March To Be Month of PHP Bugs

← Back to Stories (view on slashdot.org)

March To Be Month of PHP Bugs

Posted by kdawson on Tuesday February 20, 2007 @01:04AM from the open-season dept.

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

50 of 292 comments (clear)

Min score:

Reason:

Sort:

So, PHP means ? by Rastignac · 2007-02-20 01:07 · Score: 4, Funny

Public Holes Publication, isn't it ? ;)

--
-- Rastignac was here.
1. Re:So, PHP means ? by Dimentox · 2007-02-20 01:48 · Score: 2, Insightful
  
  Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.
  
  --
  string sig = llGetSig("dimentox"); llSay(0,sig);
2. Re:So, PHP means ? by Anonymous Coward · 2007-02-20 01:57 · Score: 5, Insightful
  
  No, PHP is quite insecure. The libraries, the interpreter, and most PHP software are all poorly written.
  
  And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts. There has been some work done in this area, but it's been minimal, and so far ineffective.
  
  Yes, inexperienced developers probably are responsible for many of the problems. But the more experienced (I would hope) developers of PHP itself need to step up to the plate, and do their part to deal with the problem of inexperienced developers writing poor code. Even if they don't do it in order to offer a better product, they should do it to save the few remaining strands of their reputation.
3. Re:So, PHP means ? by daeg · 2007-02-20 02:25 · Score: 5, Interesting
  
  The problem isn't just the coders, it's the fault of the language, too. Sure, you can write fairly secure PHP code, but the language itself does not lend itself to teaching security. It's plainly evident that most features have "ease of use" ahead of "security" -- Register Globals is a prime example. I could have told you from the start that registering variables based on the names of POST/GET values was a Bad Idea(tm). Hell, anyone could have.
  
  PHP is also forever afraid of breaking backwards compatibility. They probably don't want to scare PHP coders.
  
  They also have issues around the monolithic nature of PHP. Oh, you want image processing? Recompile PHP! Oh, you need XML processing? Recompile PHP! There is no isolation whatsoever, everything resides in the same namespace.
  
  I am glad that they are making progress, though. PHP 5 finally brought their OO up to speed (mostly). They finally have a secure, native database connector (PDO) that supports escaped bound parameters. PHP 6 is finally removing some deprecated features.
  
  That said, I still am weary when I log into a website that holds my personal information and see a ".php" URL.
  
  (I was a full time PHP developer for about 6 years. Was.)
4. Re:So, PHP means ? by JoelMartinez · 2007-02-20 02:48 · Score: 2, Interesting
  
  And if inexperienced scripters is really the major problem, then the PHP developers need to take them into account when developing PHP. This means that the PHP developers need to add features to their product that help prevent such inexperienced people from writing easily-exploitable scripts.
  Microsoft calls this the pit of success ... where it's easy to "fall into" a successful implementation
5. Re:So, PHP means ? by onerob · 2007-02-20 02:53 · Score: 2, Informative
  
  Register Globals has been off by default for years.
  
  Please don't let us see the return of \'magic quotes\'
6. Re:So, PHP means ? by tinkertim · 2007-02-20 03:09 · Score: 2, Interesting
  
  Actually PHP is not that insecure.. Its the people who do not know hjow to write code who are insecure. You blame PHP. I blame peole who actually think they can program but are nothing more but scripters. PHP can be secure. If you write it correctly. Think about the script kiddys who use automated perl scripts.. Should perl not be on systems? If you want real security unplug your machine.. it will be safe. Otherwise any machine can be vouln.
  
  You are correct, but that doesn't make net irritants that are permitted by insecure setups any less irritating. One of the biggest problems that come to mind are shared web hosting providers who have no choice but to run php 'wide open' allowing almost all functionality and without the benefit of phpsuexec to find what sites they host are letting the bots in.
  
