PHP.net Compromised

← Back to Stories (view on slashdot.org)

Posted by timothy on Thursday October 24, 2013 @07:36AM from the stay-safe-out-there dept.

An anonymous reader writes "The open source PHP project site was compromised earlier today. The site appears to have been compromised and had some of its Javascript altered to exploit vulnerable systems visiting the website. Google's stop-badware system caught this as well and flagged php.net as distributing malware, warning users whose browsers support it not to visit the site. The comment by a Google employee over at the hacker news thread (official Google webmaster forum thread) seems to suggest that php.net wasn't incorrectly flagged."

123 of 189 comments (clear)

Min score:

Reason:

Sort:

Oh the irony by killerzax · 2013-10-24 07:38 · Score: 5, Funny

Let me guess, they got in through a PHP vulnerability?
1. Re:Oh the irony by ArcadeMan · 2013-10-24 07:49 · Score: 5, Funny
  
  It's Microsoft's fault. The URL for PHP is php.net, which means it's .NET and hence the reason for being compromised.
  The malware was distributed via Javascript, which has Java in its name, which means it's also Oracle's fault.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
2. Re:Oh the irony by eexaa · 2013-10-24 07:52 · Score: 1
  
  Either that, or missing mysql_escape_string.
3. Re:Oh the irony by CastrTroy · 2013-10-24 08:37 · Score: 1
  
  It's it supposed to be mysql_real_escape_string? I can't remember since I've been using parameterized queries for so long.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
4. Re:Oh the irony by Anonymous Coward · 2013-10-24 09:27 · Score: 1
  
  And it's open sores software, which means now all the visitors to the site have herpes!
5. Re:Oh the irony by NettiWelho · 2013-10-24 12:46 · Score: 1
  
  On a more serious note, what systems were vulnerable and what was the payload?
It was already a dangerous site to visit ... by c0d3g33k · 2013-10-24 07:38 · Score: 5, Funny

... it introduced visitors to PHP.
1. Re:It was already a dangerous site to visit ... by Minwee · 2013-10-24 07:51 · Score: 1
  
  I'd rather bash people with no sense of humour who feed trolls.
  It's even easier than bashing PHP.
2. Re:It was already a dangerous site to visit ... by Sarten-X · 2013-10-24 07:52 · Score: 3, Insightful
  
  As a mild Java fanboy, I feel compelled to mention that real Java isn't really locked in to a single vendor, as the reference implementation (OpenJDK) is open-source. However, the reference implementation lacks a lot of the features that aren't real Java, that Sun and Oracle have so kindly implemented in their own versions. A careful Java developer isn't locked in, but a careless one easily can be.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
3. Re:It was already a dangerous site to visit ... by Anonymous Coward · 2013-10-24 07:55 · Score: 1, Informative
  
  PHP does not have very good performance. node.js has very good performance, so does .NET.
  PHP uses massive amounts of memory and security is a problem on I'd guess 99% of all shared hosts due to the difficulty in running the process as different users without using up all the RAM on the server. I've been working with PHP since 2006. No more, it's days are over.
  Add to that the still broken implementation of Unicode. Embarassing is the Word for PHP.
4. Re:It was already a dangerous site to visit ... by guruevi · 2013-10-24 08:05 · Score: 1
  
  Clueless sysadmins (and programmers) do indeed bring a bad rep to PHP but correctly implemented and managed, it can be a great asset. What alternative do you suggest? Node.js? Who runs that and .NET? Really?
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
5. Re:It was already a dangerous site to visit ... by Megane · 2013-10-24 08:07 · Score: 2
  
  PHP: a fractal of bad design
  
  --
  #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
6. Re:It was already a dangerous site to visit ... by c0d3g33k · 2013-10-24 08:15 · Score: 1
  
  Hi, girlintraining.
  I'm no troll. I was there (on the internet, not physically present) when Tim Berners-Lee announced the World Wide Web and I happened to notice while using Gopher. I downloaded and installed the first web browser and went to http://info.cern.ch/hypertext to see what was up with this new thing. I advocated and used PHP when the acronym stood for Personal Home Page. Back when everyone was banging out custom CGI scripts in Perl, it looked pretty cool. And for awhile it was. I rolled out quite a few sites based on PHP at the time. I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.
  I calmly stand by my snark, perched atop the mountain of experience.
7. Re:It was already a dangerous site to visit ... by Anonymous Coward · 2013-10-24 08:23 · Score: 4, Insightful
  
  Silverlight and .Net are the same. Silverlight is simply a subset of .Net that runs in a browser plugin environment. Flash runs like that more commonly than not. Java came with a browser plugin from day 1. Silverlight was simply a catch-up attempt by Microsoft, back before HTML5 made those plugins irrelevant. Throw it in the too-little-too-late bag, but don't confuse it with a real framework.
  Also, you're wildly misinformed about the extent of lock-in. Flash is single-vendor, but there are several knock-offs that claim at least partial compatibility. The rest of your examples aren't even close to locked-in. .Net is multi-vendor, as there are several non-Microsoft versions of it (Mono isn't the only one). Java has even more vendors, providing various JVM's and front-end languages that will compile to bytecode. Heck, one of the most widely used Java app servers is Tomcat, and that's made by Apache. It can be paired with any of the compliant JVM's with relative ease.
  Meanwhile, the GP is getting all angry about someone insulting their language of choice. Lighten up. Nobody is going to take away your precious PHP. Hell, my career got its start as a "professional PHP developer". Even at the time, it was something I joked about, and this was a decade ago.
  The fact is, PHP is ridiculously easy to use, even for a newbie developer. And because of that, there are a lot of newbies using PHP, making the mistakes that newbies inevitably make. This would be OK if they were still in school or developing a Personal HomePage (thanks, retconning!), but when they make this crap in the workforce, it crystallizes into production code and then we (all of us) have to maintain their steaming pile of newbieness forever. Mostly, I blame management for allowing this to happen. But its much easier to fight off newbies and their PHP by requiring more newbie-proof development technologies in the workplace.
  I'm a programmer that does web, web service, desktop, command line, and mobile development for large scale data management and real-time reporting. I no longer use PHP because it is incapable of doing what the software I write does. It's simply the wrong tool for the job, including the web portions. If you want to introduce yourself to web programming, by all means, use PHP. And once you've learned it, know HTTP inside and out, know request/response interplay like the back of your hand, and can set headers, dynamically generate formatted and unformatted data, and in general, use the response body as your bitch, then you don't need PHP anymore and can (and should) move up to something more scalable.
  And before you say "PHP is scalable because Facebook uses it", keep in mind, your what the parent post already noted (emphasis mine):
  
  Facebook uses a special version of it.
  Facebook's version is scalable and has good performance. Stock PHP is mediocre. And you can't afford Facebook's clustering and load-balancing setup.
8. Re:It was already a dangerous site to visit ... by binarylarry · 2013-10-24 08:23 · Score: 2
  
  I'm pretty sure it's PHP that gives PHP a bad rep.
  
  --
  Mod me down, my New Earth Global Warmingist friends!
9. Re:It was already a dangerous site to visit ... by Mitchell314 · 2013-10-24 08:24 · Score: 1
  
  Calm down, it's just a joke.
  
  --
  I read TFA and all I got was this lousy cookie
10. Re:It was already a dangerous site to visit ... by MightyMartian · 2013-10-24 08:29 · Score: 1, Insightful
  
  What do I care about a scripting language's performance. The bulk of my work is basically using scripting languages as glue and display functions for RDBMS queries. The amount of cycles the interpreter/JIT/whatever has to consume is dwarfed by the cycles eaten up by the SQL database.
  
