On February 26, 2014, Michael Torrie wrote:
>> same misconfiguration can result in dumping Python, Perl, Ruby, etc...
> Actually, this is not really possible with Python, Ruby, or Java, since
> the code generating the page is never accessible to the web server.

Well, I never brought up Java. Java servlets are pre-compiled IIRC, so that's completely different.

> It's outside the webroot. The only interface to it is the callable
> interface (the API).

That's how it SHOULD be done, yea. And it's how PHP should be done too. But I've seen examples here and there of perl and python scripts in the web root. I've never seen ruby at work at all, so I can't say anything good or bad about it except what I've seen when I glanced at articles about programming in it, and that has nothing to do with the topic at hand.

Point being there are always people who will go for the shortest, quickest approach. Those are the people who give ANY language a bad name. I can take the time and write a perl program that is careful, checks itself, and does its job well. Or I can write a perl script in a couple hours that grabs input and works on it, regardless of if that input is actually correct. The latter can make perl look like a bad language. Same with python. And the same with PHP.

I've only seen a few php routines that were stored in /var/www/html (or other webroot). 98% of the PHP work I've seen, and all I've done (except for quick things that I delete later) exist in their own /var/www/* directory (or even outside of /var/www). Because they are outside the webroot, requesting the page does not return its code, but executes the page and returns the output.

Let's just summarize this way. Are there bad PHP programs that are set up with very poor security? Absolutely. Are there good PHP programs that are written well and are as close to bug free as possible? You better believe it. Can you make horrible security mistakes in Python, or Perl? Yes you can! Is PHP worse than any other language? That's a very subjective question. Some people will knee jerk yes. Some people will consider and say yes. Some will consider and say maybe. Some will consider and say no. Some will knee jerk and say no. I, myself, consider and say no. It's no worse than any other language that's built on top of tons of 3rd party contribution. If you think the PEAR archive has problems then I guess you don't consider CPAN any better. I'm sure Python has a similar repository too.

--- Dan

On Wed, Feb 26, 2014 at 8:29 PM, Michael Torrie <[email protected]> wrote:
> On 02/26/2014 02:30 AM, Dan Egli wrote:
>>> Some configurations of PHP and/or Apache make it possible to view the
>>> source of a PHP file from over the web, including the aforementioned
>>> global configuration file.
>>
>> Well, that would be a problem, yes. But that's due to poor configuration in
>> the apache config file, not due to any problems in the PHP language. The
>> same misconfiguration can result in dumping Perl, Python, Ruby, etc....
>>
> Actually, this is not really possible with Python, Ruby, or Java, since
> the code generating the page is never accessible to the web server.
> It's outside the webroot. The only interface to it is the callable
> interface (the API).
>
> CGI is another story, of course, but normally CGI scripts also live in
> their own directory, outside the webroot.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
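The thread's practical point is that script files left inside the DocumentRoot are exactly what a handler misconfiguration would serve as plain text. The audit below is an added example written for this page, not code from the thread or from PLUG; the extension list, the `index.php` allow-list and the constructed directory layout are assumptions.

```python
"""Audit a DocumentRoot for server-side source files (hypothetical helper)."""
import tempfile
from pathlib import Path

# Extensions that should not sit in a webroot; a single deliberately public
# front controller is allowed (assumption: only index.php).
SCRIPT_EXTENSIONS = {".php", ".inc", ".pl", ".py", ".rb"}
ALLOWED_PUBLIC = {"index.php"}


def find_scripts_in_webroot(docroot, allowed=ALLOWED_PUBLIC):
    """Return webroot-relative paths of script files not on the allow-list.
    Each finding is code that a broken handler config would disclose."""
    root = Path(docroot)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            if rel not in allowed:
                findings.append(rel)
    return sorted(findings)


def looks_like_disclosed_source(body):
    """Heuristic for an HTTP response body fetched from your own server:
    if the script was served instead of executed, its opener survives."""
    markers = ("<?php", "#!/usr/bin/perl", "#!/usr/bin/env python",
               "#!/usr/bin/env ruby")
    head = body.lstrip()[:64]
    return any(head.startswith(m) for m in markers)


def demo_constructed_webroot():
    """Build a constructed sample webroot in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "index.php").write_text("<?php require '../app/boot.php';")
        (root / "config.php").write_text("<?php $db_pass = 'constructed';")
        (root / "lib" / "db.php").write_text("<?php // constructed sample")
        (root / "admin.pl").write_text("#!/usr/bin/perl\nprint 'x';")
        (root / "about.html").write_text("<html>static page</html>")
        return find_scripts_in_webroot(root)


if __name__ == "__main__":
    print(demo_constructed_webroot())  # constructed sample: 3 findings
```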