  They have no control or knowledge of what people upload. Someone could upload a 2 year old copy of phpBB they had on CD, not knowing any better and now you have a gigabit connected spam cannon hurling garbage at the rest of us.
  
  I'm not saying its *just* shared hosts that (help to) give PHP the reputation its been getting, but they are a major contributor. Some take proactive measures to try and at least curtail it, most do not.
  
  Its going to be a 'fun' month for those of us who have to deal with abuse issues. That is more than certain. I think I speak for many when I say : "Aww, SHIT."
7. Re:So, PHP means ? by daeg · 2007-02-20 05:08 · Score: 2, Funny
  
  Don't you mean \\\\\\\\\'magic quotes\\\\\\\\\'?
8. Re:So, PHP means ? by billcopc · 2007-02-20 07:35 · Score: 2, Interesting
  
  Well then those hosting companies should quit selling $1.99/mo hosting plans to idiots.
  
  I'm sick of this anti-darwinian modernism where you have to kiss ass to the dumbest man on the planet or get sued into oblivion. It used to be, if you wanted to write code, you had to be a programmer. I don't care how easy they make coding, if you're not a programmer then you're gonna have to find one and pay them to do it right. It's not the hosting company's fault if you're trying to do something that's way above your head.
  
  --
  -Billco, Fnarg.com
great... by blantonl · 2007-02-20 01:09 · Score: 5, Informative

Looks like this will also be "Month-of-me-working-harder-to-make-sure-my-site-i s-patched- and-updated-and-not-exploited-by-script-kiddies"

--
Lindsay Blanton
RadioReference.com
1. Re:great... by FredDC · 2007-02-20 01:13 · Score: 4, Insightful
  
  As opposed to "month-of-script-kiddies-working-hard-to-exploit-n on-patched-and-non-updated-websites"?
  
  --
  09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63
2. Re:great... by bconway · 2007-02-20 01:38 · Score: 2, Insightful
  
  Well, to be fair, you did choose to use PHP, which is notoriously buggy and insecure.
  
  --
  Interested in open source engine management for your Subaru?
3. Re:great... by kestasjk · 2007-02-20 01:51 · Score: 2, Insightful
  
  I'm a PHP enthusiast with a few servers running PHP apps, and I say bring it on. If such a small team can look for and find so many bugs I doubt a determined attacker would have much problem anyway.
  I'm sure that after the dust has settled PHP will be more secure than it was, and that can only be a good thing.
  
  --
  // MD_Update(&m,buf,j);
4. Re:great... by miyako · 2007-02-20 01:51 · Score: 2, Informative
  
  This comment reflects what seems to be one of the biggest misconceptions in computer security. People seem to be under the impression that vulnrabilities are magically conjured into existance when the bugs are made public.
  The fact is that the bugs have really been there the whole time, and just because we didn't know about it doesn't mean that some nefarious person didn't know about it.
  Now, script kiddies might not know about the vulnrabilities until they are made public, but they are called script kiddies because they use scripts- usually written by someone who has an inkling of what they are doing.
  
  --
  Famous Last Words: "hmm...wikipedia says it's edible"
5. Re:great... by elrous0 · 2007-02-20 01:57 · Score: 3, Funny
  
  Hey, my un-fashionable use of Perl finally pays off!
  [Ducks down and hopes next month isn't the "31 days of Perl Bugs"]
  -Eric
  
  --
  SJW: Someone who has run out of real oppression, and has to fake it.
6. Re:great... by Bastard+of+Subhumani · 2007-02-20 03:18 · Score: 3, Insightful
  
  If it's so buggy and insecure, why do so many large (and small, like the one I work for) companies have sites that use PHP
  I'm sure there's a fancy Latin name for it, but what you're saying is equivalent to "Eat shit - a billion flies can't be wrong".
  