  --
  The world's burning. Moped Jesus spotted on I50. Details at 11.
11. Re: It was already a dangerous site to visit ... by dgatwood · 2013-10-24 08:41 · Score: 3, Interesting
  
  It makes sense. The implode function can readily detect the difference between a string and an array through simple type introspection, but the explode function cannot do the same with two strings. Indeed, I would argue that for any function, if the parameters must be of a specific type that can be readily distinguished from the type of other parameters, there's no reason for the parameter order to matter.
  Then again, I would argue that the entire notion of programming languages in which the order of arguments is significant is arcane and archaic. IMO, an ideal programming language should require that each parameter be explicitly tagged so that the parameter order never matters, or at a minimum that the order is never implied merely by position. Perl can sort of do this with a hash, Python et al sort of do this with named parameters, etc.
  Such a design pattern makes it relatively simple to add additional optional parameters, because the order ceases to matter. It means that you can insert those new parameters in an order that makes logical sense, rather than having to add them at the end of the parameter list with an explicit check to see if the parameter list is empty before shifting off the next item so that you don't break backwards compatibility with existing clients. And so on.
  Unfortunately, most programming languages still force you to choose between strict compile-time type checking and mandatory tagging. If you take parameters in a varargs stype, you can force mandatory tagging, but you lose any compile-time checks. If you take parameters individually in the function, somebody can still pass parameters positionally, at which point you lose the readability advantages of being able to reorder the parameter names as you add new parameters.
  I get the impression that Python 3 allows you to force explicit tagging by adding "*" as the first parameter. It would be great to see similar functionality in all other programming languages; it just makes a lot more sense than trying to extract meaning out of order.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
12. Re:It was already a dangerous site to visit ... by csnydermvpsoft · 2013-10-24 08:43 · Score: 4, Interesting
  
  It's not that hard to be careful - just avoid the com.sun.* and sun.* namespaces. Eclipse even filters those out (of autocomplete and Organize Imports) in the default configuration.
13. Re: It was already a dangerous site to visit ... by garyebickford · 2013-10-24 08:48 · Score: 1
  
  Hmm. I recall a an analogous bit from the Perl documentation - I don't recall the specifics. And C has lots of WTFs, not least of which is the syntactic mistake of allowing 'if ( a = b )' to be valid, leading to thousands of hours of debugging time when programmers accidentally forget the second ==. We've all done it, many times. I recently found an example that had lain in wait for a couple of years, as that particular piece of code was only rarely executed, and most of the time the fact that 'a' was being set didn't matter. This bug-factory has now been propagated into several languages whose syntax is based on C. It could be prevented by simply requiring that operations that return a value inside an evaluation must be enclosed with braces: 'if ({a = b})' would evaluate, then proceed; 'if (a == b)' would compare then proceed; 'if (a = b)' would fail.
  Bottom line, PHP is just another language with historical, and not-so-historical flaws. I personally dislike the unpredictable parameter order in string and array functions; I basically have to look them up every time I use one I haven't used for a while. APL had the cleanest parsing and cleanest operating model of any language I've used - A+B meant the 'right' thing (or at least something reasonable) regardless of whether A and B were scalars, strings or arrays of arbitrary dimension. Its WTF might well have been just the requirement for the special character set.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
14. Re:It was already a dangerous site to visit ... by TomGreenhaw · 2013-10-24 08:53 · Score: 1
  
  Comparing .net to PHP is not a fair or accurate comparison, one is a scripting environment and the other is compiled. Comparing PHP to Classic ASP would be more accurate.
  
  --
  Greed is the root of all evil.
15. Re: It was already a dangerous site to visit ... by Spudley · 2013-10-24 09:04 · Score: 4, Insightful
  
  Listen, moron. PHP is GARBAGE and anyone who defends it is a clueless fool.
  Find me a language without major design flaws, and I'll show a language that hardly anyone actually uses.
  
  --
  (Spudley Strikes Again!)
16. Re:It was already a dangerous site to visit ... by c0d3g33k · 2013-10-24 09:07 · Score: 3, Interesting
  
  I was on the internet, er, before it was the internet. -_- That doesn't mean anything as far as statements made about today.
  Agreed. But you came screaming out of the gates with a hard core ad-hominem attack (Troll!) in response to what amounts to little more than a joke. Touchy much?
  That said, I was on the internet-before-it-was-the-internet back in 1980. Just out of curiosity, what's your magic date?
  
  I've spent considerable time since regretting my early advocacy and plenty of time fixing PHP driven sites or migrating away from PHP to better platforms. Plenty of other people over the years have explained why PHP is a 'fractal of bad design', so I won't make that attempt here. I agree with them.
  I calmly stand by my snark, perched atop the mountain of experience.
  And I stand by my statements, that PHP would be one of my top picks for back-end design and dynamic pages. It is easy to read, has reasonably good performance, and reasonable security. But no language can stop people from shooting their own foot off if they're so determined, and your grevance seems to be not with the language itself, but with the fact that so many people shoot their own foot off while using it. The only problem I have with PHP is that the designers seem utterly incapable of understanding OOP concepts and the result is half-baked objects. But then, I say the same thing about Java.
  You're reading a lot into my jokey original one-sentence post. Grievance (grevance)? I've used PHP. Found it wanting. Moved on. End of story. What's driving your zealous PHP advocacy?
17. Re:It was already a dangerous site to visit ... by X0563511 · 2013-10-24 09:19 · Score: 1
  
  What's driving your zealous PHP advocacy?
  Ask a stupid question, get a stupid answer.
  Note that you're being perceived as wrong, not that you actually are. I certainly don't have the experience to say which of you is right (or more right, as the case may be)
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
18. Re: It was already a dangerous site to visit ... by AuMatar · 2013-10-24 09:29 · Score: 4, Insightful
  
  That is quite possibly the worst idea I've ever heard. So I either have a hash lookup on each parameter on every function call (which will CRUSH performance in any language), or a very complicated system for the compiler to implement. Then as a user I not only need to remember what the parameters are for every function, but what they were named? Which basically means it would need to be looked up every time, because I am not remembering all that. You're looking at an order of magnitude slowdown in writing code. Just a stupid idea.
  
  --
  I still have more fans than freaks. WTF is wrong with you people?
19. Re:It was already a dangerous site to visit ... by Anonymous Coward · 2013-10-24 09:44 · Score: 1
  
  ... it introduced visitors to PHP.
  Listen troll, PHP is used on a large number of websites...
  You're using BOTH ad hominem AND Bandwagon fallacies?! Care to go for a third?
20. Re: It was already a dangerous site to visit ... by cheater512 · 2013-10-24 09:57 · Score: 1
  
  implode(array('glue' => ',', 'peices' => $stuff));
  Eww. Just eww man. So much more typing and room for error for no benefit whatsoever except you can swap the order around.
21. Re:It was already a dangerous site to visit ... by webnut77 · 2013-10-24 10:20 · Score: 1
  
  What's driving your zealous PHP advocacy?
  PHP has lots of add-ons that make it very powerful like: PHPExcel for churning out a spreadsheet, TCPDF for creating a PDF, PHPMailer for sending an email, etc. I don't know if other languages have these but they are simple to use in PHP.
  It is true you can write a crappy application with security holes like swiss cheese in PHP. But you can do that in any language. If you're going to write 'good' programs there are quite a few web principles like sanitizing input that you MUST learn.
  On the other hand, I think one of the flaws of PHP is that it is often co-mingled with HTML. This makes it hard to debug. A better approach, I feel, is to turn PHP on in the first line and don't turn if off until the last line. If you want to send some HTML, use an echo statement. Learn to use loops (for, foreach, while, etc.), give variables meaningful names, and create functions for things you do over and over.
22. Re:It was already a dangerous site to visit ... by Bigbutt · 2013-10-24 10:47 · Score: 2
  
  I appreciate your input. Still, no one has come up with what the next step after PHP is. Ruby? Perl? Python? It's not like there's someone out there going "ooh, good job on that PHP website and the work you're doing looks like you understand what you need. Now that you know that, you should start using JQuery to replace the hacked up Javascript and Forth to build websites. Here are a couple of good websites to get you transitioned from PHP to Forth."
  It's cool and all to denigrate the folks who are trying but if all you hear is "PHP is crap and folks who program in it are illiterate newbies" without some suggestion as to where to go next, folks will simply ignore the ranting and move on (and continue using PHP).
  As a sysadmin, I really liked the Rosetta Stone website so I could take my linux and Solaris skills and start working on AIX and HP-UX fairly quickly. Is there such a PHP -> Forth website?
  [John]
  
  --
  Shit better not happen!
23. Re: It was already a dangerous site to visit ... by wonkey_monkey · 2013-10-24 11:03 · Score: 1
  
  or a very complicated system for the compiler to implement
  What's so complicated about doing it at compile time? When a function's called, compare the caller tags to the function definition tags and re-order them to match - no?
  
  Then as a user I not only need to remember what the parameters are for every function, but what they were named?
  It doesn't have to replace the current way of doing things. AviSynth allows parameters to be specified either in order or by name.
  
