March To Be Month of PHP Bugs

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

So, PHP means ?

[Rastignac]

Public Holes Publication, isn't it ? ;)

Re:So, PHP means ?

[Dimentox]

Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.

Re:So, PHP means ?

No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.

And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

Re:So, PHP means ?

[Dimentox]

right they do indeed need to step up. BUt my mainj point being that just having php installed does not open up the machine to be hacked.

Re:So, PHP means ?

[milamber3]

Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? You are confusing the ability to use a script written in a specific language to exploit a hole with security vulnerabilities that are inherent in a particular language.

If you are making that mistake you should probably not be flaming anyone.

Re:So, PHP means ?

[daeg]

The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.

PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.

They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.

I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.

That said, I still am weary when I log into a website that holds my personal information and see a ".php" URL.

(I was a full time PHP developer for about 6 years. Was.)

Re:So, PHP means ?

[JoelMartinez]

And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts.

Microsoft calls this the pit of success ... where it's easy to "fall into" a successful implementation

Re:So, PHP means ?

[onerob]

Register Globals has been off by default for years.

Please don't let us see the return of \'magic quotes\'

Re:So, PHP means ?

[jdbartlett]

You've just summed up--in one short comment--everything I hate about PHP. I've been a PHP developer for several years and it was my first introduction to the OSS community, but I still remember that wild discovery: "You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

Re:So, PHP means ?

[rufus+t+firefly]

You've just summed up--in one short comment--everything I hate about PHP. I've been a PHP developer for several years and it was my first introduction to the OSS community, but I still remember that wild discovery: "You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

I understand the point you're making, but why don't you just run it in CGI mode if you don't want to recompile, or use dl() to load the extension you want at runtime? I can't fault a language for needing extensions to be compiled ... it's more the fault of it being an Apache module than anything, since it simply needs to be reloaded to "see" its new modules.

Re:So, PHP means ?

[tinkertim]

Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.

You are correct, but that doesn't make net irritants that are permitted by insecure setups any less irritating. One of the biggest problems that come to mind are shared web hosting providers who have no choice but to run php 'wide open' allowing almost all functionality and without the benefit of phpsuexec to find what sites they host are letting the bots in.

They have no control or knowledge of what people upload. Someone could upload a 2 year old copy of phpBB they had on CD, not knowing any better and now you have a gigabit connected spam cannon hurling garbage at the rest of us.

I'm not saying its *just* shared hosts that (help to) give PHP the reputation its been getting, but they are a major contributor. Some take proactive measures to try and at least curtail it, most do not.

Its going to be a 'fun' month for those of us who have to deal with abuse issues. That is more than certain. I think I speak for many when I say : "Aww, SHIT."

Re:So, PHP means ?

[Joebert]

That speach sounds soo scripted.

Re:So, PHP means ?

[julesh]

Register Globals has been off by default for years.

Yes, but most hosting companies just switch it straight back on again, to stem the tide of complaints from users who downloaded an old script from somewhere but it doesn't work...

Re:So, PHP means ?

[exabrial]

Yeah, for real! PHP=Personal Home Page . Please lets the PHP fad die already, I have been waiting for this! Move on to Ruby , or face the cold hard truth that Java is the new COBOL. You can't kill it, every major company uses it, and now... it's becoming open source. Dear god, run for the hills! Now someone please post the Month of Blendtec Bugs

Re:So, PHP means ?

[tepples]

PHP can be secure. If you write it correctly. Except in PHP 4 and PHP 5, the content of php.ini as deployed by too many shared hosting companies has not necessarily been conducive to writing it correctly.

Re:So, PHP means ?

[TheNinjaroach]

And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. Bullshit. Don't start cramming requirements down my language because you want to protect every idiot who won't spend the time to learn it properly.

Re:So, PHP means ?

[nozavroni]

Would Flickr, Digg, and Wikipedia be PHP's "few remaining strands of reputation"?

Re:So, PHP means ?

can be vuln(erable).

Re:So, PHP means ?

That speach sounds soo scripted. "speech".

Re:So, PHP means ?

[Kelson]

Yes, but most hosting companies just switch it straight back on again, to stem the tide of complaints from users who downloaded an old script from somewhere but it doesn't work...

I was going to gripe about it being an issue for the hosting companies (we've had it disabled on our servers for several years), but now that I think about it, you're right: Register Globals is a "wings fall off" button.

Re:So, PHP means ?

[daeg]

Don't you mean \\\\\\\\\'magic quotes\\\\\\\\\'?

Re:So, PHP means ?

I do admit recompiling is a pain in the ass, but if you save all the information on a build machine this should take you seconds to recompile with the additional libraries or options. It is up to YOU to be able to perform these tasks efficiently. Don't blame PHP developers. Know the needs of the application(s) you're running and prepare ahead of time.

Re:So, PHP means ?

[jjsoh]

May I as what language you use now? I am genuinely curious. I'd like to know what language a PHP developer moves on to after 6 years. I'm only on my 2nd year, so maybe I can get a head start. :)

Re:So, PHP means ?

[daeg]

Python. I had used Python for a while for shell/cron scripts, so it made for an easy transition. Specifically using the Django framework.

Note that I did try Ruby for a while, and it was fun, but felt like too much magic. Python's syntax is a little more expressive and more closely matches natural English.

The biggest attractions were automatic disk-based script compiling (there are PHP cachers and such that do this, but Python does it natively) and module separation (namespaces). One of my biggest gripes about PHP was that everything was in the same namespace, and not everything was consistent (substr vs. str_replace, note the position of "str" and the varied use of "_"). In Python, you can easily split into multiple named modules, for instance, if I have a "date" module with "class date" in it, I can import the default date-handlers as "from datetime import date as pythondate". This also means that if I never do anything with date handling, my Python code never has to load the information for it -- unlike PHP, where you have access to everything in every process whether you need it or not.

Performance-wise, I think they are roughly the same in the hands of a capable developer. I'd wager PHP might be faster for smaller scripts, but once you get into the large application realm, the difference approaches nil.

Re:So, PHP means ?

[billcopc]

Well then those hosting companies should quit selling $1.99/mo hosting plans to idiots.

I'm sick of this anti-darwinian modernism where you have to kiss ass to the dumbest man on the planet or get sued into oblivion. It used to be, if you wanted to write code, you had to be a programmer. I don't care how easy they make coding, if you're not a programmer then you're gonna have to find one and pay them to do it right. It's not the hosting company's fault if you're trying to do something that's way above your head.

Re:So, PHP means ?

[1110110001]

They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.

It's the same with i.e. Apache - if you don't use shared modules. With php it's

cd path/to/extension-source/
phpize
configure --enable-your-extension # should be ./configure but /. stripped the newline
make
cp module.so your/lib/path
vi path/to/php.ini


Where have I recompiled PHP?

Re:So, PHP means ?

[just-a-stone]

While I can't agree with GP, your proposed solutions aren't really that great too. CGI is a performance killer (not talking about fastCGI, but there he'd need to restart anyway) and dl() shouldn't be used in webapps - or even can's be used in upcoming versions of PHP

But he can compile new modules as shared objects (either via main configure --[with|enable]-lib=shared[,path] or stand-alone using phpize) and load them via php.ini.
A simple restart of his HTTPd, that's all. Just a few seconds of (standalone-setup) downtime with the only risk of finding an entry in his php_log complaining about a non-working addition he didn't rely on for his old scripts.

PHP has it's faults, some by design, some by maintenance, some lie in it's ease of use and others in it's history. But bashing it for being inflexible while one of the main origins of it's problems is the exact opposite...

Re:So, PHP means ?

[raynet]

Or even better, run dselect, pick the PHP modules you like, install, done. Apt-get might work, but I only use it for one thing, to install joe to a clean Debian installation to edit /etc/apt/sources.list.

Re:So, PHP means ?

Can't comment on the first two, but have you looked at Wikipedia's code? It's disastrously bad.

Re:So, PHP means ?

[jjsoh]

Thanks for the insight. Due to the momentum of Ruby in recent years, I was considering moving over to that, but I guess I will take a look at Python, as well. Besides, telling people I develop on the LAMR platform doesn't have _as_ nice a ring to it.

Either way, it seems using a framework is pretty much a standard (if not necessary) thing for most web developers, though I personally haven't used one yet. Maybe I should consider that also, even for the current work that I do in PHP. That is, until I move over to something else in the future.

Re:So, PHP means ?

[sarathmenon]

That speach sounds soo scripted.

Don't worry, this month will change that.

Re:So, PHP means ?

[CopaceticOpus]

Don't write off PHP just because some people complained about it on Slashdot. For every angry person on here complaining about PHP, there are many more talented PHP developers out there getting real work done. Now, I think it's a great idea to expose yourself to more languages and to make your own decisions about what language is best for any given project. But don't be surprised if you find that PHP, despite a few quirks, turns out to be the most efficient way to practically accomplish many projects. That's what I've often found to be the case.

Re:So, PHP means ?

[DrSkwid]

Please don't talk rubbish, as the month of PHP bugs will show you !

Re:So, PHP means ?

[jjsoh]

I don't believe I'll be leaving PHP completely, since I currently am using it as my primary, and only language (though admittedly not by choice). I know it has its place in the web world. As I've stated, I am fairly new (only 2+ years) to web development, but I am in an experimental phase and would like to try out other languages. I'd really like to find out for myself why some experienced developers adamantly prefer Python or Ruby over PHP. Only then can I decide, for reasons that are important to me, which language is going to be the one I prefer over another.

May I ask which one you use? I'm assuming PHP, but are there others that you like?

great...

[blantonl]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

Re:great...

[julesh]

Yep. This is going to be fun^Wannoying.

Re:great...

[FredDC]

As opposed to "month-of-script-kiddies-working-hard-to-exploit-n on-patched-and-non-updated-websites"?

Re:great...

[bconway]

Well, to be fair, you did choose to use PHP, which is notoriously buggy and insecure.

Re:great...

[kestasjk]

I'm a PHP enthusiast with a few servers running PHP apps, and I say bring it on. If such a small team can look for and find so many bugs I doubt a determined attacker would have much problem anyway.
I'm sure that after the dust has settled PHP will be more secure than it was, and that can only be a good thing.

Re:great...

[miyako]

This comment reflects what seems to be one of the biggest misconceptions in computer security. People seem to be under the impression that vulnrabilities are magically conjured into existance when the bugs are made public.
The fact is that the bugs have really been there the whole time, and just because we didn't know about it doesn't mean that some nefarious person didn't know about it.
Now, script kiddies might not know about the vulnrabilities until they are made public, but they are called script kiddies because they use scripts- usually written by someone who has an inkling of what they are doing.

Re:great...

[Dragonslicer]

If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP and don't have problems with PHP-caused bugs or security holes? The existence of crap written by a 12-year-old like phpBB and phpnuke does not prove that the language is buggy or insecure. Idiots will write bad code in whatever language you put in front of them.

Re:great...

[elrous0]

Hey, my un-fashionable use of Perl finally pays off!

[Ducks down and hopes next month isn't the "31 days of Perl Bugs"]

-Eric

Re:great...

[mobby_6kl]

I'm sure that after the dust has settled PHP will be more secure than it was ...

That's like saying that the ocean will be more wet after it's been raining for a day than it was before.

Re:great...

If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP and don't have problems with PHP-caused bugs or security holes?

They surely do. They just aren't aware of them. But once they get a $80,000 bandwidth bill, because some spammer compromised their server and used it to send out billions of spam messages, they'll realize that they've got a little bit of a problem on their hands.

Re:great...

[Mr.+Underbridge]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

Well, if the article is to be believed and the PHP team hasn't much cared about some of these bugs, patching and updating won't help you. In any event, these bugs won't be fixed live. So they will result in potential compromise you won't be able to stop, likely.

In other words, this will also be "Month-of-you-getting-bent-over-by-open-security-h oles-in-PHP-you-can't-do-anything-about"

Re:great...

[joebp]

This is about bugs in PHP itself, not applications written in PHP. Both have an utterly appalling security record though.

Re:great...

[suv4x4]

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

You can thank the PHP internals and Zend about this. Having to deal with them at some points, they are literally like having to handle a bunch of spoiled children on a mission to have fun on your expense.

I've said it plenty of times and I'll say it again: PHP is going down, fast. The only reason to use it right now, is because there's still some money to be made from clients with PHP sites, or clients who wants to pay thousands for a site, but only few bucks/month for your average PHP host (I know.. I don't get it either).

(Much) faster, more stable and more consistent alternatives currently include Mono (C# - an excellent language), Python, Java and possibly Ruby 2.0, from the looks of it.

Re:great...

[bradword]

If this is anything like the month of apple bugs, they'll release one or two bugs actually associated with apple, then talk about bug that are third party add-ons. The months of apple bugs was a big disappointment. If this actually comes through and makes php more secure, then more power to him.

Re:great...

[julesh]

This comment reflects what seems to be one of the biggest misconceptions in computer security. People seem to be under the impression that vulnrabilities are magically conjured into existance when the bugs are made public.

Well, yes, but the fact is that there is incalculably higher risk from an unpatched, publicised bug (especially if more than a few weeks old) than there is in an unpublicised one. Almost all exploits occur using well known bugs, even if you discount worms.

Re:great...

[rufus+t+firefly]

This is about bugs in PHP itself, not applications written in PHP. Both have an utterly appalling security record though.

I'm not sure how I feel about that statement.

I'm the primary developer of an opensource PHP-based application, and I can attest that PHP security is more in the hands of the application developer. Yes, we've all heard some of the stupid PHP Nuke exploits, people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples' shoddy coding practices? How many of the bugs in the wild that you're referring to are actually PHP application developers who don't know their ass from their elbow and don't bother to patch known vulnerabilities in a timely fashion?

I understand it has become fashionable to dump on PHP whenever languages are being discussed, but I believe, and have for some time, that it's not the language (unless you run up against intrinsic limitations of said language), but how people choose to develop in it. I'm sure there are secure VB apps, just as there are shoddy crashy Java apps out there.

Re:great...

[Bastard+of+Subhumani]

If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP

I'm sure there's a fancy Latin name for it, but what you're saying is equivalent to "Eat shit - a billion flies can't be wrong".

Re:great...

[rho]

(Much) faster, more stable and more consistent alternatives currently include Mono (C# - an excellent language), Python, Java and possibly Ruby 2.0, from the looks of it.

I hear this a lot. PHP has a massive installed base of working apps. There is no compelling reason to move to a new language simply because it appears to be more secure at the expense of not having functional applications.

Re:great...

"PHP is the OpenBSD of languages" -- mobby_6kl

I've got a new sig!

Re:great...

[raju1kabir]

Did you read the interview? These are security bugs in the interpreter itself, not bugs in poorly-written PHP applications.

Re:great...

[parkrrrr]

Don't worry, it won't be.

April only has 30 days.

Re:great...

[rufus+t+firefly]

Did you read the interview? These are security bugs in the interpreter itself, not bugs in poorly-written PHP applications.

I understand ; I was complaining about the general dumping on PHP applications which seems to follow any thread with the word "PHP" in it.

Re:great...

[Joebert]

Hi kids! Would you like to script this? (Yeah yeah yeah!)
Wanna see me shoot chocolate milk from each one of my eyelids? (Uh-huh!)
Wanna copy this and paste exactly like I did? (Yeah yeah!)
Try the wrong CID and get fucked up worse that my code is? (Huh?)
My mouse's dead weight, I'm tryin to get my story straight
but I can't figure out which Administrator I want to impersonate (Ummmm..)
And Dr. Phil said, "Failure is no accident."
Uh-huhhh! "Then why's your hands red? Man you busted!"
Well at age twelve, I learned HTML
Hacked my robodog to fetch the paper while I sit here in my shell
Got pissed off and organized a massive DDoS
Smacked the web so hard people lost their job at Bluefrog
I pay a crackhead to mow my grass
Hacking my mower would still require me to go get gas !
C'mere slut! (hey wait a minute, that's my goat dog!)
I don't give a fuck, naggin bitches just piss me off !

Re:great...

[jZnat]

There is no compelling reason to move to a new operating system simply because it appears to be more secure at the expense of not having functional applications. Notice the similarities when you replace "language" with "operating system". :O

Re:great...

I'm not sure if perl itself is a bug, or the greatest programing language ever written?

Sort of like c. Buffer overflows are easy and common. Are those security vulnerabilities? I'd like to see month of c bugs where they just list things like strcpy, malloc, free, and any statement that has a * in it.

Re:great...

[Bogtha]

people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples' shoddy coding practices?

In the case of SQL injection attacks, definitely yes. They provide add_slashes(), oh, but wait, that's insecure, so they provided mysql_escape_string() instead. Oh wait, that's insecure too, so they provided mysql_real_escape_string() instead. All the while, ignoring the fact that string concatenation is prone to security problems by its very nature, and ignoring the real solution — bound parameters — for years.

Re:great...

[drinkypoo]

Don't worry, perl is safe. No one can find the bugs through all the punctuation.

Re:great...

Well, a lot of that is because the PHP devs are huge MySQL fanboys, so they limit themselves to what MySQL can do, rather than what better databases do.

Re:great...

They provide add_slashes(), oh, but wait, that's insecure

Ok, I have to ask. How is add_slashes() insecure? I have a little function I wrote to generate INSERTS and UPDATES and it uses add_slashes() on text fields. Is it some type of charset issue?