  --
  Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
7. Re:great... by Joebert · 2007-02-20 04:47 · Score: 2, Funny
  
  Hi kids! Would you like to script this? (Yeah yeah yeah!)
  Wanna see me shoot chocolate milk from each one of my eyelids? (Uh-huh!)
  Wanna copy this and paste exactly like I did? (Yeah yeah!)
  Try the wrong CID and get fucked up worse that my code is? (Huh?)
  My mouse's dead weight, I'm tryin to get my story straight
  but I can't figure out which Administrator I want to impersonate (Ummmm..)
  And Dr. Phil said, "Failure is no accident."
  Uh-huhhh! "Then why's your hands red? Man you busted!"
  Well at age twelve, I learned HTML
  Hacked my robodog to fetch the paper while I sit here in my shell
  Got pissed off and organized a massive DDoS
  Smacked the web so hard people lost their job at Bluefrog
  I pay a crackhead to mow my grass
  Hacking my mower would still require me to go get gas !
  C'mere slut! (hey wait a minute, that's my goat dog!)
  I don't give a fuck, naggin bitches just piss me off !
  
  --
  Wanna fight ? Bend over, stick your head up your ass, and fight for air.
8. Re:great... by jZnat · 2007-02-20 04:49 · Score: 2, Interesting
  
  There is no compelling reason to move to a new operating system simply because it appears to be more secure at the expense of not having functional applications. Notice the similarities when you replace "language" with "operating system". :O
  
  --
  'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
9. Re:great... by Bogtha · 2007-02-20 04:53 · Score: 2, Insightful
  
  people not quoting their SQL properly ... but should the PHP interpreter developers really be held accountable for other peoples' shoddy coding practices?
  
  In the case of SQL injection attacks, definitely yes. They provide add_slashes(), oh, but wait, that's insecure, so they provided mysql_escape_string() instead. Oh wait, that's insecure too, so they provided mysql_real_escape_string() instead. All the while, ignoring the fact that string concatenation is prone to security problems by its very nature, and ignoring the real solution — bound parameters — for years.
  
  --
  Bogtha Bogtha Bogtha
10. Re:great... by SimHacker · 2007-02-20 06:57 · Score: 2, Interesting
  
  There are many reasons that add_slashes is insecure, and if you think about it, you should be able to come up with a few yourself. Have you ever heard of Unicode? Do you really know what the quoting conventions of your database are, or are you just assuming that add_slashes somehow magically does? Have you even bothered to use google or read any of the many security articles about PHP? Obviously not. And the same goes for so many other PHP developers. They need training wheels and adult supervision, otherwise they wouldn't have made such a horrible decision to use PHP in the first place.
  
  The issue is that PHP has many functions and mis-features like magic_quotes_gps that pretend to give you some level of security but ACTUALLY DON'T, combined with the fact that there are a lot of naive and sloppy programmers out there like you, who have no idea what the issues are, and have never bothered to think about them or even look them up on the internet. The problems are WELL DOCUMENTED AND WIDELY DISCUSSED. You have no excuse for not knowing them. You can use google as well as anybody, and educate yourself, but you choose not to.
  
  But it's wrong to blame the ignorant sloppy application developers, when the language actually offers them up so many false non-solutions and dangerous pitfalls. It ENCOURAGES ignorant developers to make mistakes. Why didn't they remove add_slashes, magic_quotes_gpc, and all those other horrible bugs a long time ago, instead of leaving them in there to temp ignorant people into use them? The design of the PHP language and libraries and the attitude of the PHP development team is the core of the problem that causes sloppy application developers to make so many mistakes.
  
