On Wed, Oct 25, 2006 at 02:21:55PM +0200, ropers wrote:
> On 25/10/06, bofh <[EMAIL PROTECTED]> wrote:
> >On 10/24/06, ropers <[EMAIL PROTECTED]> wrote:
> >>
> >> You mentioned that you dislike PHP.
> >> I would be curious to learn your reasons for this.
> >
> >If you look back at the history of PHP, it was created so that
> >"non-programmers" can easily program.  Well, if you want to see the results
> >of a non-programmer writing scripts, go google "Not Matt's Scripts" and read
> >the reason it was created.  Then look again at the library of PHP scripts
> >out there, and consider them in light of Not Matt's Scripts.
> 
> It's prolly worth noting that both Matt's scripts and nms are written
> in Perl, not PHP.
> 
> However, I still do take your point, which I understand to be a
> **general** point about the very concept of "allowing" non-programmers
> to easily churn out code, and the way that PHP facilitates that.

That's partly true, but if PHP actually tried to make it hard to write
insecure scripts, one could get somewhere.

Just a half-baked thought, but escaping any non-constant expression
(i.e., actual variable, not fixed string) passed to the browser or a
database would go a long way toward solving most problems.

That is,

$hello = "<Hello World>";
echo "<Hello World> ", $hello;

could produce
<Hello World> &lt;Hello World&gt;

And

do_query('select var1, var2 from mydb where id = ' . $my_id);

would not be as dangerous as it is now.

Of course, this is an ugly hack [1]. But a hack that would make my life
quite a bit easier.

                Joachim

[1] The first example is not that bad, treating constants and variables
differently is just one sin; the interesting part is figuring out a sane
way to do the latter.
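An added example, not from the thread, of what the proposal could look like as a small PHP library rather than a language change: developer-written constants are wrapped in a `Markup` marker and passed through, everything else is escaped before it reaches the browser, and the variable parts of a query travel as bound parameters instead of being concatenated into the SQL text. It assumes PHP 8.1 with PDO and an in-memory SQLite database available; the `Markup`, `render` and `do_query` names are this example's own.

```php
<?php
declare(strict_types=1);

// Marker for output the developer wrote as a constant, i.e. trusted markup.
final class Markup {
    public function __construct(public readonly string $html) {}
}

// Browser side: anything not explicitly marked as Markup is escaped.
function render(string|Markup ...$parts): string {
    $out = '';
    foreach ($parts as $part) {
        $out .= $part instanceof Markup
            ? $part->html
            : htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $out;
}

// Database side: the SQL text stays a constant; variable parts are bound parameters.
function do_query(PDO $db, string $sql, array $params = []): array {
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The message's first example: the constant is kept, the variable is escaped.
$hello = "<Hello World>";
echo render(new Markup("<Hello World> "), $hello), "\n";

// The message's second example, against a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mydb (id INTEGER PRIMARY KEY, var1 TEXT, var2 TEXT)');
$db->exec("INSERT INTO mydb (id, var1, var2) VALUES (1, 'a', 'b'), (2, 'c', 'd')");

$my_id = '2'; // whatever text this holds, it is sent as one bound value, never as SQL
print_r(do_query($db, 'select var1, var2 from mydb where id = ?', [$my_id]));
```

The first `echo` reproduces the `<Hello World> &lt;Hello World&gt;` output the message describes; the query returns only the row whose `id` equals the bound value.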