Re:great...

[suv4x4]

Notice the similarities when you replace "language" with "operating system". :O

Indeed, but having a "base of working apps" on the web is far less important, unless you're forced to reuse silly community efforts (phpBB etc) because the client is nickle-and-diming you.

A well built website may rely on good existing components, frameworks, but copy-pasting whole applications isn't the typical usage scenario a web developer is looking to have a career in.

Re:great...

[EugeneK]

Hi! My name is (who?)
my name is (what?)
my name is ... PHP!

Re:great...

[SimHacker]

There are many reasons that add_slashes is insecure, and if you think about it, you should be able to come up with a few yourself. Have you ever heard of Unicode? Do you really know what the quoting conventions of your database are, or are you just assuming that add_slashes somehow magically does? Have you even bothered to use google or read any of the many security articles about PHP? Obviously not. And the same goes for so many other PHP developers. They need training wheels and adult supervision, otherwise they wouldn't have made such a horrible decision to use PHP in the first place.

The issue is that PHP has many functions and mis-features like magic_quotes_gps that pretend to give you some level of security but ACTUALLY DON'T, combined with the fact that there are a lot of naive and sloppy programmers out there like you, who have no idea what the issues are, and have never bothered to think about them or even look them up on the internet. The problems are WELL DOCUMENTED AND WIDELY DISCUSSED. You have no excuse for not knowing them. You can use google as well as anybody, and educate yourself, but you choose not to.

But it's wrong to blame the ignorant sloppy application developers, when the language actually offers them up so many false non-solutions and dangerous pitfalls. It ENCOURAGES ignorant developers to make mistakes. Why didn't they remove add_slashes, magic_quotes_gpc, and all those other horrible bugs a long time ago, instead of leaving them in there to temp ignorant people into use them? The design of the PHP language and libraries and the attitude of the PHP development team is the core of the problem that causes sloppy application developers to make so many mistakes.

-Don

Re:great...

[1110110001]

and ignoring the real solution -- bound parameters -- for years.

That's interesting. I checked the source and oci8.c had ocibindbyname back in 1999. I guess it's similar for other DBs, which had bound parameters years ago. Maybe you should blame mysql - also for the name mysql_real_escape_string().

Re:great...

[JensenDied]

mysqli supports bound parameters, http://us2.php.net/mysqli just because people use the mysql module instead of mysqli doesnt mean php doesn't support them. just skiddie apps don't. Also looking forward to see what they do reveal in the month.

Re:great...

Just counting DMG bugs I found five bugs on the MOAB site. Mounting dmg is of course according to you a "third party addon" since you downloaded a third part package and mounted it. I would call it a core OS bug. Which one of the 30 bugs would you call the only core OS hole, I'm somewhat interested. Do you have a runner up for second place too?

Anyway, I hope this php bug hunting will be taken a lot more seriously than MOAB was taken in the mac community. Like no flaming on the messenger.

Re:great...

Have you ever heard of Unicode?

Yes, of course. Didn't I ask if it was a charset issue?

Do you really know what the quoting conventions of your database are

Absolutely.

, or are you just assuming that add_slashes somehow magically does?

It replaces 0x27 with 0x2F0x27, 0x00 with 0x2F0x00, 0x22 with 0x2F0x22, and 0x5C with 0x2F0x5C. Nothing more, nothing less. That is why I am asking how it is 'insecure'.

Have you even bothered to use google or read any of the many security articles about PHP?

For about 10 years now.

I am using much more than add_slashes in my function. It is only used on text fields and all of the data is validated before being allowed to make it to the database. I have tried my best to thow evil shit at it, but I have not managed to inject or alter the SQL statement in a way that it errors the database or executes arbitrary statements. Sure, I could use prepared statements. At some point when I have free time I will rewrite it to use prepared statements.

Again, I don't see how using add_slashes is insecure. If you are using it to force validation of your sql it will get you into trouble. So will typing 'rm -rf /' as root.

I think you are making assumptions about 'naive and sloppy programmers', like me, that are just not true.

Re:great...

[SimHacker]

If you have heard of Unicode, and you know that PHP does not handle Unicode, then why do you have to ask if there's a charset issue? Of course there is! You should also know that is one of the issues, but not the only one. Another important issue is the particular database's quoting conventions, and every database has its own different quoting conventions (which sometimes change from version to version). PHP had shamefully made several attempts at providing functions to quote database strings, none of which work properly, yet are all still in the language. Aren't you aware of that??!

It's insecure because it exists, and so are all the other lame half-assed database quoting functions in PHP. There is no reason for a function that doesn't work to exist, other than to mislead ignorant programmers into using it, and give them a false sense of security. Are you actually trying to deny all the security bugs that have been caused thanks to addslashes, mysql_escape_string, mysql_real_escape_string, mysql_escape_string_not, mysql_really_o_truly_o_escape_string, mysql_no_now_I_really_mean_it_escape_string, mysql_I_was_just_joking_before_but_now_I_really_re ally_mean_it_escape_string, mysql_mother_may_I_escape_string, postgres_kicks_mysqls_ass_escape_string, and all that other crap that's in PHP but shouldn't be?

If you're a professional PHP programmer, then you should be able to recite all the problems with addslashes from memory, and all the half-assed yet incomplete attempts at solving them, as well as the problems with them, and not have to ask me. The problem is that most PHP programmers think they know what they are doing, but they are horribly wrong. Even the self-proclaimed "PHP expert wizards" at Zend got tripped up and blindsided by the ZActiveRecord Boondoggle bug that they previously had refused to fix because they thought it was a feature. If Zend doesn't understand their own darling PHP, then who can? Professional competent programmers know their limitations and areas of ignorance, but ametuer incompetent programmers don't think they have any limitations, and think they know it all.

How long have you been using the Internet, that you have to ask me what the problem with addslashes is (or that other guy who asked me what the problem with register_globals is), instead of using google to find out for yourself?

-Don

Re:great...

[epine]

It's not like there isn't a tradition dating back to the C language of leaving string functions in the language that constituted an open invitation for shoddy programming. It's extremely confusing to the novice programmer to be handed a tool where portions of the language have been extremely clearly thought out intermixed with abortions waiting to happen. Don't give PHP more credit than it deserves. This practice has been with us since forever.

Huh

I thought every month was PHP Bugs month?

Re:Huh

April will be "Month of Bind bugs" closely followed by "Month of Sendmail bugs".

Re:Huh

Followed by the "Month of Digg kicking Slashdot's ass."

Re:Huh

don't forget the month of CmdrTaco having buttsex with CowboyNeal. Actually, that's been going on for the last 10 years. Digg's only been kicking slashdot's ass for a couple years.

even if...

[cosmocain]

...there are that much holes in PHP (which i don't doubt), mr. esser seems to be on a kind of crusade since he left the security response team.

Re:even if...

[Alphager]

He began his crusade when he founded the security-team: He wants a secure PHP. He left the security-team out of frustration that the main devs didn't care about security (leaving security-critical bugs unfixed for ages). This month of PHP-bugs is his effort to put pressure on the devs to finally make security a priority.

Re:even if...

that should be "because he thinks that the main devs didn't care about security"

Re:even if...

[HBI]

I imagine if he'd written the patches to fix the problems they wouldn't have had any excuse not to accept them.

This stinks of self-promotion. Calling something a "Month of PHP Bugs" does nothing to improve PHP's reputation. It sounds spiteful, in fact.

Releasing an exploitable bug every day rather than just writing the code to fix it sounds really lame, too. The people being harassed by this are the people running PHP.

I bet a lot fewer people will be after this month.

Re:even if...

[Chris_Jefferson]

For many of these bugs he did write code to fix them. However he couldn't get the patches accepted into the PHP mainline.

Re:even if...

[HBI]

So why didn't he fork the project then? That seems like a legitimate excuse.

Re:even if...

[cosmocain]

sure - i understand the frustration that's driving him. and i guess the MoPHPb will wake some folks up, hopefully the devs. but it'll wake up script-kiddies, too. in fact, that's what i fear most, it might only wake up the script kiddies, as the devs didn't seem to care in the past and that leaves more than thirty unpatched publicly documented security holes and a few folks, who need to run php. what a lot of fun...

Re:even if...

[moranar]

Maybe he didn't think it would make any difference? Forking PHP wouldn't change the countless developers who don't know nor care about security, the thousands of servers with PHP already there, plus it'd have to get a sizable team to carry it forward. Seriously, if you really want a secure language for the web, you don't stop at PHP.

Maybe what he cared more about was security, not the language.

Re:even if...

[gmack]

No.. it's a good thing. PHP apps are now the most common means of gaining a remote shell on Linux and as a sysadmin I have to constantly worry about what PHP code some customer installed can allow some attacker to break into my server. PHP allows some things it really shouldn't.. take includes on a variable for instance a few months back we had a machine spewing DoS attempts and the admin in charge of the box couldn't figure out how the attacker got a shell. The culprit? Some programmer used a variable to hold his includes and the attacker simply overrode that variable. Now you can (and we did) blame the programmer for being an idiot but the problem is that a language being sold as "great for anybody to start programming in" should be a lot safer by default I mean really.. what legitimate reason is there for that "feature" in the first place?

Re:even if...

He releases patches instead.

Re:even if...

[gmack]

sure - i understand the frustration that's driving him. and i guess the MoPHPb will wake some folks up, hopefully the devs. but it'll wake up script-kiddies, too. in fact, that's what i fear most, it might only wake up the script kiddies, as the devs didn't seem to care in the past and that leaves more than thirty unpatched publicly documented security holes and a few folks, who need to run php. what a lot of fun...

The script kiddies are already awake. The probes for PHP vulnerabilities are getting more common. The scripts they use to detect flaws in web servers are probing deeper than ever before and can now detect holes in custom PHP code.

This is all about waking everyone one else up so hopefully the problems will get fixed

Re:even if...

[moranar]

Or maybe, just maybe, on reading the article we'd find he did "fork" PHP, through Hardened-PHP and Suhosin. The wonders never cease.

Re:even if...

[M.+Baranczak]

This "feature" was used for passing request parameters into the script. So there was a legitimate need for it, it was just implemented in a really bone-headed way, since it allowed the overriding of local variables if you weren't careful. This was fixed in version 5 - unfortunately, this meant breaking backwards compatibility, since most older scripts relied on the old way of passing parameters. So a lot of servers out there (I'm assuming yours is among them) are still stuck using PHP 4.

I wanted to like PHP, I really did. But shit like this just does not inspire confidence.

Re:even if...

[tobiasly]

This stinks of self-promotion.

Of course it's self-promotion. Why does the guy stick his picture on the front of the article?

Attention geek bloggers: You are not attractive. Stop posting pictures of your dorky looking selves at the top of your blog.

It doesn't make you look like a real journalist, it just makes you look like a tool.

(Note: in case you're wondering how I got so many pictures to prove my point, I simply looked up the fud tag on Slashdot and started clicking away :)

Re:even if...

Haha,

what kind of drug are you using?

there is no photo of esser at all anywhere near the interview...

Re:even if...

[biz0r]

http://www.php.net/register_globals Read the first sentence on that page please...it was fixed in PHP 4.2, not PHP 5.

Re:even if...

[julesh]

PHP allows some things it really shouldn't.. take includes on a variable for instance [...] I mean really.. what legitimate reason is there for that "feature" in the first place?

1. Define in a config file a variable that specifies the location of your code, e.g.:

config.inc:
$modulebase = "/usr/local/lib/mypackage/2.3.11/modules";

In the rest of the code:
include ($modulebase . "/file_you_need.inc");

Then, you can upgrade versions of the modules by installing a new version in a new directory, and switching the modulebase reference when you're ready.

2. Code autoloader:

function __autoload($classname)
{
    global $modulebase;
    if (file_exists ($modulebase . "/" . $classname . ".inc"))
          include ($modulebase . "/" . $classname . ".inc");
}

For large projects, this is pretty much necessary. The only viable alternative is including all of your code all of the time, which often results in slow performance because PHP is spending too much time parsing your scripts.

Re:even if...

[julesh]

This "feature" was used for passing request parameters into the script. So there was a legitimate need for it, it was just implemented in a really bone-headed way, since it allowed the overriding of local variables if you weren't careful. This was fixed in version 5 - unfortunately, this meant breaking backwards compatibility, since most older scripts relied on the old way of passing parameters. So a lot of servers out there (I'm assuming yours is among them) are still stuck using PHP 4.

Strange. I have a server running PHP 5, and have scripts installed on it that depend upon the behaviour you describe. .htaccess:
phpflag register_globals on

Re:even if...

[metarox]

I'd use a define( 'APP_PATH', value ), instead of a variable, at least it can't be overridden by GET/POST/REQUEST variables directly if a bright guy enables global vars.

Re:even if...

[nasch]

Attention geek bloggers: You are not attractive. Stop [networkper...edaily.com] posting [securityfocus.com] pictures [zdnet.com] of your dorky [zdnet.com] looking [businessweek.com] selves [pcmag.com] at the top of your blog.

Some searching, however, came up with these.

Top 10 Blogger Babes

Gamer chick (don't know if she's actually a blogger) Morgan Webb

Re:even if...

[drinkypoo]

This stinks of self-promotion. Calling something a "Month of PHP Bugs" does nothing to improve PHP's reputation. It sounds spiteful, in fact.

It's the thing to do these days, apparently.

Releasing an exploitable bug every day rather than just writing the code to fix it sounds really lame, too. The people being harassed by this are the people running PHP.

What? He didn't create the bugs. Detection and reporting are two parts of fixing bugs, so he is making a contribution. He says he's reported a bunch of bugs like this TO the devs before. Maybe he's not interested in writing it, but is still interested in having a more secure PHP.

I bet a lot fewer people will be after this month.

Good! PHP is currently the most prevalent scripting language on the web. We could use some more diversity.

Re:even if...

[tobiasly]

Heh, you're right... the formatting of the article made it look like that was Esser's picture but the author is some other dude. My bad.

Re:even if...

Perhaps a more effective 'fork' of PHP would be a language that doesn't have functions in the global namespace like mysql_really_escape_quotes_i_mean_it_this_time()

Re:even if...

[Dragonslicer]

The default value for register_globals was changed to off in PHP 4.2. The option will be completely removed in PHP 6.

I think the biggest problem PHP has is that it became popular too quickly. If it hadn't become used so widely back around 4.0.x, a lot of problems that were identified years ago, but couldn't be fixed because of backwards compatibility breaks, would not be problems now. Things like register_globals probably would have been completely dumped in 4.3 or 5.0, instead of needing to leave it deprecated for about 5 years. Essentially, PHP 4 and PHP 5 are different languages, with PHP 6 changing even more. I have no problem writing off the days of register_globals as a nightmare that is best forgotten, but the language is vastly improved now over what it used to be.

Re:even if...

[1110110001]

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string

You can blame mysql. Or just don't use mysql. Or use PDO. And bind parameters instead of a string concat.

Re:even if...

[1110110001]

So you're one of the sysadmins who don't use the recommended php.ini? It has that name for a reason.

Re:even if...

[julesh]

I'd use a define( 'APP_PATH', value ), instead of a variable, at least it can't be overridden by GET/POST/REQUEST variables directly if a bright guy enables global vars.

As long as you ensure it's set in every top level file (and I usually use just one for each site), it can't be overridden by external vars, even with register globals on -- that happens before code starts executing.

i suggest for next month

month of PCP bugs. i see them all over my skin and i can't scratch them off! SOMEONE HELP ME

Partially surprising

I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

Re:Partially surprising

[Applekid]

Well, http://www.php.net/ is running PHP on it. I've gotta wonder if THEIR version is as much a watershed as the versions they make public.

Re:Partially surprising

[julesh]

I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.

I'm not surprised. Their attitude to bug reports in general is pretty hostile. See, for instance, this report of a segmentation fault bug.

Re:Partially surprising

Well, his name *was* sniper@php.net. What else could you expect besides 'user error'? ;-)

Re:Partially surprising

[Abu+Hurayrah]

I really think this statement is inaccurate. First of all, I will be the first to acknowledge (well, maybe the 2nd, 3rd...well, millionth-ish anyway) PHP's history of insecure default settings and exploits. However, to make a claim that the PHP team doesn't care about security is really incorrect, because in their latest versions, including PHP 5 and up, they have addressed the majority of complaints regarding insecure design. But you simply cannot claim it is PHP's fault that someone has the power to run exec($_GET['shell_command']). Would you prefer that PHP parses everything that is submitted? This is impractical and not a real solution, because it cannot possibly get every exploit, because new ways to attack will be discovered.

If you want to attack PHP's response to security, fine, but by it's nature, it allows people to do things. People are capable of doing things well and doing things poorly. This is not the fault of the language, because that is what it is designed to do. If you think, then, that PHP is too powerful of a language (???), fine, but the fact that it can allow people to muck up a system is also the reason that it can generate amazingly dynamic websites. This same logic would come down on the C language as well, because it allows (*gasp!*) direct access to memory and suffers from buffer overflow errors! Run for the hills!

Re:Partially surprising

However, to make a claim that the PHP team doesn't care about security is really incorrect, because in their latest versions, including PHP 5 and up, they have addressed the majority of complaints regarding insecure design.

Well, no. They've hit a couple of the big ones, it's true. But I get the impression that this is to avoid people nagging more than anything; they completely ignore plenty of other design flaws. The only reason you can say that "they addressed the majority of complaints" is because the few things they did manage to fix were so mind-bogglingly bad that everybody was complaining about them.

