<div dir="ltr">Mike -<div><br></div><div>Well maybe I should look into C ;)</div><div><br></div><div>No need to get defensive. I am not "minding" you, and I am sure you are a great programmer and have more experience than me. My only point in this is that PHP is not inherently insecure. Not saying it is better than C or Java or Python. All I am saying is that the security flaws in PHP have more to do with poorly written code that is publicly viewable to the world than the system itself, and that the examples provided thus far haven't convinced me that it is any less secure than I originally knew other than less qualified people use it due to the low barrier of entry.</div>
<div><br></div><div>And I would very much be interested in what you know about HipHop, because everything I have read about it and looked into relates to performance, not security.</div></div><div class="gmail_extra"><br clear="all">
<div><div><b><br></b></div><div><b>--</b></div><div><b>Andy Borgmann</b><br><br><div>E-mail: <a href="mailto:andy@borgmann.me" target="_blank"><font color="#990000">andy@borgmann.me</font></a> <br>Cell Phone: <font color="#990000">(404) 492-6527</font> </div>
<div>Personal Website: <a href="http://andy.borgmann.me/?r=email" target="_blank"><font color="#990000">http://andy.borgmann.me/</font></a></div><div><br>"<i>Preach the Word; be prepared in season and out of season; correct, <br>
rebuke and encourage - with great patience and careful instruction.</i>" - 2Timothy 4:2</div></div></div>
<br><br><div class="gmail_quote">On Mon, Jul 22, 2013 at 10:09 AM, Michael B. Trausch <span dir="ltr"><<a href="mailto:mbt@naunetcorp.com" target="_blank">mbt@naunetcorp.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 07/22/2013 09:57 AM, Andy Borgmann
wrote:<br>
</div>
<blockquote type="cite">Facebook hasn't had any hacks that I am aware of. I
know they release a lot of information via Graph and other areas,
which leads many of us to feel uncomfortable with there security
practices. But it seems all the information that is released, is
released by design. And I don't see how just because they run PHP
through HipHop (which they created) to run there code through C
and C++ for <i>performance reasons</i> makes it anymore secure
than standard PHP?</blockquote>
<br></div>
Relevant quote, with emphasis added:<div class="im"><br>
<br>
<blockquote type="cite">Facebook does not run the official PHP, <u><b>they
run a subset of it</b></u> that is then compiled, if memory
serves, to C++ and then compiled to system code.</blockquote>
<br></div>
Last I checked, there were two major categories of things they left
out; first one being things that were too difficult to implement
(but I think they got those later), and the second, they removed
functionality that serves little purpose other than to install
security flaws in code. There is some overlap between the two
categories, but remember that HH is a subset of PHP (and in some
cases, even a superset—static type checking, á la Python,
significantly reduces security flaws due to silent coercion, for
example).<br>
<br>
But, don't mind me. I've only been programming in several languages
for a little over two decades and writing production applications
for the last decade. I've used C, C#, Java, Python and PHP enough
to be able to give a fair amount of comparison between them (with my
C++ being out of date as I haven't seriously used it in about five
years). And I know more languages than that, albeit not at the
level of what I would call "native fluency" yet.<br>
<br>
PHP is making some improvements, but they have a long way to go
before they are secure by default. And even further to go before
they have an audience that is secure by default, which is an
intractable problem.<br>
<br>
In short, PHP applications can be made provably secure by tailoring
the language to the audience it has. Those who can program PHP
properly are probably also pretty good C programmers, or would be if
they aren't already.<br>
<br>
— Mike<div class="im"><br>
<br>
<div>-- <br>
<table border="0">
<tbody>
<tr>
<td> <img src="cid:part1.00030701.02070509@naunetcorp.com" alt="Naunet Corporation Logo"> </td>
<td> Michael B. Trausch<br>
<br>
President, <strong>Naunet Corporation</strong><br>
☎ <a href="tel:%28678%29%20287-0693%20x130" value="+16782870693" target="_blank">(678) 287-0693 x130</a> or <a href="tel:%28888%29%20494-5810%20x130" value="+18884945810" target="_blank">(888) 494-5810 x130</a><br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
</div></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br></div>