  --
  systemd is Roko's Basilisk.
24. Re: It was already a dangerous site to visit ... by narcc · 2013-10-24 11:14 · Score: 1
  
  He said WITHOUT major design flaws.
  
  --
  Required reading for internet skeptics
25. Re:It was already a dangerous site to visit ... by narcc · 2013-10-24 11:21 · Score: 1
  
  PHP is on its way out, thank the gods.
  It doesn't appear that way. The data suggest the exact opposite.
  Why? Probably due to the lack of a viable alternative. Well, that and the fact that PHP isn't the disaster incompetent Slashdot users seem to think it is.
  
  --
  Required reading for internet skeptics
26. Re:It was already a dangerous site to visit ... by narcc · 2013-10-24 11:27 · Score: 1
  
  I've used PHP. Found it wanting. Moved on.
  
  Why did you find it inadequate? With what did you replace it?
  
  --
  Required reading for internet skeptics
27. Re:It was already a dangerous site to visit ... by narcc · 2013-10-24 11:42 · Score: 2
  
  Know what's sad? You don't know how awful that page really is. You actually think it contains something of value.
  Here's a fun exercise. From that pile of garbage, make a list of points of fact, eliminating any point that is opinion.
  Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.
  Still think PHP is a "fractal of bad design"?
  It looks like he got rid of the NaN != NaN nonsense point. (Why is that nonsense, you ask? See IEEE 754 -- I guess enough people pointed that bit of nonsense out to him. That and his old intransitivity argument and example seems to have vanished as well. Bet you didn't notice!)
  
  --
  Required reading for internet skeptics
28. Re: It was already a dangerous site to visit ... by dgatwood · 2013-10-24 12:02 · Score: 1
  
  It's horrible only because PHP doesn't build such functionality cleanly into the language. The ideal syntax looks more like this:
  implode(glue => ",", pieces => $stuff);
  Or even this:
  implode(glue=",", pieces=$stuff);
  And you're very wrong about reordering being the only benefit. Named calling parameters also provide much-needed information about what the parameters actually do when you're looking at the function call itself, without which you must mentally cross-reference the original function declaration to know how those parameters are being used. Being explicit as part of the call syntax reduces cognitive load, particularly when you're doing maintenance programming of a large code base, particularly when a function takes more than a couple of parameters. You know the old adage: If a function takes more than three parameters, you are likely to forget at least one of them.
  Also, assuming the syntax is properly built into the language (with full compile-time type checking and errors if you try to specify a parameter name that isn't part of the declaration), you get no additional opportunity for nontrivial errors (in the worst case, you just get parse errors that cause a failure as soon as you try to load the file), while removing a lot of potential for other types of errors.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
29. Re: It was already a dangerous site to visit ... by brantondaveperson · 2013-10-24 13:01 · Score: 1
  
  Objective C pretty much does this. Functions calls look like:
  [myColor changeColorToRed:5.0 green:2.0 blue:6.0];
  Now I do appreciate here that the order isn't actually flexible, but I would argue that *is* a bad idea because it makes the code much harder to read. But what you do get is the named parameters part, which in my opinion is the more important part. This makes the code much easier to read.
30. Re:It was already a dangerous site to visit ... by geminidomino · 2013-10-24 13:03 · Score: 1
  
  . A better approach, I feel, is to turn PHP on in the first line and don't turn if off until the last line. If you want to send some HTML, use an echo statement.
  
  I feel like someone made Poe's law into a truck, and hit me with it.
31. Re: It was already a dangerous site to visit ... by memco · 2013-10-24 13:46 · Score: 1
  
  There is an RFC (at affected PHP.net site), which discusses the idea of named parameters for PHP 5.6. The proposal suggests that you would be able to use both named parameters and non-named parameters in the same function, but specifies that all functions using a mix must declare the order-dependent params before declaring any named params so that the interpreter knows how to handle the two.
  
  --
  Get me a meat pie floater!
32. Re: It was already a dangerous site to visit ... by myowntrueself · 2013-10-24 14:03 · Score: 1
  
  Thats nothing
  *THAT* is a worm. Insert that into some PHP code and you have a back door.
  Sometimes I wonder if the NSA are responsible for PHP.
  
  --
  In the free world the media isn't government run; the government is media run.
33. Re: It was already a dangerous site to visit ... by myowntrueself · 2013-10-24 14:04 · Score: 1
  
  oh yeah of course it was bound to strip out the nice PHP code. Heres a URL
  http://www.madirish.net/454
  
  --
  In the free world the media isn't government run; the government is media run.
34. Re: It was already a dangerous site to visit ... by foobar+bazbot · 2013-10-24 14:50 · Score: 1
  
  It could be prevented by simply requiring that operations that return a value inside an evaluation must be enclosed with braces: 'if ({a = b})' would evaluate, then proceed; 'if (a == b)' would compare then proceed; 'if (a = b)' would fail.
  Huh? 'a==b' returns a value every bit as much as 'a=b', so under that definition, why mustn't it also be enclosed in braces? Now I wouldn't say either of them "returns" anything -- functions return values, while expressions evaluate to values -- but definitions do vary and it would be silly to nitpick over. The point, though, is that there's no sense of the term "return" in which "a=b" returns a value and "a==b" doesn't.
  You've also just clumsily overloaded C syntax, as a brace-delimited block doesn't "evaluate" to the return value of the last statement within the block. It doesn't evaluate to anything at all (C is an imperative language through-and-through), so using them to evaluate expressions is ugly and non-intuitive.
  I'm not saying that the syntax shouldn't have been fixed (personally, I remain unconvinced about the syntax, though changing the symbols (e.g. = -> := and == -> =) would definitely have been good), but a syntax fix needs to be more complicated than you seem to think it is, and therefore less obviously-correct.
  In case you don't get why the complexity would have been a downside then (it wouldn't be today, IMO), remember the C language was created in an age when many programmers didn't have the luxury of an interactive teletype session. This means you can't afford to say "Was it a: (foo && {return = bar(x)}) or b: {foo && (return = bar(x))}? Bother, I'll just put in a and change it if the compiler yells at me.", because you don't get compiler feedback immediately. Complicating the syntax decreases the odds of the programmer remembering it right off, and thus increases the time the programmer has to spend looking it up.
35. Re:It was already a dangerous site to visit ... by cerberusss · 2013-10-24 17:01 · Score: 1
  
  utterly incapable of understanding OOP concepts
  Funny thing is, I've been OO programming for fifteen years now, and splitting up requirements into sane objects is hard. When I do get it right, I spent abnormal amounts of time thinking about them. It's rare to see well-thought out design.
  
  --
  8 of 13 people found this answer helpful. Did you?
36. Re: It was already a dangerous site to visit ... by readacc · 2013-10-24 17:37 · Score: 2
  
  * Python
  Ahhaa, Python, yes. The only language I've come across where if someone is using tabs and the other is using spaces (or worse, their editor substitutes spaces for a tab), the code will break.
  I happen to like Python, but man that was an easy one to deconstruct.
37. Re:It was already a dangerous site to visit ... by hag3r · 2013-10-24 19:21 · Score: 2
  
  The only problem I have with PHP is that the designers ...
  Your problem lies in your belief that PHP is the result of actual design and forethought.
38. Re:It was already a dangerous site to visit ... by Anonymous Coward · 2013-10-24 23:57 · Score: 1
  
  I know I've tried this before and it doesn't get through to you, just like how you still refer to Java as a classic interpreted language despite having had it pointed out to you a thousand times it's a JIT compiled language but have you ever stopped to think the reason you get modded down on software development topics is because you're nearly always wrong?
  I also don't understand how you can complain about logical fallacies in the same post you make an argument like:
  "It's a popular language that is also used on many major web sites. This suggests to me that your various statements about it being "found wanting" are in error."
  Visual Basic is probably the single most use language in business across the globe with the various macros and small utilities written in it, but that doesn't mean it good. It just means it's accessible to those without the training to write software properly such that it's secure, maintainable, and performs well.
  Time and time again you come back with the same incorrect claims related to software development, and time and time again you wonder why people mod you down and tell you you're wrong. It's one thing to be ill informed about something, sometimes people misunderstand things and take that misunderstanding as fact until they find out otherwise, sometimes people don't have all the information and so come to a wrong conclusion. But you've made these arguments before, and you've been corrected before and had pretty good explanations as to why you were wrong, yet here you are repeating it all again. What you're displaying is wilful ignorance, you're being intentionally incorrect, so I'm not surprised you're being modded troll at this point, what else are people supposed to think if you intentionally say inflammatory things insisting they are correct when you know full well they're not given what you've had explained to you in the past?
39. Re: It was already a dangerous site to visit ... by dave420 · 2013-10-24 23:59 · Score: 1
  
  So PHP is bad for allowing it to run code?? wut?
40. Re: It was already a dangerous site to visit ... by myowntrueself · 2013-10-25 00:13 · Score: 1
  
  Do you understand this little hook of code? Its amazingly easy to hide in amongst other PHP code and can be nicely obfuscated.
  PHP is bad for allowing such a hook to be possible.
  
