<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/22/2013 09:57 AM, Andy Borgmann
wrote:<br>
</div>
<blockquote
cite="mid:CABGEp7qXib4u+oTLbtheb7xHj2Z1vQ5ww_S+WCA++QR==xsa7w@mail.gmail.com"
type="cite">Facebook hasn't had any hacks that I am aware of. I
know they release a lot of information via Graph and other areas,
which leads many of us to feel uncomfortable with their security
practices. But it seems all the information that is released is
released by design. And I don't see how just because they run PHP
through HipHop (which they created) to run their code through C
and C++ for <i>performance reasons</i> makes it any more secure
than standard PHP?</blockquote>
<br>
Relevant quote, with emphasis added:<br>
<br>
<blockquote type="cite">Facebook does not run the official PHP, <u><b>they
run a subset of it</b></u> that is then compiled, if memory
serves, to C++ and then compiled to system code.</blockquote>
<br>
Last I checked, there were two major categories of things they left
out; first one being things that were too difficult to implement
(but I think they got those later), and the second, they removed
functionality that serves little purpose other than to install
security flaws in code. There is some overlap between the two
categories, but remember that HH is a subset of PHP (and in some
cases, even a superset—static type checking, à la Python,
significantly reduces security flaws due to silent coercion, for
example).<br>
<br>
But, don't mind me. I've only been programming in several languages
for a little over two decades and writing production applications
for the last decade. I've used C, C#, Java, Python and PHP enough
to be able to give a fair amount of comparison between them (with my
C++ being out of date as I haven't seriously used it in about five
years). And I know more languages than that, albeit not at the
level of what I would call "native fluency" yet.<br>
<br>
PHP is making some improvements, but they have a long way to go
before they are secure by default. And even further to go before
they have an audience that is secure by default, which is an
intractable problem.<br>
<br>
In short, PHP applications can be made provably secure by tailoring
the language to the audience it has. Those who can program PHP
properly are probably also pretty good C programmers, or would be if
they aren't already.<br>
<br>
— Mike<br>
<br>
<div class="moz-signature">-- <br>
<table border="0">
<tbody>
<tr>
<td> <img src="cid:part1.00030701.02070509@naunetcorp.com"
alt="Naunet Corporation Logo"> </td>
<td> Michael B. Trausch<br>
<br>
President, <strong>Naunet Corporation</strong><br>
☎ (678) 287-0693 x130 or (888) 494-5810 x130<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
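The silent-coercion point in the message above, as an added illustration that is not part of this thread or of HipHop itself: PHP's loose <code>==</code> treats two different numeric-looking strings as equal, whereas strict comparison and <code>declare(strict_types=1)</code> refuse the coercion. The token values are constructed placeholders, not real hashes.

```php
<?php
declare(strict_types=1);

// Constructed sample values (not real hashes or secrets): two distinct strings
// that PHP parses as numeric "0 x 10^n", so loose comparison sees them as 0 == 0.
const STORED_TOKEN    = '0e123456';
const PRESENTED_TOKEN = '0e987654';

// Vulnerable form: == coerces both numeric strings to float before comparing,
// so a presented value that merely "looks like zero" matches the stored one.
function loose_token_check(string $stored, string $presented): bool
{
    return $stored == $presented;
}

// Hardened form: === compares type and value, no coercion takes place.
function strict_token_check(string $stored, string $presented): bool
{
    return $stored === $presented;
}

// Hardened form for secrets: hash_equals is strict and constant-time, which
// also avoids leaking the position of the first differing byte via timing.
function safe_token_check(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

var_dump(loose_token_check(STORED_TOKEN, PRESENTED_TOKEN));
var_dump(strict_token_check(STORED_TOKEN, PRESENTED_TOKEN));
var_dump(safe_token_check(STORED_TOKEN, PRESENTED_TOKEN));

// With strict_types=1 in effect, passing an int where a string parameter is
// declared is a TypeError instead of a silent int-to-string conversion.
try {
    strict_token_check(0, PRESENTED_TOKEN);
} catch (TypeError $e) {
    echo "TypeError: scalar coercion refused under strict_types\n";
}
```

Only the loose check accepts the mismatched token; the strict and constant-time checks reject it, and the typed call under strict_types fails loudly instead of coercing.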
</body>
</html>