But more importantly, security is a property of their processes, not their design. Their processes are terrible. They ignore security reports. They dismiss crashing bugs as "user error". They don't have a release management system that copes with security patches. They did have, but they scrapped it because they were making too many security-only releases! Go ahead, tell me that isn't deliberately ignoring security.

But you simply cannot claim it is PHP's fault that someone has the power to run exec($_GET['shell_command']).

I'm not. It's true that there are vast numbers of these types of vulnerability, but a) that doesn't mean there aren't any with PHP itself, and b) some of them are directly caused by language/library misdesign (such as practically every SQL injection attack and most XSS vulnerabilities).

Re:Partially surprising

[Dragonslicer]

I don't really want to make excuses for poor responses to bug reports, but I can at least understand it a little. If you watch the bug list on a frequent basis, you can see why someone would get frustrated by the number of "phpBB doesn't work on my server. Fix it." bugs that get reported.

Re:Partially surprising

[Dragonslicer]

But you simply cannot claim it is PHP's fault that someone has the power to run exec($_GET['shell_command']). Would you prefer that PHP parses everything that is submitted?

They tried. It was called magic_quotes_gpc. We all remember how well that worked.

Re:Partially surprising

[julesh]

Yes, but that bug wasn't of that kind, really: it gave a precise description of the circumstances believed likely to cause the bug. The least they could have done was leave it open and on file. For some reason, PHP developers seem to have an obsession with closing bug reports. They'll close a report simply because nothing has happened on it for some time, whether or not a fix has been produced.

Re:Partially surprising

[1110110001]

sniper is no longer working for PHP.

But ... even if it wasn't a user error - how should it be fixed if it can't be reproduced? And if you don't like how the reporter was treated, why did you complain after 5 1/2 years and not in 2001? Also it could be that the new setup replaced a lib of a running webserver and just restarting it is the solution to the problem. That'd mean not restarting it is indeed an user error.

Re:Partially surprising

[SimHacker]

I don't really want to make excuses for poor responses to bug reports, but ...

Whenever somebody uses the sentence pattern: "I don't really bla bla bla, but bla bla bla." it means that they don't really mean the thing before the "but", and they're just saying it because they know the thing they're going to say after the "but" is totally full of shit. Like "I don't really hate gays, but I don't believe they deserve to get married, because the bible says so, and it's a horrible threat to my own marriage."

Would you please stop apologizing for PHP? You are part of the problem if you're apologizing instead of fixing security bugs. And you're hurting the internet, if you think you're sticking up for PHP by attacking somebody who actually is fixing security bugs. So stop it. PHP doesn't need you to leap to its defense: it needs to be fixed, or people need to stop using it.

-Don

Re:Partially surprising

[Dragonslicer]

Yeah, the bug that was mentioned wasn't that kind. I was making more of a general comment.

To reply to another flamebait post below this, let me clarify. I worked in an IRC channel helping PHP programmers for several years. We would have people come in every day asking about crap like phpBB or phpnuke, even when we explicitly said that we can't help people with code they downloaded from other site, since none of us are familiar with every piece of PHP code ever written. I'm not saying that responding that way to the bug reports is good, I'm not saying it's helpful, and I'm not saying that it can't be or shouldn't be improved. I'm just saying that I understand.

For once

[Timesprout]

I am actually glad to see one of these xxx month of bugs. Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws. Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality by improving the core security of the language is therefore to be welcomed.

Re:For once

[nottestuser]

The meme is true but only because for each of the 100 flaws in PHP itself there 1M programmers who don't know a single thing about any of the OWASP top 10.

Re:For once

[jimicus]

Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality

Most flaws in any code are caused by poor programmers. It's possible to write clearly structured, well laid out code in BASIC (no, not visual BASIC, the real thing), as most implementations support things like local variables and procedures. It's just exceptionally rare.

This is why so many computer science degrees (at least until recently in the UK) used Modula-2 or Pascal as their primary teaching language. Don't for one moment imagine the lecturers thought that these languages would be useful in the real world - the idea was to teach good practise.

Re:For once

This is why so many computer science degrees (at least until recently in the UK) used Modula-2 or Pascal as their primary teaching language. Don't for one moment imagine the lecturers thought that these languages would be useful in the real world - the idea was to teach good practise.

Huh? Since when is Pascal not a useful real-world language? This is the first time I've ever heard this claim.

Re:For once

Absolutely, 99.9999% of software flaws are caused by poor programmers, with the 0.0001 remaining ones caused by dirt and coffee drops inside the keyboard.

Re:For once

[rho]

Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws.

A critical thinker will look at those two clauses and derive some wisdom. PHP is not "poorly thought out", it changes to meet the market's needs. Java was very well thought out, but it's mostly popular with big shops where you can hire a guy for $70,000/year to maintain a tiny little bit of a larger program. PHP is very popular because it allows a single person (or a small group) to make functional applications quickly and easily, with a lot of flexibility.

Re:For once

[mstone]

To be fair, Pascal was originally designed as a teaching tool and to match the real-world value of say, C, you have to bolt on some extensions. That works, but it's less than perfect.

The Modula family of languages, OTOH, are way cool.

Re:For once

[drinkypoo]

PHP is very popular because it allows a single person (or a small group) to make functional applications quickly and easily, with a lot of flexibility.

So does ASP. In fact, ASP is easier in a lot of ways, and has MORE flexibility (supports any ISAPI language, including vbscript (yuck), perl (whee), php (hello month of bugs!), python, blah blah blah.

PHP is popular because it's free and Free and lets one person write a very simple/stupid dynamic webpage very easily. Unfortunately, it seems that when you get into real complexity, you start running into PHP's design flaws.

Re:For once

[julesh]

Huh? Since when is Pascal not a useful real-world language? This is the first time I've ever heard this claim.

Since according to ISO pascal:

1. Pascal programs cannot be modular -- they are defined in a single file that starts 'program ;' and continues until the matching 'end' statement. If you are using standard pascal (as most of the universities that used it as a teaching language restricted themselves to), you cannot use 'unit' (which is unsupported in many implementations, being I believe a Borland innovation) or C-style '#include' (which was supported in the implementation at my university, but we were explicitly instructed not to use it).

2. Pascal only recognises a single sized integer type. No longints or shorts or anything like that.

3. Pascal has no means to take the address of a variable (i.e. the equivalent of C's & operator).

4. Pascal does not allow a file to be contained in a structure. They are only allowed to be declared as top-level variables.

5. Pascal does not have any mechanism to open a file with an arbitrary filename. Files are declared as variables, and are implicitly associated with an OS file. Typically, the name used is the same as the variable's name, but this is not standardised. You can (according to the standard) implicitly create files to match those named on the command line (see section 'header files'), but this mechanism isn't widely supported.

Is this enough reason for Pascal (as standardised, and as originally implemented by Wirth) not to be a useful real-world language?

Of course, the variety of extended Pascals available make it a substantially more useful language.

Install modsecurity

[HxBro]

I recently installed modsecurity http://www.modsecurity.org/ for apache along with the rules from http://www.gotroot.com/ and it's done a good job of blocking attacks on my server including a lot of the php mail() injection attempts, whilst it has shown up a few false positives like someone posting a message with sql keywords e.g. "select" "from", it is certainly worth installing even if you have to monitor the logs for a bit afterwards to watch for the false positives and alter the rules accordingly.

Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.

Mod me troll-down...

But to me (and I'm not the only one), PHP is a huge security hole. There are people that consider machines running PHP insecure. Mod me down, but it's a fact.

Your site is likely already compromised.

Maybe you shouldn't bother with the patches. If you're running any of the well-known PHP software, there's a good change your server has already been compromised by one or more such script kiddies.

I worked at a somewhat popular web hosting company for a while, and you wouldn't believe how often PHP sites are exploited. Most of the time the site owner had no idea that their site had been compromised in some way, even those who went out of their way to ensure that they were running the latest version of whatever PHP software they were using.

Re:Your site is likely already compromised.

[julesh]

Maybe you shouldn't bother with the patches. If you're running any of the well-known PHP software, there's a good change your server has already been compromised by one or more such script kiddies.

I actually persuaded my business partner to authorise a 2-month long project to reimplement all the features we need from phpBB from scratch, rather than use original code, just for this reason. It didn't take much work to convince him that we didn't want the hassle of having to deal with regular 0-day exploit scripts in the wild.

Re:Your site is likely already compromised.

Most likely, you're correct.

Still, there are precautions to take when running a common PHP-based app. First off, use Xen. Set any filesystem to read only (through Xen) that you can get away with. When installing PHP, only install the modules the script actually uses. Second, install mod_security and enable every possible protection. Third, install Suhosin (hardened php, Debian Etch has it packaged). Fourth, edit the php.ini file and enable safe mode and disable every possible feature you can get away with. Fifth, for the DB create multiple accounts. Use the permissions properly. Set it so that the user the script has only can update the specific tables it has to, deny it from everything else.

Still, it will only be a matter of time before it's compromised but at least those steps help. Make sure to make regular database and file backups from the Dom0 so it will be easier to restore the site.

PHP really needs to enforce proper security. In 5.x it's OO is actually pretty nice and I like doing development with it, but I've dropped it for Java due to constant security issues.

Re:Your site is likely already compromised.

With all the effort necessary to set up Xen, strip out unused modules, fuck around with configuration settings, test it all out, etc., etc., it's probably just easier, cheaper and safer to go with something other than PHP.

Re:Your site is likely already compromised.

You're absolutely correct.

However, you'll probably run into a situation where the customer demands a certain poorly written php app. In those cases you have to go through the extra effort and deal with the inevitable compromise.

PHP is a nice language, but it needs to enforce proper security. If that security breaks apps, tough shit. Fix the broken apps.

Are bugs the problem?

[cerelib]

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code(especially when using the mysql module). Also at fault is the general lack of programming understanding by the amatuers who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?

Re:Are bugs the problem?

[CodeShark]

Poor code writing and a failure to integrate known fixes is the problem. For example, code/modules developed by the Hardened PHP project referenced earlier has fixes many of the known vulnerabilities, and in general PHP 5.X is much more secure than prior versions.

Personally while I don't necessarily like all the work I have to do when there is a "bug exposure" in the media for tools I am using -- like PHP -- I don't have time to track everything let alone fix them, this "month of bugs" won't affect me as much because the ISP I use for my sites has historically been very good at fixing the server-based bugs, and alerting me when a known application error is widespread in the code base so that I can scan my modules and do the updates. That's where paying more than $3.95 a month for a GOOD php web hosting service is a pretty good exchange of $ for peace of mind.

Re:Are bugs the problem?

[Peter+(Professor)+Fo]

Well it's like this : Most car crashes are caused by drivers but some are caused by defective design and materials. Others are made worse by 'misleading' the driver (I have ABS so I can stop in 6 feet on ice) or encouraging them to believe they're safe under all conditions (I can drive at 120 (a) 'cos the speedo goes up to 150 and (b) I've seen those videos with the crash dummies which don't seem too fatal.)

PHP is the same : It's easy to drive so naturally lots of people have a go. (Good Thing). Sadly many haven't got the foggiest idea about security, interface design, database design, maintainability or testing. Some will take this opportunity to learn a bit about these subjects but for most 'programming' is the same as 'getting code to work'.

If only someone would write a book. http://www.eminent.demon.co.uk/ob/Programming.htm

Re:Are bugs the problem?

[poot_rootbeer]

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code

Or even more likely, how easy it is to download and run insecure code written by some other lousy programmer. It's not the people who are writing their own CMS systems that are getting haxor'd, it's the people who grabbed a copy of PHPNuke and threw it up there on the 'net.

Re:Are bugs the problem?

[Sigmon]

Making PHP secure is very easy...

1. Familiarize youself with how it works
2. Think like a bad guy
3. Don't trust $_POST or $_GET vars to contain the data you expect
4. ...
5. Profit!

PHP is a disgrace to the open source community.

It's amazing, but the PHP team are worse than Microsoft ever were with security.

This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!

If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.

Re:PHP is a disgrace to the open source community.

[archen]

The problem with PHP is that it's very easy. One of the supposed advantages of Lamp is that it is also rather easy to set up and work with. I've seen more projects than I would care to, where the programmers couldn't code their way out of a paper bag but managed to accumulate a surprisingly functional mass of PHP spaghetti code. Perl is a good option only if the coders are disciplined, and having good structure is critical for a good Perl project. I don't have any experience with Python, but due to the nature of python language structure, you'll never be able to embed it the way you could with PHP (templates are necessary here as well).

One of the problems with PHP is the fact that when the bar of entry is so low, you get a lot more low bar people actually coding it. It's become the next generation of VB garbage. The language is only half of the security problem (a half we could better do without, but still).

Re:PHP is a disgrace to the open source community.

Heh, once you choose MySQL, you might as well go all the way and choose IIS, PHP and Winblows.

Re:PHP is a disgrace to the open source community.

[CopaceticOpus]

The fact that a programming language is easy to use IS NOT A PROBLEM! I'm so tired of hearing this. The fact that bad code can be written in PHP isn't really a problem either, though it does end up hurting PHP's reputation.

The important question as a developer is this: can I easily write code which is also well-written and reasonably secure? For me, the answer is yes. I like PHP because I can get things done so efficiently. Just because others are writing horrible PHP code doesn't mean I have to follow their bad habits.

I'm not blind to PHP's weaknesses, but at the end of the day it still works well for me. Since PHP5, it's become reasonably mature and it will only get better in time. I wouldn't use it for flight control software, but for web sites it is very good.

Wait...

[kahei]

Only a month?

Ha ha, yes, thank you, I'll be here all week, bringing predictable yet mildly amusing banter. In fact, I'll be here all year. The whole of my life, probably. *breaks down and cries*

PHP needs to be fixed in general

[MikeRT]

If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking. Besides bug and security fixes, a standard naming convention for built-in functions would be quite nice. Maybe Esser could do for PHP what EGCS did for GCCS if he did that.

Re:PHP needs to be fixed in general

[ravenlock]

Too late for that. There is a huge amount of custom web apps already written in PHP, and that's enough momentum to steamroller any attempt to make a decent PHP. Nobody wants to pay for a rewrite that "doesn't add value," because most customers don't care about vulnerabilities until they are already exploited. Time to look at solutions that were well thought out to begin with.

Re:PHP needs to be fixed in general

Too late for that. There is a huge amount of custom web apps already written in PHP, and that's enough momentum to steamroller any attempt to make a decent PHP. Nobody wants to pay for a rewrite that "doesn't add value," because most customers don't care about vulnerabilities until they are already exploited. Time to look at solutions that were well thought out to begin with.

Sounds to me like that same reasoning will keep those same people from rewriting things in any other language as well.

Re:PHP needs to be fixed in general

[julesh]

If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking.

Err... he has.

Sometimes I think people don't read the articles.

Then I remember I'm reading slashdot.

Re:We audited PHP for some of our projects.

[clawoo]

Not to start a little argument over PHP and Python, but you're comparing apples with oranges here. You are saying that PHP is insecure, its semantics are undesirable and so are its standard libraries, database interfacing, interpreter and performance, and then you come along saying how awesome Django is, disregarding that actually you're comparing a language with a framework.

There are a handful of decent PHP frameworks out there, with others coming along, which you can take and compare with Django, but please don't bash the language because you don't like its semantics, you have something personal with it or you didn't take the time to choose a decent framework.

Regarding the database interfacing support, I beg to differ, I believe PHP has been supporting a large number of databases for a longer while than most of the other web scripting languages out there today.

OK, seriously now...

[MattPat]

Do we need a month dedicated to every application that has bugs in it? Because I'm pretty sure our sun will have imploded by then.

Re:OK, seriously now...

[julesh]

Do we need a month dedicated to every application that has bugs in it? Because I'm pretty sure our sun will have imploded by then.

Suns normally explode. Only IBM Netfinities implode.

Oh, right. You meant... never mind.

Re:OK, seriously now...

Actually it is the "first" Month that covers only the bugs in ONE application.

All other those "Month Projects" covered many applications. Browsers, Kernels, Software for Apple

Look on the open/bright side.

[kale77in]

The bright side, it seems to me, is that PHP's openness means even if the developers are slack, the bugs can still be disclosed without IP litigation threats.

Also, he's given the developers a week or two of warning before March. If there's anything *that* serious in there, actually known to the developers, the fix could conceivably be ready by the time the bug is announced.

I run PHP sites, and I'd rather see the bugs public and being patched, than known only to the developers (we hope).

NM

[mobby_6kl]

Disregard that post, I should have previewed and read it again before submitting. It actually makes it sound like PHP is the OpenBSD of scripting languages, which is obviously the opposite of the desired effect.

Re:NM

[lymond01]

Your posts are like the Edgar J. Hoover of Broadway theatre.

Arr? (Scooby-doo head tilt)

Take PHP outside web pages altogether.

Fork PHP. This is what they should do.

Do not let it execute inside web pages. X server pages is bad. Take PHP outside of web pages altogether. Good PHP programmers should be using Smarty templates anyways.

Make a good VM for PHP and clean up all the damn bugs. PHP has nice C/Perl syntax, it has the potential for a good general purpose language.

Create a "pervlet" container. No, not for perverts, but to serve PHP web objects much like Tomcat for servlets. Don't stuff everything inside Apache. Leave the front gate for security configurations and static pages.