  --
  In the free world the media isn't government run; the government is media run.
41. Re:It was already a dangerous site to visit ... by Xest · 2013-10-25 01:14 · Score: 1
  
  "Who runs that and .NET? Really?"
  I'm intrigued to know your justification for disparaging .NET over PHP. Care to elaborate and expand upon that?
  Apart from it's lack of cross-platform support it's much better. It performs better, it has better tools, a much better framework, the language is much better thought out and has far less issues, allows for much faster development on all but the most trivial of projects, has a much healthier feature set (i.e. proper threading support) and it's got a far better track record of security. This all pretty much applies to Java too apart from the recent security track record though that does of course have the additional advantage of being portable.
  Where exactly do you think these two languages are lacking compared to PHP and do you have any actual experience of them or are you just going by hearsay? I ask because I do have real actual experience of running large projects in all three of these languages and can't fathom why someone would think PHP is superior unless they don't have any practical experience. It's really not, by pretty much any measure.
  I'm happy to work with whatever technology the constraints of a project push me too, but PHP would not be close to my number one choice if I had the freedom to select technology precisely because I have seen it's downsides stand out rather glaringly in the real world and I've yet to see anyone with a similar or greater depth and breadth of experience with various technologies use it by choice - those that do so are often doing so out of inexperience, either because they've barely used anything else, or because they're not developing anything large or important enough for it's flaws to matter - in other words it seems almost universally the reason that PHP gets chosen is naivety and seemingly never the result of a well informed decision.
42. Re:It was already a dangerous site to visit ... by Anonymous Coward · 2013-10-25 02:07 · Score: 1
  
  Yes, absolutely. Pretty much every finance department, project management department and so forth of major firms will have a bunch of hacked together VBA programs. You'd be amazed how much VB is holding even the largest of corporations together.
  PHP isn't used on as many major websites as people think. About the largest are Facebook, Wikipedia and Yahoo but both Facebook and Yahoo use versions that aren't actually PHP anymore (Facebook first wrote a translator to translate it to C++, and then wrote a Java style VM to JIT compile it).
  Java and C++ have much more prominence than PHP being used by Amazon, eBay, Paypal, Google and so forth.
  The bulk of PHP's usage is for my first homepage style projects.
43. Re:It was already a dangerous site to visit ... by fisted · 2013-10-25 02:19 · Score: 1
  
  It is easy to read, has reasonably good performance, and reasonable security.
  You can not be serious.
  
  --
  CLI paste? paste.pr0.tips!
44. Re:It was already a dangerous site to visit ... by undefinedreference · 2013-10-25 02:27 · Score: 1
  
  Herein lies the problem. There really isn't another decent cross-platform scripting language for web development. Even the shift toward JavaScript on both sides is full of epic failure (after all, we're talking about JavaScript here, which is only marginally better than the other client-side messes it replaced). Wikipedia uses PHP (albeit with front-end caching), so it clearly can be done right. The fundamental problem with PHP is that it has roughly 15 years of crufty functions with nonexistent naming conventions and senselessly-random parameter orders (contrast this with Python and Perl, two other wildly-popular scripting languages).
  Also, don't say "Java", which is a mess that requires outrageously heavy backend support to make it useful for web development. Scripting is the best solution for the large percentage of sites that don't have huge teams and budgets. It's also the best choice for sites with rapidly-changing requirements.
45. Re: It was already a dangerous site to visit ... by thoromyr · 2013-10-25 02:37 · Score: 1
  
  i don't think that really qualifies as a major design flaw. For example, we don't use python (rather, perl, ugh) but the requirement is that code follow standard formatting. Which is a certain number of spaces per indent level. No tabs. My point is that this "major design flaw" wouldn't even come up if we switched languages to python. Its already covered by our coding requirements.
46. Re:It was already a dangerous site to visit ... by undefinedreference · 2013-10-25 02:41 · Score: 1
  
  This sounds like a bigger trainwreck than many mixed-HTML PHP sites (which is the dirtiest thing about the language). A well-written PHP-based site will do what you say, but it will have no echo statements or anything else along these lines. Instead, it will use templates with placeholders that it fills with data. When I've worked in PHP, I've done this since the early 2000s. It's simply the only way to keep it clean, readable, and delineate logic from presentation. An added bonus is that you can usually teach a web designer to work with/around simple placeholders much easier than teaching them not to screw up your code.
47. Re: It was already a dangerous site to visit ... by godefroi · 2013-10-25 03:10 · Score: 1
  
  It's a major design flaw. It was made even worse when (allegedly) Guido said that if he were going to do it over again he'd require spaces instead of tabs. Because everyone agrees on how many spaces looks good, right?
  And it's fun to count columns to figure out where the "if" block ends, right?
  Also, while we're at it, any language with an "unless" statement is deeply flawed.
  
  --
  Karma: Poor (Mostly affected by lame karma-joke sigs)
48. Re:It was already a dangerous site to visit ... by c0d3g33k · 2013-10-25 03:11 · Score: 1
  
  I feel like someone made Poe's law into a truck, and hit me with it.
  Best post of the thread. A tip of the hat to you.
  Moderators, mod parent up, please.
49. Re: It was already a dangerous site to visit ... by thoromyr · 2013-10-25 03:53 · Score: 1
  
  now you're betraying your bias. The number of spaces is not a fixed factor in Python so your comment is neither here nor there (though in practice the variation is almost entirely 2, 4 or 8 with most people using four spaces -- and that is irrespective of language, Python doesn't even enter into it). Any language with an unless statement is deeply flawed? Right...
  I'd not seen that from Guido, but it makes a lot of sense. What you wrote sounds like: 1) you never wrote any significant amount of python code, 2) you either haven't written any significant amount of code in brace-style languages or are overlooking "its fun to guess where that code block start/ends", and 3) like using tabs.
  Tabs are simply not a good choice for indentation *regardless* of language because there is no standard for how to use them. If all you do is write personal code it doesn't matter that much, but once you enter the realm of programming with others these things start to count. As does where the braces go. Some programmers are pretty petty about what are, really, minor details and love to squabble. But once you rule out the basic usability constraints (1 space indents are too little, 32 space indents are excessive) its just a matter of agreeing to conform on details.
  If you want to be taken seriously claiming Python has a major design flaw you'll have to do better than this. Perhaps "any language that requires a NOP for an empty block" would do better (not that I'd agree, but it beats the heck out of your complaint about unless...). One really wonders if you've ever used Python or just fall into the "Python is bad because it uses white space, ooooo".
50. Re:It was already a dangerous site to visit ... by Bigbutt · 2013-10-25 06:40 · Score: 1
  
  Hmm, my experience with Basic (ibm basica and gwbasic with some quickbasic and other flavors) and C (Turbo and Microsoft mostly), my experience with RDBMs (dbase III+ and Paradox), my experience creating websites using vi. Add in my experience as a sysadmin using edlin, qedit, and vi plus experience with awk, sed, sh, ksh, bash, plus perl scripting. Then my searching around 6 or 7 years ago brings me to all the discussion over the years about LAMP; Linux, Apache, MySQL, PHP (although now it includes Perl and Python).
  So, experience and knowledge tells me to use... PHP and MySQL.
  So I'm good.
  Thanks.
  [John]
  
  --
  Shit better not happen!
51. Re: It was already a dangerous site to visit ... by dgatwood · 2013-10-25 09:12 · Score: 1
  
  It's also easy to spot. As a rule, eval should be a security red flag in pretty much any programming language. The only even semi-valid reason to use it is for certain types of shell scripting, where it can be unavoidable. In fact, it ranks right up there with system() in the red flag handbook.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
52. Re: It was already a dangerous site to visit ... by cheater512 · 2013-10-25 10:00 · Score: 1
  
  The disable_functions config option kills that code instantly.
53. Re:It was already a dangerous site to visit ... by narcc · 2013-10-25 11:02 · Score: 1
  
  Even the shift toward JavaScript on both sides is full of epic failure (after all, we're talking about JavaScript here, which is only marginally better than the other client-side messes it replaced).
  
