There's some serious misinformation going on here. On 2/24/14 11:02 AM, Eric Wald wrote:
> In PHP, the easy, obvious way to construct a webpage is to intermingle hard-coded bits with unsanitized user input.

I won't argue with that; PHP was originally intended as a web templating language. It's certainly not the common use of PHP these days, though.

> In PHP, the easy, obvious way to interact with a database is to stuff user input straight into a string and use that as your query.

Most people using PHP these days use libraries that support prepared statements, so I think this outlook may be a bit outdated.

> In PHP, the easy, obvious way to build a website is to make each page its own script, including a global configuration file if necessary.

It may be the "easy, obvious way", but it's not the way most sites are built.

> Some configurations of PHP and/or Apache make it possible to view the source of a PHP file from over the web, including the aforementioned global configuration file.

You'd have to seriously screw up your Apache configuration to do that. Is it possible? Yes. Is it common? Not even remotely.

> In PHP, passing an array to a function makes a copy by default, making it easy to run out of memory, simplifying denial-of-service attacks.

This is false, and has been for well over a decade (since PHP 4.0 was released in 2000). PHP uses copy-on-write if you don't pass by reference.
/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
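As an added example (not from this thread or its authors), here are the two query styles the exchange contrasts, side by side in PHP: user input interpolated straight into the SQL string versus a PDO prepared statement. The `users` table and the "untrusted" value are constructed here, and the in-memory SQLite database keeps it runnable offline.

```php
<?php
// Added example, not code from the mailing-list thread. Uses PDO with an
// in-memory SQLite database so it runs without any server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.com'),
           ('bob',   'bob@example.com')");

// Constructed "user input", e.g. the name field of a web form.
$untrusted = "nobody' OR '1'='1";

// 1. The "stuff user input straight into a string" approach from the quoted
//    post. The quote characters in $name end the literal and extend the
//    WHERE clause, so the query no longer means what the author wrote.
function lookupConcatenated(PDO $db, string $name): array {
    $sql = "SELECT name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The prepared-statement approach the reply refers to. The SQL text is
//    fixed when prepared; the value is bound afterwards and is always
//    treated as a string to compare against, never as SQL.
function lookupPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated: %d row(s)\n", count(lookupConcatenated($db, $untrusted)));
printf("prepared:     %d row(s)\n", count(lookupPrepared($db, $untrusted)));
```

With the constructed input, the concatenated query returns both rows while the prepared statement returns none, since no user is literally named `nobody' OR '1'='1`.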