  -Don
  
  --
  Take a look and feel free: http://www.PieMenu.com
Huh by Anonymous Coward · 2007-02-20 01:10 · Score: 5, Funny

I thought every month was PHP Bugs month?
even if... by cosmocain · 2007-02-20 01:12 · Score: 3, Insightful

...there are that much holes in PHP (which i don't doubt), mr. esser seems to be on a kind of crusade since he left the security response team.
1. Re:even if... by Alphager · 2007-02-20 01:26 · Score: 5, Informative
  
  He began his crusade when he founded the security-team: He wants a secure PHP. He left the security-team out of frustration that the main devs didn't care about security (leaving security-critical bugs unfixed for ages). This month of PHP-bugs is his effort to put pressure on the devs to finally make security a priority.
2. Re:even if... by gmack · 2007-02-20 01:55 · Score: 2, Insightful
  
  No.. it's a good thing. PHP apps are now the most common means of gaining a remote shell on Linux and as a sysadmin I have to constantly worry about what PHP code some customer installed can allow some attacker to break into my server. PHP allows some things it really shouldn't.. take includes on a variable for instance a few months back we had a machine spewing DoS attempts and the admin in charge of the box couldn't figure out how the attacker got a shell. The culprit? Some programmer used a variable to hold his includes and the attacker simply overrode that variable. Now you can (and we did) blame the programmer for being an idiot but the problem is that a language being sold as "great for anybody to start programming in" should be a lot safer by default I mean really.. what legitimate reason is there for that "feature" in the first place?
3. Re:even if... by moranar · 2007-02-20 02:11 · Score: 4, Insightful
  
  Or maybe, just maybe, on reading the article we'd find he did "fork" PHP, through Hardened-PHP and Suhosin. The wonders never cease.
  
  --
  "I think it would be a good idea!"
  Gandhi, about Internet Security
i suggest for next month by Anonymous Coward · 2007-02-20 01:12 · Score: 3, Funny

month of PCP bugs. i see them all over my skin and i can't scratch them off! SOMEONE HELP ME
Partially surprising by Anonymous Coward · 2007-02-20 01:15 · Score: 5, Insightful

I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.
1. Re:Partially surprising by julesh · 2007-02-20 02:53 · Score: 2, Interesting
  
  I really shouldn't be surprised at the PHP team's approach to security any more, but it really does still surprise me from time to time. It's amazing, but the PHP team are worse than Microsoft ever were with security. And they don't even learn from this - they've had this attitude for as long as I can remember (PHP 3 days), and they just aren't getting it. Or rather, if they get it, they just don't care.
  
  I'm not surprised. Their attitude to bug reports in general is pretty hostile. See, for instance, this report of a segmentation fault bug.
For once by Timesprout · 2007-02-20 01:15 · Score: 4, Insightful

I am actually glad to see one of these xxx month of bugs. Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws. Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality by improving the core security of the language is therefore to be welcomed.

--
Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
What truth?
There is no dupe
1. Re:For once by jimicus · 2007-02-20 01:47 · Score: 2, Insightful
  
  Anything that actually helps the meme 'most php flaws are caused by poor programmers' actually become a reality
  
  Most flaws in any code are caused by poor programmers. It's possible to write clearly structured, well laid out code in BASIC (no, not visual BASIC, the real thing), as most implementations support things like local variables and procedures. It's just exceptionally rare.
  
  This is why so many computer science degrees (at least until recently in the UK) used Modula-2 or Pascal as their primary teaching language. Don't for one moment imagine the lecturers thought that these languages would be useful in the real world - the idea was to teach good practise.
2. Re:For once by rho · 2007-02-20 04:02 · Score: 2, Insightful
  
  Personally I have always thought PHP to be a steaming pile of poorly thought out garbage but there is no denying its popularity despite its flaws.
  A critical thinker will look at those two clauses and derive some wisdom. PHP is not "poorly thought out", it changes to meet the market's needs. Java was very well thought out, but it's mostly popular with big shops where you can hire a guy for $70,000/year to maintain a tiny little bit of a larger program. PHP is very popular because it allows a single person (or a small group) to make functional applications quickly and easily, with a lot of flexibility.
  