That's it for now. Thank you and come again.

P.S The /. security image is the word "toasted". Haha nice!

Re:Take PHP outside web pages altogether.

[julesh]

Do not let it execute inside web pages. X server pages is bad. Take PHP outside of web pages altogether. Good PHP programmers should be using Smarty templates anyways.

One way of looking at PHP is that it is an extremely powerful templating language. That's the job it was designed to do in the first place, anyway. So why not write your back end in a more powerful language and just do a quick front end templating job in PHP that takes those results and slaps them into a web page.

Oh, right, the reason not to is that PHP is just about the only common denominator you'll find at nearly any web hosting company you might choose to go with. I think this is just about the only reason not to though.

(I say, begrudgingly, as a PHP programmer who uses the language only because of this popularity factor)

PHP has nice C/Perl syntax, it has the potential for a good general purpose language.

I don't think so. There is at least one major flaw with its language design (and it's a basic, fundamental flaw that most people don't realise): there is no distinction between strings and identifiers. Try this:

It's an interesting choice: '$' becomes an unary operator that returns a reference to the value of its argument. So why doesn't work? God knows. It should, but it doesn't. Probably the same reason that functionReturningAnObject()->field doesn't work: the language definition is screwed up. $v = "t"; echo $$v; works fine though.

Reference semantics are screwed up as well. Try this:

$a = array (1, 2, 3, 4);
foreach ($a as &$b) $b++;
foreach ($a as $b) $b++;
print_r ($a);

Now, explain to me why it is that the last item in $a is incremented twice, while all the others are only incremented once?

The more features are added to it, the more evidence there is that at its core, PHP is a badly designed language.

P.S The /. security image is the word "toasted". Haha nice!

Did you post AC just so you could make that joke?

Re:Take PHP outside web pages altogether.

[julesh]

Hmmm... The munged PHP code from my post was:

    (lack of quotation marks deliberate)

and

    (addition of quotation marks also deliberate)

Re:Take PHP outside web pages altogether.

[42forty-two42]

Still munged I'm afraid.

Re:Take PHP outside web pages altogether.

[metarox]

Actually, that bug is resolved in PHP 5.2.1

http://bugs.php.net/bug.php?id=35106

Re:Take PHP outside web pages altogether.

[FreakTrap]

$a = array (1, 2, 3, 4);
foreach ($a as &$b) $b++;
foreach ($a as $b) $b++;
print_r ($a);

It is increment twice because after the first loop, $b is still a pointer to the fourth element of $a. Continuing in the code, the second loop will assign the fourth value of $a each value of $a, then increment it. Try debugging it like so:

$a = array (1, 2, 3, 4);
foreach($a as &$b){
$b++;
}
print_r($a);
foreach($a as $b){
print_r($a);
$b++;
print_r($a);
}
print_r($a);

... and you will see what it is doing. Solution: unset your variables before you re-use them.

$a = array (1, 2, 3, 4);
foreach ($a as &$b) $b++;
unset ($b)
foreach ($a as $b) $b++;
print_r ($a);

And for the $$ thing, it seems to do exactly what it is intended for...

[Simple]
$a = "Hello World";
$b = "a";
echo $$b;
//outputs 'Hello World'

[Complex]
$var0 = "Hell";
$var1 = "o wo";
$var2 = "rld!";
$i = "var0";
while(intval($i[3]) <= 2){
echo $$i;
$i[3] = intval($i[3])+1;
}
//outputs 'Hello World!'

Re:Take PHP outside web pages altogether.

> Oh, right, the reason not to is that PHP is just about the only common denominator you'll find at nearly any web hosting company you might choose to go with. I think this is just about the only reason not to though.

No, the reason not to is that PHP is quite capable of handling the back end itself. Or do you really believe your needs are more complex than say, Yahoo? Facebook?

> I don't think so. There is at least one major flaw with its language design (and it's a basic, fundamental flaw that most people don't realise): there is no distinction between strings and identifiers. Try this:

Still can't see your example here...

> Probably the same reason that functionReturningAnObject()->field doesn't work: the language definition is screwed up. $v = "t"; echo $$v; works fine though.

Actually, functionReturningAnObject()->field DOES work, and has done for a while. PHP5 was released in 2004, so you haven't realised this for 3 years? That certainly puts your comments into perspective.

> Reference semantics are screwed up as well. Try this:

Again your confusion is due to your misunderstanding, not any fault with PHP.
After the first foreach, $b is a reference to the last element of $a, so your code is equivalent to:

$a = array (1, 2, 3, 4);
foreach ($a as &$b) $b++;
foreach ($a as $b) $a[3] = ++$b;
print_r ($a);

If on the other hand you had unset($b); between the foreach loops, then it works as [I assume you had] expected - the second foreach does nothing because $b isn't a reference. This is well documented in the PHP manual.

> The more features are added to it, the more evidence there is that at its core, PHP is a badly designed language.

That's a very sweeping statement, where is any of this evidence? I hope you're not relying on your examples.

Re:Take PHP outside web pages altogether.

[AutopsyReport]

Good PHP programmers should be using Smarty templates anyways.

I was reading until that line. Yes, let's template a templating language thereby giving us less functionality and more overhead. The additional layers of abstraction and work is brilliant!

Re:Take PHP outside web pages altogether.

Probably the same reason that functionReturningAnObject()->field doesn't work

function A() {
$x = new stdClass;
$x->foo = "bar";
return $x;
}
echo A()->foo;

works fine here.

Re:Take PHP outside web pages altogether.

the creator of smarty has not worked with it for years. And he is not interested in it anytime someone asks him a question about it. Smarty based websites are a quick fix and something you let the juniors work on. Anytime I see a smarty site I dissociate the codebase from it.

Re:Take PHP outside web pages altogether.

[onerob]

functionReturningAnObject()->field doesn't work

This works fine in PHP 5.1.4:

class TestClass {
function TestClass()
{
$this->field = 1000;
}
}

function returnAnObject()
{
$obj = new TestClass;
return $obj;
}

echo returnAnObject()->field;

- - - - - - - -

Now, explain to me why it is that the last item in $a is incremented twice, while all the others are only incremented once?

Sure (after some fiddling around). As you enter the second foreach loop, $b contains a reference to the last member of the array because that's how the previous foreach left things. Therefore, for each iteration, what you are saying is this: Make the last member of the array ($a[3] as referenced by $b) equal to the current member of the array, plus one.

If $b added 1 to itself (as might be expected) then the value would end up being 9. What seems to be happening in the second loop is: $a[3] = $a[n] + 1, not $a[3] += 1

I don't know if that behaviour is right or wrong in a formal sense.

Re:Take PHP outside web pages altogether.

[julesh]

*facepalm* Made the same mistake twice in a row.

Meant to write:

$t = hello; echo $t;

and

echo $"t";

Re:Take PHP outside web pages altogether.

[julesh]

I don't know if that behaviour is right or wrong in a formal sense.

I'm not saying its wrong. I know that according to the language design it's complete correct. I *am* saying it's counterintuitive, and evidence that something is wrong with the design.

Re:Take PHP outside web pages altogether.

[julesh]

Again your confusion is due to your misunderstanding, not any fault with PHP.

My point is that it's difficult to understand. I do understand it, believe me, which is why I used it as an example. *But* I constantly see people getting confused by this behaviour. It doesn't match their internal model of theway they thought the language worked.

Re:Take PHP outside web pages altogether.

[jsdcnet]

I work for a big web company (go ahead, guess which one). We use Smarty for several of our large sites. It is extremely convenient to not have production staff (who do stylesheets, graphics, etc) messing around with the actual site code. Overhead isn't really a big factor if you use an opcode cache. For 99% of the requests, Smarty serves a cached flat file anyway. It's very nice.

As a non-programmer, what are the alternatives?

I've been running Gallery (& more recently Gallery2) and Serendipity on a server (recently updated to 5.2.1 with Suhosin) for some time now. There have been many posts here about not using PHP, but finding replacements for these applications which don't use PHP is either hard or bloody impossible. Is there a resource site which shows web apps which *don't* use PHP? What languages are better to look out for? Ruby on Rails? Python?

I'm not a programmer and never will be, so "Code your own!" doesn't work for me. If PHP is really so insecure then what are realistic alternatives?

TIA

Re:As a non-programmer, what are the alternatives?

[julesh]

I'm not a programmer and never will be, so "Code your own!" doesn't work for me. If PHP is really so insecure then what are realistic alternatives?


Right now, they're very few and very far between. You could look through sourceforge projects in the Internet/WWW category with the filter 'excluding programming language PHP' applied.

The problem is that so much stuff was implemented in PHP in the late 90s/early 2000's that just about every hosting service went out and installed it. This led to a positive feedback system where nearly everyone chose to develop for PHP, because that's what nearly every hosting service offers, etc. It's the same kind of situation that led to Windows dominance, only (IMO) without the product actually being anywhere near as good.

Blatant Self-Promotion

[Ron+Harwood]

This stinks of self-promotion. Calling something a "Month of PHP Bugs" does nothing to improve PHP's reputation. It sounds spiteful, in fact.

Yep. Everything he writes on this topic is along the lines of:

-They all suck.
-I'm the greatest.
-They're all out to get me.
-The fools, the laughed at me at the institute.
-You aren't taking me seriously! I've fixed everything in my personal extension to PHP and you keep breaking it by changing the language!

etc... etc...

I don't know what he thinks he's going to accomplish - but he's made his name synonomous with "shit disturber" and while he claims to be trying to make PHP better, he's only poisoning things in the long run.

Re:Blatant Self-Promotion

[SimHacker]

It's the ignorant PHP apologists like you who are damaging the internet and causing much more trouble than anyone who's trying to expose PHP's bugs and embarass the PHP development team into finally fixing all of their long-standing security problems that they have refused to address.

The hackers and script kiddies ALREADY KNOW all of the vulnerabilities. It's ignorant PHP fan-boys like you who are in the dark and spreading bullshit, if you're not aware of what a truly horrible and insecure disaster PHP really is. The security holes already exist, and covering them up and making excuses for them isn't going to fix them. But exposing them to the light of day will force the idiots on the PHP development team to finally address them, and hopefully warn people away from using or trusting PHP. They had their chance to fix the problem before, and they chose not to. Stop trying to rewrite history to justify your misplaced finger-pointing. You fan-boys making excuses for the PHP development team's negligence are contributing to the problem, and just making it worse -- it's not the fault of the courageous whistle-blower who you're attacking. Stop damaging the internet, fan-boy.

-Don

Suhosin Extension

[metarox]

On a side note, anyone know where I could find that Suhosin extension compiled as a binary (DLL) for windows ?

Coming in April

[bill_mcgonigle]

"Month of Shooting Fish In a Barrel"

At least the Month of Apple Bugs was a hard target to go after.

Re:Coming in April

Apple a hard target? Bahahhahahaaahaha

Re:Coming in April

What would you rather? Month of OpenBSD remote code vulnerabilities in default install?

Two words:

[T-Ranger]

Scratch harder.

Re:We audited PHP for some of our projects.

[xtracto]

Well, I do not have a lot of experience with PHP (only some typical unsecure LAMP tests) but after looking what they did with mysql_real_escape_string() and mysql_escape_string() I agree with GP. What kind of programming language is that? what the heck does REAL is supposed to mean?

I have programmed in PHP and C#/VB.NET for web forms (back when .NET was just out) and I can tell you that even there, the microsoft product was better than PHP. One of the things I dislike about PHP and I liked about the WebForms .NET approach is the separation of the interface with the functionality which allowed us to create a real multi tier application. I have not programmed "for real" web applications for some time but as far as I know it is not possible to do that sepparation with PHP.

Welcome to the social!

Enjoy your stay this month Mr. PHP.

Love,
    Artie MacStrawman

Re:We audited PHP for some of our projects.

[julesh]

after looking what they did with mysql_real_escape_string() and mysql_escape_string() I agree with GP. What kind of programming language is that? what the heck does REAL is supposed to mean?

It's a backwards compatibility hack. When they implement mysql_escape_string, the MySQL C API didn't need a connection object to the server to perform quoting, it just did it locally. Some advanced features were added in later MySQL versions, and a connection to the server is now needed in order to know what character set is in use in order for the quoting to be performed correctly. If you're just using us-ascii/iso-8859-1 like most MySQL developers, you can ignore the difference. If you're using UTF8 or some other charset, you need to make sure you use the "_real_" version.

The whole 'mysql_*' API ought to be deprecated anyway. mysqli is much better.

Re:We audited PHP for some of our projects.

[julesh]

One more thing:

One of the things I dislike about PHP and I liked about the WebForms .NET approach is the separation of the interface with the functionality which allowed us to create a real multi tier application. I have not programmed "for real" web applications for some time but as far as I know it is not possible to do that sepparation with PHP.

As somebody who has written a 3-tier web application in PHP for a well-known multinational company, I can assure you that tier separation is not only possible in PHP, it's actually fairly easy. Just don't try forwarding remote session IDs to the middle tier from the front tier and then running them on the same server. It won't work.

A Couple Easy Precautions

[corychristison]

I've been running PHP for some time now, I try to use the latest and greatest, but sometimes I am a little behind.

Here are a few simple precautions for PHP configuration:

• Do not(!) install cURL. I know it is useful, but has a lot of security problems!
• Disable register globals [default as of 4.2.0]
• Safemode is worthless and a little too restricting, use OpenBaseDir.
• disable_functions = exec,system,passthru,shell_exec,proc_open,proc_clo se,proc_terminate,proc_nice,proc_get_status (may be more, off the top of my head :-)

These are what I can think of off the top of my head. This allows full compatability with all major scripts [mostly due to not using SafeMode] but still holds a fair bit of protection from people executing scripts and pushing them to run in the background. Had this happen to me a few years ago. I was hosting someone as a favour, and I'm not sure if they did it, or they were running some crappy code and it was exploited. Either way, their account was suspended.

Re:A Couple Easy Precautions

[1110110001]

Depending on what you're doing the exec functions might be useful. But you should disable dl().

Re:A Couple Easy Precautions

[corychristison]

Depending on what you're doing the exec functions might be useful.

I agree. But on shared hosting [even if it is just for friends] it is very dangerous. Not necessarily that they will try to wreck anything, but if someone were to comprise their account, things can go bad very quickly.

But you should disable dl().

Agreed. :-)

Hear, hear.

[cortana]

An anonymous coward said some time ago,

When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability.

Maybe he could stagger it out

[SlappyBastard]

Give people a day or two to respond to each exploit before he hands us another to go racing after.

Re:Maybe he could stagger it out

[tinkertim]

Give people a day or two to respond to each exploit before he hands us another to go racing after.

Especially us poor bastards that have 500 + servers to patch. I'm sure (err, hope?) they will do it responsibly , however I still see this being a *very* interesting month.

March that never ended

[CortoMaltese]

I hereby declare March 2007 the March that never ended, in spirit of September that never ended.

Security experts ?

[herve_masson]

My personal opinion is that there are far too many people out there that call themselves Wep Applicaton/PHP security experts and write books/give talks about PHP Security

No, kidding?

Re:We audited PHP for some of our projects.

So how do you separate code and HTML with PHP?
Just wondering.

Only a month?

Why not a Millennium of PHP bugs? I'm sure there are at least 365,250 bugs in PHP.

This is going to be fun

[lewp]

I'm going to need enough popcorn to last... March.

Fork marketing?

[tepples]

So why didn't he fork the project then? I'm guessing because he lacked the ability to market his fork to the vast majority of shared web hosting providers.

Re:We audited PHP for some of our projects.

[julesh]

Have a back end program that doesn't produce any HTML output. Have it produce a data structure that describes the information to be embedded in the page, along with the name of the template to embed the data into. More complex schemes may be necessary for some apps, but this suffices for most. Serialize this data structure (you could use any appropriate data serialization format, I generally use simple XML schemes)

Write a front end program that takes the user's request parameters and parses them, selects an appropriate back end program and then includes its response via file ('http://whatever') (or cURL if you need to POST data). Then it can either do what I do, which is use a template engine to process that data into an HTML page, or if you're feeling too lazy to do it that way you can use PHP itself as the template engine: just include ("../templates/" . $templatename . ".inc") (after suitably validating $templatename of course). The code in the template is very simple, using PHP only for simple variable substitution and iteration over predefined data structures.

If you only need logical and not physical separation of the front and back ends, you can include a file with the implementation of the data-structure producing logic and call that, which should save the cost of serialization and deserialization.

Re:We audited PHP for some of our projects.

[clawoo]

Separation of code and presentation can be done by using a templating system. Smarty is a popular one, although it's often criticized, and there are a lot others around as well. FastTemplate, although old, is also a choice.

Most of the frameworks mentioned above are built fanatically on MVC, so this separation is imperative.

Slashdot, give it a rest!

[AutopsyReport]

If you teach a man to fish with a rod, he won't immediately know a better way to catch more fish. The idea of using a mesh net to catch more fish at once will not be apparent to him -- it will take time. A man and his tools are departed only when he finds something better for the job.

So let's apply this concept to learning in the PHP community. For years, PHP developers (newbies, amateurs, and experts alike) have been handed down wisdom that reflected the current knowledge. Years ago, it was using registered globals. Then it became including pages via the query string. And so on... You can imagine for someone new to PHP how hard it would be (if not impossible) to distinguish right from wrong when everyone was telling you to do a certain thing. Articles, forums -- you name it, they preached it.

