmare, and that's the state of perl right now. Hence it's time for a rewrite.
Perl 6 (the language) takes some features from Haskell. I don't see the problem -- Haskell has some good ideas. So does Ruby, so we're borrowing from there too. Perl6 is designed to be a language that anyone can use, regardless of whether they prefer functional or declarative syntax (this is partially true in Perl5; see map/grep).
As you note, Pugs is written in Haskell. Who cares? Is everything a rip off of C since it's implemented in C? Pugs' purpose is to be a prototype of the real implementation. It's much easier to do the final implementation (on Parrot) when you've had somewhere to play with the concepts. You're welcome to start porting some of the complicated stuff to Parrot any time you want. This Saturday is "Parrot bug day", so why not stop by the IRC channel (irc.perl.org #parrot) and hang out?
Lastly, why is any of this stuff an "OOPS"? If you actually looked at these projects, then you'd be really excited about how easy programming is going to become in a year or two. Why criticize something that you can directly benefit from? Why not help us make it happen sooner instead?
My other car is first.
Perl has borrowed from other languages too -- sh, awk, sed, C, lisp, etc. Since perl5, some interesting new languages have appeared, so it's time to integrate these into perl :) Perl is designed to be a one-stop-shop for solving your programming problem and getting on with your life, not to be a "real programmers only need xyz functionality".
Anyway, I don't understand why you think borrowing good ideas is admitting failure.
And let's not forget Wikipedia (MediaWiki is written in PHP)
Ok it's obvious that seasoned coders have a distaste for PHP. But what would the recommendation be for someone who's about to embark on several web projects, and thought PHP / MYSQL was the answer? I'm 100 pages deep in my 2nd PHP book and you guys just scared the **** out of me... I'm ready to hit the book store tonight and start a new approach, but where to start? Assuming I take the Perl route, what books would you recommend to take me from a novice to a worthy code writer?
If Perl 5 was technologically superior, as the guy I was arguing with stated, nothing would need to be borrowed. I never said or implied that stealing ideas from Haskell is a bad thing - I think quite the opposite. We agree, you're just misinterpreting what I said.
The GP was talking about server side Java and made no mention of Java applets which is what you're talking about.
Being simple is good, powerful, handy, everywhere! Use it, improve it, don't judge it! (Critics shall only go make their own perfect language.)
We just need a powerful tool to get the job done!
There is no need to use a full-featured and mysterious "Real" programming language like Java only for webs! It's like shooting mosquitoes with missiles.
Security is an everyday issue... see Windows, a multi-billion program that still has security holes.
PHP, popular
China, in fact, is very fragile.
The problem is that PHP is objectively a bad language. It does not really have a meaningful niche. When presented as a language for beginners, it makes it too easy for them to shoot themselves in the foot. For a "heavy duty" language, it has nothing to offer over its competition (be it Python or Ruby), and is generally more clunky even at what it does.
magic_quotes_gpc is off by default in the recommended php.ini file, however it is on in the .dist ini file.
In PHP you can do things like this...
// $mysqli is an already-open mysqli connection; 'i' binds $id as an integer
$stmt = $mysqli->prepare('SELECT foo FROM bar WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
no quoting there.
register_globals has been off by default for a very very long time.
Which is one of the problems. Why the heck is stuff like that in an
In Perl, you do things like: This way you don't need to worry whether it's enabled or not enabled in some
That's exactly how it should be. Now, why does it seem that most PHP software doesn't use it?
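An added example, not code from any poster in this thread, that serves both the earlier complaint that PHP makes you escape literals into the SQL string and the mysqli prepare/bind_param snippet just above: the spliced-literal query beside its bound-parameter replacement, using PDO against an in-memory SQLite database so it runs without a MySQL server. The table, its rows and the findByName*/findById function names are this example's own; it assumes PHP 5.3 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not from any poster in this thread: a spliced-literal query
// next to a bound-parameter version using PDO, run against an in-memory
// SQLite database so no server is needed. Table and rows are constructed
// for the demonstration; assumes PHP 5.3+ with pdo_sqlite.

function makeDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 1)");
    $db->exec("INSERT INTO users (id, name, is_admin) VALUES (2, 'bob', 0)");
    return $db;
}

// Vulnerable: the user-supplied value is pasted into the SQL text, so a quote
// character inside it changes the structure of the statement.
function findByNameVulnerable(PDO $db, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement text is fixed and the value travels separately as a
// bound parameter; the database never parses it as SQL, so no quoting needed.
function findByNameSafe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer keys get the same treatment, plus explicit validation: a bare
// (int) cast would silently turn "1 OR 1=1" into 1 instead of rejecting it.
function findById(PDO $db, $id)
{
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = makeDb();
$payload = "x' OR '1'='1";   // constructed attacker input

printf("vulnerable rows for payload: %d\n", count(findByNameVulnerable($db, $payload)));
printf("prepared rows for payload:   %d\n", count(findByNameSafe($db, $payload)));
printf("prepared rows for o'brien:   %d\n", count(findByNameSafe($db, "o'brien")));

$row = findById($db, '2');
printf("id 2 is %s\n", $row['name']);

try {
    findById($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Run it with the php CLI. The spliced query's WHERE clause becomes name = 'x' OR '1'='1', so the first count is the whole table, while both prepared lookups come back empty and the name o'brien needs no escaping at all. On pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses server-side prepared statements rather than quoting the values client-side and sending a single string.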
I would like to comment on that statement. Developers or novice class users know something about using that many don't. If you go along with your system and usage history by staying consistent as never wanting to learn all the fancy stuff in program languages and a few other secret things that I can't tell you. The system itself gives you free programs. If you really work at developing then you discover free software magically appears on your system. With the day you open it as its property, it's like a gift. That is a secret to why we keep at it. The free stuff we magically receive. You also get special icons that no one else has and advanced functions that no one else has. Oh WELL.
A simple reason: ruby was laid out by a Japanese...
it's a fact..
I hear you on $this way Perl does OO, I don't like the syntax, not that it matters.
I no doubt believe that slashdotters fall outside of my comments, I'm really talking about the daycoders who don't care about the tech. These people I know don't read /., they just pay the bills writing [technology name].
Oh yea, it took them 5 major versions to set up reasonable database access, obviously PHP is the pinnacle of design and security.
One unusual gotcha with MDB2 is when it returns a query result as an associative array, it converts the field name indexes to lower case. I think this is because MySQL isn't case-sensitive for field names, just table names, but at any rate it isn't documented and is unexpected as most other OO db interfaces at least fake case sensitivity in field names! If you know how to get the last inserted Id I'd appreciate a shout
Apocalypse Cancelled, Sorry, No Ticket Refunds
My Real(tm) jobs have always been building large scale websites using Java/C++ and sometimes a bit of Perl thrown in. Those technologies no doubt work (though I've managed to escape the J2EE mess) and are more capable. However, there is a certain class of applications where PHP really can't be beat.
And by and large, most casual websites fall into that class. Want a simple blog and image gallery? Hard to do it quicker than PHP. The main plus to PHP is that it's easy for anybody who knows Perl or C to pick up, it's interpreted and generally does what you need it to. No, it's not pretty, or particularly maintainable, but for most little projects, it's the fastest way to get things done and is good enough.
Just as Perl is awesome for doing quick text manipulations, PHP is great for doing quick websites.
As for security holes, I'd agree with others, it really doesn't seem intrinsic to the language. I've run various websites written entirely PHP for the better part of 5 years without a single exploit. You just have to be reasonably clueful and check your inputs, as you would in any language.
PHP probably gets a bad name because it's the easiest of all languages to create dynamic content in. PHP is almost always included with hosting packages, and anybody can start putting in some <?'s and get to work. It's no easier to write exploitable code than C, it just happens to automatically be on the network, so it is automatically vulnerable.
I've recently started playing with Cake, a Rails like framework for PHP and so far I like what I see. Will have to dig into its internals a bit before I trust it fully from a security point of view, but it combines the best of PHP (speed, ease of deployment) with solid design patterns. Again, I wouldn't pick it for a big project, but for everything else it's awesome.
-Nic
Except in large scale applications (and sometimes even small ones) PDO adds too much overhead and becomes a bottleneck.
From my experience the main cause of insecure PHP software is developers not turning the error validation to the highest during development, so when an unsuspecting user downloads the software little do they know that their system can be, and often is, wide open to stupid bugs and security problems. When you leave error_reporting at the default setting you miss lots of important details, like array keys being passed as constants, variables being referenced before they're created (especially with arrays), incorrect return types, etc, etc, yet people wonder why their code is so buggy? I was installing vtiger, which is a pretty comprehensive CRM that has lots of potential to hit it big, the other night for a client and was slamming my head against the wall at the sheer number of stupid syntax bugs that were in the system.
How many programs out there tell you to turn on the old register_globals that everyone knew was a huge security problem?
How many programs tell you to turn down the error_reporting level to hide their development incompetence?
I was actually considering starting a movement to have the PHP community clean up their act, we'll see if its still needed after the dust settles from this.
Personally I think that with PHP 5.2 they should have stopped supporting deprecated coding practices, like accepting invalid variables and invalid array keys, so that this stupidity could finally stop.
That's why I don't do much with PHP anymore, a large portion of the open source projects that clients want you to "make work" are riddled with utterly stupid mistakes that you spend days if not weeks cleaning it up before you can actually start doing any work.
Damien
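The two complaints in the post above (register_globals and a low error_reporting level during development) share one root cause: code that relies on variables it never initialised. The following is an added example, not code from any post in this thread; it simulates register_globals with extract() since modern PHP no longer has the setting, and the request array and password are constructed for the demonstration.

```php
<?php
// Added example: the classic register_globals failure mode beside a hardened form.
// php.ini settings the post argues for (assumed values, not from the thread):
//   register_globals = Off          ; removed entirely in PHP 5.4
//   error_reporting  = E_ALL        ; during development, so undefined-variable
//   display_errors   = On           ;   notices are visible (Off in production)
declare(strict_types=1);

error_reporting(E_ALL);
ini_set('display_errors', '1');

// --- Vulnerable pattern ---
// With register_globals=On, a request for ?authorized=1 creates $authorized in
// scope before this code runs. If the password check fails, nothing resets it,
// so the client-supplied value decides the outcome. extract() stands in for the
// register_globals import here; never call it on untrusted input.
function check_access_vulnerable(array $request, string $expected_password): bool
{
    extract($request); // simulates register_globals (assumption for the example)
    if (isset($password) && hash_equals($expected_password, $password)) {
        $authorized = true;
    }
    // $authorized is never initialised on the failure path.
    return isset($authorized) && (bool) $authorized;
}

// --- Hardened pattern ---
// Initialise every control-flow variable, read input explicitly from the
// request array, and never let the client name a variable that grants access.
function check_access_hardened(array $request, string $expected_password): bool
{
    $authorized = false;
    $password = (string) ($request['password'] ?? '');
    if (hash_equals($expected_password, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed request: wrong password, but the attacker also sends authorized=1.
$attack = ['authorized' => '1', 'password' => 'wrong'];
var_dump(check_access_vulnerable($attack, 's3cret')); // bool(true): bypass
var_dump(check_access_hardened($attack, 's3cret'));   // bool(false)
```

hash_equals() (PHP 5.6+) is used for the comparison so the example also avoids a timing side channel; on the PHP 4/5.x installs discussed in this thread a plain string comparison would have been the only option.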
Well remember the current Zend people took the work of someone else in PERL and created PHP 3 and on. It started as a PERL library to ease CGI development.
I can't believe they still haven't caught up to the ease of use of ASP. (Not .NET, but classic ASP.) Microsoft did a great job of keeping the API constant and offering a fair amount of security for the time. If PHP won't be secure, it could at least be consistent. Why can't the open source community make something like ASP? Many people using PHP are hobbyists and things could get much easier for them. And before anyone posts that the API stays the same, look at the changelog for PHP sometime.
MidnightBSD: The BSD for Everyone
My son fell off his bike and skinned his knee, so I bought him knee pads. Then he fell off his bike again and skinned his elbow, so I bought him elbow pads. He fell off and got a rock in his hand, so I bought him gloves and wrist guards. He then fell over in the park and got a goose-egg, so I bought him a helmet. Then he ran into a tree so I bought him a suit of body armor.
Now he has so much protection that he couldn't possibly hurt himself right?
What's that you say??? Give him lessons on how to ride his bike? Holy shit! I never thought of that!
To all those who say that PHP is weak because it doesn't protect the developer... I say you don't understand PHP or development very well at all.
I recommend not letting whiny slashdot posters make your technology choices for you.
If you keep reading more and more books, you'll never actually create anything. I say pick your simplest web project and take a stab at it using whatever technology you think you can pull it off in. You'll learn a lot from the experience, and then you can decide if you want to learn a whole new language.
If you listen to slashdot, you're going to be using Ruby on Rails, Postgresql, and no <table> tags. If you did that would you be using superior technology? Yes, you would be. But by the time you learn RoR (and OOAD and ActiveRecord and MVC and...) and Postgresql, you could have implemented 3 web projects in PHP/MySQL.
I'd advise you to use PHP/MySQL until they no longer meet your needs. Then, learn something else.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
Since you're wise enough to dump PHP and switch to Python, and you're looking for a good way to do SQL, then you should definitely check out SQLAlchemy. It's light years ahead of Ruby's "ActiveRecord", plus it has several different front-ends that simplify it and make it as easy to use as Ruby's ActiveRecord and Python's SQLObject, while still allowing you to use its much more advanced features.
Not only is it much more powerful than Ruby's ActiveRecord (which is causing people to abandon PHP in droves), but SQLAlchemy is astronomically better than anything PHP has, and PHP will never have anything that even approaches ActiveRecord because of foolish bugs and design flaws that the charlatans on the PHP team stubbornly refuse to fix. (As described in detail in Zend's ZActiveRecord Boondoggle.)
-Don
Take a look and feel free: http://www.PieMenu.com
One who really codes PHP seriously will soon find the flexibility, the extensibility, the ease of the language! That's one of the reasons why there are so many web applications written in PHP.
China, in fact, is very fragile.
[I posted this earlier in the context of PostgreSQL Slammed by PHP Creator, but it bears repeating, since the charlatans at Zend still haven't addressed the problem, and NEVER WILL. Would anyone from Zend please finally comment, and explain just how PHP's plan for a database solution is better and more secure than Python's SQLAlchemy? -Don]
The creators of PHP are morons, and their support company Zend is dishonest and incompetent. The ZActiveRecord boondoggle demonstrates exactly what I mean: They can't program their way out of a paper bag, and don't even understand the limitations of the very language that they haphazardly "designed".
It makes me laugh that Lerdorf would slam Postgres, because the PHP designers have no understanding of object oriented programming or databases: instead they invent half baked cargo-cult designs, which are naive reactions to other systems they don't understand: they try to ape their surface features without understanding the reasons behind the way they're designed.
PHP references were thrown in as a band-aid to work around the horrible design flaw that arrays and objects were foolishly DEEP COPIED by default. If you pass or return an array from function to function, its contents are DEEP COPIED, which is EXTREMELY inefficient and leads to all kinds of horrible bugs because it's the last thing a sane programmer would expect. So instead of fixing the design flaw in PHP, they add "references" that LOOK and SOUND like C++ references, but actually are completely different, again misleading programmers into thinking they understand what's going on, but working totally differently than a sane person would expect. PHP references are actually half baked symbol table references. The sloppy implementation caused many bugs that CORE DUMP PHP! PHP references were so poorly thought out and badly designed, that there were many edge conditions that they hadn't considered, that simply didn't work together, caused memory leaks and core dumps, and had useless and confusing semantics: callers passing references, functions declaring that they take references, functions returning references, etc. Compare that to C++'s simple and consistent definition of references in term of pointers. The only way to make a PHP reference to an object is to put it in a variable -- you can't make a reference to a field of an object or the return value of a function without storing it in a temporary variable -- totally unlike C++, and totally stupid.
PHP's object oriented programming system is a half-baked imitation of C++'s object model, haphazardly designed by charlatans who had no clue about the fundamentals of object oriented programming, elegant language design or efficient implementation. First of all, if you're going to try to imitate an existing design without understanding it, then for god's sake, at least imitate a language whose object system doesn't suck, and a language that has similar semantics to the language you're trying to kludge. C++ is a static compiled language, and its object system deeply reflects that fact. (That is to say, there's very little reflection beyond RTTI, because the compiler throws all the interesting stuff away! And C++'s oop design had to make many horrible compromises because the C++ object system was designed to map directly into C se
Take a look and feel free: http://www.PieMenu.com
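The post above describes PHP arrays as copied when assigned or passed and references as the escape hatch. The following is an added example, not code from the post or from the PHP project, showing those semantics as they actually behave in PHP 5 and later: arrays have value semantics on assignment and on pass-by-value (implemented lazily with copy-on-write, so the copy is materialised only when one side is mutated), & aliases the caller's variable, and objects are handles without any &. The sample data is constructed.

```php
<?php
// Added example: PHP array value semantics, & references, and object handles.
declare(strict_types=1);

// Pass-by-value: the callee works on its own copy (copy-on-write, materialised
// here by the mutation); the caller's array is untouched.
function append_value(array $a): array
{
    $a[] = 'x';
    return $a;
}

// Pass-by-reference: & makes $a an alias of the caller's variable.
function append_ref(array &$a): void
{
    $a[] = 'x';
}

$orig = [1, 2, 3];
$copy = append_value($orig);
assert(count($orig) === 3 && count($copy) === 4);

append_ref($orig);
assert(count($orig) === 4);

// Nested arrays copy all the way down on mutation: the original is not affected.
$nested = ['cfg' => ['debug' => false]];
$clone = $nested;
$clone['cfg']['debug'] = true;
assert($nested['cfg']['debug'] === false);

// A reference stored inside an array survives the copy and aliases both sides,
// which is the kind of surprise the post complains about.
$shared = 0;
$a1 = ['n' => &$shared];
$a2 = $a1;          // copies the array, but 'n' is still a reference slot
$a2['n'] = 42;
assert($a1['n'] === 42 && $shared === 42);

// Objects (PHP 5+) are handles: assignment shares the instance, no & needed.
$o = new stdClass();
$o->n = 1;
$p = $o;
$p->n = 2;
assert($o->n === 2);

echo "all assertions passed\n";
```

Run with assertions enabled (zend.assertions=1); the reference-inside-array case is the one most likely to bite code that treats a copied configuration array as independent.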
http://www.urbandictionary.com/define.php?term=stick+a+fork+in+it
-Don
Take a look and feel free: http://www.PieMenu.com
PHP is used on big sites because it's fast. Period. With a good bytecode cache, nothing else even comes close.
Worse than "easy", trivial, and most documentations head you towards crappy code hell.
Of course not, just as you can write Fortran in any language, you can write good code in any language (except BrainFuck or Moo, I guess). The thing is, PHP makes it far harder than necessary, and you'll always feel the nudge to "just do a quick fix here", and if you do, everything goes downhill. Fast.
That's kind-of like saying that something is warmer than liquid nitrogen. It's true, but it's not really hard if you try, and many other things are.
Still makes it far harder than some other languages out there that are much more flexible, complete, enjoyable, clean, and full featured.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
He may really have meant "ingineering"
Most of the stuff on
That's often said, but it's misleading and somewhat of a false dichotomy.
Sometimes the mistake you made was choosing the wrong tool, and it's perfectly valid to point to the defects of the tool relative to the use in explaining why that is so, even if (of course) all mistakes belong to some human at some point in time, not to a tool.
If someone wrecks my computer because they tried to open the case with a sledgehammer rather than a screwdriver, I think it's right to point to the choice of tool as a central part of their error. That's not "blaming the tool", that's just identifying the problem. Likewise, if people use PHP for a purpose for which that language is ill-suited because of its set of features and bugs, and consequently produce insecure applications or ones with other systematic problems, then pointing out why the language is not a good choice for that use isn't "blaming the tool", it's just identifying the problem.
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
I only ever wrote one PHP website myself, but I've had the occasional brush with it with LAMP applications.
The example popular PHP applications I was thinking of were Wordpress, where keeping ahead of the security holes seems a never-ending job, and perhaps Mambo/Joomla.
Nevertheless that's good news that PHP5 supports bound parameters. Now if only all developers took some notice of that and start to use it.
This statement is not correct. The mysqli extension (PHP5+ and MySQL 4.1+) allows parameter binding and it has been available for a couple of years. E.g. $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
PDO has already been mentioned, but the following is worth noting:
Of course, it is one thing to provide developers with more secure ways of doing things - it is another to compel them to use such methods. Some of the changes in PHP6 look promising in this regard but it is probably good to keep up the pressure for security-oriented design.
Yes, every shitty $3 host has PHP/MySQL. While it is harder to type "rails hosting" into Google, it's still a far cry from hard.
It was not supposed to be insightful, informative, interesting, a troll, or flamebait. It was supposed to be a [bad] joke.
Though I'm hardly surprised that people wasted their mod points on it.
That also assumes you are using the new mysql driver code in PHP 5. My web host still has PHP 4.x, so no, I cannot do what you just showed. Not to mention that's not particularly portable for other databases, with Perl and DBI you just change the DBD driver and keep using the same code...
> So, it isn't technologically superior, then. You don't throw superior technology out and replace it with new tech borrowing all sorts of ideas from your competitors.
Well, it has the largest collection of good ideas in one place. Perl6's collection will be larger. That's not to say Lisp or Haskell or Ruby or Python has a small collection, though.
My other car is first.
Client: I need a youtube like thing, needs tags, searching, image manipulation, database, membership, and more.
:-)
Using PHP? 90% completed in a weekend. There is just no language this easy to prototype in. Fine do it in jsp, if you have the bucks. Model it then in PHP. Just the way it goes. PHP 5+? Looks like a pretty solid language to me.
Wikipedia, osCommerce, Drupal, Joomla, and more. IT JUST WORKS!
The article says:
Parse that carefully. It says the PHP project is not trying to conceal the fact. What fact? The fact that PHP has been implemented in a very unsafe way.
Oh, that fact. Yes, it's a pesky little fact, indeed. But the fact that they're arguing about whether or not they're trying to conceal it, instead of arguing about how to best address that inconvenient little truth, is a big problem.
PHP's implementation is unsafe, fundamentally flawed, insecure, and it's badly designed to its very core. That's a fact. Any apologist who counters "but it gets the job done" is ignorant of PHP's problems, and ignoring the fact that there are many other open source languages out there that are much better designed, also get the job done, are at least as easy to learn and use as PHP, without all the bugs and security holes, and with many important advantages.
There's no reason to be using PHP to write new software, except ignorance of other languages and refusal to learn.
-Don
Take a look and feel free: http://www.PieMenu.com
del.icio.us uses Perl+Mason. Do leave that out.
It is easy to understand how any post saying anything against Java gets moderated down like hell.
Being 'most extensively used commercial' is WAY down in scale from being 'most extensively used'. Some corporations use Java, but everyone uses PHP.
Read radical news here
PHP can't force you to write good code, but it certainly forces you to write bad code.
Case in point: Zend's ZActiveRecord Boondoggle. PHP's object model is so broken that it can't support an ORM as simple and easy to use as Ruby's ActiveRecord, let alone one as powerful and flexible as Python's SQLAlchemy.
How do PHP's "numerous other data abstraction layers" compare to ActiveRecord and SQLAlchemy? Why can't Zend themselves figure out how to implement their own version of ActiveRecord? It's because of a fatal flaw in the design of the PHP language, that's why.
It's no wonder so many people are abandoning PHP for better languages like Ruby and Python.
-Don
Take a look and feel free: http://www.PieMenu.com
It's at least unwise to compare PHP with C++. PHP is a glue for powerful C++ libraries; it's based on C/C++. It's like a son of C++, as is any one of those 3Ps (Perl, Python, PHP). They can't live without C++. PHP is a helper to C in making webpages. It would also be unwise to use PHP for coding something like an OS or a compiler, but on websites/browser-server, PHP rules!
China, in fact, is very fragile.
...automatic taint checking...
please don't use the words "Rails" and "taint checking" in the same paragraph; some of us would rather you not check their taint with anything for that matter.
Ahem -- REALITY CHECK: YOUR stupid PHP-fanboy post was moderated -1 Troll, and the pro-Java, pro-Apache post was moderated +1 Interesting.
Please explain why you think -1 > 1? Is there some quirk in PHP's numeric handling, type conversion, identity and comparison operators that has you confused about the order of integers?
You're the worst kind of PHP apologist, with your reality-denying Rumsfeldian arguments. The whole point of this discussion is the PHP developer's stubborn refusal to address security issues, and their consistent mis-behavior of sweeping problems under the rug and refusing to fix bugs. The fact that PHP is widely used makes it EVEN MORE IMPORTANT to fix its bugs and design flaws. But as your twisted argument goes, PHP's popularity is an EXCUSE for having so many bugs and design flaws. Blame the media for the casualties in Iraq, why don't you?
Nobody's arguing about whether or not PHP is buggy and badly designed. That's simply an undisputed fact. But you're trying to claim its outrageous number of bugs and design flaws is OK because PHP is widely used, and that's totally ridiculous, and outright negligent.
-Don
Take a look and feel free: http://www.PieMenu.com
By the way, your amazing image resizer web service that you advertise in your link has some wee bugs. Wow, that's some really amazing powerful PHP code you wrote there, which really demonstrates your mastery of PHP, and shows how much better PHP is than any other language. There's no way anyone could have done that in any language besides PHP, because PHP is just so powerful and easy to use, when it comes to resizing images. You must have to pay a lot in web hosting fees to run such a sophisticated web service. Have you already received thousands of dollars in PayPal donations from your amazing service, or sold your great online image resizing idea to Kleiner Perkins as the next big Web 2.0 startup company?
-Don
Take a look and feel free: http://www.PieMenu.com
Another point about your buggy image resizer web page: Your disclaimer is a lie!
Then how do you explain this error message:
Is it just my impression, or are most PHP apologists really as incompetent as you?
-Don
Take a look and feel free: http://www.PieMenu.com
Are you trying to deny that other languages like Python and Ruby are flexible, extensible and easy to use? In fact, they're much more flexible, extensible and easier to use than PHP, by a long shot.
There's nothing special about PHP that doesn't apply to other languages, and you can't deny that PHP is severely flawed in its own peculiar ways.
I'm not judging PHP by rumor, nor trying to compare it to other languages I don't know. Anyone with enough perspective to compare PHP with other languages can understand and admit to PHP's limitations. Why can't you? Is PHP the first and only language you ever learned? If you had anything decent to compare it with, you would realize how bad PHP sucks in comparison to the alternatives.
-Don
Take a look and feel free: http://www.PieMenu.com
Yes indeed, you have found some mishaps in code that was produced during one afternoon's tea for curiosity.
Well done !!!
Why THAT much hate towards PHP, and trying THAT hard to demean it? I'm really asking.
Read radical news here
Oh, but wait. Maybe ALL uploads end up as temporary files and are deleted after processing? Kind of as happens with all uploads around the net? Maybe we should establish a RAM cache and process the images in there, shouldn't we? Hmmmm, but then that again would mean that files would be SAVED in the RAM cache, eh?
Well, what I think is that you seem like you are on a witch hunt. Much annoying, and contrary to what you think, it goes further to prove my point than to prove yours.
Read radical news here
Actually, ANYTHING that says anything against Java or praises PHP is moderated down like hell all around Slashdot, in case you haven't noticed. The causes might be numerous, but in any case it is something that is very detrimental to the developer community and proves that there are more zealots than professionals around here. So I knew that that post would be modded down speedily right at the start by some Java fanboy so that no one would read it, just like Microsoft stuff.
Also, based upon the 2-3 hateful posts you have made in reply to my post, I have come to know your nick as representing a person that is aggressive, annoying, uncivil in manners and also a zealot of sorts.
So if you please, I won't be replying to your future comments here, as I don't like this lowly type of 'discussion', which is in fact little more than aggressive bickering.
Read radical news here
Almost ALL the stuff we use in our modern world holds on to information for at least a while.
Even with the TV, the received transmission spends a few milliseconds before finally arriving at the CRT and lighting up the screen.
As per your argument, even this legally should be a copyright infringement, as your device holds on to the copyrighted material even for a matter of a few milliseconds. However, we all accept that it is not so, as the workings of the machine necessitate it, and the device owner is not able to abuse this few-seconds delay for his/her own profit.
You say Python and Java do not store the image in a saved file, eh? Where are they doing the operation on the received image, then? In limbo? They are using the memory to do it, at the least. In ANY case, the image will spend some time in the server's RAM. A few milliseconds, nay, probably a little more. What does the image upload function for PHP do? Get the file uploaded, which you will have to wait for until the upload is complete, and at that moment reprocess it, stream it back, and delete the file. How long does it take? 1 second? 1.5? What's the difference between holding a file for 0.5 seconds or 1.5 seconds for processing? The 'saving' part confuses you? Saving to disk? What happens when on a Python or Java server the memory is full and the uploaded file ends up in the swap file instead of memory? What's the difference?
But eh. I can't know this, since I don't know how my script works. Sorry to bother you.
Read radical news here
Live in the real world, kid. You simply believe Ruby is better. Grow up; those are just tools. When we (the real website makers) pick tools, we choose the well-supported ones. Has Ruby established any better support in popular industry-standard servers like Apache or IIS? Or has Ruby shown any superior advantage in performance, stability, or something we stressed here, security? Or are there thousands of out-of-the-box web applications written in Ruby which I can customize into a website within a day?
Nevertheless, after all,
on a technical level, PHP has something convenient enough compared to Rails (Rails is just a renovated method, not a technology leap). You can learn one of those frameworks if you are too weak to code from scratch.
PS: Chinese hate Japanese (not personally) because the Japanese government has never made any formal apology to us for their wartime atrocities during WWII. How could such an unidentified homeless cyber-ghost as you understand the history of mankind? And it's not your business; go back to your cage!
China, in fact, is very fragile.
Perhaps some of us need to add a line to our license blurb at the top of the source file (not the license itself) stating that: "The author of this code stands behind his/her work and will immediately publish any defect reported in this code" while others can place the line "The author of this code does *not* stand behind his/her work and will *not* publish any defect reported until a very long time after a solution is found, if the code can be fixed at all."
umm...pg_query_params()
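Several posts above (the mysqli prepare() example with the CountryLanguage table, the PDO mentions, the complaint that mysqli is not portable like Perl's DBI, and the pg_query_params() reply just above) all point at the same fix for SQL injection: send the query text and the values separately. The following added example, which is not code from any of those posts, shows the unsafe string-built query beside the three bound-parameter APIs named in the thread. Host names, credentials, the database name and the payload are assumptions constructed for the example; the CountryLanguage table is the one from the mysqli post.

```php
<?php
// Added example: string-built SQL versus bound parameters in mysqli, PDO and pg_query_params().
declare(strict_types=1);

// Untrusted input, constructed for the example: a tautology payload.
$name = $_GET['name'] ?? "' OR '1'='1";

// --- Vulnerable: the payload becomes part of the SQL text ---
// $sql = "SELECT * FROM CountryLanguage WHERE Language = '$name'";
// becomes  SELECT * FROM CountryLanguage WHERE Language = '' OR '1'='1'
// and returns every row. Never build SQL this way.

// --- mysqli (PHP 5 + MySQL 4.1+): the value travels separately from the query ---
$mysqli = new mysqli('localhost', 'app', 'password', 'world'); // assumed credentials
$stmt = $mysqli->prepare(
    'SELECT CountryCode, Percentage FROM CountryLanguage WHERE Language = ?'
);
$stmt->bind_param('s', $name);  // 's' = string; nothing is interpolated or escaped
$stmt->execute();
$stmt->bind_result($code, $pct);
while ($stmt->fetch()) {
    printf("%s %.1f\n", $code, $pct);
}
$stmt->close();

// --- PDO: same idea, and the code stays the same when the driver changes ---
$pdo = new PDO('mysql:host=localhost;dbname=world', 'app', 'password', [ // assumed DSN
    PDO::ATTR_EMULATE_PREPARES => false,  // server-side prepares, not client-side quoting
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$q = $pdo->prepare(
    'SELECT CountryCode, Percentage FROM CountryLanguage WHERE Language = :lang'
);
$q->execute([':lang' => $name]);
foreach ($q as $row) {
    printf("%s %.1f\n", $row['CountryCode'], $row['Percentage']);
}

// --- PostgreSQL without PDO: pg_query_params() binds $1, $2, ... for you ---
$pg = pg_connect('host=localhost dbname=world user=app password=password'); // assumed
$res = pg_query_params(
    $pg,
    'SELECT countrycode, percentage FROM countrylanguage WHERE language = $1',
    [$name]
);
while ($row = pg_fetch_assoc($res)) {
    printf("%s %s\n", $row['countrycode'], $row['percentage']);
}
```

With any of the three bound forms the payload is compared as the literal string `' OR '1'='1` and matches no language, which is the point: the parameter can never change the shape of the statement. Bound parameters cover values only; table and column names or ORDER BY directions still have to come from a whitelist in code.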
I understand some of it. It's not my favorite language, by far, and it is easy to shoot yourself in the foot with it.
I'm guessing most who bash PHP as a "horrible" programming language have never been exposed to true crawling horrors like COBOL and RPG. At least PHP has functions with local variables.