  --
  Potato chips are a by-yourself food.
Install modsecurity by HxBro · 2007-02-20 01:20 · Score: 5, Informative

I recently installed modsecurity http://www.modsecurity.org/ for apache along with the rules from http://www.gotroot.com/ and it's done a good job of blocking attacks on my server including a lot of the php mail() injection attempts, whilst it has shown up a few false positives like someone posting a message with sql keywords e.g. "select" "from", it is certainly worth installing even if you have to monitor the logs for a bit afterwards to watch for the false positives and alter the rules accordingly.

Whilst it probably won't solve a lot of the problems with php and security it does help protect the server especially when you don't have control over what your users are uploading to their web space.
Are bugs the problem? by cerelib · 2007-02-20 01:36 · Score: 4, Interesting

I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code(especially when using the mysql module). Also at fault is the general lack of programming understanding by the amatuers who find their way to PHP because it is so easy to go from having a static HTML page to a dynamic PHP page. Are there a lot of vulnerabilities in the interpreter?
1. Re:Are bugs the problem? by poot_rootbeer · 2007-02-20 03:37 · Score: 2, Insightful
  
  I always had the feeling that the bad security reputation with PHP had less to do with technical bugs and more to do with how easy it is to write insecure code
  
  Or even more likely, how easy it is to download and run insecure code written by some other lousy programmer. It's not the people who are writing their own CMS systems that are getting haxor'd, it's the people who grabbed a copy of PHPNuke and threw it up there on the 'net.
PHP is a disgrace to the open source community. by Anonymous Coward · 2007-02-20 01:38 · Score: 5, Interesting

It's amazing, but the PHP team are worse than Microsoft ever were with security.

This is very true. And also very unfortunate. When it comes to many managers, PHP has given the entire open source community a bad name. This is mainly because it has been repeatedly pushed as being part of the LAMP suite, when in fact Python and Perl are far better options for the 'P'. So when you recommend the use of Linux, Apache or MySQL, they automatically think of PHP, and recall how terrible its security is. And then they associate that lack of security with Linux, Apache and MySQL, even when that's not the case!

If there's one thing the open source community as a whole should do, it should be to disown PHP. Responsible open source developers and projects need to just stop using it for their web sites. It'd be good if more things like this Month of PHP Bugs were held, just to show the public that the OSS community knows that PHP is terrible, and wants to do something about it. The longer we continue to use PHP, the harder it will be to repair the reputation of even completely unrelated (and far more secure) open source projects.
1. Re:PHP is a disgrace to the open source community. by archen · 2007-02-20 03:29 · Score: 4, Insightful
  
  The problem with PHP is that it's very easy. One of the supposed advantages of Lamp is that it is also rather easy to set up and work with. I've seen more projects than I would care to, where the programmers couldn't code their way out of a paper bag but managed to accumulate a surprisingly functional mass of PHP spaghetti code. Perl is a good option only if the coders are disciplined, and having good structure is critical for a good Perl project. I don't have any experience with Python, but due to the nature of python language structure, you'll never be able to embed it the way you could with PHP (templates are necessary here as well).
  
  One of the problems with PHP is the fact that when the bar of entry is so low, you get a lot more low bar people actually coding it. It's become the next generation of VB garbage. The language is only half of the security problem (a half we could better do without, but still).
Wait... by kahei · 2007-02-20 01:39 · Score: 4, Funny

Only a month?

Ha ha, yes, thank you, I'll be here all week, bringing predictable yet mildly amusing banter. In fact, I'll be here all year. The whole of my life, probably. *breaks down and cries*

--
Whence? Hence. Whither? Thither.
PHP needs to be fixed in general by MikeRT · 2007-02-20 01:44 · Score: 2, Informative

If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking. Besides bug and security fixes, a standard naming convention for built-in functions would be quite nice. Maybe Esser could do for PHP what EGCS did for GCCS if he did that.
1. Re:PHP needs to be fixed in general by julesh · 2007-02-20 03:53 · Score: 2, Insightful
  
  If he really wants to make a difference, he should fork PHP and really fix up the language and interpreter to his liking.
  