PHP has become more insecure due to the amount of bad advice spread, not because of PHP. What did we all learn about pointers? When abused or not taken care of, they can cause problems. The same goes for the tools PHP offers.

Slashdot will forever gouge PHP for being insecure, but I think it has everything to do with an immature community dishing out advice far too soon. PHP has matured, and so has much of the advice. Given more time, bad advice will be harder to find.

Blaming PHP for being insecure / providing insecure tools is like blaming auto manufacturers for attaching a steering wheel and a gas pedal to cars that cause accidents... think about it.

Re:Slashdot, give it a rest!

Blaming PHP for being insecure / providing insecure tools is more like blaming auto manufacturers for cars that explode themself.

Think about it.

The Month of PHP Bugs is not about bugs in PHP applications but about bugs in PHP.

Re:Slashdot, give it a rest!

[AutopsyReport]

Blaming PHP for being insecure / providing insecure tools is more like blaming auto manufacturers for cars that explode themself.

When was the last time you installed PHP and it "exploded" on you? As I said, give it a rest.

LAMPython

In python, there are several ways to write websites with varying degree of complexity. One of the most interesting is Cheetah templating engine http://www.cheetahtemplate.org/

Re:LAMPython

python who?

Re:LAMPython

[Mr.+Hankey]

Python (Monty).

I'm a bit ambivalent

[SlappyBastard]

I've long argued that for as much as the pro-PHP group blames the coders, there is simply no excuse for some of the levels of vulnerability. So, while I'm loathe for the torrent of problems, I am glad to see someone finally calling PHP out in the open for some of the problems it created long before any kid touched a single line of code.

Re:I'm a bit ambivalent

[tinkertim]

've long argued that for as much as the pro-PHP group blames the coders, there is simply no excuse for some of the levels of vulnerability. So, while I'm loathe for the torrent of problems, I am glad to see someone finally calling PHP out in the open for some of the problems it created long before any kid touched a single line of code.

Since it is so widely used an in production, one could (almost) argue that some exploits and bugs can / should be kept quiet if they spark plans for major restructuring or re-writes. That type of move allows them to fix fundamental core problems without the world breathing down their back and stops this damn "bugfixed but more bugs resulted" releases. Some could also argue that PHP5 is this restructuring and rewrite, but apparently quite a bit of the exploits are tucked away in PHP's core and still exist in PHP5 .. so I don't think that's the case.

So I guess the real question to ask would be :

"Was it apathy, fear of losing public confidence (and a ton of money) or both that let this laundry list grow so huge"? I will say that Zend and some of the people who hide behind obfuscated code were really quick to jump on me when I called the effectiveness of Zend source encryption into question and pointed out the cottage industry now thriving on breaking it.

Finally, we have yet to see these exploits. All we have is what someone obviously rather angry has to say about them. We really do not have enough information to say if PHP is hiding these or just dragging ass. I have no reason to doubt the seriousness claimed by TFA. What we can say for sure is next month the laundry hits the clothesline.

What was that about 'beware the ides of March?' ... et tu .. Stefan?!' .. or, for us poor bastards who have to patch 500 servers (I can't seem to get past that, I know) a quote from Real Genius : "I drank WHAT?! - Socrates"

Starting to feel more like a STD than an interpreted scripting language.

Re:We audited PHP for some of our projects.

[thyrf]

You might want to try http://www.nyphp.org/content/presentations/3templa tes/ - it's a good explanation of how and why you should use templating. Which method you go for is entirely up to you but I recommend not using a template engine unless you're planning on building a large site and using PHPs native ability to template instead.

After learning PHP some years back by reading a couple of books I was satisfied with the level of information I got from it. I was able to write my own web-apps, hoorah! Over time though, common sense kicked in when I realised that merging PHP and a fair amount (not the whole lot) of HTML did nothing for readability and future maintenance. It's worth nothing here that I'd not much experience in formalised programming methods or style at the time.

Let me tell you, as a newcomer to PHP you see plenty of guides and books explaining how to create run-of-the-mill web apps but will never come across anything that tells the benefits of splitting up your code into different layers of logic (or funnily enough, how to use OOP). As I mentioned, common sense kicked in and I spent some time looking into it until I eventually found what I was looking for. This is a clear example of how emphasis is placed on firing out code rather than doing it right.

Yes, this _is_ unethical

[DigitAl56K]

"At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical."

Maybe. But to take more than 31 bugs and disclose them a day at a time so that in effect major web-facing infrastructure for big business and home users alike will have no chance at all of being secured during this entire window, all for the purposes of publicity?

Re:Yes, this _is_ unethical

But to take more than 31 bugs and disclose them a day at a time so that in effect major web-facing infrastructure for big business and home users alike will have no chance at all of being secured during this entire window, all for the purposes of publicity?

Hell _Y_E_S_

Some of these bugs have been around forever, and a man can only take so much. How would you go about making a point to a group of people that just.. wont.. listen. This is one hell of a way to get the message across. Remember - the PHP devs claim "there are no bugs", so what's there to worry about, right? Without some drastic measures the situation will never imrpove.

Take down the service?

[Kelson]

"You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

Really? Leaving aside the matter of using shared libraries, whenever I've had to add features to PHP it's gone like this:

1. Configure PHP with new options
2. Rebuild PHP
3. Reinstall PHP
4. service httpd configtest
5. service httpd restart

The only actual downtime occurs during step 5, which lasts maybe a second at most. This is Linux after all -- you can run the old version while you're installing the new one.

Or am I misunderstanding your point?

Looking forward to this

[Qbertino]

I'm a PHP developer (amongst other things) and am looking forward to this. Stuff like this can only be good. And if it helps to find new or forgotten bugs - all the better.

Re:We audited PHP for some of our projects.

[AutopsyReport]

You will want to use an MVC (Model-View-Controller) paradigm. The Model contains your data work (accessing database, data manipulation, etc.). The Controller directs the application what to do, and the View is the final result (HTML).

The View can contain minimal PHP that's only used for display purposes. No data manipulation is done here (other than walking through records, for example). Alternatively you can use templates, but the point is moot because you're adding a layer of abstraction on top of what PHP already does -- templating.

I recommend CodeIgniter as a simple framework for any future applications you build. It's based around MVC, has a small footprint, and is very easy to learn and work with.

I dunno, it's kind of his "Brand"

[wsanders]

This is all in fun, it's his "brand". Didi your last marketing effort end up on CNN? Of course he's picked the low-hanging fruit first. Once it's 2008 and it's the "Month of COBOL on DEC Alpha Bugs" let's see if he can still stir up a media cluster f***. Go Stefan!

Pot calling the kettle black

[SimHacker]

You wouldn't be using PHP if you weren't an idiot yourself, so shut up with calling other PHP developers idiots, and blaming them for the problem. If you were such a great programmer, you would know better, and you wouldn't be using PHP in the first place.

-Don

Re:Pot calling the kettle black

Mod parent up! It might be a bit harsh but it's completely accurate and needed to be said. If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.

Re:Pot calling the kettle black

[rkanodia]

I've forgotten - how many lumps of sugar does a Scotsman take with his tea?

Re:Pot calling the kettle black

[TheNinjaroach]

You were modded "Insightful" for this flamebait? The mod system strikes again!

The only "idiots" I referred to are the ones who know just enough about their tools to get themselves into trouble. I don't see me dropping blame on _ANYONE_ whatsoever, could you point out the "blame" I've laid on others?

Flame on with your "Insightful" claims, your valuable input is appreciated.

Re:Pot calling the kettle black

[julesh]

If you were such a great programmer, you would know better, and you wouldn't be using PHP in the first place.

You know, a lot of us PHP programmers don't use the language out of choice. We use it because either (a) the boss insists on it, or (b) we're programming for deployment to a choice of web hosting providers that is out of our control, and know that PHP is the only scripting environment that we can rely on the availability of.

Unless you see a workable solution for people in either of these situations, shut up.

Re:Pot calling the kettle black

[julesh]

If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.

I'm a programmer. I work with PHP. I see a hell of a lot of problems with its design and implementation. Am I ready to dump it and switch to something better? You bet. I've been waiting for the chance for the last 5 years or more.

Can I actually do this?

No. The marketplace is such that if I implement my solutions in any other environment, I'm cutting myself out of large chunks of the market simply because people might choose a hosting provider that doesn't support whatever alternative language I choose to use.

Re:Pot calling the kettle black

[1110110001]

And if you weren't an idiot you would come up with real issues instead of replying to everyone who doesn't hate PHP. You see how easy it is to write something like this. I write it and it makes you an idiot - like you made everyone else an idiot. Or maybe you're just wrong and are wasting you're energy for the wrong things.

BTW why are you using Drupal? Any why don't you RTFM or use the recommended php.ini? Notices and display_error should be turned of:
"Notice: Trying to get property of non-object in /usr/local/src/drupal-5.0-beta1/includes/session.i nc on line 46"
Seems like this makes you an idiot^2.

Re:Pot calling the kettle black

[SimHacker]

Want to talk about real issues? Post a reply to ZActiveRecord Boondoggle or Smarty is a piece of shit!. What's you excuse for that? Will you keep apologizing for PHP, no matter how bad it is?

Why do you think I have such a distaste for PHP? Because I have to use things like Drupal and Smarty out of necessity, because someone paid me to. If I never used PHP myself, then I would have no right to complain about it. The reason I have display_errors turned on is because I use my web server to develop and debug PHP code, and I like to see all the errors, so I know they're there and can fix them. You ought to try it some time. But fixing bugs in my drupal blog isn't high on my priority list, because there are other more important PHP bugs to fix.

-Don

Re:Pot calling the kettle black

[1110110001]

You should not develop on your live server and try not to debug there either. But even if you need to you could turn display_errors on when you need it - even in a PHP script, because it's PHP_INI_ALL. error_reporting too. Maybe in an auto_prepend_file. RTM.

Now your two posts. T_PAAMAYIM_NEKUDOTAYIM or :: is always using the class it's defined in. Otherwise self:: or parent:: wouldn't work. However it will be fixed in PHP 6. If anyone would have mentioned it when PHP 5 was still in development (before 5.0) the internal structs could have been changed to allow such code. But it took until Ruby on Rails got famous for anyone to need such a feature. Maybe it's because the same thing can be done with an instance - see Zend_Db_Table.

And Smarty. If you want to write your template with XML tools why don't you use TAL? Or output your data in XML and use XSLT to transform it to PHP. If you want to use PHP template engine then just do it! Or you could use Zend_View if you're into libs. But not everyone wants or needs every PHP feature in the view layer and not everyone working with templates should need to learn PHP - or XML and XSLT and XPath and XInclude and ... Sometimes you have "designers" write the templates and for them it's easier to learn Smarty.

Re:Pot calling the kettle black

[larry+bagina]

That's just bullshit. It took Ruby on Rails (and ZRecords, *snicker*) for Zend to understand why that would be useful. Meanwhile, there are dozens of bug reports (predating PHP 5 development), dismissed and closed because its "not a bug."

PHP is full of half-assed and poorly implemented features... references, function parameters, core functionality, etc. Depending on which version you're using, http_build_query, for example, may take three parameters. Or maybe two. Or maybe the function doesn't even exist. Why do they bother polluting the namespace when you're going to have to rewrite the (5-line) function yourself?

Re:Pot calling the kettle black

[1110110001]

It seems like you're thinking it needs Zend for any feature in PHP. But PHP is not written by Zend. So it also doesn't matter when and if Zend understands if a feature is needed.

And it is not a bug. At least for self::. There is currently no keyword that can be combined with :: that does not bind at compile time. It would be funny if i.e. parent:: changes just because it's a different instance. Also many languages don't have such a keyword and you have to write the classname explicitly - which also means it won't change. And all of them have ORM libs.

But even in PHP6 it's not a bug that self:: is bound at compile time. What you want is a new keyword that is evaluated at run-time in static context. And that will be static:: IIRC.

I don't know what your problem is with functions with added parameters. That's done in every language and as long as the parameters are optional it's backward compatible. As long as you know under which version your code will run you know which parameters or even function you can use and which you should avoid. Again - like in every other language. If you think feature X of version Y is necessary you'd define that as your minimum version.

The global/single namespace, you seem to have a problem with, is not uncommon in procedural programming languages, which PHP still is. That's why prefixes are used. And you'd prefer the internal functions if performance is an issue.

Re:Pot calling the kettle black

[SimHacker]

You should not develop on your live server and try not to debug there either.

Who are you to tell me which server I should or should not develop code on? Until you paypal me enough money to rent another server for a year, and donate your time to setting up and maintaining all the software I require on the extra server, I will develop on any server I need to.

Stop making excuses for design flaws in PHP caused by the developer's misunderstanding of object oriented programming. The fact that PHP uses a hebrew word in its error messages doesn't make it easy to understand why PHP's fucked up object system is annoyingly and brokenly different than well designed object systems of other languages. As Wikipedia article on Paamayim Nekudotayim says, "Although it has been confusing to many developers, it is still being used in PHP 5, as in this sample error message: Parse error: syntax error, unexpected T_PAAMAYIM_NEKUDOTAYIM in... on line...". Is that supposed to explain why PHP's design flaw is not a design flaw? If it weren't a design flaw, then why did it broadside the Zend developers who foolishly assumed their language had as well designed an object system as Ruby? Shouldn't they understand their own object system well enough to know it was impossible to implement ZActiveRecord, before trying it, announcing it in public, and being busted by a blogger who knew their own language better than they did? Why did they fight against fixing the bug for so long? If it's a design feature and not a bug, then why have they finally agreed to fix it in PHP 6, only after they've been publically humiliated by the ZActiveRecord Boondoggle.

You PHP apologists are just like the Bush administration's right wing water carriers. You will argue the wrong side of the issue even though you know you're wrong, because politic trumps truth. Just as bad as McCain respecting and thanking Rumsfeld: "While Secretary Rumsfeld and I have had our differences, he deserves Americans' respect and gratitude for his many years of public service", then flip-flopping and criticizing him: "I think that Donald Rumsfeld will go down in history as one of the worst secretaries of defense in history."

I have used TAL quite a lot, thank you. I've developed large compex sites in Plone, written many TAL templates and Metal macros, and I absolutely hate TAL templates, Metal macros, TALES expression language, and "restricted Python". I've read many TAL templates and Metal macros written by other people (Plone is full of them), and the TAL source code itself (which was rewritten by none other than Guide during his time at Zope Corporation). It's a great implementation of a horrible idea, that has been taken to extremes. That's why I like the Kid template system so much: it elegently addresses all the horrible problems of TAL.

But now I have to deal with PHP code that uses Smarty templates, so I read the Smarty source code. Have you? Do you have any idea how it works or what it's doing behind your back? Shut up with your PHP apologizing and sit down and read Smarty head to toe before you go claiming it's easy for designers to learn Smarty. If you had any understanding or appreciation for language design or parser implemention, you would throw up in your mouth at the heuristic regular expression guessing games it plays, and the undocumented, ridiculously obscure and inconsistent nuances of its syntax.

-Don

Re:Pot calling the kettle black

[SimHacker]

If the people at Zend don't understand the nuances of PHP's object system, then why should anyone else be expected to understand it? You must concede the point that the bug that caused them to cancel their ZActiveRecord plans was a stupid mistake caused by a misunderstanding of OOP, because Zend themselves got unexpectedly bitten by it, even after making excuses for the flawed behavior and claiming they would never fix that bug. Unless your name is John McCain, choose one side of the argument and stick to it. Either it's not a bug and it should not be fixed (and you should expect it to work that way and not make the mistake Zend did), or it is a bug and should be fixed (like all the PHP programmers have been clamoring for, which you will see if you read the comments on the bug). You can't have it both ways, Mr. Straight Talk Express.

Stop making excuses for PHP's horrible global namespace. There's nothing about "procedural languages" that requires global namespaces and all the problems inherent with them. Haven't you ever heard of "modules"? You must be totally ignorant of other languages, to make a statement like that. But then again, that's probably why you choose to use PHP, and foolishly leap to the defense of its flaws: because you don't know any better.

Your homework is to go read PEP 20, The Zen of Python. Python was designed and written by people who actually understand language design, but PHP wasn't. It actually makes a difference! Here is The Zen of Python for you to read right now -- every one of the principles flies in the face of PHP's foolish design. Pay special attention to the last one:

The Zen of Python

Beautiful is better than ugly.
Explicit is better than implicit.
Simple is better than complex.
Complex is better than complicated.
Flat is better than nested.
Sparse is better than dense.
Readability counts.
Special cases aren't special enough to break the rules.
Although practicality beats purity.
Errors should never pass silently.
Unless explicitly silenced.
In the face of ambiguity, refuse the temptation to guess.
There should be one-- and preferably only one --obvious way to do it.
Although that way may not be obvious at first unless you're Dutch.
Now is better than never.
Although never is often better than *right* now.
If the implementation is hard to explain, it's a bad idea.
If the implementation is easy to explain, it may be a good idea.
Namespaces are one honking great idea -- let's do more of those!

-Don

Re:Pot calling the kettle black

[1110110001]

Namespaces are not the same as modules. Modules is just loading a bunch of constructs in the global namespace. You could use PHP with only a minimal set of modules and load what you need at runtime. But that won't work very well in the web enviroment.