  JS on the server full of failure for many reasons, but the language isn't one of them. It's surprisingly sophisticated. There's a video series on youtube called "Crockford on JavaScript" that you should check out.
  
  The fundamental problem with PHP is that it has roughly 15 years of crufty functions with nonexistent naming conventions and senselessly-random parameter orders
  
  That's pretty much it. Function names and parameter order. It's a shame that it's basically impossible to fix at this point. Then again, they might not want to fix it.
  PHP's biggest problem is that it's ridiculously easy to use. I can rant about why that turns insecure developers away from a language, but I think everyone is sick of hearing about that by now!
  
  --
  Required reading for internet skeptics
54. Re:It was already a dangerous site to visit ... by Patman64 · 2013-10-25 15:12 · Score: 1
  
  This is the next step. You start using a mature framework, preferably in a language with far better design than PHP like Python or Ruby.
55. Re:It was already a dangerous site to visit ... by guruevi · 2013-10-26 03:32 · Score: 1
  
  Yes, it's lack of cross-platform support is pretty much the biggest issue here. You require thousands of dollars in Windows license to run a single .NET site. The tools are proprietary and costly and having used Visual Studio, I think Eclipse and even Xcode still beats the pants of off it as far as usability goes. .NET is also (or at least should be) a compiled language very similar to Java and it has the same downfalls as Java (if you've ever supported anything-Beans or Tomcat, you know what I'm talking about) - overly complex and way too heavy for websites. Another problem with .NET/IIS stacks is it's lack of isolation from other sites or the hardware, I worked for a hosting company several years ago, shared .NET hosts were a nightmare to support as one site could easily bring the entire application pool down and separating each site in a separate Application Pool gobbled up insane amounts of memory.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
56. Re:It was already a dangerous site to visit ... by Xest · 2013-10-27 21:38 · Score: 1
  
  "Yes, it's lack of cross-platform support is pretty much the biggest issue here."
  But that's not an inherent problem with it, it's a design choice of the technology and it has advantages and disadvantages - whilst you can't easily use it on non-Windows platforms, you do get to do things Java simply can't do easily because Java can't assume what functionality an OS will provide so can only encompass the lowest common denominator as standard whereas .NET can provide access to everything the OS offers.
  "You require thousands of dollars in Windows license to run a single .NET site."
  This is just nonsense. A Windows Server license doesn't cost thousands of dollars, even standard edition costs only $882 and that's direct from MS. You can get it cheaper or use a lesser edition if need be. It's not free, but it's certainly not thousands of dollars. IIS and .NET are bundled in that and that's all you need to pay to host a site.
  "The tools are proprietary and costly and having used Visual Studio, I think Eclipse and even Xcode still beats the pants of off it as far as usability goes."
  This is what people always say who haven't got reasonable experience with both. I have, and Visual Studio is far superior. Eclipse isn't even a good IDE, it's just the go to IDE people jump to when they want to slag of Visual Studio even when they don't know much about it - NetBeans is better. No one who has used a wealth of IDEs to a decent degree would imply Eclipse is somehow the king of the crop (which is the implication if you're going to claim it's better than Visual Studio), far from it.
  ".NET is also (or at least should be) a compiled language very similar to Java and it has the same downfalls as Java (if you've ever supported anything-Beans or Tomcat, you know what I'm talking about) - overly complex and way too heavy for websites."
  What websites exactly? I agree it's far too heavy for your grandmas blog or whatever, but if we're after some kind of enterprise level web site then you shouldn't use anything less. It's complex to manage because it's designed for complex software not "My First Website" style setups but here's the thing - try using PHP for complex software, I have, and it's an absolute nightmare - that Java complexity suddenly becomes simplicity in contrast. When you find out you need true multi-threading support in your application, suddenly PHP becomes a road block whilst Java and .NET let you sail right along. Your talk of .NET is or should be a compiled languages gives way to the fact you clearly have no real understanding of it yet you seem to feel qualified to declare PHP better regardless - that's mindless nonsense.
  "Another problem with .NET/IIS stacks is it's lack of isolation from other sites or the hardware, I worked for a hosting company several years ago, shared .NET hosts were a nightmare to support as one site could easily bring the entire application pool down and separating each site in a separate Application Pool gobbled up insane amounts of memory."
  This is outright false. Of course you can isolate the Microsoft stack, if you're doing it to a large enough degree then Microsoft provide Windows Datacentre Edition for precisely that purpose and if one site could bring the entire application pool down then what the fuck were you thinking? The whole point of application pools is to provide separate worker processes for each pool - of course if you stick everything in the same worker process then if one brings it down so will all the others. It's also nonsense to claim that it gobbles up insane amounts of memory because we're comparing to PHP here, which is far less resource efficient again.
  You've reaffirmed my point that those who defend PHP against the likes of Java, C++, and .NET do so out of inexperience. Much of what you say appears to be based on hearsay rather than real actual experience of working with th
57. Re: It was already a dangerous site to visit ... by godefroi · 2013-10-28 03:40 · Score: 1
  
  Tabs are simply not a good choice for indentation *regardless* of language because there is no standard for how to use them.
  That's a stupid thing to say. Replace "Tabs" with "Spaces" and it's just as true.
  If we use tabs, I can make them 1, 2, 4, 8, or 32 wide, whatever I prefer. If we use spaces, I have to agree with and accept whatever the team prefers. Seems pretty simple to me.
  If you make a standard for how to use any character or set of characters for indentation, then there's a standard.
  Oh, and while you're right, I haven't written much Python, I have written a WHOLE LOT of code in brace languages. I use IDEs that brace-match for me, so in the really hairy cases, I have a little help. How do you brace-match spaces?
  
  --
  Karma: Poor (Mostly affected by lame karma-joke sigs)
58. Re: It was already a dangerous site to visit ... by V+for+Vendetta · 2013-10-29 02:15 · Score: 1
  
  Making these two operators the same symbol just leads to developer confusion and a complicated context-sensitive parser. See also: any BASIC programmer that ever tried to learn C.
  
  Not true. Assignment in BASIC is Let (or Set) A = B, whereas comparison is A = B.
  I agree that the unfortunate fact, that for most current BASIC dialects the 'Let' is optional, results in the confusion you were referring to. But you can't blame a language for terrible/lazy programmers.
59. Re: It was already a dangerous site to visit ... by Trogre · 2013-10-29 10:54 · Score: 1
  
  Why would you need to remember what the parameters were named, when your code editor of choice will present you with a dropdox box of all the parameters when you type the function name?
  
  --
  "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
60. Re: It was already a dangerous site to visit ... by Trogre · 2013-10-29 11:02 · Score: 1
  
  No, dropdox isn't some kind of falling documentation.
  I of course meant "dropdown box".
  
  --
  "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
61. Re:It was already a dangerous site to visit ... by vilanye · 2013-11-07 11:46 · Score: 1
  
  Wow, so basically all you know is PHP and thus think it is the bees knees.
  No point in showing you the error of your ways because you won't understand the differences.
  Here is a short list(in no particur order) of better languages for web:
  Java
  C#
  F#
  Python
  Ruby
  Perl
  Ocaml
  nodeJS
  Lisp
  C
  C++
  Smalltalk
  Haskell
  Scala
  Clojure ...
You Sound Like One Of Those by Anonymous Coward · 2013-10-24 07:45 · Score: 1, Funny

You sound like one of those Java fundies.
STFU, Doucharonimous.
1. Re:You Sound Like One Of Those by ArcadeMan · 2013-10-24 07:54 · Score: 4, Funny
  
  Here's a better URL without all the superfluous Web 2.0 crap around it.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
2. Re:You Sound Like One Of Those by trum4n · 2013-10-24 08:37 · Score: 1
  
  Do you have a scruffy beard too?
3. Re:You Sound Like One Of Those by OakDragon · 2013-10-24 08:44 · Score: 1
  
  Well here's just the GIF!
  