  Err... he has.
  
  Sometimes I think people don't read the articles.
  
  Then I remember I'm reading slashdot.
Re:We audited PHP for some of our projects. by clawoo · 2007-02-20 01:59 · Score: 2, Informative

Not to start a little argument over PHP and Python, but you're comparing apples with oranges here. You are saying that PHP is insecure, its semantics are undesirable and so are its standard libraries, database interfacing, interpreter and performance, and then you come along saying how awesome Django is, disregarding that actually you're comparing a language with a framework.

There are a handful of decent PHP frameworks out there, with others coming along, which you can take and compare with Django, but please don't bash the language because you don't like its semantics, you have something personal with it or you didn't take the time to choose a decent framework.

Regarding the database interfacing support, I beg to differ, I believe PHP has been supporting a large number of databases for a longer while than most of the other web scripting languages out there today.

--
This is not your signature.
Look on the open/bright side. by kale77in · 2007-02-20 02:15 · Score: 2, Informative

The bright side, it seems to me, is that PHP's openness means even if the developers are slack, the bugs can still be disclosed without IP litigation threats.

Also, he's given the developers a week or two of warning before March. If there's anything *that* serious in there, actually known to the developers, the fix could conceivably be ready by the time the bug is announced.

I run PHP sites, and I'd rather see the bugs public and being patched, than known only to the developers (we hope).
Coming in April by bill_mcgonigle · 2007-02-20 02:52 · Score: 4, Funny

"Month of Shooting Fish In a Barrel"

At least the Month of Apple Bugs was a hard target to go after.

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
A Couple Easy Precautions by corychristison · 2007-02-20 03:32 · Score: 2, Informative
I've been running PHP for some time now, I try to use the latest and greatest, but sometimes I am a little behind.

Here are a few simple precautions for PHP configuration:
- Do not(!) install cURL. I know it is useful, but has a lot of security problems!
- Disable register globals [default as of 4.2.0]
- Safemode is worthless and a little too restricting, use OpenBaseDir.
- disable_functions = exec,system,passthru,shell_exec,proc_open,proc_clo se,proc_terminate,proc_nice,proc_get_status (may be more, off the top of my head :-)
These are what I can think of off the top of my head. This allows full compatability with all major scripts [mostly due to not using SafeMode] but still holds a fair bit of protection from people executing scripts and pushing them to run in the background. Had this happen to me a few years ago. I was hosting someone as a favour, and I'm not sure if they did it, or they were running some crappy code and it was exploited. Either way, their account was suspended.
Hear, hear. by cortana · 2007-02-20 03:37 · Score: 3, Insightful

An anonymous coward said some time ago,
When I looked at Zend's introduction to PHP, the first sample PHP program was Hello World, and the second was a cross-site scripting vulnerability.
Yes, this _is_ unethical by DigitAl56K · 2007-02-20 04:44 · Score: 2, Interesting

"At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical."

Maybe. But to take more than 31 bugs and disclose them a day at a time so that in effect major web-facing infrastructure for big business and home users alike will have no chance at all of being secured during this entire window, all for the purposes of publicity?
Re:Take PHP outside web pages altogether. by FreakTrap · 2007-02-20 04:49 · Score: 2, Informative