BTW how do you know ZActiveRecord was the idea of someone at Zend? There are many people working on the Zend Framework and many of them are not working for Zend.

Last but not least. If you want Python - use Python. It's that simple. PHP will never be Python - why should it?

Re:Pot calling the kettle black

[1110110001]

You mean you have only one computer and that's also your server? Otherwise you could use your desktop for development. But if you want to develop on your server you can and may - it's just not something you should do if you're sane. Even if you have to you could change your config - but I've mentioned that in my previous post.

Next point. Static inheritance is not really an OOP thing. There are no school books about how it should exactly work, thus if it's a misunderstanding it means it doesn't work like in language X.

Still - self:: is bound at compile time. That's not an error and will never be. Also not in PHP6. It won't change. PHP6 will add a new keyword static:: that does late binding or at least it's planed. Again: self:: won't change and the way it behaves is not an error.

One thing I also mentioned before - PHP is not Zend's language. Zend is one of the companies working on PHP and providing tools and support for other companies working with PHP. Like Python is not Google's language even if Guido works for them.

BTW I don't believe you've really read the TAL source code. You remember. We're talking about PHP. Plone and Zope have nothing to do with PHP. Kid on the other hand is a much XML as PHP is. You said you hate Smarty because it doesn't work with XML editors. But they won't help you with Kid either, as hiding structure in PIs is not really XML. Maybe you were just looking for a random argument against Smarty.

Oh yeah I read Smarty. It's as complex as such an additional layer needs it to be. Never had a big problem. Never had our designers. Maybe it's because we write PHP code and dummy template and they write HTML dummies and than use our dummy templates to put things together. But I guess working with others is not something someone, who calls everyone an idiot out of the blue or compares him with a random jackass, would think of.

Stop using PHP or get over it. No one really forces you - you could start flipping burgers at McDonalds and never again hear of PHP.

Re:Pot calling the kettle black

[SimHacker]

There most certainly are a lot of school books and web pages written about object oriented programming, including static inheritance. OOP is not a monolithic agreed-upon definition, but there are certainly some best practices to apply and notorious mistakes to avoid. There are a lot of different things that go into "OOP", and anyone designing an object system should understand them all, so they can understand the trade-offs they're making. Unfortunately the PHP designers were just trying to ape the surface features of Java, but they didn't understand OOP well enough themselves to know why it was designed the way it was, or get their own OOP design right.

Paul Graham quotes Jonathan Rees's la carte menu of features or properties that are related to object oriented programming:

Here is an a la carte menu of features or properties that are related to these terms; I have heard OO defined to be many different subsets of this list.

1. Encapsulation - the ability to syntactically hide the implementation of a type. E.g. in C or Pascal you always know whether something is a struct or an array, but in CLU and Java you can hide the difference.

2. Protection - the inability of the client of a type to detect its implementation. This guarantees that a behavior-preserving change to an implementation will not break its clients, and also makes sure that things like passwords don't leak out.

3. Ad hoc polymorphism - functions and data structures with parameters that can take on values of many different types.

4. Parametric polymorphism - functions and data structures that parameterize over arbitrary values (e.g. list of anything). ML and Lisp both have this. Java doesn't quite because of its non-Object types.

5. Everything is an object - all values are objects. True in Smalltalk (?) but not in Java (because of int and friends).

6. All you can do is send a message (AYCDISAM) = Actors model - there is no direct manipulation of objects, only communication with (or invocation of) them. The presence of fields in Java violates this.

7. Specification inheritance = subtyping - there are distinct types known to the language with the property that a value of one type is as good as a value of another for the purposes of type correctness. (E.g. Java interface inheritance.)

8. Implementation inheritance/reuse - having written one pile of code, a similar pile (e.g. a superset) can be generated in a controlled manner, i.e. the code doesn't have to be copied and edited. A limited and peculiar kind of abstraction. (E.g. Java class inheritance.)

9. Sum-of-product-of-function pattern - objects are (in effect) restricted to be functions that take as first argument a distinguished method key argument that is drawn from a finite set of simple names.

So OO is not a well defined concept. Some people (eg. Abelson and Sussman?) say Lisp is OO, by which they mean {3,4,5,7} (with the proviso that all types are in the programmers' heads). Java is supposed to be OO because of {1,2,3,7,8,9}. E is supposed to be more OO than Java because it has {1,2,3,4,5,7,9} and almost has 6; 8 (subclassing) is seen as antagonistic to E's goals and not necessary for OO.

The conventional Simula 67-like pattern of class and instance will get you {1,3,7,9}, and I think many people take this as a definition of OO.

Because OO is a moving target, OO zealots will choose some subset of this menu by whim and then use it to try to convince you that you are a loser.

Perhaps part of the confusion - and you say this in a different way in your little memo - is that the C/C++ folks see OO as a liberation from a world that has nothing resembling a first-class functions, while Lisp folks see OO as a prison since it limits their use of functions/objects to the style of (9.). In that case, the only way OO can be defended is in the same manner as any other game or disci

Re:Pot calling the kettle black

[SimHacker]

Your argument is based on misusing a PHP term for "modules" and trying to apply it to my sentence about Python modules. Python modules ARE namespaces, arranged in a tree. Python "extension" are plug-in code that may define modules and sub-modules. PHP makes no distinction between "module" and "extension" because it doesn't have namespaces. But Python's philosophy says namespaces (aka Python modules) are a very good thing. Too bad for PHP, because its designers chose to ignore that advice, and throw everything into one big messy global namespace.

I'm not saying PHP should try to morph itself into Python or any other language, just that people should not use PHP when given a choice in the matter. Look what happened when PHP tried to morph itself into Java, without understanding the basics of OOP: you get the horrible situation that exists today, where it's impossible to implement an ActiveRecord-like ORM. PHP also has "references" that it aped from Perl, which look just like C++ references on the surface, but they're actually totally unlike anything that C++ or Java or any other sane language: symbol table aliases. Most languages consider aliasing to be a danger that is to be avoided, not a cool feature that you have to use all over the place to work around a stupid design flaw in the original language (passing structures by copying instead of by reference).

-Don

Re:Pot calling the kettle black

[1110110001]

I thought of .so when talking about modules. I.e. DSOs in Apache are modules too. Namespaces are on the list of PHP6 IIRC, but I don't know if they've found a symbol for namespaces yet.

ActiveRecord is possible in PHP, just not with the same syntax as in Ruby. You've to create an instance before using it. See CakePHP or Zend Framework for examples.

BTW PHP uses COW. You don't need a reference to an array to avoid copying.

Re:Pot calling the kettle black

[1110110001]

If you want a real pure XML template system it'll always be PITA. Otherwise no one would use XSLT or TAL, because there would be something easier. "Hiding" commands in PIs or cdata is the only way to make it easier.

Why bother implementing an extremely bad languge like Smarty in a very bad language like PHP? Just use the very bad langauge instead: it's faster!

That's what Smarty does. Templates are translated to PHP. Many people made benchmarks and Smarty is nearly as fast as plain unstructured PHP code as template language. That trade-off is because you get an organized view layer. It's the same with every other layer in the classic MVC model.

If you don't like SAX you should take a look at XMLReader. I did take a look at Kid. Something similar should be possible in PHP. Of course it woldn't be exactly the same, because it wouldn't be base on Python, so you'd bash it anyway. One problem I see in Kid is using it for output that's not XML.

Re:Pot calling the kettle black

[SimHacker]

Python's Kid template system is proof that you're wrong about XML template systems always being a pain in the ass. I've used it to write a whole lot of complex templates, and I'm very happy with it, and will continue using it. I've also used XSLT, TAL/METAL/TALES in Plone, and Smarty in PHP, and they are all total pains in the ass which I hope to avoid ever using in the future. If you had some perspective on other templating systems, you'd know that hiding commands in processing instructions or cdata is NOT the only way to make them easier. Designing clean simple consistent yet powerful XML based languages is the way to make them easier, and that's what Kid is. OpenLaszlo is another example of a well designed XML based programming language that is easy to use because it's well designed.

At least I'm criticizing and complementing systems that I've actually used. You're just making wild guesses about things you know nothing about, and your guesses are wrong.

I know Smarty translates templates into PHP -- I've read the source code and used it. Kid translates templates into Python, and I've read that source code and used it too. Kid's approach to XML processing is a much more elegent, efficient, better designed than Smarty's ad-hoc string parsing based approach, by a long shot. Go back and read the source code to both systems yourself, and use them for non-trivial projects like I have, before shooting your mouth off about them when you don't know what you're talking about.

Again: Why bother implementing an extremely bad languge like Smarty in a very bad language like PHP? You can't argue that Smarty's syntax is any better than PHP or XML. So why use Smarty at all? Why not just stick with pure PHP? There is no need for Smarty. It doesn't solve any problems that PHP doesn't already solve. It just introduced another fucked-up quirky syntax you have to learn, which makes PHP even harder to use.

And no your could not implement a system like Kid in PHP easily or efficiently, because it's based on XML event handling using Python's generators, which PHP does not support. Kid transformations are easy to write because they use generators with "yield" and "next" in co-routines running in parallel, to efficiently produce and consume XML events, so you can write straightforward procedural code with local variables, conditionals and loops, without writing SAX-like handlers and putting all temporary state into objects. Generators are a language feature that is extremely useful for efficiently processing XML, and they can't be implemented by a library: they have to be built into the language. PHP does not have generators, and I doubt it ever will.

Generator: In computer science, a generator is a special routine that can be used to control the iteration behaviour of a loop. A generator is very similar to a function that returns an array, in that a generator has parameters, can be called, and generates a sequence of values. However, instead of building an array containing all the values and returning them all at once, a generator yields the values one at a time, which requires less memory and allows the caller to get started processing the first few values immediately. In short, a generator looks like a function but behaves like an iterator.

In Python, a generator can be thought of as an iterator that contains a frozen stack frame. Whenever the iterator's next() method is called, Python resumes the frozen frame, which executes normally until the next yield statement is reached. The generator's frame is then frozen again, and the yielded value is returned to the caller.

Smarty is purely string based, and not at all XML compliant, and makes no guarantees about the validity of its input or output. XMLReader's detailed description is "This class can be used to parse XML documents and build an array with structure and data.

Re:Pot calling the kettle black

[SimHacker]

Your statement "I don't know if they've found a symbol for namespaces yet" illustrates how some people think about languages in shallow terms of surface syntax, while others think in terms of deep semantics. Namespaces are a semantic issue. The syntax you use for them is not important. Unfortunately most of the PHP designers and programmer are shallow "syntax oriented" thinkers who can only visualize a concept if they know what characters to type to represent it, and they think that once they've designed a syntax (or imitated a syntax of an existing language, like PHP's references imitate C++, but don't share any of the semantics), they're done. They they spend the next 10 years fixing thousands of bugs and security holes that popped up because they didn't think the semantic issues through. That's why PHP is such a totally fucked up mess.

Forcing the programmer to create a dummy object, just to select for real objects of the same type, is a horrible kludge, which is wasteful and imposes unnecessary and obnoxious restrictions on the design and implementation of your objects, and clutters up the code and memory with unnecessary crap. Of course that would not occur to you if you were just trying to ape the surface syntax of ActiveRecord by putting a "Z" in front of it, giving a screencast promising it, and declaring yourself done with the design phase.

-Don

Re:Pot calling the kettle black

[1110110001]

If syntax is not an issue why is perl called a write only language? Both is important. You could use as namespace operator - people should get over it, because it's not the syntax that matters.

Re:Pot calling the kettle black

[1110110001]

Know it gets funny. You're talking about how stupid I'm about not knowing what I'm talking about, but you can't even type http://php.net/xmlreader and read what it's really about.

BTW, QED: You won't accept any Kid like solution in PHP, because PHP is not Python and it won't be exactly the same. At least I'm sure _you_ couldn't implement it in PHP.

Now if you want me stop criticizing you and the stuff you write you should really learn and understand PHP.

Re:Pot calling the kettle black

[SimHacker]

Perl is a write-only language, because its designer believes it's OK for syntax to be extremely complex, subtly nuanced, haphazard and inconsistent, which I strongly disagree with.

Both is important.

Grammars "is" important, too.

it's not the syntax that matters

Both syntax AND semantics are important. If you screw up either one of them, you've made a mistake. Smarty is so horribly bad because it totally screws up BOTH syntax and semantics. Kid is so wonderfully elegant because it has both excellent syntax and semantics.

Your words suggest that you (and the PHP designers you're talking about) are thinking in terms of syntax, and ignoring the semantics. Quibbling about what character to use to syntactically represent namespaces should not hold up such an important issue of language design. PHP should have had namespaces from day one, but now it's way too far down the road of "globalism," with millions of programs depending on thousands of global variables and functions, so adding namespaces to PHP now would just be closing the barn door years after the horse left the barn. It's laughable that they'd be so concerned about figuring out the perfect syntax of namespaces, and it has taken them so long to decide, that even after 13 years PHP still does not have namespaces!

My point is that when you THINK about programming, you should no be thinking about what characters you're going to have to type in order to enter the program into a text editor. If you are are thinking at such a low syntactic level, and not thinking about the semantics of your program, then you are a shallow programmer. But if all you have to do is write a program that barfs out some HTML and substitutes a few variables, then you can get away with being a shallow programmer, like most PHP programmers. And there's nothing wrong with that. But shallow programmers should not try to design their own languages, because the results are usually disasterous. Both PHP and Smarty exhibit the pathetic symptoms of having been designed by and for shallow programmers, more worried about syntax than semantics. Their attempts to make it simple on the surface result in deep and subtle complexity.

How about using "." for namespaces, like Java or Python? Oh, that's used for string concatination. Then how about "::" (four times as many dots). Oh that doesn't work for some obscure reason. How about ... PHP syntax is in a never-ending spiral of unintended consequences! It was never planned. It's just a lame immitation of a bunch of other poorly chosen languages' syntax, without understanding or implementing their semantics. For example, PHP's references aping C++, PHP's class system aping Java, etc.

It's hard to figure out how to put namespaces or any other syntax into PHP without breaking a lot of existing code and creating subtle nuanced special cases, because PHP's syntax is not consistent like Python, nor extensible like Lisp.

PHP's simplicity is only an illusion, because it gets extremely complex and convoluted under the surface, while Python has true simplicity that goes deep. Lua and Lisp are even simpler and deeper.

-Don

Re:Pot calling the kettle black

[SimHacker]

You still don't get it. A pull parser is not the same thing as generators. Generators are a programming language construct which is extremely useful for implementing pull parsers, and modular telescoping XML processing pipelines, like the Kid templating system.

Go read the link about generators that I provided. Then please explain how you would implement generators in PHP. You can't, because it's a language feature that can't be implemented at the PHP script level. It required modifying how the PHP interpreter works. Let me say this again: it is impossible to implement generators in PHP code, no matter how good a PHP programmer you are -- you have to rewrite the PHP interpreter which is written in C, to implement generators. Generators enable your processing modules to run in parallel, each with its own return stack and local variables (i.e. co-routines). PHP absolutely cannot do that.

If you don't believe that, then you don't understand how generators work, so go back and read the article again. Then try to convince the PHP designers to add generators to PHP: good luck!

Python supports generators, because they are built into the interpreter. They are a fairly new feature from Python 2.3, described in PEP 255: Simple Generators. The Python interpreter C code had to be modified to support them, and it was done because generators are so useful (especially for processing XML).

Other more powerful languages like Scheme do not have to have their interpreters modified in order to support generators, because they already have more powerful programming constructs (like continuations) that can be easily and efficiently used to implement generators.

But since PHP does not support continuations or co-routines, it is absolutely impossible to implement generators (or Kid-like templating systems) in PHP, no matter how great a PHP programmer you are.

-Don

Re:Pot calling the kettle black

[1110110001]

Stop the Blah. If you don't want to answer my posts just don't. Your "an easy XML template engine can only be done with generators" makes you look very stupid. But that's nothing new.

Re:Pot calling the kettle black

[SimHacker]

Of course I'm answering your posts -- you're just ignoring my answers. What point did you make that I didn't address? Just because you don't understand what I'm saying doesn't mean it means "blah". Go read the article on generators. You implied that a good PHP programmer could implement generators in PHP, and you are totally wrong. You obviously don't know what generators are. I provided a reference. Did you read the article I refered you to about generators? Do you understand them now? Do you still maintain that a good PHP programmer could implement generators without hacking the PHP interpreter source code in C? Or do you concede my point?

And now you are misquoting me: I never said "an easy XML template engine can only be done with generators". I said templating languages should have well designed syntax and semantics, but Smarty has neither, while Kid has both. I also said that generators make it much easier to implement efficient elegent XML processing tools (note that implementing a templating language is very different than using it: graphical designers don't have to understand or use generators in order to use Kid), and you haven't been able to counter that argument because you don't even understand what generators are, even though I provided a reference. Are you too lazy to learn? Then concede my point. The ball's in your court and the burden of proof is on you.

Are you contesting my claim that generators are extremely useful for implementing efficient XML processing pipelines? Or do you accept my point? Are you arguing that syntax doesn't matter? That semantics doesn't matter? Or do you accept my point that both matter? Are you arguing that Smarty has good syntax and semantics, or do you accept my point that it sucks?