  --
  Dark Reflection
4. Re:You Sound Like One Of Those by ArcadeMan · 2013-10-24 09:40 · Score: 2
  
  I didn't even realize that they were still using GIF instead of PNG. This proves Dilbert.com is run by a PHB.
  Optimized GIF: 29019 bytes.
  Optimized PNG: 24356 bytes.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
5. Re:You Sound Like One Of Those by narcc · 2013-10-24 09:51 · Score: 4, Insightful
  
  Well, the strip is from 1995. Did you expect them to convert the whole archive to PNG just to make a few nerds feel better?
  
  --
  Required reading for internet skeptics
6. Re:You Sound Like One Of Those by ArcadeMan · 2013-10-24 13:27 · Score: 1
  
  How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
7. Re:You Sound Like One Of Those by narcc · 2013-10-24 15:05 · Score: 1
  
  Lots of people. How many of those read 18 year-old Dilbert cartoon's every day?
  Judging from their site, they're not worried about 5k here and there. They could trim significantly more than that off fairly easily.
  
  --
  Required reading for internet skeptics
8. Re:You Sound Like One Of Those by jones_supa · 2013-10-24 22:02 · Score: 1
  
  But still...GIF is a legacy format and shouldn't be used anywhere anymore.
9. Re:You Sound Like One Of Those by narcc · 2013-10-24 22:44 · Score: 1
  
  Why not?
  It's supported everywhere as there are countless old gifs still in use. There also appears to have been a fairly recent resurgence in animated gifs (PBS). You see them all the time these days being used as an alternative to short movie clips. To my knowledge, there is no viable replacement for those yet. Attempts like apng and mng never got off the ground.
  There isn't even any ideological reason to call for the elimination of the format. Even the burnallgifs website has moved on.
  In short: The format enjoys broad support, it's still a popular format for new content, there is no viable alternative, and it's now patent free.
  Try to relax, it's just an old image on a website. It's not the end of the world.
  
  --
  Required reading for internet skeptics
10. Re:You Sound Like One Of Those by antdude · 2013-10-25 03:36 · Score: 1
  
  Yes to stay updated with the technology. :P
  
  --
  Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
11. Re:You Sound Like One Of Those by kmoser · 2013-10-25 05:49 · Score: 1
  
  How about saving bandwidth? Even the latest ones are still in GIF. You may think 4-5KB isn't much, but how many people read Dilbert every day?
  If you really want to save bandwidth, stop wasting your time reading Dilbert. *Talking* about Dilbert on Slashdot, on the other hand, is a completely productive use of time.
12. Re:You Sound Like One Of Those by Desty · 2013-10-29 08:42 · Score: 1
  
  And converting a GIF to a PNG is an utterly sane thing to do if you want to save a few bytes by removing any quality that might have been left over in the GIF...
  Given that PNG is a lossless format, yes it's an utterly sane thing to do if you want to save a few kilobytes without removing any quality from the GIF.
  
  The only price would be that it costs a small once-off amount of CPU time and I/O bandwidth to do the batch conversion and maybe run them through pngcrush/optipng/ScriptPNG to losslessly compress them a bit more. But that's surely worth it if you can cut down a busy site's bandwidth costs by at least 30-40%.
Exploit vulnerable systems? by codeusirae · 2013-10-24 07:46 · Score: 1

"The site appears to have been compromised and had some of its javascript altered to exploit vulnerable systems visiting the website"

What Operating System do the clients need to run in order to be vulnerable?
I can predict the future by SmallFurryCreature · 2013-10-24 07:48 · Score: 5, Insightful

I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past. That is okay when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.
But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and un-necessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.
Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.
But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...
Oh wait.
I can predict the future, I am going to die a bitter and angry nerd.

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
1. Re:I can predict the future by ArcadeMan · 2013-10-24 07:56 · Score: 2
  
  Security. If you do it right, everyone thinks you have wasted your time. If you do it wrong, it is all your fault. - SmallFurryCreature
  Thanks for the new quote.
  
  --
  Get free satoshi (Bitcoin) and Dogecoins
2. Re:I can predict the future by freeze128 · 2013-10-24 08:08 · Score: 1
  
  But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it... Oh wait. I can predict the future, I am going to die a bitter and angry nerd.
  At least you will have lots of company in the afterlife.
3. Re:I can predict the future by styrotech · 2013-10-24 09:47 · Score: 1
  
  I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past. That is okay when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.
  Ruby? Don't you mean Rails? That wasn't a problem with the Ruby itself. Just like Wordpress bugs are not PHP bugs. I'm deliberately not including application bugs - the track record PHP apps have would make PHPs record look even worse.
  And wasn't that massive Rails security hole (assuming you're talking about that autopopulation of variables from user input misfeature) the kind of misfeature that PHP pioneered and baked into its core language?
  You can't really compare Java applet sandboxing problems either - PHP has no sandboxing of untrusted code or anything comparable at all (what a train wreck that would be). A better comparison is: how is Java's security record as a web server compared to PHPs?
  PHP is relatively unique in the way they've had so many security problems that were badly designed language features rather than just implementation mistakes.
  PHP has been objectively worse than practically every other language. Yet you still get people who just can't see the difference in scale/scope, and whine "but but other languages have had problems too!".
4. Re:I can predict the future by dkleinsc · 2013-10-24 11:05 · Score: 4, Informative
  
  I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past.
  You know, I'm going to have to disagree with you on this one.
  I'm not saying that other languages are perfect, far from it. But the PHP world, by and large, is inhabited by people who don't really understand security. I've worked in it for a long time, and in every single application and library written in PHP that I encounter, I find results that show signs of knowing of, for instance, the existance of concepts called "SQL injection" and "XSS attack" but no understanding of what those things actually mean beyond taking some boilerplate kinda-solution in most but not all relevant locations.
  By contrast, the libraries that Java and Python and Ruby provide, both out of the box and in third-party packages, tend to have been designed to make those kinds of attacks difficult to open yourself up to. The documentation for those packages emphasizes the security risks and concerns, the developer communities do everything they can to reduce those risks, and the result is that there are fewer minefields.
  And that is why, in this paper, a whopping 80% of SQL injection and a disproportionately high number of XSS vulnerabilities are from projects that were written in PHP. It's possible to do the right thing in that language, but the evidence is fairly strong that developers focused primarily on PHP don't.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
5. Re:I can predict the future by narcc · 2013-10-24 11:44 · Score: 2
  
  PHP has been objectively worse than practically every other language.
  Objectively, you say?
  Give it a go. How is it "objectively" worse than other popular languages?
  This ought to be hilarious!
  
  --
  Required reading for internet skeptics
6. Re:I can predict the future by styrotech · 2013-10-24 13:52 · Score: 1
  
  Note the context you neglected was core language design mistakes rather than implementation mistakes. Implementation mistakes while bad can generally be fixed without breaking anything. PHP has had more than it's fair share of those too.
  Compared with other languages I've used over the last 15yrs, PHP has been the standout one that seems to have to put convenient but insecure by design functionality (eg register_globals, magic_quotes etc) on a long many year cycle of recommending against using it, deprecating it, turning it off by default, then finally removing it. Each of these features has left behind a trail of legacy articles and books helping unsuspecting newbies to create insecure sites.
  It seems especially bad when PHP was intended to be used on the web right from the start.
  I don't recall any other popular language having to back out of their own deliberate design decisions the way PHP has had to multiple times.
  Hopefully that was hilarious enough for you - I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect. Maybe I just haven't been following other crappy languages closely enough.
7. Re:I can predict the future by narcc · 2013-10-24 15:14 · Score: 1
  
  So you don't actually have an answer then.
  Color me surprised.
  "There was this one feature that was a potential security hole that has been disabled by default for more than a decade!" Doesn't exactly make your case!
  
  I'll gladly take back the word "objectively" though if you want to provide examples of other popular languages being just as bad as or worse than PHP in this respect.
  Languages with security issues they've been forced to fix? What's the comment size limit again? Do languages with massive security issues "by design" that cannot be fixed without fundamentally changing the language count as well?
  Pitiful. If you don't like PHP, fine. All I ask is that you don't pretend that your personal preference is somehow perfectly rational and objective.
  
