On Tue, Jan 24, 2006 at 04:45:53PM -0700, Bob Beck wrote:
> > However, all these mitigating points taken together do not suffice to
> > convince me that PHP is the language to choose if you want to lead a
> > quiet, secure life.
> 
>       Language has very little to do with it. The code that is
> written in the language is usually the problem :)
> 
> ...
> 
> > [1] Though this is a bit of an abuse in statistics; open source web
> > applications are full of easy-to-find holes, and since PHP has almost a
> > monopoly there and is almost never used elsewhere, so are almost all PHP
> > applications. It would not be unreasonable to say that a large portion
> > of web applications is just badly written.
> > The point stands that PHP makes it too easy to write bad code, but
> > still.
> 
> ...
> 
>       People write bad code in everything. The way people write software
> and heave it out the door to the slobbering masses that don't care
> about how bad it works has everything to do with it.  Nothing will
> change until programmers of the applications are in general, smarter.
> That won't change without some evolutionary pressure to make them so,
> the only thing that will do that is people refusing to run crap and
> pushing back. Turning "I don't like running crap" into "I don't like
> running language X" is not helpful in this regard - the crap writers
> just move to another language-du-jour, make another application and
> pop up somewhere else - it's like playing "whack-a-turd".  I don't
> like running crap no matter what it's written in. 
> 
>   Yes, I'm sometimes forced, I spent today fixing imp/horde and mysql
> issues. My crap-o-meter is overfull, I feel dirty - someone needs
> to send me some nice wholesome german scheisse porn so I can be
> convinced that not all the world is so smeared full of crap as
> the software I spent today looking at.

All good points. That, however, still leaves my point standing that by
evading PHP, you evade the worst crap.

I agree that it's possible to do really stupid things in any language
(though I think PHP makes it far too easy[1][2]), and that webmonkeys
(sorry, web application developers who have not yet reached the epitome
of their art) will always write crap in whatever the language-du-jour
is.

On a side note, hand-writing your own web scripts helps you evade almost
all of the crap - or at least, it'll be *your* crap. However, since one
has to deal with the pile of crap that is MSIE anyway (--- long rant
deleted ---), best to steer clear of web development at all. Which, on
a side note to this side note, does a very good job; The Crap is still
Out There, of course, but being rid of it as soon as you close your
browser is a good thing.

All this has no bearing on the fact that PHP, as a language, has a lot
of holes. This is independent of the programs you write in it, though
only having well-written programs on a server might make the problems
(almost) impossible to exploit.

As to IMP, I still haven't got it working. Might have something to do
with my reluctance to run two versions of PHP, and my unwillingness to
indulge crap that still demands PHP4. Another try coming up, probably...
(though at least I can use PostgreSQL, which I far prefer to MySQL).

                Joachim

[1] Whoever made up such works of genius as register_globals, regexes
which execute stuff, and XML-RPC: all the world thanks you for it.
[2] I've also heard it said that quite a few modern scripting languages
are far too easy; this might be, to some extent, true, as a language
like C - full of obscure portability problems, NULL dereferences,
hard-to-find bugs which only rear their ugly head to shout SIGSEGV once
in a while - does scare off most of the monkeys. Then again, at least
PHP doesn't have buffer overflows (or, rather, at least programs written
in PHP don't/shouldn't have buffer overflows).
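As an added illustration of the register_globals item in footnote [1] (example code written for this page, not code from the thread or from PHP itself): the script below simulates, with `extract()`, what `register_globals=On` did implicitly for every request, namely turning each request parameter into an ordinary variable before the script's own logic runs. The request and session arrays are constructed inline so the file runs offline with the PHP CLI; the variable name `authorised` is a hypothetical internal flag chosen for the example.

```php
<?php
// Added example, not from the original message. Simulates the register_globals
// hazard and shows the fail-closed way to write the same check.

// Constructed input: an unauthenticated visitor sends a parameter whose name
// happens to match an internal flag. The session is empty (nobody logged in).
$request = ['authorised' => '1'];
$session = [];

// --- Fragile pattern ----------------------------------------------------------
// extract() stands in for register_globals: every request key becomes a local
// variable. The flag is only *set* on a successful login check and is never
// initialised first, so a request-supplied value survives to the return line.
function fragileIsAuthorised(array $request, array $session): bool
{
    extract($request);                  // what register_globals=On did for you
    if (isset($session['user'])) {
        $authorised = true;
    }
    return !empty($authorised);         // trusts whatever the request injected
}

// --- Hardened pattern ---------------------------------------------------------
// Fail closed: initialise the flag before any branch, derive it only from
// trusted state, and never let request keys become variable names.
function hardenedIsAuthorised(array $request, array $session): bool
{
    $authorised = false;                // explicit default; input cannot pre-set it
    if (isset($session['user'])) {
        $authorised = true;
    }
    return $authorised;
}

var_dump(fragileIsAuthorised($request, $session));
var_dump(hardenedIsAuthorised($request, $session));
```

Run with `php register_globals_demo.php`: the fragile version reports the logged-out visitor as authorised because the request parameter filled the uninitialised flag, while the hardened version reports false. The same discipline (initialise every variable, read input only from `$_GET`/`$_POST`/`$_COOKIE`, avoid `extract()` on untrusted arrays) is what makes code safe whether or not the interpreter's `register_globals` setting is under your control.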