What templating languages have you implemented, and have you published any papers about them so I can read about your design? Have you read the paper about the HyperTIES markup language I implemented in 1987 and published with Ben Shneiderman in 1991? Have you ever read any other papers written by Dr. Shneiderman, or even heard of the field of human computer interaction, or read the ACM journal of Hypermedia? Have you even heard of ACM? Do you have any problems with the points that peer reviewed paper made about markup language design? I linked to the source code and documentation that I wrote, so you can look at that and make comments on it. So what are your comments on the points I made? Silence?

"If you don't want to answer my points just don't", but that "makes you look very stupid". I am addressing your arguments point by point, and you're totally ignoring every point I'm making. Why is that? Can you answer any of these questions I've asked, or are you just frustrated that you made a lot of stupid arguments about topics that you don't know much about, and you're trying to run away from the argument without answering any questions?

You accused me of not knowing what MVC was, and I told you when I first started using it, and refered you to some criticism I wrote about it. What are your comments on that? More silence? I addressed your incorrect accusation, and asked you when you learned MVC and if you had any criticism of it or just accept it blindly, but you refused to answer. More silence that makes you look stupid.

Face it: Smarty is a piece of shit, and you're trying to apologize for it by making ridiculous statements like "don't use math in templates". You are full of shit, and I refered you to papers I wrote years ago to answer your posts and rebut your points! Don't blame me if you're too lazy to read them or too ignorant to understand them.

You're wrong that I don't want to answer your posts. I have, but you just ignored me. Can't you defend your statments? Why can't you answer my questions point by point, instead of ignoring them all?

-Don

Re:Pot calling the kettle black

[1110110001]

First - like in you other post you're now starting that "look at my penis and how big it is" thing. That's boring.

The math was {math} in Smarty. It's also mentioned in the manual that it's not a good idea to use it.

And I did never say a good and easy template engine needs a language that support generators. That's your shit. What I said was that something similar to Kid could be done in PHP. Including being light on memory. You can't stop talking about generators and thus aren't answering my post.

At least I accept that Smarty isn't the right choice for you. I just don't understand why you invest so much time if you really hate it. You could just ignore it.

Re:Pot calling the kettle black

[SimHacker]

You're the one who accused me of not knowing about MVC or templating, so I gave you some references to my experience. You're the one who brought the subject up by making false accusations. Do you retract what you said about me not understanding MVC or templating?

If Smarty's {math} isn't a good idea to use, as documented by the Smarty manual, then why does it exist? Either Smarty is supporting "bad" features that you should not use, or your premise that "math is bad" is wrong.

Of course PHP is a horrible language because it's rife with stupid half-baked ideas that they threw into the language but that are a bad idea to actually use (register_globals, magic_quotes_gpc, addslashes, all the other half-assed attempts at quoting sql strings, etc.) But math is not one of those mistakes. Do you think it's OK for Smarty to have features that you claim are bad ideas, just because that's typical of the PHP culture?

My point is that you are dead wrong about math being bad in templates. You're just attempting to apologize for Smarty by repeating what you believe is the "conventional wisdom", and that conventional wisdom is dead wrong.

What references can you give me that prove your point that you should not use math in templates? Did Alan Kay ever stand up and said "I invented OOP and MVC, and I say that views should not use math"? I gave you a reference to a paper I wrote with Ben Shneiderman (who is a user interface and hypermedia researcher whose name you should recognize if you know anything about the subject), published in the peer reviewed ACM journal of Hypermedia, which clearly describes why it's useful to have math in templates (for calculating the condition for conditional text). What is your counter-argument, or do you prefer to avoid answering that question because you can't? Claiming your too bored is conceding my point.

You keep trying to avoid addressing the arguments, by claiming you're too bored to respond, or twisting my words. I never accused you of saying a good and easy template engine needs a language that supports generators, so why are you denying that you said it, if I never implied you did? You can't win an argument by repeating the other person's point as if it's your own, as if I accused you of claiming the point I was trying to make. That only works in Bugs Bunny cartoons.

What I do accuse you of implying is that a good PHP programmer could implement generators (by saying that I wasn't a good enough PHP programmer to implement Kid in PHP), which means you have no idea what generators are, even though I pointed you to a perfectly good explanation of what they are. Did you read the explanation? Do you still believe that a PHP programmer can implement generators in PHP, or not? Do you think you're such a great PHP programmer that you could implement a templating system as efficient and easy to program as Kid, with or without generators?

So how do you propose a PHP programmer implement a good templating system without generators? I previously listed the advantages that generators have over the SAX based even call-back method, which as you know, if you've ever tried using it, is a total pain in the ass and hard to program. I also listed the advantages that generators have over parsing the entire document into a DOM tree, which is a total waste of memory, and extremely inefficient. Generators enable you to 1) process arbitrarily sized XML documents efficiently, 2) write straightforward code that uses conditionals and loops 3) keep temporary state in local variables instead of having to store it in object fields between event handler invocations. So which programming techniques do you suggest PHP programmers use to get around the problems that generators solve so nicely?

Ignoring smarty is not an option for me. I know how bad it is because I'm working on a project that uses it, and I have read the source code to understand how it works. So I have every right to complain about it.

-Don

Re:Pot calling the kettle black

[SimHacker]

"Stop the Blah", huh? So you've stuck your fingers in your ears and you're chanting "ya ya ya ya ya" because you refuse to listen to what I say, since you can't come up with any better arguments? Why can't you answer any of the questions I've asked you? If you incapable of answering any of the questions I've brought up, then you're conceding my points, thank you.

-Don

Re:Pot calling the kettle black

[1110110001]

That's a post lenght that's worth reading. Try to answer short and right to the point instead of instead of telling me what you did 20 years ago or posting information about things I already know (like what Generators are).

Maybe you should also understand that just because someone isn't against you that doesn't mean he is with you. So if I don't answer your question that could mean it's just not worth an answer or my time.

But let's use your opinion about conceding points. You had no argument against the XMLReader as found in newer PHP version or PECL. So that means it's a good solution and could help to write a better template language. Thank you very much for the discussion. I'll now stop feeding the troll.

Re:Pot calling the kettle black

[SimHacker]

The problem with using a pull parser like XMLReader from a language like PHP that doesn't support generators, is that it's difficult to write the rest of your XML processing stack using the efficient event-driven pull processing approach. The parser is only the first step of an XML processing pipeline, and while it's nice to have a pull parser, it's much nicer if you can write the rest of the templating system and XML processing pipeline in that style, as well. Which is extremely difficult to do in PHP, because it lacks generators. Why should only the parser be efficient, and not the rest of the program?

You claim you understand what generators are. Then do you think they could be implemented in PHP by a good programmer? How? Do you consider yourself a good PHP programmer, or will you pass on explaining on how to implementen generators in PHP?

Not having the attention span to understand the issues is not an excuse for being wrong -- it just means your opinions aren't valuable because you refuse to put the time into learning. If these issues bore you so much, then perhaps you shouldn't be programming computers, and just flip burgers instead?

-Don

Re:Pot calling the kettle black

[1110110001]

http://php.net/xmlwriter
http://php.net/stream_wrapper_register

What you call extreme would others call a challenge.

You're making it yourself very easy with your generators argument. It's always the same ... not ... possible ... no .. generators ... only .. holy ... generators ... can ... work. Like a robot. When do you invest some time and learn? Just because you did something useful in the 80ies or 90ies doesn't mean you can stop learning.

Why was register_globals there in the first place?

[SimHacker]

Can you please explain why register_globals was there in the first place? The reason is that PHP was designed by idiots, pure and simple. It should have never existed, not as an option, and especially not as a default setting. The same goes for magic_quotes_gpc and its ilk.

Face it: PHP is a horribly designed language from the core to its extremities, and you can't knickle-and-dime security issues as you discover them. The PHP development team's attitude just makes it much much much much worse. You're an idiot to trust them, and a danger to the Internet if you apologize for PHP, make excuses, and continue to evangelize and recruite naive developers.

-Don

The chickens come home to roost.

[SimHacker]

And you're surprized? You made your bed, now sleep in it. Or rather, stop sleeping until you've un-installed PHP on all your servers, because it will never be secure, thanks to the PHP team's attitude.

-Don

Re:The chickens come home to roost.

[tinkertim]

And you're surprized? You made your bed, now sleep in it.

I never get to see much of that in a GOOD month.

Or rather, stop sleeping until you've un-installed PHP on all your servers, because it will never be secure

Nothing connected to the Internet is secure.

thanks to the PHP team's attitude.

... the Internet will soon be flooded with more spam IRC wars and (quite possibly) extortion of small e-business than it would be otherwise. I think this is the first time you'll see a company really duck behind the "WITHOUT WARRANTY" clause in the software's open source license agreement.

The remaining question

[SlappyBastard]

Are these exploits or "exploits"? After all, a lot of "exploits" are huff and bluff about what really should be called bugs or even just quirks.

Re:The remaining question

[tinkertim]

Are these exploits or "exploits"? After all, a lot of "exploits" are huff and bluff about what really should be called bugs or even just quirks.

Of course he won't come out and say, I think the point of that interview was to simply irritate PHP. In effect, he's going to irritate a great many of us who have no choice but keep PHP installed.

I think (and this is just the feeling I got from TFA) that :

Maybe , 1/3 of them are really just 'bugs' that have the potential to cause undesirable effects (segfaults and such).

Another 1/3 are "Serious" exploits in the definition of the word, but you really need at least shell access to play with them, many (i'd assume) only come out and play with root.

Another 1/3 are most likely going to be the ones we're worried about. Now, of that 1/3, 1/2 of them may not be so easily exploited by your average script kiddie. It would take someone rather skilled to really see the value of the exploit. But, if just one brainiac posts a how-to on a forum .. well then so much for that.

I think, to be safe .. its time to go make sure all your key pairs are up to date and write a script to bulid, and rebuild, and rebuild (and rebuild) PHP. You should have a few days to finish that. Just don't write the script in PHP :)

Re:So, PHP means ?(lets replace this with Ruby)

No, Ruby On Rails is quite insecure. The libraries, the interpreter, and most Ruby On Rails software are all poorly written.

And if inexperienced scripters is really the major problem, then the Ruby On Rails developers need to take them into account when developing Ruby On Rails. This means that the Ruby On Rails developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of Ruby On Rails itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

Wow Insightful!!! I feel enlighted. How about perl?


No, Perl is quite insecure. The libraries, the interpreter, and most Perl software are all poorly written.

And if inexperienced scripters is really the major problem, then the Perl developers need to take them into account when developing Perl. This means that the Perl developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.

Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of Perl itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.

WOW!!! INSIGHTFUl!!! You Mods are so smart!!
 
What language name shall I insert next?

High calorie solutions

It's more like a chocolate Advent Calendar of bugs. Script kiddies get a new treat every day, and the rest of us need to wait an extra month for the fat to be trimmed off with full patch.

Effective publicity, yes.
Effective results, no.
But the point, I think, is that it's a lose-lose situation to begin with. I'm not convinced software developers have any "shame" threshold to speak of.

Besides, there are more important and older bugs to tackle, like this tooltip issue I've had in Firefox since 0.9. SOMEONE FIX!!1!

Re:High calorie solutions

[1110110001]

Why do you have to wait a month? Something with your setup must be wrong if you can't get the recent source from CVS or download the latest snapshot.

STOP EVANGELIZING PHP! YOU'RE HARMING THE INTERNET

[SimHacker]

The root cause of the problem of PHP's popularity are the minions of ignorant, irresponsible PHP fan-boys, evangelists and apologists who are always shooting their mouths off trying to convince droves of other sloppy uneducated programmers to use PHP.

STOP EVANGELIZING PHP! YOU ARE HARMING THE INTERNET!

-Don

Time to switch

[harry666t]

I think I'll switch to brainfuck.

Anyone ever heard about a bug in brainfuck?

PHP FUD is justified!

[SimHacker]

If you're not fearful, uncertain and doubtful about PHP, then you're head is stuck in the ground and you do not know what you're talking about. PHP should most certainly be feared, doubted and not trusted. Stop being such an apologist fan-boy, and trying to attack the messenger instead of the cause of the problem: the PHP development team's negligent attitude.

-Don

PHP hosting installed base

[tepples]

Sounds to me like that same reasoning will keep those same people from rewriting things in any other language as well. It does. By far, among budget shared web hosting providers, the mainline PHP interpreter is installed on more accounts than any other interpreter.

ZActiveRecord Boondoggle

[SimHacker]

Not only is the PHP development team negligent when it comes to dealing with security bugs, but they're incompetent when it comes to understanding the limitations of their own language, the tenants of object oriented programming, and database object-relational mapper design.

Here is quick summary of my previous post about Zend's ZActiveRecord Boondoggle:

The creators of PHP are morons, and their support company Zend is dishonest and incompetent. The ZActiveRecord boondoggle demonstrates exactly what I mean: They can't program their way out of a paper bag, an don't even understand the limitations of the very language that they haphazardly "designed".

To summarize: [Criticism of PHP "references".] [Criticism of PHP "object system".] [Description of "static methods".] [Description of Ruby on Rail's ActiveRecord.] [Description of "ZActiveRecord", Zend's lame half-baked cargo cult attempt to ape ActiveRecord.] [Zend busted for misleading screencast.] [Blog posting that proves: ZActiveRecord Can't Work.] [Zend misunderstood their own language's object system, showed fake code in a screencast that could not possibly work (because of a PHP bug), and made promises of ZActiveRecord they couldn't keep, because of that stupid bug they refused to fix.] [Longstanding bug that PHP static methods that the developers refuse to fix.] [Summary of comments on the bug that prevents anyone from writing an ActiveRecord-like ORM in PHP.] [Final word from andi, calls it expected behavior, demonstrating how he misunderstands object oriented programming, and casually dismisses all the bug report's valid comments.] [Zend gets hoisted on their own pitard by this very bug.]

And here's the final word from andi: "Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ [php.net] and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php [php.net] This is expected behavior. self:: binds statically to its class (to the best of my knowledge other languages like C++ don't support this either as they require to explicitly use the class name). There are actually advantages also to this approach as they allow you to protect and encapsulate functinality."

Since Zend's dishonest and embarassing public-relations disaster with the ZActiveRecord Boondoggle, Zend has quietly withdrawn their plans for ZActiveRecord, instead of fixing the stupid bug that made it impossible to implement and ORM like ActiveRecord in PHP.

It's not just security that the PHP developers and Zend don't care about. They also don't care about nor understand object oriented programming, nor database object-relational mapping.

There is absolutely no reason to use PHP, when there are great languages like Python with extremely powerful, easy to use, safe and secure, database independent, object-relational mappers like SQLObject , and intelligent scalable SQL toolkits with multiple modular ORMs like SQLAlchemy. That stuff so blows away PHP's horribly insecure string-concatination approach to SQL, and all of the kludgy PHP database libraries people have cobbled together over the years.

-Don

Re:ZActiveRecord Boondoggle

[nuzak]

Yes, PHP sucks, I agree wholeheartedly. But do you have to post this polemic verbatim every time though? Post it up somewhere and a give us a god damned link. You're the "BSD is Dying" troll all over again.

Re:ZActiveRecord Boondoggle

[SimHacker]

I did not post it verbatim: I linked to my previous post and summarized it. What is "verbatim" about that? (Do you misunderstand what the word "verbatim" means? Look it up before using it!) I certainly did give you a "god damned link". If you disagree with the facts on the ground, then state your arguments, instead of making up lies about "verbatim" postings and not giving you a "god damned link".

I will keep posting references to the ZActiveRecord Boondoggle until Zend finally gets their act together and fixes the problem. Or you can fix the problem yourself, and try to get them to integrate your changes! That will make me shut up about it. But telling me not to "post this polemic verbatim every time" and "give us a god damned link", after I go to the effort of summarizing my previous post and linking to it, isn't going to make me shut up. That's just white-washing and censorship, and a lame attempt to rewrite history, fan-boy.

If you don't like the heat, get out of the fire.

-Don

Re:ZActiveRecord Boondoggle

[nuzak]

They will not fix it. It will always suck. Move on. I truly pity a person who is so hateful as yourself.

Re:ZActiveRecord Boondoggle

[SimHacker]

My point exactly: Of course they will never fix it! Move on to other languages than PHP, because PHP will always suck, and never be fixed.

But if you have to lie about what I said in order to make your straw-man argument, then I pity you too. Have you looked up the meaning of the word "verbatim" yet? I truly pity a person who is as illiterate as yourself.

-Don

HARDened PHP?

What's up with this logo: http://www.hardened-php.net/globals-problem

PHP Reality Show!

[SimHacker]

How about putting all the PHP developers on a month long reality show, where if they can't fix all their bugs in a month, they have to cancel PHP!

But there would be so many bugs, soap operas, security holes, personality conflicts, segmentation violations, and hissy fits, that the network executives would extend the PHP Reality Show again and again, and it would end up running longer than The Simpsons. They could keep it going forever, by fixing one bug a day, while adding two more bugs.

-Don

Re:PHP Reality Show!

[lewp]

I gotta admit, I would watch that. It would never fly on TV, but you could do whatever the hip term for a video podcast is.

Smarty is a piece of shit!