  --
  Required reading for internet skeptics
8. Re:I can predict the future by styrotech · 2013-10-24 15:37 · Score: 1
  
  It seems you are the one without an answer. Where are your examples that show other popular languages to be as bad as PHP has been then?
  The view that PHP doesn't have a comparatively shoddy security record is the extraordinary claim here and the one that needs evidence. I could just as well ask that your personal preference doesn't get in the way of you being rational and objective.
  As I said, I'll gladly retract my statement - just show me how other popular languages are as bad or worse.
9. Re:I can predict the future by narcc · 2013-10-24 19:21 · Score: 1
  
  It's been shared too much. It's complete and total garbage.
  I offered this earlier: From that incompetent screed, make a list of points of fact, eliminating any point that is opinion.
  Now that you've reduced the content of that page significantly, eliminate any point that's flat-out wrong. Now eliminate any point that also applies to other popular languages.
  To save some time, you could first eliminate anything that exposes the authors distaste or misunderstanding of dynamic typing. That should make the task a bit more manageable, as that's what makes up the bulk of that insufferable post.
  Not much left, is there? Do you still think that PHP is a "fractal of bad design"?
  Well, you might. You're welcome to that opinion. Let's just not pretend that it's based in the world of facts.
  See, there's a reason you link to that nonsense. It's really long, and thus very time consuming for anyone to refute point-by-point. That makes you feel secure. After all, unless a refutation is comprehensive, you can just claim that your opponent couldn't refute the real important bits. The title also confirms "your" opinion, which you probably got from someone else. That makes you feel good. After all, if lots of people believe the same way you do, you can pretend your silly beliefs are true, and not just your personal opinion. If you had an actually reason to think that PHP was "objectively" worse than other languages, you'd have posted that instead.
  Your post isn't any different than a creationist pointing at the Bible for "proof" of their silly beliefs. It's just as wrong, of course, for the same reasons.
  
  --
  Required reading for internet skeptics
10. Re:I can predict the future by Alarash · 2013-10-24 20:58 · Score: 2
  
  C#/.NET hasn't have had a vulnerability in a long time. I know it's not popular around here because "Micro$oft durr durr" but it's a great language and a great framework. Run Mono if you don't like Microsoft.
11. Re:I can predict the future by X.25 · 2013-10-24 21:07 · Score: 1
  
  I can predict there will be a lot of posts by developers of other languages laughing at PHP while ignoring their own languages massive security failures in the often not so distant past. That is okay when for instance Ruby had their massive security hole or Java applets were kicked out of every browser, I giggled like a schoolgirl too.
  But it sure was fun today to google some obscure function and be told php.net might harm your computer. Especially when you are having to fight management daily on some silly security measures you insisted on to protect your project that are so inconvenient and un-necessary because the project hasn't been hacked yet... sigh... do I have to point out that maybe it hasn't been broken into yet because I put the security measures in place? Or that it might simply not have been our turn yet? Nah... it must be because I am an idiot who sees script kiddies everywhere.
  Security, if you do it right everyone thinks you have wasted your time and when you do it wrong, it is all your fault.
  But at least the amazing pay, respect, job security and being the stuff all women dream about makes up for it...
  Oh wait.
  I can predict the future, I am going to die a bitter and angry nerd.
  I use Perl.
  How do I fit in here?
12. Re:I can predict the future by dkleinsc · 2013-10-24 23:02 · Score: 1
  
  Actually, it's more that PHP makes it easy to suck at those things. For example, mysql_query(), with no parameterization support, is something that should never have existed, and for a long time was the only way to do mysql queries.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
13. Re:I can predict the future by Elminster+Aumar · 2013-10-25 01:06 · Score: 1
  
  The ratio of PHP developers to those in other languages are likely every bit 10-to-1. This means many things... First, it likely means that the accessibility to the use of the language is much more prone to being handled by people still new to the language, so yes, inappropriate use is likely to happen. Secondly, it means that the resulting issues surrounding security exploits, etc. will be much more mainstreamed than those that occur in other languages. All of this in mind, PHP is a fantastic language to use. It's no frills, accessible means provides everyone with a product that can do something and do something right there and then. You don't have to spend countless hours configuring compiler scripts, setting up a bunch of libraries, etc., etc. This goes without saying that yes, PHP has flaws but every language has flaws. So stop puckering your two year-old lip and go play with a language you prefer. Don't like PHP? Then don't use it. It's that simple. Stop letting your insecurities drive you to clamor about things other people love using. It makes you look immature.
14. Re:I can predict the future by Elminster+Aumar · 2013-10-25 01:19 · Score: 1
  
  Depends on what the measurements are. How do you show how is better or worse than ? By the number of servers that use a given language? By the developers who have written code using the given language? By the volume of resources it takes to run something written in the language by developers who have at least and approximately 10+ years of proven experience? Generally-speaking, it's easy to assume that PHP developers outnumber the developers of other languages by a substantial amount. I'm not sure what the amount would be because I know there's a good number of Java guys out there as well as Perl. But here's the thing: PHP is ACCESSIBLE. You don't have to muck around with much to get it going--and working--for whatever requirements you may have. You don't have to mess with compiler scripts, libraries, etc. It's all just there, waiting to be used. What this means is that the ratio of seasoned programmers to inexperienced programmers as it pertains to PHP is likely to be unbalanced. This is unfortunate because there's nothing wrong with the language itself, at least, not when comparing it's shortcomings to the issues other languages did have at one point or another. The main point here is that the criticisms revolving around PHP's "accidents" are constantly made mainstream due to the sheer numbers of people who use PHP. This is both good and bad. It's bad for PHP in that it never makes it look any better, but it's good in how it shows just how many systems rely on it. Anyway, it's just like every other language out there: if you don't like it or have no use for it, then that's okay... Just don't use it. But spare us all the drivel where you go around spouting a bunch of immature *noise*. The internet has enough of this as-is.
15. Re:I can predict the future by Elminster+Aumar · 2013-10-25 01:25 · Score: 1
  
  You could be right about the libraries, etc. that Java et al provide out-of-the-box... But here's the thing: nobody on Earth begins a web design project thinking to themselves, "Hey, let's make a website and put ourselves through the wonderful nightmare of being forced to learn some of the most Kafkaesque Java concepts we can find and completely disregard what we originally set out to do due to the poorly-written, overly complex, impossible system requirements that languages like Java et al bring with them." It never enjoys the accommodation of maintaining private criticisms due to how accessible it is anymore by everyone who owns a blog, but whenever I need something up and running--without spending countless hours just trying to create a simple web page--I'll always be turning to PHP. It's no frills, open-source, and yes, if you mind your Ps and Qs, is secure and efficient.
16. Re:I can predict the future by thoromyr · 2013-10-25 02:53 · Score: 1
  
  or, we could try to educate people about how ridiculous it is that PHP is the only language to have non-stop vulnerabilities *in the language* and, even worse, all the cool things they are going to install to go with it are riddled with even more vulnerabilities, to the extent that running a site in php is next best thing to just posting site credentials online.
  Yes, the reason vulnerabilities are so prevalent in modules is because PHP is freaking scary easy to develop so practically anyone can do so, even (and especially) if they have no clue what secure programming means. But it doesn't change the basic fact.
  Yes, a properly developed site using PHP *can* be as secure as one developed using a different language. But that generally isn't the case -- people generally choose PHP because they have no clue. I'm *not* saying everyone who uses PHP has no clue (that is definitely not the case), but for the clueless, PHP is the platform of choice.
  A good example is wordpress. Even excluding wordpress vulnerabilities (which seem to have gotten harder to find), hardly anyone just installs wordpress, they install numerous plugins. And the vulnerabilities multiply.
  So when it comes to hosting sites, allowing PHP means you are going to have slap-dash insecure sites that constantly get hacked. And that creates overhead. It is more of a problem (by definition) than only permitting static content. It is more of a problem (in practice) than permitting dynamic content in other languages.
  So when I say "educate people" I don't mean someone who knows how to use PHP safely (insofar as that is possible for any language...), rather I mean the ones who want to have joomla because they want a site with CMS because they don't understand how *everything* they are going to do could have been done easily in any reasonable tool that generates static pages.
  I don't have time to deal with the constant hacking of PHP driven sites. If my employer wants that, they need to employ more people. This requires educating them, including how the entire PHP ecosystem is fraught with vulnerabilities.
17. Re:I can predict the future by thoromyr · 2013-10-25 02:58 · Score: 1
  
  exactly this. I was astounded when I discovered PHP and the world of vulnerabilities it introduced. Using PHP before 5 is just not a good idea, and that is a very sad statement to make about a *language*. I use PHP at times (it is scary fast to develop in), but in general I prefer other languages.
18. Re:I can predict the future by JabberWokky · 2013-10-25 04:43 · Score: 1
  
  Really? Asking for somebody to demonstrate a wild claim results in your turning it around and demanding proof that it isn't true?
  Okay, I'll say that it is objectively true that there is life on Mars.
  No, no... I don't have to *defend* that statement. The onus is on *you*, Buckaroo, to demonstrate there *isn't* life on Mars.
  Wow, this makes putting out claims much easier. Thank you for your logic, AC.
  
