On 11/07/16 02:14 PM, Lennart Sorensen via talk wrote:
> On Mon, Jul 11, 2016 at 11:44:58AM -0400, D. Hugh Redelmeier via talk wrote:
>> I don't use PHP so my opinion isn't reliable.
>>
>> Historically it has been too hard to write secure code in PHP. Or perhaps
>> it was the culture. I know that things have gotten better over the years.
>> Culture is pretty resistant to change.
>
> Actually I think the right way to word it is:
>
> It is too easy to make it insecure in php.
>
> It is perfectly possible to write secure php code. It just happens to be
> stupidly easy to write insecure php.
>
Yes, totally -- it's far too easy to write insecure code in PHP.

> [...] a lot of the problems are really just that people don't know what they
> are doing and it makes it very easy to make something that "works" even if it
> is also very insecure in non-obvious ways. You can do some of those
> stupidities in other languages, but usually you actually have to try a bit
> harder to get bitten. Trusting user input and using it directly is pretty
> much always a bad idea in any language.
>

Absolutely. Beyond that, PHP just makes it really easy to write code in general, and then really easy to do stupid stuff when you're writing code. It's a bad combination of democratizing web programming and bringing the masses in but also abandoning moral and technical standards and traditions in the process... you just get a free-for-all where any schlub can hack together terribly insecure code...

Thing is, I don't think you can generalize from a particular culture of PHP devs to say something about all PHP applications, though. It's not like the ownCloud/nextCloud community is a bunch of unsophisticated people using PHP to cobble together some shoddy thing. The ownCloud/nextCloud developer community rose out of the KDE developer community (not, like, Joomla! or something). Not that I've pored through the source code, but ownCloud feels sophisticated -- they've got top-notch libraries employed, like SabreDAV, and support a ton of APIs and standards, which would be tough for an unsophisticated bunch to pull off, plus a fully-featured management CLI, which is another sign to me of a well-designed application.

There are well-designed and sophisticated PHP-based applications, like SabreDAV, like Symfony, like ownCloud/NextCloud. It's possible to write secure, well-designed code in PHP, and some people choose PHP because of its broad accessibility for hosting, not because they don't know how to write secure code.
I'm not that old, but I've seen and worked with my fair share of terrifying PHP applications... ownCloud/NextCloud isn't one of them. *shrugs*
--- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk
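The quoted point above, that PHP makes it easy to build something that "works" while trusting user input directly, is the classic query-concatenation mistake. The snippet below is an added example, not code from the thread or from any project named in it; it assumes PHP with the PDO extension and an in-memory SQLite database, and the table, rows and default input are constructed here.

```php
<?php
// Added example (not from the thread): the "works but is insecure" pattern
// beside its hardened form. Assumes PDO with the SQLite driver; the table,
// rows and default input are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Insecure: untrusted input is spliced straight into the SQL text. This
// returns the right row for "alice", so it looks finished, but any input
// containing quote characters changes the structure of the query itself.
function findUserInsecure(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query shape is fixed at prepare time; the input travels as a
// bound parameter and is never parsed as SQL, whatever characters it holds.
function findUserSecure(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Untrusted input from the request; a constructed default keeps this runnable
// from the command line.
$input = $_GET['name'] ?? 'alice';

// Both functions agree on benign input, which is exactly why the insecure
// version survives testing; only the hardened one is safe to ship.
var_dump(findUserSecure($pdo, $input));
```

Run it as `php example.php` to see the bound-parameter lookup for the default input. The detection side of this is mechanical: a grep for string interpolation inside `query()` or `exec()` calls finds most instances, and a code-review rule that every `query()` with a variable in it must be rewritten as `prepare()`/`execute()` closes the gap the quoted message describes.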