Is PHP going to die?


87 Replies - 9976 Views - Last Post: 22 March 2017 - 11:17 PM

#16 ArtificialSoldier (D.I.C Lover)
Reputation: 1836 | Posts: 5,788 | Joined: 15-January 14

Re: Is PHP going to die?

Posted 24 March 2016 - 09:50 AM

Quote

There is a whitepaper where the security team attempted to approve PHP for internal use and determined that the cost of securing even a single PHP app would be greater than the cost of every developer learning a better language.

There are a lot of cries about PHP being insecure by design, or having fundamental flaws relating to security, but every time I hear those I feel like people are ignoring the glaring reality that PHP is the most widely used server-side language on the internet, and I'm not seeing half of the internet fall over whenever someone cries out about PHP.

If PHP is so insecure, then why isn't every PHP server and website compromised?

And don't respond to that with some hyperbolic "they are" answer, instead point to actual cases of real exploits. Think about wordpress.com, for example - hosted Wordpress installations. If you set your browser to block wordpress.com servers you will notice that a vast amount of content is missing from things like local news sites. Compromising wordpress.com would be a massive coup for anyone trying to spread malware or steal user information.

So, why doesn't that happen?

I have just about as low of an opinion of Wordpress as a PHP developer can have, so I'm using them specifically as an example. I think that Wordpress has all kinds of problems, so if the low-hanging fruit is still on the tree then what's the big problem with PHP that Amazon can't solve? Is that a problem with PHP, or Amazon?

Or, is it just more hyperbole from biased people with an agenda?

#17 astonecipher (Too busy for this)
Reputation: 2342 | Posts: 9,393 | Joined: 03-December 12

Re: Is PHP going to die?

Posted 24 March 2016 - 10:16 AM

Other than for the money, AWS hosts how many million PHP installs? If PHP was fundamentally insecure, and other than monetary, why compromise the hardware?

#18 xclite (I wrote you an code)
Reputation: 1252 | Posts: 4,042 | Joined: 12-May 09

Re: Is PHP going to die?

Posted 24 March 2016 - 11:25 AM

ArtificialSoldier, on 24 March 2016 - 12:50 PM, said:

Quote

There is a whitepaper where the security team attempted to approve PHP for internal use and determined that the cost of securing even a single PHP app would be greater than the cost of every developer learning a better language.

There are a lot of cries about PHP being insecure by design, or having fundamental flaws relating to security, but every time I hear those I feel like people are ignoring the glaring reality that PHP is the most widely used server-side language on the internet, and I'm not seeing half of the internet fall over whenever someone cries out about PHP.


Something being most widely used doesn't mean it's secure, nor would I expect a complaint about something to trigger an attack on an exposed vulnerability. This isn't really a compelling counterargument. See: Windows's history of insecurity.

PHP was "designed" by a programmer who is exceptionally productive but also exceptionally sloppy about language design. This is self-admitted, and that's ok. It just also does not make it the best tool for building maintainable, secure services.

Quote

If PHP is so insecure, then why isn't every PHP server and website compromised?


...What? First, saying it's really expensive to secure such an app isn't the same as saying everything written in PHP was written in an insecure fashion. Secondly, even if it *did* mean that, it wouldn't mean that every website has at this moment been compromised. I'm not sure how to make any points against these arguments, because they don't follow from anything I said in the first place.

Quote

And don't respond to that with some hyperbolic "they are" answer, instead point to actual cases of real exploits. Think about wordpress.com, for example - hosted Wordpress installations. If you set your browser to block wordpress.com servers you will notice that a vast amount of content is missing from things like local news sites. Compromising wordpress.com would be a massive coup for anyone trying to spread malware or steal user information.

So, why doesn't that happen?


http://www.wordpressexploit.com/
https://blog.sucuri....hdd-dot-eu.html (old, but a typical example).

If you haven't ever heard news about wordpress being exploited, your head has been in the sand for several years.

Quote

I have just about as low of an opinion of Wordpress as a PHP developer can have, so I'm using them specifically as an example. I think that Wordpress has all kinds of problems, so if the low-hanging fruit is still on the tree then what's the big problem with PHP that Amazon can't solve? Is that a problem with PHP, or Amazon?

Or, is it just more hyperbole from biased people with an agenda?


Another non-sequitur. I didn't say Amazon *couldn't* secure a PHP app. I said that it was a better use of resources to just not write PHP. And if you think Amazon doesn't know a little about security, you're kidding yourself.

Quote

Other than for the money, aws hosts how many million php installs? If php was fundamentally insecure, and other than monitary, why compromise the hardware?


Amazon's totally cool with you running insecure software on their presumably decently isolated systems. They're not cool with developers within Amazon building insecure systems that have access to customer data. The security standard for an internal system is fairly high.

#19 ArtificialSoldier (D.I.C Lover)
Reputation: 1836 | Posts: 5,788 | Joined: 15-January 14

Re: Is PHP going to die?

Posted 24 March 2016 - 11:40 AM

Quote

Something being most widely used doesn't mean it's secure, nor would I expect a complaint about something to trigger an attack on an exposed vulnerability. This isn't really a compelling counterargument.

It also wasn't my argument. I'm not suggesting that it must be secure since it's widely used. I'm simply asserting that it is widely used, and asking where all of the real-world security problems are that must come with wide use of something so apparently insecure as people claim.

Quote

It just also does not make it the best tool for building maintainable, secure services.

I've definitely not suggested it is the single best tool. I do believe it is a good tool though. Others like to suggest it is a completely unsuitable tool, and I think that's an argument based on hyperbole and hypotheticals instead of facts.

Quote

If you haven't ever heard news about wordpress being exploited, your head has been in the sand for several years.

That's not what I said either. I'm aware of many Wordpress exploits, like I pointed out I am not a fan of Wordpress. My point was that all of these sites, and indeed the internet, is still standing. These sites are still running PHP. There is not massive ongoing data leakage of all PHP sites. The notion that PHP is fundamentally unsuited to being used to run a web site is smoke and mirrors and is not supported by reality. I'll also point out that the vast majority of Wordpress vulnerabilities exist in plugins, not the core code. Take that how you want to, but still, don't take it as my endorsement of Wordpress. I don't like anything about Wordpress, its API looks like the first project of a new college graduate with no real-world experience. But, even so, and despite all of the dire warnings about the state of PHP security, it still successfully runs a vast number of web sites. That fact doesn't mesh with the claims of fundamental insecurity and unsuitability of PHP.

#20 xclite (I wrote you an code)
Reputation: 1252 | Posts: 4,042 | Joined: 12-May 09

Re: Is PHP going to die?

Posted 24 March 2016 - 12:03 PM

ArtificialSoldier, on 24 March 2016 - 02:40 PM, said:

Quote

Something being most widely used doesn't mean it's secure, nor would I expect a complaint about something to trigger an attack on an exposed vulnerability. This isn't really a compelling counterargument.

It also wasn't my argument. I'm not suggesting that it must be secure since it's widely used. I'm simply asserting that it is widely used, and asking where all of the real-world security problems are that must come with wide use of something so apparently insecure as people claim.

Unfortunately, a majority of consumers and businesses seem not to care too much about security. Remember that time Sony got hacked, and they took security seriously? Wait, no, they got hacked again months later, and even worse some months after that. Remember when they went out of business after that? Neither do I. People don't vacate a technology because they or somebody else gets hacked. They patch the hole and continue on, because they don't want to spend the resources to improve their system, either via a full audit or a rewrite, whatever is appropriate.

Remember how long it took to kill Flash and Java applets, even though those pieces of technology were insecure (pretty sure applets make PHP look like a gem in terms of security) and unreliable? It took megapersonality Steve Jobs not allowing it on mobile iDevices to really make a dent in Flash, and Java applets FINALLY died out far too slowly (though we still see posts about them), culminating in Oracle killing any browser support for them.

Quote

Quote

It just also does not make it the best tool for building maintainable, secure services.

I've definitely not suggested it is the single best tool. I do believe it is a good tool though. Others like to suggest it is a completely unsuitable tool, and I think that's an argument based on hyperbole and hypotheticals instead of facts.

And I think the criticism is very justified for anything that requires some semblance of reliability. Security is not easy. Tools that make it even harder should be the last one you reach for, not the first. PHP has made great strides here, and there is a good effort by the community to educate on best practices, but things are just safer if you use something better.

It is probably true that many haters of PHP are bandwagoners with no real experience in the ecosystem (I expect the same for Javascript). That does not mean that the criticisms they parrot are invalid - beyond the bandwagoners are people with years of experience seeing things that should be better.

Quote

Quote

If you haven't ever heard news about wordpress being exploited, your head has been in the sand for several years.

That's not what I said either. I'm aware of many Wordpress exploits, like I pointed out I am not a fan of Wordpress. My point was that all of these sites, and indeed the internet, is still standing. These sites are still running PHP. There is not massive ongoing data leakage of all PHP sites. The notion that PHP is fundamentally unsuited to being used to run a web site is smoke and mirrors and is not supported by reality. I'll also point out that the vast majority of Wordpress vulnerabilities exist in plugins, not the core code. Take that how you want to, but still, don't take it as my endorsement of Wordpress. I don't like anything about Wordpress, its API looks like the first project of a new college graduate with no real-world experience. But, even so, and despite all of the dire warnings about the state of PHP security, it still successfully runs a vast number of web sites. That fact doesn't mesh with the claims of fundamental insecurity and unsuitability of PHP.


A couple of things here - this "not all PHP" thing isn't really strengthening any arguments. This is like saying that dogs are a good mode of transportation because, with much selective breeding and luck, you can put a saddle on a Great Dane. It is possible to run a site that is fairly robust in PHP. You need to know what to avoid, which practices to apply, etc. (true of any platform). The problem is that there are more of these for PHP, and more history to be concerned about.

Again, popularity is not an indication of robustness. You say that's not your point, but you keep appealing to the existence of sites running PHP. Rasmus Lerdorf himself said he'd rather restart a web server every ten minutes than fix a memory leak. For some uses, that may be fine. Many systems run EXACTLY LIKE THIS. That does not mean that those systems are built with the best-suited tools. The majority of systems implemented on any platform that live on the web are flaky and insecure. The fact that these sites are "still standing," says nothing about how reliable or secure they are.

There is no confidence that can be drawn from a lot of things running a particular software suite for a long period of time. PHP is popular because it is easy to start with and cheap to deploy. That does not exclude it from having architectural or security-related issues.

In fact, many things that are insecure yet commonly done are done because they are often easier as a result of being insecure.

#21 jon.kiparsky (Chinga la migra)
Reputation: 10720 | Posts: 18,353 | Joined: 19-March 11

Re: Is PHP going to die?

Posted 24 March 2016 - 01:56 PM

ArtificialSoldier, on 24 March 2016 - 01:40 PM, said:

I'm simply asserting that it is widely used, and asking where all of the real-world security problems are that must come with wide use of something so apparently insecure as people claim.


I'm betting they're on little sites that we never hear about. Every now and then someone throws an attack kit at us and we get to see what sorts of "exploits" they're trying to hit. Apart from a few pokes at cgi-bin, and a few attempts to cd to /etc/passwd, they're all PHP. It's entirely possible, I suppose, that all of these always fail, and people run them anyway for some reason, but I think it's more likely that these attacks are getting people into places where they shouldn't be, often enough that they're worth trying.

I agree that this is indirect evidence, but it suggests to me that the real-world security problems you're looking for are happening on the small-business sites that were set up by some websites-r-us operation and nobody's watching over.

Quote

(pretty sure applets make PHP look like a gem in terms of security)


Really? I'd like to see some references. The Java applet security model was pretty paranoid, I'd be curious to see how people got through it.
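A defender's view of the probing jon.kiparsky describes above, as an added example that is not code from this thread or from any of its posters: a small PHP script (PHP 8 assumed, for str_contains) that parses access log lines in the common "combined" format and groups, per source address, three kinds of request he mentions seeing: requests for .php paths on a host that serves no PHP, requests into /cgi-bin/, and path traversal toward /etc/passwd. The log lines, the path patterns and the addresses are constructed for illustration.

```php
<?php
// Added example, not from the thread: flag the probe types a non-PHP host
// sees in its access log and count them per source address.
declare(strict_types=1);

// Constructed sample lines in Apache/nginx "combined" format (documentation
// address ranges, fictitious paths).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [24/Mar/2016:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Mar/2016:13:56:02 +0000] "GET /setup.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Mar/2016:13:56:02 +0000] "POST /admin/config.php?step=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Mar/2016:13:56:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "curl/7.47"
198.51.100.7 - - [24/Mar/2016:13:56:04 +0000] "GET /download?file=..%2F..%2Fetc/passwd HTTP/1.1" 400 0 "-" "curl/7.47"
203.0.113.5 - - [24/Mar/2016:13:56:05 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Pull source address, timestamp, method, path and status out of one line.
function parseLine(string $line): ?array
{
    $re = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
    ];
}

// Decide whether a request path is one of the probe types we care about.
function classify(string $path): ?string
{
    $decoded = rawurldecode($path);   // decode once so %2F and %2E are compared as characters
    if (str_contains($decoded, '../') || str_contains($decoded, '/etc/passwd')) {
        return 'traversal';
    }
    if (str_contains($decoded, '/cgi-bin/')) {
        return 'cgi-probe';
    }
    if (preg_match('~\.php(\?|$)~', $decoded)) {
        return 'php-probe';           // only notable on a host that serves no PHP at all
    }
    return null;
}

// Return the parsed requests that matched a probe type, tagged with it.
function scanLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;                 // malformed line: skip rather than guess
        }
        $kind = classify($req['path']);
        if ($kind !== null) {
            $req['kind'] = $kind;
            $findings[] = $req;
        }
    }
    return $findings;
}

// Count findings per source address and probe type.
function summarize(array $findings): array
{
    $bySource = [];
    foreach ($findings as $f) {
        $bySource[$f['ip']][$f['kind']] = ($bySource[$f['ip']][$f['kind']] ?? 0) + 1;
    }
    return $bySource;
}

foreach (summarize(scanLog(SAMPLE_LOG)) as $ip => $kinds) {
    echo $ip, ': ', json_encode($kinds), "\n";
}
```

Run it with `php` from the command line. The two ordinary requests from 203.0.113.5 produce nothing; the other two addresses each show up with a small per-type count, which is the shape of report that lets an operator who is not "looking for the pwn" notice that someone is looking at them. The patterns are deliberately narrow: a real deployment would feed the same parse-and-classify split with the paths that matter for its own stack and alert on status codes as well as paths.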

#22 jon.kiparsky (Chinga la migra)
Reputation: 10720 | Posts: 18,353 | Joined: 19-March 11

Re: Is PHP going to die?

Posted 24 March 2016 - 02:25 PM

By the way, the focus on security issues is interesting. When I said that PHP was broken from the bottom up, I hadn't even gotten to security yet. I was just talking about a language that is fundamentally broken, as a language. I won't run through all of the issues here because it's already been done, but the meta-issue is worth mentioning: a language that tolerates this much fail is a language that just doesn't care.

I can understand why people with professional commitments to this language get defensive about it, and I can respect that. But if you're a kid, looking at starting off a career in programming, start by just counting the issues listed in that link. It'll take a little while, but just count them. Or try, anyway - if you get bored and quit, remember that this is a language which quite literally has more major issues than you can count. If you do manage to come up with a number, know this: each of these things is a booby trap that the language has carefully prepared for you. It's meant to look like a piece of solid ground, like you can trust your weight to it, like it's not going to give way suddenly or trip a falling rock to land on your head or catch your foot in a snare, or something like that, but it's lying.
Do you want your career to be built on knowing where all of those booby traps are, and how to get around them?
Or do you want to work in a real language?

Really, this is the question you want to ask yourself.

It's your call.

#23 xclite (I wrote you an code)
Reputation: 1252 | Posts: 4,042 | Joined: 12-May 09

Re: Is PHP going to die?

Posted 24 March 2016 - 02:25 PM

I can try to dig around for some actual sources. From memory, the most common problem with applets was escape from the security sandbox - either via some hole or by compromising the security manager, or via buffer overruns. This was exacerbated by the fact that Oracle would only release updates quarterly, so any weaknesses were vulnerable for a serious amount of time, on every machine that had an applet plugin installed.

#24 macosxnerd101 (Games, Graphs, and Auctions)
Reputation: 12178 | Posts: 45,246 | Joined: 27-December 08

Re: Is PHP going to die?

Posted 24 March 2016 - 02:35 PM

Quote

remember that this is a language which quite literally has more major issues than you can count.

To use some math puns, it's irrational to use a language with real issues. :P

#25 ArtificialSoldier (D.I.C Lover)
Reputation: 1836 | Posts: 5,788 | Joined: 15-January 14

Re: Is PHP going to die?

Posted 24 March 2016 - 02:43 PM

Quote

It is possible to run a site that is fairly robust in PHP. You need to know what to avoid, which practices to apply, etc. (true of any platform). The problem is that there are more of these for PHP, and more history to be concerned about.
...
Again, popularity is not an indication of robustness. You say that's not your point, but you keep appealing to the existence of sites running PHP.

I think you're still not understanding my argument. I'm saying that if:

1) PHP is inherently insecure

and:

2) PHP is the most widely-used scripting language

then:

3) We should see a large number of attacks against PHP servers on a continuous basis.

As far as I'm aware, #3 isn't true. If that's the case, then either #1 or #2 is not correct. We know that #2 is correct. Therefore, #1 must not be correct.

Quote

Rasmus Lerdorf himself said he'd rather restart a web server every ten minutes than fix a memory leak.

Should we talk about the current role of Rasmus Lerdorf and people like Zeev Suraski and Andi Gutmans, or should we act like we're still using PHP 2? We've moved on from the early days. No one is restarting a web server every 10 minutes. Of our 5 production servers, one has been online for 153 days with over 88 million requests, and another for 115 days with over 116 million requests. This is Zend Engine 3 and beyond we are talking about (hell, even Zend Engine 2), not Personal Home Page Tools version 1.

Quote

I agree that this is indirect evidence, but it suggests to me that the real-world security problems you're looking for are happening on the small-business sites that were set up by some websites-r-us operation and nobody's watching over.

OK, you're talking about old versions of PHP then, not recent versions. That problem, as stated before, is definitely not unique to PHP. Even OpenSSL has its problems. But the sky is not falling with PHP. It's just not. It's alive and well, and it's getting better. I don't think there's anything that I can say to convince you of that though, because you've already decided that I'm an idiot working with sub-standard programmers for a company without a serious business model. It's not exactly the best place from which to have a serious discussion. You obviously have strong opinions against PHP. It would be disingenuous to act like they're something beyond an opinion though.

#26 xclite (I wrote you an code)
Reputation: 1252 | Posts: 4,042 | Joined: 12-May 09

Re: Is PHP going to die?

Posted 24 March 2016 - 03:06 PM

ArtificialSoldier, on 24 March 2016 - 05:43 PM, said:

Quote

It is possible to run a site that is fairly robust in PHP. You need to know what to avoid, which practices to apply, etc. (true of any platform). The problem is that there are more of these for PHP, and more history to be concerned about.
...
Again, popularity is not an indication of robustness. You say that's not your point, but you keep appealing to the existence of sites running PHP.

I think you're still not understanding my argument. I'm saying that if:

1) PHP is inherently insecure

and:

2) PHP is the most widely-used scripting language

then:

3) We should see a large number of attacks against PHP servers on a continuous basis.

As far as I'm aware, #3 isn't true. If that's the case, then either #1 or #2 is not correct. We know that #2 is correct. Therefore, #1 must not be correct.


We DO. Jon posted an example of the attack vectors he sees. We constantly see stories about it. How can you possibly claim 3 doesn't happen? Further, I would posit that it happens against all popular web server technologies, and so there can be no proof based on this that PHP is somehow secure. For example, PHP historically was really good at getting MySQL injected. I guarantee this attack is run against all web sites, not just those involving PHP.

Further, making the news isn't an indicator of the security of software. We just hear "customer data breach." We don't always hear how, and if we do, it's usually a legit shop doing a postmortem.

I'm no longer going to respond to arguments of "I don't think PHP hacks make the news"/"*I've* never seen PHP get hacked" because that's not a useful data point. In particular, if something is easy to hack, the victim may not learn about it immediately (or even ever).

Quote

Quote

Rasmus Lerdorf himself said he'd rather restart a web server every ten minutes than fix a memory leak.

Should we talk about the current role of Rasmus Lerdorf and people like Zeev Suraski and Andi Gutmans, or should we act like we're still using PHP 2?


Sigh. I should have been more clear about the point of that example. The point is not that PHP is what necessitates those restarts, but that that was his approach to fixing architectural problems, and that many systems run like that. People are most definitely doing that today, and it is not unique to PHP. I was just trying to highlight his pride in "pragmatic" hacks that seriously hamper good design in the first several years of its evolution. You can't get rid of all that stuff. Javascript, in its ever-increasing reach, still carries the baggage from Eich's weekend foray into language design and it still shows. PHP isn't different in that regard, though I'm unsure if it's better or worse.

Quote

We've moved on from the early days. No one is restarting a web server every 10 minutes. Of our 5 production servers, one has been online for 153 days with over 88 million requests, and another for 115 days with over 116 million requests.
This is Zend Engine 3 and beyond we are talking about (hell, even Zend Engine 2), not Personal Home Page Tools version 1.

No, we're talking about PHP. You can't just pick the good. You get the good with the bad, because if I know PHP, I may get hired to work on the bad. All of the pieces of the language that you aren't supposed to use but still exist are pieces you must avoid. Referring back to what I was saying about setting the bar higher, my position is that you can build maintainable, secure stuff in PHP. It's just that it's easier than in other platforms not to, and therefore anybody starting anew might do better to not invest in it, if only for the sake of making their programming a little easier and their results automatically a little better.

Quote

Quote

I agree that this is indirect evidence, but it suggests to me that the real-world security problems you're looking for are happening on the small-business sites that were set up by some websites-r-us operation and nobody's watching over.

OK, you're talking about old versions of PHP then, not recent versions. That problem, as stated before, is definitely not unique to PHP.

Except that old versions of PHP are unequivocally less secure (and also less robust) than old versions of other things, because it was created with a particular set of priorities. That *is* unique to PHP.

Several of the most thorough people I know write PHP for a living, and their work is top notch. But I know a lot of other developers who are more careless (though no less intelligent) and I'm glad that better languages make lazy mistakes less likely to happen, spaghetti templates harder to generate, and that they provide fewer legacy stupid methods. Maybe we should all be awesome and capable of writing memory-leak free, perfectly secure machine code, but the way I see it, languages should be as helpful as possible in the majority of cases.

#27 e_i_pi (= -1)
Reputation: 879 | Posts: 1,893 | Joined: 30-January 09

Re: Is PHP going to die?

Posted 24 March 2016 - 03:29 PM

Wow, this has gotten awfully nasty all of a sudden. Most of what I have read has resorted to fallacious argument, but I'm not here to throw stones.

What are these security issues with PHP? I'd be interested to know.

#28 xclite (I wrote you an code)
Reputation: 1252 | Posts: 4,042 | Joined: 12-May 09

Re: Is PHP going to die?

Posted 24 March 2016 - 03:33 PM

Calling something a fallacious argument doesn't make it so, and it's especially disingenuous to dismiss large swaths of points on either side with such an empty comment. Also, I wouldn't call most of this debate nasty.

#29 jon.kiparsky (Chinga la migra)
Reputation: 10720 | Posts: 18,353 | Joined: 19-March 11

Re: Is PHP going to die?

Posted 24 March 2016 - 04:51 PM

Quote

3) We should see a large number of attacks against PHP servers on a continuous basis.

As far as I'm aware, #3 isn't true. If that's the case, then either #1 or #2 is not correct. We know that #2 is correct. Therefore, #1 must not be correct.


Well, as I say, I do see attacks against my server every day. They fail, because we're not running PHP, but if we were, we would be vulnerable.
Now, do they ever succeed? I believe they must, or people wouldn't bother running them. So why don't we see them? I would suggest that the people who are most vulnerable have no idea that they've been attacked, and that the attacks have succeeded, and that someone else now controls their server.
After all, if you manage to take over BobsBaitAndTackle.com's server, you're not going to call Bob and tell him, are you? So if Bob isn't very sophisticated - maybe he had someone build the site a few years ago, and doesn't realize that it needs maintenance, or maybe he built it himself but he's too busy running a business to keep on top of the world of security - then he's just going to see his site working fine, because he's not looking for the pwn.


Quote

Wow, this has gotten awfully nasty all of a sudden.


I would say "vigorous", but not nasty. I'm hoping it'll stay that way.

Quote

What are these security issues with PHP? I'd be interested to know.


The biggest one is that you have to pay far too much attention to security. If you have to think about security when you're developing functionality, you're already screwed. Simple example: input validation. I had an interview a few years ago, for a PHP job. One of the Big Questions was a "what's wrong with this code" - there was a snippet that got some input from the user and consulted the database and did a little dance and printed some output. The answer was "it doesn't sanitize the input before it hits the DB, so you could get a SQL injection attack". Well, I'm sorry, but if you have to think about that, the game is over. Use a real framework, and you will never have to think about that, because your input is sanitized on the way in and the ORM doesn't take raw SQL anyway. But if you're using PHP, eventually someone's going to forget and you have a hole. I don't know, maybe this particular issue has been addressed since I last had to suffer through PHP a few years ago, but this goes on throughout the language. Security is left up to the developer, and it's optional. (In Django, it's possible to allow cross-site scripting attacks, but you have to work very hard at it - in PHP, as of a few years ago, you had to be pretty clever to even realize that this was a thing and that you had to deal with it.)

This has a secondary cost, of course: under this paradigm, every feature you develop and every bug you fix has a security tax. The developer has to think about the feature or the bug, but they also have to think about security impacts. That takes extra time, which means you get less features for the money.

#30 CTphpnwb (D.I.C Lover)
Reputation: 3717 | Posts: 13,491 | Joined: 08-August 08

Re: Is PHP going to die?

Posted 24 March 2016 - 07:43 PM

jon.kiparsky, on 24 March 2016 - 06:51 PM, said:

The biggest one is that you have to pay far too much attention to security. If you have to think about security when you're developing functionality, you're already screwed. Simple example: input validation. I had an interview a few years ago, for a PHP job. One of the Big Questions was a "what's wrong with this code" - there was a snippet that got some input from the user and consulted the database and did a little dance and printed some output. The answer was "it doesn't sanitize the input before it hits the DB, so you could get a SQL injection attack". Well, I'm sorry, but if you have to think about that, the game is over.

If you have to think about that, then you're a terrible developer who's using deprecated (actually removed in PHP 7) MySQL code instead of prepared statements in PDO or MySQLi, both of which have been around for more than a decade.

I made the mistake of calling Java insecure in another thread. I was wrong. Programming languages are not insecure. Code written by bad programmers is insecure, and it doesn't matter what language they're using.
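The interview snippet jon.kiparsky describes and the prepared-statement fix CTphpnwb points to, side by side, as an added example that is not code from this thread or from either poster. It assumes PHP 8 with the pdo_sqlite extension so that the database lives in memory and the script runs offline; the users table, its two rows and the probe input are constructed. The output-escaping helper at the end covers the cross-site scripting half of jon.kiparsky's framework comparison.

```php
<?php
// Added example, not from the thread: the same lookup written the way the
// interview snippet had it (string concatenation) and the way PDO prepared
// statements do it, plus escaping on the way out.
declare(strict_types=1);

// Constructed in-memory database with two sample users.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");
    $db->exec("INSERT INTO users (name, email) VALUES ('bob', 'bob@example.test')");
    return $db;
}

// The interview snippet's mistake: the input becomes part of the SQL text, so
// a quote in the input changes the statement's structure. Kept only so the
// contrast with the prepared version is visible.
function lookupVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix CTphpnwb describes: the SQL text is fixed at prepare time and the
// input travels separately as a bound value, so it can only ever be compared
// as data, never parsed as SQL.
function lookupPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape for the HTML context on the way out, which is what a
// templating layer with auto-escaping does for you.
function renderRow(array $row): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    return '<li>' . htmlspecialchars($row['name'], $flags, 'UTF-8')
         . ' &lt;' . htmlspecialchars($row['email'], $flags, 'UTF-8') . '&gt;</li>';
}

$db = makeDb();

// Constructed probe input: not a name, but a quote followed by a tautology.
$probe = "x' OR '1'='1";

echo 'vulnerable lookup: ', count(lookupVulnerable($db, $probe)), " row(s)\n";
echo 'prepared lookup:   ', count(lookupPrepared($db, $probe)), " row(s)\n";

foreach (lookupPrepared($db, 'alice') as $row) {
    echo renderRow($row), "\n";
}
```

Run it with `php` from the command line. The concatenating lookup returns every user for the probe input, because the quote character closes the literal and the rest of the input is parsed as part of the WHERE clause; the prepared lookup returns no rows, because no user is literally named that string. That difference is the whole of the "sanitize before it hits the DB" interview answer, and it is also why CTphpnwb's point stands: with PDO or MySQLi prepared statements the decision is made once, at the call site, rather than re-made for every piece of input.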