  --
  "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
19. Re:I can predict the future by styrotech · 2013-10-25 08:47 · Score: 1
  
  OK OK you got me... I completely retract my claim 100%. I was just talking "drivel".
  Now to show you're not really just a troll and actually are a PHP fanboy*, why don't you tell us why you think PHP is at least as good as other popular languages.
  * Having never met one before (even at well attended PHP user group meetings), I didn't realise PHP fanboys even existed.
  If you really are a fanboy, what are the good or even great things about PHP? What attracts you to it? Is it the internal consistency? The elegant expressive syntax? The well thought out standard library? Is it the lack of regressions? The joy of php.ini differences? The open way new features are designed and ironed out? The awesome capabilities of the core development and security teams? The package management?
  Or to stay on topic you could educate us plebs as to how other popular languages are equivalent to PHP in respect to how the language itself affects security. That should be easy - after all you get to pick which of the other popular languages you can compare it to.
  Some actual reasoning other than "nuh uh" or "is not" would be nice for a change. Show me you weren't just trolling...
20. Re:I can predict the future by dkleinsc · 2013-10-25 14:18 · Score: 1
  
  Here's what I think: If you know what you're doing, doing things the right way takes no longer than doing things the wrong way when you start.
  Example
  So the end result is that it's a lot cheaper to do things the right way, because you start off almost as fast, and end up not having to slow down to deal with the headaches that exist as the thing gets larger.
  And if you're one of those types that likes a CMS, try Mezzanine and tell me if it's still hard to get something other than PHP up and running.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
FTFY: I can predict the future by neo-mkrey · 2013-10-24 08:07 · Score: 2

I can predict the future, I am going to die a bitter, lonely and angry nerd.
It's about time by sl4shd0rk · 2013-10-24 08:09 · Score: 2

It's nice to finally have some company down here in the basement.
-Java Plugin

--
Join the Slashcott! Feb 10 thru Feb 17!
1. Re:It's about time by slashmydots · 2013-10-24 08:18 · Score: 1
  
  What is this, 2007? They hit rock bottom and broke through. Java is in the 9th circle of hell at the moment.
Battle Scars by Tablizer · 2013-10-24 08:22 · Score: 2

Almost every language in common use has some stupid ideas in it that make one want to slap the makers. (Although maybe Php deserves 2 slaps.) A lot of it is stretch marks from growth. Any successful language (usage-wise) that's been around a while will probably have battle scars. New languages don't have enough features, and mature languages have convoluted features due to growth and the maturing process.

--
Table-ized A.I.
1. Re:Battle Scars by bill_mcgonigle · 2013-10-24 12:30 · Score: 1
  
  yeah, but this is PHP - a fractal of bad design.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Re:lazy editors by Tablizer · 2013-10-24 08:24 · Score: 1

You didn't pay your proof-reading tax.

--
Table-ized A.I.
ja ja by Anonymous Coward · 2013-10-24 08:30 · Score: 1

Why is everyone assuming that it is PHP that was vulnerable?
There countless ways that an attacker could have modified the site that don't involve a vulnerability in PHP.
1. Re:ja ja by X0563511 · 2013-10-24 09:26 · Score: 1
  
  Because when an attack is successful it seems like 9/10 times they exploited a bug or configuration issue via PHP?
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
2. Re:ja ja by Elminster+Aumar · 2013-10-25 01:27 · Score: 1
  
  ...or... Maybe it's just another issue of someone using a tool they weren't qualified in using?
Re:I don't get people. by Joining+Yet+Again · 2013-10-24 10:03 · Score: 1

If you think the difference between imperative programming languages goes much beyond syntactic sugar then I don't think you really understand computer science.
You know a sophomore when they start whining about how childish Visual Basic is. If you can write something well, you can write it well in VB. You might prefer not to, but you should be able to do a fine job of it.
So it wasn't hacked, and Google fucked up... by pongo000 · 2013-10-24 10:07 · Score: 1

From php.net:
It turned out that by combing through the access logs for static.php.net it was periodically serving up userprefs.js with the wrong content length and then reverting back to the right size after a few minutes. This is due to an rsync cron job. So the file was being modified locally and reverted. Google's crawler caught one of these small windows where the wrong file was being served, but of course, when we looked at it manually it looked fine. So more confusion.
I'm idly curious if Google even bothers to offer an apology.
1. Re:So it wasn't hacked, and Google fucked up... by Anonymous Coward · 2013-10-24 10:35 · Score: 4, Informative
  
  I'm concerned about this initial response. It is definitely wrong, unless they INTENDED to link to malicious code. The article in the header has an actual PCAP of an actual successful infection, including the data from the injected iframe, the malicious SWF files, and the PE payload they fetched. There's no doubt about this. I can confirm the payload is live.
  See also: https://news.ycombinator.com/item?id=6604251
  I'm more than idly curious if we can reach PHP.net via some other medium than their site which we surmise has been compromised, or if this is some form of coerced or deliberate backdoor.
  However, what I think has happened is that this is the product of an Apache module: it's only serving the bad code once to any IP, and the access logs of course won't show it. You cannot trust the logs produced by a potentially-rooted computer.
  This appears to be targeted watering-hole attack. This is certainly not a mere false positive. And there seems to be an awful lot of people trying hard to dismiss it. That said, this payload doesn't quite match any exploit kit I recognise.
  And then I think who is high-profile, has a botnet that looks rather like this one, has what you could describe as a PR department, and could coerce PHP or Google into lying... and well, a certain agency comes to mind. Has someone taken Genie over, or is it still under the same C&C? Have they, or it, gone rogue as part of Turbine? Are they actually launching? I don't know, because the C&C just went dead...
2. Re:So it wasn't hacked, and Google fucked up... by landmine · 2013-10-24 13:39 · Score: 1
  
  You just couldn't quote one more line...
  
  "...looked at it manually it looked fine. So more confusion.
  
  We are still investigating how someone caused that file to be changed, but in the meantime we have migrated www/static to new clean servers..."
  
  So they are not denying that the file was changed, they just don't know how it was possible.
3. Re:So it wasn't hacked, and Google fucked up... by wonkey_monkey · 2013-10-25 02:42 · Score: 1
  
  That doesn't like a denial that they were hacked, only that there was some confusion when they looked at the suspect file and found nothing wrong with it because it had been reverted.
  
  --
  systemd is Roko's Basilisk.
4. Re:So it wasn't hacked, and Google fucked up... by vilanye · 2013-11-07 13:22 · Score: 1
  
  Why should Google apologize because the php.net maintainers are idiots?
Uh oh... by edibobb · 2013-10-24 13:54 · Score: 4, Funny

I happened to update php on my web server today. Did I get some additional free software out of the deal?
1. Re:Uh oh... by matria · 2013-10-24 18:04 · Score: 1
  
  No.
Just prooves a point by lapm · 2013-10-24 16:25 · Score: 1

This just goes to show, badboys might find way in at any time. So rest of us needs to stay vigilant of out system. System that was presumed secure yesterday, may have hole in it that was discovered today...
Re:I love when people use fuzzy math by dkleinsc · 2013-10-24 22:56 · Score: 2

If you read the paper, you'll discover that about 50% of the projects examined use PHP, so the 80% number is disproportionately high.

--
I am officially gone from /. Long live http://www.soylentnews.com/
Re:I don't get people. by Joining+Yet+Again · 2013-10-25 04:57 · Score: 1

That's a runtime library issue.
Although maybe your argument is that a language should be judged when accompanied precisely by its standard runtime libraries.