[SimHacker]

Oh, please. Smarty is a piece of shit. You are hereby sentenced to go read the Smarty source code, and don't come back or post anything else about PHP to slashdot until you are done, and have washed the puke taste out of your mouth. Then you will be so embarassed you mentioned Smarty. It's one of the most truly horrible pieces of PHP code I have ever seen and had the misfortune of having to use. The whole idea is ill-concieved. PHP is ALREADY a templating language: why use it to implement another half-baked watered-down ill-defined templating language, that doesn't even support all the functions or syntax of PHP? I mean, it's not like Smarty keeps you from having to learn PHP, and then you still have to learn its horrible quirky half-assed syntax, which is even worse and messier than PHP! And you certainly can't edit in an XML editor, since it's flagrantly XML non-compliant, or even a PHP editor, since it's not PHP syntax either.

Templating languages should be clean, elegant, well integrated with the native scripting language, not trying to fight against it. And they should be 100% XML compliant, so you can edit and integrate them with all your other XML tools. Python's Kid templating language is a wonderful example of how to do it right.

Kid is a simple template language for XML based vocabularies written in Python. It was spawned as a result of a kinky love triangle between XSLT, TAL, and PHP. We believe many of the best features of these languages live on in Kid with much of the limitations and complexity stamped out (see WhatsBorrowed and WhatsDifferent). For more info on current and planned features and licensing information, see AboutKid.

Why use Kid?

Kid was designed to simplify the process of generating and transforming dynamic well-formed XML documents using Python. While there are a myriad of tools for working with XML documents in Python, generating XML is generally tedious, error prone, or both:

* APIs like SAX, DOM, or ElementTree can guarantee well-formed output but require that output documents be created entirely in Python.

* Template languages like Cheetah or PTL make generating text content easy but offer little to help ensure the output is correct/well-formed. Using text based tools to generate XML can result in bad data as there are many issues with basic XML syntax and encoding that need to be understood and coded for by the programmer.

* XSLT provides much of the functionality required to generate good XML content but requires all input to be in the form of an XML document. This brings us back to the original problem of not being able to generate XML content safely and easily.

Kid is an attempt to bring the benefits of these technologies together into a single cohesive package.

Kid also allows the programmer to exploit the structured nature of XML by writing filters and transformations that work at the XML infoset level. Kid templates use generators to produce infoset items. This allows pipelines to be created that filter and modify content as needed.

-Don

From the PDO docs page:

[yem]

Warning

If your application does not catch the exception thrown from the PDO constructor, the default action taken by the zend engine is to terminate the script and display a back trace. This back trace will likely reveal the full database connection details, including the username and password. It is your responsibility to catch this exception, either explicitly (via a catch statement) or implicitly via set_exception_handler().

The default behavior in case of database problems is to display the host, username and password in the browser? Good grief.

Re:So, PHP means ?(lets replace this with Ruby)

[Andrew+Kismet]

Java! And Applescript! And FORTRAN! And Cobol!

Cat's already out of the bad, so not unethical

[SimHacker]

It was highly unethical for the PHP development team to sweep all those bugs under the rug. The cat is already out of the bag. They are already public. Making an public issue of the PHP developer's horrible behavior and careless attitude is the only ethical thing to do. Don't blame the messenger. Blame the incompetent people who refused to fix the bugs, not the diligent person who fixed them, but had his changes ignored by the incompetent people.

-Don

Re:We audited PHP for some of our projects.

[SimHacker]

If PHP is so great at supporting databases, then why did Zend give up on their ZActiveRecord Boondoggle, which wouldn't work as they falsely advertised because of a stupid PHP bug they refused to fix? Why isn't there anything like ActiveRecord for PHP? Because it's impossible, because of a bug that came about because the PHP developers didn't understand object oriented programming when they tried to imitate Java's class system.

Python has no trouble implementing ActiveRecord-like ORMs, and even has much more advanced SQL database toolkits than ActiveRecord. What does PHP have that compares with Python's SQLAlchemy?

-Don

Re:Why was register_globals there in the first pla

[raynet]

For beginners register_globals can create nasty suprises, but for those who know that it is on and write the code accordingly, I don't see what is the problem with register_globals being enabled.

One of the biggest problems currently with PHP is the lack of good database module with support for multiple different database engines with things like prepared statements.

Re:Why was register_globals there in the first pla

[SimHacker]

For beginners register_globals can create nasty suprises, but for those who know that it is on and write the code accordingly, I don't see what is the problem with register_globals being enabled.

Most PHP programmers ARE beginners, so it creates many many unnecessary nasty surprizes. And for experts, it does not give you anything that you can't already do another way. It adds no real value to the language for experts (of which there are few), and totally screws beginners (of which there are many). Now please explain why you're apologizing for PHP and making excuses for why register_globals is still part of the language after all these years everyone knew it was wrong? I ask again: why did they make such a horrible mistake in the first place?

One of the biggest problems currently with PHP is the lack of good database module with support for multiple different database engines with things like prepared statements.

That's ironic, because people often repeat the myth that PHP makes it easy to interface with the database. Easy but deadly. The reality that PHP has horrible database handling is what's causing PHP programmers to defect to Ruby on Rails (which has ActiveRecord) in droves. Zend tried to imitate ActiveRecord but that resulted in the ZActiveRecord Boondoggle. Python has some excellent database interfaces and object-relation mappers, like SQLObject and SQLAlchemy, which beat the pants of anything PHP has to offer.

-Don

Re:So, PHP means ?(lets replace this with Ruby)

The grandparent is correct. The PHP developers are shit, and they wrote a shitty implementation of a shitty language with shitty libraries. And it will never get any better, because only shitty developers use or care about PHP.

I'm not familiar with the internals of Ruby, but Perl is surprisingly well written.

modsecurity

[Ozgur+Uksal]

I recently installed modsecurity http://www.modsecurity.org/ for apache along with the
rules from http://www.gotroot.com/ and it's done a good job of blocking attacks
on my server including a lot of the php mail() injection attempts.

ozgur uksal

Re:STOP EVANGELIZING PHP! YOU'RE HARMING THE INTER

[Watts+Martin]

STOP EVANGELIZING PHP! YOU ARE HARMING THE INTERNET!

How do you really feel, Don? Don't hold back for our sake.

Seriously, while I agree in spirit, what PHP has going for it isn't "irresponsible PHP fan-boys" as much as it is a good ol' network effect. Every host has it and deploying a PHP application is often just a matter of uploading the file and going. (In the immortal words of Jeff Goldblum, "There's no step three!") Contrast that with Ruby on Rails; you have to find a host that will host a Rails app, and as I'm learning, some of the ones that say they do have a lot of caveats on their basic plans (I'm looking at you, TextDrive, with shared hosting process size limits that make running Rails... problematic, shall we say). Assuming you manage to get things set up with Capistrano you're golden. Unless you gotta move providers for some reason. If you do, you're not just dumping your database file and zippin' up the application directory like you would with -- yes -- PHP. While I haven't used Django or Python-based apps, many of the concerns are, from what I've seen, similar.

Yes, yes, I know: none of these things make PHP any better as a language, all of them could be addressed through proper education, and so on. All true. But I'm gonna go out on a limb and guess that you're hostin' your own web site on Drupal rather than Django (or whatever) for reasons other than being convinced by droves of sloppy, uneducated programmers. And those reasons are the ones that need to be addressed. Until deploying Rails, Django, Seaside, or whatever else is as easy as deploying PHP, then PHP wins. The most repeatable (if oft depressing) lesson of modern technology is, arguably, convenience trumps all other considerations.

Fork it

[LingNoi]

If they are problems which are not being fixed then why not fork the PHP code base and apply your security fixes, no ones stopping them and this is the point of open source software.

If something isn't being done then you have to do it yourself.

Re:Why was register_globals there in the first pla

For beginners register_globals can create nasty suprises, but for those who know that it is on and write the code accordingly, I don't see what is the problem with register_globals being enabled.

If you don't see what the problem is, then you're not smart enough to code accordingly.

One of the biggest problems currently with PHP is the lack of good database module with support for multiple different database engines with things like prepared statements.

Look at Pear::DB or PDO (in PHP 5).

Re:Why was register_globals there in the first pla

[raynet]

Now please explain why you're apologizing for PHP and making excuses for why register_globals is still part of the language

I am not apologizing, perhaps I am just stupid or something, but I really don't see the problem with register_globals. Perhaps you could point me to some well written article on why it is so fundamentally bad design.

That's ironic, because people often repeat the myth that PHP makes it easy to interface with the database. Easy but deadly. The reality that PHP has horrible database handling is what's causing PHP programmers to defect to Ruby on Rails (which has ActiveRecord) in droves.

And I said, database handling is what in my opinion sucks the most in PHP. Some anonymous commented about Pear:DB and PDO, and PDO looks at a glance to be quite an improvement, so perhaps PHP6 gets it right...

Re:STOP EVANGELIZING PHP! YOU'RE HARMING THE INTER

[SimHacker]

I'm all for capitalism: vote with your feet! Those hosting providers who only host old poorly configured versions of PHP, and refuse to host decent versions of Ruby and Python, totally deserve to go out of business. So stop sending them your money! It's not like it's hard to find a better one. And I'm sick and tired of all the spam and break-in attempts I get because there are so many security holes in PHP running on those cheap hosting providers' hijacked servers.

Somebody paid me to do some Drupal programming, so I decided to learn it by installing it on my development server, using it for my own blog, reading the source code, and writing my own module (which exports an OPML site map based on the Drupal taxonomy, which dovetailed with my Laszlo OPML Drupal Taxonomy Site Map Browser). As PHP code goes, Drupal is pretty clean and well designed, because it refuses to use PHP's fucked up object system, and rolls its own instead. If course it's clumsy since its own object system is not directly supported by the language (and PHP isn't extensible like Lisp, whose macro system and CLOS lets you elegently roll your own object systems that are seamlessly integrated into the language). But Drupal's html generation facilities and user interface suck.

Sure I would love to try Django, but nobody's offered to pay me to learn it, and I have other stuff to do. I have spend a lot of time doing Zope and Plone development, and was trying to use it as a blog, but I was not satisfied with it (it's very frustrating and much too complex), so I moved over to Drupal because somebody wanted me to do some Drupal work. Ideally I'd write my own blog in TurboGears, which is currently my favorite Python web framework, but I don't have time for that either (and I'm not satisfied with any of the "Write a blog in 2 minutes" screencast example blogs, as cute and furry as they are). I'd rather spend my time developing software instead of writing about how I would be developing software if I weren't writing about it (like I'm doing right now, ironically).

You're certainly right about convenience trumping all other considerations. But building an elementary school out of radioactive wastes, asbestos insulation and lead flashing, exterminating bugs with DDT, hiring drunks to drive the school busses, and contracting McDonalds to run the cafeteria, may be convenient and expedient, but it's unwise and irresponsible.

Until people who understand the dangers start loudly and publicly warning other people about them, there is very little chance of changing those horrible yet convenient practices. That's what Stefan Esser and I and other people are doing, because it's important to discourage people who don't know better from choosing to use PHP when there are much better alternatives, and embarass the PHP developers who should know better into fixing their fucking long standing security problems and bugs (because nothing else has worked).

-Don

Re:Why was register_globals there in the first pla

[SimHacker]

If there isn't a problem with register_globals, then why are they finally taking it out of the language? Of course the real questions are: why did it take so long to remove from the language, and why was it ever there in the first place? That is even more evidence of extremely bad judgement on the part of the PHP designers, that they mad such a bad mistake in the first place, and took so long to admit they made a mistake and correct it. They still try to blame it on "bad developers", but that's the only kind of developers they have left any more, because anyone with any sense or choice in the matter has moved on to better languages like Python and Ruby.

Doing a google search for register_globals site:www.us-cert.gov shows 112 references to security vulnerabilities having to do with register_globals. Is that enough evidence that register_globals is a bad idea?

The register_globals flag should not even be an option, backwards compatibility be damned. When you have security holes like "Unsafe termination of parse_str() may result in the register_globals directive turned back on, you're screwed even when you turn it off, because PHP turns it back on internally, then wets its pants before turning it back off, so it leaves it on for the rest of the lifetime of the web server.

That terrible bug was found AND FIXED by Stefan Esser (the person who this thread is about, in case you didn't bother to read the article), yet some piss-water-carrying PHP fan-boys are still attacking him as a "traitor".

Here is another article he wrote about PHP security problems having to do with register_globals and a lot of other stupid flaws that should have never existed in the first place: Zend_Hash_Del_Key_Or_Index Vulnerability. If you don't like it when people blame the Zend Corporation for so many of the problems in PHP, then maybe you should ask Zend to stop putting their company name into all those functions that are the root cause of so many security problems.

-Don

Smarty for dummies

[SimHacker]

Oh man Smarty source code is just a hoot. Look at this stuff:

The rats-nest of regular expressions in Smarty_Compiler.class.php, and how they're used along with even more regular expressions scattered throughout the code.

File function.math.php, function smarty_function_math:

// make sure parenthesis are balanced
if (substr_count($equation,"(") != substr_count($equation,")")) {
$smarty->trigger_error("math: unbalanced parenthesis");
return;
}

That's the typical kind of seat-of-the-pants half-assed parsing that Smarty is rife with. In this case, it gleefully accepts "))((" as balanced parenthesis, and doesn't ignore parenthesis in strings! Why even bother checking, if the check's obviously not correct?

Smarty just heuristically interprets text in a bizarre, poorly documented, non-standard, arbitrary accidental syntax, by slinging around inscrutable regular expressions, parsing text bit-by-bit, making exceptions and special cases, guessing and fudging and cutting corners all along the way. It's so haphazard and mixed up, it's impossible to write a decent emacs text editing mode for it, let alone edit, validate and process your Smarty templates with standard off-the-shelf XML tools. That's why Smarty is such a vile, poorly designed templating language.

-Don

Re:Smarty for dummies

[1110110001]

Why do you do complex calculations in your view layer? Or are you still using 2.5? Otherwise avoid math.

Re:Smarty for dummies

[SimHacker]

You're such an apologist. Avoid math, indeed. You sound like a pull-string Barbie doll: "Math is hard!".

I don't need you to lecture me on what functions I should or should not be calling in my templates, thank you. And I don't need Smarty to restrict me arbitrarily to a few specific functions. (That was the problem with Zope's horribley lame "restricted Python".) If you look at the Smarty source code right after the other code I quoted, you will see that's exactly what it does: it has a list of math functions you're allowed to call, but it won't let you call any others (unless you can trick the parser into letting you call them, which is easy because Smarty's parser is so stupid).

-Don

Re:Smarty for dummies

[1110110001]

You don't understand the difference between someone who writes template and someone who writes code. Only the later needs power. Designers need a little counter or perhaps a modulo for different row colors. View logic isn't really complicated, but it seems like you don't know MVC anyway.

Re:Smarty for dummies

[SimHacker]

A templating language's support for math functions does not get in the way of designers using it. They don't need to know math in order to use it. Your argument that designers don't deserve to be able to use math even when they need it is ridiculous. Maybe your designers are mathematically illiterate, and your templates are extremely simple, but don't try to force your low standards on the rest of the world. There is nothing about supporting math that makes a templating language hard to use.

In fact Smarty does support some math functions, but not all of the functions supported by PHP. So are you actually arguing that Smart goes to far in its support for math?

Since when were you the final authority of which functions view logic should be allowed to call? I often need to round a number to a particular number of decimal places in the view, so why are you arguing that I shouldn't be able to?

As for your guess that I don't know MVC: I've writing user interface toolkits since 1986, when I developed pie menus for the X10 "uwm" window manager, and I've been regularly using OOP and MVC since at 1987 or so. When and how did you learn about object oriented programming and MVC? Do you know enough about MVC to offer any criticism of it, or do you just blindly accept it as a given without questioning it?

The hypermedia formatting and templating language I developed around 1987 was called the "HyperTIES Markup Language" for Sun workstation version of the HyperTIES hypermedia browser, while I was working for Ben Shneiderman at the University of Maryland Human Computer Interaction Lab. I implemented the first version in Forth, and it had full access for Forth expressions, conditionals, loops, etc. We implemented the second version in C, and it had a full set of mathematical and string processing functions, as well as the ability to define macros, conditionals, loops, etc.

Here is a description (including links to the source code) of the HyperTIES Hypermedia Browser and Emacs Authoring Tool for NeWS, and also a paper we published about HyperTIES in the ACM journal "Hypermedia" Volume 3, Issue 2 (1991): Designing to Facilitate Browsing: A Look Back at the Hyperties Workstation Browser [reference].

You should read the paper we published in 1991, because it gives a good explanation of why templating languages should support macros, math and string processing functions. One reason is conditional text. The conditions must be able to evaluate conditional expressions, which need to be able to call math and logic fuctions, as well as many other utility functions that are useful for authoring conditional text.

Have you published or can you reference any peer reviewed papers that support your point that templating languages should not support math? But it seems like you don't know templating languages, anyway.

From Designing to Facilitate Browsing: A Look Back at the Hyperties Workstation Browser:

Generating customizable documents

To achieve effective formatting we created the Hyperties Markup Language (HML) in 1988. It includes standard markup language features and conditional text to easily customize the document based on user actions. Although traditional Generalized Markup Languages, the Interleaf document preparation system, and scripting languages such as Hypertalk enable authors to specify conditional appearance of text, we feel that this feature should appear as a regular part of hypertext systems. Our empirical studies have shown that by limiting the amount of text on the

This is so stupid!!!!

[Aha_Yoda]

The other Month of Bugs are a little ***useful***! Exposing that things are less secure than they seem, and so forth. But everyone knows that PHP has more bugs that the worst hotel's mattress! If someone sees a point, tell me!