[ale] Well, this does nothing for the reputation of Linux

Mike Harrison cluon at geeklabs.com
Mon Jul 22 11:00:53 EDT 2013


> I have been following this debate about PHP. To summarize:
>
> 1. PHP has some problems that can easily lead to website vulnerabilities if 
> the programmer does not take precautions to prevent. PHP appears to have more 
> of these problems than Python/Django, Ruby on Rails, or .NET. So if you can 
> use something else, this is the preferred route.

You are confusing a language with a language + framework.
Frameworks often add some detainting and sanitizing to a language.
Those features are often bypassed by brogrammers and webdudes.

>> Also, isn't SQL injection pretty much fixed with Magic Quotes?  I had a

Nope. There are so many ways to do "sql injection" and "code injection"
in ANY language it is almost always possible to find a way in and do 
something stupid. Have you seen the binary injection method with strings 
like 0x... ?? or systems that also use "--" as an SQL delimiter?
Or just plain stupid code that allows "  '; drop table users ; "
and people that use phpmysqladmin for database server configurations
and grant all perms to any user.

PHP is a wonderful "swiss army knife" for web apps... and just like that 
knife, easy to get your fingers pinched, or cut or stabbed.
As a language, it sucks in many many ways. As a tool, it's very useful.
Like all tools, you gotta be careful with what you are doing.
I own a nice chainsaw for small jobs and emergencies... I pay a 
professional to do any serious tree work.

I'm decent with PHP, it's what I do almost all day every day, and I find 
new ways to do stupid things with it all the time. Having torn apart a few 
PHP frameworks like CodeIgniter and Kohana, as well as some Ruby on Rails 
apps, I think frameworks provide a false sense of security and make it 
even easier to do stupid things quickly.

For example: Frameworks usually attempt to re-invent 
credential/authentication methods with some magic cookie / session kludge 
instead of using what has been built into the web and browsers since the 
old codger days. And most of them don't check the embedded components for 
any auth past the first page. ie; once you have a valid cookie, it all 
works until that cookie expires, and many things don't even check for the 
cookie.

This is a religious argument, let's cut straight to the inevitable
end result:  What language would Hitler have coded in?

Going back to work..
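The Magic Quotes point in the message above, as an added example that is not part of the post: a stand-in for PHP's addslashes() backslash-escapes quotes, but in a numeric WHERE clause there is no quote to escape, so a 0x... literal, an OR clause or a "--" comment goes straight into the query, while a bound parameter stays data. The users table, its rows and the function names are constructed here and run against an in-memory SQLite database.

```python
import sqlite3


def addslashes(value: str) -> str:
    """Approximation of magic_quotes_gpc: backslash-escape quotes and backslashes."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def setup() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: the 'escaped' value is still interpolated into a numeric context,
    so addslashes() has nothing to act on and the input becomes SQL."""
    sql = (f"SELECT name FROM users WHERE id = {addslashes(user_id)} "
           f"AND role = 'user' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Fixed: the driver binds the value; no SQL text is built from the input.
    Non-numeric text never equals an INTEGER id, so the query simply finds nothing."""
    sql = "SELECT name FROM users WHERE id = ? AND role = 'user' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = setup()
    for payload in ("2", "2 OR 1=1", "1 --", "0x3"):
        print(repr(payload), "escaped:", lookup_escaped(db, payload),
              "bound:", lookup_parameterized(db, payload))
```

The "1 --" case comments out the role check and returns the admin row from the escaped query; the same input bound as a parameter matches no row.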