Slashdot Mirror


PHP.net Compromised

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

189 comments

  1. Oh the irony by killerzax · · Score: 5, Funny

    Let me guess, they got in through a PHP vulnerability?

    1. Re:Oh the irony by ArcadeMan · · Score: 5, Funny

      It's Microsoft's fault. The URL for PHP is php.net, which means it's .NET and hence the reason for being compromised.

      The malware was distributed via Javascript, which has Java in its name, which means it's also Oracle's fault.

    2. Re:Oh the irony by eexaa · · Score: 1

      Either that, or missing mysql_escape_string.

    3. Re:Oh the irony by CastrTroy · · Score: 1

      Isn't it supposed to be mysql_real_escape_string? I can't remember since I've been using parameterized queries for so long.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:Oh the irony by Anonymous Coward · · Score: 1

      And it's open sores software, which means now all the visitors to the site have herpes!

    5. Re:Oh the irony by NettiWelho · · Score: 1

      On a more serious note, what systems were vulnerable and what was the payload?

    6. Re: Oh the irony by Anonymous Coward · · Score: 0

      No do not use that one. Easily exploitable. mysql_real_real_escape_string is the one to use now.

    7. Re:Oh the irony by Anonymous Coward · · Score: 0

      We don't know.

    8. Re:Oh the irony by Anonymous Coward · · Score: 0

      I know it's asking a lot, but if you RTFA and follow a couple links, you'd know the answers to your questions.

  2. It was already a dangerous site to visit ... by c0d3g33k · · Score: 5, Funny

    ... it introduced visitors to PHP.

    1. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      I agree with you, but he is probably right!

    2. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      If you wanna bash a technology commonly used by web developers, pick Flash.

      I will stick to bashing on ASP.NET in VB.

    3. Re:It was already a dangerous site to visit ... by Minwee · · Score: 1

      I'd rather bash people with no sense of humour who feed trolls.

      It's even easier than bashing PHP.

    4. Re:It was already a dangerous site to visit ... by Sarten-X · · Score: 3, Insightful

      As a mild Java fanboy, I feel compelled to mention that real Java isn't really locked in to a single vendor, as the reference implementation (OpenJDK) is open-source. However, the reference implementation lacks a lot of the features that aren't real Java, that Sun and Oracle have so kindly implemented in their own versions. A careful Java developer isn't locked in, but a careless one easily can be.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    5. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 1, Informative

      PHP does not have very good performance. node.js has very good performance, so does .NET.

      PHP uses massive amounts of memory and security is a problem on I'd guess 99% of all shared hosts due to the difficulty in running the process as different users without using up all the RAM on the server. I've been working with PHP since 2006. No more, its days are over.

      Add to that the still broken implementation of Unicode. Embarrassing is the word for PHP.

    6. Re:It was already a dangerous site to visit ... by guruevi · · Score: 1

      Clueless sysadmins (and programmers) do indeed bring a bad rep to PHP but correctly implemented and managed, it can be a great asset. What alternative do you suggest? Node.js? Who runs that and .NET? Really?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    7. Re:It was already a dangerous site to visit ... by Megane · · Score: 2
      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    8. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Just look at this jewel from the official documentation:

      Although implode() can, for historical reasons, accept its parameters in either order, explode() cannot. You must ensure that the delimiter argument comes before the string argument.

      Or things like this:
      https://bugs.php.net/bug.php?id=44794

    9. Re:It was already a dangerous site to visit ... by c0d3g33k · · Score: 1

      Hi, girlintraining.

      I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher. I downloaded and installed the first web browser and went to http://info.cern.ch/hypertext to see what was up with this new thing. I advocated and used PHP when the acronym stood for Personal Home Page. Back when everyone was banging out custom CGI scripts in Perl, it looked pretty cool. And for a while it was. I rolled out quite a few sites based on PHP at the time. I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

      I calmly stand by my snark, perched atop the mountain of experience.

    10. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 4, Insightful

      Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.

      Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVM's and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVM's with relative ease.

      Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.

      The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But it's much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.

      I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.

      And before you say "PHP is scalable because Facebook uses it", keep in mind what the parent post already noted (emphasis mine):

      Facebook uses a special version of it.

      Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.

    11. Re:It was already a dangerous site to visit ... by binarylarry · · Score: 2

      I'm pretty sure it's PHP that gives PHP a bad rep.

      --
      Mod me down, my New Earth Global Warmingist friends!
    12. Re:It was already a dangerous site to visit ... by Mitchell314 · · Score: 1

      Calm down, it's just a joke.

      --
      I read TFA and all I got was this lousy cookie
    13. Re:It was already a dangerous site to visit ... by MightyMartian · · Score: 1, Insightful

      What do I care about a scripting language's performance. The bulk of my work is basically using scripting languages as glue and display functions for RDBMS queries. The amount of cycles the interpreter/JIT/whatever has to consume is dwarfed by the cycles eaten up by the SQL database.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    14. Re:It was already a dangerous site to visit ... by girlintraining · · Score: 0, Troll

      I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher.

      I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.

      I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

      I calmly stand by my snark, perched atop the mountain of experience.

      And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.

      --
      #fuckbeta #iamslashdot #dicemustdie
    15. Re: It was already a dangerous site to visit ... by dgatwood · · Score: 3, Interesting

      It makes sense. The implode function can readily detect the difference between a string and an array through simple type introspection, but the explode function cannot do the same with two strings. Indeed, I would argue that for any function, if the parameters must be of a specific type that can be readily distinguished from the type of other parameters, there's no reason for the parameter order to matter.

      Then again, I would argue that the entire notion of programming languages in which the order of arguments is significant is arcane and archaic. IMO, an ideal programming language should require that each parameter be explicitly tagged so that the parameter order never matters, or at a minimum that the order is never implied merely by position. Perl can sort of do this with a hash, Python et al sort of do this with named parameters, etc.

      Such a design pattern makes it relatively simple to add additional optional parameters, because the order ceases to matter. It means that you can insert those new parameters in an order that makes logical sense, rather than having to add them at the end of the parameter list with an explicit check to see if the parameter list is empty before shifting off the next item so that you don't break backwards compatibility with existing clients. And so on.

      Unfortunately, most programming languages still force you to choose between strict compile-time type checking and mandatory tagging. If you take parameters in a varargs style, you can force mandatory tagging, but you lose any compile-time checks. If you take parameters individually in the function, somebody can still pass parameters positionally, at which point you lose the readability advantages of being able to reorder the parameter names as you add new parameters.

      I get the impression that Python 3 allows you to force explicit tagging by adding "*" as the first parameter. It would be great to see similar functionality in all other programming languages; it just makes a lot more sense than trying to extract meaning out of order.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    16. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Lots of anti-vaccers believe they're correct also. It's quite funny and sad. If you like PHP, Brainf*ck is another great language to learn.

    17. Re:It was already a dangerous site to visit ... by csnydermvpsoft · · Score: 4, Interesting

      It's not that hard to be careful - just avoid the com.sun.* and sun.* namespaces. Eclipse even filters those out (of autocomplete and Organize Imports) in the default configuration.

    18. Re: It was already a dangerous site to visit ... by garyebickford · · Score: 1

      Hmm. I recall an analogous bit from the Perl documentation - I don't recall the specifics. And C has lots of WTFs, not least of which is the syntactic mistake of allowing 'if ( a = b )' to be valid, leading to thousands of hours of debugging time when programmers accidentally forget the second ==. We've all done it, many times. I recently found an example that had lain in wait for a couple of years, as that particular piece of code was only rarely executed, and most of the time the fact that 'a' was being set didn't matter. This bug-factory has now been propagated into several languages whose syntax is based on C. It could be prevented by simply requiring that operations that return a value inside an evaluation must be enclosed with braces: 'if ({a = b})' would evaluate, then proceed; 'if (a == b)' would compare then proceed; 'if (a = b)' would fail.

      Bottom line, PHP is just another language with historical, and not-so-historical flaws. I personally dislike the unpredictable parameter order in string and array functions; I basically have to look them up every time I use one I haven't used for a while. APL had the cleanest parsing and cleanest operating model of any language I've used - A+B meant the 'right' thing (or at least something reasonable) regardless of whether A and B were scalars, strings or arrays of arbitrary dimension. Its WTF might well have been just the requirement for the special character set.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    19. Re:It was already a dangerous site to visit ... by TomGreenhaw · · Score: 1

      Comparing .net to PHP is not a fair or accurate comparison, one is a scripting environment and the other is compiled. Comparing PHP to Classic ASP would be more accurate.

      --
      Greed is the root of all evil.
    20. Re: It was already a dangerous site to visit ... by Spudley · · Score: 4, Insightful

      Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

      Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

      --
      (Spudley Strikes Again!)
    21. Re:It was already a dangerous site to visit ... by c0d3g33k · · Score: 3, Interesting

      I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.

      Agreed. But you came screaming out of the gates with a hard core ad-hominem attack (Troll!) in response to what amounts to little more than a joke. Touchy much?
      That said, I was on the internet-before-it-was-the-internet back in 1980. Just out of curiosity, what's your magic date?

      I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.

      I calmly stand by my snark, perched atop the mountain of experience.

      And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.

      You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?

    22. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      What alternative do you suggest? Node.js? Who runs that

      You know all those people who actually made PHP a thing?

      They do.

      PHP is on its way out, thank the gods.

    23. Re:It was already a dangerous site to visit ... by X0563511 · · Score: 1

      What's driving your zealous PHP advocacy?

      Ask a stupid question, get a stupid answer.

      Note that you're being perceived as wrong, not that you actually are. I certainly don't have the experience to say which of you is right (or more right, as the case may be)

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    24. Re: It was already a dangerous site to visit ... by AuMatar · · Score: 4, Insightful

      That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    25. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.

      Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.

      * Assembler
      * Perl
      * Python
      * Bash

    26. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 1

      ... it introduced visitors to PHP.

      Listen troll, PHP is used on a large number of websites...

      You're using BOTH ad hominem AND Bandwagon fallacies?! Care to go for a third?

    27. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      I prefer Pascal's way of distinguishing between equality and assignment. Equality is the "derp" way, with a single "=", just like every programming language that isn't based on C. Assignment requires special forethought and an extra keystroke or two, since it's ":=".

      Making these two operators the same symbol just leads to developer confusion and a complicated context-sensitive parser. See also: any BASIC programmer that ever tried to learn C.

      Meanwhile, making the "easy" operator the one that modifies memory values is just insane. Yes, it's The C Way, but it's also very failure prone, both for newbies and oldsters alike, just as you pointed out. It took you years to find and fix that bug in your software. That's just retarded and avoidable if the language would use better operators.

      Honestly, my dream language is C#, with a better assignment operator (Pascal's := is kind of a pain, so maybe something else), with the ability to actually compile to a real binary (preferably for Linux).

    28. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Lua. It's flawless for game scripting and it's widely used.

    29. Re: It was already a dangerous site to visit ... by cheater512 · · Score: 1

      implode(array('glue' => ',', 'pieces' => $stuff));

      Eww. Just eww man. So much more typing and room for error for no benefit whatsoever except you can swap the order around.

    30. Re:It was already a dangerous site to visit ... by girlintraining · · Score: 0, Troll

      You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?

      I'm not. It's a popular language that is also used on many major web sites. This suggests to me that your various statements about it being "found wanting" are in error. Especially when you have failed to offer an alternative. You criticized something because it was less than perfect. The exact same argument can be made for everything. Ever. It's a logical fallacy, and you got upmodded for it, and my pointing it out got me mod-bombed.

      Slashdot needs a "-1, Ironic" for some posts.

      --
      #fuckbeta #iamslashdot #dicemustdie
    31. Re:It was already a dangerous site to visit ... by webnut77 · · Score: 1

      What's driving your zealous PHP advocacy?

      PHP has lots of add-ons that make it very powerful like: PHPExcel for churning out a spreadsheet, TCPDF for creating a PDF, PHPMailer for sending an email, etc. I don't know if other languages have these but they are simple to use in PHP.

      It is true you can write a crappy application with security holes like swiss cheese in PHP. But you can do that in any language. If you're going to write 'good' programs there are quite a few web principles like sanitizing input that you MUST learn.

      On the other hand, I think one of the flaws of PHP is that it is often co-mingled with HTML. This makes it hard to debug. A better approach, I feel, is to turn PHP on in the first line and don't turn it off until the last line. If you want to send some HTML, use an echo statement. Learn to use loops (for, foreach, while, etc.), give variables meaningful names, and create functions for things you do over and over.

    32. Re:It was already a dangerous site to visit ... by Bigbutt · · Score: 2

      I appreciate your input. Still, no one has come up with what the next step after PHP is. Ruby? Perl? Python? It's not like there's someone out there going "ooh, good job on that PHP website and the work you're doing looks like you understand what you need. Now that you know that, you should start using JQuery to replace the hacked up Javascript and Forth to build websites. Here are a couple of good websites to get you transitioned from PHP to Forth."

      It's cool and all to denigrate the folks who are trying but if all you hear is "PHP is crap and folks who program in it are illiterate newbies" without some suggestion as to where to go next, folks will simply ignore the ranting and move on (and continue using PHP).

      As a sysadmin, I really liked the Rosetta Stone website so I could take my Linux and Solaris skills and start working on AIX and HP-UX fairly quickly. Is there such a PHP -> Forth website?

      [John]

      --
      Shit better not happen!
    33. Re: It was already a dangerous site to visit ... by wonkey_monkey · · Score: 1

      or a very complicated system for the compiler to implement

      What's so complicated about doing it at compile time? When a function's called, compare the caller tags to the function definition tags and re-order them to match - no?

      Then as a user I not only need to remember what the parameters are for every function, but what they were named?

      It doesn't have to replace the current way of doing things. AviSynth allows parameters to be specified either in order or by name.

      --
      systemd is Roko's Basilisk.
    34. Re: It was already a dangerous site to visit ... by narcc · · Score: 1

      He said WITHOUT major design flaws.

    35. Re:It was already a dangerous site to visit ... by narcc · · Score: 1

      PHP is on its way out, thank the gods.

      It doesn't appear that way. The data suggest the exact opposite.

      Why? Probably due to the lack of a viable alternative. Well, that and the fact that PHP isn't the disaster incompetent Slashdot users seem to think it is.

    36. Re:It was already a dangerous site to visit ... by narcc · · Score: 1

      I've used PHP. Found it wanting. Moved on.

      Why did you find it inadequate? With what did you replace it?

    37. Re:It was already a dangerous site to visit ... by narcc · · Score: 2

      Know what's sad? You don't know how awful that page really is. You actually think it contains something of value.

      Here's a fun exercise. From that pile of garbage, make a list of points of fact, eliminating any point that is opinion.

      Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.

      Still think PHP is a "fractal of bad design"?

      It looks like he got rid of the NaN != NaN nonsense point. (Why is that nonsense, you ask? See IEEE 754 -- I guess enough people pointed that bit of nonsense out to him. That and his old intransitivity argument and example seems to have vanished as well. Bet you didn't notice!)

    38. Re: It was already a dangerous site to visit ... by dgatwood · · Score: 1

      It's horrible only because PHP doesn't build such functionality cleanly into the language. The ideal syntax looks more like this:

      implode(glue => ",", pieces => $stuff);

      Or even this:

      implode(glue=",", pieces=$stuff);

      And you're very wrong about reordering being the only benefit. Named calling parameters also provide much-needed information about what the parameters actually do when you're looking at the function call itself, without which you must mentally cross-reference the original function declaration to know how those parameters are being used. Being explicit as part of the call syntax reduces cognitive load, particularly when you're doing maintenance programming of a large code base, particularly when a function takes more than a couple of parameters. You know the old adage: If a function takes more than three parameters, you are likely to forget at least one of them.

      Also, assuming the syntax is properly built into the language (with full compile-time type checking and errors if you try to specify a parameter name that isn't part of the declaration), you get no additional opportunity for nontrivial errors (in the worst case, you just get parse errors that cause a failure as soon as you try to load the file), while removing a lot of potential for other types of errors.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
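      An added example (not from the thread, and not PHP's real implode()/explode()): a Python 3 sketch of the keyword-only tagging dgatwood describes in posts 15 and 38, where a bare `*` in the signature forces every argument to be named, so delimiter and string cannot be silently swapped and a misspelled name such as the thread's 'peices' is rejected instead of defaulting.

```python
"""Keyword-only parameters as a guard against argument-order mistakes.

Added example, not code from the Slashdot thread or from PHP.net. The
function names mirror the implode()/explode() discussion; the Python
semantics (keyword-only via '*') are real, the PHP-like behaviour is a
sketch.
"""
from typing import Callable, List, Optional, Tuple


def explode(*, delimiter: str, string: str, limit: Optional[int] = None) -> List[str]:
    """Split `string` on `delimiter`; both must be passed by name.

    The bare '*' makes every parameter keyword-only, so the call site reads
    explode(delimiter=",", string=...) in either order and a positional
    call raises TypeError before any data is touched.
    """
    if delimiter == "":
        raise ValueError("delimiter must not be empty")
    if limit is not None and limit > 0:
        # Sketch of a positive limit: at most `limit` elements, the last one
        # carrying the remainder of the string (str.split's maxsplit is
        # limit - 1 because it counts splits, not pieces).
        return string.split(delimiter, limit - 1)
    return string.split(delimiter)


def implode(*, glue: str, pieces: List[str]) -> str:
    """Join `pieces` with `glue`; the keyword order is irrelevant."""
    return glue.join(pieces)


def call_reports(fn: Callable[..., object], **kwargs: object) -> Tuple[bool, object]:
    """Call `fn` with tagged arguments and report (ok, result_or_error_text).

    Used below to show that an unknown tag is surfaced as an error at the
    call, which is the checking dgatwood wants the language to provide.
    """
    try:
        return True, fn(**kwargs)
    except TypeError as exc:
        return False, str(exc)


def positional_call_is_rejected() -> bool:
    """A positional explode(",", "a,b") cannot slip through and swap roles."""
    try:
        explode(",", "a,b")  # type: ignore[misc]  # deliberately wrong call
    except TypeError:
        return True
    return False


def unknown_name_is_rejected() -> bool:
    """A misspelled tag ('peices') is an error, not a silently missing value."""
    ok, _detail = call_reports(implode, glue=",", peices=["a", "b"])
    return not ok


if __name__ == "__main__":
    # Same call, either order; both resolve by name.
    print(explode(delimiter=",", string="a,b,c"))
    print(explode(string="a,b,c", delimiter=","))
    print(implode(pieces=["x", "y"], glue="-"))
    print("positional rejected:", positional_call_is_rejected())
    print("unknown tag rejected:", unknown_name_is_rejected())
```

      Python reports the misuse at call time rather than at compile time, so the check is weaker than the compile-time errors the post asks for, but a type checker run over the same code flags both misuses before execution.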

    39. Re: It was already a dangerous site to visit ... by brantondaveperson · · Score: 1

      Objective C pretty much does this. Functions calls look like:

      [myColor changeColorToRed:5.0 green:2.0 blue:6.0];

      Now I do appreciate here that the order isn't actually flexible, but I would argue that *is* a bad idea because it makes the code much harder to read. But what you do get is the named parameters part, which in my opinion is the more important part. This makes the code much easier to read.

    40. Re:It was already a dangerous site to visit ... by geminidomino · · Score: 1

      A better approach, I feel, is to turn PHP on in the first line and don't turn if off until the last line. If you want to send some HTML, use an echo statement.

      I feel like someone made Poe's law into a truck, and hit me with it.

    41. Re: It was already a dangerous site to visit ... by memco · · Score: 1

      There is an RFC (at affected PHP.net site), which discusses the idea of named parameters for PHP 5.6. The proposal suggests that you would be able to use both named parameters and non-named parameters in the same function, but specifies that all functions using a mix must declare the order-dependent params before declaring any named params so that the interpreter knows how to handle the two.

      --
      Get me a meat pie floater!
    42. Re: It was already a dangerous site to visit ... by myowntrueself · · Score: 1

      That's nothing

      *THAT* is a worm. Insert that into some PHP code and you have a back door.

      Sometimes I wonder if the NSA are responsible for PHP.

      --
      In the free world the media isn't government run; the government is media run.
    43. Re: It was already a dangerous site to visit ... by myowntrueself · · Score: 1

      Oh yeah, of course it was bound to strip out the nice PHP code. Here's a URL:

      http://www.madirish.net/454

      --
      In the free world the media isn't government run; the government is media run.
    44. Re: It was already a dangerous site to visit ... by foobar+bazbot · · Score: 1

      It could be prevented by simply requiring that operations that return a value inside an evaluation must be enclosed with braces: 'if ({a = b})' would evaluate, then proceed; 'if (a == b)' would compare then proceed; 'if (a = b)' would fail.

      Huh? 'a==b' returns a value every bit as much as 'a=b', so under that definition, why mustn't it also be enclosed in braces? Now I wouldn't say either of them "returns" anything -- functions return values, while expressions evaluate to values -- but definitions do vary and it would be silly to nitpick over. The point, though, is that there's no sense of the term "return" in which "a=b" returns a value and "a==b" doesn't.

      You've also just clumsily overloaded C syntax, as a brace-delimited block doesn't "evaluate" to the return value of the last statement within the block. It doesn't evaluate to anything at all (C is an imperative language through-and-through), so using them to evaluate expressions is ugly and non-intuitive.

      I'm not saying that the syntax shouldn't have been fixed (personally, I remain unconvinced about the syntax, though changing the symbols (e.g. = -> := and == -> =) would definitely have been good), but a syntax fix needs to be more complicated than you seem to think it is, and therefore less obviously-correct.

      In case you don't get why the complexity would have been a downside then (it wouldn't be today, IMO), remember the C language was created in an age when many programmers didn't have the luxury of an interactive teletype session. This means you can't afford to say "Was it a: (foo && {return = bar(x)}) or b: {foo && (return = bar(x))}? Bother, I'll just put in a and change it if the compiler yells at me.", because you don't get compiler feedback immediately. Complicating the syntax decreases the odds of the programmer remembering it right off, and thus increases the time the programmer has to spend looking it up.

    45. Re:It was already a dangerous site to visit ... by cerberusss · · Score: 1

      utterly incapable of understanding OOP concepts

      Funny thing is, I've been OO programming for fifteen years now, and splitting up requirements into sane objects is hard. When I do get it right, I've spent abnormal amounts of time thinking about them. It's rare to see well-thought-out design.

      --
      8 of 13 people found this answer helpful. Did you?
    46. Re: It was already a dangerous site to visit ... by readacc · · Score: 2

      * Python

      Ahhaa, Python, yes. The only language I've come across where if someone is using tabs and the other is using spaces (or worse, their editor substitutes spaces for a tab), the code will break.

      I happen to like Python, but man that was an easy one to deconstruct.

    47. Re:It was already a dangerous site to visit ... by hag3r · · Score: 2

      The only problem I have with PHP is that the designers ...

      Your problem lies in your belief that PHP is the result of actual design and forethought.

    48. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 1

      I know I've tried this before and it doesn't get through to you, just like how you still refer to Java as a classic interpreted language despite having had it pointed out to you a thousand times that it's a JIT-compiled language, but have you ever stopped to think that the reason you get modded down on software development topics is because you're nearly always wrong?

      I also don't understand how you can complain about logical fallacies in the same post you make an argument like:

      "It's a popular language that is also used on many major web sites. This suggests to me that your various statements about it being "found wanting" are in error."

      Visual Basic is probably the single most used language in business across the globe with the various macros and small utilities written in it, but that doesn't mean it's good. It just means it's accessible to those without the training to write software properly such that it's secure, maintainable, and performs well.

      Time and time again you come back with the same incorrect claims related to software development, and time and time again you wonder why people mod you down and tell you you're wrong. It's one thing to be ill informed about something, sometimes people misunderstand things and take that misunderstanding as fact until they find out otherwise, sometimes people don't have all the information and so come to a wrong conclusion. But you've made these arguments before, and you've been corrected before and had pretty good explanations as to why you were wrong, yet here you are repeating it all again. What you're displaying is wilful ignorance, you're being intentionally incorrect, so I'm not surprised you're being modded troll at this point, what else are people supposed to think if you intentionally say inflammatory things insisting they are correct when you know full well they're not given what you've had explained to you in the past?

    49. Re: It was already a dangerous site to visit ... by dave420 · · Score: 1

      So PHP is bad for allowing it to run code?? wut?

    50. Re: It was already a dangerous site to visit ... by myowntrueself · · Score: 1

      Do you understand this little hook of code? It's amazingly easy to hide amongst other PHP code and can be nicely obfuscated.

      PHP is bad for allowing such a hook to be possible.

      --
      In the free world the media isn't government run; the government is media run.
    51. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Yes you did miss something, the constant whining about not being able to get a programming job whilst simultaneously demonstrating a high level of incompetence and lack of understanding of the topic and technologies and the subsequent far-right style views towards immigrants because "they took our jobs".

    52. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      LifeHint: It's not the incompetents who think PHP is a disaster.

      It's the pros, the experts, the most well informed and experienced developers there are.

    53. Re:It was already a dangerous site to visit ... by Xest · · Score: 1

      "Who runs that and .NET? Really?"

      I'm intrigued to know your justification for disparaging .NET over PHP. Care to elaborate and expand upon that?

      Apart from its lack of cross-platform support it's much better. It performs better, it has better tools, a much better framework, the language is much better thought out and has far fewer issues, allows for much faster development on all but the most trivial of projects, has a much healthier feature set (i.e. proper threading support) and it's got a far better track record of security. This all pretty much applies to Java too apart from the recent security track record, though that does of course have the additional advantage of being portable.

      Where exactly do you think these two languages are lacking compared to PHP and do you have any actual experience of them or are you just going by hearsay? I ask because I do have real actual experience of running large projects in all three of these languages and can't fathom why someone would think PHP is superior unless they don't have any practical experience. It's really not, by pretty much any measure.

      I'm happy to work with whatever technology the constraints of a project push me to, but PHP would not be close to my number one choice if I had the freedom to select technology, precisely because I have seen its downsides stand out rather glaringly in the real world and I've yet to see anyone with a similar or greater depth and breadth of experience with various technologies use it by choice - those that do so are often doing so out of inexperience, either because they've barely used anything else, or because they're not developing anything large or important enough for its flaws to matter - in other words it seems almost universally the reason that PHP gets chosen is naivety and seemingly never the result of a well informed decision.

    54. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Visual Basic is probably the single most used language in business across the globe with the various macros and small utilities written in it, but that doesn't mean it's good. It just means it's accessible to those without the training to write software properly such that it's secure, maintainable, and performs well.

      There's a difference between many small projects using something, and many major websites. How does your VB argument hold there? Think there are more large corps using VB than, say, C?

    55. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      Um. I don't think you have a clue what you're on about. Even if you eliminate the opinion there's a hell of a lot of cold hard fact there.

      Also, his transitivity argument hasn't gone anywhere, and is still just as valid as ever:

      It's not transitive. "foo" == TRUE, and "foo" == 0… but, of course, TRUE != 0

      So calm down PHP fanboy. Stop getting upset that you know nothing of proper languages and just learn something better.
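      As an added example (not code from the thread), the PHP script below checks the transitivity claim above programmatically: it searches a constructed set of values for triples where `a == b` and `b == c` but `a != c`, and repeats the search with `===`, which finds none. The triple ("foo", TRUE, 0) only violates transitivity on PHP 7 and earlier, since PHP 8's saner string-to-number comparison makes `"foo" == 0` false, so the sample set also includes triples that fail on PHP 8; the script assumes PHP 7.4 or newer for arrow functions.

```php
<?php
// Added example, not from the original thread: is PHP's loose "==" transitive?
declare(strict_types=1);

// Constructed sample values chosen to exercise PHP's type juggling rules.
const SAMPLE_VALUES = ["foo", true, 0, "0", "", null, false, 1, "1", "01", "abc"];

/**
 * Return every triple (a, b, c) drawn from $values where a ~ b and b ~ c
 * but not a ~ c, i.e. a transitivity violation of the chosen comparison.
 * $strict selects === (identity) instead of == (loose, type-juggling).
 */
function transitivityViolations(array $values, bool $strict = false): array
{
    $eq = $strict
        ? static fn($x, $y): bool => $x === $y
        : static fn($x, $y): bool => $x == $y;

    $violations = [];
    foreach ($values as $a) {
        foreach ($values as $b) {
            if (!$eq($a, $b)) {
                continue;
            }
            foreach ($values as $c) {
                if ($eq($b, $c) && !$eq($a, $c)) {
                    $violations[] = [$a, $b, $c];
                }
            }
        }
    }
    return $violations;
}

// var_export gives an unambiguous rendering: "0" vs 0 vs false vs NULL.
function describe($v): string
{
    return var_export($v, true);
}

$loose  = transitivityViolations(SAMPLE_VALUES, false);
$strict = transitivityViolations(SAMPLE_VALUES, true);

// On PHP 7: ("foo", true, 0) is among the loose violations, as in the thread.
// On PHP 8: that triple disappears, but e.g. ("abc", true, 1) and
// ("0", false, "") still violate transitivity. === never does.
printf("PHP %s: %d loose (==) violations, %d strict (===) violations\n",
    PHP_VERSION, count($loose), count($strict));
foreach (array_slice($loose, 0, 8) as [$a, $b, $c]) {
    printf("  %s == %s and %s == %s, but %s != %s\n",
        describe($a), describe($b), describe($b), describe($c),
        describe($a), describe($c));
}
```

      Because `==` is not an equivalence relation, code that compares untrusted input against a sentinel with `==` can match values the author never intended; `===` is the comparison to reach for in such checks.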

    56. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 1

      Yes, absolutely. Pretty much every finance department, project management department and so forth of major firms will have a bunch of hacked together VBA programs. You'd be amazed how much VB is holding even the largest of corporations together.

      PHP isn't used on as many major websites as people think. About the largest are Facebook, Wikipedia and Yahoo but both Facebook and Yahoo use versions that aren't actually PHP anymore (Facebook first wrote a translator to translate it to C++, and then wrote a Java style VM to JIT compile it).

      Java and C++ have much more prominence than PHP being used by Amazon, eBay, Paypal, Google and so forth.

      The bulk of PHP's usage is for my first homepage style projects.

    57. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      This sounds almost exactly like Python...

    58. Re:It was already a dangerous site to visit ... by fisted · · Score: 1

      It is easy to read, has reasonably good performance, and reasonable security.

      You can not be serious.

    59. Re:It was already a dangerous site to visit ... by undefinedreference · · Score: 1

      Herein lies the problem. There really isn't another decent cross-platform scripting language for web development. Even the shift toward JavaScript on both sides is full of epic failure (after all, we're talking about JavaScript here, which is only marginally better than the other client-side messes it replaced). Wikipedia uses PHP (albeit with front-end caching), so it clearly can be done right. The fundamental problem with PHP is that it has roughly 15 years of crufty functions with nonexistent naming conventions and senselessly-random parameter orders (contrast this with Python and Perl, two other wildly-popular scripting languages).

      Also, don't say "Java", which is a mess that requires outrageously heavy backend support to make it useful for web development. Scripting is the best solution for the large percentage of sites that don't have huge teams and budgets. It's also the best choice for sites with rapidly-changing requirements.

    60. Re: It was already a dangerous site to visit ... by thoromyr · · Score: 1

      I don't think that really qualifies as a major design flaw. For example, we don't use Python (rather, Perl, ugh) but the requirement is that code follow standard formatting, which is a certain number of spaces per indent level. No tabs. My point is that this "major design flaw" wouldn't even come up if we switched languages to Python. It's already covered by our coding requirements.

    61. Re:It was already a dangerous site to visit ... by undefinedreference · · Score: 1

      This sounds like a bigger trainwreck than many mixed-HTML PHP sites (which is the dirtiest thing about the language). A well-written PHP-based site will do what you say, but it will have no echo statements or anything else along these lines. Instead, it will use templates with placeholders that it fills with data. When I've worked in PHP, I've done this since the early 2000s. It's simply the only way to keep it clean, readable, and delineate logic from presentation. An added bonus is that you can usually teach a web designer to work with/around simple placeholders much easier than teaching them not to screw up your code.

    62. Re: It was already a dangerous site to visit ... by godefroi · · Score: 1

      It's a major design flaw. It was made even worse when (allegedly) Guido said that if he were going to do it over again he'd require spaces instead of tabs. Because everyone agrees on how many spaces looks good, right?

      And it's fun to count columns to figure out where the "if" block ends, right?

      Also, while we're at it, any language with an "unless" statement is deeply flawed.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    63. Re:It was already a dangerous site to visit ... by c0d3g33k · · Score: 1

      I feel like someone made Poe's law into a truck, and hit me with it.

      Best post of the thread. A tip of the hat to you.

      Moderators, mod parent up, please.

    64. Re: It was already a dangerous site to visit ... by thoromyr · · Score: 1

      now you're betraying your bias. The number of spaces is not a fixed factor in Python so your comment is neither here nor there (though in practice the variation is almost entirely 2, 4 or 8 with most people using four spaces -- and that is irrespective of language, Python doesn't even enter into it). Any language with an unless statement is deeply flawed? Right...

      I'd not seen that from Guido, but it makes a lot of sense. What you wrote sounds like: 1) you never wrote any significant amount of Python code, 2) you either haven't written any significant amount of code in brace-style languages or are overlooking "it's fun to guess where that code block starts/ends", and 3) you like using tabs.

      Tabs are simply not a good choice for indentation *regardless* of language because there is no standard for how to use them. If all you do is write personal code it doesn't matter that much, but once you enter the realm of programming with others these things start to count. As does where the braces go. Some programmers are pretty petty about what are, really, minor details and love to squabble. But once you rule out the basic usability constraints (1-space indents are too little, 32-space indents are excessive) it's just a matter of agreeing to conform on details.

      If you want to be taken seriously claiming Python has a major design flaw you'll have to do better than this. Perhaps "any language that requires a NOP for an empty block" would do better (not that I'd agree, but it beats the heck out of your complaint about unless...). One really wonders if you've ever used Python or just fall into the "Python is bad because it uses white space, ooooo".

    65. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      I appreciate your input. Still, no one has come up with what the next step after PHP is. Ruby? Perl? Python?

      Why should there be a "next step"? Use your experience and knowledge to choose the correct tool for the job you have to do. It's really that simple.

    66. Re:It was already a dangerous site to visit ... by Bigbutt · · Score: 1

      Hmm, my experience with Basic (ibm basica and gwbasic with some quickbasic and other flavors) and C (Turbo and Microsoft mostly), my experience with RDBMs (dbase III+ and Paradox), my experience creating websites using vi. Add in my experience as a sysadmin using edlin, qedit, and vi plus experience with awk, sed, sh, ksh, bash, plus perl scripting. Then my searching around 6 or 7 years ago brings me to all the discussion over the years about LAMP; Linux, Apache, MySQL, PHP (although now it includes Perl and Python).

      So, experience and knowledge tells me to use... PHP and MySQL.

      So I'm good.

      Thanks.

      [John]

      --
      Shit better not happen!
    67. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.

      Yeah, it's incredibly difficult for a compiler to attach names to memory locations and then resolve those names to memory locations statically at compile time. Which is why we refer to all variables by numeric index and not by name.

    68. Re: It was already a dangerous site to visit ... by dgatwood · · Score: 1

      It's also easy to spot. As a rule, eval should be a security red flag in pretty much any programming language. The only even semi-valid reason to use it is for certain types of shell scripting, where it can be unavoidable. In fact, it ranks right up there with system() in the red flag handbook.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    69. Re: It was already a dangerous site to visit ... by cheater512 · · Score: 1

      The disable_functions config option kills that code instantly.

    70. Re:It was already a dangerous site to visit ... by narcc · · Score: 1

      Even the shift toward JavaScript on both sides is full of epic failure (after all, we're talking about JavaScript here, which is only marginally better than the other client-side messes it replaced).

      JS on the server is full of failure for many reasons, but the language isn't one of them. It's surprisingly sophisticated. There's a video series on YouTube called "Crockford on JavaScript" that you should check out.

      The fundamental problem with PHP is that it has roughly 15 years of crufty functions with nonexistent naming conventions and senselessly-random parameter orders

      That's pretty much it. Function names and parameter order. It's a shame that it's basically impossible to fix at this point. Then again, they might not want to fix it.

      PHP's biggest problem is that it's ridiculously easy to use. I can rant about why that turns insecure developers away from a language, but I think everyone is sick of hearing about that by now!

    71. Re:It was already a dangerous site to visit ... by Patman64 · · Score: 1

      This is the next step. You start using a mature framework, preferably in a language with far better design than PHP like Python or Ruby.

    72. Re:It was already a dangerous site to visit ... by guruevi · · Score: 1

      Yes, its lack of cross-platform support is pretty much the biggest issue here. You require thousands of dollars in Windows licenses to run a single .NET site. The tools are proprietary and costly and, having used Visual Studio, I think Eclipse and even Xcode still beat the pants off it as far as usability goes. .NET is also (or at least should be) a compiled language very similar to Java and it has the same downfalls as Java (if you've ever supported anything-Beans or Tomcat, you know what I'm talking about) - overly complex and way too heavy for websites. Another problem with .NET/IIS stacks is its lack of isolation from other sites or the hardware. I worked for a hosting company several years ago; shared .NET hosts were a nightmare to support as one site could easily bring the entire application pool down, and separating each site into a separate Application Pool gobbled up insane amounts of memory.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    73. Re:It was already a dangerous site to visit ... by Xest · · Score: 1

      "Yes, its lack of cross-platform support is pretty much the biggest issue here."

      But that's not an inherent problem with it, it's a design choice of the technology and it has advantages and disadvantages - whilst you can't easily use it on non-Windows platforms, you do get to do things Java simply can't do easily because Java can't assume what functionality an OS will provide so can only encompass the lowest common denominator as standard whereas .NET can provide access to everything the OS offers.

      "You require thousands of dollars in Windows license to run a single .NET site."

      This is just nonsense. A Windows Server license doesn't cost thousands of dollars, even standard edition costs only $882 and that's direct from MS. You can get it cheaper or use a lesser edition if need be. It's not free, but it's certainly not thousands of dollars. IIS and .NET are bundled in that and that's all you need to pay to host a site.

      "The tools are proprietary and costly and, having used Visual Studio, I think Eclipse and even Xcode still beat the pants off it as far as usability goes."

      This is what people always say who haven't got reasonable experience with both. I have, and Visual Studio is far superior. Eclipse isn't even a good IDE, it's just the go-to IDE people jump to when they want to slag off Visual Studio even when they don't know much about it - NetBeans is better. No one who has used a wealth of IDEs to a decent degree would imply Eclipse is somehow the king of the crop (which is the implication if you're going to claim it's better than Visual Studio), far from it.

      ".NET is also (or at least should be) a compiled language very similar to Java and it has the same downfalls as Java (if you've ever supported anything-Beans or Tomcat, you know what I'm talking about) - overly complex and way too heavy for websites."

      What websites exactly? I agree it's far too heavy for your grandma's blog or whatever, but if we're after some kind of enterprise-level web site then you shouldn't use anything less. It's complex to manage because it's designed for complex software, not "My First Website" style setups, but here's the thing - try using PHP for complex software, I have, and it's an absolute nightmare - that Java complexity suddenly becomes simplicity in contrast. When you find out you need true multi-threading support in your application, suddenly PHP becomes a road block whilst Java and .NET let you sail right along. Your talk of .NET being, or needing to be, a compiled language gives away the fact you clearly have no real understanding of it, yet you seem to feel qualified to declare PHP better regardless - that's mindless nonsense.

      "Another problem with .NET/IIS stacks is its lack of isolation from other sites or the hardware. I worked for a hosting company several years ago; shared .NET hosts were a nightmare to support as one site could easily bring the entire application pool down, and separating each site into a separate Application Pool gobbled up insane amounts of memory."

      This is outright false. Of course you can isolate the Microsoft stack, if you're doing it to a large enough degree then Microsoft provide Windows Datacentre Edition for precisely that purpose and if one site could bring the entire application pool down then what the fuck were you thinking? The whole point of application pools is to provide separate worker processes for each pool - of course if you stick everything in the same worker process then if one brings it down so will all the others. It's also nonsense to claim that it gobbles up insane amounts of memory because we're comparing to PHP here, which is far less resource efficient again.

      You've reaffirmed my point that those who defend PHP against the likes of Java, C++, and .NET do so out of inexperience. Much of what you say appears to be based on hearsay rather than real actual experience of working with th

    74. Re: It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language)

      The hash lookup overhead is real, but not that significant in practice. I work on a big web application written entirely in Perl (I know, I know. Hey, they pay well and have good free beer, OK?), and we cope with the language's lack of real function argument syntax by passing hashes/dictionaries everywhere and asserting the presence of values in them, which we then extract to use within functions. That means that we do at minimum two hash lookups per argument, per function call. At one point we experimented with rewriting some of the most frequently executed code (billions of calls per second totaled across the production servers) not to do that, and instead to use explicit array lookups and ensure that things were called in the right order. While there are tons of performance problems with our code (many of which are encouraged by--if not actually baked into--the language we write it in), the performance difference of hashing-vs-not-hashing arguments was undetectable by any of the benchmarks or speed tests we ran against it. We got a more noticeable impact from disabling crond (which wasn't running anything; just sitting and sleeping) on the same servers.

      I'm not saying that unnecessary hash lookups should be encouraged, but there are a lot of other things you should focus on optimizing before you get that far down. Premature optimization and all that.

    75. Re: It was already a dangerous site to visit ... by godefroi · · Score: 1

      Tabs are simply not a good choice for indentation *regardless* of language because there is no standard for how to use them.

      That's a stupid thing to say. Replace "Tabs" with "Spaces" and it's just as true.

      If we use tabs, I can make them 1, 2, 4, 8, or 32 wide, whatever I prefer. If we use spaces, I have to agree with and accept whatever the team prefers. Seems pretty simple to me.

      If you make a standard for how to use any character or set of characters for indentation, then there's a standard.

      Oh, and while you're right, I haven't written much Python, I have written a WHOLE LOT of code in brace languages. I use IDEs that brace-match for me, so in the really hairy cases, I have a little help. How do you brace-match spaces?

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    76. Re: It was already a dangerous site to visit ... by V+for+Vendetta · · Score: 1

      Making these two operators the same symbol just leads to developer confusion and a complicated context-sensitive parser. See also: any BASIC programmer that ever tried to learn C.

      Not true. Assignment in BASIC is Let (or Set) A = B, whereas comparison is A = B.

      I agree that the unfortunate fact, that for most current BASIC dialects the 'Let' is optional, results in the confusion you were referring to. But you can't blame a language for terrible/lazy programmers.

    77. Re: It was already a dangerous site to visit ... by Trogre · · Score: 1

      Why would you need to remember what the parameters were named, when your code editor of choice will present you with a dropdox box of all the parameters when you type the function name?

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    78. Re: It was already a dangerous site to visit ... by Trogre · · Score: 1

      No, dropdox isn't some kind of falling documentation.

      I of course meant "dropdown box".

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    79. Re:It was already a dangerous site to visit ... by Anonymous Coward · · Score: 0

      It is funny you disregard CALs. They make the cost of running MS balloon.

      Then there is the real risk of getting slammed by the fascist SBA for inadvertently breaking the license terms that are unintelligible and contradictory.

      Use MS at your own risk. PHP is just as risky and for many of the same reasons - shitty, insecure software; difficulty in finding quality programmers willing to work with such shithole software...

    80. Re:It was already a dangerous site to visit ... by vilanye · · Score: 1

      Wow, so basically all you know is PHP and thus think it is the bee's knees.

      No point in showing you the error of your ways because you won't understand the differences.

      Here is a short list (in no particular order) of better languages for the web:

      Java
      C#
      F#
      Python
      Ruby
      Perl
      Ocaml
      nodeJS
      Lisp
      C
      C++
      Smalltalk
      Haskell
      Scala
      Clojure ...

  3. Dogfood? by Anonymous Coward · · Score: 0

    Was it a PHP exploit?
    Is there any other kind on the Web?

  4. You Sound Like One Of Those by Anonymous Coward · · Score: 1, Funny
    1. Re:You Sound Like One Of Those by ArcadeMan · · Score: 4, Funny

      Here's a better URL without all the superfluous Web 2.0 crap around it.

    2. Re:You Sound Like One Of Those by trum4n · · Score: 1

      Do you have a scruffy beard too?

    3. Re:You Sound Like One Of Those by OakDragon · · Score: 1

      Well here's just the GIF!

    4. Re:You Sound Like One Of Those by ArcadeMan · · Score: 2

      I didn't even realize that they were still using GIF instead of PNG. This proves Dilbert.com is run by a PHB.

      Optimized GIF: 29019 bytes.
      Optimized PNG: 24356 bytes.

    5. Re:You Sound Like One Of Those by narcc · · Score: 4, Insightful

      Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?

    6. Re:You Sound Like One Of Those by Anonymous Coward · · Score: 0

      Not "just to make a few nerds feel better", but batch-converting a bunch of images is entirely trivial if you have any desire at all to do so.

    7. Re:You Sound Like One Of Those by ArcadeMan · · Score: 1

      How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?

    8. Re:You Sound Like One Of Those by narcc · · Score: 1

      Lots of people. How many of those read 18-year-old Dilbert cartoons every day?

      Judging from their site, they're not worried about 5k here and there. They could trim significantly more than that off fairly easily.

    9. Re:You Sound Like One Of Those by jones_supa · · Score: 1

      But still...GIF is a legacy format and shouldn't be used anywhere anymore.

    10. Re:You Sound Like One Of Those by narcc · · Score: 1

      Why not?

      It's supported everywhere as there are countless old gifs still in use. There also appears to have been a fairly recent resurgence in animated gifs (PBS). You see them all the time these days being used as an alternative to short movie clips. To my knowledge, there is no viable replacement for those yet. Attempts like apng and mng never got off the ground.

      There isn't even any ideological reason to call for the elimination of the format. Even the burnallgifs website has moved on.

      In short: The format enjoys broad support, it's still a popular format for new content, there is no viable alternative, and it's now patent free.

      Try to relax, it's just an old image on a website. It's not the end of the world.

    11. Re:You Sound Like One Of Those by Anonymous Coward · · Score: 0

      How many of those read 18-year-old Dilbert cartoons every day?

      How much for a dozen tomatoes today? And why haven't you gotten your GED?

    12. Re:You Sound Like One Of Those by antdude · · Score: 1

      Yes to stay updated with the technology. :P

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    13. Re:You Sound Like One Of Those by Anonymous Coward · · Score: 0

      And converting a GIF to a PNG is an utterly sane thing to do if you want to save a few bytes by removing any quality that might have been left over in the GIF...

    14. Re:You Sound Like One Of Those by kmoser · · Score: 1

      How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?

      If you really want to save bandwidth, stop wasting your time reading Dilbert. *Talking* about Dilbert on Slashdot, on the other hand, is a completely productive use of time.

    15. Re:You Sound Like One Of Those by Desty · · Score: 1

      And converting a GIF to a PNG is an utterly sane thing to do if you want to save a few bytes by removing any quality that might have been left over in the GIF...

      Given that PNG is a lossless format, yes it's an utterly sane thing to do if you want to save a few kilobytes without removing any quality from the GIF.

      The only price would be that it costs a small once-off amount of CPU time and I/O bandwidth to do the batch conversion and maybe run them through pngcrush/optipng/ScriptPNG to losslessly compress them a bit more. But that's surely worth it if you can cut down a busy site's bandwidth costs by at least 30-40%.

  5. Exploit vulnerable systems? by codeusirae · · Score: 1

    "The site appears to have been compromised and had some of its javascript altered to exploit vulnerable systems visiting the website"

    What Operating System do the clients need to run in order to be vulnerable?

    1. Re:Exploit vulnerable systems? by Anonymous Coward · · Score: 0

      "The site appears to have been compromised and had some of its javascript altered to exploit vulnerable systems visiting the website"
        What Operating System do the clients need to run in order to be vulnerable?

      The first question is what BROWSER is vulnerable. There are exploits that will work on a particular browser/version across multiple OS's. IF there are no vulnerable browsers, then OS is not relevant as the exploit would never be able to reach the OS to start with.

  6. I can predict the future by SmallFurryCreature · · Score: 5, Insightful

    I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

    But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

    Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

    But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

    Oh wait.

    I can predict the future, I am going to die a bitter and angry nerd.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:I can predict the future by ArcadeMan · · Score: 2

      Security. If you do it right, everyone thinks you have wasted your time. If you do it wrong, it is all your fault. - SmallFurryCreature

      Thanks for the new quote.

    2. Re:I can predict the future by Anonymous Coward · · Score: 0

      Hmm...it sounds like you're only approximating security by doing all that waste of time stuff.

      Stop whining, take it like a man and do what needs to be done for full security: pull the plug.

    3. Re:I can predict the future by freeze128 · · Score: 1

      But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it... Oh wait. I can predict the future, I am going to die a bitter and angry nerd.

      At least you will have lots of company in the afterlife.

    4. Re:I can predict the future by Anonymous Coward · · Score: 0

      You're only paranoid about security until you're proven to be an incompetent fool.

    5. Re:I can predict the future by Anonymous Coward · · Score: 0

      While it's true that most other languages have security problems, PHP is a case for itself: http://use.perl.org/use.perl.org/_Aristotle/journal/33448.htm.

    6. Re:I can predict the future by Anonymous Coward · · Score: 0

      I agree - we find it so easy to point out the splinter in another's eye, while ignoring the plank in our own.

    7. Re:I can predict the future by Anonymous Coward · · Score: 0
    8. Re:I can predict the future by styrotech · · Score: 1

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

      Ruby? Don't you mean Rails? That wasn't a problem with Ruby itself. Just like Wordpress bugs are not PHP bugs. I'm deliberately not including application bugs - the track record PHP apps have would make PHP's record look even worse.

      And wasn't that massive Rails security hole (assuming you're talking about that autopopulation of variables from user input misfeature) the kind of misfeature that PHP pioneered and baked into its core language?

      You can't really compare Java applet sandboxing problems either - PHP has no sandboxing of untrusted code or anything comparable at all (what a train wreck that would be). A better comparison is: how is Java's security record as a web server compared to PHP's?

      PHP is relatively unique in the way they've had so many security problems that were badly designed language features rather than just implementation mistakes.

      PHP has been objectively worse than practically every other language. Yet you still get people who just can't see the difference in scale/scope, and whine "but but other languages have had problems too!".

    9. Re:I can predict the future by dkleinsc · · Score: 4, Informative

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past.

      You know, I'm going to have to disagree with you on this one.

      I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existence of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.

      By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.

      And that is why, in this paper, a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    10. Re:I can predict the future by Anonymous Coward · · Score: 0

      Meanwhile, PHP's eye contains an entire forest.

    11. Re:I can predict the future by narcc · · Score: 2

      PHP has been objectively worse than practically every other language.

      Objectively, you say?

      Give it a go. How is it "objectively" worse than other popular languages?

      This ought to be hilarious!

    12. Re:I can predict the future by styrotech · · Score: 1

      Note the context you neglected was core language design mistakes rather than implementation mistakes. Implementation mistakes, while bad, can generally be fixed without breaking anything. PHP has had more than its fair share of those too.

      Compared with other languages I've used over the last 15yrs, PHP has been the standout one that seems to have to put convenient but insecure-by-design functionality (eg register_globals, magic_quotes etc) on a long, many-year cycle of recommending against using it, deprecating it, turning it off by default, then finally removing it. Each of these features has left behind a trail of legacy articles and books helping unsuspecting newbies to create insecure sites.

      It seems especially bad when PHP was intended to be used on the web right from the start.

      I don't recall any other popular language having to back out of their own deliberate design decisions the way PHP has had to multiple times.

      Hopefully that was hilarious enough for you - I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect. Maybe I just haven't been following other crappy languages closely enough.

    13. Re:I can predict the future by narcc · · Score: 1

      So you don't actually have an answer then.

      Color me surprised.

      "There was this one feature that was a potential security hole that has been disabled by default for more than a decade!" Doesn't exactly make your case!

      I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect.

      Languages with security issues they've been forced to fix? What's the comment size limit again? Do languages with massive security issues "by design" that cannot be fixed without fundamentally changing the language count as well?

      Pitiful. If you don't like PHP, fine. All I ask is that you don't pretend that your personal preference is somehow perfectly rational and objective.

    14. Re:I can predict the future by styrotech · · Score: 1

      It seems you are the one without an answer. Where are your examples that show other popular languages to be as bad as PHP has been then?

      The view that PHP doesn't have a comparatively shoddy security record is the extraordinary claim here and the one that needs evidence. I could just as well ask that your personal preference doesn't get in the way of you being rational and objective.

      As I said, I'll gladly retract my statement - just show me how other popular languages are as bad or worse.

    15. Re:I can predict the future by narcc · · Score: 0

      I believe the claim you made was that "PHP has been objectively worse than practically every other language."

      I'm still waiting. I'll wait forever, of course, as it's total nonsense.

      Your new claim is that PHP has "a comparatively shoddy security record". Nice misdirection. I'd like to see you defend that after you actually defend your silly nonsense from earlier, assuming you're still clinging to that absurdity.

      Or, you know, you could just recognize that what you said was completely ridiculous and let it go. That's what I expected you'd do. Who knew that you'd double-down?

    16. Re:I can predict the future by MSG · · Score: 0
    17. Re:I can predict the future by Anonymous Coward · · Score: 0

      It really does look like everyone has forgotten about VB and the other "easy" programming languages out there..

      People keep saying things like "the php community doesn't know this and that about security", even though most programming communities that have a large userbase of non-experts have huge security holes like php does.

      No one is saying it's perfect, but please don't try to show off your ignorance by yelling about how bad something is. When you're using something that has had at least as serious flaws or worse (lower access means bigger problems).

    18. Re:I can predict the future by narcc · · Score: 1

      It's been shared too much. It's complete and total garbage.

      I offered this earlier: From that incompetent screed, make a list of points of fact, eliminating any point that is opinion.

      Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.

      To save some time, you could first eliminate anything that exposes the author's distaste for or misunderstanding of dynamic typing. That should make the task a bit more manageable, as that's what makes up the bulk of that insufferable post.

      Not much left, is there? Do you still think that PHP is a "fractal of bad design"?

      Well, you might. You're welcome to that opinion. Let's just not pretend that it's based in the world of facts.

      See, there's a reason you link to that nonsense. It's really long, and thus very time consuming for anyone to refute point-by-point. That makes you feel secure. After all, unless a refutation is comprehensive, you can just claim that your opponent couldn't refute the real important bits. The title also confirms "your" opinion, which you probably got from someone else. That makes you feel good. After all, if lots of people believe the same way you do, you can pretend your silly beliefs are true, and not just your personal opinion. If you had an actual reason to think that PHP was "objectively" worse than other languages, you'd have posted that instead.

      Your post isn't any different than a creationist pointing at the Bible for "proof" of their silly beliefs. It's just as wrong, of course, for the same reasons.

    19. Re:I can predict the future by Anonymous Coward · · Score: 0

      this only means that most people suck at php, parameterizing sql calls and setting up apache.

    20. Re:I can predict the future by Anonymous Coward · · Score: 0

      Ahh so it's not the PHP language that is the problem, it is the developers.
      Then throw some chairs at them, it doesn't change anything but it might be slightly satisfying.

    21. Re:I can predict the future by Alarash · · Score: 2

      C#/.NET hasn't had a vulnerability in a long time. I know it's not popular around here because "Micro$oft durr durr" but it's a great language and a great framework. Run Mono if you don't like Microsoft.

    22. Re:I can predict the future by X.25 · · Score: 1

      I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages' massive security failures in the often not so distant past. That is okay; when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.

      But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and unnecessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.

      Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.

      But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...

      Oh wait.

      I can predict the future, I am going to die a bitter and angry nerd.

      I use Perl.

      How do I fit in here?

    23. Re:I can predict the future by dkleinsc · · Score: 1

      Actually, it's more that PHP makes it easy to suck at those things. For example, mysql_query(), with no parameterization support, is something that should never have existed, and for a long time was the only way to do mysql queries.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
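      The contrast dkleinsc draws above, as an added example that is not part of the thread: the string-concatenation pattern that mysql_query() forced on developers, beside a PDO prepared statement. The legacy mysql_* extension no longer exists in PHP 7+, so the concatenation anti-pattern is reproduced with PDO::query() against an in-memory SQLite database (assumes the pdo_sqlite extension; table contents and "request" inputs are constructed).

```php
<?php
// Added example, not code from the thread. The legacy mysql_query() is gone in
// PHP 7+, so the same "build SQL by concatenating untrusted input" pattern is
// shown with PDO::query(); the data is a constructed in-memory SQLite table.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

/** Legacy style: untrusted input becomes part of the SQL text itself. */
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Parameterized style: the SQL text is fixed; data is bound separately. */
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: a benign lookup and a string that closes the
// quote and appends an always-true condition.
$inputs = ['bob', "x' OR '1'='1"];

foreach ($inputs as $input) {
    printf(
        "input %-20s unsafe: %d row(s)   safe: %d row(s)\n",
        var_export($input, true),
        count(findUserUnsafe($db, $input)),
        count(findUserSafe($db, $input))
    );
}
```

      With the prepared statement the second input is compared literally against the name column and matches nothing; the concatenated query hands back every row.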
    24. Re:I can predict the future by Elminster+Aumar · · Score: 1

      The ratio of PHP developers to those in other languages is likely every bit 10-to-1. This means many things... First, it likely means that the accessibility to the use of the language is much more prone to being handled by people still new to the language, so yes, inappropriate use is likely to happen. Secondly, it means that the resulting issues surrounding security exploits, etc. will be much more mainstreamed than those that occur in other languages. All of this in mind, PHP is a fantastic language to use. Its no-frills, accessible means provides everyone with a product that can do something and do something right there and then. You don't have to spend countless hours configuring compiler scripts, setting up a bunch of libraries, etc., etc. This goes without saying that yes, PHP has flaws but every language has flaws. So stop puckering your two year-old lip and go play with a language you prefer. Don't like PHP? Then don't use it. It's that simple. Stop letting your insecurities drive you to clamor about things other people love using. It makes you look immature.

    25. Re:I can predict the future by Elminster+Aumar · · Score: 1

      Depends on what the measurements are. How do you show how is better or worse than ? By the number of servers that use a given language? By the developers who have written code using the given language? By the volume of resources it takes to run something written in the language by developers who have at least and approximately 10+ years of proven experience? Generally speaking, it's easy to assume that PHP developers outnumber the developers of other languages by a substantial amount. I'm not sure what the amount would be because I know there's a good number of Java guys out there as well as Perl. But here's the thing: PHP is ACCESSIBLE. You don't have to muck around with much to get it going--and working--for whatever requirements you may have. You don't have to mess with compiler scripts, libraries, etc. It's all just there, waiting to be used. What this means is that the ratio of seasoned programmers to inexperienced programmers as it pertains to PHP is likely to be unbalanced. This is unfortunate because there's nothing wrong with the language itself, at least, not when comparing its shortcomings to the issues other languages did have at one point or another. The main point here is that the criticisms revolving around PHP's "accidents" are constantly made mainstream due to the sheer numbers of people who use PHP. This is both good and bad. It's bad for PHP in that it never makes it look any better, but it's good in how it shows just how many systems rely on it. Anyway, it's just like every other language out there: if you don't like it or have no use for it, then that's okay... Just don't use it. But spare us all the drivel where you go around spouting a bunch of immature *noise*. The internet has enough of this as-is.

    26. Re:I can predict the future by Elminster+Aumar · · Score: 1

      You could be right about the libraries, etc. that Java et al provide out-of-the-box... But here's the thing: nobody on Earth begins a web design project thinking to themselves, "Hey, let's make a website and put ourselves through the wonderful nightmare of being forced to learn some of the most Kafkaesque Java concepts we can find and completely disregard what we originally set out to do due to the poorly-written, overly complex, impossible system requirements that languages like Java et al bring with them." It never enjoys the accommodation of maintaining private criticisms due to how accessible it is anymore by everyone who owns a blog, but whenever I need something up and running--without spending countless hours just trying to create a simple web page--I'll always be turning to PHP. It's no frills, open-source, and yes, if you mind your Ps and Qs, is secure and efficient.

    27. Re:I can predict the future by Anonymous Coward · · Score: 0

      If you think there's not much left in that list when you eliminate opinion and if you think PHP is not poorly designed then you failed Comp. Sci. 101.

      PHP's mistakes are literally beginners' errors. The sort you would barely expect undergraduates to make, let alone people making a language intended to be used across the globe in production environments.

      You whinge about the length of that document, but tough shit, you don't get to just say Turing's theories on computing were wrong just because you can't be arsed to read through his papers and provide a counter-argument to his theories.

      If you really believe that document is almost entirely wrong, then stop pulling out choice bits you feel you can argue and create a document that refutes the entire thing. Others have tried this but they really have been wrong and ripped to shreds as a result.

      You whinge about creationists but you're doing the exact same thing, you're taking an anti-scientific stance and claiming something is wrong just because you can't be bothered to write a document with counter-arguments in. You create wishy-washy arguments about how others should go through and eliminate things and how there'll be nothing left if they do.

      The fact you can't produce a counter document should be explanation enough as to why you're wrong, but given your anti-scientific stance I have little hope you'll realise that.

      But then, given you can't understand why PHP is seen to be an example of poor design I guess it's also pretty obvious you don't have either the basic computer science knowledge or the software development experience to know where to even begin, hence why you resort to such stupid arguments like "do some arbitrary thing that I'm too lazy to do myself, then I'll turn out to be right!".

      The person who wrote that document took the time and effort to do so, to produce something of such length, to spend the time examining the issues with PHP. All you've done is talk shit. That makes that link many orders of magnitude more useful than anything you've contributed on the topic.

      Either create a thorough rebuttal or shut the fuck up and accept that that document is one of the most thorough, correct rundowns on PHP's issues to date.

    28. Re:I can predict the future by thoromyr · · Score: 1

      or, we could try to educate people about how ridiculous it is that PHP is the only language to have non-stop vulnerabilities *in the language* and, even worse, all the cool things they are going to install to go with it are riddled with even more vulnerabilities, to the extent that running a site in php is next best thing to just posting site credentials online.

      Yes, the reason vulnerabilities are so prevalent in modules is because PHP is freaking scary easy to develop so practically anyone can do so, even (and especially) if they have no clue what secure programming means. But it doesn't change the basic fact.

      Yes, a properly developed site using PHP *can* be as secure as one developed using a different language. But that generally isn't the case -- people generally choose PHP because they have no clue. I'm *not* saying everyone who uses PHP has no clue (that is definitely not the case), but for the clueless, PHP is the platform of choice.

      A good example is wordpress. Even excluding wordpress vulnerabilities (which seem to have gotten harder to find), hardly anyone just installs wordpress, they install numerous plugins. And the vulnerabilities multiply.

      So when it comes to hosting sites, allowing PHP means you are going to have slap-dash insecure sites that constantly get hacked. And that creates overhead. It is more of a problem (by definition) than only permitting static content. It is more of a problem (in practice) than permitting dynamic content in other languages.

      So when I say "educate people" I don't mean someone who knows how to use PHP safely (insofar as that is possible for any language...), rather I mean the ones who want to have joomla because they want a site with CMS because they don't understand how *everything* they are going to do could have been done easily in any reasonable tool that generates static pages.

      I don't have time to deal with the constant hacking of PHP driven sites. If my employer wants that, they need to employ more people. This requires educating them, including how the entire PHP ecosystem is fraught with vulnerabilities.

    29. Re:I can predict the future by thoromyr · · Score: 1

      exactly this. I was astounded when I discovered PHP and the world of vulnerabilities it introduced. Using PHP before 5 is just not a good idea, and that is a very sad statement to make about a *language*. I use PHP at times (it is scary fast to develop in), but in general I prefer other languages.

    30. Re:I can predict the future by Anonymous Coward · · Score: 0

      Why would he let it go? He explained his point. You're the one that seems entirely unable to rise to his challenge to explain even at least one other language that's had the number of design issues PHP has.

      That should be a really easy challenge if what you believe is true, yet you seem rather eager to evade it.

      I guess the rest of us can only assume you know full well you're wrong, but are too scared for your own ego to admit it. That's okay, it's common on Slashdot. If it makes you feel better fine, but we all know you're wrong, and we're all laughing at you as a result so it really shouldn't make you feel better.

      Perhaps you should just admit you're wrong, then we'll have at least a little more respect for you.

    31. Re:I can predict the future by JabberWokky · · Score: 1

      Really? Asking for somebody to demonstrate a wild claim results in your turning it around and demanding proof that it isn't true?

      Okay, I'll say that it is objectively true that there is life on Mars.

      No, no... I don't have to *defend* that statement. The onus is on *you*, Buckaroo, to demonstrate there *isn't* life on Mars.

      Wow, this makes putting out claims much easier. Thank you for your logic, AC.

      --
      "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
    32. Re:I can predict the future by Anonymous Coward · · Score: 0

      I know it's not popular around here because "Micro$oft durr durr"
      -1, 4chan/reddit stupidity

    33. Re:I can predict the future by styrotech · · Score: 1

      OK OK you got me... I completely retract my claim 100%. I was just talking "drivel".

      Now to show you're not really just a troll and actually are a PHP fanboy*, why don't you tell us why you think PHP is at least as good as other popular languages.

      * Having never met one before (even at well attended PHP user group meetings), I didn't realise PHP fanboys even existed.

      If you really are a fanboy, what are the good or even great things about PHP? What attracts you to it? Is it the internal consistency? The elegant expressive syntax? The well thought out standard library? Is it the lack of regressions? The joy of php.ini differences? The open way new features are designed and ironed out? The awesome capabilities of the core development and security teams? The package management?

      Or to stay on topic you could educate us plebs as to how other popular languages are equivalent to PHP in respect to how the language itself affects security. That should be easy - after all you get to pick which of the other popular languages you can compare it to.

      Some actual reasoning other than "nuh uh" or "is not" would be nice for a change. Show me you weren't just trolling...

    34. Re:I can predict the future by dkleinsc · · Score: 1

      Here's what I think: If you know what you're doing, doing things the right way takes no longer than doing things the wrong way when you start.
      Example

      So the end result is that it's a lot cheaper to do things the right way, because you start off almost as fast, and end up not having to slow down to deal with the headaches that exist as the thing gets larger.

      And if you're one of those types that likes a CMS, try Mezzanine and tell me if it's still hard to get something other than PHP up and running.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    35. Re:I can predict the future by Anonymous Coward · · Score: 0

      Except his claim wasn't stupid, it was perfectly reasonable and well explained.

      If you want to claim there's life on Mars you similarly have to justify that, just like he justified his claim. If you do that and I disagree with you, I will explain why. The GP did not do this, and is avoiding doing this.

      So stop being so stupid.

  7. lazy editors by Anonymous Coward · · Score: 0

    > warning users who's browsers support it
    Whose job is it to proof-read submissions around here?

    1. Re:lazy editors by Tablizer · · Score: 1

      You didn't pay your proof-reading tax.

  8. I don't get people. by Anonymous Coward · · Score: 0

    GP stated an opinion that isn't unwarranted. And gets modded down and called a Troll by the parent.

    Parent states another and backs it up with how many products use it - and the fact that Facebook has their own version; which somehow backs up her claim.

    This taking personal offense when someone criticizes a programming language or platform seems so irrational.

    My favorite language of all time is ANSI C - but I'm also the first to agree with most criticisms about it and I don't take offense. It's just a language. Give me an algorithm and I'll implement it in any language - it makes no difference to me - it's just syntax. Although it is kind of funny how C has been the inspiration for many of them - just sayin'.

    Editors - same thing - depending on a platform, I switch.

    Platforms - same.

    Linux distros - every few years I switch. I even go to a *BSD every once in a while.

    I mean you can call some of these people's mothers whores and they'll brush it off, but say something bad about PHP, Java, C++, JavaScript - well JavaScript is a whore language (kidding!), oh Heaven help you!

    1. Re:I don't get people. by Anonymous Coward · · Score: 0

      it makes no difference to me - it's just syntax.

      If you think the only difference between languages is "just" syntax then I don't think you really understand programming languages.

    2. Re:I don't get people. by Joining+Yet+Again · · Score: 1

      If you think the difference between imperative programming languages goes much beyond syntactic sugar then I don't think you really understand computer science.

      You know a sophomore when they start whining about how childish Visual Basic is. If you can write something well, you can write it well in VB. You might prefer not to, but you should be able to do a fine job of it.

    3. Re:I don't get people. by Anonymous Coward · · Score: 0

      There's a reason why AC said "just" syntax. It's like saying the difference between one bomb and another bomb is "just" nuclear fusion. Syntax often makes a big difference.

      If you think that syntactic sugar only makes little difference then I don't think you really understand the real world.

      Compare the occurrence rate of buffer overflows in C programs with the rate in Python programs. Compare the occurrence rate of code injection problems in C programs, Python programs and PHP programs.

      The difference between theory and practice is in theory there's no difference.

    4. Re:I don't get people. by Joining+Yet+Again · · Score: 1

      That's a runtime library issue.

      Although maybe your argument is that a language should be judged when accompanied precisely by its standard runtime libraries.

  9. FTFY: I can predict the future by neo-mkrey · · Score: 2

    I can predict the future, I am going to die a bitter, lonely and angry nerd.

  10. It's about time by sl4shd0rk · · Score: 2

    It's nice to finally have some company down here in the basement.
    -Java Plugin

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:It's about time by slashmydots · · Score: 1

      What is this, 2007? They hit rock bottom and broke through. Java is in the 9th circle of hell at the moment.

    2. Re:It's about time by Anonymous Coward · · Score: 0

      9th circle? Treachery? Did I miss something, or why do you associate Java with traitors?

    3. Re:It's about time by Anonymous Coward · · Score: 0

      The 9th circle of hell is PHP, so... we have a Java Applet running on a JVM written in PHP.

      Those mental images cannot be undone, so I'll shoot myself now.

  11. Battle Scars by Tablizer · · Score: 2

    Almost every language in common use has some stupid ideas in it that make one want to slap the makers. (Although maybe Php deserves 2 slaps.) A lot of it is stretch marks from growth. Any successful language (usage-wise) that's been around a while will probably have battle scars. New languages don't have enough features, and mature languages have convoluted features due to growth and the maturing process.

    1. Re:Battle Scars by Anonymous Coward · · Score: 0

      Almost every language in common use has some stupid ideas in it that make one want to slap the makers.

      Yes, but PHP has stupid ideas in it that make one want to dunk the makers in molten lead.

    2. Re:Battle Scars by bill_mcgonigle · · Score: 1

      yeah, but this is PHP - a fractal of bad design.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Battle Scars by Anonymous Coward · · Score: 0

      and you are a fucking blog spammer spouting nonsense about fractals.

      sorry, did you think that being a paying bootlicker on this site actually meant something to anyone other than you?

  12. ja ja by Anonymous Coward · · Score: 1

    Why is everyone assuming that it is PHP that was vulnerable?

    There are countless ways that an attacker could have modified the site that don't involve a vulnerability in PHP.

    1. Re:ja ja by X0563511 · · Score: 1

      Because when an attack is successful it seems like 9/10 times they exploited a bug or configuration issue via PHP?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:ja ja by Elminster+Aumar · · Score: 1

      ...or... Maybe it's just another issue of someone using a tool they weren't qualified in using?

  13. Perfect timing by Anonymous Coward · · Score: 0

    I was googling for "secure password hashing php" and when I clicked the php.net link I got the security warning.

    Not fun.

  14. So it wasn't hacked, and Google fucked up... by pongo000 · · Score: 1

    From php.net:

    It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.

    I'm idly curious if Google even bothers to offer an apology.
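    The php.net note above describes finding the problem by combing the access logs for a static file whose served size flipped and then reverted. As an added example (not from php.net or the thread), here is a small Python log checker that groups successful hits on static files into consecutive runs of equal response size and flags any file that changes size and later reverts; the log lines are constructed in the Apache combined format, and it assumes the logs themselves have not been tampered with.

    ```python
    """Flag static files whose response size flips and reverts in Apache access logs."""
    import re
    from collections import defaultdict

    # Apache "combined" log format; only the fields this check needs are captured.
    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
        r'(?P<status>\d{3}) (?P<size>\d+|-)'
    )

    # Constructed sample log: userprefs.js is served at one size, then a different
    # size for a short window, then the original size again (as php.net described).
    SAMPLE_LOG = """\
    203.0.113.5 - - [24/Oct/2013:10:00:01 +0000] "GET /userprefs.js HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
    198.51.100.7 - - [24/Oct/2013:10:01:10 +0000] "GET /userprefs.js HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
    203.0.113.9 - - [24/Oct/2013:10:03:22 +0000] "GET /userprefs.js HTTP/1.1" 200 2112 "-" "Mozilla/5.0"
    198.51.100.3 - - [24/Oct/2013:10:04:05 +0000] "GET /style.css HTTP/1.1" 200 800 "-" "Mozilla/5.0"
    192.0.2.44 - - [24/Oct/2013:10:06:40 +0000] "GET /userprefs.js HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
    203.0.113.5 - - [24/Oct/2013:10:07:00 +0000] "GET /userprefs.js HTTP/1.1" 304 - "-" "Mozilla/5.0"
    """.splitlines()

    def parse_line(line):
        """Return (ip, timestamp, path, status, size) or None for lines we cannot use."""
        m = LOG_RE.match(line)
        if not m or m.group('size') == '-':
            return None
        return (m.group('ip'), m.group('ts'), m.group('path').split('?')[0],
                int(m.group('status')), int(m.group('size')))

    def size_runs(lines, exts=('.js', '.css')):
        """Per static path, consecutive runs of equal size: [(size, hits, {ips}), ...]."""
        runs = defaultdict(list)
        for line in lines:
            rec = parse_line(line)
            if rec is None:
                continue
            ip, _ts, path, status, size = rec
            if status != 200 or not path.endswith(exts):
                continue
            r = runs[path]
            if r and r[-1][0] == size:
                r[-1] = (size, r[-1][1] + 1, r[-1][2] | {ip})   # extend current run
            else:
                r.append((size, 1, {ip}))                        # size changed: new run
        return runs

    def flag_flipping_files(lines):
        """Paths served at more than one size where an earlier size comes back."""
        flagged = {}
        for path, r in size_runs(lines).items():
            sizes = [s for s, _, _ in r]
            if len(set(sizes)) > 1 and len(sizes) > len(set(sizes)):
                flagged[path] = r
        return flagged
    ```

    A file that simply grew once (a legitimate deploy) produces two runs and is not flagged; the flip-and-revert pattern is what distinguishes a transient swap.
    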

    1. Re:So it wasn't hacked, and Google fucked up... by Anonymous Coward · · Score: 0

      you mean php.net should apologize to google?

      google statement:
      http://www.google.com/safebrowsing/diagnostic?site=http://php.net/manual/en/function.next.php&hl=en

      the actual cached evil code that *WAS* served by php.net:
      https://news.ycombinator.com/item?id=6604251

    2. Re:So it wasn't hacked, and Google fucked up... by Anonymous Coward · · Score: 4, Informative

      I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.

      See also: https://news.ycombinator.com/item?id=6604251

      I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.

      However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.

      This appears to be a targeted watering-hole attack. This is certainly not a mere false positive. And there seems to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.

      And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...

    3. Re:So it wasn't hacked, and Google fucked up... by landmine · · Score: 1

      You just couldn't quote one more line...

      "...looked at it manually it looked fine. So more confusion.

      We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers..."
      So they are not denying that the file was changed, they just don't know how it was possible.

    4. Re:So it wasn't hacked, and Google fucked up... by wonkey_monkey · · Score: 1

      That doesn't look like a denial that they were hacked, only that there was some confusion when they looked at the suspect file and found nothing wrong with it because it had been reverted.

      --
      systemd is Roko's Basilisk.
    5. Re:So it wasn't hacked, and Google fucked up... by vilanye · · Score: 1

      Why should Google apologize because the php.net maintainers are idiots?

  15. Uh oh... by edibobb · · Score: 4, Funny

    I happened to update php on my web server today. Did I get some additional free software out of the deal?

    1. Re:Uh oh... by matria · · Score: 1

      No.

  16. Re:Make me a sandwich!!!!! by Anonymous Coward · · Score: 0

    You forgot the sudo.

  17. Just proves a point by lapm · · Score: 1

    This just goes to show, bad boys might find a way in at any time. So the rest of us need to stay vigilant about our systems. A system that was presumed secure yesterday may have a hole in it that is discovered today...

  18. I love when people use fuzzy math by Anonymous Coward · · Score: 0

    To make themselves look good.

    Hey fuckface, you forgot to mention that 80% of the projects on the internet are written in PHP. Which is why the number is so high.

    No one gives a shit about ruby or python on the web. Does that break your ego?

    I'm not a coder, but I had to call your bullshit.

    1. Re:I love when people use fuzzy math by dkleinsc · · Score: 2

      If you read the paper, you'll discover that about 50% of the projects examined use PHP, so the 80% number is disproportionately high.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/