<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Mike -</span><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">Ha. Loved your post. Especially the Hitler comment :) So funny.</span></div>
<div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">"I'm decent with PHP, it's what I do almost all day every day, and I find new ways to do stupid things with it all the time. Having torn apart a few PHP frameworks like CodeIgnitor and Kohana, as well as some Ruby on Rails apps, I think frameworks provide a false sense of security and make it even easier to do stupid things quickly." - this is why I prefer not to use Frameworks like CodeIgnitor but do custom coding. The thought (maybe wrong), is that hackers look for what is easiest so they will try stuff that breaks CodeIgnitor and WordPress and phpBB and the like more than trying to figure out the intricacies of the custom code.</span><br>
</div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">I'll have to look into the Binary injection stuff. I always just tried the ' OR 1=1' type of stuff to make sure it was secure. Thanks for that.</span></div>
</div><div class="gmail_extra"><br clear="all"><div><div><b><br></b></div><div><b>--</b></div><div><b>Andy Borgmann</b><br><br><div>E-mail: <a href="mailto:andy@borgmann.me" target="_blank"><font color="#990000">andy@borgmann.me</font></a> <br>
Cell Phone: <font color="#990000">(404) 492-6527</font> </div><div>Personal Website: <a href="http://andy.borgmann.me/?r=email" target="_blank"><font color="#990000">http://andy.borgmann.me/</font></a></div>
<div><br>"<i>Preach the Word; be prepared in season and out of season; correct, <br>rebuke and encourage - with great patience and careful instruction.</i>" - 2Timothy 4:2</div></div></div>
<br><br><div class="gmail_quote">On Mon, Jul 22, 2013 at 11:00 AM, Mike Harrison <span dir="ltr"><<a href="mailto:cluon@geeklabs.com" target="_blank">cluon@geeklabs.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have been following this debate about PHP. To summarize:<br>
<br>
1. PHP has some problems that can easily lead to website vulnerabilities if the programmer does not take precautions to prevent. PHP appears to have more of these problems than Python/Django, Ruby on Rails, or .NET. So if you can use something else, this is the preferred route.<br>
</blockquote>
<br></div>
You are confusing a language, with a language + framework.<br>
Frameworks often add some detainting and sanitizing to a language.<br>
Those features are often bypassed by brogrammers and webdudes..<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also, isn't SQL injection pretty much fixed with Magic Quotes? I had a<br>
</blockquote></blockquote>
<br></div>
Nope. There are so many ways to do "sql injection" and "code injection"<br>
in ANY language it is almost always possible to find a way in and do something stupid. Have you seen the binary injection method with strings like 0x... ?? or systems that also use "--" as an SQL delimiter?<br>
Or just plain stupid code that allows " '; drop table users ; "<br>
and people that use phpmysqladmin for database server configurations<br>
and grant all perms to any user.<br>
<br>
PHP is a wonderful "swiss army knife" for web apps... and just like that knife, easy to get your fingers pinched, or cut or stabbed.<br>
As a language, it sucks in many many ways. As a tool, it's very useful.<br>
Like all tools, you gotta be careful with what you are doing.<br>
I own a nice chainsaw for small jobs and emergencies... I pay a professional to do any serious tree work.<br>
<br>
I'm decent with PHP, it's what I do almost all day every day, and I find new ways to do stupid things with it all the time. Having torn apart a few PHP frameworks like CodeIgnitor and Kohana, as well as some Ruby on Rails apps, I think frameworks provide a false sense of security and make it even easier to do stupid things quickly.<br>
<br>
For example: Frameworks usually attempt to re-invent credential/authentication methods with some magic cookie / session kludge instead of using what has been built into the web and browsers since the old codger days. And most of them don't check the embedded components for any auth past the first page. ie; once you have a valid cookie, it all works until that cookie expires, and many things don't even check for the cookie.<br>
<br>
This is a religious argument, let's cut straight to the inevitable<br>
end result: What language would Hitler have coded in?<br>
<br>
Going back to work..<div class="HOEnZb"><div class="h5"><br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br></div>
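The magic-quotes point in the thread above, as an added example that is not part of either message: Python with sqlite3 stands in for PHP/MySQL so it runs offline, `escape_quotes` emulates what magic_quotes_gpc tried to do, and the table and names are constructed. It shows that quote escaping only helps inside a quoted string literal, that the same input in an unquoted numeric context (`WHERE id = $id`) returns every row, and that a bound parameter is the fix.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; nothing here comes from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def escape_quotes(value: str) -> str:
    """What magic_quotes_gpc tried to do: neutralise quote characters.
    SQLite escapes a quote by doubling it (PHP's magic quotes used a backslash
    for MySQL); in both dialects the escape only matters for input that lands
    inside a quoted string literal."""
    return value.replace("'", "''")


def lookup_by_name_interpolated(conn, name: str) -> list:
    """Quoted string context: an escaped ' OR 1=1 -- payload stays inside the
    literal and matches no row."""
    sql = "SELECT id FROM users WHERE name = '%s'" % escape_quotes(name)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_by_id_interpolated(conn, user_id: str) -> list:
    """Unquoted numeric context (WHERE id = $id): there is no quote to escape,
    so 1 OR 1=1 -- becomes part of the query and every row comes back."""
    sql = "SELECT id FROM users WHERE id = %s" % escape_quotes(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_by_id_parameterized(conn, user_id: str) -> list:
    """The fix: a bound parameter is data, never SQL, so the same value matches
    nothing (the sqlite3 driver also rejects a ';'-chained second statement)."""
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_name_interpolated(db, "' OR 1=1 --"))   # []
    print(lookup_by_id_interpolated(db, "1 OR 1=1 --"))     # [1, 2, 3]
    print(lookup_by_id_parameterized(db, "1 OR 1=1 --"))    # []
```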