$a = array (1, 2, 3, 4); foreach ($a as &$b) $b++; foreach ($a as $b) $b++; print_r ($a);
It is increment twice because after the first loop, $b is still a pointer to the fourth element of $a. Continuing in the code, the second loop will assign the fourth value of $a each value of $a, then increment it. Try debugging it like so:
$a = array (1, 2, 3, 4); foreach($a as &$b){ $b++; } print_r($a); foreach($a as $b){ print_r($a); $b++; print_r($a); } print_r($a);
... and you will see what it is doing. Solution: unset your variables before you re-use them.
$a = array (1, 2, 3, 4); foreach ($a as &$b) $b++; unset ($b) foreach ($a as $b) $b++; print_r ($a);
And for the $$ thing, it seems to do exactly what it is intended for...
[Simple] $a = "Hello World"; $b = "a"; echo $$b; //outputs 'Hello World' [Complex] $var0 = "Hell"; $var1 = "o wo"; $var2 = "rld!"; $i = "var0"; while(intval($i[3]) <= 2){ echo $$i; $i[3] = intval($i[3])+1; } //outputs 'Hello World!'
Take down the service? by Kelson · 2007-02-20 05:01 · Score: 2, Insightful
"You mean have to take down the entire service just because it wasn't compiled against this or that library? That's INSANE! What the hell is Linux FOR?"

Really? Leaving aside the matter of using shared libraries, whenever I've had to add features to PHP it's gone like this:
1. Configure PHP with new options
2. Rebuild PHP
3. Reinstall PHP
4. service httpd configtest
5. service httpd restart
The only actual downtime occurs during step 5, which lasts maybe a second at most. This is Linux after all -- you can run the old version while you're installing the new one.

Or am I misunderstanding your point?
Re:Pot calling the kettle black by julesh · 2007-02-20 07:57 · Score: 3, Interesting

If you're a programmer and you don't see huge problems with both the design of PHP itself and the standard library you should just quit now and find another hobby/profession.

I'm a programmer. I work with PHP. I see a hell of a lot of problems with its design and implementation. Am I ready to dump it and switch to something better? You bet. I've been waiting for the chance for the last 5 years or more.

Can I actually do this?

No. The marketplace is such that if I implement my solutions in any other environment, I'm cutting myself out of large chunks of the market simply because people might choose a hosting provider that doesn't support whatever alternative language I choose to use.
From the PDO docs page: by yem · 2007-02-20 09:35 · Score: 2, Informative

Warning

If your application does not catch the exception thrown from the PDO constructor, the default action taken by the zend engine is to terminate the script and display a back trace. This back trace will likely reveal the full database connection details, including the username and password. It is your responsibility to catch this exception, either explicitly (via a catch statement) or implicitly via set_exception_handler().

The default behavior in case of database problems is to display the host, username and password in the browser? Good grief.

--
No, I did not read the f***ing article!
Re:Why was register_globals there in the first pla by SimHacker · 2007-02-21 06:27 · Score: 2, Informative

If there isn't a problem with register_globals, then why are they finally taking it out of the language? Of course the real questions are: why did it take so long to remove from the language, and why was it ever there in the first place? That is even more evidence of extremely bad judgement on the part of the PHP designers, that they mad such a bad mistake in the first place, and took so long to admit they made a mistake and correct it. They still try to blame it on "bad developers", but that's the only kind of developers they have left any more, because anyone with any sense or choice in the matter has moved on to better languages like Python and Ruby.

Doing a google search for register_globals site:www.us-cert.gov shows 112 references to security vulnerabilities having to do with register_globals. Is that enough evidence that register_globals is a bad idea?

The register_globals flag should not even be an option, backwards compatibility be damned. When you have security holes like "Unsafe termination of parse_str() may result in the register_globals directive turned back on, you're screwed even when you turn it off, because PHP turns it back on internally, then wets its pants before turning it back off, so it leaves it on for the rest of the lifetime of the web server.

That terrible bug was found AND FIXED by Stefan Esser (the person who this thread is about, in case you didn't bother to read the article), yet some piss-water-carrying PHP fan-boys are still attacking him as a "traitor".

Here is another article he wrote about PHP security problems having to do with register_globals and a lot of other stupid flaws that should have never existed in the first place: Zend_Hash_Del_Key_Or_Index Vulnerability. If you don't like it when people blame the Zend Corporation for so many of the problems in PHP, then maybe you should ask Zend to stop putting their company name into all those functions that are the root cause of so many security problems.

-Don

--
Take a look and feel free: http://www.PieMenu.com